- Copyright 2001
- Dimensions: 7-3/8" x 9-1/4"
- Edition: 1st
-
Book
- ISBN-10: 0-201-71114-1
- ISBN-13: 978-0-201-71114-1
"Avi Rubin does a great job of explaining the motivations behind many security solutions, as well as providing practical information about how you can solve real-world problems. White-Hat Security Arsenal is an invaluable resource--a judicious mix of practical information and the theory behind it."
--Marcus J. Ranum, CTO, NFR Security, Inc.
"White-Hat Security Arsenal ups the ante for the good guys in the arms race against computer-based crime. Like a barrage of cruise missiles, Avi's excellent book attains air superiority by leveraging smarts and advanced GPS technology to zero in on critical targets. Intended to educate and inform information security professionals with a no-nonsense, hold-the-hype approach to security, this book is a critical weapon for modern information warriors. If you wear a white hat and are on the good guys' team, buy this book. Don't go into battle without it!"
--Gary McGraw, Ph.D., CTO, Cigital
How do I allow secure remote access to my site? How do I protect data on my laptop in case it's stolen? How should I configure my firewall? Will I regret using my credit card online? How will the bad guys attack? If these are some of the questions that keep you awake at night, you need to read this book.
As a computer security expert at AT&T Labs, author Avi Rubin regularly meets with IT staffs from all types of companies. When asked to recommend resource material to his customers, Rubin realized that there just wasn't a book on the market that would give them concise, direct answers to all their security questions. So he wrote one.
Using a problem-oriented approach, Rubin walks you through everything from protecting against network threats to using credit cards on the Web. Each chapter begins with a problem statement, continues with a description of the threat, explains the technologies involved, and then offers solutions. Chapters conclude with one or more case studies.
You'll find easy-to-understand information that will help you
- Identify the risks
- Put attacks in perspective
- Store information securely
- Perform reliable and secure backups
- Transfer information securely across hostile networks
- Understand Public Key Infrastructure (PKI) and its limitations
- Protect against network threats
- Set up firewalls
- Deal with denial of service attacks
- Understand online commerce and privacy
Whether you are an IT professional, a system administrator, an academic, or simply a regular Internet user, White-Hat Security Arsenal is full of information you can't afford to miss.
0201711141B05222001
Online Sample Chapter
Secure Backup: Protecting Your Data
Downloadable Sample Chapter
Click below for Sample Chapter related to this title:
rubinch6.pdf
Table of Contents
Foreword.
Preface.
I: IS THERE REALLY A THREAT?
1. Shrouded in Secrecy. 2. Computer Security Risks. What Is at Risk.
Data, Time, and Money.
Confidentiality.
Privacy.
Resource Availability.
Why Risks Exist.
Buggy Code.
The User.
Poor Administration.
Exploiting Risks.
Moving On.
3. The Morris Worm Meets the Love Bug: Computer Viruses and Worms. Terminology.
A Touch of History.
The Morris Worm.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Melissa.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
CIH Chernobyl.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Happy.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Worm.ExploreZip.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Bubbleboy.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Babylonia.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
The Love Bug.
When It Hit and What It Did.
How and Why It Worked.
The Consequences.
How We Recovered.
Lessons Learned.
Summary.
II: STORING DATA SECURELY.
4. Local Storage. Physical Security.
Cryptographic Security.
What Can Be Achieved with Cryptography.
Cryptography Is Not Enough.
Basic Encryption and Data Integrity.
Protecting Data with Passwords.
Graphical Passwords.
Cryptographic File Systems.
Case Studies.
CFS.
PGPDisk.
EFS in Windows 2000.
Further Reading.
5. Remote Storage. Remote Storage.
NFS Security.
Adding Security.
User Authentication.
Strengthening Passwords.
Access Control Lists and Capabilities.
AFS.
Case Study.
Pathnames.
Further Reading.
6. Secure Backup. Secure Backups.
Physical Security.
Backup over a Network.
Key Granularity.
Backup Products.
@backup.
BitSTOR.
Secure Backup Systems.
BackJack.
Datalock.
NetMass SystemSafe.
