Saturday, 30 December 2006

Favorite Books I Read and Reviewed in 2006

2006 was my most productive reading and reviewing year yet. I read and reviewed 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005. This year I read and reviewed 52 books. I was determined to make as big a dent as possible in the huge stack of books sent to me by publishers and blog readers, and I made a lot of progress. My ratings yielded the following:

1 star: 0 books
2 stars: 1 book
3 stars: 9 books
4 stars: 29 books
5 stars:...

Friday, 29 December 2006

Prereview: Inside the Machine

Thank you to Patricia at No Starch for sending me two copies of Jon Stokes' Inside the Machine. I was drawn to this book by an Amazon.com review which said this: "This book is an introduction to computers that fills the gap between classic and challenging books like Hennesy and Patterson's, and the large number of 'How Your Computer Works' books that are too basic for engineers." I like the fact the book covers a variety of microprocessor types. Comparison is a great teaching method. I didn't know who Jon Stokes was, but you can follow that link...

I've Been Blog-Tagged

It would be nice if the Tag in this situation were a watch, but it turns out Martin McKeay has blog-tagged me. I'm supposed to mention five items you probably don't know about me, and then name five of my fellow bloggers. Here goes. I'm a 1994 graduate of the US Air Force Academy. I graduated third of 1024 cadets, with degrees in history and political science, and minors in French and German. However, my whole life I wanted to attend my backyard school, the Massachusetts Institute of Technology (MIT). I was accepted to USAFA first, and when...

Snort Report 1 Posted

SearchSecurityChannel.com (SSC) has posted my first Snort Report. This is a new monthly series I'm writing for SSC that is starting at ground zero with Snort and working towards greater levels of complexity. I thought it would be helpful to begin by explaining how to install Snort in a manner that allows easy testing of new versions while running older versions. I also discuss the modes Snort supports. Next month I describe the snort.conf file...

Lessons from Analog Security

As a security person I try to take notice of security measures in non-digital settings. These are a few I noticed this week. When visiting a jewelry store, I saw a sign say the following: "Our insurance policy does not permit us to remove more than one item at a time from this display case." This sign was attached to a case containing the store's most valuable jewelry. This is an example of limiting exposure by restricting access to one asset at a time. In a more generic sense, the digital version might involve following guidelines applied by...

Thursday, 28 December 2006

Pervasive Network Awareness via Interop SpyNet

In my 2005 book Extrusion Detection (p. 27) I defined the term pervasive network awareness (PNA): "A truly defensible network permits security administrators to achieve pervasive network awareness. Pervasive network awareness is the ability to collect the network-based information -- from the viewpoint of any node on the network -- required to make decisions." Today while perusing Webcasts at Gigamon University, I listened to a Gigamon presentation...

FreeBSD Developments

I wanted to quickly highlight two FreeBSD developments. First, FreeBSD 6.2 RC2 is available. Assuming nothing serious happens, expect FreeBSD 6.2 RELEASE in about two weeks. This post explains the various .iso images. This post explains real weaknesses in the FreeBSD installation documentation, from the standpoint of a person not familiar with FreeBSD. Second, Dru Lavigne explained how the new modular X.org works: "xorg 7.x is modular. In practical...

Wednesday, 27 December 2006

Solera DataEcho

I came across this press release from Solera Networks on their open source DataEcho application. DataEcho is a Windows program that captures live traffic or reads traces in Libpcap format. It's best used for interpreting Web traffic, as shown in this screen capture of a visit to www.bejtlich.net recorded in Wireshark and fed to DataEcho. My Web site doesn't render that well because it uses CSS, but you can see how DataEcho breaks down the Web traffic....

How Many Spies?

This is a follow-up to Incorrect Insider Threat Perceptions. I think security managers are worrying too much about insider threats compared to outsider threats. Let's assume, however, that I wanted to spend some time on the insider threat problem. How would I handle it? First, I would not seek vulnerability-centric solutions. I would not even really seek technological solutions. Instead, I would focus on the threats themselves. Insider threats are humans. They are parties with the capability and intention to exploit a vulnerability in an...

