Secrets and Lies: Digital Security in a Networked World

by Bruce Schneier

Overview

Welcome to the businessworld.com. It's digital: Information is more readily accessible than ever. It's inescapably connected: businesses are increasingly —if not totally—dependent on digital communications. But our passion for technology has a price: increased exposure to security threats. Companies around the world need to understand the risks associated with doing business electronically. The answer starts here.

Information security expert Bruce Schneier explains what everyone in business needs to know about security in order to survive and be competitive. Pragmatic, interesting, and humorous, Schneier exposes the digital world and the realities of our networked society. He examines the entire system, from the reasons for technical insecurities to the minds behind malicious attacks. You'll be guided through the security war zone, and learn how to understand and arm yourself against the threats of our connected world.

There are no quick fixes for digital security. And with the number of security vulnerabilities, breaches, and digital disasters increasing over time, it's vital that you learn how to manage the vulnerabilities and protect your data in this networked world. You need to understand who the attackers are, what they want, and how to deal with the threats they represent. In Secrets and Lies, you'll learn about security technologies and product capabilities, as well as their limitations. And you'll find out how to respond given the landscape of your system and the limitations of your business.

With its accessible style, this practical guide covers:

• The digital threats and attacks that you must understand

• The security products and processes currently available

• The limitations of technology

• The steps involved in product testing to discover security flaws

• The technologies to watch for over the next couple of years

• Risk assessment in your company

• The implementation of security policies and countermeasures

Secrets and Lies offers the expert guidance you'll need to make the right choices about securing your digital self.

Editorial Reviews

From the Publisher
"...make yourself better informed. Read this book." (CVu, The Journal of the ACCU, Vol 16(3), June 2004)

TECHNOLOGY & YOU by Stephen H. Wildstrom
THE SECRETS & LIES OF CYBER-SECURITY
A computer virus shuts down your corporate e-mail for a day. Hackers deface your Web site with pornography. The need to share data with customers and vendors exposes critical corporate information to online theft. With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing or finance.
Such savvy, however, has been hard for non-techie executives to acquire. Books and articles on security generally came in two equally useless varieties: incomprehensible or sensationalized. Remember all those books on how the Y2K bug would end civilization as we knew it? Now, Bruce Schneier, a highly respected security expert, has stepped into the breach with Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, $29.99). The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be.
Schneier brings strong credentials to the job. His book Applied Cryptography is a classic in the field, and he is one of the creators of the Twofish algorithm, a finalist in the U.S. government's competition for the Advanced Encryption Standard. Schneier serves as chief technology officer of Counterpane Internet Security (www.counterpane.com), which manages computer security for corporations.
Although this is a book for the general reader, it's not always easy going. But Secrets & Lies requires no prior knowledge of computer or security technology and should be accessible to anyone who is willing to put in a little effort. For example, Schneier explains encryption, essentially a mathematical process, without resorting to a single equation. While Schneier is not an elegant writer, he has a nice ability to use analogies to make the obscure understandable.
The book has two main thrusts. First is Schneier's mantra: "Security is a process, not a product." Anyone who promises you a hacker-proof system or offers to provide "unbreakable" encryption is selling you snake oil. There is simply no way to wave a magic wand over a system to make it -and keep it- secure. Second, Schneier says, getting security right is hard, and small mistakes can be deadly.
Risk Management. Schneier backs his opinions with real-world examples. For instance, Hollywood was terrified of piracy and worked hard on a scheme to encrypt digital videodisks so that only authorized players could read the disks. The encryption would have been hard to break, but hackers didn't have to do it. A design flaw made it easy to steal the decryption keys from the software players supplied with PC's. Similarly, most e-commerce sites use a technology called SSL to protect transaction data from online snoopers. SSL works fine, but some e-tailers left customers' credit card information in files where hackers could swipe it.
The last third of the book is most valuable to managers. In it, Schneier discusses the process by which people should assess security vulnerabilities and decide what to do about them. His central point: Computer security is basically risk management. Banks and credit-card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly. That's good, since zero tolerance would put them out of business. Similarly, seeking perfect security would make a system useless because anything worth doing carries some risk.
Unfortunately, the art of computer security has not progressed to the point where Underwriters Labs can certify that a firewall can protect you against attack for two hours, as can be done for safes and fire doors. But with the crude tools that are available, managers have to decide what they are trying to protect and how much they are willing to spend, both in cost and convenience, to defend it. This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library. (Business Week, September 18, 2000)

As an editor at a computer publication in the early 1990s, I hired a freelance security expert to evaluate anti-virus software. After extensive testing he faxed the results; unfortunately, the fax went to one of my publication's direct competitors. His gaffe demonstrated why we will never see fail-safe computer security: human error.
That premise emerged as a central theme of a new book written by the same freelancer, now a leading security expert. "Secrets and Lies: Digital Security in a Networked World" (John Wiley & Sons, 2000, $29.99), by Bruce Schneier, is a compelling brief on the industry's most obsessive anxiety.
It's not a story for the faint of heart. Schneier's scary world makes the Wild West—to which the Internet is often compared—look like kindergarten. (For every gory detail on computer crime, check out "Tangled Web," by Richard Power; Que, 2000, $25.)
"Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks—such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers—made headlines.
Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages.
A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats."
"Script kiddies"—wannabes who use turnkey hacking tools they find posted on the Web—may be emerging as the biggest threat.
Schneier explains the reasons for this grim scenario in simple truths:

• In the hacking wars, technology favors offense over defense.

