Saturday, April 30, 2011

Early Review of Ghost in the Wires

Kevin Mitnick was kind enough to send me a galley copy of his upcoming autobiography Ghost in the Wires. won't let me post a review yet, so I'll write what I would have supplied to the site.

In 2002 I reviewed Kevin Mitnick's first book, The Art of Deception. In 2005 I reviewed his second book, The Art of Intrusion. I gave both books four stars. Mitnick's newest book, however, with long-time co-author Bill Simon, is a cut above their previous collaborations and earns five stars.

As far as I can tell (and I am no Mitnick expert, despite reading almost all previous texts mentioning him), this is the real deal. Mitnick addresses just about everything you might want to know about. For me, the factor that made the book very unique was the authors' attention to detail. This sounds like it might have been a point of contention between the co-authors, but I found the methodical explanation of the social engineering and technical attacks to be relevant and interesting. Mitnick just doesn't say he social engineered a target; rather, he walks you through every step of the event! It's amazing, audacious, and in many cases beyond the pale.

One surprise for me was the amount of technical hacking Mitnick describes. He wasn't just crafty with a phone; he spent a lot of time at the keyboard executing technical exploitation of Unix variants. Interestingly, this may or may not include the so-called "Mitnick attack" whereby Tsutomu Shimomura's computer suffered the only documented TCP blind spoofing incident. In Ghost in the Wires, Mitnick says an Israeli hacker nicknamed JSZ wrote the code to implement the attack, and JSZ executed the Christmas Day 1994 exploitation of Shimomura's computer (p 326). Later on p 334, however, Mitnick notes the same attack worked against a different target (blackhole dot inmet dot com), so he may have executed that previously undocumented incident himself?

Ghost in the Wires also shares the human side of Mitnick's story. His description of solitary confinement and his anxiety of returning to those conditions seemed very real. They appear ever more relevant given recent treatment of Bradley Manning. One has to wonder about "cruel and unusual punishment" of those who are not convicted, such that they will sign plea deals just to avoid solitary confinement. Beyond prison issues, Mitnick's love for his family (especially his mother and grandmother) were clear throughout the book.

I very much enjoyed reading Ghost in the Wires, and I believe the majority of the computer security community would too.

Update: I posted this to

Review of Windows Internals, 5th Ed Posted just posted my five star review of Windows Internals, 5th Ed by Mark Russinovich and David Solomon, with Alex Ionescu. Microsoft Press provided a free review copy. From the review:

Windows Internals, 5th Ed (WI5E) by Mark Russinovich and David Solomon, with Alex Ionescu, is a remarkable technical achievement. I read the book to better understand Windows to improve my security knowledge. I am not a Windows programmer, but I thought WI5E would provide context for some of the exploit and vulnerability information I occasionally encounter. I absorbed as much of WI5E as I could, but quickly found the scope and depth of the material to be incredible. While there is no substitute for reading source code, the explanations in WI5E come close! So many aspects of Windows are described, to such a deep level, that you might find yourself wanting to use Windows just to see WI5E's descriptions at work.

Review of Windows System Programming, 4th Ed Posted just posted my five star review of Windows System Programming, 4th Ed by Johnson M. Hart. Addison-Wesley provided a free review copy. From the review:

I read Windows System Programming, 4th Ed (WSP4E) by Johnson M. Hart after finishing Windows via C/C++, 5th Ed (WVCP5E) by Richter and Nasarre. While I liked WVCP5E, I found WSP4E to be the better book for the sort of understanding I was trying to achieve. I'm not a professional Windows programmer, but I wanted to learn more about how Windows works. Hart's book did the trick, especially for a person like me with more of a Unix background. If you want to better know how to program on Windows, and specifically recognize differences among using the C libraries, the Windows API, and Windows "convenience functions," WSP4E is the book for you too.

