TaoSecurity Blog

Four years ago I posted Reading Tips , where I offered some ideas on how to read technical books. Recently I've received emails and questions via Twitter on the same subject. In this post I'd like to offer another perspective. Here I will introduce different "types of reading." In other words, I don't see all reading as equal, and what some people might call "reading," I don't consider to be reading at all! After reading this post you may find you can adopt one or more (or really all) methods in your own knowledge journey. The key to this post is to recognize that different types of reading exist, and you have to decide how you are going to approach a book, article, or other printed resource. My list follows. Proofreading is a very intense activity where the reader scrutinizes every aspect of a book. The reader pays attention to technical accuracy, grammar, production value (quality of screen captures, etc.) and all other customer-facing element...

Amazon.com just published my four star review of Hacking Exposed: Web Applications, 3rd Ed by Joel Scambray, Vincient Liu, and Caleb Sima. From the review : This is the third Hacking Exposed: Web Applications (HE:WA) book I've reviewed, having reviewed the second edition in 2006 and the first edition in 2002. While I gave the earlier editions each five stars, I don't think HE:WA3E quite meets my expectations of a five star web application security book -- at least not one bearing the Hacking Exposed (HE) series name. In my opinion, the winning formula for a good HE book was set by the first in the series, back in 1999: 1) explain a technology of interest; 2) show exactly how to exploit it; 3) recommend countermeasures. For me, these three steps MUST be followed, and any book with HE in the title that fails to follow this recipe is likely to fall flat. The reason I like this approach is simple; in many cases, defenders first encounter a new technology only after a researcher o...

Amazon.com just posted my three star review of iOS Forensic Analysis by Sean Morrissey. From the review : I've read many forensics books over the last decade and written one as well. I believe that iOS Forensic Analysis (IFA) offers some useful information, but the manner in which the author presents it is not as effective as it could be. If the author were to write a second edition that structures the material in the way I recommend, I believe it would merit a four or five star review. Tweet

Amazon.com just published my three star review of Computer Incident Response and Product Security by Damir Rajnovic. From the review : When I first learned that Cisco Press was publishing a book about product security (Computer Incident Response and Product Security, or CIRAPS), I was excited to see what they might create. Cisco's Product Security Incident Response Team (PSIRT) is one of the best in the industry, with a long history and mature processes. Furthermore, no published book currently provides extensive coverage for companies trying to design, build, and run their own PSIRT. Rather than focusing on this topic and thoroughly examining it, however, CIRAPS spends only 100 pages out of a 215 page book talking about PSIRT issues. While there are parts of CIRAPS that I found interesting, I don't think they justify reading the whole book. Tweet

Amazon.com just posted my five star review of pfSense: The Definitive Guide by Christopher M. Buechler and Jim Pingle and published by Reed Media . From the review : I have to admit that pfSense: The Definitive Guide (pTDG) caught me off guard. I expected the book to mainly discuss installing and using the pfSense firewall appliance, which would have been enough for me to enjoy the book. However, I was pleased to see coverage of many issues related to network security and firewall design and operation. For me, these features elevated the entire book to five star status. If you're interested in learning how pfSense can help your organization, and what it means to deploy firewalls, pTDG is the right book. Tweet

Because I wrote a three star review of the first edition of The Book of Pf by Peter N.M. Hansteen, Amazon.com won't allow me to write a review of the second edition. So, I added the following comment to my old review indicating that I think the second edition deserves four out of five stars: Amazon won't allow me to write a review of the second edition of this book, so I'm adding this comment. I'm pleased to say that I believe the author accepted much of the feedback in my first review as well as feedback from other reviewers. He's improved the book so much that I think it warrants 4 out of 5 stars. He spends more time explaining key concepts rather than simply including them in the text. For example, the author introduces features like macros (p 18) whereas in the first edition he just started using them. The book is also fairly up-to-date, with coverage of OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5.0. Reading how to use Pf on all three platforms was very helpful. ...

Amazon.com just posted my four star review of Kingpin by Kevin Poulsen. I read this book by checking it out of my library! From the review : I've read and reviewed almost all of the non-fiction computer crime and espionage books written since the 1980s. Kingpin by Kevin Poulsen is one of my favorites. I will recommend this book to fellow digital security professionals and those who would like insights into our world. Kingpin's coverage of Max Ray Butler's (MRB) constant entanglement with the dark side is a lesson for anyone contemplating using their skills for evil. On a related note, in late 2007 I posted Max Ray Butler in Trouble Again and followed that in 2010 with Max Ray Butler Sentenced (Again) . Tweet

Similar to my post Report on Instances of US Forces Abroad , I again thank Steven Aftergood for his post No-Fly Zones: Considerations for Congress . He points to a new report titled Declarations of War and Authorizations for the Use of Military Force: Historical Background and Legal Implications (.pdf). This is a good resource for those trying to determine what is war, what isn't war, and what happens in each situation. From the report summary: From the Washington Administration to the present, Congress and the President have enacted 11 separate formal declarations of war against foreign nations in five different wars. Each declaration has been preceded by a presidential request either in writing or in person before a joint session of Congress. The reasons cited in justification for the requests have included armed attacks on United States territory or its citizens and threats to United States rights or interests as a sovereign nation. Congress and the President have also ena...

Thank you to anyone who voted for me to join the board of the Open Information Security Foundation . They are most famous for their Suricata intrusion detection engine, but I expect additional outputs as time passes. I appreciate those of you who supported my goal to join their board. I will try to provide fair and useful input to the project. I believe we will have our first board phone call next week. Are there any issues you would like me to raise, or consider for future meetings? I am personally interested in OISF because I think they bring a level of enthusiasm, openness, and innovation to the open source network security monitoring space, alongside tools like Bro and Snort and others I mentioned in my January post Seven Cool Open Source Projects for Defenders . OISF is also a US nonprofit, a 501c(3) group, so I like the idea of helping that sort of organization. Tweet

Today RSA's Art Coviello announced the following: Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA... Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack... This is one of the problems with debates over terminology. If we all accepted the actual definition of APT as created by the Air Force in 2006, we would know what Mr Coviello is...