• Complexity is the enemy of security, and the Internet is the mother of all complex systems.

• Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities.

• People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data) that it said would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key—typical among lazy computer users—a neophyte hacker would need about five minutes.
Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised.
It's not hard to imagine why security software developers would be short on confidence—their products are nearly always developed in a vacuum.
"A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"—probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough."
"If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day."
A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users—as individuals or employees—must understand their role in protecting information—instead of naively relying on software tools to work without human vigilance.
So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I was astonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign.
So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks.
Dopey business plans are a bigger threat to the "dot-com" world, and the sale of personal data by marketers a bigger threat to individuals, than hackers will ever be.

("'Lies' Propagates One Truth: No One Can Get a Lock on Net Security," by Charles Piller, Los Angeles Times, Monday, October 30, 2000)

A Security State of Mind
It's not encryption. It's not a password. It's not connecting through a VPN or an anonymizing service. Security means vastly different things to a national government, an e-commerce site, or a home user.
Governments are rightly paranoid about little things like their military preparedness, new weapons systems, communications codes, and sensitive information about other governments. E-commerce sites amass records for millions of consumers; a break-in could net huge numbers of credit cards. Businesses are constantly evolving, and your chief competitor would love to know what you're up to.
On the personal level, most of us don't have anything quite so vital as state secrets to protect, but theft of numbers and information that we use every day can make our lives a living hell. You only have to talk to one victim of identity theft to understand the excruciating agony of suddenly being victimized by technology, as computers reject your bank and credit cards, and credit reports repeatedly reflect some crook's misadventures with your name and money.

SCHNEIER SAYS
Security expert Bruce Schneier's new book, Secrets and Lies, details the challenges of maintaining security in a networked world. Time and again, he makes the depressing point that security ultimately depends on human nature. The person who doesn't follow procedure, the careless user who leaves a password on a sticky note, and the one who attaches a modem connected to an outside line to a machine behind the firewall are all committing security breaches. And those are the ones without malfeasance.
Schneier's book is an excellent read. Although he's a mathematician and security expert, the book is largely nontechnical (and even amusing, once you get past some of the horror stories). Unlike some other nontechnical security resources, Schneier's book is authoritative because he's been there and done that, having invented (and cracked) a couple of equally important algorithms. He understands the issues and the issues behind the issues.
If you're not a hacker, or if you're new to the scene, you'll gain an appreciation for why designers of security systems and inventors of encryption algorithms put their documentation into public view and invite attacks. Basically, if someone can point out a flaw in your logic or a vulnerability in the system, then you can eliminate the weakness. And if attackers can't break in with full knowledge of the mechanism you're using to keep them out, that's good security.
The book also shows you why formerly secure algorithms are no longer secure. In many cases it's simply that machines have gotten so fast that previously impossible numbers of calculations are now possible. Or that hundreds or thousands of machines working in concert over a network can outperform some of the largest supercomputers in decryption.
But in his introduction, Schneier says, "I have written this book...to correct a mistake." The mistake was his earlier contention that cryptography would keep all our information safe and be the key to a sophisticated digital world. As things have turned out, cryptography is a small but necessary ingredient in the much more complex recipe for security and privacy.

FOR YOUR EYES ONLY?
I regard privacy as a special instance of security. It's information security on the personal level: Your phone number. Your purchasing habits. Your bookmarked Web sites. Your credit card numbers. Your e-mail address. Your bank account number. Your vices. Your IP address.
We have different levels of sensitivity. My phone number is listed; perhaps yours isn't. I shop online with credit cards; maybe you don't. You browse without much thought to where you've been; I purge cookies and anonymize.
Virtually all e-commerce sites collect as much data on users as they can in order to amass demographic and psychographic profiles. This helps them personalize your on-line experience. In theory, it costs them less to sell more, and we should all benefit. But when private information becomes a corporate asset to be bought, bartered, and sold, as it recently did with Amazon.com's revised privacy policy, we have to pay attention to the ramifications.
Schneier's book will give you a firm foundation in what it takes to establish and maintain network security, but you should also think afresh about personal security. I recently found an uncharacteristically useful government-issued document in the form of a booklet, "Know the Rules; Use the Tools," from Senator Orrin Hatch's Judiciary Committee, available online at http://judiciary.senate.gov/Drivacv.htm. Download it. Read it. Use it. (PC Magazine, November 21, 2000, p. 91)

