Stealing the Network: How to Own the Box
by Ryan Russell, et al
Syngress Publishing, Inc, 2003
Review score: *** out of *****
Stealing the Network: How to Own the Box is a book about breaking into computer systems by various means, ranging from obtaining physical access to network intrusion. There are lots of books on computer security and on breaking into computer systems. What is unusual about this book is that it is composed of fictional stories built around various "exploits" used to gain access to computer systems. The book has nine authors: Ryan Russell, Tim Mullen, FX, Dan Kaminsky, Joe Grand, Ken Pfeil, Ido Dubrawsky, Mark Burnett and Paul Craig. Each wrote a chapter, except for Ryan Russell, who edited the book and wrote two chapters. All of the authors are involved in computer security or computer intrusion (or perhaps both, at differing points in their lives).
The fictional nature of the book makes it readable, although Stealing the Network is not exactly Neuromancer. Most of the chapters revolve around a different fictional character using various methods to gain unauthorized access to computer systems. These include "social engineering": obtaining information or physical access by gaining the confidence of people at a company. Some of the attacks are sophisticated. One vignette involves a beautiful woman hacker who specializes in hacking into printers.
One of the objectives of the authors of Stealing the Network is to get you to think about computer security in new ways. Before reading Stealing the Network I had never thought of printers as possible targets for intrusion attack. Printers have evolved into full network devices that run some form of operating system, including a complete TCP/IP network stack. Although printers are increasingly powerful computers, they started out as dumb devices (raise your hand if you remember the old "chain" printers), so there is a tendency to keep thinking of them as dumb devices. This means that the network security on a printer may be non-existent: default passwords, open management ports and firmware that is never patched. Since the printer can communicate with the rest of the network, it can serve as a platform for attack (as a network proxy, if nothing else).
Although the characters in Stealing the Network are fictional, the techniques and software tools are real. The attack described in each chapter also includes a description of the software tools used (in some cases including the web site that publishes the software). The details of the attack are also broken down. Unless you have a real passion for the fine details of computer security and intrusion, these accounts can become tedious in places.
The appendix of Stealing the Network is titled Laws of Computer Security, and it attempts to summarize some of the issues raised in the stories. Stealing the Network is a valuable reference for those who want to understand current security exploits. The usefulness of the book as a reference is harmed by the fact that it does not include an index.
We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security. Think about the most recent security vulnerability about which you've read. Maybe it's a killer packet that allows an attacker to crash some server by sending it a particular packet. Maybe it's one of the gazillions of buffer overflows that allow an attacker to take control of a computer by sending it a particular malformed message. Maybe it's an encryption vulnerability that allows an attacker to read an encrypted message or to fool an authentication system. These are all software issues.
Bruce Schneier, from the foreword to Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw, Addison-Wesley, 2002
Computer security is viewed by many people as "cool". Think of Case, the cyberspace cowboy in Neuromancer, hacking into computer systems. The mirror image of Case is the computer security guru who protects the system with a vast store of knowledge. Some computer security "gurus" have even gained their fifteen minutes of media fame (can you say SATAN?). The truth is that networked computer systems are vulnerable because of human limitations. While computer security is important, it may come as a shock to those who attend conferences like Black Hat to learn that computer security is not as cool as they think it is.
The design and implementation of secure computer networks, or at least of networks that will not fall to most of the attacks described in Stealing the Network, do not depend on new results from computer science research or software engineering. As Bruce Schneier points out above, the problems encountered in computer security are frequently the result of well understood issues. For example, many of the network attacks described in Stealing the Network are buffer overflow attacks. Methods for avoiding buffer overflow problems have been known for something like 30 years.
There are two major historical factors that have led to the poor state of computer security that prompts me to read books like Stealing the Network. These are:
Susceptibility to buffer overflow attack (as noted above)
The C and C++ programming languages have been used to implement every major operating system in use today (e.g., Windows, UNIX and Linux). This includes the operating systems that run on network routers, like Cisco's IOS. Most buffer overflow attacks are possible because C and C++ compilers emit no range checks: an array or pointer access is compiled into a plain memory access, and nothing at runtime verifies that the access lies within the object it was meant to touch.
A range check allows buffer (array) overflows to be caught at runtime. For example, a buffer overflow exists in the code below, which calls the C library function gets. gets has no argument for the size of the buffer it writes into, so it cannot be called safely on untrusted input at all; it was removed from the C standard library in C11 for exactly this reason.
    #include <stdio.h>

    #define SIZE 80

    void read_lines(void)
    {
        char buf[SIZE];               /* fixed-size buffer on the stack */

        /* gets() has no way to learn that buf holds only SIZE bytes */
        while (gets(buf) != NULL) {
            ....
        }
    }
In this code a line of text, terminated by a newline character, is read from standard input (which might be connected to a TCP/IP socket). Nothing limits the line to the 80 bytes that buf can hold: a line of 80 or more characters (gets also appends a terminating NUL) overwrites whatever is stored after buf on the stack. A line of just the right length and content overwrites the saved return address of the function, so that when the function returns, execution continues at an address the attacker chose, typically inside code the attacker supplied in the same input.
Compilers for languages like Pascal and Java insert code that checks that every array (buffer) access is within the bounds of the memory allocated for the array. If there is an access beyond the end of the array, a runtime error results (in Java, an ArrayIndexOutOfBoundsException). The software fails, which is at worst a denial of service, but the intruder does not get to run code on the system.
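The following is an added example, not code from the book or from the review, showing what the gets loop above looks like once the read is bounded. fgets is told the size of the buffer, so it can never write past it; the remaining work, which gets could never do, is noticing that a line did not fit and discarding its tail so that the leftover bytes are not treated as the next line. The sample input is constructed here and stands in for what an attacker might send on stdin; fmemopen (POSIX) is used so the example runs without a real socket.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define SIZE 80

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/*
 * Bounded replacement for the gets() loop. fgets() stores at most size-1
 * bytes plus a terminating NUL, so the write cannot overflow buf. A line
 * longer than that is reported as LINE_TRUNCATED and the part that did not
 * fit is drained, so the next call starts at the next line instead of
 * treating the tail of the over-long line as fresh input.
 * (Lines containing an embedded NUL byte are not handled: strlen() would
 * stop early. Binary input needs a length-returning reader instead.)
 */
enum line_status read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline, as gets() did */
        return LINE_OK;
    }

    /* No newline in buf: the line filled the buffer, or it was the last line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;               /* fit exactly, or final line lacks a newline */
    while (c != '\n' && c != EOF)     /* discard the part that did not fit */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

struct line_stats { int lines; int truncated; };

/* Runs the bounded reader over an in-memory text (standing in for stdin)
 * and counts the lines and how many of them were longer than buf. */
struct line_stats count_lines(const char *text)
{
    struct line_stats st = {0, 0};
    char buf[SIZE];                   /* same fixed-size stack buffer as before */
    FILE *in = fmemopen((char *)text, strlen(text), "r");
    if (in == NULL)
        return st;
    enum line_status s;
    while ((s = read_line_bounded(in, buf, sizeof buf)) != LINE_EOF) {
        st.lines++;
        if (s == LINE_TRUNCATED)
            st.truncated++;
    }
    fclose(in);
    return st;
}

/* Constructed sample input (not from the book): a short line, a line that
 * exactly fills buf, a 200-character line that would overflow gets(), and a
 * final line with no trailing newline. */
const char *sample_input(void)
{
    static char text[512];
    size_t n = 0;
    n += (size_t)snprintf(text + n, sizeof text - n, "short line\n");
    memset(text + n, 'A', SIZE - 1);  n += SIZE - 1;   /* 79 bytes: fits exactly */
    text[n++] = '\n';
    memset(text + n, 'B', 200);       n += 200;        /* 200 bytes: would overflow gets() */
    text[n++] = '\n';
    n += (size_t)snprintf(text + n, sizeof text - n, "no newline at end");
    text[n] = '\0';
    return text;
}

int main(void)
{
    struct line_stats st = count_lines(sample_input());
    printf("%d lines read, %d truncated\n", st.lines, st.truncated);
    return 0;
}
```

On the constructed input the reader sees four lines and flags exactly one as truncated: the 79-character line fits because fgets leaves room for the NUL, the 200-character line is cut at 79 bytes and its remaining 121 bytes are thrown away rather than being read as a second line. Whether truncation should be treated as an error or silently accepted is a policy decision the caller has to make; gets never gave it the chance.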
The equivalence between arrays and pointers in C makes it very difficult, if not impossible, to compile range checks into C: once an array has decayed to a pointer, the compiler no longer knows how large the object behind it is. Dennis Ritchie, who designed C, and Brian Kernighan, who co-wrote its defining book, might have designed the language differently had they realized that it would become the lingua franca of software. C was designed so that it could be efficiently translated into the instruction set of the Digital Equipment Corporation PDP-11. This allowed C to be used as an efficient vehicle for implementing operating system software (e.g., the early versions of UNIX). The extra code a compiler must generate to support range checks was anathema to C's concentration on efficiency.
Since every operating system in widespread use has been implemented in C (or C++), the historical decisions in the C programming language are behind many of the computer network vulnerabilities that exist today.
Microsoft Software
The most commonly attacked and penetrated computer systems run various versions of Microsoft's Windows operating system. The original root of the security problems in Windows-based operating systems is that Microsoft's model of computation was a computer running Microsoft Windows on every desktop, joined by a network that supported simple operations like printing. Unlike UNIX, which evolved on systems joined by the ARPANET and later the Internet, the Internet was not part of Microsoft's world view until it exploded into popular culture. In Microsoft's view, computers running Windows would only communicate with other computers running Windows within a corporate network. The Web did not exist in this world view, and computer networks were not heavily connected to the outside world. As a result, network security was not an issue Microsoft considered much.
Microsoft implemented features like OLE (Object Linking and Embedding), which allows a Microsoft Word document to include a spreadsheet constructed with Microsoft Excel. By clicking on the spreadsheet you can bring up Excel and make changes in it. By allowing code execution to be started from a document, which could be sent via e-mail, Microsoft laid the foundation for security holes which are probably still not fixed.
All this is old history with Microsoft and a larger question exists: Why did Microsoft not take action to re-architect their software when it became obvious that the foundation for their design view was wrong? The fact that viruses have exploited vulnerabilities in Microsoft e-mail for years is simply inexcusable.
As Stealing the Network points out, there is no way to build a computer system that cannot be successfully attacked by some means. If nothing else, high levels of security make computer systems difficult to use. UNIX was designed in reaction to the secure, but difficult to use, MULTICS operating system. Systems that are difficult to use may be compromised as their users open holes to make their jobs easier.
While recognizing the limitations of computer security, it is still obvious that computer security could be greatly improved if people simply applied the knowledge that engineers and computer scientists have had for many years. Many of the vulnerabilities exploited by the characters in Stealing the Network would not exist if this happened. Firewalls and network intrusion detection systems exist to protect against problems that could have been avoided.
The computer security/hacker community, like any community, has developed its own set of jargon. Some of this is generally familiar in the software world. The one term that I found unfamiliar was the term "0-day exploit". I did not find an explanation for this term in this book, but I later found that it means an exploit with 0 days of warning before the attack.
For example, it frequently happens that a vulnerability is announced for Microsoft operating systems along with a patch. An attack does not appear for some number of days, so there is some chance to install the patch (or block the affected service) before the system is hit.
In a 0-day exploit, a previously unknown vulnerability becomes known only as a result of a successful attack. No patch exists when the attack occurs, and those who manage the computer system have had 0 days of warning. The security research community hopes to keep ahead of those who attack computer systems, but as the potential profits from system attacks increase, 0-day attacks become inevitable.
Ian Kaplan
September 2003
Last updated on: October 2003