September 3rd, 2010
I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely "Defense official discloses cyberattack" and "Pentagon considers preemptive strikes as part of cyber-defense strategy," both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references. Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that...
September 2nd, 2010
Amazon.com just posted my five star review of Hacking Exposed: Wireless, 2nd Ed by Johnny Cache, Joshua Wright and Vincent Liu. From the review: I reviewed the first edition of Hacking Exposed: Wireless (HEW) in May 2007, and offered four stars. Three years later I can confidently say that Hacking Exposed: Wireless, 2nd Ed (HEW2) is a solid five star book. After reading my 2007 review, I believe the authors took my suggestions seriously, ...
August 29th, 2010
GE continues to hire security professionals to help reduce IT risk at our company. I should be posting additional jobs for my team (GE-CIRT) next month, but right now my boss (our CISO) asked me to help find a Business Response Team (BRT) Leader for our Corporate entity. Visit www.ge.com/careers and search for job 1251700 to find the role. From the summary: The Business Response Team (BRT) Leader is responsible for working with business peers...
August 24th, 2010
Amazon.com just posted my four star review of Least Privilege Security for Windows 7, Vista and XP by Russell Smith. From the review: Russell Smith's Least Privilege Security for Windows 7, Vista, and XP (LPS) is a helpful contribution to the toolbox of many enterprise system administrators. Numerous organizations are finally realizing that the Internet is too hostile an environment to let normal users function with elevated privileges...
August 23rd, 2010
The teaser page for Black Hat Abu Dhabi 2010 is now live, and I am pleased to announce that I will teach TCP/IP Weapons School 2.0 there on 8-9 November. Preregistration appears to be available. This will truly be the last edition of TWS version 2.0. I have been in contact with experts from the United Arab Emirates Computer Emergency Response Team (aeCERT) and I hope to have students from the region participate in my class. For those interested... 
August 22nd, 2010
Amazon.com just published my five star review of IT Security Metrics by Lance Hayden. From the review: I was not sure what to expect as I started reading IT Security Metrics (ISM). I had just discarded another new book, published in July 2010, supposedly about security metrics but really about nothing useful to anyone anchored in the operational IT world. Would ISM be another disappointment? Since Andrew Jaquith published Security Metrics...
August 22nd, 2010
Amazon.com just posted my five star review of Practical Lock Picking by Deviant Ollam. From the review: Practical Lock Picking (PLP) is an awesome book. I don't provide physical testing services, but as a security professional familiar with Deviant's reputation I was curious to read PLP. Not only is PLP an incredible resource, it should also serve as a model text for others who want to write a good book. First, although the book...
August 16th, 2010
I'm speaking at VizSec 2010 next month. My topic is "Is Security Visualization Useful in Production?" I already asked: do you use visualization in production? I realized it would also be great to show the world's worst security visualizations. So, what have you seen? What is just horrible yet supposed to be awesome? I'll select the most interesting responses and integrate them into my presentation. Feel free to comment here or...
August 5th, 2010
Amazon.com just published my five star review of Wireshark Network Analysis by Laura Chappell. From the review: Wireshark Network Analysis (WNA) is a very practical, thorough, comprehensive introduction to Wireshark, written in an engaging style and produced in a professional manner. WNA provides a variety of methods for teaching network analysis with Wireshark, including description, screen shots, user-supplied case studies, review questions...
August 4th, 2010
Last week while teaching at Black Hat, one of my students wanted to know how I find new tools. One of the ways I do that is to subscribe to FreshPorts, a site created by Dan Langille. FreshPorts tracks additions to the FreeBSD ports tree, so when someone makes it easy for me to run a new app on FreeBSD I find out. Every week I get an email of new additions to the tree, and...
August 4th, 2010
Thanks to Lieutenant Colonel Gregory Conti and Lieutenant Colonel Jen Easterly for pointing me to their article "Recruiting, Development, and Retention of Cyber Warriors Despite an Inhospitable Culture." They are doing a real service by examining cultural issues challenging the success of a Cyber Command. I'd like to provide a few excerpts: Until the end of the 20th Century combat arms expertise ruled the day, but in the 21st Century kinetic...
August 4th, 2010
The August 2010 issue of Digital Forensics Magazine is available for subscribers. There's a variety of interesting articles, and you can tell there is additional care provided as a result of charging a subscription. Rob Lee wrote a good article on Becoming a Digital Forensics Professional, as well.
August 4th, 2010
The August 2010 Hakin9 magazine is available for free download in .pdf format. I think they are publishing shorter magazines, but more frequently? I always like Matt Jonkman's articles. He mentions creating a new commercial IDS ruleset, which he announced in late June in "Emerging Threats Announces Call for Developers to Create New and Improved Rule Set." I missed it until now, however.
August 3rd, 2010
I think "Project Vigilant" is largely a publicity stunt, meaning it was just invented and its so-called "history" is an extension of someone's imagination. As we say on my team, "This ain't my first rodeo." In other words, I've been around for a while. While I recognize some of the "principals" in this "group," I've never heard of them organized into a...
July 28th, 2010
Time is an important aspect of Network Security Monitoring. If you don't pay close attention to the time shown in your evidence, and recognize what it means, it's possible you could misinterpret the values you see. My students and I encountered this issue in TCP/IP Weapons School at Black Hat this week. Let's look at the first ICMP packet in one of our labs. I'm going to show the output using the Hd tool and then identify...