Wednesday, April 23, 2014

Currently Reading: Schneier on Security

A book that I am currently reading is Schneier on Security (2008) by Bruce Schneier.

I would hope that most security professionals out there are familiar with Bruce.  He has written several books and numerous articles.  His blog, Schneier on Security, is well known as is his monthly e-newsletter Crypto-Gram (go to his blog to read and subscribe).

For myself, I've read many of his materials and seldom disagree with his views.  Mainly, where I think he may not have all the info, I disagree with his conclusions.  Frankly, I find that too many other security experts of his caliber are sadly a bit stuck in their ways and their views are too off.

Schneier is known for actually criticizing many of the so-called "security" measures put into place for really failing to make us more secure.  He called this "security theater".  So while some so-called experts push for new IDs or more surveillance, Schneier points out that all this stuff doesn't do what it claims, and may, in fact, make us less secure.  You have to wonder what the real reason is that some people push these methods.

Schneier on Security is a collection of essays written between 2002 and 2008 that have appeared in various magazines, newspapers, websites and Crypto-Gram.  A few he updated at the time of the publication of the book (2008), and all cite the original publication.  Sadly, being over 5 years old, some of the statements are now a little dated, but if you overlook that, there are many interesting items here.

The book is organized into a dozen chapters:
  1. Terrorism and Security
  2. National Security Policy
  3. Airline Travel
  4. Privacy and Surveillance
  5. ID Cards and Security
  6. Election Security
  7. Security and Disasters
  8. Economics of Security
  9. Psychology of Security
  10. Business of Security
  11. Cybercrime and Cyberwar
  12. Computer and Information Security

Because each essay is fairly short (2-3 pages max), and most are just gathered into each chapter by common topic, you can jump around and read what sparks your interest.  In fact, that's what I have been doing.

As some of the topics go beyond just the technical information security that many of us in the infosec world focus on, I think it's good that we have a better understanding of security outside of IT, as well as of how what we do affects other areas.

So check it out.  And if you like what you see, check out his other works as well.  His latest book, Carry On, is actually a "sequel" to this work, collecting articles from 2008-2013.  I don't have it yet, but plan on getting it soon.

<updated 5/1/2014>

Sunday, April 13, 2014

20 Books: Neuromancer

This is part of a sub-series of postings based on the "20 Books Cybersecurity Professionals Should Read Now".

William Gibson's Neuromancer (1984) is considered one of the seminal works of cyberpunk.  OK, so what is "cyberpunk"?  It's a genre of science fiction that is set in the near future.  It shows a world that has high tech, such as advanced information technology and cybernetics, but also shows a degree of breakdown of the social order.  Some could even be a bit dystopic.  Cyberpunk would spawn other genres.  Attempts to push the ideas of cyberpunk into prior technology periods would result in the "steampunk" and "dieselpunk" genres.  And other genres would be spawned that would be thispunk and thatpunk, which got tiresome.

The reason we as infosec professionals should care is that in much of the cyberpunk genre, cyberspace, the world on-line, usually has a big place in the stories.  And as such, hacking and security and all that will have a big part to play.

Gibson is considered one of the main originators of the genre, and Neuromancer was his first novel, and the first in his "Sprawl" series.  I read it and other cyberpunk works soon after they came out.  As a young computer science major in college, I recall trying to grasp the world being explained.  Keep in mind that at the time the Internet was not available to many people.  The idea of cyberspace was then pure science fiction.  We didn't have the Internet, WWW, and all the rest to refer to.

As one of the first cyberpunk works, it sets the stage for others, so I think it's important to be familiar with it, and the world of hackers and the computer underground it shows.  If you haven't already read it, check it out.

I should point out that the Keanu Reeves movie, Johnny Mnemonic, is loosely based on a short story of the same name that precedes Neuromancer.  But the movie doesn't quite match up with the story.  Big surprise.

Thursday, April 10, 2014

20 Books: Cuckoo's Egg

This is part of a sub-series of postings based on the "20 Books Cybersecurity Professionals Should Read Now".

Clifford Stoll's book, The Cuckoo's Egg (or to use its full title, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage), is an early (1989) work on computer breaches and espionage.  I read it when it first came out, and I thought it fascinating at the time.

For those not aware, let's get into it.

Clifford Stoll was at the time (1986) an unemployed astronomer working as a Unix sysadmin at the Lawrence Berkeley National Laboratory.  His boss asked him to look into a 75-cent error in computer usage.  Back in those days, you would be charged for computer usage.

