(Part 2) Reddit mentions: The best computer security & encryption books

Worthwhile sidebar: "anonymized" data is almost never actually anonymous. Sorry for the extensive quote, but it's really relevant here. From Bruce Schneier's excellent book, Data and Goliath:

> "Most techniques for anonymizing data don't work, and the data can be de-anonymized with surprisingly little information.

> "In 2006, AOL released three months of search data for 657,000 users: 20 million searches in all. The idea was that it would be useful for researchers; to protect people's identity, they replaced names with numbers. So, for example, Bruce Schneier might be 608429. They were surprised when researchers were able to attach names to numbers by correlating different items in individuals' search history.

> "In 2008, Netflix published 10 million movie rankings by 500,000 anonymized customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using at that time. Researchers were able to de-anonymize people by comparing rankings and time stamps with public rankings and time stamps in the Internet Movie Database.

> "These might seem like special cases, but correlation opportunities pop up more frequently than you might think. Someone with access to an anonymous data set of telephone records, for example, might partially de-anonymize it by correlating it with a catalog merchant's telephone order database. Or Amazon's online book reviews could be the key to partially de-anonymizing a database of credit card purchase details.

> "Using public anonymous data from the 1990 census, computer scientist Latanya Sweeney found that 87% of the population in the United States, 216 million of 248 million people, could likely be uniquely identified by their five-digit ZIP code combined with their gender and date of birth. For about half, just a city, town, or municipality name was sufficient. Other researchers reported similar results using 2000 census data.

> "Google, with its database of users' Internet searches, could de-anonymize a public database of Internet purchases, or zero in on searches of medical terms to de-anonymize a public health database. Merchants who maintain detailed customer and purchase information could use their data to partially de-anonymize any large search engine's search data. A data broker holding databases of several companies might be able to de-anonymize most of the records in those databases.

> "Researchers have been able to identify people from their anonymous DNA by comparing the data with information from genealogy sites and other sources. Even something like Alfred Kinsey's sex research data from the 1930s and 1940s isn't safe. Kinsey took great pains to preserve the anonymity of his subjects, but in 2013, researcher Raquel Hill was able to identify 97% of them.

> "It's counterintuitive, but it takes less data to uniquely identify us than we think. Even though we're all pretty typical, we're nonetheless distinctive. It turns out that if you eliminate the top 100 movies everyone watches, our movie-watching habits are all pretty individual. This is also true for our book-reading habits, our Internet-shopping habits, our telephone habits, and our web-searching habits. We can be uniquely identified by our relationships. It's quite obvious that you can be uniquely identified by your location data. With 24/7 location data from y our cell phone, your name can be uncovered without too much trouble. You don't even need all that data; 95% of Americans can be identified by name from just four time/date/location points.

> "The obvious countermeasures for this are, sadly, inadequate. Companies have anonymied data sets by removing some of the data, changing the time stamps, or inserting deliberate errors into the unique ID numbers they replaced names with. It turns out, though, that these sorts of tweaks only make de-anonymization slightly harder.

> "This is why regulation based on the concept of 'personally identifying information' doesn't work. PII is usually defined as a name, unique account number, and so on, and special rules apply to it. But PII is also about the amount of data; the more information someone has about you, even anonymous information, the easier it is for her to identify you."

So I would remove the first part of your explanation, and just go with "it's basically making what they are already doing/have been doing for who knows how long legal." It gives the government explicit permission to collect all your Internet activity and searches.

Based on some of your responses to other answers, it seems like you want to know a lot more about encryption than just the keys: TLS for instance is a protocol for initiating an encrypted session, and has little to do with your original question directly. Applied Cryptography is an excellent and authoritative source, but I’d also recommend the shorter, more concise “Cryptography ” from the Very Short Introduction series for beginners. But in short:

A symmetric key is a specific constant applied to a message with a encryption algorithm. Say we take the ASCII decimal value of each letter in the message “The Eagle has landed” => [84, 104, 101, 32, 69, 97, 103, 108, 101, 32, 104, 97, 115, 32, 108, 97, 110, 100, 101, 100]. The algorithm (we call it the cipher, here) is to multiply each character by “x” to encrypt the message; to decrypt the message we divide by “x”. In this case, the value of “x” is the key.