Review of Windows via C/C++, 5th Ed Posted just posted my four star review of Windows via C/C++, 5th Ed by Jeffrey M. Richter and Christophe Nasarre. Microsoft Press provided a free review copy. From the review:

I will admit right away that I am probably not the target audience for this book, because I am not a professional Windows programmer. However, I am very interested in learning how Windows works, and Windows via C/C++, 5th Ed (WVCP5E) is one of the books that will help develop that expertise. Had I not also read Windows System Programming, 4th Ed (WSP4E) by Hart, I would have given WVCP5E 5 stars. Both are strong books, but WSP4E received 5 stars in a separate review. Still, I very strongly believe that WVCP5E by Richter and Nasarre is a must-read for anyone who wants to know more about Windows applications.

Review of Beginning Visual C++ 2010 Posted just posted my five star review of Beginning Visual C++ 2010 by Ivor Horton. Wrox provided a free review copy. From the review:

I read Ivor Horton's Beginning Visual C++ 2010 (BVCP2) to gain some familiarity with the C++ programming language. Prior to this book I read Mr Horton's Beginning C book. Between the two books, I hoped to learn enough about C and C++ to prepare me to read a third book titled Windows via C/C++, 5th Ed by Richter and Nasarre. As a security professional, being able to grasp the essence of C and C++ as they are used in Windows helps me understand security advisories and related discussion of vulnerabilities in exploits. BVCP2 is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C++ for Windows programmer. I highly recommend it to both sorts of readers.

Review of Beginning C Posted just posted my five star review of Beginning C by Ivor Horton. Apress provided a free review copy. From the review:

I read Ivor Horton's Beginning C to gain some familiarity with the C programming language. As a security professional, being able to grasp the essence of C helps me understand security advisories and related discussion of vulnerabilities in exploits. Beginning C is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C programmer. I highly recommend it to both sorts of readers.

Review of Programming Amazon EC2 Posted just posted my four star review of Programming Amazon EC2 by Jurg van Vliet and Flavia Paganelli. O'Reilly provided a free review copy. From the review:

Because this is a short book, I'll write a short review. Programming Amazon EC2 (PAE) explains how to use certain elements of Amazon Web Services to deploy applications in Amazon's cloud infrastructure. The discussion centers on the authors' experiences deploying live, production Web sites (like Kulitzer) using AWS. I found this approach refreshing and novel, because it reads like a playbook for recreating similar infrastructure for the reader's own purposes.

Wednesday, April 13, 2011

UBM Cancels GTEC, Bejtlich Considers Alternatives

I received word this week that the venue hosting my special session of TCP/IP Weapons School 3.0 was cancelled! That means no GTEC and no extra DC class.

I'm sad to hear this because I'm receiving word from students wondering what happened.

As best I understand it, the current Federal budget situation made hosting this conference a tough prospect for the DC crowd.

At this point I'm evaluating options, including hosting a class myself. If you would be interested in attending a group class of TCP/IP Weapons School 3.0 in northern VA this year, please email training [at] taosecurity [dot] com. I think a class late in the year, hopefully during FY 2012 (so 1 Oct or later), might be the best option for Federal workers enduring budget woes.

I'd rather teach within another venue, like Black Hat, but if there's enough demand from the cancelled GTEC event I'll see what it takes to offer a solo class.

As noted on my Training site, I am teaching Two Sessions of TWS3 at Black Hat USA in Las Vegas this summer. That is another option for those who will miss the GTEC class.

I'm also still working out details to offer training at USENIX Security 2011 in San Francisco in August. I expect word from USENIX on that before the end of the month. Thank you.

Cooking the Cuckoo's Egg

In February I spoke at the DoJ Cybersecurity Conference. My abstract for the talk was the following:

In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond. In this presentation, Bejtlich will share the keys to professional incident response, originally documented by an unintentional computer pioneer.

Since several of you asked for the slides, I uploaded them here (.pdf, 60 slides). I don't usually use slides like this, but I told a story using screen captures from the really old NOVA episode about Cliff Stoll.

