The CIPS Vancouver Security Special Interest Group (Security SIG) is a group of information system security professionals dedicated to promoting awareness of issues and to furthering professional development in information systems.
Links Directory
The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.
The Flash security settings panel, particularly the microphone and Webcam setting.
Microsoft blog from the Secure Windows Initiative (SWI) team(s). Not an awful lot of detail, but some extra beyond the Knowledge Base articles.
Similar to VirusTotal, but this one does an activity check, looking for dangerous operations.
The Building Security In Maturity Model (BSIMM) is a good framework to follow for secure software development. Those who are familiar with the various Capability Maturity Models may be a bit surprised: this model doesn't come from the same institution and doesn't follow the same pattern. It's more of a breakdown framework, with a checklist of points to address, with some assignment to limited maturity levels.
A considerable change from the first version. Version 2 has more structure, but I'm not sure that the two-dimensional model adds much. It still isn't a "maturity" model as such. Still, anything that gets more app dev security advice out there ...
Part of the Software Assurance program, a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) provides support, and, with other contributors, develops and collects software assurance/security information to help software developers and security practitioners create secure systems. Based on software engineering and addressing a software development life cycle. Links to best practices, tools, guidelines, rules, principles, and other resources.
Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.
Complementary Objects for Software Applications. A form of object-oriented programming stated to be highly reliable. (The ability to build the underlying system is, unfortunately, not addressed.)
Thoughts from the Google development security team: some useful points in regard to secure Web apps.
Interesting discussion of cheating in online gaming and implications for application security.
SE Linux has been formally verified. This not only verifies the safety of the OS, but is also an example of formal verification (the A level of the old TCSEC/Orange book standard).
Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.
Most of the white papers are a bit thin and "rah rah," but the security newsletter does have some worthwhile pieces.
Some parts Microsoft specific, but a good deal of it is a reasonable process outline.
Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities.
Based on the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/), this document presents detailed descriptions of the top 25 programming errors along with guidance for mitigation. The errors are also cross referenced against related CWE items, as well as the Common Attack Pattern Enumeration and Classification (CAPEC) structure (http://capec.mitre.org/).
This IBM blog entry provides a basic summary of the NIST work on defining cloud computing (available at http://csrc.nist.gov/groups/SNS/cloud-computing/index.html), as well as some related jargon. It provides a fundamental starting point and basis for assessing "cloud" systems and providers.
Open Web Application Security Project, tips, tools, discussions, a wealth of resources.
CLASP (Comprehensive, Lightweight Application Security Process) is actually a set of process pieces that can be integrated into any software development process.
Project Quant is supposed to be a database security framework. At this stage it seems to be a decent outline of security in general, although there doesn't appear to be much in place that is particular to database security as a specialty.
This PDF lists some basic software development practices.
Another excellent Ross Anderson paper, this one dealing with the economics of security, and why the current system is stacked against proper security.
With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)
One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.
US Information Assurance Technology Analysis Center (IATAC) paper on development of secure software.
Gary McGraw, Brian Chess, and Sammy Migues interviewed nine executives running top software security programs. Some results showed that we are still not doing enough, even at our best. Some showed that some of the things we stress most heavily are actually wrong. The article is summarized in a bullet list at http://www.informit.com/articles/article.aspx?p=1315431&seqNum=2
The Open Group Architecture Framework (TOGAF) Architecture Development Method (ADM) whitepaper. Fairly generic and high level, but does outline what to do about security at different stages of development.
Example of permission or privilege hijacking on Windows XP and Vista. (PDF)
NSA sponsored project demonstrating the means of developing high integrity, high security software.
Overview of the Tokeneer project (in PDF)
The US Defense Dept has a system for everything, and most are fairly structured. Their Integrated Defense Acquisition, Technology and Logistics Life Cycle Management System Chart is no exception. However, if you pay attention, it does provide a detailed structure and process for secure development. (Warning: their cert is self signed, and your browser may object.)
You can also get the chart PDF from https://acc.dau.mil/IFC/pdfs/Front_Ver_534_June_15_2009_34x22.pdf
Note also that resources for Web development security can be found under the Telecom category. (NB: due to technical limitations, this link is recursive ...)
Microsoft article on testing for XSS vulnerabilities: fairly basic.
A good set of plans for emergency response, both as resources and as templates for your own emergency documents.
Designed for community assessment of preparedness for emergency or disaster, this checklist can also be used as the outline for a corporate BCP plan and process.
The Business Continuity Institute does have a local chapter, but the only way you can get in touch with them is via email: BCForum.Leader@Gmail.com
Note that the Website is www.thebci.org. If you try www.bci.org you will end up with a Bahai computer group.
