TaoSecurity Blog

Kevin Mitnick was kind enough to send me a galley copy of his upcoming autobiography Ghost in the Wires . Amazon.com won't let me post a review yet, so I'll write what I would have supplied to the site. In 2002 I reviewed Kevin Mitnick's first book, The Art of Deception . In 2005 I reviewed his second book, The Art of Intrusion . I gave both books four stars. Mitnick's newest book, however, with long-time co-author Bill Simon, is a cut above their previous collaborations and earns five stars. As far as I can tell (and I am no Mitnick expert, despite reading almost all previous texts mentioning him), this is the real deal. Mitnick addresses just about everything you might want to know about. For me, the factor that made the book very unique was the authors' attention to detail. This sounds like it might have been a point of contention between the co-authors, but I found the methodical explanation of the social engineering and technical attacks to be rele...

Amazon.com just posted my five star review of Windows Internals, 5th Ed by Mark Russinovich and David Solomon, with Alex Ionescu. Microsoft Press provided a free review copy. From the review : Windows Internals, 5th Ed (WI5E) by Mark Russinovich and David Solomon, with Alex Ionescu, is a remarkable technical achievement. I read the book to better understand Windows to improve my security knowledge. I am not a Windows programmer, but I thought WI5E would provide context for some of the exploit and vulnerability information I occasionally encounter. I absorbed as much of WI5E as I could, but quickly found the scope and depth of the material to be incredible. While there is no substitute for reading source code, the explanations in WI5E come close! So many aspects of Windows are described, to such a deep level, that you might find yourself wanting to use Windows just to see WI5E's descriptions at work. Tweet

Amazon.com just posted my five star review of Windows System Programming, 4th Ed by Johnson M. Hart. Addison-Wesley provided a free review copy. From the review : I read Windows System Programming, 4th Ed (WSP4E) by Johnson M. Hart after finishing Windows via C/C++, 5th Ed (WVCP5E) by Richter and Nasarre. While I liked WVCP5E, I found WSP4E to be the better book for the sort of understanding I was trying to achieve. I'm not a professional Windows programmer, but I wanted to learn more about how Windows works. Hart's book did the trick, especially for a person like me with more of a Unix background. If you want to better know how to program on Windows, and specifically recognize differences among using the C libraries, the Windows API, and Windows "convenience functions," WSP4E is the book for you too. Tweet

Amazon.com just posted my four star review of Windows via C/C++, 5th Ed by Jeffrey M. Richter and Christophe Nasarre. Microsoft Press provided a free review copy. From the review : I will admit right away that I am probably not the target audience for this book, because I am not a professional Windows programmer. However, I am very interested in learning how Windows works, and Windows via C/C++, 5th Ed (WVCP5E) is one of the books that will help develop that expertise. Had I not also read Windows System Programming, 4th Ed (WSP4E) by Hart, I would have given WVCP5E 5 stars. Both are strong books, but WSP4E received 5 stars in a separate review. Still, I very strongly believe that WVCP5E by Richter and Nasarre is a must-read for anyone who wants to know more about Windows applications. Tweet

Amazon.com just posted my five star review of Beginning Visual C++ 2010 by Ivor Horton. Wrox provided a free review copy. From the review : I read Ivor Horton's Beginning Visual C++ 2010 (BVCP2) to gain some familiarity with the C++ programming language. Prior to this book I read Mr Horton's Beginning C book. Between the two books, I hoped to learn enough about C and C++ to prepare me to read a third book titled Windows via C/C++, 5th Ed by Richter and Nasarre. As a security professional, being able to grasp the essence of C and C++ as they are used in Windows helps me understand security advisories and related discussion of vulnerabilities in exploits. BVCP2 is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C++ for Windows programmer. I highly recommend it to both sorts of readers. Tweet

Amazon.com just posted my five star review of Beginning C by Ivor Horton. Apress provided a free review copy. From the review : I read Ivor Horton's Beginning C to gain some familiarity with the C programming language. As a security professional, being able to grasp the essence of C helps me understand security advisories and related discussion of vulnerabilities in exploits. Beginning C is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C programmer. I highly recommend it to both sorts of readers. Tweet

Amazon.com just posted my four star review of Programming Amazon EC2 by Jurg van Vliet and Flavia Paganelli. O'Reilly provided a free review copy. From the review : Because this is a short book, I'll write a short review. Programming Amazon EC2 (PAE) explains how to use certain elements of Amazon Web Services to deploy applications in Amazon's cloud infrastructure. The discussion centers on the authors' experiences deploying live, production Web sites (like Kulitzer) using AWS. I found this approach refreshing and novel, because it reads like a playbook for recreating similar infrastructure for the reader's own purposes. Tweet