Think You're Safe Online? Think Again!
Let's assume for a moment that you are not a techie or a hacker. You're browsing in a bookstore and happen to pick up a copy of Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, $29.99). As you idly flip through it, all you see are dense paragraphs on arcana: the role of symmetric algorithms in encryption systems, the relative merits of code signing and access control at the interfaces, and what a one-way hash function does. Whoa! This is way over your head, you think, as you sheepishly put the book down and look for the latest Grisham thriller.
Not so fast. Despite big chunks of esoteric techspeak, Secrets and Lies is a thriller of a subtler sort. Author Bruce Schneier, chief technology officer at Counterpane Internet Security in San Jose, wrote a 1994 book called Applied Cryptography that became the bible of the field. Since then, while consulting for clients like Hewlett-Packard, Intel, and Merrill Lynch, he has done some deep and imaginative thinking on whether digital security is in fact an oxymoron. (As he says in the preface, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.) The result is a startlingly lively treatise on, among many other things, why our basic decency, trust, and willingness to help others will always allow "social engineers" (a hacker term for con artists) to leapfrog even the most elaborate firewall. There are, however, ways to minimize the damage, which Schneier spells out in user-friendly language, with lots of colorful asides: In a discussion of page-jacking, he mentions that the dial telephone was invented in 1887 by a Kansas City funeral director named Almon Strowger, who suspected that operators were routing his phone calls to rival undertakers.
But Secrets and Lies is also a jewel box of little surprises you can actually use. See, for example, Schneier's persuasive analysis of why writing down your password (in defiance of your system administrator's pleas) can make your computer, and your network, more secure rather than less. One thing's certain: This book will make you think twice about ever again using your Visa card on a secure Website. (Anne Fisher, Fortune Magazine, November 27, 2000, p. 304)

Attack Defense
Laymen have no idea just how hard maintaining security really is. For a more readable but rather depressing look at just how tough it can be, read Secrets and Lies: Digital Security in a Networked World (Wiley, $30), in which cryptographer and security consultant Bruce Schneier minces no words in describing the many ways computer systems can be compromised. The problem, it turns out, is as much human as technological. System managers often fail to install important security fixes. Users don't like systems that get in their way - like having to use passwords that are hard to remember. Miscreants may find it simpler to ask or pay someone for a password or trick them into divulging it rather than using sophisticated technical means. It can happen to you.
And you can minimize the risk. When it comes to security software, says Schneier, "Testing for all possible weaknesses is impossible." But he adds that "mediocre security now is better than perfect security never."
So keep that antivirus software updated, follow the other suggestions I offered in our June 12 issue and get yourself a firewall. I can't pretend to be able to test all the ins and outs of firewall software - Schneier makes it clear what a daunting task that is - but ZoneAlarm from Zone Labs seems to do a good job not just of fending off outsiders but also of warning you when the kind of malware that apparently bit Microsoft attempts to make mischief via the Net from inside your machine. It's free for personal and nonprofit users, $40 or less per machine for others.
Like other firewalls, ZoneAlarm will force you to make some decisions about permission that you are probably ill-equipped to make. But even if you get a few of those calls wrong, it's better than perfect security never. (Forbes Magazine, 11/27/00)

Bruce Schneier's latest book on security is a rare achievement, as it takes a highly technical and often deadly dull topic and creates a surprisingly accessible and often fascinating read for even the least techy exec. "Secrets and Lies" lays out the current landscape of network security, from the challenges presented by hackers and viruses to the often ineffectual state of corporate security systems. Schneier offers enough gritty history, cautionary tales, and colorful explanations to keep readers engrossed, whether they're new to the security field or seasoned professionals. In addition, he has managed to pepper his text (especially the latter sections) with plenty of useful tips and advice that can help companies battle their way through the dangerous and often confusing task of securing their most valued assets. —Daintry Duffy (CIO Magazine, page 58, November 15, 2000)

"The great thing about the book - the thing that makes it an essential read - is that Schneier is an excellent teacher. .... At times the book is even funny, which makes even technical chapters an easy read..."(Computing, 22nd March 2001)

"Bruce Schneier's book is a common-sense, practical guide..."(Computing, 22nd March 2001)

"As a thoughtful read, prior to planning or reviewing your business's security strategy, you could not do better...." (Unixnt, February 2001)

"...worth a read..." (The Journal, November 2000)

"...essential reading for security practitioners..." (Computer Bulletin - Book of the Month, January 2001)

"...provides a timely debunking of myths...an invaluable reference point" (Computer Business Review, November 2000)

"not only is it entertaining, but it is likely to end up on the reference shelf of thousands of CIOs worldwide." (Information Age, December 2000)

"...a good read..." "The book is interesting [and] educational..." (E-business, Jan 2001)

