Posts

Showing posts from 2012

Best Book Bejtlich Read in 2012

Image
It's time to name the winner of the Best Book Bejtlich Read award for 2012 ! I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners. I posted yesterday that 2012 was the year I changed what I read . For example, in 2011 I read and reviewed 22 technical books. In 2012, which a change in my interests, I only read and reviewed one technical book. Thankfully, it was a five star book, which means it is my BBBR 2012 winner! As you might have figured out yesterday, this year's winner is SSH Mastery by Michael W Lucas . Feel free to read my Amazon.com review for details. Note that I bought a Kindle version from Amazon.com, and later MWL mailed me a print copy. Besides the excellent style and content, one of the reasons I read the book was to experience MWL's first release of a self-published technical book. I think it was a successful endeavor, although I

2012: The Year I Changed What I Read

Image
If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP). Looking at my previous reviews , it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery . MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work. So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some

Five No Starch Books for Kids, Reviewed by Kids

Image
No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.") I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers. The five books, with links to the Amazon.com reviews, are: Python for Kids The Unofficial LEGO Technic Builder's Guide The Unofficial LEGO Builder's Guide The LEGO Adventure Book, Vol. 1: Cars, Castles, Dinosaurs & More! Wonderful Life with the Elements: The Periodic Table Personified I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python boo

The Value of Branding and Simplicity to Certifications

Image
At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here. In my opinion, the primary reason the CISSP is so successful is that it is easy to understand it , which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification. Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP? Let me guess -- you didn't recognize any of them, just like I did? Now, let me see if you recognize any of the fo

Why Collect Full Content Data?

Image
I recently received the following via email: I am writing a SANS Gold paper on a custom full packet capture system using Linux and tcpdump. It is for the GSEC Certification, so my intent is to cover the reasons why to do full packet capture and the basic set up of a system (information that wasn't readily available when setting my system up)... I am already referencing The Tao of Network Security Monitoring . These are the questions that I came up with based on questions other peers have asked me... Here are the questions, followed by my answers. Most of this is covered in my previous books and blog posts, but for the sake of brevity I'll try posting short, stand-alone responses. As an information security analyst in today's threat landscape why would I want to do full packet capture in my environment? What value does have? Full content data or capturing full packets provides the most flexibility and granularity when analyzing network-centric data. Unlike vario

Spectrum of State Responsibility

Image
"Attribution" for digital attacks and incidents is a hot topic right now. I wanted to point readers to this great paper by Jason Healey at the Atlantic Council titled Beyond Attribution: Seeking National Responsibility in Cyberspace . ACUS published the report in February, but I'm not hearing anyone using the terms described therein. Probably my favorite aspect of the paper is the chart pictured at left. It offers a taxonomy for describing state involvement in digital attacks, ranging from "state-prohibited" to "state-integrated." I recommend using the chart and ideas in the paper as a starting point the next time you have a debate over digital attribution. Tweet

Recommended: The Great Courses "Art of War" Class

Image
I recently purchased and listened to an audio course titled The Art of War (TAOW) by Prof Andrew R. Wilson and published by The Great Courses . From the first few minutes I knew this series of six 30 minute lessons was going to be great. For example, did you know that "Sun Tzu" didn't write "The Art of War?" An anonymous author wrote the book in the 4th century BC, based on Sun Tzu's lessons from his time in the 6th century BC. Also, "The Art of War" isn't even the name of the book! It's actually "Master Sun's Military Method." Furthermore, the use of the term "Master" is significant as it was a term not usually associated with generals. I especially like two aspects of the course. First, the lecturer, paraphrasing his own words, didn't choose to simply peruse TAOW looking for trite phrases. He equates that approach with telling a stock broker to "buy low, sell high." Instead, Prof Wilson is more c

Commander's Reading List

Image
Last month a squadron commander asked me to recommend books for his commander's reading list. After some reflection I offer the following. I've divided the list into two sections: technical and nontechnical. My hope for the technical books is to share a little bit of technical insight with the commander's intended audience, while not overwhelming them. The plan for the nontechnical items is to share some perspective on history, policy, and contemporary problems. The list is in no particular order. Nontechnical books: America the Vulnerable by Joel Brenner Cyber War by Richard Clarke and Robert Knake Crypto by Steven Levy Geekonomics by David Rice Security Metrics by Andrew Jaquith The Victorian Internet by Tom Standage The Cuckoo's Egg by Cliff Stoll Tiger Trap by David Wise Technical books: Software Security by Gary McGraw The Art of Computer Virus Research and Defense by Peter Szor Real Digital Forensics by Keith Jones, Curtis Rose, and Ric

Do Devs Care About Java (In)Security?

