Showing posts from August, 2010

GE Looking for Business Response Team Leader

GE continues to hire security professionals to help reduce IT risk at our company. I should be posting additional jobs for my team ( GE-CIRT ) next month, but right now my boss (our CISO) asked me to help find a Business Response Team (BRT) Leader for our Corporate entity. Visit and search for job 1251700 to find the role. From the summary: The Business Response Team (BRT) Leader is responsible for working with business peers and the GE Computer Incident Response Team (GE-CIRT) to better protect GE Corporate from digital intruders. The BRT Leader limits and assesses the damage caused by digital intruders, evaluates the posture and configuration of business computers, provides direct security support to business initiatives, and works to improve the security of the business. This role is in Connecticut in order to be close to our HQ.

Bejtlich on Silver Bullet Podcast

Gary McGraw was kind enough to interview me for his Silver Bullet Podcast . Gary is a real pro; he does his homework. After describing the interview process to my wife, she thought Gary's approach sounded like James Lipton and Inside the Actor's Studio! We talked about a lot of subjects and Gary tailored his questions to relate to my incident detection and response duties and relations to software security.

Review of Least Privilege Security Posted

Just posted my four star review of Least Privilege Security for Windows 7, Vista and XP by Russell Smith. From the review : Russell Smith's Least Privilege Security for Windows 7, Vista, and XP (LPS) is a helpful contribution to the toolbox of many enterprise system administrators. Numerous organizations are finally realizing that the Internet is too hostile an environment to let normal users function with elevated privileges. Although by no means a panacea for preventing intrusions, users operating with least privilege are somewhat more able to resist some attack vectors. Beyond resisting attacks, users operating with least privilege are more likely to meet organizational rules. Thanks to LPS, administrators running Windows 7, Vista, and XP can apply the author's lessons and guidance to their own environment.

Bejtlich Teaching at Black Hat Abu Dhabi 2010

The teaser page for Black Hat Abu Dhabi 2010 is now live, and I am pleased to announce that I will teach TCP/IP Weapons School 2.0 there on 8-9 November. Preregistration appears to be available. This will truly be the last edition of TWS version 2.0. I have been in contact with experts from the United Arab Emirates Computer Emergency Response Team (aeCERT) and I hope to have students from the region participate in my class. For those interested in TWS 2.0 but not familiar with it, I described the class in this blog post titled Sample Lab from TCP/IP Weapons School 2.0 . I described differences between my class and SANS in this post . I am also developing version 3.0 for Black Hat DC 2011 in January. When I have details on that class I will post them here.

Review of IT Security Metrics Posted

Just published my five star review of IT Security Metrics by Lance Hayden . From the review : I was not sure what to expect as I started reading IT Security Metrics (ISM). I had just discarded another new book, published in July 2010, supposedly about security metrics but really about nothing useful to anyone anchored in the operational IT world. Would ISM be another disappointment? Since Andrew Jaquith published Security Metrics in 2007, no other book had appeared to help security professionals measure their worlds. Thankfully, I can strongly recommend Lance Hayden's ISM as a very strong contributor to the discussion on security metrics. ISM's subtitle, "A Practical Framework for Measuring Security & Protecting Data," really does explain the purpose and value of this great new book.

Review of Practical Lock Picking Posted

Just posted my five star review of Practical Lock Picking by Deviant Ollam . From the review : Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book is less than 250 pages, it is very reasonably priced. Second, Deviant wastes NO space. There is no filler material, background found in other readily available texts, reprinted Web site content, etc. Third, the writing is exceptionally clear and methodical, with extreme attention to detail and a master's approach to educating the reader. Finally, the diagrams, pictures, and figures are superb. When necessary they convey the most subtle elements of lock or key design, and they are the appropriate size and clarity. Overall, this book is helpful f

Consider Reading Network Flow Analysis

If I could write a book review of Network Flow Analysis by Michael W Lucas , I would give it five stars. Why won't I? The reason is that Michael asked me to be the technical reviewer for the book, and I don't feel comfortable publishing a review when I am potentially identified with the content. Michael did such an awesome job writing his newest book that my tech edit was fairly easy. However, I would prefer to say a few words on my blog rather than assign stars at (Note: for those of you who do some research and find my review of the excellent Linux Firewalls by Michael Rash , you'll see I issued a disclaimer that I wrote the foreword. I felt that writing a foreword is different than tech editing, because a tech editor is partially responsible for the content of the entire book. A foreword author is more or less writing an endorsement, like a review that's published in the book itself. You may not agree with this differentiation -- it

World's Worst Security Visualization?