Saf-T-Net.
Safeguard Interactive.
Veritas Telebackup.
Deleting Backups.
Case Study.
The Client Software.
Incremental Backups.
Further Reading.
III: SECURE DATA TRANSFER.
7. Setting up a Long-Term Association. What Is Identity?
Identity in Cyberspace.
Exchanging Public Keys in Person.
Certification Authorities.
Public Key Certificates.
Certificate Hierarchies.
Long-Term Relationships within an Organization.
Global Trust Register.
Revocation.
Long-Term Relationships in the Wild.
Managing Private Keys.
Symmetric Keys.
Case Study.
Summary.
Further Reading.
8. Deriving Session Keys. Long-Term Keys Are Not Enough.
What Are Session Keys?
Key Exposure.
Perfect Forward Secrecy.
Security Associations.
Picking a Random Key.
Session Keys from Symmetric Long-Term Keys.
Kerberos.
Another Approach.
Session Keys from Long-Term Public Keys.
Diffie-Hellman Key Exchange.
Session Keys in SSL.
Protocol Design and Analysis.
Case Study.
Clogging Attacks.
ISAKMP Exchanges.
Key Refreshment.
Primes in OAKLEY.
Further Reading.
9. Communicating Securely After Key Setup. Protecting Information.
Encryption.
Authentication.
Which Layer Is Best for Security?
Encapsulation.
The Link Layer.
The Network Layer.
The Transport Layer.
The Application Layer.
Replay Prevention.
Case Study.
ESP.
AH.
Further Reading.
IV: PROTECTING AGAINST NETWORK THREATS.
10. Protecting a Network Perimeter. Insiders and Outsiders.
Network Perimeter.
Benefits of Firewalls.
Types of Firewalls.
Packet Filters.
Application-Level Gateways.
Using the Firewall.
Configuring Rules.
Web Server Placement.
Exit Control.
Remote Access8.
Logging in Directly.
Dial-up Access.
VPN Access.
Web-Only Access.
Case Study.
Further Reading.
11. Defending against Attacks. Bad Guys.
Mapping.
Attacks.
Denial of Service.
Defense.
Defending against Mapping.
Monitoring the Traffic.
Intrusion Detection.
Defense against DDOS.
Other Tools.
Case Study.
Further Reading.
V: COMMERCE AND PRIVACY.
12. Protecting E-Commerce Transactions. Credit Cards on the Web.
The SSL Protocol.
Protocol Overview.
Configuring a Browser.
Configuring a Server.
Security.
Performance.
Caching.
Case Study.
How Passport Works.
Risks of Passport.
Further Reading.
13. Protecting Privacy. Online Privacy.
What Is at Risk?
E-Mail Privacy.
Protecting E-Mail with Cryptography.
Anonymous E-Mail.
How Is Personal Privacy Compromised?
Direct Methods.
Indirect Methods.
Defense Mechanisms and Countermeasures.
Protecting Data on Your Machine.
Protecting Credit Card Information.
Safeguarding Your Browsing History.
Hiding Your Surfing.
Posting Anonymously to the Web.
Case Study.
Summary.
Further Reading.
Glossary. Bibliography. Index. 0201711141T01 001.
Preface
Why I Wrote This Book
As a computer security expert at AT&T Labs, I often find myself meeting with members of IT departments of our large customers. This year, for example, I've met with, among others, the CIO of Ford Motor Company, the CTO of JP Morgan, and a Vice President of American Axle Manufacturing. In each case, they bring along an entourage of system administrators and other members of their team, and they come loaded with problems. How do I allow secure remote access to my site? How should I configure my firewall? How do employees store information securely on laptops? The list of questions goes on and on. I listen to them and offer my advice and expertise.
The customers always ask me what book I recommend to solve all of their problems. There are some good books on security out there. However, they are written from a disciplinary approach. There is usually a chapter on cryptography, a chapter on protocols, a chapter on SSL, and so on. So, I set out to write a book that directly answers the questions that these large IT departments face.
What sets this book apart from others is the problem-oriented approach. Each chapter starts out with a problem statement using Alice and sometimes Bob, borrowing these characters from the cryptography literature.
