Posts

Inside a Commission Hearing on the Chinese Threat

This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I'm seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey. As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action. The Commission holds hearings to solicit testimony from subject matter experts and builds on those hearings to produce an excellent annual report. You can access the 2011 report on the Commission Web site,...

Impressions: Fuzzing

Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the Amazon.com reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing. I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well presented. Paired with more specific, newer books on finding vulnerabilities, I think Fuzzing is a winner. My only real dislike involved the quotes by former US President George W. Bush at the start of each chapter. I thought they were irrelevant and a distraction.

Impressions: Hunting Security Bugs

I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...) Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- though not everywhere). Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book ...

Impressions: The Web Application Hacker's Handbook, 2nd Ed

In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed. This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience. The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with...

Impressions: Web Application Security: A Beginner's Guide

As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175). I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36: STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities ... instead, the purpose of STRIDE is ...

Review of SSH Mastery Posted

Amazon.com just published my five star review of SSH Mastery by Michael W. Lucas. From the review: This is not an unbiased review. Michael W. Lucas cites my praise for two of his previous books, and mentions one of my books in his text. I've also stated many times that MWL is my favorite technical author. With that in mind, I am pleased to say that SSH Mastery is another must-have, must-read for anyone working in IT. I imagine that most of us use OpenSSH and/or PuTTY every day, but I am sure each of us will learn something about these tools and the SSH protocol after reading SSH Mastery.

Bejtlich's Take on RSA 2012

Last week I attended RSA 2012 in San Francisco. I believe it was my third RSA conference; I noted on my TaoSecurity News page speaking at RSA in 2011 and 2006. This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event. Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation. After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists. S...