Free (electronic version) business continuity/disaster response magazine.
The Justice Institute of British Columbia is acknowledged as a leader in education and training in justice, public safety and human services. The institute offers programs and courses in many areas related to Emergency Management.
North American Electric Reliability Corporation (NERC) standards, some of which address business continuity, emergency response, and disaster recovery.
NSEMO, (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.
This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.
Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM
Simplistic but basic disaster recovery planning advice for small businesses.
Pamphlet from Office Depot, but good for small businesses.
Some potentially helpful materials, but not well organized.
This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.
CERT.ORG advice and step-by step instructions on creating a computer security incident response team.
ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.
Structure for setting up a Computer Security Incident Response Team, informed by the experience of the Netherlands government agency. Some of the graphical material can be downloaded at http://www.first.org/resources/guides/cert-in-a-box.zip , but the Website is much better.
Exhaustive, and yet strangely undirected, ENISA walk through the points relevant to setting up a CSIRT. Can also be had in PDF from http://www.enisa.europa.eu/cert_guide/downloads/CSIRT_setting_up_guide_E... , which might be easier to deal with.
Guidance on forming and operating a computer security incident response team (CSIRT).
1998 version of what incident response teams should and shouldn't be and do.
Comic book commentary on bill C-61 copyright amendments.
If you find a really outrageous quote about infosec, it usually comes from either Donn Parker or Winn Schwartau. (If you find a really good quote about infosec, it usually comes from Gene Spafford or Bruce Schneier.) Donn frequently makes the point that the widely used CIA triad (Confidentiality, Integrity, and Availability) is insufficient to describe the totality of what we need to consider in the infosec field, and proposes a "hexad" of confidentiality, possession, integrity, authenticity, availability, and utility.
(Note also that Donn asserts the definitions of integrity and authenticity in the Wikipedia entry are flawed.)
Have a giggle at the dated video and voiceover.
Or, consider that most of the problems are still there ...
An interesting blog entry. Ken's "response" may be a bit over the top, but the teacher's letter does, definitely, show the prejudice and uphill battle that open source software is facing. Could relate to intellectual property legal issues, or just general culture and awareness ...
In order to be patentable, an invention has to be novel, useful, and non-obvious ...
Various important essays and reports from the early days of infosec.
Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.
Kids are making up fake licence plates, pasting them over their own, and then deliberately getting "caught" by traffic cameras so that someone else gets the ticket. This is being used to maliciously "joe job" people they don't like. Traffic camera tickets have, of course, very weak authentication.
David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.)
(In case that link goes bad, another copy is at http://www.acsac.org/2005/papers/Bell.pdf )
A year later he presented another paper, available at http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf
Interesting examination of the failure of CCTV to deter crime in the UK. Points out the need to know what your CCTV requirements are: simply installing the tech is not enough.
On the face of it, this has nothing to do with security. Dig a bit deeper, though, and it does. We rely on risk analysis, sometimes losing track of the dangers in the thickets of data and metrics of which we've become so fond.
The article notes that there is a definite and undeniable link between the number of cellular telephone towers in a area, and the number of births. So, do cell towers cause babies?
As Mark Twain said, there are lies, damned lies, and statistics.
The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C. A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President. Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better. This report has been promoted on a number of security mailing lists as an important set of recommendations. It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.
Interesting piece by an author who explains why he is not upset by, and even wants people, "pirating" his book, which is published under the GNU Free Documentation License.
Fairly simplistic explanation of the home router DNS attack.
In Canada you'll get the mail back, postage due ...
An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how.
I find this particularly interesting because of the apparently widely held belief that steganography is "undetectable" without comparison to the original image. Most of the "Photoshop disasters" are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)
I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection.
Why proprietary algorithms are a bad thing.
Psychological profile of what makes a good defender in the infosec world.
A 60 Minutes story about a particular case of online poker cheating. Would you trust large sums of money, or the drugs upon which your life and health depend, or private and intimate details of your life to total strangers, about whom you know nothing?
The answer, in case after case, appears to be "yes."
The Washington Post version is at http://www.washingtonpost.com/wp-dyn/content/article/2008/11/29/AR200811...
You may have seen or heard of Peter Gutmann's review of Vista. Despite controversy, it has some important things to say not only about DRM, but also about the security of the platform, in certain respects. (For example, the DoS possibilities, and also the new impetus for hackers of all stripes to delve into the internals of the system.)
1979 version of the RAND report on computer security, originally done in 1970.
