Links

Security Organizations

• US-CERT National Cyber Alert System
• SANS Institute, with compilations of recent security threats, Global Incident Analysis Center (GIAC), GIAC training, and Reading Room
• InfraGard (Vermont InfraGard)
• CERT Security Improvement Modules, including general information on firewalls and intrusion detectors.
• International Computer Security Association (ICSA); excellent set of papers on firewalls, viruses, e-commerce, etc.
• Computer Security Institute (Source of the annual "CSI/FBI Computer Crime and Security Survey")
• The Center for Internet Security
  

Information Security Status Sites

• Computer Network Defence Operational Picture
• MS-ISAC Operations Center
• Internet Storm Center at www.incidents.org
• Distributed Intrusion Detection System, DShield.org
• TERRORISM REPORTS: Global Incident Map Displaying Terrorist Acts, Suspicious Activity, and General Terrorism News | MIPT Terrorism Knowledge Base

Security Information Sites

• Talisker Security Wizardry Portal
• Box Network's New Order computer & network security portal
• The NAVY INFOSEC WebSite: "Dedicated to the Defense and Protection of all United States Navy Information Systems, Afloat and Ashore."
• securitywatch.com
• AntiOnline (Good starting point)
• NSI Security Resource Net
• DigiCrime
• SecureZone, the "ultimate" computer security resource
• AntiSearch's Information Security Related Sites
• Security & encryption links from Yahoo!
• Hideaway.Net - Internet Security Portal
• Security Benchmark (Comprehensive Information Security Resources)
• INFOSYSSEC: The Security Portal for Information System Security Professionals
• Infosec Writers
• EDUCAUSE/Internet2 Computer and Network Security Task Force (including security videos)
• Stupid Security: Exposing Fake Security Since 2003
  

General Information/Overviews

• INFOSEC Zeitgeist: The emergence of trends and patterns in the security community (A. Usher)
• SANS Top Twenty and Tool Announcements
• NIST Computer Security Resource Center (CSRC) publications page
• Automated Security Self-Evaluation Tool (ASSET)
• Return On Investment (ROI) Calculator
• Abstract: Shall We Dust Moscow?, Dan Farmer's "Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections"
• "Considerations for LAN and Internet Security" (GCK & C.A. Monaghan)
• Marcus Ranum's security papers including Taxonomy of Internet Attacks, firewalls FAQ, presentations...
• Security glossaries: RFC 2828/FYI 36: Internet Security Glossary | Slade's "Glossary of Communications, Computer, Data, and Information Security Terms" (mirror) | Glossary of Computer Security Terms (Nemesys Computer Consultants)
• Fred Cohen & Associates security-related games/simulations
• Slashdot: News for nerds, stuff that matters
• www.ComputerBytesMan.com
• MPRM Group Ltd. — Information Technology Security Agency
• Security glossary online: Victoria TelecommunityNet | Northern Illinois University
• Training material: 14-part introductory security course (M. Burgess; English & Norwegian) | Course material from Mich Kabay | DoD Information Assurance Training and Awareness program
• Sun Tzu's "The Art of War": The Oldest Military Treatise in the World" (Everyone in infosec and infoware quotes Sun Tzu; here's the text)
• "Information Security Education Resources for Professional Development" (M. Kabay)
• Information security course material (Purdue's Center for Education and Research in Information Assurance and Security & Symantec Corp.)

General Information Databases

• NIST/DHS National Vulnerability Database, provides an index to vulnerabilities by vendor and software product
• Mitre's Common Vulnerabilities and Exposures dictionary
• NIST Threats-and-Countermeasures Database
• NIST Toolbox for constructing security specifications
• CERIAS Workshop on Security Vulnerability Databases
• NIST Workshop on Databases of Threats and Countermeasures
• INFOSEC Year in Review (M. Kabay)

Security Criteria

• Rainbow Book Series [ NIST | National Computer Security Center (NCSC) | INFOSYSSEC]
• DoD Orange Book
• NIST's "Common Criteria for IT Security Evaluation (CC)" page

Security Incident Response Teams

• Australian Computer Emergency Response Team (AUSCERT)
• CERT Coordination Center
• Defense Information Systems Agency (DISA) Center for Automated System Security Incident Support Team (ASSIST)
• Dept. of Energy Computer Incident Advisory Capability (CIAC)
• European CERTs list
• Federal Computer Incident Response Capability (FedCIRC)
• Forum of Incident Response and Security Teams (FIRST)
• German Research Network Computer Emergency Response Team (DFN-CERT)
• NASA Incident Response Center (NASIRC)
• National Institute for Standards and Technology (NIST) Computer Security Resource & Response Center (CSRC), security, virus info, VIRUS-L archive "How to Develop and Implement a CIRT"

Information Warfare

• InfoWar.Com, with tons of info plus archives of Happy Hacker, Phrack, and more...
• IWS - The Information Warfare Site
• HOMELAND SECURITY: (U.S.) Department of Homeland Security | White House Homeland Security page (Homeland Security Reorganization Plan) | The ANSER Institute For Homeland Security (Journal of Homeland Security)
• PAPERS: Trojan Dragon: China’s Cyber Threat (Tkacik, 2008) | "Cyber Attacks During the War on Terrorism: A Predictive Analysis" (ISTS, Dartmouth, 2001) | Countering the New Terrorism (Lesser, Hoffman, Arquilla, Ronfeldt, Zanini, & Jenkins, 1999) | In Athena's Camp: Preparing for Conflict in the Information Age (Arquilla & Ronfeldt, ed., 1997; PDF files) | "Cyber-terrorism: The Shape of Future Conflict?" (Rathmell, 1997) | "Cyberwar and Netwar: New Modes, Old Concepts, of Conflict" (Arquilla & Ronfeldt, 1993) | "Information Age Warfare Must Enlist Civilian Partnerships" (Campen, SIGNAL, 1999) | "Information Warfare: A Two-Edged Sword" (RAND Corp., 1995)
• TERROR WATCH: internet haganah (defense) | Homeland Security Policy Institute Group

