iPhone security

• Exploiting the iPhone, Independent Security Evaluators web site

General Computer Security Awareness

• Books
  • Security Engineering - The (online) Book, by Ross Anderson, John Wiley and Sons, 2001, ISBN 0-471-38922-6
• Inadequate/improper destruction of data is a HUGE problem!
  • Dangers of second-hand PC market: Thousands of PCs end up in second hand markets around the world. Bank account details of potentially thousands of Britons are being sold in West Africa for less than £20 each, BBC One, August 14, 2006
  • Dead disks yield live information: Identity thieves are gleaning personal information from scrapped computers, by Peter Warren, The Guardian, August 10, 2006
  • Disk drive researchers turn up IDs, child porn: Old hard drives handed to police, by Mark Ballard, The Register, August 15, 2006
  • Hard disks still scrapped with data intact, by John E. Dunn, Techworld, August 10, 2006
  • Wipe your iPod before selling it, RIAA warns, by Tony Smith, The Register, February 13, 2006
  • I just bought your hard drive, by Bob Sullivan, MSNBC, June 5, 2006
  • Remembrance of Data Passed: A Study of Disk Sanitization Practices, by Simson L. Garfinkel and Abhi Shelat, Massachusetts Institute of Technology, IEEE Security & Privacy, 2003
• Evans: 'People are losing data', bY Matthew Weigelt, FCW.com, November 2, 2006
• CERT/CC's Virtual Training Environment
• EDUCAUSE Security Task Force Computer Security Awareness Video Contest (These are great!)

• EDUCAUSE | Security Task Force | Data Incident Notification Toolkit
• Internet2 Effective Security Practices Guide
• Internet Threats: Spyware and Phishing Scams, The University of Missouri-Columbia Information & Access Technology Services

News items of interest

• The TJX intrusion - Largest data theft in U.S. history
  • TJX agrees to reimburse banks, by Ross Kerber, The Boston Globe, December 1, 2007
  • TJX e-mails tell the tale, by Donna Goodison, The Boston Herald, November 28, 2007
  • Authorities hope arrest of Ukraine man leads to TJX orchestrator, by Dan Kaplan, August 21, 2007
  • Report: TJX breach began in Minnesota Marshalls parking lot, by Dan Kaplan, SC Magazine, May 4, 2007
  • Breach of data at TJX is called the biggest ever: Stolen numbers put at 45 .7 million, by Jenn Abelson, The Boston Globe, March 29, 2007
  • Store IDs led to arrests: Data taken from TJX was used to buy gift cards, by Ross Kerber, The Boston Globe, March 29, 2007
• Russian Roulette, by Art Janke, CSOonline.com, February 2005
• A Quiet Time Bomb: The Vulnerability of U.S. Supercomputers, by Lewis Koch, Raw Story, May 11, 2004 (Many NSF sponsored supercomputer sites, major research universities, and national labs compromised by intruders over several month period.)
• Alarm growing over bot software, by Robert Lemos, CNET News.com, April 30, 2004 ("Bot nets", or "blended threats" as AusCERT refers to them, are affecting millions of PCs worldwide. Tens of thousands at a time are used for distributed denial of service attacks and extortion attempts, as well as unblockable spam delivery, theft of credit card numbers, passwords, and software product keys.)
• Worm worries grow with release of Windows hacks, by Robert Lemos, CNET News.com, April 28, 2004 (Microsoft reports 9.5 million PCs infected by MS Blaster)

Interesting reading about hacker culture, sociology, attacks, etc.