Satirical article on how not to review security (antivirus) software. Although Sarah Tanner, a secretary, is credited with the article, it was actually written by Alan Solomon.
Classic paper on "how far back do you have to check?" (This paper has spawned a widely held myth that Thompson actually did create a backdoor into all versions of UNIX and every program created with C.)
Excerpt from the book, detailing the flaws in "security by obscurity"
This article describes one particular instance where security theatre can be effective protection. It is not too hard to come up with other examples: most uniformed security is, in fact, security theatre, although generally intended for a deterrent effect, rather than as illustrated in this piece.
Video "documentary" about early hackers, somewhat simplistic.
This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.
Gene Spafford on our "putting out fires" mentality.
A story on two studies into the effects of new communications technology on language and slang. The UK Post Office study is available at ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf. Unfortunately, the Australian study doesn't seem to be linked, and it is the one pointing out the greater risk.
This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter?
If you've sent me a message, and never got an answer, how detailed was your subject line?
Has VANOC gone too far with trademark? Can they trademark phrases in the public domain, or commonly used?
Interesting, though unsurprising, paper from the US DoD Security Institute studying motivation for espionage.
Want to know how to have more secure logins online? Don't ask the banks ...
Interesting video commentary from the UK on photography in public places.
Given at the Zurich Seminar, April 1984, by John Gordon. Absolutely priceless.
Colbert Report take on the Protect America Act. Political and biased, but amusing look at aspects of privacy and surveillance.
This out-of-office message ended up on a Welsh road sign. There was a recent instance of "Translate server error" ending up on a Chinese restaurant sign as well. Be careful of "believing" automated messages.
Kinda like the "Chuck Norris is deity" Websites, somebody made up a list of "facts" about Bruce Schneier :-)
Deconfliction has a specific meaning in aviation or the military, to do with planning flightpaths to avoid collision. In computer science, it has to do with avoiding problems in rules-based reasoning. What we have, here, is a failure to communicate ...
An old rec.humor.funny posting about how to abuse your opponent in a flame war. A good guide to remember what *not* to say in any online "discussion."
Cute essay about password choice (although not much useful help).
You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all.
This one is about cloud computing and security, and makes a few cute points about security in general.
Cute video on mailing list/forum/group netiquette.
Cute little video about databases and the erosion of privacy.
Not exactly a major security awareness resource, but http://twitter.com/InfoSecElmo should be on everyone's Twitter feed. Some cute little slogans and reminders.
A cute pictorial essay (PDF) with pictures of unsafe and insecure working situations. (Don't try these at home ...)
Some fun advertising videos from Iron Mountain starring John Cleese.
An extremely long, but somewhat amusing, ad for Kaspersky, in old silent movie style.
Amusing commentary on the Playmobil Security Check Point toy.
I have got to give this out to some of the candidates who come to the seminars with absolutely no security background, and want to know which book to get "the answers" out of.
Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers?
(Actually, pigs are pretty clever critters ...)
OK, I know what I want for Christmas!
Check out the pictures and reviews :-)
Practicing safe hex, version 2. Since I use key signing parties when teaching about digital signatures and certification, I probably found this *way* too funny ...
Somebody took the Bruce Schneier list and made a more graphical site out of it.
Amusing list of excuses we've all heard before. (I wonder where the master list is?)
PowerPoint slide deck stuffed with all kinds of (too true to be funny) security maxims that they *didn't* teach you about in the CISSP seminar.
Roger Johnston's original list of security maxims.
An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.
We have all kinds of systems to help us out. Sometimes they help us *way* out. Sometimes they create the most amazing problems. This article addresses that kind of situation.
(I recall a, well, "politically correct checker," I suppose, which, some years ago, amended a newspaper article in order to inform people that a certain local municipal government was, fiscally speaking, "back in the African-American" ...)
We were discussing DNA identification, and someone came up with this ad for a PCR machine ...
Australian video, "would anybody be stupid enough to let a trojan horse in today?"
This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.
This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.
Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.
A list of free security utilities by category. Could quibble about whether they are all best of breed, but a handy list for home and small office users.
Your (federal) government dollars at work. Some reasonably decent advice.
Interesting project to provide low-cost computers for education in developing countries. Security implications, anyone?
A set of tips for protecting your credit card, and your identity information, when you use it. Fairly standard advice, but a good set to keep in mind.
A good online awareness video produced by the ThinkUKnow campaign ( http://www.thinkuknow.co.uk/ ) done by CEOP in the UK.
This cartoon strip (also available at the bottom of the page as PowerPoint and PDF) illustrates the operations of the AES algorithm. It starts very simplistically, and then jumps way down into the detail, but the operations are all there.
