Beautiful Security
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
Why Security Is Beautiful
Audience for This Book
Donation
Organization of the Material
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
1. Psychological Security Traps
Learned Helplessness and Naïveté
A Real-Life Example: How Microsoft Enabled L0phtCrack
Password and Authentication Security Could Have Been Better from the Start
Naïveté As the Client Counterpart to Learned Helplessness
Confirmation Traps
An Introduction to the Concept
The Analyst Confirmation Trap
Stale Threat Modeling
Rationalizing Away Capabilities
Functional Fixation
Vulnerability in Place of Security
Sunk Costs Versus Future Profits: An ISP Example
Sunk Costs Versus Future Profits: An Energy Example
Summary
2. Wireless Networking: Fertile Ground for Social Engineering
Easy Money
Setting Up the Attack
A Cornucopia of Personal Data
A Fundamental Flaw in Web Security: Not Trusting the Trust System
Establishing Wireless Trust
Adapting a Proven Solution
Wireless Gone Wild
Wireless As a Side Channel
What About the Wireless Access Point Itself?
Still, Wireless Is the Future
3. Beautiful Security Metrics
Security Metrics by Analogy: Health
Unreasonable Expectations
Data Transparency
Reasonable Metrics
Security Metrics by Example
Barings Bank: Insider Breach
The players
How it happened
What went wrong
Barings: “What if...”
Barings: Some security metrics
TJX: Outsider Breach
The players
How it happened
What went wrong
TJX: “What if...”
TJX: Some security metrics
Global metrics
Local metrics
More Public Data Sources
Summary
4. The Underground Economy of Security Breaches
The Makeup and Infrastructure of the Cyber Underground
The Underground Communication Infrastructure
The Attack Infrastructure
The Payoff
The Data Exchange
Information Sources
Attack Vectors
Exploiting website vulnerabilities
Malware
Phishing, facilitated by social-engineering spam
The Money-Laundering Game
How Can We Combat This Growing Underground Economy?
Devalue Data
Separate Permission from Information
Institute an Incentive/Reward Structure
Establish a Social Metric and Reputation System for Data Responsibility
Summary
5. Beautiful Trade: Rethinking E-Commerce Security
Deconstructing Commerce
Analyzing the Security Context
Weak Amelioration Attempts
3-D Secure
3-D Secure transactions
Evaluation of 3-D Secure
Secure Electronic Transaction
SET transactions
Evaluation of SET
Single-Use and Multiple-Use Virtual Cards
How virtual cards work
Broken Incentives
Consumer
Merchant and service provider
Acquiring and issuing banks
Card association
He who controls the spice
E-Commerce Redone: A New Security Model
Requirement 1: The Consumer Must Be Authenticated
Requirement 2: The Merchant Must Be Authenticated
Requirement 3: The Transaction Must Be Authorized
Requirement 4: Authentication Data Should Not Be Shared Outside of Authenticator and Authenticated
Requirement 5: The Process Must Not Rely Solely on Shared Secrets
Requirement 6: Authentication Should Be Portable (Not Tied to Hardware or Protocols)
Requirement 7: The Confidentiality and Integrity of Data and Transactions Must Be Maintained
The New Model
6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West
Attacks on Users
Exploit-Laden Banner Ads
Malvertisements
Deceptive Advertisements
Advertisers As Victims
False Impressions
Escaping Fraud-Prone CPM Advertising
Gaming CPC advertising
Inflating CPA costs
Why Don’t Advertisers Fight Harder?
