Abstract
No secure system is infallible. Any secure system is doomed to fail. Attackers will always find a way to defeat it. Security designers must not deny this fact, but rather put this heuristic at the heart of their design.
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.
ADAMS D., Mostly Harmless [5]
Notes
1. Three can keep a secret if two are away (sometimes also found as “Three can keep a secret if two are dead”).
2. Sigurd killed the dragon Fafnir. Following the advice of the god Odin, he bathed in its blood to become invulnerable. Unfortunately, a leaf stuck to his shoulder left a weak point in his otherwise armored skin. Of course, his opponent, Gottrum, would defeat him through this unique vulnerable point.
3. Julius Caesar’s substitution algorithm was extremely rudimentary. The encrypted character is the original character shifted by a fixed value within the alphabet. For instance, if the shift value is 3, A becomes D, B becomes E, …, and X becomes A. With this key, “WHQ ODZV IRU VHFXULWB” is the cipher text of “TEN LAWS FOR SECURITY.” Obviously, this type of encryption can be easily broken. The easiest method is a statistical analysis of the frequency of occurrence of the encrypted characters in the cipher text, followed by an attempt to match their distribution with the Gaussian distribution of the supposed language. For instance, in English, the three most frequent characters are E, T, and A, whereas in French they are E, S, and A. The analysis is even more efficient when using pairs of characters or groups of three characters. If the encrypted message is long enough, then the identification of these most frequent characters is easy. The correspondence reveals the “key” and thus the original message. Al Kindi introduced this statistical method of cryptanalysis in the ninth century [8].
4. In 2015, Jung Hoon Lee was awarded $225,000 for three successful exploits on Chrome, Safari, and Internet Explorer 11.
5. Section 15.3 provides an explanation of the hash function.
6. Some fault injection attacks are more intrusive, as they require the depackaging of the component. Depackaging is the operation that removes the silicon die package and sometimes removes some physical layers. This is the case with white light and laser attacks.
7. memcmp is a standard function of the libc library that compares two blocks of consecutive bytes. If the blocks are the same, the returned value is true; else the returned value is false.
8. For over 25 years, the CCC has been the largest European hacker group. The activities of the club extend from technical research and dissemination to political engagement [38]. Each year, its December conference gathers many of the most influential hackers worldwide. Many new exploits are disclosed during this event.
9. Since October 28, 1998, the DMCA [42] has defined the US copyright laws. Normally, under the DMCA, it is illegal to circumvent any security measure. Nevertheless, there are some exemptions to this rule. Since its inception, five such amendments have been issued, in 2000, 2003, 2006, 2010, and 2014, defining new exemptions to the DMCA rules.
10. iOS 9.0.2 was the latest version of iOS at the time of editing this chapter.
11. Nevertheless, there are also “rooting” exploits available for Android. One example is Towelroot, designed by GeoHot [48].
12. The Secure Set Identifier (SSID) is the alphanumeric string that is part of the header of the packets over wireless local area networks.
13. A new protocol called Wi-Fi Protected Setup (WPS) allows users to bypass this clumsy, complex phase of dialing long passwords. Unfortunately, once more, some weak implementations of this protocol undermined the security of some devices [50].
14. Brute force attacks systematically explore every possible value of the key until one succeeds. Thus, in the case of 32 bits, this means at most 4,294,967,296 trials. Unfortunately, with current computers, exploring a 32-bit space is extremely fast. A brute force attack is the simplest attack. The defense is to increase the length of the key.
15. In the case of Mac OS, the ROM is indeed an electrically erasable programmable Read-Only Memory (EEPROM). This allows a potential upgrade of the ROM after its deployment.
16. The permission is com.google.googlevoice.RECEIVE_SMS.
17. EMC is the company that owns RSA Ltd.
18. Cryptography Research Incorporated (CRI) is the company founded by Paul Kocher, who designed the first side-channel attacks: timing analysis and power analysis. In 2013, Rambus acquired CRI.
19. To be precise, many modern computers can implement such a Root of Trust because they are equipped with Trusted Platform Modules (TPMs). Unfortunately, the major operating systems do not take advantage of this feature.
20. In some reported cases, ransomware blocked the screen by displaying pornographic pictures or even pedophilia [98] to shame the blackmailed person. The authors of such ransomware expected that the hacked person would not dare to call for help. It seems that this tactic was rather efficient, as the ratio of paid ransoms was rather high. This is a very nice, dirty piece of social engineering.
21. Indeed, cryptocurrencies such as Pecunix, AlertPay, PPcoin, Litecoin, Feathercoin, or Zerocoin are the payment methods used by the black market of the Darknet [104].
22. CryptoLocker is the most well-known ransomware.
23. Amazon Elastic Compute Cloud (Amazon EC2) is a Web service that provides resizable computational capacity in a cloud.
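As an added example illustrating notes 3 and 14 (this code is not from the book), the following Python implements the Caesar shift, reproduces the note's cipher text, and then recovers the key from a cipher text in the two ways the notes describe: by enumerating the whole key space, which for Caesar is only 26 values, and by ranking every candidate plaintext with a chi-squared comparison of its letter histogram against the standard English letter frequencies, which is the usual way the statistical idea in note 3 is implemented. The sample plaintext is constructed here; the note's 18-letter example is too short for the statistic to be reliable, which is the point of the note's remark that the message must be long enough.

```python
# Added example (not from the book): Caesar shift plus the two attacks of
# notes 3 and 14, letter-frequency analysis and key-space brute force.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Relative letter frequencies of English text, in percent (standard published values).
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}

# Constructed sample plaintext, long enough for the statistics to be meaningful.
SAMPLE_PLAINTEXT = (
    "no secure system is infallible and every deployed system will eventually "
    "be attacked so the designer must expect failure and build detection and "
    "repair into the design from the start rather than hoping that nothing "
    "will ever go wrong"
)


def caesar(text, key):
    """Shift every letter of `text` by `key` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar(plaintext, key)


def decrypt(ciphertext, key):
    return caesar(ciphertext, -key)


def chi_squared(text):
    """Distance between the letter histogram of `text` and the English reference
    histogram; lower means the text looks more like English."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")  # nothing to measure
    counts = Counter(letters)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = counts.get(letter, 0)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext):
    """Note 14: enumerate the whole key space (26 keys for Caesar) and rank every
    candidate plaintext by how English-like its letter distribution is.
    Returns a list of (key, score, candidate) sorted best first."""
    candidates = []
    for k in range(26):
        candidate = decrypt(ciphertext, k)
        candidates.append((k, chi_squared(candidate), candidate))
    return sorted(candidates, key=lambda c: c[1])


def recover_key(ciphertext):
    """Note 3: the candidate whose letter frequencies best match the language reveals the key."""
    return brute_force(ciphertext)[0][0]


if __name__ == "__main__":
    # The note's own example: key 3 turns TEN LAWS FOR SECURITY into WHQ ODZV IRU VHFXULWB.
    print(encrypt("TEN LAWS FOR SECURITY", 3))
    ct = encrypt(SAMPLE_PLAINTEXT, 17)
    print("recovered key:", recover_key(ct))
    for key, score, candidate in brute_force(ct)[:3]:
        print(f"key {key:2d} score {score:8.1f}  {candidate[:40]}...")
```

The ranking step is what turns a blind 26-trial brute force into the frequency attack of note 3: the correct key is the one whose candidate plaintext has the smallest chi-squared distance from the language's letter histogram. On the note's 18-letter cipher text several keys score close together, so the block only asserts that the known key decrypts it; on the longer constructed sample the correct key is recovered unambiguously.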
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Diehl, E. (2016). Law 1: Attackers Will Always Find Their Way. In: Ten Laws for Security. Springer, Cham. https://doi.org/10.1007/978-3-319-42641-9_1
DOI: https://doi.org/10.1007/978-3-319-42641-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-42639-6
Online ISBN: 978-3-319-42641-9
eBook Packages: Computer Science (R0)