An amusing illustration of the "birthday attack" against hash functions.
A massive, non-peer-reviewed, and not very organized archive of papers on all kinds of aspects of cryptology. There is a search function.
A group recently published a paper at the 25th Annual Chaos Communication Congress in Berlin, called "MD5 considered harmful today: Creating a rogue CA certificate." This has resulted in a lot of speculation. Here is the paper itself for your consideration and analysis.
Like it says, rainbow tables freely available, along with password cracking services. Also some explanation of the technology.
Chart showing the (sometimes short) useful lifetimes of cryptographic hash functions.
Just in case you want some help in cracking simple ciphers ...
Wikipedia on MD5 and the related attacks: good portal to references.
CERIAS video seminar, good coverage of properties of hash functions, as well.
Because of the weaknesses found in SHA-1, MD5, and other widely used hash algorithms, NIST has opened a public competition to develop a new cryptographic hash algorithm that can be used for digital signatures, message authentication and other applications. The new hash algorithm will be called SHA-3.
Video presentation from Watchguard. Fairly simplistic. Doesn't go into the creation of the tables.
Full paper of the attack on WPA. Useful only for very small packets, but could be used in (for example) ARP poisoning attacks.
Polly wanna crack a WPA network? A cloud based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130 million word dictionary against it, in as little as 20 minutes.
Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?
Almost no tutorial value, but some crypto fun and a bit of history.
Colossus was the "brute force" part of the attack against Enigma during the second world war. Recently one of the devices was rebuilt.
Kerckhoffs was right: proprietary and secret systems need to be viewed with extreme suspicion.
NSA 1972 document declassified in 2007. Interesting that some parts are still classified.
A cute cartoon introduction to the Advanced Encryption Standard (AES, aka Rijndael) algorithm. Four sections, growing increasingly technical.
Actually an umbrella for a number of projects related to cryptography. A number are also specifically related to personal privacy.
This site has an interesting collection of simulators of early twentieth century rotor cryptodevices, as well as papers on Enigma and related technologies.
Basic instructions for use of GnuPG, but also discusses some basic crypto concepts and key management issues.
Bruce Schneier's (and seven others') submission to NIST for the next Secure Hash Algorithm.
Part of this is coding executable programming. Part of it is steganography. Part of it seems to be a bit of a kick at export restrictions on cryptographic software. You may have to be a little bit crazy to understand the purposes behind it.
A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it.
Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.)
From the International Journal of Cyber Criminology (http://www.cybercrimejournal.co.nr/), "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate specifically to computer or information system related crimes. The paper is possibly not a complete examination, but is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF (http://cyber.kic.re.kr/data/alaeldinijccdec2008.pdf).
Canada is a Common Law (as opposed to Civil or Code Law) legal system, and therefore subject to a charter document. In the case of Canada, this is the Canadian Charter of Rights and Freedoms.
This is the presentation that was banned by a Boston court, detailing the specifics of how to defeat the "protections" on the Boston transit MiFare card. The same system is also in use elsewhere.
A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/
Some interesting things you didn't know about the most widely used computer forensics tools.
US Department of Justice site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.
Outlines a method and procedure for overall management of digital forensic analysis.
A process for getting started creating a computer security incident response team, from CERT.
A reference for the use of open source software in digital investigations, that is digital forensics, computer forensics, and incident response.
1998 version of what incident response teams should and shouldn't be and do.
A collection of links to sites with information on online fraud. Reporting links for those in the US.
An explanation of copyright and the concept of "fair use" using clips from a whole bunch of Disney animated movies. Sometimes hard to follow, but priceless. It has been uploaded multiple times to YouTube.
Brief IEEE Spectrum article on copyright and fair use, touching on use on the Web and in blogs.
Interesting discussion on copyright, plagiarism, attribution, and related concepts, with a fairly cute video and song. Video also available at http://www.youtube.com/watch?v=dPtH2KPuQbs
Interesting piece by an author who explains why he is not upset by, and even wants, people "pirating" his book, which is published under the GNU Free Documentation License.
A slashdot posting about a McDonald's attempt to patent the process for making a sandwich.
How novel is this?
Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.)
An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.
The fact that the US issues software patents has long been a contentious issue. This recent decision may reduce that protection.
The research behind all the stories about being able to retrieve data from memory (DRAM) even after the computer is powered off.
Article on body language indicators to look for when trying to determine whether the subject is telling the truth. (Probably best not to rely on it too heavily, but possibly useful.)
Tips for detecting falsehoods in interviewing and interrogation.