Some Vendors' Security Bulletins

• Berkeley Software Design, Inc. (BSDI)
• Cable & Wireless Security Engineering
• Caldera Systems Linux
• Compaq
• Cisco Systems Security Technical Tips and Internet Security Advisories
• Debian Linux
• The FreeBSD Project
• ISS X-Force
• Microsoft security bulletins
• Novell
• The Open BSD Project
• Red Hat Linux
• Santa Cruz Operation (SCO)
• Silicon Graphics (SGI)
• Sun Microsystems

Security News and Journals

• Access Controls and Security Systems
• ACM RISKS DIGEST
• ACM Transactions on Information and Systems Security (TISSEC)
• American Society for Industrial Security (ASIS)
• Hacker's Digest
• Information Security Magazine
• Internet Security Review
• Journal of Computer Security
• The Security Journal
• Security Magazine
• SecurityFocus.com

Security newslists/e-periodicals

• SANS Security Digests
• secedu (Security Education)
• CERT/CC Advisories
• InfoSec News
• Network World Fusion Security e-zine (Mich Kabay)
• Net-Sec newsletter
• NewsScan Daily: text version | HTML version
• POLITECH — Declan McCullagh's politics and technology mailing list
• RISKS newsletter
• SearchSecurity Daily News
• Secure Business Quarterly
• SecurityPortal's Weekly Newsletter
• Dartmouth's Institute for Security Technology Studies (ISTS) "Security in the News"
• Crypto-Gram (Counterpane Internet Security)
• Vulnwatch
• NTBugtraq
• The Full Disclosure List
• Sophos
• Security Tracker
• Church Of The Swimming Elephant
• zone- the internet thermometer

Privacy

• Electronic Frontier Foundation (EFF)
• Electronic Privacy Information Center (EPIC) [includes practical privacy tools page]
• privacy.org
• Privacy International (includes "Privacy and Human Rights" page)
• Personal Notes on "Computers, Freedom & Privacy 2002" (Roger Clarke)
• USA PATRIOT Act: HTML | PDF | Analysis by EPIC | EFF Analysis of provisions relating to online activities
• "PATRIOT II": The Center for Public Integrity | PBS' "NOW With Bill Moyers" | ACLU
• "Super-DMCA" Laws
• Commission Nationale de l'Informatique et des Libertés (CNIL) "Your traces" page
• André Bacard's Privacy Page (including "Anonymous Remailer FAQ" and pointers to services)
• No Place To Hide (book & multimedia investigation site...)

Education and Industry Training/Certification

• National IA Education & Training Program (NSA)
• Centers of Academic Excellence
• Committee on National Security Systems (CNSS)
• IA Courseware Evaluation Program
• Colloquium for Information Systems Security Education (CISSE)
• ISC2 Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), and more
• Rob Slade's book references to the CISSP CBK (mirror) and Web links (mirror)
• The SANS Institute GIAC (Global Information Assurance Certification (GIAC)
• International Council of Electronic Commerce Consultants (EC-Council) Certified Ethical Hacker (CEH) and more
• CompTIA Security+

Cryptography

General Crypto Information

• RSA's Cryptography FAQ
• Cypherpunks WWW page
• Security and Cryptography (from ARPA.MIL)
• Encryption standards around the world
• Common Data Security Architecture (CDSA)
• COAST Hotlist of Security Sites
• Crytography Research Inc.'s cryptography.com Site
• The National Security Agency: Providing and Protecting Vital Information Through Cryptology
• Government Communications Headquarters (GCHQ) [U.K.] (GCHQ crypto challenge page)
• American Cryptogram Association (ACA) ( Crypto Drop Box)
• Cryptologia
• Cryptome.org ("Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and blast protection -- open, secret and classified documents -- but not limited to those.") All this and the unbelievable Eyeballing Series.
• Yahoo! crypto pages
• Linux FreeS/WAN Project crypto links

Legal and Policy Information

• U.S.: U.S. Department of Commerce Export Administration Regulations (EAR) | U.S. Electronic Signature (e-sign) legislation
• International: Summary of International Crypto Controls | Crypto policies and laws around the world | Neville, Peterson & Williams: Customs and International Trade Law
• Organizations: Business Software Alliance (BSA) | Center for Democracy and Technology (CDT) | Electronic Frontier Foundation (EFF)

About Cryptography

• Counterpane Labs publications, including "Why Cryptography is Harder Than it Looks" and key length information; also Crypto-Gram monthly newsletter
• The Prime Pages, all about prime numbers
• "Overview of Cryptographic Methods" (GCK)
• Ron Rivest's "Cryptography and Security" Page (including "Chaffing and Winnowing" paper)
• "Cryptography and Number Theory for Digital Cash" (J.O. Grabbe)
• "Algebra & Complexity Theory in Cryptography" (J.S. Leaning)
• CryptoLog: The Internet Guide to Cryptography
• "List of Cryptographers" from U.C. Berkeley
• distributed.net, a project to break cryto algorithms using the distributed computing power of the Internet [see also "The Threats of Distributed Cracking" (A. Twyman)]

Cryptography History

• Cryptography Timeline
• Tom Perera's "Enigma Cipher Machines, Other Cipher Machines, Antique Computers and Calculators" page
• Enigma Java applet: AT&T (U.K.) | Enigma page, with several Java, PalmOS, and BASIC simulators...
• Alan Turing Home Page
• The Enigma Machine (Univ. of Arizona)
• Vignere Cipher
• NSA's National Cryptologic Museum
• Codes and Ciphers in the Second World War
• Java emulators of WW II crypto devices: Purple, Sigaba, Enigma, Russian Espionage Cipher, and a public domain Bombe.
• Rebuilding the WWII codebreaking machine, Colossus
• Bob Lord's Online Crypto Museum