• Stalking the Wily Hacker, by Cliff Stoll, Communications of the ACM, Vol. 31, No 5, May 1988
• The Hacker Crackdown, by Bruce Sterling
• Hackers: Crime in the Digital Sublime, by Dr. Paul Taylor, Routledge, 1999, July 2000
• @ Large: The Strange Case of the World's Biggest Internet Invasion, by Charles C. Mann & David H. Freedman, (Simon & Schuster Trade, 0-684-82464-7) ["U.S. News 06/02/97: Adaptations from ``At Large," a cracker's escapades"]
• Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, by Suelette Dreyfus (Mandarin [Reed Books Australia], ISBN 1-86330-595-5)
• Masters of Deception: The Gang that Ruled Cyberspace, by Michelle Slatalla and Joshua Quittner, (HarperPerennial, ISBN 0-06-017030-1)
• The Fugitive Game, by Jonathan Littman (Little, Brown & Company, ISBN 0-316-52858-7)
• An Analysis Of Security Incidents On The Internet: 1989 - 1995, by John D. Howard, April 7, 1997
• Vipers In the Sandbox -- Used to Be, the Internet Was a Safe Place to Play
• Remembering the Net crash of '88 - Cornell student KO'd fledgling Internet with replicating 'worm' (MSNBC)
• Phrack magazine has some articles of interest. An index of philes from issues 1-50 can be found in Phrack 51-14. (See also: their Links We Dig: Hacker Related Links)
• Richard Thieme's Hacking Culture and the Passion for Knowledge
• 27/03/99 - NZ link as FBI acts against teenage hackers
• Jenott cleared of spying -- Guilty of lesser charges, GI gets 3 years
• FBI mounts big crackdown on small-town teens (ZDNN)
• Israeli nabbed in Pentagon hack (CNET News.com)
• Hackers attack NASA, Navy... and the UW! (CNET News.com)
• DOJ charges youth in hack attacks (CNET News.com)
• Hackers "claim" Pentagon attack (CNET News.com)
• Computer security problems growing (CNET News.com)
• A huge slew of news stories are found on my DDoS web page, and don't forget to check out our book on DDoS

International Standards

• ISO 27001

Security Vulnerabilities

• Vulnerability Disclosure Framework, Final Report and Recommendations to the National Infrastructure Advisory Council, January 13, 2004
• Open Source Vulnerability Database
• Software Vulnerability Analysis
• Common Vulnerabilities and Exposures Impact Statement (.pdf)
• Vulnerability Assessment Framework 1.1 (.pdf)
• INFILSEC's vulnerabilities database
• RFPolicy 2.0 by Rain Forest Puppy
• Nessus (vulnerability auditing tool)

Security Tools

• The Ethical Hacker Network
• Backtrack 2 w/Metasploit 3 Framework in a VMware Virtual Appliance
• Firewall Knock Operator (single-packet encrypted port knocker)
• SnortSam (Snort plug-in that allows for automated blocking of IP addresses)
• SecuriTeam.com (Archive) Tools
• E-SECURE-DB IT Security Information DATABASE
• stunnel.org (tunnel anything over SSL pipe)
• SSH
  • New features in Secure Shell Version 2.2
  • dsniff and SSH: Reports of My Demise are Greatly Exaggerated, by Richard E. Silverman
  • CygWin and OpenSSH on Windows
  • Getting OpenSSH to work with ssh.com and itself, University of Texas
  • SSH Public-Private Keys, by Ian Wells, December 27, 2003
  • KDE KMail: Secure Email Through SSH Tunneling, by Mike Pilone
  • Tunneling Explained, ssh.com
  • SSH Tunneling part 1 - Local Forwarding, Hacking Linux Exposed
• dsniff
• whisker (web server vulnerability scanner)
• Nessus (vulnerability auditing tool)
• Ramenfind (Identification and cleanup tool for the Linux "Ramen" worm.)
• ftp://ftp.psy.uq.oz.au/pub/Crypto (DES and SSL)
• Improved whois client
• Domain Name Whois (dnw)
• IP Whois (ipw)
• Sam Spade Tools (online tools)
• Trinux
• immunix.org
• nmrcOS
• nmap
  • nmap version scanning
  • Using the 'grepable' or 'machine' output option
  • Overview of using nmap for scanning by Lamont Granquist
  • Decoy scanning by Max Vision
• hunt (TCP session hijacking tool)
• RFC 1470: Tools for Monitoring and Debugging TCP/IP Internets and Interconnected Devices
• Cryptographic File System (CFS)