The book is divided into five parts. Each part is written to be self-contained, so there is some redundancy of information across parts. Within each part (except the first), there are chapters, each of which represents a problem. Within the chapter is a description of the threat model, explanations of the technologies involved, and some solutions. The chapters conclude with one or more case studies. The idea is to give the readers enough information to understand the problem in detail, to have the ability to evaluate solutions, and even to be able to solve the problem themselves.
Intended Audience
There are several different kinds of people who can benefit from this book. I have tried to identify the computer security problems that are the most common and the most interesting to study. Some of you will read this book to figure out the solution to a particular problem. Others will read it to educate themselves about certain risks. Whether you are a practicing information technology professional, a system administrator, a graduate student in computer science, or simply an end user, there is something for you in this book. Some problems that I cover are less complex and little technical training is needed to understand the solutions. Other problems require intricate technical solutions that may seem incomprehensible to someone without a computer science or math background. To facilitate your reading experience, I have identified each chapter by the level of difficulty and the intended audience. At the beginning of each chapter, I display icons that represent the intended audience. The leftmost icon is the most relevant audience for the chapter, and the icons are thus ordered from left to right.
The Surfer/End User Surfers or "end users" are those who surf the Web, read e-mail, and use computers in their everyday lives. They don't necessarily have any formal computer science training, but they are proficient in day-to-day uses of computers. For example, they know how to install software and how to change the settings in their browsers.
The IT Professional Information technology professionals are those who are quite knowledgeable about computers. They may be in charge of a large network deployment, programmers, system architects, or even managers. It is safe to assume that these people have a computer science or CIS degree, and that they have been working with computers for some time.
The Academic Academic are usually either professors or graduate students. Academics are usually interested in the technical details and the theory behind a solution, as much as in the solution itself. Academics are likely to consult other references to further understand the material, and the gory details are welcome, rather than feared.
The System Administrator System administrators are those who are often responsible for the security of a site. They are usually the ones putting out fires, and their jobs may be on the line if information is lost, or if a major break-in occurs. These people are interested in making sure that their systems are safe, and while they would normally love to study and understand the theory behind the solutions, there is no time for that. What they really want is to figure out exactly how to solve the problem that is pressing at the moment.
Each chapter in this book presents the solution to a problem that is important to some subset of these characters. While you may or may not fit exactly into one of these descriptions, I hope that the icons at the beginnings of the chapters will give you a good idea of what level of detail and complexity to expect when you read it.
Guide to the Book
There are five parts to the book:
Part I The first part is intended to motivate the rest of the book. No problems are identified here; rather, I address the issue of threat and why people need to worry about solving computer security problems.
- Chapter 1 This chapter deals with the fact that it is difficult to get companies to admit to computer security incidents. As a result, it is hard to estimate the true damage from security incidents.
- Chapter 2 This chapter covers what is at risk, in order to help the reader understand the threats.
- Chapter 3 This chapter is unique in this book. Computer viruses and worms are the security problems that receive the most press and that people are most acutely aware of. Rather than focus on the problem and its solutions, I thought that I would use viruses and worms to help the reader appreciate the level of threat posed to computers and networks. The chapter puts these attacks in perspective and explains how they work.
Part II The second part deals with secure storage of information. The following problems are addressed:
- Chapter 4 Alice has some important information that she wishes to store on her computer. How does she protect the data so that even if her machine falls into the hands of an adversary, the data will remain confidential, and she will be able to detect any tampering with the information? Ideally, Alice would like a solution that is easy to use and is applicable to multiple applications.
- Chapter 5 Alice uses a file system that stores files remotely. How can she protect the authenticity and confidentiality of the data from an adversary who is on the network or in control of the remote file server?
- Chapter 6 Alice considers her data very important. She has been around long enough to experience the painful loss of files due to arbitrary failures of software and hardware. The data on Alice's machine are of a very sensitive nature. She is very good at physically securing her machine and protecting her data while it is in her possession, but how does she back up her data in such a way that the backups are reliable and also secure?
