Review of Metasploit: The Penetration Tester's Guide Posted

Amazon.com just posted my four star review of Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni. From the review:Metasploit: The Penetration Tester's Guide (MTPTG), is a great book about the Metasploit Framework. I first tried MSF in April 2004 (noted in one of my blog posts) and have since used it to test detection mechanisms, as well as simulate activity by certain threat groups. I've read...

Read More

Review of Hacking: The Art of Exploitation, 2nd Ed Posted

Amazon.com just posted my five star review of Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson. From the review:This is the last in a recent collection of reviews on "hacking" books. Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader...

Read More

Review of Gray Hat Hacking, 3rd Ed Posted

Amazon.com just posted my three star review of Gray Hat Hacking, 3rd Ed by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams. From the review:Critical reviews are my least favorite aspect of my Amazon experience, but I believe readers expect me to be honest with them. Gray Hat Hacking, 3rd Ed (GHH3E) has a lot of potential, but it needs a reboot and a ruthless editor. I read and reviewed the original edition...

Read More

Review of Ninja Hacking Posted

Amazon.com just posted my four star review of Ninja Hacking by Thomas Wilhelm and Jason Andress. From the review:Ninja Hacking is not a typical digital security book. When I saw the title I expected the use of "Ninja" to be a reference to a style of digital attack. While this is true to a certain extent, Ninja Hacking is about actual Ninja concepts applied to the digital world. The book is an introduction to Ninja history and techniques, applied...

Read More

Review of Managed Code Rootkits Posted

Amazon.com just posted my five star review of Managed Code Rootkits by Erez Matula. From the review:Managed Code Rootkits (MCR) is one of the best books I've read in 2011. MCR is a one-man tour-de-force through the world of malicious software that leverages managed code for its runtime. Prior to reading the book I was only vaguely aware of the concept and implementation. After reading MCR, I am wondering when we might see more of this technique...

Read More

Review of Buffer Overflow Attacks Posted

Amazon.com just posted my two star review of Buffer Overflow Attacks, by James C. Foster, et al. From the review:I read "Buffer Overflow Attacks" as part of a collection of books on writing exploit code (reviewed separately). I have to give credit to the author team for writing one of the first books on this subject; Syngress published BOA in 2005, when the subject received less published coverage. However, better books are available now if you...

Read More

Risk Modeling, not "Threat Modeling"

Thanks to the great new book Metasploit (review pending), I learned of the Penetration Testing Execution Standard. According to the site, "It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations)." I think this project has a lot of promise given the people involved.I wanted to provide one comment through my blog, since...

Read More

Noah Shachtman’s Pirates of the ISPs

Two posts in one day? I'm on fire! It's easy to blog when something interesting happens, and I can talk about it.I wanted to mention the publication of Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs by Noah Shachtman, acting in his capacity as a Nonresident Fellow for Foreign Policy in the 21st Century Defense Initiative at The Brookings Institution. I read and commented on an earlier draft, and I think you will...

Read More

SQL Injection Challenge and Time-Based Security

Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challenge. As stated on the challenge site, the goal is "To successful execute SQLi against the scanning vendor demo websites and to try and evade the OWASP ModSecurity CRS." The contestants need to identify a SQL injection vector within one of four demo websites, then enumerate certain information from the target....

Read More

Bejtlich Teaching in Abu Dhabi in December

I'm pleased to announce that on December 12-13 at Black Hat Abu Dhabi I will teach a special two-day edition of TCP/IP Weapons School 3.0. This class is designed for junior and intermediate security analysts. The "sweet spot" for the potential student is someone working in a security operations center (SOC) or computer incident response team (CIRT), or someone trying to establish one of those organizations. The class is very hands-on, and focuses...

Read More