An asymmetric key is different in that it is a one-way operation. Here, “x” is broken into two parts, and where encryption takes place with one part, you need the other to decrypt. By encrypting the message, you make the message practically unrecoverable without the private key. This is effected in many encryption schemes by using a modulus, which is the operation such that “1 x n mod 3 = 1, 2 x n mod 3 = 2, and 3 x n mod 3 = 0”. The idea being, if counting an ordered set of numbers to whatever, every time you count up to the modulus value, wrap around again and continue from 0. One of the most basic asymmetric operations that works this way is using the modulus 33, where one part of the key is 3 and the other 7; let the public key be (33, 3) and the private key be (33, 7).

As before, we take the message and encrypt it with an algorithm. In this case however, our algorithm is the ascii value of the char to the power of the public key, modulo 33, or (where ‘c’ is the character value), c^3 mod 33. This gives us [24, 26, 8, 32, 27, 25, 31, 3, 8, 32, 26, 25, 4, 32, 3, 25, 11, 1, 8, 1] for the message. Notice that you can’t invert this algorithm — a modulus can’t be “reversed” by any means mathematically. What you can do though is apply the same algorithm with the other key, “7”, and this will result in the original. A short proof of this can be found here.

Since it’s the same operation, note that you can use either 3 or 7 as your public key — the choice of which is public and which is private is arbitrary.

When discussing protocols like TLS, this is instead specifying how to set up an encrypted channel for communication, which often involves an initial stage of passing messages using a combination of symmetric and asymmetric keys to establish a secure line of communication, with an initial, temporary key created on-the-fly for that particular session, and which is thrown away following each “block” of messages. Since this gets outside of your original question, I won’t go into it here.

It's alway sa asgood thing to see different per spectives on a given topic or strategy.

However, how do you see your offering as being different, more informative, etc., than the courseware the SANS.org offers on the topic...

https://www.sans.org/webcasts/purple-powershell-current-attack-strategies-defenses-109700

... or the Secure Code strategies that have been in play via the MS SDL (Secure Development Lifecycle) for the last couple of decades?

>About Microsoft SDL
>
>https://www.microsoft.com/en-us/securityengineering/sdl/about
>
>Microsoft Security Development Lifecycle (SDL)
>
>https://www.microsoft.com/en-us/securityengineering/sdl
>
>SDL Resource List
>
>https://www.microsoft.com/en-us/securityengineering/sdl/resources
>
>Writing Secure Code (Developer Best Practices) 2nd Edition, Kindle Edition
>
>https://www.amazon.com/Writing-Secure-Code-Developer-Practices-ebook/dp/B00JDMP718/ref=sr_1_2?keywords=secure+code&qid=1555311132&s=gateway&sr=8-2
>
>Secure By Design 1st Edition
>
>https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357/ref=sr_1_1?keywords=secure+code&qid=1555311132&s=gateway&sr=8-1
>
>SCFM: Secure Coding Field Manual: A Programmer's Guide to OWASP Top 10 and CWE/SANS Top 25
>
>https://www.amazon.com/SCFM-Secure-Coding-Manual-Programmers/dp/1508929572/ref=sr_1_4?keywords=secure+code&qid=1555311132&s=gateway&sr=8-4

Though there are particluars to a given language, and none of the above are PowerShell specific. The SDL thought, design and implemention relative to a give goal is the same.

Now, the real issue here is all the noise about PowerShell hacking and org leaders using that as the excuse to not allow PowerShell, without fully realizing that the use of PowerShell is a post exploit thing. The hacker got into your system another way, that was not properly defined, managed, protected, understood and or reacted to.

​

Also, there are whole websites and business offering conver Defensice PowerShell, and PowerShell forRed/Blue/Purple Teams.