Part III The third part is the most technical in the book. It deals with transferring information securely on vulnerable networks. The following problems are addressed:
- Chapter 7 How does Alice identify Bob in such a way that she can guarantee that future communications with Bob are identifiable and so that no other party is able to establish communication with Alice that appears to be from Bob? In addition, if Alice realizes that some other party, Evil, may potentially impersonate her, how does Alice recover to limit the damage that can be caused by Evil?
- Chapter 8 Assume that Alice and Bob have a long-term association. They either know each other's public keys, share a symmetric long-term key with a trusted authority, or share a symmetric long-termkey with each other. How do Alice and Bob securely establish symmetric session keys to protect their information?
- Chapter 9 Assume that Alice and Bob have session keys for encryption and authentication. How do they protect their communication? Where in the protocol stack is the best place to put their security?
Part IV The fourth part of this book has to do with protecting against network threats. This includes setting up firewalls, detecting intrusions, and dealing with denial-of-service attacks. The following problems are addressed:
- Chapter 10 Alice is in charge of the security of a network. The network is too large and complex for her to harden every host and protect network resources from attack. How does she define a perimeter, set a uniform policy for the network, and defend against malicious external attacks? Once she defines the perimeter, how does she allow remote access for legitimate users while excluding others?
- Chapter 11 Alice is in charge of the security of a network. How does she defend a network against attacks? How does she detect intrusions and respond? How can she deal with massive denial-of-service attacks?
Part V The fifth and final part of the book deals with online commerce and privacy. The part covers issues such as using credit cards on the Web and the privacy of Web browsing. The following problems are addressed:
- Chapter 12 Alice runs an online store. How does she make sure that her customers can shop online without the threat of their credit cards being stolen by an active attacker on the network? She would like to add security while not adversely affecting the performance of her server. Bob likes to shop online. Should he put his credit card into a Web form? What is he risking by doing so?
- Chapter 13 Alice likes to use the Internet. She browses the Web on interesting topics, purchases things online, participates in e-mail discussion groups and chats, and maintains her own Web site. How does Alice preserve the privacy of her personal information? How does she prevent third parties from collecting information about her and tracking her online presence?
How to Read This Book
There are several ways to read this book. If you are reading it because you have some of the problems mentioned here, then the best thing to do is to jump to the chapter that addresses your problem and read it. If it is in the middle of a part, you may find that some of the material in the earlier chapters is needed, so I recommend that you find the part that contains your problem and read that whole part.
If you are interested in learning about all of the problems, or security in general, then read the book from start to finish. There is no dependence on order in the parts, so you can read them in whatever order you like, but it is best to read the chapters within a part in the order they appear.
At the end of each chapter there is a listing of all of the references that are cited within the text. The books, articles, and Web sites are listed in the order that they appear. I have done my best to reference only Web sites that I expect to be around for a while, and I have tested all of them several times since I wrote each section, but of course, the Web is dynamic, so there are no guarantees. I maintain a Web site with all of the links in the book, and I keep it as up to date as possible. The URL is http://white-hat.org/. Please let me know if you find a broken link there. At the end of the book is the full bibliography listed by the numbers that are used for citation within the text.
There is a glossary of acronyms used throughout the book, so if you come across a term you do not understand, it may help to check there.
