TaoSecurity Blog

This morning I began training to test for the Cisco Certified Network Associate certification. I am in a class offered by GlobalNet Training in northern Virginia. My company ManTech agreed to pay my way, as they support sending engineers to a week's worth of training per year. My instructor is Todd Lammle , author of the recently updated CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801) study guide. Two weeks ago I saw Todd was personally teaching this class, so I immediately signed up. I'm probably not the easiest student to have in a networking class. When Todd asked if HTTP uses TCP, I felt it necessary to mention Universal Plug and Play Protocol (UPNP) which runs HTTP over UDP. I also mentioned that DNS uses TCP to answer queries when the response is larger than the 512 byte limit on UDP responses. Todd's tolerating me so far, but he said I have to provide a copy of my book. :) Why am I studying for the CCNA? Once in a while I find mysel

Amazon.com just posted my five star review of The Art of Computer Virus Research and Defense . From the review: " Peter Szor 's The Art of Computer Virus Research and Defense (TAOCVRAD) is one of the best technical books I've ever read, and I've reviewed over 150 security and networking books during the past 5 years. This book so thoroughly owns the subject of computer viruses that I recommend any authors seeking to write their own virus book find a new topic. Every technical computing professional needs to read this book, fast." This book absolutely blew me away. Read my review to see why, then order a copy!

The Virginia-Pilot reports that Monster Garage host Jesse James flew his modified Panoz Esperante Friday. As the image by photographer Drew C. Wilson shows, the car actually lifted off the runway. The story says "James didn’t get liftoff on the first pass as he tried to get a feel for the craft and the runway. On the second try, just as he reached 80 mph, the wheels lifted about two feet off the pavement, and the craft soared for about 3 seconds and about 120 feet." I should have driven our family down to North Carolina to see this in person!

Sometime during the last seven years I decided it was acceptable to read college texts as a way to learn advanced computing topics. These were the same books I was glad to ditch at the end of a college semester when I was a cadet at the Air Force Academy. Now I've received a new college text, and I'm looking forward to reading it. The new book, courtesy of Springer , is Introduction to Assembly Language Programming, 2nd Ed , by Sivarama P. Dandamudi. I already have Richard Blum's Professional Assembly Language on my reading list , but Prof. Dandamudi's book offers a twist. It doesn't just explain assembly programming on the Intel x86 architecture. Prof. Dandamudi also covers MIPS R2000 programming using the SPIM simulator available in the FreeBSD ports tree . The R2000 is an old processor, part of the MIPS R series ; however, it still makes a good programming example. I will post an Amazon.com review when done with this book.

I received Kevin Mitnick's new book The Art of Intrusion yesterday. This is a sequel to his 2001 book The Art of Deception . The new book is the result of Kevin's 2004 call for hackers where he said "I'm putting out a call to all current and former hackers to tell me about your sexiest hack. I'm not looking for those who simply downloaded and used pre-packaged exploits, but hackers who have shown innovation and ingenuity to compromise their targets." I gave Kevin's earlier book four stars , and I plan to read the new book very soon. I think we security professionals benefit from reading books about threats as well as vulnerabilities . Those of you who have followed this blog or read my book know the difference. By learning how structured threats think and behave, we can better prepare our defenses. If even some of the stories in The Art of Intrusion are true, we will gain a very valuable insight into the adversary's mind. Stay tuned for a fu

The logo-contest.freebsd.org site is operational. The competition ends 31 May. A cleaned-up announcement has the details. Note: "Beastie will be continue [sic] to represent the FreeBSD Project as our mascot." The English is poor, but the message is clear enough.