Now, the amount was strange.  An anomaly.  That is important.  Otherwise why bother?  It's a trivial amount.  Some companies would just write off a bill of that size as not worth their time.  But this is what triggered things, as it indicated that it wasn't a system error, but a human error.  Someone was hiding (or trying to hide) their tracks.  And this mistake led to the anomaly, which led to Stoll looking into it.

Keep in mind this was way before the various cybersecurity systems we think of existed.  No firewalls.  No IDS/IPS or the like.  This was because access was being done in many cases over modems, NOT the Internet.  From his 10-month investigation, Stoll realized this was bigger than just a simple accounting error, and soon brought in the authorities.  It's also interesting that Stoll's girlfriend actually recommended he set up what today would be known as a "honeypot" to attract the hackers and keep them on-line so they could be traced.

It developed that the hackers were from Germany.  It also seemed they'd accessed LBL by mistake, thinking it was Lawrence Livermore National Laboratory, where they do nuclear research.  Thanks to Stoll's efforts, the hacker and a confederate were captured and put on trial.  It would later be shown that the hackers (or some of them) were doing espionage for the KGB.

Stoll wrote up the matter in a more technical article for the Association for Computing Machinery (ACM) called "Stalking the Wily Hacker" in 1988.  You can read this

The book came next, written for the general audience.

And they then did an episode of the PBS science series NOVA on it:  "The KGB, The Computer, and Me" in 1990.  Interestingly, many of the people involved played themselves.

While the technology may seem primitive, it shows how small, anomalous things can point to bigger issues.  Clearly, you don't want to have to spend 10 months tracking down the source of a computer breach, but you do want to have an idea of what is normal on your systems, so that abnormal things, no matter how small, can point you to bigger issues.

All these works are highly recommended by me.  Check them out!

Wednesday, April 9, 2014

Security BSides Orlando 2014

This past weekend I attended the Security BSides Orlando conference.  I have heard of these conferences held around the country, but it was my first time attending any.

For those not aware, Security BSides Conferences are community-led and community-organized conferences.  They are intended to be a way for the information security community to come together and share ideas in a more informal setting, often at a very low cost to the attendees.  A model or framework has been set down with which people can set up their own conferences.  You can read more about this HERE.

Here in Florida we have had 2 in Orlando, one in Tampa Bay, and one coming up in Jacksonville.  Would love to see one in South Florida.  (hint hint)

I have had experience with other security conferences (Hacker Halted, South Florida ISSA and South Florida ISACA, HackMiami).  I would say it was more similar to HackMiami's conference in terms of being more low key than what I've seen with the others, but also a lot cheaper than HackMiami's.

There were 2 tracks of speakers, with another on Saturday of more class-type sessions.  There was also a small vendor room that had a few of the sponsors, as well as a "lockpick village" to try out lock picking, and a Maker Lab (FamiLAB from central Florida) in attendance.  In the same room they also had a CTF event going on all weekend.  This was rounded out with a party on Saturday night.

Overall, a good event.  Look forward to next year's event.  I hope to submit a proposal for a talk as well.

20 Books Cybersecurity Professionals Should Read Now

At the recent RSA Conference, Rick Howard, CSO for Palo Alto Networks, gave a popular talk where he gave a recommended list of works he felt cybersecurity professionals should read.

Some are technical, some fiction, and others non-fiction for the general reader.

I have read several, a few I have on my "to read" list, and a few I wasn't aware of.  But with that in mind, I plan on reading and reviewing these works over the next few months as possible.

The List?  Here it is in alphabetical order.

  • The Blue Nowhere, Jeffery Deaver (2001)
  • Breakpoint, Richard A. Clarke (2007)
  • The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), Dawn M. Cappelli, Andrew P. Moore, and Randall F. Trzeciak (2012)
  • Confront and Conceal:  Obama’s Secret Wars and Surprising Use of American Power, David Sanger (2013)
  • Cryptonomicon, Neal Stephenson (1999)
  • The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll (1989)
  • Cyber War: The Next Threat to National Security and What to Do about It, Richard Clarke and Robert Knake (2010)
  • Daemon (2006) and Freedom™ (2010), Daniel Suarez
  • Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet, Joseph Menn (2010)
  • The Girl with the Dragon Tattoo, Stieg Larsson (2011)
  • Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground, Kevin Poulsen (2011)
  • Neuromancer, William Gibson (1986)
  • Reamde, Neal Stephenson (2011)
  • Security Metrics: Replacing Fear, Uncertainty, and Doubt, Andrew Jaquith (2007)
  • Snow Crash, Neal Stephenson (1992)
  • We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency, Parmy Olson (2012)
  • Worm: The First Digital World War, Mark Bowden (2011)
  • Zero Day (2011) and Trojan Horse (2012), Mark Russinovich 

For those wanting to obtain them: