Showing posts with the label impressions

Spectre and Meltdown from a CNO Perspective

Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network operations (CNO) hat on, I want to share a few thoughts about the intersection of the anti-American vendor mindset with the recent Spectre and Meltdown attacks. There are probably non-Americans who, for a variety of reasons, feel that it would be "safer" for them to run their cloud computing workloads on non-American infrastructure. Perhaps they feel that it puts their data beyond the reach of the American Department of Justice. (I personally feel that it's an over-reach by DoJ to try to access data beyond American borders, e.g., Microsoft Corp. v. United States.) The American intelligence community and computer network operators, however, might prefer to have that data outside Am...

Impressions: Three "Internals" Books for Security

As of last month I'm no longer reviewing technical books. However, I wanted to mention a few that I received during the last few months. All three have an "internals" focus with security implications, and all three are written by authors I've reviewed before. The first is The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition by Bill Blunden. I reviewed the first edition two years ago. I am not in a position to comment on the merit of Bill's technical approach (Greg? Jamie?) but I can say the following about the book. First, it appears current, with references to developments over the last few years. Second, it is well-sourced, with lots of footnotes. For me, that is a sign that the author cares about attribution and scholarship. Third, I must admit I am very happy to see several references to posts on this blog and also tools and techniques authored by Mandiant (such as Redline and Memoryze). With respect to citin...

Impressions: Fuzzing

Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the Amazon.com reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing. I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well presented. Paired with more specific, newer books on finding vulnerabilities, I think Fuzzing is a winner. My only real dislike involved the quotes by former US President George W. Bush at the start of each chapter. I thought they were irrelevant and a distraction.

Impressions: Hunting Security Bugs

I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...) Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- though not everywhere). Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book ...

Impressions: The Web Application Hacker's Handbook, 2nd Ed

In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed. This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience. The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with...

Impressions: Web Application Security: A Beginner's Guide

As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175). I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36: STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities ... instead, the purpose of STRIDE is ...

Impressions: Network Warrior, 2nd Ed

Five years ago I reviewed the first edition of Network Warrior by Gary A. Donahue. Thanks to O'Reilly I can post my "impressions" of the second edition of this great book. Although I read almost all of it, I am unable to post another review because Amazon.com has my previous review attached to the new edition. In brief, Network Warrior, 2nd Ed is the book to read if you are a network administrator trying to get to the next level. All of my praise from the previous review applies to the new book. The book is really that good, primarily because it combines very clear explanations with healthy doses of real-world experience. Thanks to Mr Donahue for taking the time to update his book!

Impressions: Windows Sysinternals Administrator's Reference

Mark Russinovich and Aaron Margosis have written another awesome addition to the Microsoft Press catalog, Windows Sysinternals Administrator's Reference. Per my policy, because I did not read the whole book I am only posting "impressions" here and not a full Amazon.com review. In brief, this book will tell you more about the awesome Sysinternals tools than you might have thought possible. One topic that caught my attention was using Process Monitor to summarize network activity (p 139). This reminded me of Event Tracing for Windows and Network Tracing in Windows 7. I remain interested in this capability because it can be handy for incident responders to collect network traffic on endpoints without installing new software, relying instead on native OS capabilities. I suggest keeping a copy of this book in your team library if you run a CIRT. Thorough knowledge of the Sysinternals tools is a great benefit to anyone trying to identify compromised Windows computers. ...

Impressions: The Tangled Web

Six years ago I reviewed Michal Zalewski's first book, Silence on the Wire. Michal is a security researcher who has consistently created high-quality content for a very long time, so I was pleased to receive a review copy of his newest book, The Tangled Web. I did not read the whole book, hence I'm posting only my "impressions" here. I recommend reading this book if you want to know a lot, and I mean a lot, about how screwed up Web browsers, protocols, and related technologies truly are. Because many points of the book are tied to specific browser versions, I suspect its shelf life will degrade a little more rapidly than some other technical titles. Still, I am shocked by the amount of research and documentation Michal performed to create The Tangled Web. As always, Michal's content is highly readable, very detailed, and well-sourced. It's a great example for other technical authors. Great work Michal!

Impressions: The Art of Software Security Testing

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment, I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSA, I'm afraid TAOSST didn't have much of a chance. TAOSST is a much shorter book, with more screen captures and less content. My impressions of TAOSST are that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.

Impressions: The Art of Software Security Assessment

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book. One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters. In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and...

Impressions: Tiger Trap

I just finished reading Tiger Trap by David Wise. I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read). I don't feel like writing an entire review but I wanted to capture a few thoughts. First, if you know nothing about Chinese espionage against the United States, read Tiger Trap. I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume. Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks. Still, there are plenty of cases where humans physically stole unclassified but sensitive information. Most of these predate the Web, however. Third, the Chinese like to "get good people to do bad things," as I Tweeted last week (citing page 16). In other words, China ...

Impressions: Android Forensics

My final book in this batch is Android Forensics by Andrew Hoog. Due to the nature of Android and the author's experience with it, this book has a lot of great content. (In contrast, on page xiii, the author thanks iPhone and iOS Forensics co-author Katie Strzempka "for generally taking care of that other book." Hmm, maybe I should have known that before trying to assess that "other book?") My only real concern with this book is that it might lack the focus required by a normal investigator. I'm sure many investigators simply want to know where to find key data (email, Web history, etc.) and then retrieve and analyze it in a forensically sound manner. It's the "so what" question that hangs over many forensics books. I would have liked a case study focusing on that sort of material to show how an investigator would make sense of the data and structures unearthed by the author throughout the book.

