[ISN] REVIEW: "WiFi Security", Stewart S. Miller

From: InfoSec News (isnat_private)
Date: Thu Feb 27 2003 - 22:51:14 PST

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>

BKWIFISC.RVW   20030209

"WiFi Security", Stewart S. Miller, 2003, 0-07-141073-2,
%A   Stewart S. Miller wifiat_private
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2003
%G   0-07-141073-2
%I   McGraw-Hill Ryerson/Osborne
%O   U$49.95/C$78.95/UK#40.00 800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0071410732/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0071410732/robsladesin03-20
%P   309 p.
%T   "WiFi Security"

When a book starts out with a preface that is basically an advertising
pitch for the author's consulting services, one can be forgiven for
doubting the author's dedication to the task of informing the
audience.  This work is yet another attempt to jump on a hot topic.

Supposedly chapter one introduces us to the standards for wireless LAN
security.  Instead, the material meanders through an unstructured
collection of security and wireless topics.  The material is limited,
random, and not particularly informative.  Even when dealing with
strictly technical areas, such as the various types of spread spectrum
technologies, the text seems to have been lifted wholesale from
marketing brochures, and fails to explain much of anything.  There
isn't much "Technology Comparison" in chapter two unless we are
comparing apples and oranges: again there is a haphazard compilation
of topics, with Bluetooth getting the lion's share of the ink. 
Instead of considering security factors, chapter three lists some
basic attacks against systems in general.  The "issues in wireless
security" are a little more on topic in chapter four.

Chapter five mentions a few terms related to the 802.11 family of
standards.  There isn't much about the promised 802.11 security
infrastructure in chapter six: instead we have another amalgam of
security problems.  Miller demonstrates his limited understanding of
the technology, in chapter seven, with common mistakes such as the
comparison of "40" and "128" bit WEP (Wired Equivalent Privacy) keys
(WEP keys are composed of either 40 or 104 bit base keys concatenated
with 24 bit initialization vectors, for total lengths of 64 or 128
bits respectively), so it is no surprise that the analysis of the
weaknesses of WEP is only half a page long, and misses all the
fundamental problems.

Chapter eight is a generic warning that people might snoop on you. 
The authentication topics jump around so much that it is impossible to
say what chapter nine is really talking about.  A number of
technologies are mentioned, but those discussed together frequently
come from completely separate protocols or functions.  Similarly,
chapter ten is entitled "Direct Sequence Spread Spectrum," but doesn't
explain anything about DSSS at all, and isn't even consistent in terms
of the subject area under discussion.  Chapter eleven does stick to
the topic of equipment issues, but does not provide any useful
direction to the reader.  Cross-platform issues are rather confused,
in chapter twelve, although there is a reasonable discussion of the
WEP initialization vector reuse problem--which should have been
covered in chapter seven.  The vulnerabilities listed in chapter
thirteen constitute another grab bag: since we have been discussing
wireless LANs throughout the book, why do we now bring up the topic of
the "WAP (Wireless Application Protocol) gap," which only affects
Internet enabled cell phones?  Chapters fourteen and fifteen mostly duplicate
content from nine, with a few minor additions.  Chapter sixteen
repeats a lot of other material, adding a tiny bit on risk assessment. 
PDA security issues are reviewed in chapter seventeen.  Chapter
eighteen collects another random assortment of duplicated topics for a
supposed look to the future.
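The review faults the book twice on WEP: the "40 versus 128 bit" key confusion in chapter seven, and the initialization vector reuse problem that only surfaces in chapter twelve. The following is an added example, not code from the review or from the book, that shows both points concretely: how the per-packet RC4 seed is built from a 24-bit IV plus a 40- or 104-bit base key (so the seed is 64 or 128 bits, and only 2^24 IVs exist per base key), and why two frames sent under the same IV leak each other's plaintext. The key, IVs and frame contents are constructed sample data; the WEP CRC-32 integrity check value is omitted because it plays no part in the reuse problem.

```python
# Added example: WEP per-packet keying and the IV-reuse leak.
# Minimal RC4 (the cipher WEP uses); sample key and frames are constructed.

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # only 16,777,216 distinct IVs per base key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_seed(iv: bytes, base_key: bytes) -> bytes:
    """RC4 seed = 24-bit IV || base key (40 or 104 bits) -> 64 or 128 bits total."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits (3 bytes)")
    if len(base_key) not in (5, 13):
        raise ValueError("WEP base key must be 40 or 104 bits (5 or 13 bytes)")
    return iv + base_key


def wep_seed_bits(base_key: bytes) -> int:
    """Total RC4 seed length in bits; this is the '64' or '128' in vendor marketing."""
    return len(wep_seed(b"\x00\x00\x00", base_key)) * 8


def wep_encrypt(iv: bytes, base_key: bytes, plaintext: bytes) -> bytes:
    """Returns iv || ciphertext; the IV is sent in the clear ahead of the body."""
    keystream = rc4_keystream(wep_seed(iv, base_key), len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes,
                                 frame_target: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 ^ C2 = P1 ^ P2.
    Knowing P1 (a guessable frame) gives P2 without touching the key."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("IVs differ; no shared keystream to exploit")
    n = min(len(c1), len(c2), len(known_pt))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_pt[:n])


def demo_iv_reuse() -> bytes:
    """Constructed scenario: a 40-bit key, one IV used for two frames."""
    base_key = bytes.fromhex("0123456789")          # constructed 40-bit key
    iv = b"\x01\x02\x03"                            # reused IV
    p1 = b"known plaintext frame 01"                # e.g. a predictable frame
    p2 = b"secret payload frame 02!"                # what the attacker wants
    f1 = wep_encrypt(iv, base_key, p1)
    f2 = wep_encrypt(iv, base_key, p2)
    return recover_with_known_plaintext(f1, p1, f2)


if __name__ == "__main__":
    print("40-bit base key -> seed bits:", wep_seed_bits(bytes(5)))
    print("104-bit base key -> seed bits:", wep_seed_bits(bytes(13)))
    print("IVs available per key:", IV_SPACE)
    print("recovered second frame:", demo_iv_reuse())
```

On a busy network a 24-bit IV space is exhausted in hours even with random IVs, and many early cards started at zero on every reset, which is why the reuse problem is fundamental to WEP rather than an implementation detail.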

This is an arbitrary and disorganized conflation of subjects, with
very little of value to anyone.  There are a few salient and helpful
facts, which, if brought together, might fill a few pages.  However,
these tidbits are buried in a deluge of impenetrable verbiage,
designed more to impress the naive reader than to inform anyone.

copyright, Robert M. Slade, 2003   BKWIFISC.RVW   20030209

ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 01:09:49 PST