Avi Rubin rubin@research.att.com 0201711141P06122001
Index
A
Absent, 216-219, 220
Access control. See Access control lists (ACLs); Capabilities model
Access control lists (ACLs), 86, 93-96
firewalls and, 201, 203-204, 223
Access control matrices, 95, 96
ACSnet, xxv
ActiveX control attacks, 35-36, 233
Address Resolution Protocol (ARP), 234, 241, 242
Adleman, Len, 17
Administrator. See System administrator
Advanced Encryption Standard (AES), 55, 56-58, 180
in backups, 112
Web site, 180
Aggressive exchange, 173
Algebraic rewriting systems, 166
Algorithm independence, 170
Algorithms, 54, 56. See also Advanced Encryption Standard (AES); Data Encryption Standard (DES); MD5 algorithm; RSA algorithm
Blowfish, 106, 108
CAST, 57, 106, 109
DESX, 79, 80
MARS, 57
Quicksort, 148
RC series, 55, 57, 265, 270
Secure Hash (SHA), 58, 59, 60, 144, 149, 162, 186
Serpent, 57
Twofish, 57, 181
American Express, 261
Analyzer, 243
Andrew File System (AFS), 86-87, 96
access control, 93-96
Needham and Schroeder protocol, 151
passwords, 87-92
Anonymity and session keys, 169-170, 172
Anonymizer, 294
Anonymous Diffie-Hellman, 158-160
Anonymous posting, 296-298
Anonymous remailers, 287-288
Anonymous surfing, 294-295, 296
attacks, 295-296
AntiSniff, 243
Antivirus Research Center, 39
Antivirus software. See Virus protection software
Apache-SSL, 268
Application-layer security, 181, 184, 186-187
remote access, 212
Application-level data
firewalls and, 203
sniffers, 241
Application-level gateways, 201, 202, 203-204
mapping and, 238
toolkits, 204
ARPAnet, xxv
ASN.1 notation, 127
Asymmetric cryptography. See Cryptography, public key
@backup, 108
@stake, 88
Attack programs, 85, 108, 229-230
DDOS, 237
hijacking, 234
ICMP, 203
mapping, 229, 250-253
password, 88
proxies, 231-232
remote control, 12, 230-231, 232
sniffers, 105, 209, 238, 239-243
wardialers, 212
Attacks, 5, 227, 229-237, 250-253. See also specific attacks
defenses against, 237-250
Java/JavaScript and, 295-296
single sign-on, 278-280
Audit systems, 198
E-commerce privacy, 292
financial institutions, 4
Augmented Key Exchange (AKE), 90-91, 92
Authentication, 48-49, 179, 180. See also Cryptography
in backup programs, 108, 110, 114
confidentiality vs., 54, 60, 180
credentials, 63
exit control, 206
IPsec, 192-193
MACs, 58-61, 144-145, 192-193
NFS, 86
session keys, 143-145
Authentication Header (AH), 189-190, 192-193
Authentication-only exchange, 172-173
Authentication, server, 121, 209
SFS, 97, 98
SSL/TLS, 261
Authentication, user, 87-92, 179, 180. See also Identity; Passwords
backup and, 105, 108, 109, 112-113, 114
biometrics, 209-210
certificates, 126-129, 130-131, 133-140
confidentiality vs., 154, 190
long-term relations, 120-141, 143-175
NFS, 85, 86
public key cryptography, 90, 120-132, 133-140, 157-175
register, 129-130
remote access, 209-219, 220
session keys, 143-175
SFS, 97
SSL/TLS, 261
symmetric cryptography, 132, 149-156
Authorization certificates, 126. See also Permissions
Axent Technologies, 244
Intruder Alert, 246
Net Prowler, 246
B
Babylonia, 37-39
Back doors, 12, 230-231
BackJack, 109
BackOrifice (BO2K), 12, 230-231, 232
Backup database, incremental, 113-114
Backups, 48, 49, 103-111
deleting, 110-111
in EFS, 79
encrypted, 104, 122
exit control as, 206
incremental, 109, 113-114
in NFS, 85
product checklist, 107
public key certificates, 137
remote, 105-106
restoring, 112-113, 114
system design, 111-114
threat model, 103
unattended, 106, 108, 109, 112
viruses/worms and, 31, 33, 34, 36
Web sites, 107, 108, 109, 110
Bad guys, 227
Errata
Click below for Errata related to this title:
Errata
Praise For White-Hat Security Arsenal: Tackling the Threats
"I can recommend this book to anybody who is novice in the world of computer security as it will provide you with a good clue what you're up against, and how to deal with it. For all of you out there seeking information about the security protocols and ciphers, also." - HelpNetSecurity 12/2001
Review 5/5 Star Rating: "This book by Dr. Aviel D. Rubin...is probably the best overall introduction to computer and security I've seen so far." - Swynk.com 12/2001
"Rubin's superior explanations make this an essential book to read whether to overcome a specific and immediate obstacle or to generate a security policy. [This book] provides an exceptional reference for anyone involved with system security, protection and defense." - Sys Admin Magazine
"As a researcher, Avi has produced excellent work in a number of areas, and is an engaging writer. With the vast new opportunities on the Internet come problems, complex and confusing. . . . This book considers many of these
problems, analyzes them, and presents fine solutions. More importantly, [Avi] presents approaches to the solutions, which generalize to related problems you will encounter. . . . A book like this is a tremendous aid."