"...a pragmatic, stimulating and rather readable guide..." (The Bookseller, 17th November 2000)

"This book is a must for any business person with a stake in e-commerce." (EuroBusiness, December 2000)

"...a jewel box of little surprises you can actually use" "...a startlingly lively treatise..." (Fortune, 27th November 2000)

"A thoroughly practical and accessible guide..." (Webspace, November 2000)

"[It's] written like a thriller (and a good one at that)..." (Managing Information Strategies, November 2000)

"Anyone who does business online should buy this book and read it carefully." (QSDG, December 2000)

"The book is an impressive 'how to think' like a hacker." (Supply Management, 16th November 2000)

"Schneier writes with a pleasingly readable style." (MacFormat, December 2000)

"Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational..." (Computer Weekly, 26th October 2000)

"...a very practical guide..." (Webspace, October 2000)

"If you only have time to read a single book on the subject, this is the one to read." "I think you owe it to yourself to take the time to read this book" "Highly recommended to all." (Overload, September 2000)

"A thoroughly practical and accessible guide to achieving security" (Webspace, August 2001)

"...if you haven't read Secrets and Lies yet, you should. If you have but it's been a while, take it along for your next plane ride..." (Technology and Society, 7 February 2003)

The Barnes & Noble Review
Finally in paperback: what may be the world’s most thoughtful guide to computer and network security. Bruce Schneier’s Secrets and Lies is for anyone who needs to address security: businesspeople and technical people alike.

Schneier begins with a paradox: “Even as we learn more about security... we build things with less security.” This book explains why -- and what can (and can’t) be done about it.

The problem starts with systems. They’re complex. They interact. They’re buggy. And they have “emergent” properties their creators never anticipated. The best (if imperfect) response: prevention, detection, and reaction. (Most networks rely primarily on prevention. Not enough.)

Schneier then explains why attacks are becoming more frequent, widespread, automated, and difficult to track. What to do? Working from the premise that technology isn’t nearly everything, he carefully explains today’s key security technologies. Never expected to understand public-key encryption or digital signatures? You finally will.

Today’s most common attacks are covered; so are the best available responses (often far from foolproof). There’s also a brutally realistic chapter on the human side of computer security: how people perceive risks, the futility of asking them to make intelligent security decisions, and the dangers of “social engineering.”

Part III is dedicated to high-level response strategies -- including Schneier’s own “attack trees” technique, the first systematic way to describe threats, countermeasures, and overall security.

Schneier’s updated this edition with a new introduction: “What Has Changed Since 9-11.” Like the rest of this book -- and his many public writings on homeland security -- it’s very much worth reading. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.

Business Week
A computer virus shuts down your corporate e-mail for a day. Hackers deface your Web site with pornography. The need to share data with customers and vendors exposes critical corporate information to online theft. With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing or finance. Such savvy, however, has been hard for non-techie executives to acquire. Books and articles on security generally came in two equally useless varieties: incomprehensible or sensationalized. Remember all those books on how the Y2K bug would end civilization as we knew it? Now, Bruce Schneier, a highly respected security expert, has stepped into the breach with Secrets Lies: Digital Security in a Networked World. The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be. Schneier brings strong credentials to the job. His book Applied Cryptography is a classic in the field, and he is one of the creators of the Twofish algorithm, a finalist in the U.S. government's competition for the Advanced Encryption Standard. Schneier serves as chief technology officer of Counterpane Internet Security, which manages computer security for corporations. Although this is a book for the general reader, it's not always easy going. But Secrets Lies requires no prior knowledge of computer or security technology and should be accessible to anyone who is willing to put in a little effort. For example, Schneier explains encryption, essentially a mathematical process, without resorting to a single equation. While Schneier is not an elegantwriter, he has a nice ability to use analogies to make the obscure understandable. The book has two main thrusts. First is Schneier's mantra: "Security is a process, not a product." Anyone who promises you a hacker-proof system or offers to provide "unbreakable" encryption is selling you snake oil. 
There is simply no way to wave a magic wand over a system to make it -and keep it- secure. Second, Schneier says, getting security right is hard, and small mistakes can be deadly.

Risk Management. Schneier backs his opinions with real-world examples. For instance, Hollywood was terrified of piracy and worked hard on a scheme to encrypt digital videodisks so that only authorized players could read the disks. The encryption would have been hard to break, but hackers didn't have to do it. A design flaw made it easy to steal the decryption keys from the software players supplied with PC's. Similarly, most e-commerce sites use a technology called SSL to protect transaction data from online snoopers. SSL works fine, but some e-tailers left customers' credit card information in files where hackers could swipe it. The last third of the book is most valuable to managers. In it, Schneier discusses the process by which people should assess security vulnerabilities and decide what to do about them. His central point: Computer security is basically risk management. Banks and credit-card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly. That's good, since zero tolerance would put them out of business. Similarly, seeking perfect security would make a system useless because anything worth doing carries some risk. Unfortunately, the art of computer security has not progressed to the point where Underwriters Labs can certify that a firewall can protect you against attack for two hours, as can be done for safes and fire doors. But with the crude tools that are available, managers have to decide what they are trying to protect and how much they are willing to spend, both in cost and convenience, to defend it. This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library.