Philes/Archives/News

• An Introduction to the Computer Underground, by The Butler, February 26, 1991
• The Computer Security History Project Home Page [GREAT collection of unpublished seminal papers in computer security]
• Zone-h (Archives web page defacements, etc.)
• k-otik (French security site w/exploits, advisories, etc.)
• Packet Storm Security
• attrition.org
• Neophapsis archives
• LinuxSecurity.com
• THC (The Hacker's Collective)
• Black Sun Research Facility Tutorials
• Vampi's alt.hackers.malicious graveyard (alternate link)
• Markus Hübner's Security and Hackerscene page
• Hacking Kit v2.0.b March/97 by Invisible Evil

Interesting security-related news articles

• Romania Emerges As Nexus of Cybercrime, by William J. Kole, Associated Press Writer, October 19, 2003
• The MPAA and RIAA in the news
  • The "University Toolkit"
    • MPAA University 'Toolkit' Raises Privacy Concerns, by Brian Krebs, Washington Post "Security Fix" blog, November 23, 2007
    • Examining the MPAA University Toolkit, Richard Bejtlich Tao Security blog posting, November 23, 2007
    • MPAA Forced To Take Down University Toolkit, Slashdot post, December 3, 2007

Interesting Security Research

• Towards a Taxonomy of Information Assurance, by Abe Usher
• D-WARD Project (DDoS Network Attack Recognition and Defense), UCLA
• Computer Immune Systems research an University of New Mexico
• The Counter-Group
• Detecting Stepping Stones, by Yin Zhang and Vern Paxson
• DHCP analysis
  • Next Generation DHCP Deployments, by Dave Hull and George F. Willard III, www.SysAdmin.com (Kansas University Scholarlink reference w/source code)
  • dhcprint utility, by Frank Sweetser, wpi.edu
  • (See also: PacketFence)

Secure Hardware

• 'Trusted Computing' Frequently Asked Questions - TC / TCG / LaGrande / NGSCB / Longhorn / Palladium / TCPA, by Ross Anderson, Version 1.1 (August 2003)

Analysis

• The Internet Auditing Project

TCP/IP vulnerabilities, exploits, coding, etc.

• Uri's TCP/IP Resources List: FAQs, tutorials, guides, web pages & sites, and books about TCP/IP, By Uri Raz
• Rootshell
• New Stuff (a Romanian hacker's exploit collection)
• Playing redir games with ARP and ICMP
• Solaris Kernel Tuning for Security, by Ido Dubrawsky
• A Short Overview of IP spoofing: PART I
• Simple Active Attack Against TCP
• An Advanced 4.3 BSD Interprocess Communication Tutorial

Linux Security

• Tinfoil Hat Linux ;)
• Linux BRIDGE-STP-HOWTO: About The Linux Modular Bridge And STP, by Uwe Böhme
• Linux Router Project (Documents)
• Linux FreeS/WAN project
• Linux Administrators Security Guide (LASG) by Kurt Seifried
• Bastille Linux Project (hardening scripts for five Linux distributions, HP-UX and Mac OS X)
• Linux Security HOWTO
• The Linux Security Audit Project is trying to harden Linux
• Securing Linux, Part 1: Elementary security for your Linux box, LinuxWorld article
• Encrypting your Disks with Linux
• Wim's BIOS Page: Everything you want to know about BIOS
• Linux Partition HOWTO at LinuxPlanet.com
• EXT3 File System mini-HOWTO
• Linux Filesystems HOWTO

Governmental activity on cybercrime, Information Assurance, etc.