Image
In September InformationWeek published an article titled Java Still Not Safe, Security Experts Say . From that article by Matthew J. Schwartz: Is Java 7 currently safe to use? Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one. In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disab

Review of Super Scratch Programming Adventure! Posted

Image
Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure! . From the five star review : I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following: "I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder. How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre. On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script? I enjoyed watching the Magic Star Web change colors. Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming." I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Sho

Washington National Guard: Model for Cyber Defense?

Image
My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security . From the article: The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks. The aim is to bring to the digital world the kind of disaster response the National Guard already lends to fighting wildfires and floods, said Lt. Col. Gent Welsh of the Washington Air National Guard. “Just as ‘Business X’ needs the National Guard to come in and fill sand bags, ‘Business X’ might need to call the National Guard if it’s overwhelmed on the cyber side,” Welsh said. The new task plays to a growing strength in the state’s National Guard, which draws on employees from companies including Microsoft and Amazon to provide special expertise in its network warfare units. I first learned of this initiative when Russ Tweeted abou

Inside Saudi Aramco with 60 Minutes

Image
I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers . A recent Reuters article said the following: Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems. "All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday. "Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus." It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet. While wat

Netanyahu Channels Tufte at United Nations

Image
This is not a political blog, and I don't intend for this to be a political post. I recently watched Israeli Prime Minster Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure. However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event. The reason this caught my attention was that it reminded me of the Best Single Day Class Ever , taught by Edward Tufte. I attended his class in 2008 and continue to recommend it. I've since blogged about Tufte on several occasions. Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons pr

Celebrate Packt Publishing's 1000th Title

Image
I'm pleased to announce a special event involving Packt Publishing . The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members. I'm interested in two recent titles: Metasploit Penetration Testing Cookbook by Abhinav Singh Advanced Penetration Testing for Highly-Secured Environments by Lee Allen In a few months a third book will arrive: BackTrack 5 Cookbook At this point I don't have personal experience with any of these titles, but I plan to take a look. Thank you Packt for sharing part of your library with us! Tweet

Top Ten Ways to Stir the Cyber Pot

Image
I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them. If you want to start a debate/argument/flamewar in security, pick any of the following. "Full disclosure" vs "responsible disclosure" vs whatever else Threat intelligence sharing Value of security certifications Exploit sales Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT Reality of "cyberwar" "Builders vs Breakers" "Security is an engineering problem," i.e., "building a new Internet is the answer." "Return on security investment" Security by mandate or legislation or regulation Did I miss any subjects people raise to "stir the cyber pot?" Tweet

Unrealistic "Security Advice"

Image
I just read a blog post (no need to direct traffic there with a link) that included the following content: This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents. For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices. This author is well-meaning, but he completely misses the bigger picture. Against a sufficiently

To Be Hacked or Not To Be Hacked?

Image
People often ask me how to tell if they might be victims of state-serving adversaries . As I've written before , I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile? A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements. Adam Segal Tweeted a link to a Xinhua story titled China aims to become world technological power by 2049 . The following excerpts caught my attention: China aims to become a world technological power by 2049 and strives to be a leading nation in innovation and scientific development, according to a government document released on Sunday. The document, released by the Communist Party of China Central Committee and the State Council, or the Cabinet, namely opinions on "deepening technological system reform

Understanding Responsible Disclosure of Threat Intelligence

Image
Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a " dead drop ," a clandestine method to exchange messages. You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them. Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do? You decide to take this information to the world via your bl

Over Time, Intruders Improvise, Adapt, Overcome

Image
From TaoSecurity Today I read a well-meaning question on a mailing list asking for help with the following statement: "Unpatched systems represent the number one method of system compromise." This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment. I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity over time . For both opportunistic and targeted threats, when exploiting unpatched vulnerabilities no longer works, over time they will escalate to attacks that do work. I recognize that if you have to start your security program somewhere, addressing vulnerabilities is a good idea. I get that as a Chief Security Officer. However, the tendency for far too many involved with security, from the CTO or CIO perspective, is to then conclude that "patched = secure." At best, patching reduces a certain a

Does Anything Really "End" In Digital Security?

Image
Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit . He said in part: 15 years ago Aleph One published “ Smashing the Stack for Fun and Profit .” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end. Now, I'm not a programmer, and I don't play one at Mandiant. However, Adam's last sentence in the excerpt caught my attention. My observation over the period that Aleph One's historic paper was written is this: we don't seem to "solve" any security problems. Accordingly, no "era" seems to end!

Encryption Is Not the Answer to Security Problems

Image
I just read Cyber Fail: Why can't the government keep hackers out? Because the public is afraid of letting it , an article in the new Foreign Policy National Security channel . I've Tweeted on Mr Arquilla's articles before, but this new one published today offers a solution to security problems that just won't work. Consider these excerpts: Back in President Bill Clinton's first term, the "clipper chip" concept was all about improving the security of private communications . Americans were to enjoy the routine ability to send strongly encoded messages to each other that criminals and snoops would not be able to hack, making cyberspace a lot safer. I see two errors in this section. First, having lived through that time, and having read Steven Levy's excellent book Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age , I disagree with Mr Arquilla's statement. The Clipper Chip was the government's last attem

Bejtlich Interviewed on This Week in Defense News

Image
Last week Vago Muradian from This Week in Defense News with Vago Muradian interviewed me for his show. You can see the online version here . The online version is about two minutes longer than the broadcast version. We recorded the extra material separately and the video staff added it in the middle of the session. They were so smooth I didn't originally notice the change! Vago asked questions about how companies can defend themselves from digital threats. He wanted to know more about state-sponsored intrusions and how to differentiate among different types of threat actors. In the extra session Vago and I talked about recent SEC activities and how to tell if your organization has been victimized by a targeted attacker. There's a possibility Vago will invite me back to participate on a panel discussing digital security. I look forward to that if it happens! If you have any questions on the video, please post a comment and I'll answer. Thank you. Tweet

My Role in Information Warfare during the Yugoslav Wars

Image
This morning I read a Tweet from @AirForceAssoc reminding me that: Today in Airpower History, August 30, 1995: NATO and U.S. aircraft began airstrikes on Serbian ground positions in Bosnia-Herzegovina to support the U.N. Operation Deliberate Force. The airstrikes, with a Bosnian-Croatian ground attack, convinced the Serbs to accept peace terms in late 1995. I'm not particularly fond of commemorating airpower campaigns, but the Tweet did remind me of the small part I played in the Yugoslav Wars of the 1990s. Many Americans remember the 1990s, and especially the Clinton presidency, as a "quiet decade" between the first Gulf War led by President GHW Bush and the so-called "Global War on Terror" led by President GW Bush. Instead of a quiet decade, I remember a an exceptionally busy time for the Air Force, including some of the first "information operations" that combined digital and physical effects. In fact, fifteen years ago, almost to the week

DOJ National Security Division Pursuing Cyber Espionage

Image
I just read Justice Department trains prosecutors to combat cyber espionage by Sari Horowitz, writing for the Washington Post. The article makes several interesting points: Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials. The new training is part of a major overhaul following an internal review that pinpointed gaps in the department’s ability to identify and respond to potential terrorist attacks over the Internet and to the rapidly growing crime of cyber espionage, the officials said, describing it for the first time. In recent weeks, Justice has begun training more than 300 lawyers in Washington and nearly 100 more across the county in the legal and technical skills needed to confront the increase in cyber threats to national security... Under the reorganization, teams of specialized lawyers within NSD in Wa

