Thursday, 30 November 2006

Thoughts on Vista

To mark the launch of Microsoft Windows Vista, CSO Online asked me to write this article. The editor titled it "Security In Microsoft Vista? It Could Happen." I think I took a balanced approach. Let me know what you think. I was pleased to see my FreeBSD reference survived the editor's revi...

Tuesday, 28 November 2006

FreeBSD 7.0 Snapshot with SCTP

I've been busy playing with various protocols in preparation for TCP/IP Weapons School in about two weeks. Recently I saw this post by Randall Stewart indicating that Stream Control Transmission Protocol (SCTP) had been added to FreeBSD CURRENT. I poked around in src/sys/netinet/ and found various SCTP files dated 3 Nov 06. Rather than update a FreeBSD 6.x system to 7.0, I decided to look for the latest FreeBSD snapshot. Sure enough, I found...

Friday, 24 November 2006

Digital Security Lessons from Ice Hockey

I'm struck by the amount of attention we seem to be paying to discovering vulnerabilities and writing exploits. I call this "offensive" work, in the sense that the fruits of such labor can be used to attack and compromise targets. This work can be justified as a defensive activity if we accept the full disclosure argument that truly bad guys already know about these and similar vulnerabilities, or that so-called responsible disclosure motivates...

Another Prereview

Recently I posted thoughts on a few security books on my shelf. Today I received an absolutely gigantic new book called The Art of Software Security Assessment: Identifying and Avoiding Software Vulnerabilities by Mark Dowd, John McDonald, and Justin Schuh. This is a 1200-page book on discovering vulnerabilities in all sorts of software. I plan to read it along with similar books over the next month or so. Books on how to break software in order...

Wednesday, 22 November 2006

Three Seven-Book Lists for Novice, Intermediate, Advanced Readers

I continue to receive feedback and questions on my No Shortcuts post. One of you prompted me to write three new Amazon.com Lists, organized thus:

Digital Security Boot Camp
Digital Security War College
Digital Security Postgraduate School

For the civilians out there, that's novice, intermediate, and advanced. :) I listed seven books for each category to keep things manageable. One of the problems I encountered with the advanced list, especially, is that coding becomes a big part of the equation when one starts to consider...

Pre-reviews and Comments

Several publishers have sent me new books recently, and I have one comment to make about an older book. I'll start with books that look good, but which I don't plan to read. The first is Linux Administration Handbook, 2nd Ed by Evi Nemeth, Garth Snyder, Trent R. Hein. There's no doubt this is a great general-purpose system administration book for Linux. I gave the 3rd edition of the Unix version three stars almost five years ago (and I'm hoping this 4th edition comes to fruition). The Linux book describes Red Hat Enterprise, Fedora Core, SuSE,...

Tuesday, 21 November 2006

No Shortcuts to Security Knowledge

Today I received a curious email. At first I thought it was spam, since the subject line was "RE: Help!", and I don't send emails with that subject line. Here is an excerpt:

I cannot afford nor have the time to take a full college course on the topic of network security but I would like to be as knowledgeable about it as yourself and be able to protect my computer and others regarding this matter. If I was willing to pay you would you take the time to teach me what you know and/or point me in the direction I would need to learn what you know about...

Monday, 20 November 2006

Security, A Human Problem

I don't play Second Life or any video games these days. If I had the time I would play Civ IV. Nevertheless, virtual worlds like SL are becoming increasingly interesting, as demonstrated by today's attack of the killer rings (pictured at left), also known as a "grey goo" attack. This comment in the accompanying Slashdot post explains that it's possible for a rogue user to exploit vulnerabilities in Second Life and introduce code that performs a...

Friday, 17 November 2006

Further Thoughts on SANS Top 20

It seems my earlier post Comments on SANS Top 20 struck a few nerves, e.g. this one and others.

One comment I'm hearing is that the latest Top 20 isn't "just opinion." Let's blast that idea out of the water. Sorry if my "cranky hat" is on and I sound like Marcus Ranum today, but Marcus would probably agree with me.

First, I had no idea the latest "Top 20" was going to be called the "SANS Top-20 Internet Security Attack Targets" until I saw it posted on the Web. If that isn't a sign that the entire process was arbitrary, I don't know what is. ...

Thursday, 16 November 2006

Another Reason for Privileged User Monitoring

No sooner did I write about a CEO gone bad do I read this: Ex-IT Chief Busted for Hacking:

Stevan Hoffacker, formerly director of IT and VP of technology for Source Media, was arrested at his home yesterday on charges of breaking into the email system that he once managed. According to the FBI and the U.S. Attorney for the Southern District of New York, Hoffacker hacked into his former company's messaging server, eavesdropped on top executives' emails about employees' job status, and then warned the employees that they were about to lose their positions.

I...

Bejtlich on Tenable Webinar Friday 10 AM EST

In less than 12 hours I will be speaking on the next Tenable Webinar. Please register here. Ron Gula wrote the foreword for my book and he always has something interesting to say about digital security. I expect he will have some good questions for ...

Bejtlich Amazon Book Review RSS Feed

This is a brief note to let you know that Amazon.com is now publishing an RSS feed of my book reviews. I'm not sure exactly how new this is, but I've been looking for it. I have a stack of books about exploit development and security tools that I hope to review as a group before the end of the year. I'm currently at 52 books reviewed for the year, and adding those 7 would make 59. I have several books on miscellaneous topics waiting as well, so we might see 60 reviews or more by year's end.

Now it would be cool to see Amazon.com publish RSS...