• Standing Guard Over Cyberspace: A new U.S. program trains students in computer security, in exchange for government service, by David Kushner, IEEE Spectrum (republished by the Center for Information Security)
• Information Assurance Support Environment (IASE) Policy and Guidance
• US Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Computer Intrusion Cases
• S. 1993 - Government Information Security Act of 1999
• ASSURING SECURITY AND TRUST IN CYBERSPACE, White House Chief of Staff John Podesta, July 17, 2000
• Draft Convention on Cyber-Crime, Council of Europe (See also Cybercrime Solution Has Bugs, by Declan McCullagh, Wired News, May. 3, 2000)
• FBI Carnivore Sucks E-Mail Millions (from cryptome.org)
• ACLU and Corn-Revere Target FBI Carnivore (from cryptome.org)
• Activities of the Governmental Affairs Committee on Government Information Security, 1995-1999
• Kevin Mitnik testimony to U.S. Senate, March 2, 2000
• President Clinton's proposed National Plan for Information Systems Protection, January 2000
• REPORT SUMMARY of The President's Commission on Critical Infrastructure Protection

General Accounting Office reports

• GAO-07-65 -- INFORMATION SECURITY: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing, October, 2006
• GAO-06-811 -- INFORMATION SECURITY: Coordination of Federal Cyber Security Research and Development, September, 2006
• GAO-05-231 -- INFORMATION SECURITY: Emerging Cybersecurity Issues Threaten Federal Information Systems, May 13, 2005
• GAO-05-482 -- INFORMATION SECURITY: Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data, April 15, 2005
• GAO-05-567T -- Information Security: Department of Homeland Security Faces Challenges in Fulfilling Statutory Requirements, by Gregory C. Wilshusen, director, information security, before the Subcommittee on Management, Integration, and Oversight, House Committee on Homeland Security, April 14, 2005
• GAO-04-699T -- CRITICAL INFRASTRUCTURE PROTECTION: Establishing Effective Information Sharing with Infrastructure Sectors, testimony by Robert F. Dacey, Director, Information Security, before a joint hearing of the Subcommittee on Infrastructure and Border Security and the Subcommittee on Cybersecurity, Science, and Research and Development, House Select Committee on Homeland Security, April 21, 2004
• GAO-04-628T --CRITICAL INFRASTRUCTURE PROTECTION: Challenges and Efforts to Secure Control Systems, testimony by Robert F. Dacey, director, Information Security, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform, March 30, 2004
• GAO-04-354 -- CRITICAL INFRASTRUCTURE PROTECTION: Challenges and Efforts to Secure Systems, March 15, 2004
• GAO-01-208t -- HOMELAND SECURITY: A Risk Management Approach Can Guide Preparedness Efforts
• GAO-04-140T -- CRITICAL INFRASTRUCTURE PROTECTION: Challenges in Securing Control Systems,October 1, 2003
• GAO-01-323 -- CRITICAL INFRASTRUCTURE PROTECTION: Significant Challenges in Developing National Capabilities, April 25, 2001
• GAO/T-AIMD-00-229 -- CRITICAL INFRASTRUCTURE PROTECTION: Comments on the Proposed Cyber Security Information Act of 2000, June 22, 2000
• GAO/T-AIMD-181 -- CRITICAL INFRASTRUCTURE PROTECTION: "ILOVEYOU" Computer Virus Highlights Need for Improved Alert and Coordination Capabilities, May 18, 2000
• GAO/T-AIMD-171 -- INFORMATION SECURITY: "ILOVEYOU" Computer Virus Emphasizes Critical Need for Agency and Governmentwide Improvements, May 10, 2000
• GAO/T-AIMD-00-7 -- CRITICAL INFRASTRUCTURE PROTECTION: Fundamental Improvements Needed to Assure Security of Federal Operations, October 6, 1999
• GAO/T-AIMD-99-223 -- INFORMATION SECURITY: Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management, June 24, 1999
• GAO/AIMD-99-47 -- INFORMATION SECURITY: Many NASA Mission-Critical Systems Face Serious Risk, May 1999
• GAO/AIMD-98-145 -- COMPUTER SECURITY: Pervasive, Serious Weaknesses Jeopardize State Department Operations, May 1998
• GAO/AIMD-98-155 -- AIR TRAFFIC CONTROL: Weak Computer Security Practices Jeopardize Flight Safety, May 1998
• GAO/T-AIMD-98-170 -- INFORMATION SECURITY: Serious Weaknesses Put State Department and FAA Operations at Risk, May 1998
• GAO/AIMD-98-68 -- EXECUTIVE GUIDE: Information Security Management -- Learning From Leading Organizations, May 1998
• GAO/HR-97-1 -- HIGH RISK SERIES: An Overview, February 1997
• GAO/HR-97-9 -- HIGH RISK SERIES: Information Management and Technology, February 1997