Quantum Cryptography

• "The Future of Cryptography Under Quantum Computers" (M.A. Barreno)
• Los Alamos National Labs
• Quantum Computation
• IBM Almaden Research Lab ("The early days of experimental quantum cryptography" [J.A. Smolin])
• "'Unbreakable' encryption unveiled" (R. Pease, 10/8/2008)
• Quantum Cryptography blog

Poor Cryptography Examples

• DVD CSS: CSS DVD Encryption/Decryption, including "Cryptanalysis of Contents Scrambling System" (F.A. Stevenson) | CSS Page, including a Gallery of CSS Descramblers | OpenDVD.org

A Little Crypto Humor

• "Hackers Beg Boring People to Stop Encrypting Email" (SatireWire.com)

Advanced Encryption Standard (AES) & Rijndael

• NIST's AES Home Page
• The Rijndael Page
• "Improved Cryptanalysis of Rijndael" (Ferguson et al.)
• The Rijndael Fan Page
• Attacks on AES/Rijndael PGP et al.
• PGP Corp.
• The International PGP Home Page
• The OpenPGP Alliance
• MIT's PGP distribution
• MIT PGP Public Key Server
• Phil Zimmermann's Home Page
• GNU Privacy Guard (GnuPG)
• Tom McCune's PGP page
• Security bug (or feature) affecting PGP virtual disk, SDA, et al.

Miscellaneous Crypto Protocol Links

• Cracked Crypto Schemes
• Twofish
• GCK's Links to many crypto protocols
• EFF Cracking DES page
• Elliptic curve cryptography: Certicom's ECC Resources | PKCS #13: Elliptic Curve Cryptography Standard
• RSA's Public-Key Cryptography Standards (PKCS)
• Multivariate cryptography and cryptanalysis
• Some European standards: 3GPP Confidentiality and Integrity Algorithms: F8 & F9 | ETSI Security Algorithms
• Cryptography and Braid Groups
• David Hopwood's Standard Cryptographic Algorithm Naming Pages (including lots of algorithm details)
• Weaknesses in hash functions: "Finding Collisions in the Full SHA-1" (Wang et al.) | MD5, SHA-0, and SHA-1 broken...

Product Vendors

• National Security Institute's List of Security Products & Services
• TRUECRYPT, open-source on-the-fly encryption for Windows and Linux
• RSA Security, Inc. (RSA attack info)
• Hewlett-Packard's International Cryptography Framework
• IBM position papers on key recovery and technical guide to encryption
• Digital Watermarks: New Tools for Copyright Owners and Webmasters
• CrypTec Systems

Public Key Infrastructure (PKI)

• The PKI Forum
• PKI and the Law Web site
• ETSI Security Technical Committee
• IETF Public Key Infrastructure (X.509) (pkix) Working Group
• NIST's Public Key Infrastructure (PKI) page...
• "Weaving a Web of Trust" (R. Khare & A. Rifkin)
• The PKI Page
• CommerceNet's "Security and Internet Payments" page
• "PKI: How It Works" (Lucent)
• "Improvements on Conventional PKI Wisdom" (Carl Ellison)
• "Security Management Infrastructure: Session Key Management Protocols (and some other stuff)" includes info on ISAKMP/Oakley
• SKIP - Simple Key management for Internet Protocols IP-Level Cryptography
• Simple Distributed Security Infrastructure/Secure PKI (SDSI/SPKI): General resources | SPKI/SDSI Certificates
• CA info/vendors: OpenCA, information on open source CA | VeriSign | Thawte | Baltimore Technologies | EnTrust Technologies | Chrysalis-ITS | Cylink Corp. | nCipher, Inc. | Norman Data Defense Systems | OpenNetwork Technologies | Syntegra, Inc. | Valicert, Inc.

Steganography

• "An Overview of Steganography for the Computer Forensics Examiner" (GCK)
• Steganography Analysis and Research Center (SARC) (includes Steganography Application Fingerprint Database (SAFDB)
• MIT's Data Hiding Home Page
• Cambridge University's Information Hiding Home Page plus steganographic software listings
• JJTC's Steganalysis and Steganography & Digital Watermarking pages
• J. Fridrich's stego research papers
• StegoArchive.com (Alt. URL)
• Steganography software (COTSE)
• Steganos
• WetStone Technologies
• "Coded Communications" (McGrath, Newsweek/MSNBC, 9/21/2001)
• Digital Invisible Ink Toolkit
• spam mimic
• OutGuess (N. Provos)
• SpyHunter stego page (M. Raggo)
• Workshop on Information Hiding: 2004 (6th) (includes links to prior workshops) | 2005 (7th)
• Many articles on C# code and steganography
• Analyzing steganography softwares (for the fun of learning about it) (interesting little site...)
• BARCODES: Barcodes (and the information hidden in them...) | DocuColor Tracking Dot Decoding Guide (EFF) | "Electronic Clipping System" (IBM) | "Hiding messages in plain sight" (BBC news article about images only visible to cell phone camera) | OP3 Shot Codes | Shot Codes (cell phone camera decodes bar code and automatically accesses a Web site)
  

Operating System Security

General Information

• Cerberus Information Security Advisories
• CIS Security Benchmarks and Scoring Tools (Windows NT/2000, Solaris, Linux, HP-UX)
• BUGTRAQ Vulnerability Database Statistics | Symantec Internet Security Threat Report
• SecurityFocus.com: Microsoft | Sun | Linux
• The Ideahamster Organization and the Open Source Security Testing Methodology Manual (OSSTMM)
• Open Source Vulnerability Database (OSVDB)
• Trusted Computing Platform Alliance (TCPA)
• Password management: Password Manager | Password Safe v1.7.1 | Password Safe (later versions)
• "The Great Debates: Pass Phrases vs. Passwords" (J. Johansson) [Part 1 | Part 2 | Part 3]
• NIST Security Technical Implementation Guides (STIGs) (covers a host of systems including Cisco, Juniper, OS/390, Tandem, VOIP, Windows, Wireless, Linux)
• NSA Security Configuration Guides (SNAC)