Charles Piller
Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks—such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers—made headlines. Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages.

A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats." "Script kiddies"—wannabes who use turnkey hacking tools they find posted on the Web—may be emerging as the biggest threat. Schneier explains the reasons for this grim scenario in simple truths: * In the hacking wars, technology favors offense over defense. * Complexity is the enemy of security, and the Internet is the mother of all complex systems. * Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities. * People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data that itsaid would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key—typical among lazy computer users—a neophyte hacker would need about five minutes.

Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised. It's not hard to imagine why security software developers would be short on confidence—their products are nearly always developed in a vacuum.

"A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"—probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough."

"If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day."

A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users—as individuals or employees—must understand their role in protecting information—instead of naively relying on software tools to work without human vigilance.

So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I was astonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign. So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks.

Dopey business plans are a bigger threat to the "dot-com" world, and the sale of personal data by marketers a bigger threat to individuals, than hackers will ever be. —"'Lies' Propagates One Truth: No One Can Get a Lock on Net Security," Los Angeles Times

PC Magazine
FOR YOUR EYES ONLY? I regard privacy as a special instance of security. It's information security on the personal level: Your phone number. Your purchasing habits. Your bookmarked Web sites. Your credit card numbers. Your e-mail address. Your bank account number. Your vices. Your IP address. We have different levels of sensitivity. My phone number is listed; perhaps yours isn't. I shop online with credit cards; maybe you don't. You browse without much thought to where you've been; I purge cookies and anonymize.

Virtually all e-commerce sites collect as much data on users as they can in order to amass demographic and psychographic profiles. This helps them personalize your on-line experience. In theory, it costs them less to sell more, and we should all benefit. But when private information becomes a corporate asset to be bought, bartered, and sold, as it recently did with Amazon.com's revised privacy policy, we have to pay attention to the ramifications.

Schneier's book will give you a firm foundation in what it takes to establish and maintain network security, but you should also think afresh about personal security.

Anne Fisher
Think You're Safe Online? Think Again! Let's assume for a moment that you are not a techie or a hacker. You're browsing in a bookstore and happen to pick up a copy of Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, $29.99). As you idly flip through it, all you see are dense paragraphs on arcana: the role of symmetric algorithms in encryption systems, the relative merits of code signing and access control at the interfaces, and what a one-way hash function does. Whoa! This is way over your head, you think, as you sheepishly put the book down and look for the latest Grisham thriller.

Not so fast. Despite big chunks of esoteric techspeak, Secrets and Lies is a thriller of a subtler sort. Author Bruce Schneier, chief technology officer at Counterpane Internet Security in San Jose, wrote a 1994 book called Applied Cryptography that became the bible of the field. Since then, while consulting for clients like Hewlett-Packard, Intel, and Merrill Lynch, he has done some deep and imaginative thinking on whether digital security is in fact an oxymoron. As he says in the preface, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. The result is a startlingly lively treatise on, among many other things, why our basic decency, trust, and willingness to help others will always allow "social engineers" (a hacker term for con artists) to leapfrog even the most elaborate firewall. There are, however, ways to minimize the damage, which Schneier spells out in user-friendly language, with lots of colorful asides: In a discussion of page-jacking, he mentions that the dial telephone was invented in 1887 by a Kansas City funeral director named Almon Strowger, who suspected that operators were routing his phone calls to rival undertakers. —Fortune Magazine, p. 304

Forbes Magazine
Attack Defense Laymen have no idea just how hard maintaining security really is. For a more readable but rather depressing look at just how tough it can be, read Secrets and Lies: Digital Security in a Networked World (Wiley, $30), in which cryptographer and security consultant Bruce Schneier minces no words in describing the many ways computer systems can be compromised. The problem, it turns out, is as much human as technological. System managers often fail to install important security fixes. Users don't like systems that get in their way - like having to use passwords that are hard to remember. Miscreants may find it simpler to ask or pay someone for a password or trick them into divulging it rather than using sophisticated technical means. It can happen to you.

And you can minimize the risk. When it comes to security software, says Schneier, "Testing for all possible weaknesses is impossible." But he adds that "mediocre security now is better than perfect security never."

So keep that antivirus software updated, follow the other suggestions I offered in our June 12 issue and get yourself a firewall. I can't pretend to be able to test all the ins and outs of firewall software - Schneier makes it clear what a daunting task that is - but ZoneAlarm from Zone Labs seems to do a good job not just of fending off outsiders but also of warning you when the kind of malware that apparently bit Microsoft attempts to make mischief via the Net from inside your machine. It's free for personal and nonprofit users, $40 or less per machine for others.