Common Security Mistakes

I received an email asking me to name common enterprise security mistakes and how to avoid them. If I'm going to provide free advice via email, I'd rather just post my thoughts here. This is my answer:

Failure to maintain a complete physical asset inventory
Failure to maintain a complete logical connectivity and data flow diagram
Failure to maintain a complete digital asset/intellectual property inventory
Failure to maintain digital situational awareness
Failure to prepare for incidents

The first three items revolve around knowing your environment....

Wednesday, 15 November 2006

Five Blog Posts You Should Read

I found the following five posts to be very interesting. You might too:

Playing for Keeps Across the Board
Andre Durand -- Firewall This
Information Security Must Evolve
Data Protection -- It's More Than A + B + C
Team Evil: Incident 2

The first four are more conceptual, dealing with the need to collapse security measures around data instead of hosts. The fifth is a report of an incident with some decent detai...

Comments on SANS Top 20

You may have seen that the latest SANS Top 20 was released yesterday. You may also notice I am listed as one of several dozen "experts" (cough) who "helped create" the list. Based on last year's list, I thought I might join the development process for the latest Top 20. Maybe instead of complaining once the list was published, I could try to influence the process from inside?

First let me say that project lead Rohit Dhamankar did a good job considering the nature of the task. He even made a last-minute effort to solicit my feedback, and some...

Friday, 10 November 2006

SCTP and OpenBSM in FreeBSD

Here are two quick notes on my favorite operating system. First, support for Stream Control Transmission Protocol (SCTP) has been added to FreeBSD CURRENT (i.e., 7.x). SCTP is a layer 4 alternative to TCP or UDP. I saw it mentioned in the final issue of Cisco's Packet magazine, in the context of NetFlow, specifically the new Flexible NetFlow. When I get a chance to test this it will probably be using this technology.

Second, Federico Biancuzzi...

Thursday, 09 November 2006

Gvinum on FreeBSD

Two years ago I documented how I used Vinum on FreeBSD. Since then Vinum has been replaced by Gvinum, although it's not always clear when you should use either term. The Handbook documentation isn't easy to understand, either. Luckily I combined my old notes with this helpful tutorial to accomplish my goal.

I wanted to take two separate partitions, /nsm1 on one disk and /nsm2 on a second disk, and make them look like a single /nsm partition. I...

Tuesday, 07 November 2006

ISSA NoVA Meeting Next Thursday

The next ISSA NoVA meeting will take place 1730 Thursday 16 Nov 06 at Oracle Corp in Reston, VA. Marcus Sachs will be the guest speaker. Please RSVP as soon as possible. Unfortunately a new NoVA Snort Users Group decided to ignore this meeting of 100+ security practitioners by scheduling their first meeting at exactly the same time. Hopefully future NoVA SUG meetings will take a look at their surroundings before scheduling future events or at least respond to posts about their gro...

Who Needs CISSP for Ethics?

Last year I discussed the value of the CISSP with respect to its code of ethics. Today while renewing my ISSA membership, I was presented with the following: The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its...

Registration Deadlines for TaoSecurity Training

This is a reminder for those interested in attending one or more of the training classes I'm conducting in December. These will be the last public classes for several months. I have consulting and private classes occupying my time in Q107, although I'll have some public work in Q207.

For Enterprise Network Instrumentation at SANS CDI East 2006 on 14-15 Dec 06 in Washington, DC, the discounted registration ends tomorrow, 8 Nov 06.

For Network Security Monitoring with Open Source Tools at USENIX LISA 2006, on 8 Dec 06, discounted registration ends...

Bejtlich Cited in Sourcefire IPO Story

Bill Brenner published this quote in his story Sourcefire IPO could fuel Snort, users say:

The infrastructure to support Snort isn't cheap and Sourcefire isn't flush with cash, said Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security. "The money to keep Snort thriving has to come from somewhere, and an IPO could give Snort more legs," he said.

I based this thought on the following from Sourcefire's S-1, listed under Risks Related to Our Business:

We have incurred operating losses each year since our inception in 2001....

When Laws Aren't Enough

CIO Magazine published The Global State of Information Security 2006. The story contained what I consider to be some fairly disappointing results.

Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations, such...

Sunday, 05 November 2006

Review of Hack the Stack

Amazon.com just posted my three star review of Hack the Stack by Michael Gregg, et al. From the review:

I teach a course called "TCP/IP Weapons School" that involves walking students up the OSI model. We look at network traces generated by tools and techniques to defeat security measures. When I saw "Hack the Stack" (HTS) I thought it might make a good resource for my class, since HTS seemed to advocate a similar approach. Unfortunately, technical...

Friday, 03 November 2006

Real Insider Threats

Just the other day I read the following in Cliff Berg's book High-Assurance Design:

Roles should be narrowly defined so that a single role does not have permission for many different functions, at least not without secure traceability. The CTO of a Fortune 100 financial services company once bragged to me over dinner that if he wanted to, he had the ability to secretly divert a billion dollars from his firm, erase all traces of his actions, and disappear...

Thursday, 02 November 2006

Air Force Cyberspace Command

According to Air Force Link, 8th Air Force will become the new Air Force Cyberspace Command. This appears to be the next step following the creation of an Air Force Network Operations Command structure in August. That came on the heels of the Air Force Information Warfare Center being redesignated as the Air Force Information Operations Center. That was a result of the Air Force Tactical Fighter Weapons Center being redesignated as the Air Force Warfare Center. In a related move, the former 67th Information Operations Wing is now the 67th Network...

Reviews of Six Software Security Books

Amazon.com just posted my six new reviews on books about software security. The first is Software Security by Gary McGraw. This was my favorite of the six because it was the most logically organized. Here is a link to the five star review.

The second is Security Development Lifecycle by Microsoft's Michael Howard and Steve Lipner. I thought it was neat to read about Microsoft's software development practices with respect to security. Just...