US NIJ simple guide for collecting digital evidence. (PDF)
The Forensics Wiki. As with all wikis, it is in process, but there is room for additional material ...
An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how.
I find this particularly interesting because of the apparently widely held belief that steganography is "undetectable" without comparison to the original image. Most of the "Photoshop disasters" are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)
An interesting little tidbit relating to law and investigation. This piece notes a few of the ways that trained interviewers (and profilers) detect when people are lying.
Feel free to try it out, but remember: the professionals who use it study a lot more than one infographic.
The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted.
This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.
Actually an umbrella for a number of projects related to cryptography. A number are also specifically related to personal privacy.
This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.
The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on arrow icons (<>) at the upper right hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.)
However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.
Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.
Cute little video about databases and the erosion of privacy.
Information about the Canadian Do-Not-Call list and legislation, as well as an "opt out" message generator to get you off the lists of "exempt" organizations.
One way of fighting back against C-30
An interesting paper looking at the risks, risk management, and legal economics of breaches of privacy. Much of the material is fairly standard, but it also looks at different types of controls (such as preventative and recovery) in regard to data breaches, disclosure laws, and standards such as PCI DSS. Valuation of assets is also a factor.
(Free download, as of this posting.)
Intended to enable communicating organisations to include privacy enhancing technologies (PETs) in large-scale web-based services for the general public and customers.
Detailed discussion of the common retail practice of collecting driver's licence information. Other discussion is at http://www.privcom.gc.ca/media/nr-c/2008/nr-c_081202_e.asp, and a PDF version is at http://www.privcom.gc.ca/information/pub/guide_edl_e.pdf
Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important.
Map listing the different aspects of data breach notification laws in the US: click on a state and a popup box gives you specifics.
Not an awful lot of information on the site, but it does have a list of rootkit detection software. There are brief descriptions of the products. Be careful of the download links: they can be misleading in terms of what you are actually getting.
This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.
US Dept of Energy paper: Parasite Programs; Adware, Spyware, and Stealth Networks
A Windows ... "extension" of the ClamAV open source AV scanner. ClamWin has an interesting relation to ClamAV, and the ClamAV people seem annoyed if anyone calls ClamWin a version or port of ClamAV.
A kind of updated version of what we have been saying for years: use multiple means of AV detection. Some interesting points and means of improving performance.
An old GreyMagic paper, but an interesting security vulnerability.
This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets). It also suggests certain actions which could mitigate such activity. The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation.
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html, and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf), which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest.
Many antispam sites tell you not to provide your email address. This advice, however, doesn't work too well if you need to advertise your address so that people can contact you. This site provides some practical advice on ways to hide your address from robots and spiders, but still make it accessible to people.
Most of these techniques would also work in HTML formatted email, but, as a malware specialist, I can hardly encourage people to use HTML formatted email. For those of a malware research frame of mind, a number of these techniques are also used to hide malicious content.
Information sharing project to detect and reduce bots and botnets.
Check a suspected file against not quite as many scanners as VirusTotal.
A new way for marketers and malicious sites to store and use information on your computer.
A collection of resources (mostly online) that will help those interested get started working towards an understanding of how to pick apart malware, see what it does, and how to protect against it.
A series of PDFs, the course teaches what malicious code is and how it can be analyzed. Topics include malware taxonomy, reverse engineering, code emulation fundamentals, basic cryptanalysis of malicious crypto, and antivirus engine basics. The full course includes lectures.
Rich Skrenta created probably the second or third computer virus.
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
This paper describes an attack on the Intel SMM (System Management Module). This is a very low level attack, and therefore would be able to circumvent almost all common software defences, and some that rely on hardware, as well.
Partnership committed to protecting Internet and computer users from the threats that are caused by bad (malicious) software.
Submit a suspect file: the system does a form of black box testing, looking not at the file itself, but at its actions.
Rather simplistic but possibly handy overview of malware and surfing threats.
After Macmillan refused to update the book, David and I got the copyright back, and planned to update it and release it online. Somebody beat us to it. This appears to be a blackhat site, so be careful, but the information appears to be there.
A good list of malware for mobiles, cell phones, and smart phones.
Panda started in the US with a couple of good people, but it changed hands a few years back and I have no feeling for how good the info here is at the moment.
Limited info and lots of false entries.
Open source laptop tracking. (Absolute Software is in for it now ...)
CERT MERIT project regarding insider attacks and threats.