Tuesday, April 12, 2011

APT Drives Up Bomber Cost

Bill Sweetman wrote a good article on the new Air Force bomber program titled USAF Bomber Gets Tight Numbers. I found the following paragraph interesting:

One factor will drive up the cost of the bomber’s R&D: its status as a SAP [Special Access Program]. SAP status — whether the program is an acknowledged SAP, as the bomber is likely to be, or completely black — incurs large costs. All personnel have to be vetted before they are read into the program. Information within the program is compartmentalized, reducing efficiency. SAP status has been estimated to add 20% to a program’s cost.

Security for SAP isn't cheap! Sweetman elaborates:

The most likely reason for this measure is the sensitivity of ELO [extreme low-observable] technology, combined with the fact that the U.S. is the target of what may be the most extensive and successful espionage program in history — China’s Advanced Persistent Threat.

How much is the new bomber supposed to cost?

The magic numbers for the bomber are a fleet size of 80-100 and a flyaway cost of $500 million.

So, that's $50 billion, assuming 100 aircraft at $500 million each? Let's assume that cost includes SAP fees. If SAP protection adds 20%, that means without SAP the cost would be roughly $42 billion.

That means, for this program alone, the APT costs the US taxpayer $8 billion.

I find this sort of article really interesting because it demonstrates a real-world cost due to ongoing computer intrusions perpetrated by the APT.

Monday, April 04, 2011

Aviation Week on China's Military Capabilities

Today Richard D. Fisher, Jr. and Bill Sweetman published an online article for Aviation Week titled Sizing Up China's Military Capabilities. Of interest to my readers might be the following:

It is no secret that long-term U.S. Air Force and Navy planning is focused on China...

A decade ago, many U.S. analysts were unimpressed by the People’s Liberation Army (PLA)... By 2011, such hubris has given way to palpable concern...

The elements of this capability include:

Information attack. In the mid-2000s, U.S. intelligence agencies identified the Advanced Persistent Threat (APT), a pattern of cyberespionage largely traceable to China and aimed mainly at the U.S. defense industry and armed forces...

I really like to see organizations that are not selling digital security, but who are still defense experts, discuss APT!

Some of you probably think Aviation Week is part of the "create a new bogey man" strategy as we draw down forces in Iraq. Surely APT is just "yellow peril"? Think again:

In the Soviet era, it was commonplace for U.S. intelligence agencies to exaggerate Soviet capabilities and predict that new systems would enter service sooner and in larger numbers than actually happened. A consistent trend in analysis of China’s military capabilities is to do the reverse...

So how does the US military tend to think about the Chinese threat?

U.S. officials have tended to view this increasing A2/AD [“anti-access” or “area denial”] force through the prism of a potential conflict over the future of Taiwan or a contest for dominance in the Western Pacific.

In the event of a conflict, it is assumed the PLA would launch cyberstrikes against regional U.S. and allied military facilities and U.S. political and military leadership, while directing air, naval and special forces strikes against nearby American facilities in Okinawa and Guam.

Should Washington refuse to sue for peace, and deploy forces into the theater, the PLA would fashion joint missile, air and submarine strikes to deter or defeat naval and air forces.

I know the whole US military does not think solely in terms of Taiwan, but clearly the limited characterization of APT as "only" "espionage," and the "prism" of Taiwan show that too many people don't see the big picture.

On a related note, I look forward to reading this document:

China's National Defense in 2010.

Friday, April 01, 2011

Answering Questions on Reading Tips

A few of you asked questions via Twitter or comments on my All Reading Is Not Equal or Fast post, so I'll try answering them here.

When you review a book that was less than perfect or heck even one that was perfect could you also suggest some alternatives?

I'll be honest. That could be more work than I'm willing to do in a free forum like and this blog. Sometimes I mention alternatives because they're fresh in my mind and I like the other options. Always mentioning alternatives can be a real chore. If I wrote reviews for formal publication I would do that. Otherwise, I recommend subscribing to my review RSS feed and staying current with my reviews.