NetworkWorldFusion features a debate between two authors. One writes Employees [are] the biggest threat to network security . The other says Intruders [are] the biggest threat to network security . My personal opinion is that rogue insiders have the potential to cause the most damage, but the frequency with which they appear and cause havoc is lower than people think. Outsiders, on the other hand, are frequently attacking and exploiting enterprises, but they are not often causing the sort of damage a rogue insider could. What do you think? Which group presents the bigger risk? I decided to frame this question with respect to risk, since one can estimate risk using the equation risk = threat X vulnerability X cost of asset (replacement) or "asset value" On a related note, I found this October 2004 article by Anton Chuvakin to be interesting: Issues Discovering Compromised Machines . He begins by questioning the claim made by the authors of the book Exploiting Software

More details are emerging regarding the Paris Hilton cellphone incident . I'd like to use this case to take a look at the various approaches used to perform incident response. The first two methods are technical, and the third is non-technical. First we have the assessment approach. This involves probing target systems which may have been involved in the incident. Assessors look for security weaknesses in services and applications they believe could have yielded the information acquired by the intruders. Jack Koziol's recent blog entry is an example of this approach. In my opinion this method is least likely to yield useful information, and is often a waste of time, as far as determining the details of the incident at hand. The assessment approach is largely speculation, albeit with access to some or all of the systems which could have been victimized. From a forensic standpoint, this is a poor way to investigate an intrusion. Assessors typically interact directly wit

Google-fu master J0hnny Long announced the Google Hack Honeypot (GHH) last week. The introduction states: "GHH emulates a vulnerable web application by allowing itself to be indexed by search engines. It's hidden from casual page viewers, but is found through the use of a crawler or search engine. It does this through the use of a transparent link which isn't detected by casual browsing but is found when a search engine crawler indexes a site. The transparent link (when well crafted) will reduce false positives and avoid a fingerprint of the honeypot. The honeypot connects to a configuration file, and the configuration file writes to a log file which is chosen during configuration. The log file contains information about the host, including IP address, referral information, and user agent. Using the information gathered in the log file, an administrator can learn more about attackers doing reconnaissance against their site. An administrator can cross reference logs an

My friend James Rodgers pointed me towards a European hacking magazine, Hakin9 . It's been around for a while, but the English edition just launched last month. Looking through the contents, the articles appear more tech-oriented and certainly more advanced than the average 2600 magazine. The cover story, pictured at right, by Kamil Folga, discusses Cisco IOS security. It's well-written, with command syntax, diagrams, output listings, screen shots, and helpful advice. A one year, 6 issue, hard copy subscription costs 38 EUR or US $51. The .pdf version is 19 EUR or US $25.

I am happy to report that myself, my book The Tao of Network Security Monitoring , and our suite Sguil have been "Bilanoed." I have coined this term to refer to being parodied by Mr. Billy B. Bilano . I first became aware of this fictional (man, I hope he's fictional) character when he described a " crypto virus " on the Full-Disclosure list. Watching people feed the troll was hilarious. Bill's latest message can be found in his posting to Snort-users . Here is an excerpt: "See, at first I decided I would use this Squil IDS thing but that crazy Russian guy that wrote down the docs said I needed to keep every packet in a database (who has time for being a packet rat like that?) to make sure I don't get hackered by the nerds! Well that makes a whole hell of a lot of sense! If you keep them online in a database and you get hacked then the hacker will be able to just copy and paste them packets and whammo! Instant replay attack! Maybe I should I

Reuters reporter Andy Sullivan asked me to comment for his story Paris Hilton Exposed on Web After Phone Hacked . I believe this is a continuation of the T-Mobile database incident I blogged earlier . Chances are the original perpetrators obtained T-Mobile customer credentials (user names and passwords) and kept them to themselves, initially. Then, to impress their friends, the intruders shared some or all of the data. Eventually the credentials were passed to one or more parties who thought to make themselves "famous" by posting sensitive information fraudulently obtained with those user names and passwords. This "disclosure cycle" is similar to the way exploits circulate through the underground. One or more people independently or jointly discover a vulnerability and code an exploit. They keep it closely guarded, perhaps using it to access sensitive targets. If they are professional black hats, they never reveal the fact they have the exploit. If they are

