TaoSecurity
Impressions: Network Warrior, 2nd Ed
In brief, Network Warrior, 2nd Ed is the book to read if you are a network administrator trying to get to the next level. All of my praise from the previous review applies to the new book. The book is really that good, primarily because it combines very clear explanations with healthy doses of real-world experience. Thanks to Mr Donahue for taking the time to update his book!
Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Impressions: Windows Sysinternals Administrator's Reference
In brief, this book will tell you more about the awesome Sysinternals tools than you might have thought possible. One topic that caught my attention was using Process Monitor to summarize network activity (p. 139). This reminded me of Event Tracing for Windows and Network Tracing in Windows 7. I remain interested in this capability because it can be handy for incident responders to collect network traffic on endpoints without installing new software, relying instead on native OS capabilities.
I suggest keeping a copy of this book in your team library if you run a CIRT. Thorough knowledge of the Sysinternals tools is a great benefit to anyone trying to identify compromised Windows computers.
Impressions: The Tangled Web
I did not read the whole book, hence I'm posting only my "impressions" here. I recommend reading this book if you want to know a lot, and I mean a lot, about how screwed up Web browsers, protocols, and related technologies truly are. Because many points of the book are tied to specific browser versions, I suspect its shelf life will degrade a little more rapidly than that of some other technical titles. Still, I am shocked by the amount of research and documentation Michal performed to create The Tangled Web.
As always, Michal's content is highly readable, very detailed, and well-sourced. It's a great example for other technical authors. Great work Michal!
The Toughest Question in Digital Security
The recent Tweet by hogfly (@4n6ir) made me ponder this question. He points to an Aviation Week story by David Fulghum, Bill Sweetman, and Amy Butler titled China's Role In JSF's Spiraling Costs. It says in part:
How much of the F-35 Joint Strike Fighter’s spiraling cost in recent years can be traced to China’s cybertheft of technology and the subsequent need to reduce the fifth-generation aircraft’s vulnerability to detection and electronic attack?
That is a central question that budget planners are asking, and their queries appear to have validity. Moreover, senior Pentagon and industry officials say other classified weapon programs are suffering from the same problem. Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say.
The full extent of the connection is still being assessed, but there is consensus that escalating costs, reduced annual purchases and production stretch-outs are a reflection to some degree of the need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.
It is only recently that U.S. officials have started talking openly about how data losses are driving up the cost of military programs and creating operational vulnerabilities, although claims of a large impact on the Lockheed Martin JSF are drawing mixed responses from senior leaders. All the same, no one is saying there has been no impact.
While claiming ignorance of details about effects on the stealth strike aircraft program, James Clapper, director of national intelligence, says that Internet technology has “led to egregious pilfering of intellectual capital and property. The F-35 was clearly a target,” he confirms.
The point of this article is to question the impact, in business and operational terms, of the cyberwar China continues to prosecute against the West.
The toughest question in digital security is "who cares" because it is usually extremely difficult to determine the impact of an intrusion. Consider the steps required to define the business and operational impact of the theft of intellectual property (as one example -- there are many others).
1. The victim must learn that an intrusion occurred.
2. The victim must determine exactly what IP was stolen.
3. The victim must understand the adversary's capability and intention to exploit the stolen IP.
4. The victim must recognize when the adversary exploits the stolen IP by using it in an operational context.
5. The victim must determine what countermeasures or changes in courses of action are possible to mitigate the adversary's exploitation of the stolen IP.
6. The victim must synthesize most or all of the previous points into an assessment of the business and operational cost of the IP theft.
Steps 1 and 2 are largely technical, but 3-6 are more business-focused. From what I have seen, everyone who is a victim in the ongoing cyberwar struggles to conduct "battle damage assessment" (BDA) for digital intrusions. Articles like the one I cited are examples showing how difficult it is to determine if anyone should care about China's exploitation of Western IP.