NetWare (Novell)

• Northwestern Univ.
• Nomad Mobile Research Centre (includes NetWare Hack FAQ)
• Socrates (NetWare and more!)
• "Security Procedures and Checklists for LAN Administrators of Netware 3.1x"

Unix (including Linux)

• CERT Security Improvement Modules, with Unix-specific practices
• "Armoring Linux" and "Armoring Solaris"
• NSA's Security-Enhanced Linux Project
• "NSA Guide to the Secure Configuration of Solaris 8"
• "The Official Red Hat Linux Security Guide"
• CyberSoft (excellent set of papers and downloadable tools...)
• UNIX Exploits
• Stack Smashing Security Vulnerabilities
• Matt's UNIX Security Page
• BUGTRAQ archive
• "An Architectural Overview of UNIX Network Security" (Reinhardt)
• Linux Shadow Password HOWTO
• Genocide2600.com
• ROOTKIT.COM
• Apostols, queso and other tools
• Fyodor's Playhouse, nmap and other tools (nLog is a Perl script to convert nmap log file output to a flat file database) [See also "A practical approach for defeating Nmap OS-Fingerprinting" (Berrueta).]
• Michal Zalewski's p0f, the passive OS fingerprinting tool
• hping, command-line oriented TCP/IP packet assembler/analyzer.
• NetSaint Network Monitor (Linux)
• Security Portal's Linux Security page
• Linux SECURITY.COM

General Tools

• Metasploit Project ("point and crack")
• SecurityFocus.com (Unix and Windows) <LI.Hacker (Samarai[sic]) Tools from MPRM Group
• Vulnerability scanners: Nessus Security Scanner | World Wide Digital Security, Inc. SAINT: Security Administrator's Integrated Network Tool (Unix) (or here) | UltraScan & EPDump (NT) | Kane Security Analyst | WebTrends | NGSSoftware Typhon Security Scanner (NT/2000) | Tenable Security NeWT and NeVO
• Open Vulnerability Assessment Language (OVAL): US-CERT and OVAL | Mitre
• Packet sniffers: LBL's tcpdump (Unix) | tcpdump/libpcap | WinDump (tcpdump port for Windows) | Analyzer: a public domain protocol analyzer (from the folks who brought you WinDump!) | WIRESHARK | Ethereal | sniffit | Natas, opensource version of freeware Windows 2000 network sniffer | dsniff FAQ
• System auditing: COPS | SWATCH | Tripwire | Foundstone (formerly NT OBJECTives) auditing tools for NT | Inzider, Fport (Foundstone), and Vision (fport GUI), shows which Windows NT processes are listening to open ports | Startup Cop for all Windows versions; tells what programs run at startup
• Trinux — A Linux Security Toolkit
• Unix tools: A wealth of Unix tools, always changing... | Psionic PortSentry: Port Scan Detection and Active Defense System | Whitehats security tools
• File wipers/shredders: CleanDrive (WhiteCanyon) | Window Washer (Webroot) | BCWipe (Jetico) | Eraser (Sami Tolvanen) | SecureClean (AccessData) | East-Tec Eraser 2000 (East Technologies) | PGP Windows NT/2000/XP
• NSA guidelines to securing...: WinNT | WinXP | Win2000 | Windows Server 2003
• "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist"
• CERT Security Improvement Modules, with NT-specific practices
• NTBugTraq Home Page including the International Windows NT Fixes Up-to-date Query Engine
• Bill Wall's Windows NT links (includes security)
• NTsecurity.com
• The NT Shop (NTSecurity.Net)
• L0pht Advisories Page
• Microsoft-related security papers -- NT, Internet Explorer, Internet Information Server, MS Proxy Server
• "Microsoft Passport to Trouble"
• MS Security Tools
• Microsoft Personal Security Advisor (MPSA), web-based application to test Windows NT 4.0 Workstation or Windows 2000 Professional systems
• HFNetChk: command-line tool to check the patch status of all the machines in a network
• USSR Labs
• Science Applications International Corporation (SAIC), responsible for the NT 4.0 C2 evaluation
• Computer & Network Security Site
• Known NT Exploits
• Nomad Mobile Research Centre (includes NT Hack FAQ)
• Sysinternals (formerly NTInternals)
• NT Security - Frequently Asked Questions
• Win NT Security
• Windows NT Security FAQ
• WinNuke Testing Ground
• Security White Papers and Web Links for Windows NT
• Winternals Software
• NT and Related Security Holes and Bugs (Rhino9)
• Mnemonix's home page, particularly heavy on Windows NT...
• JSI, Inc. NT resources information... (registry hacks)
• Windows NT (perhaps something for '95) Systems Bug List Page
• "Security Tools for Windows NT" (GCK)
• Stefan Norberg's "Building a Windows NT Host in Practice"
• Trusted Systems' Windows NT Security Guidelines
• "Armoring NT" (Spitzner)
• "Hardening Windows 2000" (Cox)
• "NetBIOS Insecurities"
• "Understanding NetBIOS" (NeonSurge)
• IraqiWorm Analysis (myNetWatchman)
• "Non-Stack Overflows on Windows" (D. Litchfield)
• "System Security Administration for NT" (H. Carvey)
• Geo's Windows NT tips
• "Exploiting design flaws in the Win32 API for privilege escalation. Or... Shatter Attacks - How to break Windows." and "Shatter attacks - more techniques, more detail, more juicy goodness" (C. Paget) | A New Avenue of Attack: Event-driven system vulnerabilities" (S. Xenitellis) | March 1997 article in Microsoft Systems Journal (M. Pietrek)

Other Microsoft Issues....