I received word this week that the venue hosting my special session of TCP/IP Weapons School 3.0 was cancelled! That means no GTEC and no extra DC class. I'm sad to hear this because I'm receiving word from students wondering what happened. As best I understand it, the current Federal budget situation made hosting this conference a tough prospect for the DC crowd. At this point I'm evaluating options, including hosting a class myself. If you would be interested in attending a group class of TCP/IP Weapons School 3.0 in northern VA this year, please email training [at] taosecurity [dot] com. I think a class late in the year, hopefully during FY 2012 (so 1 Oct or later), might be the best option for Federal workers enduring budget woes. I'd rather teach within another venue, like Black Hat, but if there's enough demand from the cancelled GTEC event I'll see what it takes to offer a solo class. As noted on my Training site, I am teaching Two Sessions of TWS3...

In February I spoke at the DoJ Cybersecurity Conference . My abstract for the talk was the following: In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond. In this presentation, Bejtlich will share the keys to professional incident response, originally documented by an unintentional computer pioneer. Since several of you asked for the slides, I uploaded them here (.pdf, 60 slides). I don...

Bill Sweetman wrote a good article on the new Air Force bomber program titled USAF Bomber Gets Tight Numbers . I found the following paragraph interesting: One factor will drive up the cost of the bomber’s R&D: its status as a SAP [Special Access Program]. SAP status — whether the program is an acknowledged SAP, as the bomber is likely to be, or completely black — incurs large costs. All personnel have to be vetted before they are read into the program. Information within the program is compartmentalized, reducing efficiency. SAP status has been estimated to add 20% to a program’s cost . Security for SAP isn't cheap! Sweetman elaborates: The most likely reason for this measure is the sensitivity of ELO [extreme low-observable] technology, combined with the fact that the U.S. is the target of what may be the most extensive and successful espionage program in history — China’s Advanced Persistent Threat. How much is the new bomber supposed to cost? The magic numbers for the bo...

Today Richard D. Fisher, Jr. and Bill Sweetman published an online article for Aviation Week titled Sizing Up China's Military Capabilities . Of interest to my readers might be the following: It is no secret that long-term U.S. Air Force and Navy planning is focused on China... A decade ago, many U.S. analysts were unimpressed by the People’s Liberation Army (PLA)... By 2011, such hubris has given way to palpable concern... The elements of this capability include: Information attack. In the mid-2000s, U.S. intelligence agencies identified the Advanced Persistent Threat (APT) , a pattern of cyberespionage largely traceable to China and aimed mainly at the U.S. defense industry and armed forces... I really like to see organizations that are not selling digital security, but who are still defense experts, discuss APT! Some of you probably think Aviation Week is part of the "create a new bogey man" strategy as we draw down forces in Iraq. Surely APT is just "yellow pe...

A few of you asked questions via Twitter or comments on my All Reading Is Not Equal or Fast post, so I'll try answering them here. When you review a book that was less than perfect or heck even one that was perfect could you also suggest some alternatives? I'll be honest. That could be more work than I'm willing to do in a free forum like Amazon.com and this blog. Sometimes I mention alternatives because they're fresh in my mind and I like the other options. Always mentioning alternatives can be a real chore. If I wrote reviews for formal publication I would do that. Otherwise, I recommend subscribing to my Amazon.com review RSS feed and staying current with my reviews. Where do you find the time to read the books? After family-time, work time and sleep-time..at what time of the day do u read and how much time do you invest? I keep trying to read books but I read 2-3 pages per day at night...thanks! When work is really busy, I probably read the most when on the r...

Amazon.com just published my four star review of Web Application Obfuscation by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay. From the review : I had really no idea what to expect when I started reading Web Application Obfuscation (WAO). I hoped it would address attacks on Web technologies, perhaps including evasion methods, but beyond that I didn't even really know how to think about whatever problem this book might address. After finishing WAO, it's only appropriate to say "wow." In short, I had no idea that Web browsers (often called "user agents" in WAO) are so universally broken. Web browser developers would probably reply that they're just trying to handle as much broken HTML as possible, but the WAO authors show this approach makes Web "security" basically impossible. I recommend reading WAO to learn just how crazy one can be when interacting with Web apps. Tweet