In the course of operations, recycling of old computers is an issue. The confidentiality dangers of object reuse are reasonably well known. However, when the time comes to get rid of a bunch of old (and rather toxic, if just dumped) computer equipment, where can you send them to best effect? This project lists a number of organizations and institutions, in a number of different areas of the world, that take, refurbish, and give computers to worthy causes.
Assess incident background, scope, and escalation.
This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ .
For all the trouble we have to take to protect, back up, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we just delete? Overwrite? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite?
This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough.
U.S. Government Agencies attempt to automate vulnerability scanning.
Tips for examining a suspect server to decide whether to escalate for formal incident response. The steps presented in this cheat sheet aim at minimizing the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.
Shhh, be wewwy, wewwy, quiet! We'we hunting disk latency. Who knew that yelling at your hard disks, far from getting them to work faster, would only make things worse? Well, when you think about it in terms of vibration, it makes a lot of sense.
There are lots of myths about TEMPEST and emanations (or emissions) security. This site provides detailed information. Unfortunately, it isn't quite as sensational as the myths, but more useful.
Specific questions and points about Alternate Data Streams (ADS).
Alternate Data Streams (ADS) is a feature of the Microsoft Windows NTFS file system. It provides a means of hiding files, data, and even applications on a system. It is difficult to detect ADS material without specialized tools.
Some information on ADS is available in this MSDN article, under the section about Multiple File Streams.
LADS (List Alternate Data Streams) utility for finding ADS.
Autorun is a function of Windows that provides for automatic execution of a program when removable media is inserted into, or attached to, the computer. It can be used for many functions. However, it is currently widely used to spread malware or attack systems simply by getting a user to plug a USB key/jump drive/thumb drive into the computer. More and more, security specialists are recommending that Autorun be disabled on Windows computers as a matter of course.
Disabling Autorun seems to be easier said than done. Here is some detailed advice from the Canadian Cyber Incident Response Centre.
CERT has fairly limited information on Autorun.
The How-To Geek provides graphical details of Microsoft's Gpedit.msc.
Of course, Microsoft has its own advice on how to deal with Autorun. This is at least their second attempt, Knowledge Base 953252. According to the CCIRC, it doesn't always work.
tildemark's advice certainly seems easy, but I'm not entirely certain that it is complete.
Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities.
This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.
The Syskey utility can be used to remove or protect encryption keys from the machine.
Instructions and recommendations for security of Windows Vista in a domain with Active Directory.
Recommendations about how to harden computers that run Windows XP with SP2.
Remember the old Identi-kit? (Ever heard of the old Identi-kit?) Well, someone put up a Flash-based version on the Web. Try it out. And see why composite pictures seldom look much like the target.
Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers?
(Actually, pigs are pretty clever critters ...)
OK, I know what I want for Christmas!
Check out the pictures and reviews :-)
Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM
OK, OK, I know, it sounds weird. However, if you are preparing for your CISSP exam, this may be useful. When you write the CISSP exam, you are given an exam question book, and a separate mark sense answer sheet with 400 rows of five circles each. (Yes, you are correct, the actual exam has 250 questions and only four options for each. The answer sheet is used for other exams as well.)
Anyway, this site will allow you to make up your own answer sheet, so that you are operating under conditions as real as possible when you do practice tests.
David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.)
(In case that link goes bad, another copy is at http://www.acsac.org/2005/papers/Bell.pdf )
A year later he presented another paper, available at http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf
A review, thirty years later, of the Bell-LaPadula model by David Bell.
A reconstruction of the first part of the famous Bell-LaPadula model. Note that this is a formal mathematical model, using symbolic logic. Not the first formal model of security, nor even the first state machine model, but one of the most useful in the early days.
The second part of the famous Bell-LaPadula model.
Full text of Morrie Gasser's 1988 book, good general introduction and guide to security.
Security professionals and practitioners need to keep up skills, and expand horizons and ideas about the infosec field. There are a few conferences that are extremely popular. However, there are a great many that are just as good (perhaps better), although not as well known. The University of Cambridge has developed a security conference database which might give some pointers and help in finding new sources of knowledge and inspiration.
cccure.org is a fairly famous resource for those studying for the CISSP exam. There are various papers and other resources, and the famous quizzes. (The quizzes have, of late, been inundated with questions of rather low quality, but it is the most widely used, accessible, and certainly no worse than many others.)
This presentation is a general overview of the CISSP, buried in a major sales pitch for cccure.
Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.
This site provides functions for creating your own flashcards of varying types. This particular link looks for those tagged as being suitable for study for the CISSP exam. (You will notice that there are other related tags, and you may wish to try out those for security terms which are not specific to the CISSP.)
