
Law 1: Attackers Will Always Find Their Way

Chapter in: Ten Laws for Security

Abstract

No secure system is infallible. Any secure system is doomed to fail. Attackers will always find a way to defeat it. Security designers must not deny this fact, but rather put this heuristic at the heart of their design.

The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.

ADAMS D., Mostly Harmless [5]

This is a preview of subscription content.

Notes

  1. Three can keep a secret if two are away (sometimes also found as “Three can keep a secret if two are dead”).

  2. Sigurd killed the dragon Fafnir. Following the advice of the god Odin, he bathed in its blood to become invulnerable. Unfortunately, a leaf stuck to his shoulder left a weak point in his otherwise armored skin. Of course, his opponent, Gottrum, would defeat him through this unique vulnerable point.

  3. Julius Caesar’s substitution algorithm was extremely rudimentary. Each encrypted character is the original character shifted by a fixed value within the alphabet. For instance, if the shift value is 3, A becomes D, B becomes E, …, and X becomes A. With this key, “WHQ ODZV IRU VHFXULWB” is the ciphertext of “TEN LAWS FOR SECURITY.” Obviously, this type of encryption can be easily broken. The easiest method is to make a statistical analysis of the frequency of occurrence of the encrypted characters in the ciphertext and then try to match their distribution with the Gaussian distribution of the supposed language. For instance, in English, the three most frequent characters are E, T, and A, whereas in French they are E, S, and A. The analysis is even more efficient when using pairs of characters or groups of three characters. If the encrypted message is long enough, the identification of these most frequent characters is easy. The correspondence reveals the “key” and thus the original message. Al Kindi introduced this statistical method for cryptanalysis in the ninth century [8].

  4. In 2015, Jung Hoon Lee was rewarded $225,000 for three successful exploits on Chrome, Safari, and Internet Explorer 11.

  5. Section 15.3 provides an explanation of the hash function.

  6. Some fault injection attacks are more intrusive, as they require depackaging the component. Depackaging is the operation that removes the package around the silicon die and sometimes removes some physical layers as well. This is the case with white-light and laser attacks.

  7. memcmp is a standard function of the C library (libc) that compares two blocks of consecutive bytes. If the blocks are the same, the returned value is true; else the returned value is false.

  8. For over 25 years, the CCC has been the largest European hacker group. The activities of the club extend from technical research and dissemination to political engagement [38]. Each year, its December conference gathers many of the most influential hackers worldwide. Many new exploits are disclosed during this event.

  9. Since October 28, 1998, the DMCA [42] has defined US copyright law. Normally, under the DMCA, it is illegal to circumvent any security measure. Nevertheless, there are some exemptions to this rule. Since its inception, five such amendments have been issued, in 2000, 2003, 2006, 2010, and 2014, defining new exemptions to the DMCA rules.

  10. iOS 9.0.2 was the latest version of iOS at the time of editing this chapter.

  11. Nevertheless, there are also “rooting” exploits available for Android. One example is Towelroot, designed by GeoHot [48].

  12. The Secure Set Identifier (SSID) is the alphanumeric string that is part of the header of the packets over wireless local area networks.

  13. A newer protocol, Wi-Fi Protected Setup (WPS), allows users to bypass this clumsy, complex phase of entering long passwords. Unfortunately, once more, some weak implementations of this protocol undermined the security of some devices [50].

  14. Brute force attacks systematically explore every possible value of the key until one succeeds. Thus, in the case of a 32-bit key, this means at most 4,294,967,296 trials. Unfortunately, with current computers, exploring a 32-bit space is extremely fast. A brute force attack is the simplest attack. The defense is to increase the length of the key.

  15. In the case of Mac OS, the ROM is indeed an Electrically Erasable Programmable Read-Only Memory (EEPROM). This allows a potential upgrade of the ROM after its deployment.

  16. The permission is com.google.googlevoice.RECEIVE_SMS.

  17. EMC is the company that owns RSA Ltd.

  18. Cryptography Research Incorporated (CRI) is the company founded by Paul Kocher, who designed the first side-channel attacks: timing analysis and power analysis. In 2013, Rambus acquired CRI.

  19. To be precise, many modern computers can implement such a Root of Trust because they are equipped with Trusted Platform Modules (TPMs). Unfortunately, the major operating systems do not take advantage of this feature.

  20. In some reported cases, ransomware blocked the screen by displaying pornographic pictures or even pedophilia [98] to shame the blackmailed person. The authors of such ransomware expected that the hacked person would not dare to call for help. It seems that this tactic was rather efficient, as the ratio of paid ransoms was rather high. This is a very nice, dirty piece of social engineering.

  21. Indeed, cryptocurrencies such as Pecunix, AlertPay, PPcoin, Litecoin, Feathercoin, or Zerocoin are the payment methods used by the black market of the Darknet [104].

  22. CryptoLocker is the most well-known ransomware.

  23. Amazon Elastic Compute Cloud (Amazon EC2) is a Web service that provides resizable computational capacity in a cloud.
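Note 3 describes Caesar's fixed-shift substitution and the statistical attack Al Kindi introduced against it, and Note 14 describes exhausting a key space by brute force. The script below is an added example, not code from the chapter or its author: it implements the shift cipher, reproduces the note's “TEN LAWS FOR SECURITY” / “WHQ ODZV IRU VHFXULWB” example, and then recovers an unknown shift by comparing the ciphertext letter histogram with English letter frequencies (a chi-squared fit) for each of the 26 possible keys, which is both the frequency analysis of Note 3 and, because the key space is only 26 values, the brute-force enumeration of Note 14. The English frequency table is a standard approximate estimate and the sample plaintext is constructed for this demonstration; both are assumptions of the example, not values from the page.

```python
"""Caesar shift encryption and single-letter frequency analysis.

Added example (not the chapter's code). The English letter-frequency table
below is a standard approximate estimate, and the sample plaintext is
constructed for this demonstration.
"""
from collections import Counter
from typing import List, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequency (in percent) of each letter in English text.
# E, T and A are the three most frequent, as Note 3 states.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

# Constructed sample plaintext, long enough for the statistics to be meaningful.
SAMPLE_PLAINTEXT = (
    "ATTACKERS WILL ALWAYS FIND THEIR WAY INTO ANY SYSTEM THAT A DEFENDER "
    "BELIEVES TO BE PERFECTLY SECURE SO THE DESIGNER MUST PLAN FOR FAILURE "
    "AND DETECT IT EARLY RATHER THAN DENY THAT IT CAN EVER HAPPEN"
)


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift every letter forward by `shift` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def letter_counts(text: str) -> Counter:
    """Count only alphabetic characters, ignoring spaces and punctuation."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


def most_frequent(text: str, n: int = 3) -> List[str]:
    """The n most frequent letters of `text`, most frequent first."""
    return [letter for letter, _ in letter_counts(text).most_common(n)]


def chi_squared(counts: Counter, total: int) -> float:
    """Distance between observed counts and what English predicts for `total` letters."""
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * total
        observed = counts.get(letter, 0)
        score += (observed - expected) ** 2 / expected
    return score


def rank_shifts(ciphertext: str) -> List[Tuple[int, float]]:
    """Try all 26 keys (the whole key space) and rank them by fit to English.

    Only the letter histogram is shifted, so the cost is 26 small loops
    regardless of message length. Raises ValueError if there are no letters.
    """
    counts = letter_counts(ciphertext)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("ciphertext contains no letters to analyse")
    ranked = []
    for shift in range(26):
        # Histogram of the plaintext we would get if `shift` were the key.
        candidate = Counter()
        for letter, count in counts.items():
            candidate[ALPHABET[(ALPHABET.index(letter) - shift) % 26]] += count
        ranked.append((shift, chi_squared(candidate, total)))
    ranked.sort(key=lambda pair: pair[1])
    return ranked


def recover_shift(ciphertext: str) -> int:
    """Best-fitting key, i.e. the shift whose decryption looks most like English."""
    return rank_shifts(ciphertext)[0][0]


if __name__ == "__main__":
    ct = caesar_encrypt(SAMPLE_PLAINTEXT, 3)
    print("most frequent ciphertext letters:", most_frequent(ct))
    print("recovered shift:", recover_shift(ct))
    print("plaintext:", caesar_decrypt(ct, recover_shift(ct)))
```

On the sample text the three most frequent ciphertext letters are H, W and D, which are E, T and A shifted by three, exactly the correspondence the note says reveals the key. The chi-squared fit is used instead of matching only the single most frequent letter because it degrades gracefully on shorter messages, where E may not be the clear leader; the note's remark that the message must be “long enough” is the same caveat, and the example raises an error rather than guessing when there are no letters at all.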

Author information

Corresponding author: Eric Diehl.


Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Diehl, E. (2016). Law 1: Attackers Will Always Find Their Way. In: Ten Laws for Security. Springer, Cham. https://doi.org/10.1007/978-3-319-42641-9_1

  • DOI: https://doi.org/10.1007/978-3-319-42641-9_1
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-42639-6
  • Online ISBN: 978-3-319-42641-9
  • eBook Packages: Computer Science (R0)