--From the foreword by William R. Cheswick
"This is one of the most readable yet exhaustive books on a vital aspect of computer technology. All computer users, whether they be hackers, IT professionals, academics, or just lay users, will benefit from its content and derive pleasure from its clear and user-friendly style. Rubin has done a great service by identifying and explicating the complexities and subtleties of computer security."
--Jack Goldman, Ph.D., Founder of Xerox PARC
"White-Hat Security Arsenal is an enormously valuable toolkit for anyone who depends on the Internet today. It gives a refreshingly realistic and hype-free picture of the threats, with practical and up-to-date guidance not only on how to protect yourself, but on what to worry about if you don't."
--Matt Blaze, Ph.D., AT&T Labs-Research
"Avi's book has breadth and depth relating to information security defense needs. It tackles your shackles and threats in Nets with blistery history and constructive realism."
--Peter G. Neumann, Ph.D., Principal Scientist, Computer Science Lab, SRI International, author of Computer-Related Risks, moderator of the ACM Risks Forum
"Avi Rubin has done a stunning job of presenting the material and correctly stressing key points. . . . I can't wait to recommend this book to security folks in my own company and other companies with whom I am affiliated. It is extremely well done and offers many you-can-use-them-today insights."
--Sandra Henry-Stocker, Lead Systems Engineer, E Trade, and
Security Columnist, UNIX Insider
"White-Hat Security Arsenal is an intelligent, informative, and well-written book. It's one of the most readable computer science books I've ever picked up."
--Bruce Davie, Ph.D., Cisco Fellow, Cisco Systems, Inc., coauthor of
Computer Networks: A Systems Approach
"Avi's book examines commonly encountered security problems and offers sufficient insight for even the most lay computer user to appreciate the nature of threats and vulnerabilities associated with Internet-connected computers. But the book offers much more than basic diagnosis and treatment. More advanced network and security professionals should learn enough about the building blocks of security from this book to feel confident in designing, selecting, and implementing security systems and services."
--David M. Piscitello, Core Competence, Inc.
"An excellent resource for students and professionals wishing to learn about computer security. Each chapter directly delves into a specific branch of computer security. Rubin succinctly presents the main challenges and common solutions to each topic. Throughout the book the discussion is motivated by many entertaining real world examples. The reader is quickly exposed to various security blunders and cutting-edge systems designed to defend against such blunders. Overall, this book is fun to read and introduces the reader to all current techniques used in computer security."
--Dan Boneh, Ph.D., Computer Science Professor, Stanford University
"This book is not your standard how-to security book. This is a well-designed, well-written volume on just what the threats are, how they work, and what you have on hand to resist them. Viruses, worms, and denial of service attacks are just the beginning. Most interestingly, Rubin dissects the Morris Worm, Melissa, I Love You, and several other malicious invertebrates. His explanations of just how these infiltrative beasties work are just brilliant. This is a 'different' security book, and it's one you really need."
--Peter H. Salus, Ph.D., Chief Knowledge Officer, Matrix.Net, author of
A Quarter Century of UNIX and Casting the Net
"Avi Rubin does a great job of explaining the motivations behind many security solutions, as well as providing practical information about how you can solve real-world problems. White Hat Security Arsenal is an invaluable resource—a judicious mix of practical information and the theory behind it."
—Marcus J. Ranum, CTO NFR Security, Inc.
