Index
FOREWORD xix
by Solar Designer
INTRODUCTION xxiii
A Few Words about Me xxiii
About This Book xxiv
PART I: THE SOURCE
On the problems that surface long before one sends any information over the network
1
I CAN HEAR YOU TYPING 3
Where we investigate how your keystrokes can be monitored from far, far away
The Need for Randomness 4
Automated Random Number Generation 6
The Security of Random Number Generators 7
I/O Entropy: This Is Your Mouse Speaking 8
Delivering Interrupts: A Practical Example 8
One-Way Shortcut Functions 11
The Importance of Being Pedantic 12
Entropy Is a Terrible Thing to Waste 13
Attack: The Implications of a Sudden Paradigm Shift 14
A Closer Look at Input Timing Patterns 15
Immediate Defense Tactics 18
Hardware RNG: A Better Solution? 18
Food for Thought 19
Remote Timing Attacks 19
Exploiting System Diagnostics 20
Reproducible Unpredictability 20
2
EXTRA EFFORTS NEVER GO UNNOTICED 21
Where we learn how to build a wooden computer and how to obtain information from
watching a real computer run
Boole's Heritage 21
Toward the Universal Operator 22
DeMorgan at Work 23
Convenience Is a Necessity 24
Embracing the Complexity 25
Toward the Material World 25
A Nonelectric Computer 26
A Marginally More Popular Computer Design 27
Logic Gates 27
From Logic Operators to Calculations 28
From Electronic Egg Timer to Computer 31
Turing and Instruction Set Complexity 32
Functionality, at Last 34
Holy Grail: The Programmable Computer 35
Advancement through Simplicity 35
Split the Task 36
Execution Stages 37
The Lesser Memory 38
Do More at Once: Pipelining 39
The Big Problem with Pipelines 40
Implications: Subtle Differences 41
Using Timing Patterns to Reconstruct Data 42
Bit by Bit. . . 42
In Practice 44
Early-Out Optimization 44
Working Code - Do It Yourself 46
Prevention 48
Food for Thought 49
3
TEN HEADS OF THE HYDRA 51
Where we explore several other tempting scenarios that occur very early on in the process
of communications
Revealing Emissions: TEMPEST in the TV 52
Privacy, Limited 53
Tracking the Source: "He Did It!" 54
"Oops" Exposure: *_~lq'@@ . . . and the Password Is . . . 55
4
WORKING FOR THE COMMON GOOD 57
Where a question of how the computer may determine the intent of its user is raised and
left unanswered
PART II: SAFE HARBOR
On the threats that lurk in between the computer and the Internet
5
BLINKENLIGHTS 65
Where we conclude that pretty can also be deadly, and we learn to read from LEDs
The Art of Transmitting Data 66
From Your Email to Loud Noises . . . Back and Forth 68
The Day Today 73
Sometimes, a Modem Is Just a Modem 74
Collisions Under Control 75
Behind the Scenes: Wiring Soup and How We Dealt with It 76
Blinkenlights in Communications 78
The Implications of Aesthetics 80
Building Your Own Spy Gear . . . 81
. . . And Using It with a Computer 82
Preventing Blinkenlights Data Disclosure - and Why It Will Fail 85
Food for Thought 88
6
ECHOES OF THE PAST 89
Where, on the example of a curious Ethernet flaw, we learn that it is good to speak
precisely
Building the Tower of Babel 90
The OSI Model 91
The Missing Sentence 92
Food for Thought 94
7
SECURE IN SWITCHED NETWORKS 95
Or, why Ethernet LANs cannot be quite fixed, no matter how hard we try
Some Theory 96
Address Resolution and Switching 96
Virtual Networks and Traffic Management 97
Attacking the Architecture 99
CAM and Traffic Interception 100
Other Attack Scenarios: DTP, STP, Trunks 100
Prevention of Attacks 101
Food for Thought 101
8
US VERSUS THEM 103
What else can happen in the local perimeter of "our" network? Quite a bit!