Lessons from Other Procurement Contexts: The Special Challenges of Online Procurement
Creating Accountability in Online Advertising
7. The Evolution of PGP’s Web of Trust
PGP and OpenPGP
Trust, Validity, and Authority
Direct Trust
Hierarchical Trust
Cumulative Trust
The Basic PGP Web of Trust
Rough Edges in the Original Web of Trust
Supervalidity
The social implications of signing keys
PGP and Crypto History
Early PGP
Patent and Export Problems
The Crypto Wars
From PGP 3 to OpenPGP
Enhancements to the Original Web of Trust Model
Revocation
The basic model for revocation
Key revocation and expiration
Designated revokers
Freshness
Reasons for revocation
Scaling Issues
Extended introducers
Authoritative keys
Signature Bloat and Harassment
Exportable signatures
Key-editing policies
In-Certificate Preferences
The PGP Global Directory
Variable Trust Ratings
Interesting Areas for Further Research
Supervalidity
Social Networks and Traffic Analysis
References
8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits
Enter Honeyclients
Introducing the World’s First Open Source Honeyclient
Second-Generation Honeyclients
Honeyclient Operational Results
Transparent Activity from Windows XP
Storing and Correlating Honeyclient Data
Analysis of Exploits
Limitations of the Current Honeyclient Implementation
Related Work
The Future of Honeyclients
9. Tomorrow’s Security Cogs and Levers
Cloud Computing and Web Services: The Single Machine Is Here
Builders Versus Breakers
Clouds and Web Services to the Rescue
A New Dawn
Connecting People, Process, and Technology: The Potential for Business Process Management
Diffuse Security in a Diffuse World
BPM As a Guide to Multisite Security
Social Networking: When People Start Communicating, Big Things Change
The State of the Art and the Potential in Social Networking
Social Networking for the Security Industry
Security in Numbers
Information Security Economics: Supercrunching and the New Rules of the Grid
Platforms of the Long-Tail Variety: Why the Future Will Be Different for Us All
Democratization of Tools for Production
Democratization of Channels for Distribution
Connection of Supply and Demand
Conclusion
Acknowledgments
10. Security by Design
Metrics with No Meaning
Time to Market or Time to Quality?
How a Disciplined System Development Lifecycle Can Help
Conclusion: Beautiful Security Is an Attribute of Beautiful Systems
11. Forcing Firms to Focus: Is Secure Software in Your Future?
Implicit Requirements Can Still Be Powerful
How One Firm Came to Demand Secure Software
How I Put a Security Plan in Place
Choosing a focus and winning over management
Setting up formal quality processes for security
Developer training
When the security process really took hold
Fixing the Problems
Extending Our Security Initiative to Outsourcing
Enforcing Security in Off-the-Shelf Software
Analysis: How to Make the World’s Software More Secure
The Best Software Developers Create Code with Vulnerabilities
Microsoft Leading the Way
Software Vendors Give Us What We Want but Not What We Need
12. Oh No, Here Come the Infosecurity Lawyers!
Culture
Balance
The Digital Signature Guidelines
The California Data Privacy Law
Security’s Return on Investment
Communication
How Geeks Need Lawyers
Success Driven from the Top, Carried Out Through Collaboration
A Data Breach Tiger Team
Doing the Right Thing
13. Beautiful Log Handling
Logs in Security Laws and Standards
Focus on Logs
When Logs Are Invaluable
Challenges with Logs
Case Study: Behind a Trashed Server
Architecture and Context for the Incident
The Observed Event
The Investigation Starts
Bringing Data Back from the Dead
Summary
Future Logging
A Proliferation of Sources
Log Analysis and Management Tools of the Future
Conclusions
14. Incident Detection: Finding the Other 68%
A Common Starting Point
Improving Detection with Context
Improving Coverage with Traffic Analysis
Correlating with Watch Lists
Improving Perspective with Host Logging
Building a Resilient Detection Model
Summary
15. Doing Real Work Without Real Data
How Data Translucency Works
A Real-Life Example
Personal Data Stored As a Convenience
Trade-offs
Going Deeper
References
16. Casting Spells: PC Security Theater
Growing Attacks, Defenses in Retreat
On the Conveyor Belt of the Internet
Rewards for Misbehavior
A Mob Response
The Illusion Revealed
Strict Scrutiny: Traditional and Updated Anti-Virus Scanning
The evolution of the blacklist method
The whitelist alternative
Host-based Intrusion Prevention Systems
Applying artificial intelligence
Sandboxing and Virtualization: The New Silver Bullets
Virtual machines, host and guest
Security-specific virtualization
Security of saved files in Returnil
Better Practices for Desktop Security
Conclusion
A. Contributors
Index
About the Authors
Colophon