"White-Hat Security Arsenal ups the ante for the good guys in the arms race against computer-based crime. Like a barrage of cruise missiles, Avi's excellent book attains air superiority by leveraging smarts and advanced GPS technology to zero in on critical targets. Intended to educate and inform information security professionals with a no-nonsense, hold-the-hype approach to security, this book is a critical weapon for modern information warriors. If you wear a white hat and are on the good guy's team, buy this book. Don't go into battle without it!" —Gary McGraw, Ph.D., CTO, Cigital
“[This book] tackles the difficult task of explaining technical details in a clear fashion very well…It is a helpful book supplemented with lots of short, good case studies and lots of relevant web site references. I am happy to recommend this book to hats of any color.” - Cipher: Electronic Newsletter of the IEEE Computer Society’s TCSP
“Rubin collects his experiences in the information security arena in this book and provides an excellent field guide to the fundamentals of securing computer systems against attack. Rubin gives a solid overview of each security problem…” - SecurityManagement.com
Praise for Aviel D. Rubin's White-Hat Security Arsenal
"As a researcher, Avi has produced excellent work in a number of areas, and is an engaging writer. With the vast new opportunities on the Internet come problems, complex and confusing.... This book considers many of these problems, analyzes them, and presents fine solutions. More importantly, [Avi] presents approaches to the solutions, which generalize to related problems you will encounter.... A book like this is a tremendous aid."
-From the foreword by William R. Cheswick
"This is one of the most readable yet exhaustive books on a vital aspect of computer technology. All computer users, whether they be hackers, IT professionals, academics, or just lay users, will benefit from its content and derive pleasure from its clear and user-friendly style. Rubin has done a great service by identifying and explicating the complexities and subtleties of computer security."
-Jack Goldman, Ph.D., Founder of Xerox PARC
"White-Hat Security Arsenal is an enormously valuable toolkit for anyone who depends on the Internet today. It gives a refreshingly realistic and hype-free picture of the threats, with practical and up-to-date guidance not only on how to protect yourself, but on what to worry about if you don't."
-Matt Blaze, Ph.D., AT&T Labs-Research
"Avi's book has breadth and depth relating to information security defense needs. It tackles your shackles and threats in Nets with blistery history and constructive realism."
-Peter G. Neumann, Ph.D., Principal Scientist, Computer Science Lab, SRI International, author of Computer-Related Risks, moderator of the ACM Risks Forum
"Avi Rubin has done a stunning job of presenting the material and correctly stressing key points.... I can't wait to recommend this book to security folks in my own company and other companies with whom I am affiliated. It is extremely well done and offers many you-can-use-them-today insights."
-Sandra Henry-Stocker, Lead Systems Engineer, E-Trade, and Security Columnist, UNIX Insider
"White-Hat Security Arsenal is an intelligent, informative, and well-written book. It's one of the most readable computer science books I've ever picked up."
-Bruce Davie, Ph.D., Cisco Fellow, Cisco Systems, Inc., coauthor of Computer Networks: A Systems Approach
"Avi's book examines commonly encountered security problems and offers sufficient insight for even the most lay computer user to appreciate the nature of threats and vulnerabilities associated with Internet-connected computers. But the book offers much more than basic diagnosis and treatment. More advanced network and security professionals should learn enough about the building blocks of security from this book to feel confident in designing, selecting, and implementing security systems and services."
-David M. Piscitello, Core Competence, Inc.
"An excellent resource for students and professionals wishing to learn about computer security. Each chapter directly delves into a specific branch of computer security. Rubin succinctly presents the main challenges and common solutions to each topic. Throughout the book the discussion is motivated by many entertaining real-world examples. The reader is quickly exposed to various security blunders and cutting-edge systems designed to defend against such blunders. Overall, this book is fun to read and introduces the reader to all current techniques used in computer security."
-Dan Boneh, Ph.D., Computer Science Professor, Stanford University
"This book is not your standard how-to security book. This is a well-designed, well-written volume on just what the threats are, how they work, and what you have on hand to resist them. Viruses, worms, and denial of service attacks are just the beginning. Most interestingly, Rubin dissects the Morris Worm, Melissa, I Love You, and several other malicious invertebrates. His explanations of just how these infiltrative beasties work are just brilliant. This is a 'different' security book, and it's one you really need."
-Peter H. Salus, Ph.D., Chief Knowledge Officer, Matrix.Net, author of A Quarter Century of UNIX and Casting the Net