You may have read of The Jericho Forum in the latest SC Magazine . The Jericho Forum describes itself as "an international forum of IT customer and vendor organisations dedicated to the development of open standards to enable secure, boundaryless information flows across organisations." I read stories on them as early as March 2004 , two months after they formed. The group appears to be built from representatives of European companies. They are attracting attention for their "de-perimeterisation" and "open network" ideas, which their " Visioning White Paper " define as follows: "de-perimeterisation: the act of applying organisational and technical design changes to enable collaboration and commerce beyond the constraints of existing perimeters, through cross-organisational processes, services, security standards and assurance" "open network: a network freely accessible at low or no cost to arbitrary communicationg parties, suc

On Friday Lockheed Martin announced it is buying The Sytex Group for $462 million. Sytex's revenue for 2004 was $425 million, not much less than the asking price. It shows that service companies sell for much less than product companies. According to the cited story, about 85 percent of Sytex’s revenue comes from the US Department of Defense. I guess those contracts are not worth as much in forward-looking terms as one might expect?

Everyone's probably visited Hot or Not at some point. The site allows visitors to rate pictures supposedly uploaded by the person depicted. Matt Gibson of Flewid Productions expanded on the idea with his Rate My Network Diagram site. Powered by I-Rater , like Hot or Not, Rate My Network Diagram lets visitors critique network plans uploaded by users. Although the site has been operating since September 2003, I just became aware of it. I like the idea of being able to browse network diagrams and devising ways to improve their security or visibility. Another source of network diagrams is Network Computing's Centerfolds .

We move from a purely managerial topic in my last blog entry to an exceedingly technical one. Apple I Replica Creation: Back to the Garage by Tom Owad is as unique a technical book as you'll ever see. The book shows the reader how to assemble an Apple 1 replica using a kit from Briel Computers . Author Tom Owad explains soldering, digital logic, and programming in assembly and BASIC. Appendices also cover hacking a Macintosh SE and elementary electrical engineering. If you really want to get close to bare metal with computers, you'll probably love this book. I unfortunately don't have the time to follow this book's guidance, so I don't plan to read it.

I recently received Mapping Security: The Corporate Security Sourcebook for Today's Global Economy by Tom Patterson and Scott Gleeson Blue, published by Addison-Wesley for Symantec Press . This is the second book from Symantec's new publishing venture. The first was The Executive Guide to Information Security: Threats, Challenges, and Solutions by Mark Egan and Tim Mather. Their third and latest is The Art of Computer Virus Research and Defense by Peter Szor, which looks so good I'm starting to read it this week. I will probably never read Mapping Security since it is a non-technical book for managers, and my reading list is stacked for the next year. I want to mention it here, however, because it is unique. Author Tom Patterson presents a global survey of doing security work in a variety of countries. I know of no other book like this, and I think it would be invaluable for managers of multinational corporations, international salespeople, and globe-trotting con

As I originally suspected the ChoicePoint fraud case has expanded to a national scope. The Associated Press is reporting that half a million people across the United States may have had their information stolen. Attorneys general from 38 states have demanded that ChoicePoint warn any victims in their states, beyond those in California. So far a 41-year-old Nigerian, Olatunji Oluwatosin, has been sentenced to 16 months in jail. According to AP, Oluatosin "was arrested on Oct. 27 when ChoicePoint faxed him some paperwork at a Kinko's store in a sting operation. He pleaded no contest and did not agree to help authorities in the probe." Politicians are getting angry, according to AP: "On Wednesday, Sen. Dianne Feinstein, D-Calif., called for hearings on her proposed national version of the California law, while Sen. Bill Nelson, D-Fla., asked federal regulators Friday to oversee data-brokering companies the same way they do other companies that handle financial a