Example:

https://devblogs.microsoft.com/powershell/defending-against-powershell-attacks/

http://www.defensivepowershell.com/

https://artofpwn.com/offensive-and-defensive-powershell-ii.html

https://adsecurity.org/?tag=powershell-defenses

https://devblogs.microsoft.com/powershell/powershell-security-at-derbycon/

https://nsfocusglobal.com/Attack-and-Defense-Around-PowerShell-Event-Logging

​

Learning how to attack with adn defend against, grants one greater edification on how they need to be thinking about writing and using PowerShell.

But good article. Looking forward to the rest.

The question is, will this renew Sec+. Also, keep in mind this does not replace OSCP. It's more of a Wireshark certification. The book will be released on June 5th.

Offical annoucement from Kali's blog



>Please Note: This is not a penetration testing course. This course is focused on teaching the student how to get the most out of the Kali Linux Penetration Testing Platform, not how to use the packaged tools in an offensive manner. Attending students will receive a signed copy of the “Kali Linux Revealed” book as well as a free voucher to sit the KLCP exam in a nearby Pearson VUE certification centre.


EDIT: I also want to put out there, that there are some great books to learn about Kali with already on the market and for fairly inexpensive.

Basic Security Testing with Kali Linux 2 and updated version released last year. I have read the first edition.

Packtpub also has a lot of Kali books, some are good, others are not.

Most of these books come in under $30 a piece. So great inexpensive resources to start learning.

I was going to study for it through the remainder of the year. From what I have read on forums the following holds:

1. The Green Book from (ISC)2
   
   
2. Security Engineering by Ross Anderson
   
   
3. Security Patterns in Practice by Eduardo Fernandez (really good security architecture book in general, not that it will get you through the ISSAP test)
   
   
4. Security Patterns: Integrating Security and Systems Engineering by Markus Schumacher (good overall philosophy of integrating security into systems, again not that it will get you through the ISSAP test)
   
   
5. Anything on Crypto - seems to be a lot of it in the exam
   
   
6. SABSA/SOMF Frameworks
   
   
7. NIST SP 800-30, 48, 64. You might want to skim the draft NIST SP 800-160 as well on security engineering
   
   
8. Re-review your CISSP documents like the Shaun Harris AIO
   
   I passed the ISSEP exam about a month ago (1023 in the US last count) and have not heard back from the folk at (ISC)2 yet - can't put in on my tag line until then. The ISSAP looked interesting given my background in Software Architecture and Design/Systems Engineering. So I will start studying for it in the next 6 months.

Given your background as a programmer, I would recommend starting with SQL exploits. You need to have at least a working knowledge in how programs and script work, and it gives you the framework for understand how to be clever with the existing code logic and how to think outside the box.

If that ends up being too easy or once you get a good handle on that, take a look at metasploit and the exploit database associated with that. Rather than just using the exploits, look at the code and get an idea of how the individual exploits work (which are all the same on the base level: using logic in a creative way the original programmers didn't think of or intend).

As for books, I recommend This One as a primer. It's not exactly up to date, but the theory is sound (giving you a solid foundation on how exploits are made and the thought process behind them).

I really like This One for learning metasploit and getting a further understanding of exploit scripts.

And I just love This Book in general. Once you take a look, you'll see why.

I completely disagree that the agency is "out of control and costing far more than its usefulness is worth."

We know that other countries spy on our government and corporations. We know that there's a huge number of criminal organizations looking to gain control of everyday people's computers. Imagine what would happen if someone with sinister motives was able to gain control of key infrastructure? It's no secret that computer security is far from perfect. There's a great book on computer security called Worm that goes into great detail to how governments don't take cyber security seriously. Turn on Windows XP without SP2 and see how quickly your computer is compromised. While I don't agree with CSEC spying on Canadians, I think arguing against their existence is ignorant.

Well said. I strongly encourage anyone even vaguely interested to read Bruce Schneier's latest book Data & Goliath which explores this.