• Xbox: bunnie's adventures hacking the Xbox | "Keeping Secrets in Hardware: the Microsoft XBoxTM Case Study" (A. Huang)
• Palladium: Ross Anderson's TCPA / Palladium Frequently Asked Questions | Microsoft Palladium page (EPIC)

PalmOS

• L0pht PalmOS Development

Firewalls/IDS/Honeypots

Firewalls

• NIST SP 800-41: "Guidelines on Firewall and Firewall Policy"
• ICSA's list of certified firewalls and Firewall Buyer's Guide
• InfoSec News firewall survey
• The Rotherwick Firewall Resource, an excellent starting point for firewall info
• Ultimate Firewalls Page: Excellent info on types of attacks, product info
• Greatcircle firewall routers, FAQ, file archive, ...
• IANA assigned port numbers
• "Firewall Routers and Packet Filtering" (GCK)
• Mason: automatic firewall builder for Linux (by Bill Stearns)
• Product summaries: Firewall Product Overview | Firewall Fiesta!, comprehensive list of products and vendors | Data Communications Magazine's Firewall Security Table and Firewall Review - Lab Test
• Products: Axent | Check Point ( and problems with CheckPoint's Firewall-1) | GTA GnatBox | Network-1 | Raptor Systems | Tripwire Security Systems | Trusted Information Systems
  
  Personal Firewalls
• Test Windows systems remotely for exposures: Gibson Research Center (GBC) ShieldsUP! | BLACKCODE.COM | Symantec Security Check | farm9
• "FireHole — How to bypass your personal firewall outbound detection or Game Over: An exercise in utility" (R. Kier)
• Cable modem/ADSL security: ADSL Reports | Speed Guide.net | "Cable Modems and the Internet: Securing the SOHO" (GCK)
• Home PC Firewall Guide
• Cable modem/DSL hardware: Linksys EtherFast Cable/DSL Router | D-Link DI-701 | Macsense XRouter | SonicWALL SOHO2
• Windows software: ADWARE REPORT -- Firewall Reviews - October 2005 | Home PC Firewall Guide | Comodo Firewall | BlackICE™ PC Protection (Network ICE/ISS) | ZoneAlarm | Outpost Firewall (Agnitum) | WinRoute and Tiny Personal Firewall (TINY Software) | Norton Personal Firewall & Norton Internet Security | CyberArmor Personal Firewall (InfoExpress) | ConSeal PC Firewall (Conseal Software) | Internet Firewall 2000 (IFW2000) for Personal Computers (Digital Robotics) | Home PC Firewall Guide
• UNIX: Netfilter (iptables), for Linux | Mason, plug-in for Netfilter or IPChains | IPFilter, for BSD

Proxy Servers

• Standard-type proxies: Apache proxy server | Microsoft Proxy Server | Netscape Proxy Server | SOCKS ( SOCKS5 white paper (Aventail)) | Squid
• Transparent proxies: Cisco WCCP | Inktomi | NetApp Web Cache | PacketStorm WebSpeed
• Tor: An anonymous Internet communication system Intrusion Detection
• HoneyNet Technical Whitepapers
• SANS Intrusion Detection FAQ
• Robert Graham's NIDS FAQ
• DShield, distributed IDS
• SURF IDS
• IDS EVASION: "IDS Evasion Techniques and Tactics" (K. Timm) | "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (T. Ptacek & T. Newsham) | "Defeating Sniffers and Intrusion Detection Systems" (Phrack 8.54.10)
• arachNIDS (Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems)
• State of the Practice of Intrusion Detection Technologies (CERT Tech. Report)
• "Intrusion Prevention: The Next Step in IT Security" (Hollander)
• "Defending Yourself: The Role of Intrusion Detection Systems" (J. McHugh, A. Christie, & J. Allen, IEEE Software, Sept./Oct., 2000)
• CERIAS IDS Page
• NIST SP 800-31: "Intrusion Detection Systems (IDS)"
• SecurityFocus.com IDS tools (host, network, evasion)
• Snort (Martin Roesch); also here) | WINSNORT.com | Shadow (Navy Surface Warfare Center) | BlackICE™ PC Protection (Network ICE/ISS) | ZoneAlarm | Specter

Honeypots

• "To Build A Honeypot"
• The Honeypot Project
• Fred Cohen's Deception Toolkit (DTK)
• Tiny Honeypot (G. Bakos)
• LaBrea - The Tarpit
• SecurityProfiling honeyd for Windows

Virtual Private Networks (VPN)/Tunneling

General Information

• "What is a VPN?" (Ferguson)
• Tina Bird's VPN Page
• Thomas Porter's VPN web page
• The VPN Resource - VPDN.Com (TeleChoice)
• Alliance Datacom VPN papers/tutorials
• Communications Industry Researchers (CIR)
• Internetweek's VPN Source Page
• Virtual Private Network Consortium (VPNC)
• VPNlabs
• Some vendors: Avaya (nee VPNet) | Aventail Extranet Strategist | Cisco (nee Altiga) | F-Secure Corp. (nee Data Fellows) | Intel (nee Shiva) | Lucent (nee Livingston) | Nortel | SafeNet (nee IRE) | SonicWALL (nee RedCreek) | Symantec (nee Axent)
  

Secure Shell (SSH)

• SSH Communications Security
• SSH/SSHD for Win32
• IETF Secure Shell (secsh) Working Group
• TTSSH: An SSH Extension to Teraterm Tunneling Protocols (Layer 2)
• PPTP: Point-to-Point Tunneling Protocol (PPTP) | PPTP technical site (MS) | PPTP FAQ (MS) | "Understanding Point-to-Point Tunneling Protocol (PPTP)" (MS) | Counterpane's Analysis of MS-PPTP | Ascend PPTP FAQs | RFC 2637 (PPTP)
• L2TP: Cisco L2TP FAQs | L2TP (draft 16) (IETF pppext WG)

IP Security Protocol (IPsec)

