The Cybersecurity Canon: CRACK99: The Takedown of a $100 Million Chinese Software Pirate

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: CRACK99: The Takedown of a $100 Million Chinese Software Pirate (2015) by David Locke Hall

Executive Summary

CRACK99: The Takedown of a $100 Million Chinese Software Pirate is the story of how the author, David Locke Hall, a federal prosecutor with no background in cyber forensics, went after a cyber criminal. This is not a book that will help you develop better technical skills; rather, it helps you understand how those outside the field deal with the challenges of applying their normal processes to the complexities of the virtual environment.

CRACK99 misses belonging in the Canon as it doesn’t develop a better cyber practitioner, but it is worth the read to understand the challenges the justice system faces in prosecuting cyber criminals. The style reminds me of Cuckoo’s Egg or Takedown with a lot of side stories about the writer’s life. There are also chapters on subjects like arresting an Iranian arms dealer for export violations, justice system, and national cyber strategy. The author does a reasonable job of tying these subjects together as the actual material about the crime is not enough to fill a book.

Review

CRACK99 is the true story of an Assistant United States Attorney (AUSA) who decided to go after a Chinese national who was selling stolen software. Most of the software was used in advanced design and simulation and had national economic/military implications. The AUSA decided to discreetly partner with Homeland Security Investigations (HSI). Normally a case like this would be handled by the Federal Bureau of Investigation (FBI), and the U.S. Attorney’s Office in Wilmington, Delaware would not focus resources on an international case. Finally, to keep the case with HSI, they classified it as smuggling.

One of the first applications they focused on was the Analytical Graphics Incorporated (AGI) Satellite Tool Kit (STK). The software normally sold for around $150,000; but, on the CRACK99 website, an illegal copy cost only $1,000. STK was a simulation that could replicate the performance of satellites, drones or other military assets. This was one of a host of applications for sale, most of them using the same third party to enforce licensing. The AUSA initially thought that a rogue employee at that firm was the culprit; but, as he came to understand the technology involved, he realized that was not likely.

They purchased a copy of STK for the investigation and were told to use a Western Union money transfer. Sending the wire transfer from Delaware helped establish a case that the AUSA could prosecute. The operator of the site gave the user’s name and address in China. His name was Xiang Li, and he not only delivered the software but would help by providing guidance on how to install it. This was enough to get a warrant for the Gmail account Xiang Li was using. Analysis of emails revealed that there were over 450 illegal software sales worth over $100 million. Additionally, it showed that his wife was involved as the money manager, and that most of the sales were in the U.S.

The investigators came up with a plan to engage Li as potential business partners and lure him into the U.S. via a meeting in Saipan (a U.S. territory). They obtained a grand jury indictment on copyright infringement, trafficking in access control circumvention, wire fraud, interstate transportation of stolen property, smuggling, and trafficking in counterfeit labels. Li met them; was arrested; and, initially, was cooperative with the investigation. One of the big questions was how he got the software and who cracked the licensing. It was mostly fan groups, web forums, and hackers – he found what he sold through open searches (many were in Russia), and some were given to him by customers who wanted them cracked. Xiang Li asked for mercy but got 12 years. Of all the U.S. buyers, only two were prosecuted: Mr. Best got 3 years, and Mr. Wedderburn received probation.

CRACK99 provides great background on the justice system. The Federal Bureau of Investigation (FBI) is the big dog, with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and Drug Enforcement Agency (DEA) getting news coverage. Homeland Security Investigations (HSI) is bigger than both but only half the size of the FBI. HSI came out of Customs, which became Immigration and Customs Enforcement (ICE). In 2010 the FBI moved from crime to intelligence collection. The AUSA didn’t want to give the case to them because they would not push for jail time.