The material is provided by volunteers, so the quality varies. In the sets I examined, some points were flatly wrong, while others were questionable. However, it does provide a range of points to test yourself against, and see if you are unfamiliar with certain areas.
(The functions of the card decks also vary: some are simply vocabulary flashcards, while others present sample questions for you to test yourself.)
Reviews of books from various fields of information security.
A partial listing (errata and updates) of information security terms.
A Masters level course from the UK OpenLearning/LearningSpace centre, introducing the concepts of information security management. Little or no technical content. Parts appear based on BS 7799-2/ISO 27001.
The Reporting and Analysis Centre for Information Assurance is a Swiss group, seemingly consisting of business and government agencies cooperating to provide information about computer, and particularly online, security. The material seems to be pretty basic, but is clear.
A kind of topical index to some Microsoft security materials.
Links to reviews of recommended information security literature. The list is divided by the ten ISC2 "domains" of security.
The ten domains of the CISSP, roughly 45 minutes per domain. Slides with voiceover from Shon Harris.
With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)
One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.
A wiki on various topics of security. So far most of the material relates to attacks, insecure software practices, and Web applications. It's also a bit thin.
A useful collection of links to guidelines for the use of social networking media and systems.
For those preferring to get notifications of additions in a different way, I'll be posting links to new entries on Twitter. (Of course, I'll be posting other stuff there as well.) I'll try to remember to post links to both http://www.infosecbc.org/links and http://blog.isc2.org/isc2_blog/slade/index.html
Wanna know what other security conferences you might be missing out on? Even this list isn't quite exhaustive. You might also want to check out http://iki.fi/japi/security.html#conf
Some people have asked that the material on this site be available in some kind of "feed" fashion. Therefore, at the (ISC)2 blog site, I have started blogging these entries as I add them. This material can also be obtained as an RSS feed.
Bruce Schneier's Crypto-Gram newsletter is like most of his writing. It's readable, and it's always worth reading, even if you don't agree with him. You can also look up his blog and books.
Unfortunately, you can't get the DHS Daily Open Source Infrastructure Report as a mail feed any more, you have to go to the Website to get the actual report. (It seems you can get a sort of reminder by email.) However, at the moment it is the best compilation source for news stories of security related items.
Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.
The RISKS Forum Digest, moderated by Peter G. Neumann, is the pre-eminent security-related mailing list on the Internet, and probably the oldest as well. This site, courtesy of the University of Newcastle upon Tyne, maintains a complete archive, and provides directions on how to subscribe at the RISKS Info Page, http://lists.csl.sri.com/mailman/listinfo/risks.
The material is also summarized, by Neumann, in the Illustrative Risks site, http://www.csl.sri.com/users/neumann/illustrative.html. This provides coded, on-line descriptions of the stories that have appeared in the digest.
SafeCanada is similar to the DHS daily report, and it does send you daily email reports, albeit without much detail.
The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)
A brief history and background of (ISC)^2. Included are two video clips with interviews with some of the founders. (Apparently the project was supposed to include 4, but only two are listed here.)
Supposedly nonprofit group forming yet more security metrics, checklists and frameworks.
Communications Security Establishment training to support the IT security needs of Government of Canada professionals.
Recently there has been a bit of a debate, around the US, anyway, about whether the NSA or the DHS should have responsibility for cybersecurity.
One of the points raised is that the NSA shouldn't take on that job, since cybersecurity involves helping "ordinary" people and companies secure their own systems. (In the modern environment, silo/bastion thinking doesn't work in security: now, the fact that I have a virus means you have a problem.) And the NSA has proven itself singularly loath to tell anything to anyone.
DHS has, on the other hand, set up a cybersecurity resource. Check it out. (It'll only take a couple of seconds.)
Back? Pretty pathetic, isn't it? Maybe the NSA should take over. They could hardly do worse ...
Excellent review of security related news. "The DHS Daily Open Source Infrastructure Report (Daily Report) is collected each week day as a summary of open-source published information concerning significant critical infrastructure issues."
Industry Consortium for the Advancement of Security on the Internet (ICASI) was formed as a non-profit corporation by a group of vendors to address international, multi-product security challenges. So far it hasn't done much, but watch this space.
Reports and checklists, particularly in terms of what an investigator needs to know about Information Technology (IT) security measures in order to be able to carry out investigations in an IT environment and to give advice in crime prevention methods.
The Justice Institute of British Columbia is a leader in education, training and the development of professional standards of practice in justice, public safety and human services. The institute offers programs and courses in many public safety areas, and has online courses as well.
RCMP Technical Security Branch IT and physical security workshops and presentations for employees of federal government and other agencies.