• S/WAN, Linux-based IPsec
• IETF ipsec WG (Contains a complete list of IPsec drafts and RFCs)
• <dtool> IPsec links
• "Decoding IPsec: Understanding the Protocols of Virtual Private Networks" (Gail Meredith, Packet Magazine, 2Q2002)
• "Understanding the IPSec Protocol Suite" (Alcatel, March, 2000)
• "An Overview of Cryptography: IP Security (IPsec) Protocol" (GCK)
• SSL vs. IPsec VPN: "VPN Decision Guide: IPSec or SSL VPN Decision Criteria" (Juniper) | Paper set #1 or Paper set #2

Web-related Security

Web Browsers/Protocols

• SOMEBODY: What do you reveal about yourself?
• Netcraft Web Site Finder
• WWW Security FAQ (includes HTML, Java, ActiveX, browsers, etc.)
• SSL specification (ftp)
• Security info (Netscape)
• "Forum on Security Standards for Web Services," OASIS + W3C, August 2002
• SAIC (wealth of documents, including SHTTP *plus* pointers to other sites)
• EIT's S-HTTP Page
• IETF's Transport Layer Security (TLS)
• "How to Obscure Any URL"
• Bugnosis, Web bug detector
• Web site scanners: Sam Spade | Xenu's Link Sleuth | Black Widow

Secure Web Services

• NIST 800-44: "Guidelines on Securing Public Web Servers"
• Axent's WebDefender
• Blockade Systems' Extended Access Control (EAC)
• Entegrity AssureAccess
• Hewlett-Packard's DomainGuard
• Network Associates' (NAI) WebShield E-ppliance
• Securant Technologies' ClearTrust SecureControl
• Systems Advisory Group Enterprises, Inc. (SAGE) BRICKHouse Web Appliance
• Perfecto Technologies' AppShield

Content Control

• Platform for Internet Content Selection (PICS) specification
• RSACi
• Content Screening Software: CyberPatrol (Win3.11/9x/NT, Mac) | CyberSitter (Win9x/NT) | The Internet Filter | NetNanny (Win3.11/9x) | SurfWatch (Win3.11/9x, Mac) (SurfWatch Internet safety presentation)

IIS

• Microsoft's IIS 4.0 Security Checklist
• NTBugTraq's security fixes for IIS 4.0 running on NT 4.0 with SP6a and IIS 5.0 running on Windows 2000 with SP1
• "Assessing IIS Configuration Remotely" (D. Litchfield) Web Privacy
• Platform for Privacy Preferences (P3P Project)
• TRUSTe Privacy Generator
• Network Advertising Initiative (NAI)
• U.S. Dept. of Commerce "Safe Harbor" Web site, to help U.S. companies complu with E.U. privacy policies
• AT&T Privacy Bird

Java/JavaScript/ActiveX

• Java security (Finjan)
• Hostile Applets: Using Java to break security (GA Tech.)
• Java security info from Sun
• A set of hostile Java applets
• JavaScript Security FAQ
• ActiveX FAQ

Other Web Programming

• CGI: WWW Security FAQ | "Writing Secure Scripts" | NCSA Tips for Secure CGI Programming | Lincoln Stein's excellent resource list
• Exploit checkers: PHF Prober | test-cgi checker | php_exploit, wwwcount exploit, and brute_web.c | CGICHK
• Latro Perl checker
• Socrates server load simulator
• Segue Performer SSL load performance tool

Hacked Web Site Mirrors

• alldas.org defacement archive
• Attrition.org's extensive — and timely! — set of hacked sites
• Some examples: CIA | U.S. Dept. of Justice | Kriegsman Furs | U.S. Air Force; also see 2600 Magazine
• Hacker News Network archive

Hacker/Cracker Sites & Tools

Hacker/Cracker General Sites...

• Top 75 Security Tools (INSECURE.ORG)
• SecurityBros.com (Not really a hacker site but very cool...)
• Genocide2600.com
• Packetstorm.org
• packet storm security
• Netscape's hacker page
• HNN - Hacker News Network
• The Happy Hacker
• Rhino9, includes "The Modern Hackers Desk Reference" and "NT Vulnerability Theory" (Also alternate URL)
• Networking Bloopers
• PC Demos Explained (new-age hackers...)
• The Black Hat Briefings/ DefCon show
• 2600 Magazine
• PHRACK Magazine
• Hacks and Cracks
• The Internet Underground
• Hackers Catalog
• rootshell.com
• Aneurysm...
• L0pht's Hacking Files Index (some NetWare, war dialers, phreaking, and more)
• Cracking Unix and BIOS passwords, and more...
• HackPalace.com
• EFF's "hacker" archive
• RainForestPuppy
• Tools discussed in Hacking Exposed
• astalavista.box.sk, the search engine for security related websites
• Astalavista
• Warez Oracle
• The Hacker's Choice

Commentary on Back Orifice/BO2k and other tools...

• TL Security | ISS X-Force | Diamond Computer Systems' BO2K scanner freeware

About Hackers...

• "Know Your Enemy" series (Lance Spitzner)

SATAN

• Info from NIST
• Dan Farmer's SATAN Website Password recovery/cracking tools...
• OphCrack (Windows password cracker; uses rainbow tables; runs on Windows, Linux/Unix, Mac OS X
• Offline NT Password & Registry Editor
• Password Recovery Resources from WindowsNetworking.com
• OXID.IT, including Windows passwords crackers: Cain & Abel v2.5 for Windows NT/2000/XP
• Vitas Ramanchauskas' password recovery software
• ELCOM Ltd. ZIP and Office password recovery software
• Password Crackers, Inc.
• Bokler's Cracker Software Page
• Alec Muffet's site (crack)
• John the Ripper (Unix, DOS, Win32)
• Brutus (HooBieNet)
• BIOS/CMOS Passwords: "How to Bypass BIOS Passwords" (LabMice.net) | "How to Bypass BIOS Passwords" (E. Orin) | Cmos password recovery tools
• CyXla's passwords database file
• "Windows NT Password Hacking" (.:0xception.com)
• "Feasibility of attacking Windows 2000 Kerberos Passwords" (F. O'Dwyer) | "Password Attack on Kerberos V and Windows 2000" (Kasslin &Tikkanen)
• Some password cracking sites: Russian PaSsWord Crackers | LostPassword.com | And more password crackers...
• Application crackers: KeyGen' United Studio | CRACKS.THEBUGS.WS: cracks for anytime
• Rainbow tables: Winrtgen, graphical Rainbow Tables Generator | rainbowtables.shmoo.com | rainbowcrack.com | "Making a Faster Cryptanalytic Time-Memory Trade-Off" (P. Oechslin)