Impressions: iPhone and iOS Forensics

The third forensics book in this batch is iPhone and iOS Forensics (IAIF) by Andrew Hoog and Katie Strzempka. This book is similar to iOS Forensic Analysis: for iPhone, iPad, and iPod touch by Sean Morrissey, in the sense that neither book is as strong as I might have hoped. Oddly enough, the aspects of Morrissey's book that were most compelling (like his overview of the various i-devices and attention to each of them) are weaker in IAIF. I found IAIF to be a little confusing in its approach, with a lack of rigor around discussing iPhone vs other platforms. I felt the authors should have either focused on one platform or given all of them equal attention. I also disliked the mixing of what seemed to be jailbroken and non-jailbroken content. I prefer for forensics books to avoid using jailbreak techniques where possible, but it would have been helpful for the authors to be very clear where and why they use such methods. Chapter 4 was supposed to cover security, but it was o...

Impressions: XBox 360 Forensics

Next is Xbox 360 Forensics (X3F) by Steven Bolt. This book offers a lot of technical detail, but it seems to read more like a coroner's report than a guide for those doing forensics on the Xbox 360 platform. The author spends a lot of time documenting his analysis of the Xbox 360, but after perusing the book I took myself out of the role of scientist and into that of investigator. An investigator (such as a law enforcement person) is likely to say "that's all nice, but can I read the suspect's email? Can I review his Web browsing history? Can I inspect the content of his instant messaging? How do I do that?" These are practical questions that do not really appear in X3F. Sure, the author tears apart the platform and its file system, but I don't see a way for an investigator to easily move from the current text to answering fundamental investigation questions.

Impressions: Digital Forensics with Open Source Tools

For my fourth impressions post, I'll turn to the digital forensics world for Digital Forensics with Open Source Tools (DFWOST) by Cory Altheide and Harlan Carvey. I took a lot of notes but didn't read closely enough in my opinion to merit a full review. I didn't like the way this book started. I can't tell if the authors expect the reader to be familiar with open source software or not. The book needed to start in chapter 2 with something like "let's start by selecting Ubuntu for our operating system. We like it for the following reasons..." In contrast, the reader suddenly finds himself in the "Working with Images" section trying to use losetup, mmls, doing math, etc. That's too fast! Many reading this book are going to get lost on page 23 between "sudo apt-get install libfuse-dev libexpat1-dev" and advice to use "a simple ./configure..." Beyond the rough start, however, I thought the rest of the book was ...

Impressions: The Shellcoder's Handbook, 2nd Ed

The third book for which I'd like to share my impressions is The Shellcoder's Handbook, 2nd Ed (TSH2E) by Chris Anley, John Heasman, FX, and Gerardo Richarte. I liked TSH2E, but I could tell that the collaboration among four authors caused some issues that could have been addressed by better editing. For example, early parts of the book use both Intel and AT&T assembly syntax, but the reader doesn't get an explanation of either until chapter 7. For me, the best aspect of TSH2E was the integration of real-world obstacles to exploiting victims. The book (although published in 2008) expertly addressed various defenses introduced in operating systems over the past decade. The authors usually start with simple concepts, promising to address tougher challenges later -- and they deliver. One item early in the text caught my attention though. The book includes the following code to demonstrate spawning a shell: int main(){ char *name[2]; name...

Impressions: Reversing: Secrets of Reverse Engineering

I took a lot of notes while reading Reversing: Secrets of Reverse Engineering (RSORE) by Eldad Eilam, but I didn't read enough of the book to qualify in my opinion to write a true review. What I did read, though, was awesome. RSORE is very well written, clear, interesting, and features high production value and quality. Although Wiley published the book in 2005, I believe it's as relevant now as it was six years ago. In fact, I recommend pairing it with IDA Pro, 2nd Ed for a one-two RE punch. The introduction part provided sound foundations, great coverage of low-level concepts, a helpful overview of the Win32 environment (albeit with a 32 bit focus) and a quick tools discussion. The applied engineering part includes hunting for undocumented (as of 2005) native Windows APIs, analyzing the file format of an encryption program, auditing the vulnerability in idq.dll exploited by Code Red, and reversing a backdoor that communicates via IRC. The cracking part featured...

Impressions: The IDA Pro Book, 2nd Ed

What better way to start my new book impressions technique than The IDA Pro Book, 2nd Ed (TIDP2E) by Chris Eagle. I didn't read the entire book because I am not a reverse engineer, nor am I an IDA Pro user. However, I find the field, the tools, and the people who do reverse engineering to be interesting. My overall impression is that TIDP2E is an excellent book. Chris Eagle appears to have written an incredibly detailed and current text on IDA Pro. I noticed he cited material from RECon 2011, which happened earlier this year! Besides teaching how to use IDA Pro, TIDP2E appears to teach programming and operating system concepts. The book compares various ways to disassemble code (primarily linear sweep vs recursive descent) as well as complementary tools. I like the regular use of footnotes and external references, and the production quality was very high. Take a look at TIDP2E if you need a modern reference to this powerful tool suite.