Computer security links and searches







Latest virus and hoax information from Sophos Anti-Virus




General Security Links


Note - for convenience, links may be duplicated under more than one category. We try to ensure that only working links appear here; if you spot broken links, or would like to suggest additional links, please contact us.


  Whitepapers, etc. from Outback Software and business associates


  Security policy, architecture, management principles, coding standards


The foundation for security in any organization is security policy, a written set of standards and procedures that spell out what you are protecting and why, who's responsible, how it's done, and what the consequences are for violators. A well written security policy consists of several levels of documents; higher levels define the "what", lower levels define the "how" for each class of employee.

  • Sample security policy documents from SANS Institute.

  • Lists of policy resources from Ed Tittel, creator of the "Exam Cram" series of certification reviews: Security policy by example and More security policy by example.

  • The lowest level of security policy includes directives that must be translated to configurations on firewalls, password-protected hosts, etc. This is error-prone, and a significant burden on system administrators. The future may look like XACML (eXtensible Access Control Markup Language), a standard for low-level security policy definition from the OASIS consortium.


Other useful material for defining security at a high level:


  Legislation with security impact


Relevant legislation may place requirements on organizations and individuals, and should be explicitly addressed in security policies.

  • An overview of U.S. information security law from SecurityFocus: Part 1; Part 2.

  • HIPAA (the Health Insurance Portability and Accountability Act of 1996) provides mandates for the privacy and security of medical information in the U.S. The "final rule" was published in February 2003. The SANS Institute HIPAA Consensus Research Project has an excellent short summary.

  • Title V of the Gramm-Leach-Bliley Act (1999) regulates the privacy of customer information for U.S. banks.

  • The USA PATRIOT Act has many implications for security, privacy, and prosecution of computer crimes.

  • The Data Protection Act (1998) regulates the privacy of personal information in the U.K.


  The landscape of vulnerabilities and threats

  • The Twenty Most Critical Internet Security Vulnerabilities from SANS Institute. The SANS/FBI "Top Twenty" list represents an industry expert consensus on the vulnerabilities that must be addressed in every installation. Broken down into general, Unix, and Windows vulnerabilities.

  • The mission of The Honeynet Project is "To learn the tools, tactics, and motives of the blackhat community, and share those lessons learned". They do this by setting up networks and systems with default configurations, and monitoring the behavior of crackers attempting to break in. Their site has a wealth of information on vulnerabilities and how they are exploited.

  • DShield.org provides up-to-the-minute statistical profiles of where attacks are directed and where they're coming from. You can contribute your own information (firewall logs, etc.) to the DShield database. Internet Storm Center at Incidents.org also reports DShield information, along with alerts on new threats and other topical security information.

  • The Center For Internet Security (CIS) manages a consensus process for identifying security threats and developing Internet security benchmarks.


  Security advisories, general information, search engines

  • CERT Coordination Center at Carnegie-Mellon. (Originally "computer emergency response team," formed at Carnegie-Mellon's Software Engineering Institute by DARPA in 1988.) Security advisories, general security information, research, and security "best practices".

  • SANS Institute and the SANS Information Security Reading Room - in-depth security publications, whitepapers, news, information about SANS security conferences and training. Also from SANS: incidents.org offers breaking news, countermeasures, statistics, maps, etc., on intrusions and attacks; Critical Vulnerability Analysis is a weekly e-mail alert service for the most critical vulnerabilities.

  • Sophos, an anti-virus company, offers free subscriptions to e-mail virus alerts. The Anti-Virus Information Exchange Network is an early warning system for new viruses, offering discussion forums and e-mail alerts (requires payment of a fee to join). VMyths.com lists virus hoaxes and other misinformation on viruses.

  • InfoSysSec security information portal - News, alerts and advisories, links, product information.

  • searchSecurity - security-specific search engine, also has news, links, research, and information on security products and companies.

  • SecurityFocus - news, research, and advisories; access and searches on the BugTraq vulnerability list.

  • interrorem network security specialists - news, links, advisories.


  Certification and training

  • SANS Institute offers certifications ranging from the general SANS Security Essentials to specialized subject areas such as firewalls, intrusion detection, and forensics. They also offer training curricula corresponding to the certifications.

  • (ISC)2 (International Information Systems Security Certification Consortium) offers the CISSP (Certified Information Systems Security Professional). CISSP and the SANS certifications are the best-known in the field.