GIAC GSE here and I had successfully pass 4-5 GIAC certification via self-study. I can relate your situation completely since I am exactly in the same situation as you 8 years ago.

​

Google up the course authors and buy their Amazon books. Countermeasure Art Active Defense is by John Strand and a course author/instructor for GCIH. The content may be different by underlying concepts is always the same. Buy those books that are written by people who had an affiliation with SANS in a way or another.

​

If books by SANS affiliated authors are not available, then get those books with high reviews that are related to the topic you are studying for.

​

https://www.amazon.com/Offensive-Countermeasures-Art-Active-Defense-ebook/dp/B00DQSQ7QY

https://www.amazon.com/gp/product/B01M3USWQ2/ref=dbs_a_def_rwt_bibl_vppi_i2

https://www.amazon.com/Cybersecurity-Incident-Response-Eradicate-Incidents/dp/1484238699

​

Once you are done with the books, indexed them and buy a practice test to test the book's contents against the exam. Google up any information that the books don't cover and print them out. If you can pass the practice test with those books, then you will do well to pass the exams with those books + google printouts on the actual exams.

Although "security through obscurity" by itself is not useful. The book Offensive Countermeasures: The Art of Active Defense by Strand, John; Asadoorian, Paul; Donnelly, Benjamin; Galbraith, Bryce; and Robish, Ethan argues effectively that security through obfuscation can be useful when combined with monitoring and detection.

For those of us who have been in Surveillance Studies and Security Studies, this is not surprise. If you want to get acquainted with surveillance topics and issues, I'd recommend anything written by Dr. David Lyon, a pioneer in this field. Gary T. Marx, Torin Monahan, Elias Zureik, David Murakami Wood are all good scholars in this field as well.

If you don't have time to check them all out, here is a book that gives the basics on surveillance: http://www.amazon.ca/Routledge-Handbook-Surveillance-Studies-Kirstie/dp/0415588839

I haven't read it before, but from the Amazon and Goodreads reviews, it looks like more of a history book with some intro to cod breaking math.

Textbooks and/or technical papers/tutorials would probably be a more useful intro to code breaking.

A book was recently released on Stuxnet, discussing the event and what it could mean for the future: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter.

I haven't gotten to it yet but it's received excellent reviews from just about everyone.

There are a ton of books out there documenting the whole cyberwar. The warhead theft was an unclassified presentation at a security conference and is well known in security circles. It's covered in the book.

Digital Forensic workbook is a great source for building foundational knowledge on many of the general computer forensic techniques. It covers info such as file system forensics, acquisition, software write blocking, registry analysis, email analysis, internet history analysis, recovering data in unallocated space, etc. Labs are included with the book so you can test the content learned against sample data.

Learning Malware Analysis Guides you through static analysis, dynamic analysis, using IDA pro, and other dismembers to determine the intent of malicious files.

Practical Malware Analysis

Wireshark Network Analysis

For anyone interested in a scientific data driven analysis of body language, check out Dr. Paul Ekman's research:

https://en.wikipedia.org/wiki/Paul_Ekman

And for practical application of this research, check out Chris Hadnagy's Unmasking the Social Engineer: The Human Element of Security:

http://www.amazon.com/Unmasking-Social-Engineer-Element-Security/dp/1118608577

Pretty good book on this topic, https://www.amazon.com/Data-Driven-Computer-Security-Defense-Should/dp/1549836536

It goes more into a philosophy on what to secure based on companies specific threats. Make a list of the top X threats your company is likely to face based on analytics / SIEM events / past breaches. Then order them based on importance / risk factor.