Windows-based tools

• WildPackets (formerly AGNetTools) EtherPeek plus iNetTools (DNS Lookup, Finger, Name Lookup, Name Scan, Ping, Ping Scan, Port Scan, Service Scan, Throughput, Trace Route and Whois)
• J. River Network Toolbox (ping, traceroute, IP address and port scanner, finger, whois, and more)
• eEye Digital Security's nmapNT
• cotse.com's winetd, an NT port of inetd, including tcpwrappers, honeypot modules, and more
• Foundstone's tools, including SuperScan port scanner, DDoS ping, and UDP flood
• NetBIOS tools
• Sysinternals Miscellaneous Tools
• NetScan Tools Pro, includes a wealth of tools all in one place
• GFI LANguard Network Security Scanner (N.S.S.), "allows you to scan, detect, assess and remediate any security vulnerabilities on your network"

Network-based tools

• Google Hacking

Other Security Topics

Viruses/Worms

• Virus Bulletin
• SecurityFocus.com
• VBsim: Symantec's worm/virus simulator
• Virus Databases/Product Vendors: AVP Virus Encyclopedia | CIAC's Virus Database Page | F-Secure Computer Virus Info Center | McAfee Anti-Virus Center | Network Associates Virus Library | Sophos | Symantec's AntiVirus Research Center | Trend Virus Information Center
• Virus Hoax Information: CIAC's Internet Hoaxes Page | F-Secure Hoax warnings | Symantec Virus Hoaxes | Vmyths.com (formerly Computer Virus Myths Page)
• Chain Letters & Urban Legends (Why here? Well, it is sort of related to virus hoaxes....): BreakTheChain.org(E-mail chain letters) | The AFU (alt.folklore.urban) and Urban Legends Archive | CIAC Internet Chain Letters Page | The San Fernando Valley Folklore Society's Urban Legends Reference Pages
• EICAR anti-virus test file
• MALWARE: "Guide to Malware Incident Handling and Prevention: Recommendations of the National Institute of Standards and Technology" | Truman - The Reusable Unknown Malware Analysis Net | Nepenthes - finest collection - (Malware collection)
• The Instant Macro-Virus Maker (IMVM)

E-mail/Spamming

• Fight Spam on the Internet! site
• Spam laws in the U.S. and around the world
• John Marshall Law School cyberlaw site
• Internet Mail Consortium (IMC)
• Integralis' MIMESweeper
• Coalition Against Unsolicited Commercial Email (CAUCE)
• JunkBusters
• NIST SP 800-45: "Guidelines on Electronic Mail Security"

Passwords

• "Passwords — Strengths and Weaknesses" (GCK)
• One-Time Password (OTP) systems: Security Dynamics Technologies (SDTI) | Secure Computing Corp. | Activcard | Axent Technologies | CRYPTOCard Corporation | LeeMah DataCom | Vasco Data Security, Inc. | IETF's One-Time-Password SASL Mechanism
• BioPassword keystroke dynamics

Denial-of-service

• Denial of Service (DoS) Attack Resources Page
• PacketStorm's Distributed Attack Tools list
• David Dittrich's DDoS papers (The best analyses of Trin00, TFN, and Stacheldraht)
• DoS Database
• Webtorials DDoS briefing
• Buffer overflow: Cerberus papers (David Litchfield) | NT Security's papers (Dave LeBlanc) | USSR Back | Foundstone Tools (formerly NT Objectives)

Code Red Worm....

• DShield
• www.incidents.org (SANS Institute)
• CAIDA's analysis and "The Spread of the Code-Red Worm (CRv2): The Movie"
• Digital Island's Code Red page
• Microsoft URL for Code Red Advisory and Microsoft Patch Installation Instructions
• eEye Digital Security

Personalities in Security

• "Kevin Mitnick" info
• "Cliff Stoll" info
• "Takedown" (Tsutomu Shimomura on Kevin Mitnick)
• Phil Zimmermann (inventor of PGP)
• Discovery Channel's "Hackers' Hall of Fame"

Ethics

• "Why Kids Shouldn't Be Criminal Hackers: An Explanation for High School Students, Teachers & Parents" (Mich Kabay) | M. Kabay's ethics articles and links
• Responsible Netizen Page
• The CyberPilot's License
• University of British Columbia's Center for Applied Ethics Computer & Information Ethics Resources on the WWW
• DePaul University's Ethics Resources for Teachers and Trainers
• Internet & Computer Ethics for Kids (and Parents & Teachers Who Haven't Got a Clue) (Winn Schwartau)
• "Composing Ourselves Online: Broadening the Definition of Computer Literacy" (R.W. Burniske)
• "CyberEthics: Internet Ethics for Children" (E. Kennedy) plus many links
• Doug Johnson's "Resources for teaching information technology ethics to children and young adults"

E-government/E-voting

• Rebecca Mercuri's pages on Electronic Voting (and why she's ag'in it!)
• The Digital Government Research Center (DGRC)
• "Security Criteria for Electronic Voting" (P. Neumann)
• Lorrie Cranor's Voting page and pointers
• DoD's Secure Electronic Registration and Voting Experiment (SERVE)
• Good analysis of the risks of hacking electronic voting machines
• By Avi Rubin: "Security Considerations for Remote Electronic Voting over the Internet" | "Can a Voting Machine that is Rigged for a Particular Candidate Pass Certification?"
• Comparison of Indian and Diebold electronic voting machines: BlogSpot | TinyURL

