As you may remember, I started a little contest Monday morning to pass a few classic infosec books along to a new owner with the hopes that they’ll get as much out of them as I have. Over the weekend @taosecurity put out a bunch of reviews and I happened to have three of his recommended books (all 4 and 5 stars). To enter the contest all you needed to do was tweet or RT the following phrase.

“I want 2 win 3 @taosecurity recommended books from @grecs. #infosecclassics http://bit.ly/cUiA4K”

Well … after around 40 tweets (and a few negative ones as well ), I headed over to Random.org and had it select a number between 1 and 40. The site came back with 5 so I chose the 5th person who tweeted or retweeted the magic phrase.

And the winner is … @bvPredator!

According to his Twitter profile Mark describes himself as a “Geek, Hacker, IT Support Specialist, Hardware Guru, Infosec noob!” I really like seeing that “infosec noob” part as I feel he’ll get a lot out of the books.

Congrats to Mark and thanks to everyone that entered. (Mark: Please DM me @grecs to arrange delivery.) See ya!

I’ve been meaning put out a post ever since our failed book giveaway attempts last year (here, here, and here). Then over the weekend Richard Bejtlich (@taosecurity) put out a bunch of reviews on several infosec classics. I happened to have three of those so it looked like a great time to try to pass these books onto someone else. Below are the books with part of Richard’s review and my comments.

Code Version 2.0: “Code Version 2.0 (CV2) is a compelling and insightful book. Author Lawrence Lessig is a very deep thinker who presents arguments in a complete and methodical manner. I accept his thesis that “cyberspace” has abandoned its tradition as an ungovernable, anonymous playground and risks becoming the most regulated and “regulable” “place” in which one could spend any time. …” (full review) (TaoSecurity Rating: 4 of 5 stars)

Although Richard seemed to like this book and found it very “compelling and insightful” I found it quite a bore. Now I do only have Version 1.0 so maybe it’s been spiced up over the past several years. About the only time I look at this book is when I can’t sleep. Within about 5 minutes I’m out. I’m not saying it’s bad … but it’s probably just a little too theological for my taste. (Grecs Rating: 1 of 5 stars)

Crypto: “Steven Levy’s ‘Crypto’ is a fascinating look at part of the story of modern cryptography, at least from the point of view of key non-government cryptographers. The author clearly conducted plenty of research into the lives of certain individuals, such as Whit Diffie and Marty Hellmen, the RSA trio, and other entrepreneurs. …” (full review) (TaoSecurity Rating: 4 of 5 stars)

I really enjoyed this book and agree wholeheartedly with Richard on this one. I would almost give it five stars over Richard’s four. This is one of the few books from my early 2000s infosec classes that I actually couldn’t put down. It was very interesting to see the basis on which most of today’s crypto is based. (Grecs Rating: 5 of 5 stars)

The Cuckoo’s Egg: “Cliff Stoll’s ‘The Cuckoo’s Egg’ (TCE) is the best real-life digital incident detection and response book ever written. I know something about this topic; I’ve written books on the subject and have taught thousands of students since 2000. I’ve done detection and IR since 1998, starting in the military, then as a consultant and defense contractor, and now as director of IR for a Fortune 5 company. …” (full review) (TaoSecurity Rating: 5 of 5 stars)

Totally agree again with Richard on this one … another story I couldn’t put down. One of the more fascinating aspects of this book is seeing how attackers are using the same basic concepts today as they did over 30 years ago. (Grecs Rating: 5 of 5 stars)

Well … that is it for the books I’ll be passing along. To enter to win these three slightly used books, all you need to do is tweet the following:

“I want 2 win 3 @taosecurity recommended books from @grecs. #infosecclassics http://bit.ly/cUiA4K”

The contest will run for two days through today and Tuesday. At that time I will randomly pick someone and contact them to arrange delivery.

This week we are featuring a new NoVA Blogger, @geminisecurity. Please take a moment to check out their Twitter feed and welcome them to the local infosec community.

While he doesn’t have a post featured this week, we would also like to introduce local NoVA blogger @bobgourley. Please take a moment to visit his Twitter feed or his blog and welcome him to the local infosec community.

Now, to the posts!

#3 – The Mystery of SSL: The post “How does SSL work anyway?” post published by @geminisecurity this week was not only useful, but witty. Likening SSL to a handshake—“[i]t’s like the secret handshake you used in grade school to get into your clubhouse”—@geminisecurity had some useful tips and tricks about Server Authentication, Client Authentication, References, and other SSL protocols. You can check out the full post here.

#2 – Resources Galore: It seems that @mubix is the man to talk to if you’re looking for great security resources. Posting what he described as “Getting your fill of Security,” this week, @mubix is now keeping a running list of security podcasts, security bloggers, security-related Twitter accounts, and sites that you’re free to hack. You can check out the list here. You can also check out our list of security resources for additional information.

#1 – 60 Day Surprise: After President Obama gave his remarks on Cyber Security earlier in the week, Richard Bejtlich wasted no time before blogging his own thoughts about the President’s controversial speech. While we read a lot of tweets and blog posts this week that dealt with Obama’s ultimate stance on Cyber Security, we felt that Bejtlich’s was by far the best. Not only did he provide an intelligent commentary about what President Obama said, he also created an ‘imaginary’ speech of “what I would have liked to have heard [from President Obama].” This is a must-read post for anyone in the field, as the President’s stance on Cyber Security will affect all of us in some way. You can read the full post here.