Where do you find the time to read the books? After family-time, work time and what time of the day do u read and how much time do you invest? I keep trying to read books but I read 2-3 pages per day at night...thanks!

When work is really busy, I probably read the most when on the road. I try to get to airports early, so I could have 30 to 60 minutes at the gate. On the flight I hardly ever watch the movie(s) or work on a computer. I pretty much always read a technical book or read The Economist. Planes are especially good for concentrating my attention because I have no alternative and no distractions!

When I don't travel, I like to make some time early Saturday and Sunday mornings. I might also read a little at night, when my wife does the same.

Also, be prepared to read. Think one book will keep you busy on a trip? Take two. What if you're stuck at the airport, etc.? Whenever I take mass transit, I take something to read with me. The same goes for any time I expect to wait somewhere, like a doctor's office, before a meeting, and so on. This little stretches of time add up. And, if you face an unexpected delay, the little stretch becomes a reading-productive big stretch.

How do you maintain your list of books to read throughout the year? Do you look at upcoming books from specific publishers, books referenced in conferences and presentations, does Amazon offer pre-order recommendations and reviewer copies? How do you prioritize such a list?

Every once in a while I access this search page and do a keyword search for computer security terms, ordered by publication date.

I review the results and concentrate on titles from the mainstream publishers like Pearson imprints (Addison-Wesley, etc., including Cisco Press), No Starch, Wiley, Osborne/McGraw-Hill, Apress, O'Reilly (including Microsoft Press), Wrox, and Syngress. I never read Auerbach (sorry guys). I pretty much avoid everything else. You have to publish something extraordinary to catch my attention otherwise. Examples include books on FreeBSD or other BSD topics.

This method usually catches all books I care about in the next 9-15 months. I am rarely surprised, but that can happen! As a backup I subscribe to the blogs of major publishers who provide feeds on upcoming books (hint to publishers who do not do this -- you should!)

If I know and like the author already, I'll add the book to my Wish List immediately. I assign a priority based on how many months until the book will be published. I use Highest for published books and Lowest for books the farthest in the future.

Next I add books to my formal reading list. I usually have a queue stretching 9-12 months. My goal since probably 2000 or 2001 was to finish a calendar year having read all books available on my list, but it's never happened! (Will this be the year??)

My current list is more or less grouped by themes. I order the books based on the knowledge or familiarity I expect to need in order to understand the book. Hence, my current list shows books on C and Windows prior to books on exploitation develop and debugging Windows.

If a book seems really interesting, I'll put it on my schedule when the book is expected to be published. That may require rescheduling my reading. Not meeting my schedule can also force me to change the list.

The toughest part of my process involves seeing a book with an interesting title and subject written unknown author. Sometimes I'll take a leap of faith and add the book to my Wish List and reading schedule. Other times I'll wait until I can flip through it in the store. I always keep my Wish List and reading schedule synchronized, so you won't see me Wishing a book but not having it planned for a certain month.

How do you tackle/review books that are only distributed digitally?

I have yet to encounter this problem but I expect to at some point in 2012. I imagine by that time I'll just read the new book on an iPad or similar. I'll probably rely on note-taking on a separate piece of paper.

Thank you for your questions!

Review of Web Application Obfuscation Posted just published my four star review of Web Application Obfuscation by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay. From the review:

I had really no idea what to expect when I started reading Web Application Obfuscation (WAO). I hoped it would address attacks on Web technologies, perhaps including evasion methods, but beyond that I didn't even really know how to think about whatever problem this book might address. After finishing WAO, it's only appropriate to say "wow." In short, I had no idea that Web browsers (often called "user agents" in WAO) are so universally broken. Web browser developers would probably reply that they're just trying to handle as much broken HTML as possible, but the WAO authors show this approach makes Web "security" basically impossible. I recommend reading WAO to learn just how crazy one can be when interacting with Web apps.