Voice Over IP (VOIP)

• Voice over IP Security Alliance (VOIPSA)
• "Security Considerations for Voice Over IP Systems" (NIST Special Publication 800-58)
• vomit - voice over misconfigured internet telephones

Locks and lockpicking

• "Master-Keyed Lock Vulnerability" | "Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks" (both by Matt Blaze)
• "The MIT Guide to Lock Picking" (Ted the Tool) Some Security Product Vendors
• AT&T: Internet security ftp server | Cheswick/Bellovin ftp server
• CrypTEC Systems
• CyberSafe (née Centrax)
• EnGarde IP-Watcher
• Internet Security Systems (ISS)
• Network Associates
• Network Flight Recorder (Marcus Ranum)
• Platinum Technology (née AbirNet)
• Secure Computing Corporation
• SecurityDynamics (SecurID Vulnerabilities White-Paper (ftp))

Health Insurance Portability and Accountability Act (HIPAA)

• Dept. of Health and Human Services Page... (includes library of proposed rules and mailing list information and "Standards for Privacy of Individually Identifiable Health Information")
• HIPAA.ORG
• HIPPA Advisory
• Univ. of Michigan Health System HIPAA Page
• Health Privacy Project (Georgetown University)
• ICSA'a HIPAA Pages
• Communications Technology Consultancy
• 3Com's HIPAA News and HIPAA FAQ
• HIPAAcomply
• VT/NH HIPAA consortium
• NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005

Security Policies

• IT Baseline Security Manual (English translation of manual from the German Federal Office for Information Security) — excellent resource, very large files
• Commonly Accepted Security Practices and Recommendations
• The Standard of Good Practice
• U.S. Federal Best Security Practices (BSPs) (CIO Council)
• DISA Information Assurance Support Environment (IASE) Policy & Guidance page
• Computer Security Administration guidelines
• RFC 2196 (Site Security Handbook) and RFC 2504 (User Security Handbook)
• Australia Defence Signals Directorate
• British Standards Institute (BS7799) [Articles by B. Mukund: Explanation of the standard | Implementation | Certification] | ISO 17779 Central | ISO 17799 Community Portal
• CERT/CC: Security Improvement Modules | OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• Software Engineering Institute, Carnegie-Mellon Univ.
• Murdoch Univ.
• NIST's Special Publication: Internet Security Policy: A Technical Guide
• Common Criteria Project: International Common Criteria Page | NIST's Common Criteria for IT Security Evaluation (CC) Page | National Computer Security Center (NCSC) page | DoD CC policies, tutorials, FAQ
• SANS: Draft policies | S.C.O.R.E. (Security Consensus Operational Readiness Evaluation)
• U.S. Dept. of Energy
• "How to Develop a Network Security Policy" (Sun Microsystems)
• Columbia University Information Security Policy Statement
• WEDI — Workshop for Electronic Data Interchange
• The IT Security Cookbook, S. Boran (original)
• Information Security Policies Made Easy: A Comprehensive Set of Information Security Policies, V7, C.C. Wood
• PentaSafe's VigilEnt Security Manager
• IT Baseline Protection Manual, Federal Republic of Germany's Bundesamt für Sicherheit in der Informationstechnik (English)
• Business Continuity Reference Library (ITAudit)

Wireless Security

• General Sites: Wireless Research (U. of Maryland) | The Unofficial 802.11 Security Web Page (includes 802.11, EAP, GPRS/3G, 802.1X, VPN, and RADIUS information) | Wi-Fi Planet
• wi2600.org
• Warchalking | The Wireless Node Database Project
• Cigital Labs: ARP Poison paper | Wireless security | Wireless FAQ
• Wi-Fi Alliance | Wi-Fi Security
• WI-FI PROTECTED ACCESS (WPA): WECA Paper | Wi-Fi Alliance | NIST
• IEEE 802.11 WIRED EQUIVALENT PRIVACY (WEP): "FBI Teaches Lesson In How To Break Into Wi-Fi Networks" (Info. World, 4/7/2005) | UC Berkeley WEP flaws FAQ ( IEEE 802.11 response) | "Intercepting Mobile Communications: The Insecurity of 802.11" (Borisov et al.) | "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP" | "Weaknesses in the Key Scheduling Algorithm of RC4" (Fluhrer et al.) | "Unsafe at any Key Size: An Analysis of the WEP Encapsulation" (J.Walker) | Configuring Wired Equivalent Privacy (Cisco) | "Penetration Testing on 802.11b Networks" (B. Huey)
• WAR DRIVING: High gain "Pringles" antenna (Arwain.net) | "Antenna on the Cheap (er, Chip)" (R. Flickenger) | Perl script by P. Shipley | Scripts by F.L. Roque | Alan Clegg's 802.11 Mapping Project
• SOFTWARE: NetStumbler | AirSnort (Home Page | SourceForge site) | Black Alchemy's Fake AP | WEPCrack | Airopeek | Kismet wireless packet sniffer
• WAP WTLS security problems
• BLUETOOTH: Bluetooth specification | Bluetooth primer | Bluetooth security issues | More Bluetooth security
• WIRELESS HOT SPOT DETECTORS: Digital Hotspotter (Canary Wireless) | WiFiSeeker (Chrysalis Development) | Wi-FiHotSpotList.com | JiWire
• "A Hacker Games the Hotel" (Infrared hacking in hotels, from WIRED)
  
• See also More on wireless technology...

Biometrics

• National Biometric Test Center
• Center for Unified Biometrics and Sensors
• "Biometrics: Uses and Abuses" (B. Schneier)
• The Biometrics Institute
• The Biometric Consortium
• The Biometrics Catalog
• Biometrics Research Homepage at MSU
• "Impact of Artificial 'Gummy' Fingers on Fingerprint Systems" (Matsumoto et al.)