The book also covers organizations like the Department of Justice (DOJ) Office of International Affairs, Mutual Legal Assistance Treaty (MLAT), Defense Criminal Investigative Services (DCIS), and Office of the National Counterintelligence Executive (ONCIX). It provides insight into which law to prosecute under: economic espionage, smuggling, copyrights, conspiracy (too abstract for the jury), pen register (wiretap) rules, lure, embargo, or acts like the National Stolen Property Act and Sound Recordings Act. It also lists resources like executive orders, commercial reports (Mandiant), and the Department of Defense (DOD) Science Board. The author also shares his opinion on case law, such as his belief that the Supreme Court was wrong in the Dowling decision.

While the author didn’t propose a strategy, he did frame many of the issues and possible solutions. One key theme was the concept that most law enforcement is hooked on fast food – low hanging fruit that is easy to prosecute but has no impact. He compares this to U.S. cyber strategy – a lot of talk and papers with strategy in the title but no actionable strategy. For example, much was made of Coreflood botnet being taken down, but nobody was arrested. The U.S. government indicted members of the Chinese People’s Liberation Army; but, again, there was no expectation they would be prosecuted. It was more of a political name and shame policy.

As part of his review of arresting arms dealers trying to avoid embargo restrictions, he said, “Dubai is a monument to the failure of the United States to control the proliferation of its own goods and technology.” He talks about the parallels to a lack of cyber strategy or concerted effort. The DOJ bragging sheet that covers their key cases had nothing about theft of intellectual property or cases against China – this despite the example of Microsoft having an application update downloaded 30 million times for one legitimate license. There is a real disconnect between the DOJ and national security / economic threats.

Conclusion

CRACK99 should be read by anyone who wants to understand more about how one prosecutor in the justice system took on a cyber criminal. The author does a decent job of covering both the tactical aspects of an investigation and the national strategy issues involved with the case. His side stories about getting pulled in to work other cases, such as those of drug dealers and even a mail carrier case that ended in a plea agreement, are interesting. It feels like he wrote the book over a period of years without updating some activities referenced. He talks about reports/actions ranging from 2011 to 2015. He also spends a lot of time talking about his Navy background and the potential Chinese government/military involvement but ends up with no proof.

Bottom line – this is not a Canon candidate but a quick and worthwhile read.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Information Warfare: Chaos on the Electronic Superhighway

Book Review by Canon Committee Member, Steve Winterfeld: Information Warfare: Chaos on the Electronic Superhighway (1994) by Winn Schwartau

Executive Summary

So why am I recommending a book from 20 years ago? Because Information Warfare: Chaos on the Electronic Superhighway shows both how far we have come and how little things have changed. Books like this and Bruce Schneier’s Secrets and Lies from 15 years ago stand the test of time and still have something to contribute. This was one of the first books that really laid out the concepts of how economic and military warfare would evolve online.

Information Warfare shows both those foundational ideas on cyber warfare and how some of the issues that are hot now might fade into the background. This book belongs in the Canon due to the foundational and timeless issues it addresses for our industry. It is a quick read and provides critical perspective for anyone serious about strategic issues around cyber warfare.

Review

For context, in the mid-1990s we had flip cellphones and personal digital assistants (PDAs); U.S. President Bill Clinton and Russian President Boris Yeltsin signed the Kremlin accords; the movie Sneakers was in theaters; the DEFCON conference started; and Kevin Mitnick was arrested. As the threat of apocalyptic global warfare was receding into history, it was being replaced by economic warfare. In the information age, that quickly became information warfare.

Information Warfare is not a technical, how-to guide but rather talks about the strategy and methods involved in information warfare. It is organized as a series of topics, starting with the large picture of Econo-Politics and information’s role in it, then going from Internet infrastructure issues down to malicious code. Next come predictions about hardware and chip vulnerabilities, use of electromagnetic eavesdropping, high-energy radio frequency (HERF) guns and electromagnetic pulse (EMP) weapons. Then comes the introduction to the hacker culture at the time, the military perspective, and the categories used to frame discussion about info war (i.e., personal, corporate and global). Finally, there is a review of defensive techniques for each of the types of warfare and his view on a National Information Policy: A Constitution for Cyberspace and an Electronic Bill of Rights – both of these are still very relevant.