Incorrect Insider Threat Perceptions

Search my blog for "insider threat" and you'll find plenty of previous posts. I wanted to include this post in my earlier holiday reading article, but I figured it was important enough to stand alone. I'm donning my flameproof suit for this one. The cover story for the December 2006 Information Security magazine, Protect What's Precious by Marcia Savage, clued me into what's wrong with security management and their perceptions. This is how the...

Holiday Reading Round-up

During some holiday downtime I managed to catch up on some reading. Recently I mentioned the ISO/IEC 27001 standard. The November 2006 ISSA Journal featured an article by Taiye Lambo of eFortresses, an ISO/IEC 27001 consultancy. From what I read it seems ISO/IEC 27001 is a good option for organizations leaning towards related ISO standards like 9000. After posting NAC Is Fighting the Last War, I read another ISSA Journal article titled Beyond NAC: The value of post-admission control in LAN security by Jeff Prince of ConSentry. Jeff uses the...

Starting Out in Digital Security

Today I received an email which said in part: "I'm brand new to the IT Security world, and I figure you'd be a great person to get career advice from. I'm 30 and in the process of making a career change from executive recruiting to IT Security. I'm enrolled in DeVry's CIS program, and my emphasis will be in either Computer Forensics or Information Systems Security. My question is, knowing that even entry-level IT jobs require some kind of IT experience, how does someone such as myself, who has no prior experience, break into this exciting industry?"...

Monday, 25 December 2006

Christmas Wish: VMware FreeBSD Host Support

I noticed this BSD News story mentioned a long-running VMTN thread showing requests for FreeBSD to be supported as a VMware host OS. This means you could run VMware on FreeBSD, instead of Windows, Linux, or (soon) Mac OS X. If you share this interest, please post to the VMTN thread and let your desire be known. Thank y...

Friday, 22 December 2006

Application Security Monitoring

I found the following quote by Microsoft's Ray Ozzie, in The Web 2.0 World According to Ozzie, to be fascinating: "In terms of managing trust boundaries, one of the huge challenges that enterprises are going to have is...managing trust between components of composite applications..." "We believe there should be significant auditing within service components—such that when you do expose a partner to certain enterprise data...you have a complete record of the kinds of things that their app did." (emphasis added) I think Mr. Ozzie is advocating application...

TIME on Risk

TIME magazine's cover story a few weeks ago was Why We Worry About The Things We Shouldn't... ...And Ignore The Things We Should. There's no direct relationship to digital security, but I found it interesting to read about risk perceptions in the analog wor...

Wireshark Substitute Encourages Defensible Software

Thanks to nikns in #snort-gui for pointing me towards this 23rd Chaos Communication Congress talk on an alternative to Wireshark created by Andreas Bogk and Hannes Mehnert. This blog post explains the rationale behind this new tool, which is still in its infancy and nowhere near as feature-complete as Wireshark. Two implementations exist. Here is a screenshot of GUI-sniffer. Here is a screenshot of Network Night Vision. These applications are written in the...

Zone-H Explains Defacement

Web site defacement mirror Zone-H posted a revealing report on the recent defacement of their own site. The intrusion resulted from a combination of human and technical failures. The moral of the story is that anyone can be compromised, because the attacker has the initiative. The attacker is usually more motivated and has more time and resources than the defender. In a world where anyone can be compromised, there is no excuse for not monitoring and preparing for incident response. Every digital resource is a future victim. The "solution" to...

Thursday, 21 December 2006

NAC Is Fighting the Last War

My post on the IETF Network Endpoint Assessment Working Group elicited a comment that suggested I expand on my thoughts, namely that Cisco Network Admission Control (NAC) / Microsoft Network Access Protection (NAP) / Trusted Network Connect (TNC) "are all fighting the last war." Let's see what the comment poster's own company has to say about NAC. (Please note that although I use NAC in the text that follows [as used by my sources], I could just as easily say NAP or TNC or NEA. I only single out Cisco because they are investing so much effort...

Smart Cards Everywhere?

One of my clients wants to know if it's possible to implement something like the DoD Common Access Card (CAC, not "CAC card") in a commercial setting. In other words, you use a single card for building access, PC access, etc. Is anyone using something like that in their organizati...

Thoughts on SAS 70 and Other Standards

I'm not an auditor or CPA, thank goodness. The first time I heard of SAS 70 (Statement on Auditing Standards No. 70, Service Organizations) happened when I visited Symantec in October. Last week, however, one of my clients asked what I knew about SAS 70. I knew Symantec used its SAS 70 results as a way to avoid having every Symantec managed security service client perform its own audit of Symantec. My client wanted to know if his company might also benefit from getting a SAS 70 audit. I found an exceptionally helpful CSO Online article by Michael...

Wednesday, 20 December 2006

Port-based Alerts Are a Bad Idea

For my 1700th post (as reported by the new Blogger infrastructure) I thought I would report on an issue I'm looking at in Sguil right now. I have 1586 alerts like the following aggregated in my Sguil console. This is the text representation.

Count:1 Event#1.130182 2006-12-15 15:57:32
DOS MSDTC attempt
a.b.c.d -> e.f.g.h
IPVer=4 hlen=5 tos=0 dlen=1388 ID=16858 flags=0 offset=0 ttl=55 chksum=38030
Protocol: 6 sport=10000 -> dport=3372
Seq=3640110148 Ack=536397245 Off=5 Res=0 Flags=***A**** Win=65535 urp=15810 chksum=0
Payload:35...

Switched to New Blogger

I switched today to the new Blogger infrastructure. A few of my students from USENIX LISA were Google employees. They encouraged me to switch. I did try to do so last week, but I received an error saying my blog had too many postings (or something to that effect). Today, however, I was able to move all my blogs to the new system. Let me know if you see any problems. Thank y...

December 2006 (IN)SECURE Magazine

The December 2006 (.pdf) issue of (IN)SECURE Magazine is available. Interesting articles include Web 2.0 Defense with AJAX Fingerprinting and Filtering by Shreeraj Shah, and another "virtual trust" article by Ken Belva and Sam DeK...

IETF Network Endpoint Assessment Working Group

Dark Reading posted an article on the new Network Endpoint Assessment (nea) IETF working group. The description says, in part: "Network Endpoint Assessment (NEA) architectures have been implemented in the industry to assess the 'posture' of endpoint devices for the purposes of monitoring compliance to an organization's posture policy and optionally restricting access until the endpoint has been updated to satisfy the posture requirements. An endpoint that does not comply with posture policy may be vulnerable to a number of known threats that may...

Tuesday, 19 December 2006

Thoughts on Check Point Acquisition of NFR

Earlier this year I covered Check Point's attempt to purchase Sourcefire. Well, Check Point bought another vendor -- NFR -- for $20 million. Talk about market valuation; Sourcefire's sale price was $225 million. NFR is also down to 22 employees, according to the press release. Although the FAQ says "Check Point intends to continue to sell, support, and develop an independent NFR Security product line," I doubt that will last. It doesn't make sense to buy the technology but not integrate it into Check Point's firewalls, and then discard the separate...

Saturday, 16 December 2006

Two Prereviews

Two publishers were kind enough to send new books last week. I plan to read and review both early next year. The first is McGraw-Hill/Osborne's Hacking Exposed: VoIP by David Endler and Mark Collier. The best Hacking Exposed books introduce a new technology, then demonstrate ways to break it that a reader can duplicate. I like seeing new HE books on specific issues, rather than having everything rolled into a single book. The second is Syngress' Wireshark & Ethereal Network Protocol Analyzer Toolkit by Angela Orebaugh and friends. This...