Israeli Agents Steal Korean Tech for Chinese Customer

Image
Thanks to the show Asia Biz Today I learned of an industrial espionage case involving South Korea, Israel, and China. In brief, agents of the South Korean branch of an Israeli company stole technology from two South Korean companies, and passed the loot to Chinese and Taiwanese companies. On June 27th the Yonhap news agency in South Korea reported the following: Key technologies to manufacture advanced flat-panel displays at Samsung Mobile Display and LG Display have been leaked by an local unit of an Israeli company, local prosecutors said Wednesday, raising concerns the leakage could pose a major threat to the national interest. The Seoul Central District Prosecutors' Office indicted under physical detention three employees at the local unit of an Israeli inspection equipment supplier, including a 36-year-old man surnamed Kim, on charges of leaking key local technologies used to produce active-matrix organic light-emitting diode (AMOLED) displays and white organic lig

Impressions: Three "Internals" Books for Security

Image
As of last month I'm no longer reviewing technical books. However, I wanted to mention a few that I received during the last few months. All three have an "internals" focus with security implications, and all three are written by authors I've reviewed before. The first is The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition by Bill Blunden. I reviewed the first edition two years ago. I am not in a position to comment on the merit of Bill's technical approach (Greg? Jamie?) but I can say the following about the book. First, it appears current, with references to developments over the last few years. Second, it is well-sourced, with lots of footnotes. For me, that is a sign that the author cares about attribution and scholarship. Third, I must admit I am very happy to see several references to posts on this blog and also tools and techniques authored by Mandiant (such as Redline and Memoryze . With respect to citin

Not Just Clowns, But Criminals

Image
It turns out my April post Clowns Base Key Financial Rate on Feelings, Not Data was too generous. I cited an Economist story which outlined how LIBOR rates — and the returns on $360 trillion of financial contracts related to them, five times global GDP — are based on best guesses rather than hard data. I continue to cover this story because the financial industry routinely scoffs at the "risk management" practices of non-financials, as I wrote in 2007 . It turns out that these clowns are actually malicious, as reported in Lies, damn lies, and LIBOR: Barclays, Diamond, and a devalued benchmark : A pattern of deception extending over a period of years. A flouting of the law to profit at the expense of others on three different continents. And a belief that the rules did not apply to them. No, not the latest mafia family to be taken down by a special prosecutor. But Barclays PLC, the sprawling British banking group that recently paid a $450 million fine for seeking to ri

How to Kill Teams Through "Stack Ranking"

Image
The newest Vanity Fair offers an article titled Microsoft’s Downfall: Inside the Executive E-mails and Cannibalistic Culture That Felled a Tech Giant . It starts with the following: Analyzing one of American corporate history’s greatest mysteries — the lost decade of Microsoft — two-time George Polk Award winner (and V.F.’s newest contributing editor) Kurt Eichenwald traces the “astonishingly foolish management decisions” at the company that “could serve as a business-school case study on the pitfalls of success.” Relying on dozens of interviews and internal corporate records — including e-mails between executives at the company’s highest ranks — Eichenwald offers an unprecedented view of life inside Microsoft during the reign of its current chief executive, Steve Ballmer, in the August issue... Eichenwald’s conversations reveal that a management system known as “stack ranking” — a program that forces every unit to declare a certain percentage of employees as top performers, go

Thoughts on Lessons from Our Cyber Past: The First Cyber Cops

Image
In May I was pleased to attend Lessons from Our Cyber Past: The First Cyber Cops hosted by Jay Healey at the Atlantic Council and featuring Steven R. Chabinsky, Shawn Henry, and Christopher M. Painter. The transcript as well as audio for the event are now online. All of the attendees made great points, and I wanted to highlight a few. Mr. Chabinsky: I think that we’re getting to this point where we really have to reflect upon what risk mitigation looks like in this area, whether our policies that focus predominantly on vulnerability mitigation, are actually a successful long-term security model. If you think of most security models, I think predominantly you’d find that they rely on threat deterrence , that the notion that the actor won’t act because there will be some penalty-based deterrent at the end of it – they’ll be captured, they’ll have some penalty. Here [in digital security] we have a model where people are predominantly focused on hardening the target , patching