Like other firewalls, ZoneAlarm will force you to make some decisions about permission that you are probably ill-equipped to make. But even if you get a few of those calls wrong, it's better than perfect security never.

Daintry Duffy
Bruce Schneier's latest book on security is a rare achievement, as it takes a highly technical and often deadly dull topic and creates a surprisingly accessible and often fascinating read for even the least techy exec. "Secrets and Lies" lays out the current landscape of network security - from the challenges presented by hackers and viruses to the often ineffectual state of corporate security systems. Schneier offers enough gritty history, cautionary tales, and colorful explanations to keep readers engrossed, whether they're new to the security field or seasoned professionals. In addition, he has managed to pepper his text (especially the latter sections) with plenty of useful tips and advice that can help companies battle their way through the dangerous and often confusing task of securing their most valued assets. —CIO Magazine
Computing
The great thing about the book - the thing that makes it an essential read - is that Schneier is an excellent teacher. .... At times the book is even funny, which makes even technical chapters an easy read...
UNIX NT
"Bruce Schneier's book is a common-sense, practical guide..." (Computing, 22nd March 2001) "As a thoughtful read, prior to planning or reviewing your business's security strategy, you could not do better..."
Journal
...worth a read...
Computer Bulletin
...essential reading for security practitioners...
Computer Business Review
...provides a timely debunking of myths...an invaluable reference point.
E-business
...a good read...The book is interesting [and] educational...
EuroBusiness
This book is a must for any business person with a stake in e-commerce.
Bookseller
...a pragmatic, stimulating and rather readable guide...
Fortune
...a jewel box of little surprises you can actually use...a startlingly lively treatise...
Webspace
...a very practical guide... —this is the one to read.
Managing Information Strategies
[It's] written like a thriller (and a good one at that...
QSDG
Anyone who does business online should buy this book and read it carefully.
Supply Management
The book is an impressive 'how to think' like a hacker.
MacFormat
Schneier writes with a pleasingly readable style.
Computer Weekly
Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational...
Overload
"I think you owe it to yourself to take the time to read this book." "Highly recommended to all."
Danny Yee

Bruce Schneier begins Secrets and Lies by saying "I have written this book partly to correct a mistake" -- that being the utopian vision of cryptography in his earlier Applied Cryptography. Of the wonders he predicted in that work, he now writes:

"Cryptography can't do any of that.
"... Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers."

Secrets and Lies, then, is a non-technical introduction to the full, messy complexity of digital security. Cryptography is covered, but only as part of the broader picture and without any mathematics at all. The result is broadly accessible, but many of the ideas it explains are misunderstood even by the technically trained, so it is a work that offers something to techs and managers as well as lay readers.

Part 1 is a 70-page overview of digital security which could (and perhaps should) be read by anyone who uses the Net. Schneier surveys the threats, covering not just the full range of criminal attacks but also publicity attacks and attacks using the legal system. He categorizes the attackers, who can include national intelligence organizations and the press as well as terrorists, insiders, lone criminals, and corporate spies. And he looks at the various kinds of security we need, among them privacy, anonymity, integrity, authenticity, and audit.

Part 2 looks at a broad range of security technologies (cryptography and its context, software reliability, secure hardware, identification and authentication, and certificates and credentials) and security domains (computer, networked-computer, and network security), with a final chapter on "the human factor." Schneier provides clear, non-technical explanations of everything from the problems with mobile code to the uses of secure hardware to the limitations of digital certificates. In the process he corrects many common misconceptions about security, including some of the rather misleading statements used in product marketing.

Part 3, on security strategies, covers the management of digital security. Schneier looks at vulnerabilities, attack methodologies, and countermeasures (protection, detection, and response), stressing the importance of threat modelling and risk assessment (including an approach of his own called "attack trees"). He also covers product testing and verification and the future of products. In the final analysis, however, digital security is about risk management: "security is not a product; it's a process."
Electronic Review of Computer Books

Booknews
Information security expert Schneier tells businesses what they need to know to protect themselves from the risks of the wired world. He examines many aspects of networked society, from the reasons for technical insecurities to what's in the minds of hackers who engineer viruses and other malicious attacks. He provides practical advice about the capabilities and limitations of security technologies and products as well as how to recognize and manage vulnerabilities and protect data. Schneier is also the author of . Annotation c. Book News, Inc., Portland, OR (booknews.com)
In April 1999, Bruce Schneier, mathematician, digital security expert and unlikely hacker-scene hero, had an epiphany. It prodded him to reorganize his company, Counterpane Internet Security, and altered his view of securing computer systems. The fruits of that thinking also make up the bulk of his engaging and exhaustive new book, Secrets and Lies: Digital Security in a Networked World.