In June 2007 I posted that I was joining General Electric as Director of Incident Response . Since then I helped build and lead GE-CIRT from an "army of one" into a team of 40 analysts. It was an honor and a privilege to work with my team, but today I am announcing that I've accepted a new challenge. Effective 1 April I will be Chief Security Officer and Security Services Architect for MANDIANT , where I will build teams, tools, and capabilities to provide managed detection and response services. You can read the press release at the MANDIANT Web site or Businesswire if you're so inclined, as well as a MANDIANT blog post . I am really looking forward to this new opportunity. I worked for Kevin Mandia in 2002-2004 with Foundstone and for Travis Reese in 2004-2005 at ManTech International Corp.'s CFIA division. When I left ManTech to concentrate 100% on TaoSecurity, the first consulting I did was for Red Cliff, the precursor to MANDIANT. I also know many cu...

Thanks to Steven Aftergood's post Instances of US Forces Abroad I learned of a new Congressional Research Service report of the same name -- Instances of Use of United States Armed Forces Abroad, 1798-2010 (pdf). From the introduction: Eleven times in its history the U.S. has formally declared war against foreign nations. These eleven U.S. war declarations encompassed five separate wars: the war with Great Britain declared in 1812; the war with Mexico declared in 1846; the war with Spain declared in 1898; the First World War, during which the U.S. declared war with Germany and with Austria-Hungary during 1917; and World War II, during which the U.S. declared war against Japan, Germany, and Italy in 1941, and against Bulgaria, Hungary, and Rumania in 1942. Some of the instances were extended military engagements that might be considered undeclared wars. These include the Undeclared Naval War with France from 1798 to 1800; the First Barbary War from 1801 to 1805; the Second Barbar...

Through a custom arrangement with Black Hat I am pleased to announce that I will teach a special session of TCP/IP Weapons School 3.0 at the Government Technology Expo & Conference (GTEC) on Tuesday 31 May and Wednesday 1 June 2011 in Washington, DC. The conference organizers set the price for my class at $2200. I am not sure if the price increases as we get closer to the class date. This is a good opportunity for people in the DC area to attend my TWS 3 class without having to pay for travel to Las Vegas, where I will teach two sessions of TWS 3 at Black Hat USA this summer. I recommend registering soon because I expect this class to fill quickly due to the DC location. Please let me know if you have any questions by posting a comment or sending email to training [at] taosecurity [dot] com. Thank you. Tweet

Several weeks ago I attended an outstanding one day conference by the Jamestown Foundation titled China Defense & Security 2011 . The conference consisted of a series of speakers discussing various aspects of US-China national defense and security. Only one speaker concentrated on digital (or "cyber," love that word) items. The rest dealt with a wide range of topics. I took several pages of notes that I thought my benefit those not in attendance. I did not take notes on the one session that was considered "off the record." In this post I will summarize my second page of notes. Please see Experts Talk US-China Security Issues, Part 1 if you want to see what I discussed prior to this post. Tai Ming Chung discussed Chinese innovation, specifically the nation's maturation from "imitation to innovation," specifically "architectural defense innovations." He described three models present in China: Techno-nationalist "strategic mo...

Several weeks ago I attended an outstanding one day conference by the Jamestown Foundation titled China Defense & Security 2011 . The conference consisted of a series of speakers discussing various aspects of US-China national defense and security. Only one speaker concentrated on digital (or "cyber," love that word) items. The rest dealt with a wide range of topics. I took two pages of notes that I thought my benefit those not in attendance. I did not take notes on the one session that was considered "off the record." In this post I will summarize one page of notes. For the second page please see Experts Talk US-China Security Issues, Part 2 . Arthur Waldron cited three ways to view events in China: 1) nothing new is happening; 2) something is happening, but if we had an "expert" in the White House we would be able to deal with it better; or 3) something is happening, but because we're not sure exactly what, it doesn't matter who is in ...

Amazon.com just posted my three star review of Cyber Attacks by Edward Amoroso. From the review : Writing a book isn't easy, especially when you're trying to develop a framework and solutions that apply to a topic as vast as protecting national infrastructure. I applaud Dr Amoroso's efforts in Cyber Attacks, but I fear he is solving yesterday's problems with yesterday's answers. This book might have been more relevant in 2006 when one could have plausibly pointed to botnets as "clearly the most important security issue on the Internet today" as Dr Amoroso oddly says on p 12. Unfortunately for readers, Cyber Attacks does not have the perspective needed to provide workable solutions to modern problems. Tweet

In January I taught the first TCP/IP Weapons School 3.0 class at Black Hat DC 2011 . This is a completely new class written from the ground up. I'm very pleased with how it has developed and the students enjoyed the new content. For example, one of the feedback comments was the following: "I felt that the pace and level of difficulty was well managed, and the defense-then-offense aspect was a great way to learn!" I'm happy to announce that registration for TCP/IP Weapons School 3.0 at Black Hat USA 2011 is now open. I will teach two sessions, on 30-31 July and 1-2 August in Las Vegas. Black Hat has four remaining price points and deadlines for registration. Early ends 30 April Regular ends 15 June Late ends 29 July Onsite starts at the conference Seats are filling -- it pays to register early! While keeping the distinctions from other offerings that I described last year , I've extended this third version of the class to include explicit offensive and def...