Best Book Bejtlich Read in 2012

It's time to name the winner of the Best Book Bejtlich Read award for 2012! I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners. I posted yesterday that 2012 was the year I changed what I read. For example, in 2011 I read and reviewed 22 technical books. In 2012, which a change in my interests, I only read and reviewed one technical...

Read More

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP). Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and...

Read More

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.") I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews...

Read More

The Value of Branding and Simplicity to Certifications

At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here. In my opinion, the primary reason the CISSP is so successful...

Read More

Why Collect Full Content Data?

I recently received the following via email: I am writing a SANS Gold paper on a custom full packet capture system using Linux and tcpdump. It is for the GSEC Certification, so my intent is to cover the reasons why to do full packet capture and the basic set up of a system (information that wasn't readily available when setting my system up)... I am already referencing The Tao of Network Security Monitoring. These are the questions that I came...

Read More

Spectrum of State Responsibility

"Attribution" for digital attacks and incidents is a hot topic right now. I wanted to point readers to this great paper by Jason Healey at the Atlantic Council titled Beyond Attribution: Seeking National Responsibility in Cyberspace. ACUS published the report in February, but I'm not hearing anyone using the terms described therein. Probably my favorite aspect of the paper is the chart pictured at left. It offers a taxonomy for describing state...

Read More

Recommended: The Great Courses "Art of War" Class

I recently purchased and listened to an audio course titled The Art of War (TAOW) by Prof Andrew R. Wilson and published by The Great Courses. From the first few minutes I knew this series of six 30 minute lessons was going to be great. For example, did you know that "Sun Tzu" didn't write "The Art of War?" An anonymous author wrote the book in the 4th century BC, based on Sun Tzu's lessons from his time in the 6th century BC. Also, "The Art of War"...

Read More

Commander's Reading List

Last month a squadron commander asked me to recommend books for his commander's reading list. After some reflection I offer the following. I've divided the list into two sections: technical and nontechnical. My hope for the technical books is to share a little bit of technical insight with the commander's intended audience, while not overwhelming them. The plan for the nontechnical items is to share some perspective on history, policy, and contemporary...

Read More

Do Devs Care About Java (In)Security?

In September InformationWeek published an article titled Java Still Not Safe, Security Experts Say. From that article by Matthew J. Schwartz: Is Java 7 currently safe to use? Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass...

Read More

Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure!. From the five star review: I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following: "I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder. How hard is it to draw...

Read More

Washington National Guard: Model for Cyber Defense?

My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security. From the article: The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks. The aim is to bring to the digital world the kind of disaster response the National Guard already lends...

Read More

Inside Saudi Aramco with 60 Minutes

I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers. A recent Reuters article said the following: Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems...

Read More

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post. I recently watched Israeli Prime Minster Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure. However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes...

Read More

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members. I'm interested in two recent titles: Metasploit Penetration Testing Cookbook by Abhinav Singh Advanced...

Read More

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them. If you want to start a debate/argument/flamewar in security, pick any of the following. "Full disclosure" vs "responsible disclosure" vs whatever elseThreat intelligence sharingValue of security certificationsExploit...

Read More

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content: This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the...

Read More

To Be Hacked or Not To Be Hacked?

People often ask me how to tell if they might be victims of state-serving adversaries. As I've written before, I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile? A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements....

Read More

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages. You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items...

Read More

Over Time, Intruders Improvise, Adapt, Overcome

From TaoSecurityToday I read a well-meaning question on a mailing list asking for help with the following statement: "Unpatched systems represent the number one method of system compromise."This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment. I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity...

Read More

Does Anything Really "End" In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part: 15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory,...

Read More

Encryption Is Not the Answer to Security Problems

I just read Cyber Fail: Why can't the government keep hackers out? Because the public is afraid of letting it, an article in the new Foreign Policy National Security channel. I've Tweeted on Mr Arquilla's articles before, but this new one published today offers a solution to security problems that just won't work. Consider these excerpts: Back in President Bill Clinton's first term, the "clipper chip" concept was all about improving the security...

Read More

Bejtlich Interviewed on This Week in Defense News

Last week Vago Muradian from This Week in Defense News with Vago Muradian interviewed me for his show. You can see the online version here. The online version is about two minutes longer than the broadcast version. We recorded the extra material separately and the video staff added it in the middle of the session. They were so smooth I didn't originally notice the change! Vago asked questions about how companies can defend themselves from digital...

Read More

My Role in Information Warfare during the Yugoslav Wars

This morning I read a Tweet from @AirForceAssoc reminding me that: Today in Airpower History, August 30, 1995: NATO and U.S. aircraft began airstrikes on Serbian ground positions in Bosnia-Herzegovina to support the U.N. Operation Deliberate Force. The airstrikes, with a Bosnian-Croatian ground attack, convinced the Serbs to accept peace terms in late 1995. I'm not particularly fond of commemorating airpower campaigns, but the Tweet did remind me...

Read More

DOJ National Security Division Pursuing Cyber Espionage

I just read Justice Department trains prosecutors to combat cyber espionage by Sari Horowitz, writing for the Washington Post. The article makes several interesting points: Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials. The new training is part of a major overhaul following an...

Read More

Israeli Agents Steal Korean Tech for Chinese Customer

Thanks to the show Asia Biz Today I learned of an industrial espionage case involving South Korea, Israel, and China. In brief, agents of the South Korean branch of an Israeli company stole technology from two South Korean companies, and passed the loot to Chinese and Taiwanese companies. On June 27th the Yonhap news agency in South Korea reported the following: Key technologies to manufacture advanced flat-panel displays at Samsung Mobile Display...

Read More

Impressions: Three "Internals" Books for Security

As of last month I'm no longer reviewing technical books. However, I wanted to mention a few that I received during the last few months. All three have an "internals" focus with security implications, and all three are written by authors I've reviewed before. The first is The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition by Bill Blunden. I reviewed the first edition two years ago. I am not in a position...

Read More

Not Just Clowns, But Criminals

It turns out my April post Clowns Base Key Financial Rate on Feelings, Not Data was too generous. I cited an Economist story which outlined how LIBOR rates — and the returns on $360 trillion of financial contracts related to them, five times global GDP — are based on best guesses rather than hard data.I continue to cover this story because the financial industry routinely scoffs at the "risk management" practices of non-financials, as I wrote in...

Read More

How to Kill Teams Through "Stack Ranking"

The newest Vanity Fair offers an article titled Microsoft’s Downfall: Inside the Executive E-mails and Cannibalistic Culture That Felled a Tech Giant. It starts with the following: Analyzing one of American corporate history’s greatest mysteries — the lost decade of Microsoft — two-time George Polk Award winner (and V.F.’s newest contributing editor) Kurt Eichenwald traces the “astonishingly foolish management decisions” at the company that “could...

Read More

Thoughts on Lessons from Our Cyber Past: The First Cyber Cops

In May I was pleased to attend Lessons from Our Cyber Past: The First Cyber Cops hosted by Jay Healey at the Atlantic Council and featuring Steven R. Chabinsky, Shawn Henry, and Christopher M. Painter. The transcript as well as audio for the event are now online. All of the attendees made great points, and I wanted to highlight a few. Mr. Chabinsky: I think that we’re getting to this point where we really have to reflect upon what risk mitigation...

Read More