Schneier, the creator of two widely used data-scrambling formulas and author of the definitive Applied Cryptography, realized that he and his colleagues were trained to view security as a hopeless prophylactic, a passive approach that relies too heavily on complex technologies to keep hackers and criminals out. "Too many system designers think about security design as a cookbook thing," writes Schneier. Add a firewall and a pinch of encryption, and eventually you'll have a secure system.

He concluded that technology, no matter how complex, can't solve all our problems. "Security is rooted in the physical world. The physical world is not logical. It is not orderly," he explains. "People don't play along. They do the unexpected; they break the rules."

In a land of rule-breakers, rules-based systems are not especially useful. Instead of building the digital equivalent of a Maginot Line, Schneier argues, it is far more effective to think of security as an ongoing process of "risk management" that includes not just protection, but also detection and reaction mechanisms.

Secrets and Lies, then, isn't so much a "how-to" as a "how-to-think" - a philosophical road map in which Schneier guides the reader along the same path that brought about his new thinking. With the single-minded discipline of a programmer, Schneier spends almost two-thirds of the 400-page book getting to know the mind of the enemy, surveying the methods hackers employ to break into systems, from automated programs to the person-to-person con games known as "social engineering."

The aim in mastering such arcana, according to Schneier, is "threat modeling," which is his way of teaching readers to think like the most methodic of thieves. Schneier provides a series of cognitive exercises designed to get crime-inspiring synapses firing. How might one rig an election or hack a stored-value smartcard without getting caught, for instance?

In one exhaustive deconstruction, Schneier walks readers through the process of getting free pancakes: "We can eat and run. We can pay with a fake credit card, a fake check or counterfeit cash. We can persuade another patron to leave the restaurant without eating and eat his food. We can impersonate (or actually become) a cook, a waiter or the restaurant owner ..." Schneier goes so far as to diagram these threat models - to near-comic effect - with what he calls "attack trees." With such deep knowledge of one's potential security flaws in hand, managers can far more effectively secure their systems.

Schneier is the right person to popularize these views. His prose is lively and his work is informed by current headlines about the I Love You virus, obscure historical facts about Germany's World War II "Enigma" data-scrambling device and ancient myth. (How did Zeus sneak into Danae's supposedly impenetrable bronze chamber? He turned himself into gold dust and showered down into Danae's lap through a hole in the roof.)

In the wake of this year's denial-of-service attacks on major Web sites, Schneier's book joins a host of other popular works on digital security - most notably Winn Schwartau's Cybershock. Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational - two common pitfalls of writers who take on cybercrime and security. All this helps to explain Schneier's long-standing cult-hero status, even - indeed especially - among his esteemed hacker adversaries.

Business 2.0
Secrets is a comprehensive, well-written work on a topic few business leaders can afford to neglect.
--Business 2.0

Product Details

ISBN-13: 9780471253112
Publisher: Wiley
Publication date: 08/28/2000
Pages: 432
Product dimensions: 6.44(w) x 9.28(h) x 1.36(d)

Read an Excerpt


Chapter 1: Introduction

During March 2000, I kept a log of security events from various sources. Here are the news highlights:

Someone broke into the business-to-business Web site for SalesGate.com and stole about 3,000 customer records, including credit card numbers and other personal information. He posted some of them on the Internet.

For years, personal information has "leaked" from Web sites (such as Intuit) to advertisers (such as DoubleClick). When visitors used various financial calculators on the Intuit site, a design glitch in the Web site's programming allowed information they entered to be sent to DoubleClick. This happened without the users' knowledge or consent, and (more surprising) without Intuit's knowledge or consent.

Convicted criminal hacker Kevin Mitnick testified before Congress. He told them that social engineering is a major security vulnerability: He can often get passwords and other secrets just by pretending to be someone else and asking. A Gallup poll showed that a third of online consumers said that they might be less likely to make a purchase from a Web site, in light of recent computer-security events. Personal data from customers who ordered the PlayStation 2 from the Sony Web site were accidentally leaked to some other customers. (This is actually a rampant problem on all sorts of sites. People try to check out, only to be presented with the information of another random Web customer.)

Amazon.com pays commissions to third-party Web sites for referrals. Someone found a way to subvert the program that manages this, enabling anyone to channel information to whomever. It is unclear whether Amazon considers this a problem. The CIA director denied that the United States engages in economic espionage, but did not go on to deny the existence of the massive intelligence-gathering system called ECHELON.

Pierre-Guy Lavoie, 22, was convicted in Quebec of breaking into several Canadian and U.S. government computers. He will serve 12 months in prison.

Japan's Defense Agency delayed deployment of a new defense computer system after it discovered that the software had been developed by the members of the Aum Shinrikyo cult.

A new e-mail worm, called Pretty Park, spread across the Internet. It's a minor modification of one that appeared last year. It spreads automatically, by sending itself to all the addresses listed in a user's Outlook Express program.

Novell and Microsoft continued to exchange barbs about an alleged security bug with Windows 2000's Active Directory. Whether or not this is a real problem depends on what kind of security properties you expect from your directory. (I believe it's a design flaw in Windows, and not a bug.)

