Showing posts from March, 2012

Inside a Commission Hearing on the Chinese Threat

This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I'm seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey. As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action. The Commission holds hearings to solicit testimony from subject matter experts and builds on those hearings to produce an excellent annual report. You can access the 2011 report on the Commission Web site,

Impressions: Fuzzing

Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing. I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well presented. Paired with more specific, newer books on finding vulnerabilities, I think Fuzzing is a winner. My only real dislike involved the quotes by former US President George W. Bush at the start of each chapter. I thought they were irrelevant and a distraction.

Impressions: Hunting Security Bugs

I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...) Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- though not everywhere). Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book

Impressions: The Web Application Hacker's Handbook, 2nd Ed

In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed. This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience. The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with

Impressions: Web Application Security: A Beginner's Guide

As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175). I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36: STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities ... instead, the purpose of STRIDE is

Review of SSH Mastery Posted

Just published: my five-star review of SSH Mastery by Michael W. Lucas. From the review: This is not an unbiased review. Michael W. Lucas cites my praise for two of his previous books, and mentions one of my books in his text. I've also stated many times that MWL is my favorite technical author. With that in mind, I am pleased to say that SSH Mastery is another must-have, must-read for anyone working in IT. I imagine that most of us use OpenSSH and/or PuTTY every day, but I am sure each of us will learn something about these tools and the SSH protocol after reading SSH Mastery.

Bejtlich's Take on RSA 2012

Last week I attended RSA 2012 in San Francisco. I believe it was my third RSA conference; I noted on my TaoSecurity News page speaking at RSA in 2011 and 2006. This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event. Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation. After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists. S

Keep CIRT and Internal Investigations Separate

A recent issue of the Economist featured an article titled Corporate fraud: Mind your language -- How linguistic software helps companies catch crooks. It offered the following excerpts: To spot staff with the incentive to steal (over and above the obvious fact that money is quite useful), anti-fraud software scans e-mails for evidence of money troubles ... Ernst & Young (E&Y), a consultancy, offers software that purports to show an employee’s emotional state over time: spikes in trend-lines reading “confused”, “secretive” or “angry” help investigators know whose e-mail to check, and when. Other software can help firms find potential malefactors moronic enough to gripe online, says Jean-François Legault of Deloitte, another consultancy... Dick Oehrle, the chief linguist on the project, explains how it works. First, the algorithm digests a big bundle of e-mails to get used to employees’ language. Then human lawyers code the same e-mails, sorting things as irrelevant, relev

TaoSecurity Blog Wins Most Educational Security Blog

I'm pleased to announce that TaoSecurity Blog won Most Educational Security Blog at the 2012 Social Security Bloggers Awards. I attended the event held near RSA and spent time talking with a lot of security bloggers and security people in general. I'd like to thank the sponsors of the event, depicted on the photo of the back of the T-shirt at left. Props to whomever designed the shirt -- it's one of my favorites. The award itself looks great, and the gift certificate to the Apple store will definitely help with an iPad 3, as intended! Long-time readers may remember that I won Best Non-Technical Blog at the same event in 2009. Winning this award has given me a little more motivation to blog this year. I admit that communicating via Twitter as @taosecurity is much more seductive due to the presence of followers and the immediate feedback! Speaking of Twitter, SC Magazine named @taosecurity as one of their 5 to follow, which I appreciate. And speaking of SC Ma