Wireless Security and Privacy: Best Practices and Design Techniques
Authors: Tara M. Swaminatha and Charles R. Elden
Available for download is chapter 9 entitled “Identify Targets and Roles”.
Wireless security is certainly one of this year’s hot topics. Everybody is talking about wardriving, warchalking, and so on. Several software titles have been developed to help discover and/or protect wireless networks. There are wardriving events taking place where participants cruise around cities searching for vulnerable wireless networks, and the results are not that good – there are just too many insecure networks out there.
This is just the perfect time to release a book like this.
Who are the people behind this book?
Tara M. Swaminatha is an information security administrator for the International Finance Corporation, a part of the World Bank Group. Tara is responsible for educating the IFC about information security, conducting technical product evaluations, offering security classes to employees, and assisting with the definition and implementation of plans for security best practices and technologies.
Charles R. Elden is an independent security consultant. He has worked as a manager and software security consultant with Cigital’s Software Security Group. He has experience performing communication and software systems risk analysis and risk management. Previously, he worked for the Central Intelligence Agency for 12 years and has worked for more than 11 years in the Directorate of Science and Technology’s Office of Technical Services.
An interview with Charles R. Elden is available here.
And the story begins…
The book starts with an introduction to wireless architecture. The authors start by illustrating a generic system architecture and describing how it works. What follows is a presentation of usage models and devices. When it comes to devices, the authors went into great detail by noting some historical facts and ideas before dwelling into consumer and technical issues. Both are covered very well and give the reader some good starting points to think about if they plan on purchasing a wireless device.
Next, we get an overview of network arrangements and technologies. The three types of wireless technologies introduced here are:
- Wireless Application Protocol (WAP)
Later in the book these types are explained extensively.
The network arrangements examined are:
- Personal Area Networks (PANs)
- Local Area Networks (LANs)
- Wide Area Networks (WANs)
In order to offer some practical insight into wireless security, the authors present four case studies that focus mainly on WLANs. The case studies describe places where a wireless network is used instead of a wired one: a hospital, an office complex, a university campus and a home.
The authors start discussing security with the following statement: “Security is not the result of properly designed and developed software or systems. Rather, it is part of the process used throughout the entire software lifecycle, from design to development, testing, deployment, and obsolescence.” What the authors aim to provide is information that will aid the reader to evaluate the security risks of his/her system. We are presented with security, development and management principles. The security principles presented are:
- Access control and Authorization
- Privacy and confidentiality
There’s enough detail for everyone here.
There’s a great sentence in book that essentially says it all: “Treat your device as you do your wallet.” When discussing devices the authors present Personal Digital Assistants, PalmOS devices, Pocket PC devices and the Black Berry device.
When talking about devices though, the authors focus more on the features of every device and less on security. This is useful for people who are not that familiar with wireless devices.
Wireless application languages are also covered: Java 2 Micro Edition (J2ME), Wireless Markup Language (WML) and WMLScript. The authors illustrate how these differ from wired languages and continue by describing the basic forms of those languages, their specifics and security features. As the authors themselves note – the languages are not covered in great detail, they are presented with an overview with some good references. One of the books mentioned here is “Building Secure Software”, whose review you can read here.
What we get in this chapter is an overview of cryptography with important issues for wireless developers. This chapter is based on the unpublished work “Introduction to Applied Cryptography” by Tadayoshi Kohno. Among other things here we learn what applied cryptography is, what it can accomplish and how it should be used. The authors note that they have simplified some concepts in order to make them more understandable to to the non-cryptographer. Here we learn about: Applied Cryptography, Symmetric Cryptography, Asymmetric Cryptography, and more.
We all know that out-of-the-box software gives us a false sense of security. This, of course, applies also to wireless applications. The authors compare commercial and custom software and list the advantages and disadvantages of both. What we get here is an overview of Virtual Private Networks, Tunnelling, IPSec, Smart Cards and Biometric Authentication. I just wish there was more material on the latter two, which are covered very briefly.
“Privacy is an essential feature of any product or service – and a core business objective” note the authors. As an introduction to the topic the authors illustrate privacy problems in the wired world and, among other things, mention DCS1000 a.k.a Carnivore – the FBI e-mail tracking system.
Although wireless privacy issues are not much different from the privacy issues of the wired World, we learn that there are some greater concerns among wireless users:
- Privacy Policies – these obscure legal statements are very long and difficult to read on small screen so wireless carriers seek shorter privacy policies that inform the users without influencing their battery cycles and billing.
- Government and corporate Surveillance – the problem is not only what you are doing but also where you are doing it from.
When addressing privacy related problems, the authors write about the Wireless Communications and Public Safety Act of 1999, the U.S.A. Patriot Act of 2001 and much more.
In the last four chapters of the book we learn how to apply the I-ADD security analysis process which consists of four phases:
- Identify targets and roles
- Analyze known attacks, vulnerabilities, and theoretical attacks, generating mitigations and protections
- Define a strategy for security, mindful of security/functionality/management trade-offs
- Design security in from the start.
In my humble opinion
This is a good book depending on what you’re looking for. If you’re a person that likes technical books in which the material is not complemented with humour and witty remarks than you struck gold. What it lacks is descriptions of specific software titles and a CD-ROM. It would be immensely helpful for the reader to have something to use while reading the book.
A significant addition to this book is certainly the abundance of diagrams that greatly facilitate the understanding of the material. Without it, some of the material may be difficult to grasp.
If you’re looking for a book to get you started in the world of wireless security this is a good one but if you’re looking for advices on what software to use, to secure your wireless network, than you’ll have to look elsewhere.