"The trick to sound security is to begin early, know your threats,...design for security, and subject your design to thorough objective risk analyses and testing. This book will help." From the Foreword by Gary McGraw, CTO of Cigital, and coauthor of Building Secure SoftwareAs wireless technology emerges into the mainstream of the networking and communications markets, the wireless development community has a unique opportunity to be proactive, rather than reactive, in its approach to security. At this early point in the wireless industry, developers can anticipate future security needs and integrate security considerations into every stage of the development process. Wireless Security and Privacy shows developers how to take advantage of this exceptional opportunity. Written for wireless development professionals new to security, and for security professionals moving into the wireless arena, this book presents the foundation upon which to design and develop secure wireless systems. It looks in depth at the key issues faced by those who develop wireless devices and applications, describes the technology and tools that are now available, and offers a proven methodology for designing a comprehensive wireless risk management solution.In particular, Wireless Security and Privacy documents the I-ADD process, which offers a standardized, systematic approach for identifying targets, analyzing vulnerabilities, defining strategies, and designing security into the entire development lifecycle of a wireless system. The book also examines such important topics as:Fundamental wireless and security principlesSpecific wireless technologies, including 802.1 1b, Bluetooth, and WAPThe security implications of the architecture of PDAs, cell phones, and wireless network cards for laptopsThe security shortcomings of wireless development languagesDevelopment of a risk model for a wireless systemCryptography essentialsPrivacy policy and legal issuesThe role of COTS products in a comprehensive security solutionAnalysis of known and theoretical attacksSecurity, financial, and functionality tradeoffsSeveral case studies run throughout the book, illustrating the application of important concepts, techniques, strategies, and models.In all, this practical guide book builds a framework for understanding the present and future of wireless security and offers the specific security strategies and methodologies that are critical for success in this fast-moving market. 0201760347B08072002

Table of Contents:
Foreword. Preface. About the Authors. Acknowledgments. I. ESTABLISH A FOUNDATION. 1. Wireless Technologies. An Introduction to Wireless Architecture. Usage Models. Internet Bridge. Conference. Multipurpose Phone. Synchronizer. Devices. Cell Phones and Personal Digital Assistants (PDAs). Wireless Laptops. Consumer Issues. Technical Issues. Network Arrangements and Technologies. 802.11b. The Wireless Application Protocol (WAP). Wireless Wide Area Networks. Local Area Networks. Personal Area Networks and Bluetooth. Wireless LAN Appeal. Case Studies. The Hospital. The Office Complex. The University Campus. The Home. 2. Security Principles. Security Principles. Authentication. Access Control and Authorization. Nonrepudiation. Privacy and Confidentiality. Integrity. Auditing. Development and Operation Principles. Functionality. Utility. Usability. Efficiency. Maintainability. Scalability. Testability. Management Principles. Schedule. Cost. Marketability. Margin. The Security Analysis Process-I-ADD. Identify. Analyze. Define. Design. Repeat. The Foundation. II. KNOW YOUR SYSTEM. 3. Technologies. 802.11 and 802.11b. 802.11 System Components. 802.11 Architecture Modes. 802.11b Physical Layer. 802.11 Media Access Control Layer. 802.11b Security and Wired Equivalent Privacy (WEP). Bluetooth. Bluetooth Physical Layer. Bluetooth Protocol Architecture. Bluetooth Profiles. Bluetooth Security. WAP. WAP Overview. Wireless Application Environment (WAE). WAP Security. 4. Devices. Personal Digital Assistants. Palm OS Devices. Palm Security. Palm OS 4.0. Pocket PC Devices. BlackBerry (RIM 950 and 957). BlackBerry APIs. BlackBerry Security. 5 Languages. Wireless Application Protocol (WAP). WAP Browsers. Wireless Markup Language (WML). WMLScript. J2ME. The Future of J2ME. III. PROTECT YOUR SYSTEM. 6. Cryptography. Applied Cryptography Overview. The Office Complex Case Study. Primitives and Protocols. Symmetric and Asymmetric Algorithms. Cryptographic Attacks. Symmetric Cryptography. Symmetric Primitives. Symmetric Protocols. Asymmetric Cryptography. Asymmetric Primitives. Asymmetric Protocols. Common Problems. Cryptography by Itself. Proprietary Cryptographic Protocols. Common Misuses. Choices. Performance. Effectiveness. Decision Trade-Offs. Key Points. 7. COTS. COTS versus Custom Software. Custom Software. Virtual Private Network (VPN). Hardware-Based VPNs. Firewall-Based VPNs. Software-Based VPNs. Tunneling. The Seven-Layer OSI Model. PPTP. L2TP. IPSec. SmartCards. Biometric Authentication. 8. Privacy. The Online Privacy Debate in the Wired World. Privacy in the Wireless World. The Players. Related Privacy Legislation and Policy. The Communications Assistance for Law Enforcement Act (CALEA). E-911. The Wireless Communications and Public Safety Act of 1999. The U.S.A. Patriot Act of 2001. Location-Based Marketing and Services and GPS. The Middle Ground Answer. Progress in the Wired World. IV. I-ADD. 9. Identify Targets and Roles. Identify Targets. The Wireless Device. The Service Provider. Identify Roles. Malicious Users. Mapping Roles to Targets. 10. Analyze Attacks and Vulnerabilities. Known Attacks. Device Theft. The Man in the Middle. War Driving. Denial of Service. The DoCoMo E-Mail Virus. Vulnerabilities and Theoretical Attacks. Vulnerabilities of the Wireless Device. Vulnerabilities of the Service Provider. Vulnerabilities of the Gateway. Vulnerabilities of the Web Server and the Backend Server. 11. Analyze Mitigations and Protections. Protecting the Wireless Device. Limiting the Vulnerability to Loss. Limiting the Vulnerability to Theft. Protecting the Physical Interface. Protecting Access to the User Interface. Protecting Personal Data on the PDA. Protecting Corporate or Third-Party Information. Protecting Access to Network and Online Services. Protecting the Transceiver. Protecting Vulnerabilities of the Service Provider. Protecting the Transceiver Services. Protecting Access to Its Subscribers. Protecting the Transceiver. Protecting the Administrative Server. Protecting User-Specific Data. Protecting the Network Server. Protecting Corporate Proprietary Data and Resources. Protecting Vulnerabilities of the Gateway. Prioritizing. Building Trust-Application Security. 12. Define and Design. The Case Studies Revisited. The Hospital. The Office Complex. The University Campus. The Home. Case Studies Conclusion. Just the Beginning. Afterword: The Future of Wireless Security. Bibliography. Index. 0201760347T08232002