He missed on whether or not techniques like HERF guns and electromagnetic pulse (EMP) weapons would become commonly used. In other areas, like economic impacts leading to cybercrime, military implications of the Internet, and cryptography becoming a commercial capability (at the time the NSA had declared crypto software like DES to be a weapon), he was right on target.

While the early chapters covered the political landscape of the day and focused heavily on terrorism, the ideas (while dated) are still applicable today. The discussion on phone phreak hackers stealing long distance reminds us that hackers have always changed their focus based on business models – now banks are online, so they can go directly to the source. The conversations with some hackers of the time show how they have evolved from hobbyist to full time. Interestingly, while he doesn’t use the present-day term “Internet of Things (IoT),” he does foreshadow the concept.

Conclusion

Information Warfare should be read by anyone who wants a strong background in the strategic and military issues around the concepts and principles of information/cyber warfare. While the use of the term “information warrior” is ubiquitous for both hackers and government agents, their activities and methods still ring true today. Also, the national policy debates presented are still going on. Finally, defending the digital device is still relevant. This is a quick read that provides understanding of how long the “cyber warfare” issues we are dealing with today have been around.

The Cybersecurity Canon: Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath

Book Review by Canon Committee Member, Ben Rothke: Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (2015) by Ted Koppel

Executive Summary

One of the most successful television commercials in history was for the financial firm E. F. Hutton, based around the catchphrase, “When E. F. Hutton talks, people listen.”

In the world of broadcast journalism, when Ted Koppel speaks, people listen. And when he writes, people read. And read indeed, as his new book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath is in the Amazon top 200.

Yet, even with his over 50 years of journalistic experience, this book shows that being a world-renowned reporter doesn’t mean you always get the story right.

Review

In the superb, Canon-worthy book Threat Modeling: Designing for Security, author Adam Shostack shows how to use threat modeling to enhance software security. By applying threat modeling, information security can be enhanced. Shostack’s book offers a structured, methodical framework and a model for determining a threat and its entire lifecycle, such that each of the key elements is identified and adequately assessed.

The problem with Koppel’s book is that his approach to the topic is anything but structured and methodical. He sets up a straw man question, never fully identifies the threats facing the power grid, and never gives specific weights to those threats, such that the reader is left with Chicken Little meets the power grid. The book’s premise is that a major and devastating cyberattack on America’s power grid is imminent. While it’s a disturbing hypothesis, never once does Koppel detail how such an attack would actually take place.

Throughout the book, Koppel sets up his straw man and uses terms such as imagine, may, could and similar tenuous phrases. While these doomsday and worst-case scenarios are indeed terrifying, never does the book detail the specific how. Much of the book contains details of Koppel’s travels and narratives of the people he meets: preppers in Montana, leaders of the Mormon Church (whose doctrines include planning for cataclysmic events), and more. This is a detailed account of Ted’s great adventure.

One of the more disturbing interviews is with Jeh Johnson, Secretary of the Department of Homeland Security. Johnson comes across as somewhat clueless about the energy sector cyberthreat; Koppel noted that, while Johnson’s answer to Koppel’s question lasted 13 minutes, he never addressed the question, and it was an area in which Johnson conceded that he had little expertise.

Koppel admits that he is not proficient in the complicated energy sector. To help him navigate the arcane world of grid reliability standards and the evolving relationship between power industry groups and federal regulators, Koppel engaged the services of Dr. Ryan Ellis of the Cyber Security Project at Harvard University. Koppel notes that he sent transcripts of key interviews and rough drafts of relevant chapters to Dr. Ellis for his review and comments. Incredibly and disconcertingly, Koppel states that he didn’t always follow the advice of Dr. Ellis.

What Koppel did is speak to a lot of very senior people and put what he gleaned into writing. What’s conspicuously missing is his speaking to any cybersecurity expert with experience in SCADA, malware or related areas. In an interview for CSO Online, Koppel was asked if he interviewed penetration testers who have experience in the electric generation and transmission sector. Incredibly, he said “no.” I don’t think Koppel understands the significance of that exclusion, and therein is the fundamental problem with this book.

There are indeed threats to the power grid. But, if you want to know about those – the real threats and how they can be dealt with – this is not your book.

The Cybersecurity Canon: Metasploit: The Penetration Tester’s Guide

Book Review by Canon Committee Member, Brian Kelly: Metasploit: The Penetration Tester’s Guide (2011) by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni

Executive Summary

Learning to think like a criminal, or in this case a cybercriminal, is a requirement for all penetration testers. Fundamentally, penetration testing is about probing an organization’s systems for weakness. While the goal of Metasploit: The Penetration Tester’s Guide is to provide a useful tutorial for beginners, it also serves as a reference for practitioners.

The authors write in the Preface that, “This book is designed to teach you the ins and outs of Metasploit and how to use the Framework to its fullest.” While the book is focused on using the Metasploit Framework, it begins by building a foundation for penetration testing and establishing a fundamental methodology.

Using the Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. While Metasploit has been used by security professionals for several years now, the tool can be hard to grasp for first-time users. This book fills the gap by teaching readers how to harness the Framework and interact with the active community of Metasploit contributors.

While the Metasploit Framework is frequently updated with new features and exploits, the long-term value of this book is its emphasis on Metasploit fundamentals, which, when understood and practiced, allow the user to be comfortable with both the frequent updates of the tool and also the changing penetration testing landscape.

Review

Metasploit: The Penetration Tester’s Guide is laid out in two sections: Chapters 1 to 5 introduce the basics of penetration testing and the Metasploit framework, with the remaining 11 chapters outlining specific areas of the framework, building on the fundamental concepts introduced in the first section. The bulk of the book takes the penetration tester through using the framework with examples of both use cases and the syntax required. The examples begin with the most basic techniques of the craft and move through carrying out exploits and gaining value from the post-exploitation capabilities of Meterpreter.

The authors give a short overview of each topic before jumping right into the hands on – showing readers the commands to use and then dissecting the output – explaining step by step what is happening and what was accomplished. The book allows readers to move quickly from the basics of penetration testing through using the platform to perform the different phases of intelligence gathering and exploitation.

The exploitation sections cover a wide range of techniques, including attacking MS SQL, dumping password hashes, pass the hash and token impersonation, killing antivirus, and gathering intelligence from the system to pivot deeper into the target network.

Conclusion

Metasploit: The Penetration Tester’s Guide is written in a hands-on, tutorial-like style that is great for beginners, as well as folks who prefer to learn by doing. This is an excellent book for anyone interested in a hands-on learning approach to cybersecurity and the fundamentals of penetration testing. It is also a great reference book for the seasoned Metasploit user and those new to Metasploit who want a step-by-step instruction manual.

The craft of penetration testing is covered deeply and broadly. However, the book’s greatest source of value is how the concepts being applied are explained and demonstrated with well-annotated examples. The authors’ experiences in formal instruction and practice are evident. This book achieves a good balance between concept and practicality.

The goal of the Cybersecurity Canon is to identify a list of must-read books for all cybersecurity practitioners — be they from industry, government or academia — where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete. Finally, the books must provide timeless technical know-how. Metasploit: The Penetration Tester’s Guide achieves these goals, and I believe it is worthy of inclusion in the Cybersecurity Canon candidate list. It is a valuable resource for all cybersecurity professionals’ libraries, whether they be novices or experienced practitioners.

The Cybersecurity Canon: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare

Book Review by Canon Committee Member, Ben Rothke: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (2011) by Joel Brenner

Executive Summary

Speak to a civil engineer, and it won’t take long until the conversation turns to the sorry state of America’s infrastructure. The civil engineer will let you know that far too many bridges, canals, roads and highways, dams, tunnels, and more are in dangerous condition due to neglected maintenance. Much of America’s infrastructure is highly vulnerable, given that it’s over 50 years old and long overdue for an overhaul.