I received the February 2005 issue of SC Magazine last week. It features a cover story on the Air Force's Chief Information Officer, John Gilligan, and the $500 million contract consolidation effort that will save the AF $100 million over six years. I commented on this last year and earlier this week . Now I see that Mr. Gilligan has won the SC Magazine US Editors Award . Ostensibly Mr. Gilligan was given this award because he is working to standardize Microsoft software deployed across the Air Force. I would rather have seen him win the award for making a bold, and more correct, decision to implement a phase-out of Microsoft software. Unfortunately, it seems "no one is fired for buying Microsoft." Incidentally, prior to becoming AF CIO in 2001, Mr. Gilligan served as CIO of the US Department of Energy -- the same DoE that has scored an F for computer security every year grades have been assessed, including 2000. Contrast Mr. Gilligan's position with that of R

This is the US House Committee on Government Reform 2004 report card for US Federal government security. I wrote about the report for CY 2003 at the end of 2003 . The big news for this year's report card are the huge swings made by some agencies. Justice and Interior improved from F's to B- and C+, respectively, while State marginally moved out of the failing category by progressing from F to D+. Others regressed, some substantially; the NSF dropped from an A- to C+, Commerce from C- to F, and the VA from C to F. Overall, 7 out of 24 agencies received F's, balanced by 7 with B's or better. The "Report Grading Elements" ( .pdf ) used the following major categories to grade agencies: 1. The percentage of the agency's programs and systems reviewed, including contractor operations or facilities in FY04 by CIOs and IGs. 2. The degree to which agency program officials and the agency CIO have used appropriate methods to ensure that contractor provided ser

I was pleased to see WAN protocols like Border Gateway Protocol (BGP) covered in Computer Networking: Internet Protocols in Action , especially since BGP traces appear on the book's CD. In conjunction with her BGP discussion, author Jeanna Matthews mentions BGP resources like traceroute.org , the University of Oregon Route Views Project , Merit Network 's Routing Assets Database , and Looking Glass sites. I also found a Router Server Wiki and a Looking Glass Wiki . A route server is a router which peers with BGP routers for the purpose of letting researchers and others look at routing tables. For example, if one connects to a route server, you may be able to get a BGP summary like this: route-server>sh ip bgp summary BGP router identifier 12.129.193.235, local AS number 1838 BGP table version is 4152117, main routing table version 4152117 153391 network entries and 306780 paths using 28990811 bytes of memory 56813 BGP path attribute entries using 3182032 bytes of memor

Amazon.com just posted my five star review of Computer Networking: Internet Protocols in Action . From the review: "I eagerly anticipated reading Jeanna Matthews' Computer Networking: Internet Protocols in Action (CN:IPIA). I am always looking for good networking books to recommend to people asking how to enter the digital security field. I am pleased to report that CN:IPIA is an excellent, hands-on, packet-oriented introduction to networking, suitable for all entry-level analysts. Even those with several years of experience may learn a trick or two, as I did." This is a great book. I also learned that we can freely download copies of certain IEEE 802 standards from Get IEEE 802 , like the ubiquitous 802.3 CSMA/CD standard. These are hundreds of pages long, and really only useful to hardware and protocol developers. However, if you need to reference an authoritative source, you can't beat these documents.

I listened to President Bush announce that he's selected Ambassador to Iraq John Negroponte as the new Director of National Intelligence. No one seems to be publishing the story that current head of the National Security Agency, Michael Hayden , will be Ambassador Negroponte's deputy. I think General Hayden is an excellent choice. He could have been the Director, rather than the deputy. I worked as a lieutenant at Air Intelligence Agency when General Hayden was the AIA commander. I think everyone who ever met him was impressed by his intelligence, good nature, and command of information operations concepts. I have a lot of confidence in General Hayden's selection.

JustinS posted a comment asking about the difference between a thin client like Sun's new Sun Ray 170 and alternative devices. I specifically mentioned Wyse in a previous story. This is the form factor for their Winterm S30 and their Winterm S50 . The S30 runs Windows CE 5.0 while the S50 runs a Linux distro with the 2.6 kernel. In my opinion, these aren't "thin clients" at all, but rather "embedded" devices. In contrast, the Sun Ray does not run a conventional operating system. It doesn't run embedded Windows, Linux, or Solaris. There is enough logic on the Sun Ray to support a TCP/IP stack and display graphics. That's it. All of the work is done on the Sun Ray Server . With version 3.0, the server can run on Solaris or several Linux distros. I personally plan to run Red Hat or Fedora. You can confirm my claims by reading the Sun Ray Overview .pdf . You could argue that the Sun Ray is running some sort of operating system, but I woul

The latest SANS Newsbites happily reports on a FCW article titled OMB likes Air Force's patch strategy . The US Office of Management and Budget 's Karen Evans reportedly likes the US Air Force's plans to "deliver standardized and securely configured Microsoft software throughout the service." Brig. Gen. Ronnie Hawkins, director of communications operations in the Air Force's Office of the Deputy Chief of Staff for Installation and Logistics, says "We'll decide which configurations will be acceptable in the Air Force... We'll then implement these configurations and then lock the desktops down." This should have been done ten years ago when I was using Windows for Workgroups 3.11 as an Air Force lieutenant. This approach is fighting the last war, since it relies on running hundreds of thousands of personal computers with general purpose operating systems. All of these systems will still need applications installed, and those apps and

Today I received the first of several books which I hope will illuminate the world of hardware specially-built for networking tasks. This book is Network Processors: Architectures, Protocols, and Platforms by Panos Lekkas and published by McGraw-Hill . A network processor is a programmable processor designed specifically for processing packets. They are an alternative to Application-Specific Integrated Circuits (ASICs), which cost about $1 million each to design. The same day I received this book, I also got the new copy of Cisco's IP Journal . This is a free quarterly newsletter I recommend every networking professional read. In a dash of Police -esque synchronicity , the first article is by Douglas Comer and introduces readers to network processors. I am looking forward to reading Prof. Comer's Network Systems Design with Network Processors, Agere Version . His article alludes to a version of that book for the Intel 2xxx family of network processors.

According to this TechWeb story , Microsoft is denying access to MSN Messenger clients older than version 6.2.0205. This is a response to Core Security's advisory , which Microsoft followed with MS05-009 . A malformed buddy image could exploit a vulnerable user's instant messaging (IM) client. Microsoft even posted a dedicated page explaining the problem to IM users. This is the first time I recall a vendor (at least Microsoft) denying access to a service because a user is running vulnerable software. This would be like refusing to let a person browse the Web because their version of Internet Explorer is too old, or refusing to let them check mail because Outlook is out-of-date. This is a form of "network addmission control" (Cisco-speak) or "network access protection" (Microsoft-speak) taken to a whole new level. I hope to see more of this in the future. Of course, I would prefer all of this to be transparent to users who don't care. I would

I read at MSNBC that 30,000 - 35,000 California residents were warned that "unauthorized third parties" may have accessed their personal information, such as their names, addresses, Social Security numbers, credit reports and other information. The data was stolen from ChoicePoint , an Atlanta-based firm that describes itself as "a trusted source and leading provider of decision-making information that helps reduce fraud and mitigate risk. ChoicePoint has grown from the nation's premier source of data to the insurance industry into the premier provider of decision-making intelligence to businesses and government." ChoicePoint claims the data was stolen through 50 fake companies that were set up to access the data. MSNBC says "The incident was discovered in October, when ChoicePoint was contacted by a law enforcement agency investigating an identity theft crime. In that incident, suspects had posed as a ChoicePoint client to gain access to the firm's

Amazon.com just posted my five star review of Google Hacking for Penetration Testers . In short, this book rocks. From the review: "'Google Hacking for Penetration Testers' (GHFPT) should be a wake-up call for organizations that consider 'information leakage' a theoretical problem. 'Information leakage' refers to the unintentional disclosure of sensitive information to public forums, like the Web. Security staff can use the tools and techniques outlined in Johnny Long's GHFPT to assess the degree of information leakage affecting their organizations. They can then propose, implement, and test remedies. When Google says they are clean, they can be reasonably assured they are." I recommend visiting the author's site at johnny.ihackstuff.com to download his Shmoocon slides. They are a good overview of the book.

