Saturday, 23 February 2008

Microsoft Protocols Programs

Thanks to Robert Graham for pointing me to the fact that Microsoft has started a Protocols Program. This project includes thousands of pages of documentation (in .pdf format, w00t) divided into categories like Microsoft Communications Protocol Program (MCPP, for "server software that interoperates with Windows desktop operating systems") and Microsoft [Work Group] Server Protocol Program (WSPP, for "server software that interoperates with Microsoft...

Friday, 15 February 2008

First They Came for Bandwidth...

One of the problems with being a defender is a tendency towards a lack of imagination. As I've maintained for years, sophisticated intruders are unpredictable -- so much so that I call them intrupreneurs. Most defense is reactive (filling holes in the highway instead of deploying flying cars), with Attacker 3.0 outgunning Security 1.0. This came to mind when I read Ukrainian Hacker Makes a Killing in Stock Market Fraud by Kim Zetter. She writes: The...

Three Capabilities, Three Companies

Recently I've been working to augment my team's detection and response capabilities. I've identified three functions for which I've turned to the commercial software community for assistance. I'd like to highlight three capabilities and three companies which may be able to meet my requirements. First, I need high-end network forensics. I plan to use my open source tools to do a good deal of collection and some analysis, but in certain cases I need...

Thursday, 14 February 2008

Snort Report 13 Posted

My 13th Snort Report, titled How to use shared object rules in Snort, is posted. From the start of the article: Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. However, for the most part, organizations have continued to rely upon traditional Snort rules. This may be about to change, in light of a recent...

Tuesday, 12 February 2008

Review of The Dark Visitor

In this post I review The Dark Visitor (TDV) by Scott J. Henderson, owner of the blog of the same name -- The Dark Visitor. Scott generously sent me a copy of his book after I found his blog and learned what the book discussed. The term "dark visitor" is Henderson's translation of the Chinese characters for "hacker". TDV is a fascinating book, and if I could have reviewed it at Amazon.com I would have rated it 4 out of 5 stars. TDV is the only...

ShmooCon Ticket on eBay

I've had a change of plans and won't be able to attend ShmooCon this weekend, so I just listed my ShmooCon ticket on eBay. If you have any questions please contact ...

Monday, 11 February 2008

Review of Router Security Strategies Posted

Amazon.com just posted my four star review of Router Security Strategies: Securing IP Network Traffic Planes by Gregg Schudel and David J. Smith. From the review: Router Security Strategies (RSS) is the sort of Cisco security book I like to read. Some of you were surprised by my three star review of another recent Cisco security book -- LAN Switch Security (LSS). I suggest the authors of that book take a look at RSS as a model for writing a second...

Wired on Air Force Cyber Command

Kudos to Marty Graham of Wired for writing Welcome to Cyberwar Country, USA. This is original reporting on the Air Force Cyber Command, focusing on the question of where to formally house the command. I personally hope it is located near Washington, DC. Given that the JTF-GNO and NSA are nearby, it would make sense for the Air Force to be physically close to coordinate work and draw on local tale...

Friday, 08 February 2008

Reminder: Last Day for Web Registration for Bejtlich's Black Hat DC 2008 Training

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled TCP/IP Weapons School training class in 2008. The cost for this single two-day class is now $2400, and online registration is supposed to close today. Register while seats are still available -- both of...

Wednesday, 06 February 2008

NSM at the Endpoint

For many years I've advocated Network Security Monitoring (NSM) as a powerful way to improve digital situational awareness in an independent, self-reliant, and cost-effective manner. NSM relies on watching network traffic to identify suspicious and malicious activity, which prompts incident response and remediation activities. An underlying assumption is that the asset of interest is using a network you own and have adequately instrumented. What...

Monday, 04 February 2008

Review of Beginning Perl, 2nd Ed Posted

Amazon.com just posted my five star review of Beginning Perl, 2nd Ed by James Lee. From the review: I read Beginning Perl, 2nd Ed (BP2E) to gain some familiarity with Perl 5. I do not plan to really write anything in Perl, but I find myself using other people's code quite a bit! In those situations I would like to know how the code works. I also enjoy being able to make small changes if the code does not work as expected. Perl is basically everywhere,...