In America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare, author Joel Brenner, an attorney who was the senior counsel at the NSA until 2009, takes the conversation to a different infrastructure, namely the digital and network world. Brenner’s premise is that, since much of the digital world and information superhighway haven’t been adequately secured, much of the U.S. digital and critical infrastructure remains vulnerable to hackers, foreign governments, terrorists and numerous other threats and adversaries.

In this 250 page call to action, Brenner lays out, in detail, the dangers the U.S. faces to its freedom and national security if action is not taken – and taken quickly.

Review

In the movie Field of Dreams, a farmer repeatedly hears a voice whispering, “if you build it, he will come,” which leads the main character to build a baseball diamond. In the digital world, the reality is such that, if you don’t secure it, they will come and take your data and intellectual property. America the Vulnerable lays out the case that an insecure digital infrastructure almost begs adversaries to come and attack it, which in turn places the entire nation at risk.

This book is 4 years old, and, while many of the events may have been yesterday’s news, the underlying message Brenner evangelizes is still highly relevant as our digital infrastructure is woefully insecure. Unless this changes, the number of attacks and breaches will only increase in both scope and magnitude.

A quick and fascinating read, Brenner does a great job of telling the story for the reader without a strong technical background. While there is a lot of finger pointing that could be done, Brenner rises above that and focuses on the issues and problems, rather than laying blame.

China plays a leading role in the book. While China has long denied any notion of state-sponsored hacking, even with evidence to the contrary, the book details China’s long view: namely, its attempt to regain its role as a world power. The book notes that China had the world’s largest economy for eighteen of the past twenty centuries. The two exceptions were those of America’s youth and rise to power. The last 200 years have seen a decrease in this dominance, but the book notes that China does not regard Western domination as normal. With that, China has made it a priority to reestablish its place in the international order. And a large part of the reestablishment process includes taking data and intellectual property from U.S. firms.

Part of the problem is that, while China has made it a priority to reestablish itself and that approach includes hacking, the U.S. has not conversely created a unified approach to dealing with the myriad digital threats. The U.S. response has been heavily fragmented. Part of the reason for this is that, as a democracy with 50 states, it’s much harder to create a unified security response. As a totalitarian state, China has it much easier. Perhaps that’s why they have been able to remotely download terabytes of data from U.S. Department of Defense networks on numerous occasions. The book also quotes then-NSA Director and U.S. Army four-star general Keith Alexander, who said that, as far back as 2010, the U.S. found that its classified networks had been penetrated by China.

In every chapter, Brenner lays out the case and provides many examples of how vulnerable the U.S. is. Brenner is no Chicken Little, and, if anything, in the four years since the book was published, the information security sky has indeed been falling.

The underlying issue that Brenner so eloquently and clearly writes about is that, in the rush to get the U.S. into the digital age and to wire nearly everyone, every business, and every school to the Internet, it has created a network that is highly porous and vulnerable to attack.

This is not simply about networks ordering Girl Scout cookies; this is the critical infrastructure of the U.S. at risk, including everything from the networks that control the financial system and energy grid, to keeping planes in the sky, and much more.

In chapter after chapter, Brenner describes somewhat of a bleak future. Chapter 10 closes with a number of recommendations for both the government and private sector. While many of them are a good start, the reality is that a much more aggressive approach needs to be taken to stem the tide. The truth is that it’s much easier to write about the problem than detail comprehensive solutions.

Conclusion

The sound you hear is that of petabytes of proprietary and highly confidential data being stolen out from under our network noses – silence. This data is quietly being stolen, and the victims include many of the Fortune 1000, along with countless individuals. How big this breach is in the data dam is debatable; what’s eminently clear is that something must be done – and done quickly.

Like the good attorney that he is, Brenner has laid out the case in America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. It’s now up to our leaders and cybersecurity professionals to take action to stop the flow. If not, the consequences could be terrible.

Brenner has written an important book, and, while its stories may be a few years old, its message remains quite relevant.