Don't forget Hadnagy's 2nd book, written with assistance from Paul Kelly and Dr. Paul Ekman
http://www.amazon.com/Unmasking-Social-Engineer-Element-Security/dp/1118608577

It's slightly shorter, and the focus is on body language and microexpressions, but I felt is was a good supplement to The Art of Human Hacking

Windows Forensics and Linux Forensics by Phil Polstra are 2 books about Forensics and IR that came out in 2015-2016. They go real in-depth about filesystems and teach you how to understand the parsing/processing and forensic analyses proces by creating your own python scripts instead of just running tools and rely on those. I can really recommend these books for starters.

https://www.amazon.com/Windows-Forensics-Dr-Philip-Polstra/dp/1535312432

https://www.amazon.com/Linux-Forensics-Philip-Polstra/dp/1515037630/ref=pd_sbs_14_t_2?_encoding=UTF8&psc=1&refRID=ZZV0H8ZCEWQDX1HNX8TW

William F. Friedman wrote 3 books on crypto that the NSA has declassified. These should be quite valuable to you:

• Volume 1
  
  
• Volume 2
  
  
• Volume 3
  
  EDIT: Check out Military Cryptanalytics too.

It is worth pointing out that at last a few of the "modules" talked about were lifted from actual black market malware. Both the p2p updating function and the ability to "ride" on USB and other media come from the conficker worm.

http://www.amazon.com/Worm-First-Digital-World-War/dp/0802119832

Follow the link for short answer, to quench your curiosity read the book Count Down to Zero Day by Kim Zetters, which is an in-dept account of Stuxnet and how it was carried out, I can guarantee it will knock your socks off!!

http://www.darkreading.com/vulnerabilities-and-threats/so-you-want-to-be-a-zero-day-exploit-millionaire/d/d-id/1101256?

http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/

http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X

Worm: The first Digital World War . It's new and badass.

It did something more clever than just that, it spun up the centrifuges in 'waves' so that they would fail at a slightly increased rate, but unlikely to be noticed in a daily operations manner.

Countdown to Zero Day is a great read on it.

Unfortunately, there was blood spilled (although it could be argued as a multi-prong approach to neutralize the nuclear capabilities, this may be considered separate from stuxnet).

This is probably the book by John Strand you mentioned: Offensive Countermeasures

Do you have a link to the Stuxnet article?

Edit: Are you referring to this book?

Check out both of these:

https://www.amazon.com/Windows-Forensics-Dr-Philip-Polstra/dp/1535312432/ref=pd_bxgy_14_2?_encoding=UTF8&psc=1&refRID=VQSKGZQB96FGFCZ6RDP6

https://www.amazon.com/Linux-Forensics-Philip-Polstra/dp/1515037630/ref=pd_sim_14_1?_encoding=UTF8&psc=1&refRID=2W8ANWN11ZRKGCDPZ1EQ

Worm: The First Digital World War?

Read this.

Also if you find a flash drive on the ground somewhere, don't claim it as your own. It's not like finding candy on the ground (that stuff is usually fine).

Die zwarte markt bestaat al decennia, er is een mooi boek over geschreven waar ondermeer uit blijkt hoe dat wereldje al lange lange tijd bestaat een werkt.

Countdown to Zerodays

Daarnaast is de wens van de overheid begrijpelijk (zij moeten een veilig bestaan voor hun burgers garanderen, en met de terroristische dreiging, is dat heel moeilijk. en is dit een voor de hand liggende wens (want dat konden ze altijd al)

Echter is de volgende vorm van versleuteling onbreekbaar. Zodra deze gebroken is, verandert het bericht en heeft de ontvanger het direct door. het heet quantum encryptie.
De geschiedenis van encryptie, van het begin in Egypte mede langs kraken van de Duitste enigma machine in WOII, eindigend bij quantum encryptie is erg leuk beschreven in:

The Code Book

Here's a short reading list I created yesterday about protecting your privacy:

Darknet: A Beginner's Guide to Staying Anonymous

How to Disappear: Erase Your Digital Footprint, Leave False Trails, And Vanish Without A Trace

Obfuscation: A User's Guide for Privacy and Protest

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Complete Guide to Internet Privacy, Anonymity & Security

Tor and the Dark Art of Anonymity: How to Be Invisible from NSA Spying

I know

The point is, you were called on a bad example. Instead of graciously accepting bad example you went 'wah wah wah there are other ways.' You're not wrong but failing to acknowledge valid criticisim of your point is poor form.