I'm speaking at VizSec 2010 next month. My topic is Is Security Visualization Useful in Production? I already asked do you use visualization in production? I realized it would also be great to show the world's worst security visualizations. So, what have you seen? What is just horrible yet supposed to be awesome? I'll select the most interesting responses and integrate them into my presentation. Feel free to comment here or email richard at taosecurity dot com. Please be sure to include an IMAGE so we can see the visualization you are describing! Respond no later than Monday 30 August. Thank you.

Do You Use Visualization in Production?

I'm speaking at VizSec 2010 next month. My topic is Is Security Visualization Useful in Production? I'd like to know if YOU are using visualization in production. What works? What doesn't? What do you need but don't have? I'll select the most interesting responses and integrate them into my presentation. Feel free to comment here or email richard at taosecurity dot com. Please be sure to include an IMAGE so we can see the visualization you are describing! Respond no later than Monday 30 August. Thank you.

Review of Wireshark Network Analysis Posted

Just published my five star review of Wireshark Network Analysis by Laura Chappell . From the review : Wireshark Network Analysis (WNA) is a very practical, thorough, comprehensive introduction to Wireshark, written in an engaging style and produced in a professional manner. WNA provides a variety of methods for teaching network analysis with Wireshark, including description, screen shots, user-supplied case studies, review questions (with answers), "practice what you've learned" sections, and dozens of network traces (available online). Readers who approach the book as more of a class in printed (text) and electronic (trace file) forms will likely understand the higher-than-normal price tag. Anyone trying to learn how to use Wireshark, including basic protocol analysis, will greatly benefit by reading WNA.

Hexcompare and Finding New Tools

Last week while teaching at Black Hat, one of my students wanted to know how I find new tools. One of the ways I do that is to subscribe to FreshPorts , a site created by Dan Langille. FreshPorts tracks additions to the FreeBSD ports tree, so when someone makes it easy for me to run a new app on FreeBSD I find out. Every week I get an email of new additions to the tree, and I take a quick look to see if any catch my interest. For example, last week I saw a new port called devel/hexcompare . I visited the Sourceforge project page and decided to try it. Since I was using an Ubuntu desktop I tried to install the new app using apt-get, but it wasn't available yet. I could have turned to a FreeBSD system, but instead I decided Hexcompare was probably simple enough to compile by hand. It turns out the app was really simple, and I got it running quickly. The screen shot at the top shows the differences in a binary pcap file identified by Hexcompare. Basically I edited a few bytes

Conti and Easterly on Cyber Warriors

Thanks to Lieutenant Colonel Gregory Conti and Lieutenant Colonel Jen Easterly for pointing me to their article Recruiting, Development, and Retention of Cyber Warriors Despite an Inhospitable Culture . They are doing a real service by examining cultural issues challenging the success of a Cyber Command. I'd like to provide a few excerpts: Until the end of the 20th Century combat arms expertise ruled the day, but in the 21st Century kinetic combat arms soldiers must learn to co-exist, cooperate, and coordinate with non-kinetic cyber warriors... [E]xperience gained to date in building the Army Network Warfare Battalion (ANWB) overwhelmingly points to the critical need for a career path to effectively recruit, manage and retain cyber talent... In the world of cyber warfare, experts such as Mr. Kaminsky are the "Chesty Pullers" of the 21st Century... The problem often lies not in the talent or desire of these individuals, but in inflexible military human resource systems ... A big q

August 2010 Digital Forensics Magazine Published

The August 2010 issue of Digital Forensics Magazine is available for subscribers. There's a variety of interesting articles and you can tell there is the additional care provided as a result of charging a subscription. Rob Lee wrote a good article on Becoming a Digital Forensics Professional, as well.

July 2010 Hakin9 Magazine Published

The August 2010 Hakin9 magazine is available for free download in .pdf format. I think they are publishing shorter magazines, but more frequently? I always like Matt Jonkman's articles. He mentions creating a new commercial IDS ruleset, which he announced in late June in Emerging Threats Announces Call for Developers to Create New and Improved Rule Set . I missed it until now however.

Project Vigilant Is a Publicity Stunt

I think "Project Vigilant" is largely a publicity stunt, meaning it was just invented and its so-called "history" is an extension of someone's imagination. As we say on my team, "This ain't my first rodeo." In other words, I've been around for a while. While I recognize some of the "principals" in this "group," I've never heard of them organized into a "project" -- certainly not with over 500 stealthy members! I'm going to link to a few articles and offer my opinions on the content. First we have the 21 June article Secret group aids fight against terror by Mark Albertson: For the past 14 years , a significant volunteer group of U.S. citizens has been operating in near total secrecy to monitor and report illegal or potentially harmful activity on the Web. 14 years? Please. If they have been active for 14 years, why does no one I've asked know who these guys are? The group claims over 500 cur