  Tools and technical stuff

  • A very good, detailed TCP/IP tutorial from IBM, available as HTML or PDF.

  • IP Spoofing: An Introduction overviews various forms of attack involving spoofing, as well as defense mechanisms.

  • Gibson Research offers several free tools for vulnerability testing, such as the popular ShieldsUP! Steve Gibson's fact and opinion pieces on various topics are sometimes cranky and eccentric, but always enlightening.

  • SamSpade.org - useful tools for finding information on specific domain names, URLs, IP addresses, etc., executable from your browser. Among other things, it will show you the actual HTTP being sent by a web site.

  • PC Pitstop offers a free online (browser-based) virus scan for Windows systems.

  • HackerWhacker offers a free online (browser-based) port scan.

  • BrowserSpy does an online test to determine and report on various things about your browser such as security settings, what plugins are installed, etc.

  • @stake - research, products, and information from the famous L0pht Heavy Industries group. They sell products such as LC4, the most recent release of the well-known L0phtCrack password cracker.

  • Computer Security and Cryptography links from Professor Michael Anshel (CCNY). Includes links to technical information and tutorials on cryptography and cryptanalysis, steganography, biometrics, etc.

  • A tutorial on digital forensics and anti-forensics from Phrack. Includes a description of "The Defiler's Toolkit", a hacker tool designed to defeat The Coroner's Toolkit, a widely-used forensics tool.


  Cracker tools and attacks


The bad guys already know about these, so we are doing no harm by publicizing them. It's important that the good guys study this information also, for a couple of reasons. First, because it is important to know what you're up against. Second, because there are many "cracker tools" whose primary purpose is to scan target systems for vulnerabilities. Clearly, these are useful to defenders as well as attackers. Note: The terms "hacker" and "hack" have positive as well as negative connotations. Thus we use the term "cracker" to designate hacking that is destructive and/or illegal.


  Books

  The links are to information on the books at Amazon.com:

  • Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. New York: John Wiley & Sons, Inc., 2001. A comprehensive introduction to the principles, practices, and technology of computer security. If you have only one book on security, this should be it.

  • Flannery, Sarah (with David Flannery). In Code: A Mathematical Journey. New York: Workman Publishing, 2001. This delightful book, written by a teenaged Irish mathematician who invented a new cryptographic algorithm, is an excellent, gentle introduction to the mathematics of modern cryptography. Among other things, it discusses the use of Mathematica in cryptography.

  • Gaines, Helen Fouché. Cryptanalysis: a Study of Ciphers and Their Solutions. New York: Dover Publications, 1956. Originally published in 1939, this is the standard text on solving "classic" substitution and transposition ciphers. Of interest mainly to puzzle fans, and those wanting a deeper technical understanding of the historical ciphers covered in Kahn's The Codebreakers.

  • The Honeynet Project. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. A collection of information from members of The Honeynet Project on how to build a "honeynet" intended to attract crackers, and an analysis (technical and psychological) of behavior they have observed. (Includes a CD-ROM with tools and supporting material.)

  • Jaworski, Jamie, and Paul J. Perrone. Java Security Handbook. Indianapolis: SAMS, 2000. A guide to designing and building a secure Java application, using the Java 2 security APIs.

  • Kahn, David. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. New York: Scribner, 1996. This volume (almost 1200 pages) is the most thorough treatment of the techniques and history of cryptology through the mid-1960s. The material on developments after the 60s, added in the second edition, is rather cursory. Excellent as a reference and for the fascinating historical material. Compare the book by Singh.

  • Singh, Simon. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. New York: Anchor Books, 1999. Covers much of the same ground as Kahn's The Codebreakers, but probably is preferable for most readers. This book is shorter (410 pages) and covers much less historical material, but it provides more technical depth on the mechanisms of cryptography and cryptanalysis. It is also more up to date than Kahn's book, with considerable material on public-key cryptography and quantum cryptosystems.

  • Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000. An excellent, very readable introduction to computer security and insecurity. Even experienced practitioners will find his insights worthwhile.

  • Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. New York: John Wiley & Sons, 1996. The ultimate reference (700+ pages) for those wanting a detailed, implementation-level understanding of modern cryptography. Those without a good background in finite mathematics will benefit from reading Flannery's In Code as an introduction.

  • Viega, John, and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Boston: Addison-Wesley, 2002. A detailed treatment of how to write secure code. Examples are in C, but can be readily applied to most other languages.