Department of Defense publications

• Rainbow Series Library
• DISA's Security Technical Implementation Guides (STIGs)
• NSA's security recommendation guides

NIST Computer Security Standards, Checklists, and Special Publications

• NIST Computer Security Resource Center home page
• Special Publication 800-61: Computer Security Incident Handling Guide, January 2004 (PDF)
• Draft NIST Special Publication 800-86: Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response, August 11, 2005 (PDF)
• Recommended Security Controls for Federal Information Systems, Revision 2, December, 2007 (PDF)
• Computer Security Resource Center Practices & Checklists / Security Guides
• Special Publication 800-30 -- Risk Management Guide for Information Technology Systems (PDF)
• DRAFT Special Publication 800-40 -- Procedures for Handling Security Patches (PDF)
• DRAFT Special Publication 800-45 -- Guidelines on Electronic Mail Security (PDF)
• The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments (.pdf)Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, National Security Agency
• NIST 800-18 -- Guide for Developing Security Plans for Information Technology Systems, December 1998
• NIST 800-10 -- Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. [PDF format]
• NIST 800-12 -- An Introduction to Computer Security: The NIST Handbook, October 1995
• NIST 800-14 -- Generally Accepted Principles and Practices for Securing Information Technology Systems, June 1996 [PDF format]
• NIST DRAFT Special Publication Internet Security Policy: A Technical Guide

Risk Management

• Security Guidelines for the Electricity Sector: Cyber Risk ManagementNorth American Electric Reliability Council, June 14, 2002
• Special Publication 800-30: Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology (NIST) (PDF file)
• GAO-01-208t HOMELAND SECURITY: A Risk Management Approach Can Guide Preparedness Efforts (PDF)
• Information security is information risk management
• Risk Taking: Time for a Comeback, by Rob Preston, September 18, 2003
• AON Risk Management/Information Security Tips
• Chapter 3: Understanding the Security Risk Management Discipline, Microsoft TechNet

Security Policy/Incident Response

• CSIRT Case Classification (Example for Enterprise CSIRT), by Dustin Schieber and Gavin Reid (Cisco Systems) and Ivo Peixinho (CAIS/RNP)
• RFPolicy 2.0 by Rain Forest Puppy
• Best Practices RFCs
  • RFC2196, Site Security Handbook
  • RFC2350, Expectations for Computer Security Incident Response
  • RFC2504, Users' Security Handbook
• (See NIST 800-30)
• (See NIST 800-18)
• (See NIST 800-14)
• (See NIST 800-12)
• (See NIST 800-xx)
• A Framework for Incident Response, Information Security Team, DePaul University, December 13, 2002
• Harvard University's Information Security Handbook
• Handbook for Computer Security Incident Response Teams (CSIRTs), Moira J. West-Brown, Don Stikvort, and Klaus-Peter Kossakowski
• Forming an Incident Response Team, Danny Smith

Secure Email

• GNU Privacy Guard (GPG)
• The GNU Privacy Handbook
• GPG Keysigning Party HOWTO
• Integrating Pine with PGP/GPG
  • Topal: GPG and Pine integration
  • UNIX: Using PGP with Pine, University of Maryland OIT
  • pgpenvelope (Pine & PGP/GPG integration tool)
  • The latest version of gpg4pine looks likes its someplace in the linuxdoc.org CVS tree
• Implementing Privacy Using GnuPG on Linux, by sinister (at) computertorture.com (See notes on passphrase selection)
• MIT's PGP Freeware site
• PGPi's PGP Tools, shells, and plugins page
• Moving from PGP to GnuPG
• Attack on Private Signature Keys, by Vlastimil Klíma and Tomáš Ro(PDF)