Well, that’s all for this week. As always, we’d love to know if there are any other NoVA bloggers out there would would like to be considered for our “Top NoVA Infosec Blog Posts of the Week” feature. If so, leave a comment below or send us a tweet @grecs.

o o o o o

How Ironclad is your information?

Where can you find a book review, information about the 60-day security review, and humorous commentary about the Verizon report all in one place? This post, of course. Finding the best posts by local security bloggers, we do our best to make your Mondays a little more interesting.

# 3 – Hack This Book Again: It turns out that @carnal0wnage isn’t the only one who decided to review Chained Exploits: Advanced Hacking Attacks from Start to Finish; Richard Bejtlich of TaoSecurity also reviewed Chained Exploits and arrived at a slightly different conclusion than @carnal0wnage. As you can see in our post from last week, @carnal0wnage felt that overall, the book wasn’t of particular use to professionals already in the security field. In contrast, Bejtlich says that while he agrees with some of the negative comments about Chained Exploits, he feels that many of the comments are unduly harsh. As he says in his review, “I don’t think it’s strictly necessary for a book to contain brand new security techniques in order to qualify for publication,” and that Chained Exploits does a good job of providing both old and new information. You can read the full review here.

#2 – 60 Days And Counting: With the 60-day security review nowhere in sight, @rybolov sums up our feelings perfectly when he says “I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, ‘You can’t handle the truth!’” With the review supposedly turned into President Obama on the 17th, @rybolov makes the astute observation that “our information sharing from Government to private sector really sucks right now.” @rybolov then goes on to talk about how the government can’t seem to decide whether they’re a partner or a regulator, and why they need to choose one or the other instead of trying to (rather unsuccessfully) be both.  Because as @rybolov points out, the ‘are we a regulator or a partner’ conundrum is making it hard for the private sector to do their job. You can read the full post here.

#1 – Verizon in 5 Minutes or Less: If you didn’t get a chance to read our take on this year’s Verizon report, Bejtlich has a great summary of it that will take you about 5 minutes or less to read. Taking screenshots from the report and adding a small commentary to each of them, what he had to say seemed to spark quite a discussion with readers. You can view the full post here.

Well, that’s all for this week. Be sure to check out our Blogs/Podcasts page for more great security bloggers in and around the NoVA area. Also be sure to drop us a line if you know of a blog or podcast that should be added to the list.

###

In addition to registering for SANS events through NovaInfosecPortal, you can also help keep the site going by becoming a subscriber.

If you haven’t had the opportunity to check out some of NoVA’s local security bloggers, here’s your chance. We’ve found the cream of the crop, making it easier for you to identify bloggers you like and information you need.

This week, we’ve picked posts that cover everything from books to careers. There’s also some congratulations in order for one of NoVA’s very own bloggers that won “Best Non-Technical Security Blog” at RSA. Can you guess who it is? If not, we’ll reveal the answer at the end of this post.

#3 – Hack This Book: Discussing the book Chained Exploits: Advanced Hacking Attacks from Start to Finish by Andrew Whitaker, Keatron Evans, and Jack B. Voth, @carnal0wnage provided an interesting review that talked about how valuable Chained Exploits is for people in the industry. According to @carnal0wnage, one of the pros of Chained Exploits is that “I couldn’t think of another book that approaches the problem from the ‘chained exploit’ perspective meaning one exploit doesn’t give you the keys to the kingdom or your final end state.” But it seems that the pros of  Chained Exploits were outweighed by the cons, with @carnal0wnage saying that “the ‘chained exploit’ approach is valuable from a teaching point of view but anybody that pentests for a living has been doing this for awhile now, its just part of ‘the process.’” 2carnal0wnage also noted that while the idea  of ‘chained expolits’ might be new to print, it’s nothing new to the security community. You can read the full review here. 

#2 – Toot Those Horns: Using another great analogy to get his point across, Marcus (@marcusjcarey), stresses the importance of ‘tooting your own horn’ in the infosec community. In his “Toot Your Own Horn” post, Marcus says that the majority of us out there blog or tweet about stuff that’s said by the ‘big wigs’ or people who we perceive to be important in the security community, when really, we should be giving our own thoughts and opinions. In essence, ‘tooting’ our own horns. Part of ‘tooting your own horn’ also applies to interviewing, which Marcus talked about in his “Own Your Technical Interview” post. Don’t be afraid to show what you know, but as Marcus pointed out, don’t lie, and don’t be afraid to say ‘I don’t know.’

#3 – S.773: Finishing up his original posts about the Cybersecurity Act of 2009, @rybolov wrote parts three and four of his “Blow-By-Blow on S.773″ series. While @rybolov encourages readers to look at the actual bill, he does a great job of breaking it down so even the most non-politically savvy of us can understand what it’s all about. He also gives his own thought on each section of the bill, which we found to be immensely enlightening. It’s definitely something all of us should be aware of, so please take the time to read part 3 and part 4 if you haven’t already.

So, were you able to guess who the winner of the “Best Non-Technical Security Blog” at RSA was? Frequently featured in our “Top 3 Blog Posts of the Week” section, it’s Richard Bejtlich of TaoSecurity. If you haven’t already, please take the time to congratulate him!

Well, that’s all for now. Feel free to comment below or send us a tweet @grecs if you feel like we left out a post that should have been included this week.

###

Speaking of bloggers… we’re currently looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, drop us a line, or send us a tweet @grecs.