Duronio Postscript: 97 Months

In June and July this year I devoted several posts to covering the Duronio intrusion where my friend Keith Jones served as prosecution expert witness. Keith called this week to tell me Roger Duronio was sentenced to 8 years and one month jail time for his crimes. Great work Kei...

Pointer to Snort 3.0 Briefing Summary

Saad Kadhi kindly pointed me to this blog post which summarizes a talk given by Marty Roesch. Saad describes Marty's plans for Snort 3.0, and I recommend taking a lo...

Saturday, 09 December 2006

Matasano Is Right About Agents

I've been exceptionally busy teaching all week at USENIX LISA, so blogging has been pushed aside. However, I literally read the Matasano Blog first, of all the Bloglines feeds I watch. This evening I read their great post Matasano Security Recommendation #001: Avoid Agents. They really mean "Minimize Agents," as noted in their summary:

Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by:
1. Minimizing the number of machines that run agent software.
2. Minimizing the number of different agents supported...

Tuesday, 05 December 2006

Bejtlich Book Signing Thursday 1230 in DC

I will attend a book signing event at USENIX LISA 06 at the Wardman Park Marriott Hotel in Washington DC from 1230-1330 on Thursday 7 December. Representatives from Reiters will be selling books there as part of the conference expo from 1000-1400 on Thursday. Please stop by to say hello if you'd like a book signed. I'll return to LISA on Friday to teach Network Security Monitoring with Open Source Tools. You can still sign up onsite if you'd...

TCP/IP Weapons School Part 1 Wrap-Up

I'd like to address a few issues that arose during class Sunday and Monday. First, someone asked about interoperability between the various Ethernet frame types. Page 75 of the excellent Troubleshooting Campus Networks states: "Two stations cannot communicate unless they share a common frame format, which is sometimes beneficial. For example, if you have two networks on a physical medium that you wish to keep separate for security reasons, you can...

Saturday, 02 December 2006

Two Prereviews

Two publishers were kind enough to send new books last week. I plan to read and review both early next year. The first is Apress' Beginning C, 4th Ed by Ivor Horton. What, learn C? I don't expect or plan to become any C wizard by reading this and a few other books. Rather, I'd like to be able to understand code I come across, or perhaps make small modifications to otherwise useful programs. Any original programming I plan for 2007, I expect to use Python. Second is Syngress' FISMA Certification & Accreditation Handbook by Laura Taylor....

Notes for TCP/IP Weapons School Part 1 Students

This note is intended for students in days one and two of TCP/IP Weapons School on 3-4 December 2006 at USENIX LISA in Washington, DC. These are the tools that will be discussed. Remember, this is a class on TCP/IP -- tools are not the primary focus. However, I needed something to generate interesting traffic.

Nemesis
Arping
Arpdig
Arpwatch
Arp-sk
Dsniff suite
Ettercap
Yersinia
Fragroute
Sing
Gnetcat
Packit
Gont attacks
ICMPshell

The traces we will analyze are available at www.taosecurity.com/taosecurity_tws_v1_traces.zip. You will need to have Ethereal, Wireshark,...

Thursday, 30 November 2006

Thoughts on Vista

To mark the launch of Microsoft Windows Vista, CSO Online asked me to write this article. The editor titled it "Security In Microsoft Vista? It Could Happen." I think I took a balanced approach. Let me know what you think. I was pleased to see my FreeBSD reference survived the editor's revi...

Tuesday, 28 November 2006

FreeBSD 7.0 Snapshot with SCTP

I've been busy playing with various protocols in preparation for TCP/IP Weapons School in about two weeks. Recently I saw this post by Randall Stewart indicating that Stream Control Transmission Protocol (SCTP) had been added to FreeBSD CURRENT. I poked around in src/sys/netinet/ and found various SCTP files dated 3 Nov 06. Rather than update a FreeBSD 6.x system to 7.0, I decided to look for the latest FreeBSD snapshot. Sure enough, I found...

Friday, 24 November 2006

Digital Security Lessons from Ice Hockey

I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates...