Friday, 30 October 2009

Bejtlich and Bradley on SANS Webcast Monday 2 Nov

Ken Bradley and I will conduct a Webcast for SANS on Monday 2 Nov at 1 pm EST. Check out the sign-up page. I've reproduced the introduction here. Every day, intruders find ways to compromise enterprise assets around the world. To counter these attackers, professional incident detectors apply a variety of host, network, and other mechanisms to identify intrusions and respond as quickly and efficiently as possible. In this Webcast, Richard Bejtlich,...

Wednesday, 28 October 2009

Partnerships and Procurement Are Not the Answer

The latest Federal Computer Week magazine features an article titled Cyber warfare: Sound the alarm or move ahead in stride? I'd like to highlight a few excerpts. Military leaders and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry... Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment...

Tuesday, 27 October 2009

Initial Thoughts on Cloud A6

I'm a little late to this issue, but let me start by saying I read Craig Balding's RSA Europe 2009 Presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief: In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer "Right To Audit" Clauses, where Chris wrote Cloud providers I have spoken to are being...

Wednesday is Last Day for Discounted SANS Registration

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate. I wrote the following to provide more information on the Summit and explain its purpose. All of us want to spend our limited information technology and...

Review of Hacking Exposed: Web 2.0 Posted

Amazon.com just posted my three star review of Hacking Exposed: Web 2.0 by Rich Cannings, Himanshu Dwivedi, Zane Lackey, et al. From the review: I have to agree with the other 3-star reviews of Hacking Exposed: Web 2.0 (HEW2). This book just does not stand up to the competition, such as The Web Application Hacker's Handbook (TWAHH) or Web Security Testing Cookbook (WSTC). I knew this book was in trouble when I was already reading snippets mentioning...

Review of Web Security Testing Cookbook Posted

Amazon.com just posted my five star review of Web Security Testing Cookbook by Paco Hope and Ben Walther. From the review: I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for...

Review of SQL Injection Attacks and Defense Posted

Amazon.com just posted my five star review of SQL Injection Attacks and Defense by Justin Clarke, et al. From the review: I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security....

Review of The Web Application Hacker's Handbook Posted

Amazon.com just posted my five star review of The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. From the review: The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read for those even without Web development...

Thursday, 22 October 2009

"Protect the Data" from the Evil Maid

I recently posted "Protect the Data" from Whom?. I wrote: [P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat. Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker? Her post describes how she and...

Report on Chinese Government Sponsored Cyber Activities

Today's Wall Street Journal features the following story: China Expands Cyberspying in U.S., Report Says by Siobhan Gorman. I've reprinted an excerpt below and highlighted interesting aspects. I can vouch for the quality of the Northrop Grumman team that wrote this report and for their experience in this arena. Congressional Advisory Panel in Washington Cites Apparent Campaign by Beijing to Steal Information From American Firms. WASHINGTON -- The Chinese...

Wednesday, 21 October 2009

DojoCon to Stream Talks Live

As I mentioned last month I will be speaking at DojoCon, on Saturday 7 November at Capitol College in Laurel, MD. Organizer Marcus Carey asked me to share the following: DojoCon will Stream Live all of the talks on the Internet for free as they happen. I believe this is the first time a group of speakers of this caliber will be available to the information security community for free. We are also offering real-life attendees the full conference for $150...

Bejtlich Teaching at Black Hat DC 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration. Super Early ends 15 Nov; Early ends 1 Dec; Regular ends 15 Jan; Late ends 30 Jan; Onsite starts at the...

Tuesday, 13 October 2009

"Protect the Data" -- What Data?

This is another follow-on from my "Protect the Data" Idiot! post. If you think about the "protect the data" mindset, it's clearly a response to the sorts of data loss events that involve "records" -- credit card records, Personally Identifiable Information (PII), and the like. In fact, there's an entire "product line" built around this problem: data loss prevention. I wrote about DLP earlier this year in response to the rebranding effort taken...

Sunday, 11 October 2009

"Protect the Data" Where?

I forgot to mention another thought in my last post "Protect the Data" from Whom? Intruders are not mindlessly attacking systems to access data. Intruders direct their efforts toward the sources that are easiest and cheapest to exploit. This produces an interesting corollary. Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user. For example, if a...

"Protect the Data" from Whom?

This is a follow-on from my "Protect the Data" Idiot! post. Another question to consider when someone says "protect the data" is this: "from whom?" The answer makes all the difference. I remember a conversation I overheard or read involving Marcus Ranum and a private citizen discussing threats from nation-state actors. Questioner: How do you protect yourself from nation-state actors? MJR: You don't. Q: What do you do then? MJR: You lose. In other words,...

Saturday, 10 October 2009

"Protect the Data" Idiot!

The 28 September 2009 issue of InformationWeek cited a comment posted to one of their forums. I'd like to cite an excerpt from that comment. [W]e tend to forget the data is the most critical asset. Yet we spend inordinate time and resources trying to protect the infrastructure, the perimeter... the servers etc. I believe and [sic] information-centric security approach of protecting the data itself is the only logical approach to keep it secure at...

Friday, 09 October 2009

NSM in Products

A blog reader recently asked: I've been tasked with reevaluating our current NSM / SIEM implementation, and I see that you posted about a NetFlow book you are tech editing for Lucas. My question is this: Outside of Sguil, what do you prefer/recommend in the way of NSM products/solutions? Our current NSM uses a modified version of NetFlow and our Networking team also uses Cisco NetFlow elsewhere... While I find it useful to collect header data, the current...

Wednesday, 07 October 2009

Technical Visibility Levels

It's no secret that I think technical visibility is the key to trustworthy technology. Via Twitter I wrote The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset. This topic has consumed me recently as relatively closed but IP-enabled systems proliferate. This ranges from handheld computers (iPhone, Blackberry, etc.) all the way to systems hosted in the cloud. How...

Hakin9 5/2009 Issue

I just received a review copy of the 5/2009 issue of Hakin9 magazine. Several articles look interesting, such as Windows Timeline Analysis by Harlan Carvey, The Underworld of CVV Dumping by Julian Evans, and a few others on malware analysis and ASLR. Check it o...

Incident Handler, Incident Analyst, Threat Analyst, and Developer Positions in GE-CIRT

My team just opened five more positions. These candidates will report to me in GE-CIRT: Information Security Incident Handler (1093498); Information Security Incident Analyst (two openings, 1093494); Cyber Threat Analyst (1093497); Information Security Software Developer (1093499). These candidates will sit in our new Advanced Manufacturing & Software Technology Center in Van Buren Township, Michigan. We don't have any flexibility regarding the location...

Friday, 02 October 2009

Traffic Talk 7 Posted

I just noticed that my 7th edition of Traffic Talk, titled How to deploy NetFlow v5 and v9 probes and analyzers, was posted on 28 September. I submitted it back in mid-August but it's on the Web now. On a related note, I am tech editing a forthcoming book on NetFlow by Michael Lucas titled Network Flow Analysis. Michael is probably my favorite technical author, so keep an eye open for his book in May 20...