Many publishers have been kind enough to send review copies of interesting books. I am especially grateful when publishers send books I definitely plan to read. Unfortunately, in some cases the time between my receipt of the book and my Amazon.com review is longer than I would like. The purpose of this blog entry is to let you know of the great books I have waiting on my bookshelf. They are the same ones listed on my reading list . As I receive books on my Amazon.com Wish List , I'll pre-review those as well. First up is Beginning Perl, 2nd Ed by James Lee and published by Apress . James also co-wrote Hacking Linux Exposed, 2nd Ed , which I enjoyed. I do not plan to read this book and become a Perl guru. Instead, I hope to become familiar enough with Perl to understand applications that use the langauge. Oinkmaster , the Snort rules update script, is one example. My plan to start seriously learning Python begins with Practical Python by Magnus Lie Hetland and publishe

I just posted an updated Sguil Installation Guide . The previous edition was slightly out-of-sync with the directory conventions introduced in Sguil 0.5.3. I also was careful to account for actions required when installing separate sensor, database, and sguild server components. The new guide does not yet describe installing Snort or Barnyard on FreeBSD using the ports tree. Once Paul Schmehl finishes his work on Sguil ports, I will redo the guide to try a ports-only installation. I may wait for Sguil 0.6.0, however, depending on when Bamm expects to release it.

I only recently learned that telecom giant MCI bought managed security services provider NetSec for $105 million . Other telecom companies might want to look at Lisa Phifer's Managed Security Service Provider Survey or Adam Stone's In MSSPs We Trust for acquisition candidates. I expect acquisitions to continue, as there are between one and two dozen small MSSPs available. There are also people like myself who know how to build MSSPs from the ground up (hint hint). :) Update: It must be confusing to work for NetSec. One minute you're working for MCI, the next you're working for Verizon !

I have two questions for readers: 1. What is the cheapest switch you've found that offers a SPAN port? 2. Is anyone interested in writing a chapter providing an overview of peer-to-peer protocols? I have been unable to contact the subject matter expert I hoped to contribute this section to my new book. I am looking for someone with experience detecting, interpreting, and controlling peer-to-peer protocols on internal networks. I am interested in providing the reader the following: - Overview of general p2p principles and networks - Discussion of popular p2p implementations -- Networks and clients -- General analysis of packet traces via Ethereal or Tethereal or Tcpdump captures (save captures for inclusion in book, if possible) - Ways to detect p2p activity - Ways to control (but not eliminate) p2p on internal networks; in other words, allow BitTorrent for downloading .iso's, but don't let it consume too much bandwidth - Other topics you find relevant and interest

Last month I wrote on the Caballes drug case. On Tuesday the former head of the US DoJ's computer crimes squad wrote Of Dog Sniffs and Packet Sniffs . In his article Mark Rasch says: "[T]he search by the dog into, effectively, the entire contents of a closed container inside a locked trunk, without probable cause, was 'reasonable' even though the driver and society would consider the closed container 'private' because the search only revealed criminal conduct. The same reasoning could easily apply to an expanded use of packet sniffers for law enforcement." Since Rasch is a Senior Vice President and the Chief Security Counsel (i.e., a lawyer) at Solutionary Inc., he may be on to something. The comments on Mark's article by those not trained as lawyers are in some cases amusing. He responds to several of them.

I was happy to learn that another friend and ex-Foundstone colleague, Nish Bhalla, has started his own consulting company: Security Compass . Nish most recently contributed to the new book Buffer Overflow Attacks , which I plan to read. Nish is an expert on Web and application security, so if you need a customized, in-depth assessment of those services give him a call!

I learned of the furor over the upcoming FreeBSD logo contest by reading the recent Slashdot thread bearing the unfortunate title "FreeBSD Announces Contest To Replace Daemon Logo." There is no replacement going on. As I've written previously , FreeBSD has no logo . FreeBSD has a mascot, "Beastie" the daemon. Core team member Robert Watson has affirmed this , and I believe the forthcoming announcement at FreeBSD logo contest willl make this point crystal clear. The new contest is designing a logo to complement the Beastie mascot, not replace or remove him. A few people ( here , here , and here ) demonstrate an understanding of the difference between a logo and a mascot and have been brave enough to speak up. Unfortunately, the FUD is already flying. Kon Wilms started the Help Save the FreeBSD Mascot online petition and has enjoyed a healthy number of sign-ups. I've started a Save the FreeBSD Mascot and Create a Logo petition to counter Mr. Wilm

I haven't been reading the FreeBSD mailing lists regularly. Today I looked into the freebsd-stable list and saw the FreeBSD 5.4 Release Schedule posted. Highlights include: Feb. 23 newvers.sh starts to say 5.4-PRERELEASE Mar. 2 RELENG_5 code freeze begins Mar. 4 Public test release build called 5.4-PRERELEASE Mar. 16 Branch RELENG_5_4, unfreeze RELENG_5 Mar. 18 5.4-RC1 Mar. 25 5.4-RC2 Apr. 4 5.4-RELEASE You can watch the schedule and open issues pages as the release engineering process continues.

Amazon.com just posted my five star review of Internet Denial of Service . From the review: "'Internet Denial of Service' (IDOS) is an excellent book by expert authors. IDOS combines sound advice with a fairly complete examination of the denial of service (DoS) problem set. Although the authors write from the DoS point of view, as a network security monitoring advocate I found myself agreeing with many of their insights. Since there are no other books dedicated to DoS, I was very pleased to find this one is a powerful resource for managers and technicians alike." The "RST scan" controversy mentioned in the review refers to my paper Interpreting Network Traffic . I discussed the issue in The Tao as well. Two interesting projects I intend to research further are D-WARD and DefCOM .

Shmoocon finished today. Overall I found the con very worthwhile and an incredible financial bargain for the $199 late admission price I paid. I started the day in a briefing by Joe Stewart and Mike Wisener of LURHQ . I attended this talk primarily because Joe has been my point of contact at LURHQ for contributing several malware analysis case studies to my next book, Extrusion Detection . LURHQ analysts do some of the best technical research publicly available, and they are going to share some original write-ups in the new book. The title of the talk was "Binary Difference Analysis via Phase Cancellation." This didn't mean much to me initially, but I am definitely glad I attended. Joe and Mike explained a way to analyze compiled binaries. In other words, how does the code in compiled malware A resemble variant B? Alternatively, how does a patch to binary C change it into binary D? Joe cited work by Halvar Flake of SABRE Security on function signature plug-i

Here are a few impressions of the talks I saw during the second day of Shmoocon in Washington, DC. The day started with a rant by Riley "Caezar" Eller on the state of security. Caezar wrote Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms and works for CoCo Corp . (CoCo appears to stand for Connection Optimizing Cryptographic Operator.) He pleaded for someone to invent a new Internet and asked why other speakers at security conventions do not make similar requests. Such pleas are similar to those who call for replacement of gasoline-powered automobiles with hydrogen-powered vehicles. It's easy to create an end-user product like a hydrogen-powered car, assuming the extra costs could be reduced. However, who will finance and build the infrastructure that makes such a vehicle worth buying and driving? Therefore, we see more success with incremental products like the Toyota Prius , which leverage existing fuel infrastructure while offeri