Secure Programming

• How to Write Secure Code, by the Shmoo Group
• The World Wide Web Security FAQ
• Writing Secure SUID Programs by Matt Bishop
• Secure Programming for Linux and Unix HOWTO, by David A. Wheeler
• Designing secure software -- SunWorld, April 1998
• Security Code Review Guidelines by Adam Shostack
• Writing More Secure CGI Scripts, by Les Cottrell

Miscellaneous Security related pages

• An introduction to the Internet and Internet Security.
• http://www.alw.nih.gov/Security/security-docs.html
• You can't think of any ways to make money off security holes? DigiCrime, Inc. has! ;)
• Dan Farmer's survey of (in)security of Web sites
• The National Info-Sec Technical Baseline (draft)
• UNIX Review - Security Loopholes
• Back issues of SunWorld Online's Security column
• USENIX - Security Web Sites
• Computer Security Canada, Inc.
• INFO SECURITY NEWS magazine
• CIAC-2318_IRC_On_Your_Dime.pdf
• TrustedBSD Project (Orange book B1 enhancements to FreeBSD)
• The Solaris Security FAQ at www.SunWorld.com
• Centralized System Monitoring With Swatch, by Stephen E. Hansen and E. Todd Atkins, Stanford University (LISA '93 presentation)
• SecWiz Security Guides
• Bill Wall's list of hacker incidents
• 2nd Annual Global Information Security Survey, Ernst & Young, LLP
• 2000 Computer Crime and Security Survey, Computer Security Institute (CSI)
• An Analysis Of Security Incidents On The Internet: 1989 - 1995, by John D. Howard, April 7, 1997
• The BlackHat Briefings and DEFCON
• The OpenBSD Project produces a very secure (out of the box) version of Unix
• Fred Cohen & Associates essays and articles
• Kerberos: The Network Authentication Protocol

Readings for Critical Infrastructure "Cyberterrorism" course

• The Rise of Complex Terrorism, by Thomas Homer-Dixon, Petroleum World, April 4, 2004
• Presidential Decision Directive 63 (.pdf)
• Critical Infrastructures
• Whitepaper on the IT-ISAC
• Critical Infrastructures: What Makes an Infrastructure Critical? (.pdf)
• The National Strategy for Homeland Security (July 2002)
• National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (.pdf)
• National Strategy to Secure Cyberspace (.pdf)
• Practices For Securing Critical Information Assets
• Legal Issues White Paper
• President's Commission on Critical Infrastructure Protection documents list

• Social engineering: examples and countermeasures from the real-world, by Anonymous
• Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger
• The Use of Social Engineering as a Means of Violating Computer Systems, by Malcolm Allen, October 12, 2001
• Hoax email goads users into deleting harmless files by Matt Loney, May 30, 2001
• "Social Engineering" just a new twist on an old con game
• Social Engineering: Policies and Education a Must, by Rick Tims, February 16, 2001
• Social Engineering: What is it, why is so little said about it and what can be done?, by John Palumbo, July 26, 2000
• People Hacking: The Psychology of Social Engineering, text of Harl's talk at Access All Areas III, May 7, 1997
• VMYTHS: Truth about computer security hysteria

Password crackers and dictionaries

• Phenoelit Default Password List
• Packetstorm Security's password crackers and wordlists
• AntiServer Password Crackers Download Area
• Geodsoft Good and Bad Passwords How-To
• elitesys wordlist library
• ftp://ftp.ox.ac.uk/pub/wordlists/
• The OpenWall wordlist CD
• Securing Password Against Dictionary Attack, by Benny Pinkas and Tomas Sander