Two people in Sicily (Giuseppe Russo and his wife, Sandra Elazar) were arrested after stealing about 1,000 U.S. credit card numbers on the Internet and using them to purchase luxury goods and lottery tickets.

A hacker (actually a bored teenager) known as "Coolio" denied launching massive denial-of-service attacks in February 2000. He admitted to hacking into about 100 sites in the past, including cryptography company RSA Security and a site belonging to the U.S. State Department.

Attackers launched a denial-of-service attack against Microsoft's Israeli Web site. Jonathan Bosanac, a.k.a. "The Gatsby," was sentenced to 18 months in prison for hacking into three telephone company sites...

What People are saying about this

From the Publisher
"...this book is of value to anyone whose business depends on safe use of email, the Web, or other networked communications" and "belongs in every manager's library." —Business Week

"Schneier...peppers the book with lively anecdotes and aphorisms, making it unusually accessible." —Los Angeles Times

Schneier "offers a primer in practical computer security aimed at those shopping, communicating or doing business online—almost everyone, in other words." —The Economist

Schneier is "one of the foremost experts on computer security" and his 1995 Wiley book Applied Cryptography is "the landmark text on the security hazards of the Internet." —Time Out New York

Schneier "gives the state of the art on corporate security." —thestandard.com

Schneier "wrote the book on applied cryptography" —Information Security

Secrets & Lies is "a written, well researched exploration of digital security as a system." —slashdot.com

"Although Schneier's style is lively and spiced with unusual vocabulary (try looking up banausic and flagitious in your Funk and Wagnalls), no one is going to pick up this book for the sake of a good read. They want the information contained therein." —eWEEK.com

"In Secrets and Lies the things that actually go wrong are explained by lots of concrete examples, some stunning." —New Scientist

"Schneier's book is an excellent read.... He understands the issues and the issues behind the issues." —Bill Machrone

Review Anne Fisher calls Secrets and Lies "a jewel box of little surprises you can actually use" and refers to the book as "a startlingly lively treatise." —Fortune, November 27, 2000, p. 304

"Secrets and Lies should begin to dispel the fog of deception and special pleading around security, and it's fun." —New Scientist, 2nd September 2000

Meet the Author

BRUCE SCHNEIER is CTO and cofounder of Counterpane Internet Security, Inc., the first managed security monitoring services firm. He is the bestselling author of Applied Cryptography (Wiley) and a contributor to numerous business and technical publications. Schneier is also a frequent keynote speaker at conferences, and a creator of the Blowfish and Twofish encryption algorithms.

Customer Reviews

Secrets and Lies: Digital Security in a Networked World 4.9 out of 5 based on 0 ratings. 7 reviews.
Guest More than 1 year ago
This is one of the two books I think really formed my view of Information Security. Between 'Secrets and Lies', and 'Inside the Security Mind', I think we are ushering in a new age of Infosec books.
Guest More than 1 year ago
This book looks to be extremely delightful. I think it would be a great book for anyone that has any doubt about their security in this digital world we call the internet, people just wanting to learn about security, or even just home users that would like to know how computer security works. GO BUY IT NOW!
Guest More than 1 year ago
After reading this text, I now understand more about online security and how people do the good and bad things that they do online. This work definitely makes you think about what you do when shopping online.
Guest More than 1 year ago
Mr. Schneier has made an invaluable contribution to the new economy. He has written a very readable book that explains, in very plain English, the internet and network security issues with which everyone who has ever read or sent an email should be familiar. The book flows smoothly enough for you to read it at the beach, yet it contains so much critical information that after finishing it, you should bring it back to your office. The most compelling parts of the book point out the similarities and differences between security issues in the bricks and mortar world and the digital world.
Guest More than 1 year ago
I got about 40 pages into it over dinner and decided it was ready for the mandatory reading list here. If only it was required reading for everyone who does business online...
Guest More than 1 year ago
_Secrets and Lies_ is a necessary book for everyone who wonders about privacy and security on the Internet--that is to say, everyone. Schneier discusses the threats in cyberspace, the technologies to combat them, and (most importantly) the strategies that make those technologies work. It's not surprising that the technical information is solid. What might be surprising to some, though, is how lucid and funny Schneier's writing is. He doesn't talk down to readers, but you don't have to be a complete techie to understand what he's saying. Schneier's discussion of where things are and where they're going is fascinating and informative. I was especially interested by the legal stuff--many of the laws designed to enhance security and privacy actually damage it. Read this book, make your boss read it, make your IT manager read it, and send a copy to your congresscritter. It might just help make the Net safer.
Guest More than 1 year ago
I have just finished reading Schneier's most recent book - what an excellent piece of writing. I read it cover to cover and enjoyed almost every page. A very different approach than you took with Applied Cryptography which I also enjoyed.