Logical Blinkenlights and Their Unusual Application 105
Show Me Your Typing, and I Will Tell You Who You Are 105
The Unexpected Bits: Personal Data All Around 106
Wi-Fi Vulnerabilities 107
PART III: OUT IN THE WILD
Once you are on the Internet, it gets dirty
9
FOREIGN ACCENT 113
Passive fingerprinting: subtle differences in how we behave can help others tell who
we are
The Language of the Internet 114
Naive Routing 115
Routing in the Real World 116
The Address Space 116
Fingerprints on the Envelope 118
Internet Protocol 118
Protocol Version 119
The Header Length Field 119
The Type of Service Field (Eight Bits) 120
The Total Packet Length (16 Bits) 120
The Source Address 120
The Destination Address 121
The Fourth Layer Protocol Identifier 121
Time to Live (TTL) 121
Flags and Offset Parameters 122
Identification Number 123
Checksum 124
Beyond Internet Protocol 124
User Datagram Protocol 125
Introduction to Port Addressing 125
UDP Header Summary 126
Transmission Control Protocol Packets 126
Control Flags: The TCP Handshake 127
Other TCP Header Parameters 130
TCP Options 132
Internet Control Message Protocol Packets 134
Enter Passive Fingerprinting 135
Examining IP Packets: The Early Days 135
Initial Time to Live (IP Layer) 136
The Don’t Fragment Flag (IP Layer) 136
The IP ID Number (IP Layer) 137
Type of Service (IP Layer) 137
Nonzero Unused and Must Be Zero Fields (IP and TCP Layers) 138
Source Port (TCP Layer) 138
Window Size (TCP Layer) 139
Urgent Pointer and Acknowledgment Number Values (TCP Layer) 139
Options Order and Settings (TCP Layer) 140
Window Scale (TCP Layer, Option) 140
Maximum Segment Size (TCP Layer, Option) 140
Time-Stamp Data (TCP Layer, Option) 140
Other Passive Fingerprinting Venues 142
Passive Fingerprinting in Practice 142
Exploring Passive-Fingerprinting Applications 143
Collecting Statistical Data and Incident Logging 144
Content Optimization 144
Policy Enforcement 144
Poor Man's Security 145
Security Testing and Preattack Assessment 145
Customer Profiling and Privacy Invasion 145
Espionage and Covert Reconnaissance 146
Prevention of Fingerprinting 146
Food for Thought: The Fatal Flaw of IP Fragmentation 147
Breaking TCP into Fragments 148
10
ADVANCED SHEEP-COUNTING STRATEGIES 151
Where we dissect the ancient art of determining network architecture and computer whereabouts
Benefits and Liabilities of Traditional Passive Fingerprinting 151
A Brief History of Sequence Numbers 154
Getting More Out of Sequence Numbers 155
Delayed Coordinates: Taking Pictures of Time Sequences 156
Pretty Pictures: TCP/IP Stack Gallery 160
Attacking with Attractors 166
Back to System Fingerprinting 169
ISNProber - Theory in Action 169
Preventing Passive Analysis 170
Food for Thought 171
11
IN RECOGNITION OF ANOMALIES 173
Or what can be learned from subtle imperfections of network traffic
Packet Firewall Basics 174
Stateless Filtering and Fragmentation 175
Stateless Filtering and Out-of-Sync Traffic 176
Stateful Packet Filters 177
Packet Rewriting and NAT 178
Lost in Translation 179
The Consequences of Masquerading 180
Segment Size Roulette 181
Stateful Tracking and Unexpected Responses 183
Reliability or Performance: The DF Bit Controversy 184
Path MTU Discovery Failure Scenarios 184
The Fight against PMTUD, and Its Fallout 186
Food for Thought 186
12
STACK DATA LEAKS 189
Yet another short story on where to find what we did not intend to send out at all
Kristian's Server 189
Surprising Findings 190
Revelation: Phenomenon Reproduced 191
Food for Thought 192
13
SMOKE AND MIRRORS 193
Or how to disappear with grace
Abusing IP: Advanced Port Scanning 194
Tree in the Forest: Hiding Yourself 194
Idle Scanning 195
Defense against Idle Scanning 197
Food for Thought 198
14
CLIENT IDENTIFICATION: PAPERS, PLEASE! 199
Seeing through a thin disguise may come in handy on many occasions
Camouflage 200
Approaching the Problem 201
Towards a Solution 201
A (Very) Brief History of the Web 202
A HyperText Transfer Protocol Primer 203
Making HTTP Better 205
Latency Reduction: A Nasty Kludge 205
Content Caching 207
Managing Sessions: Cookies 209
When Cookies and Caches Mix 210
Preventing the Cache Cookie Attack 211
Uncovering Treasons 211
A Trivial Case of Behavioral Analysis 212
Giving Pretty Pictures Meaning 214
Beyond the Engine . . . 215
. . . And Beyond Identification 216
Prevention 217
Food for Thought 217
15
THE BENEFITS OF BEING A VICTIM 219
In which we conclude that approaching life with due optimism may help us track down
the attacker
Defining Attacker Metrics 220
Protecting Yourself: Observing Observations 223
Food for Thought 224
PART IV: THE BIG PICTURE
Our legal department advised us not to say "the network is the computer" here
16
PARASITIC COMPUTING, OR HOW PENNIES ADD UP 227
Where the old truth that having an army of minions is better than doing the job yourself
is once again confirmed
Nibbling at the CPU 228
Practical Considerations 231
Parasitic Storage: The Early Days 232
Making Parasitic Storage Feasible 234
Applications, Social Considerations, and Defense 241
Food for Thought 242
17
TOPOLOGY OF THE NETWORK 243
On how the knowledge of the world around us may help track down friends and foes
Capturing the Moment 244
Using Topology Data for Origin Identification 245
Network Triangulation with Mesh-Type Topology Data 248
Network Stress Analysis 248
Food for Thought 251
18
WATCHING THE VOID 253
When looking down the abyss, what does not kill us makes us stronger
Direct Observation Tactics 254
Attack Fallout Traffic Analysis 256
Detecting Malformed or Misdirected Data 259
Food for Thought 260
CLOSING WORDS 261
Where the book is about to conclude
BIBLIOGRAPHIC NOTES 263
INDEX 269