A collection of documents and links for security awareness.
Responsible for mail and wire fraud in the US, with major responsibility for advance fee (419/Nigerian) frauds.
Listings for local groups in a number of places. Some aren't representative of the local scene.
According to Bob Tremonti, the Security Professionals Information Exchange (www.SPIE.ca) meets the last Thursday of the month (plus a rather secretive sub-group of security folks in the energy sector), and the Disaster Recovery Information Exchange (DRIE West) meets -- well, it meets when someone finally gets a meeting organized ...
As he says, 10+ years' worth of security bookmarks. New links added frequently, hardly ever cleaned. Lots of outdated and broken links.
Undoubtedly self-promotion, and an attempt to use Google ads to drive revenue, but some of the links are useful.
NSEMO, (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.
Extensive list of organizations and entities. (Note that this appears to be run by a member of a consortium that is very active in self-promotional activities ...)
A companion site for the Stallings textbook, but a good set of resources and references.
From the US-CERT and DHS, a framework outlining IT security topics and levels (manage, design, implement, evaluate) to various IT security roles. As of the 2008 document it is fairly limited, but provides a good starting point.
Paper advising on termination procedures for sensitive positions.
Attack trees provide a formal way of describing the security of systems, under varying attack possibilities. You represent attacks against a system in a tree structure, with the goal of the attack as the root node and different requirements for achieving that goal as leaf nodes. You can then work on denying the requirements to an attacker.
Operational risk is how the banks refer to what we know as risk management.
An interesting, semi-quantified risk analysis tool. Allows you to address both the protective benefits and the resource/operational cost of various safeguards, and compare them against each other.
Carnegie Mellon's CERT has put together a taxonomy of the different types of cyber security risks, cross-reference mapped to NIST SP 800-53.
It's a good start. I'm not sure how useful it is. Malware, for example, is definitely a "deliberate action of people," but it's also "inaction from lack of knowledge" on the part of users. It may also be systems design failure or a failure of process controls.
Like it says, fairly formal and abstract, but does explain the concepts by working with them.
Fairly hefty process, but some interesting ideas for risk assessment.
Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.
ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.
Guide from ANSI on how to assess the financial (quantitative) risk analysis of cyber threats.
Security assessment framework from the Open Information Systems Security Group (OISSG, www.oissg.org), mostly concentrating on pen testing, but with some project planning material for general security or risk assessment. Document/project seems to have been abandoned mid-2006.
A Masters level course from the UK OpenLearning/LearningSpace centre, introducing the concepts of information security management. Little or no technical content. Parts appear based on BS 7799-2/ISO 27001.
This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ .
A collection of online courses, mostly free. Registration is required, and may be annoying. Courses require IE for use. Some are general, some MS product specific. Even those that are generic have MS specific mentions, sometimes in surprising places. The course content tends to the simplistic, but does, usually, stick to generally accepted policies and guidelines. The usage of the courses is idiosyncratic at times, but you can usually puzzle it out. The material is a mix of page-turner and slide plus voice-over. There are occasional references: these must be obtained separately. There are review questions: these are basically useless.
Mostly applicable to software development, but some general points.
Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.
Reduced version of the OCTAVE program. You can download the guidebook at this site.
A security testing or assessment framework. It is interesting that, for an "open source" document, you can only download a partial version, or an old version, unless you are a "gold" member. About half of the Lite 3 version is promotional material, the rest is a checklist of decent, but hardly surprising, checks to perform.
We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks.
This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general.
An interesting paper looking at the risks, risk management, and legal economics of breaches of privacy. Much of the material is fairly standard, but it also looks at different types of controls (such as preventative and recovery) in regard to data breaches, disclosure laws, and standards such as PCI DSS. Valuation of assets is also a factor.
(Free download, as of this posting.)
With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)
This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.
A few "Special Publications: Computer and Information Technology."
Collection of papers, posters, and presentations by CISSPs. Also at http://www.isc2.org/csa
This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.
Some information and tips on bank related scams.
Tips for securing a home (or small office) computer.
Tips for securing a home (or small office) network or Internet connected computer.
Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Tips Newsletter. Sign up or download.
The US DHS cyber awareness, tips, and events page. Also note Obama's 2009 pep talk at http://www.whitehouse.gov/blog/Protecting-yourself-online/
This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.
The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on arrow icons (<>) at the upper right hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.)
However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.
Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.
Your (federal) government dollars at work. Some reasonably decent advice.
I'm not sure how useful it is, but it sure is pretty. Maps kidnappings, shootings, bombings, terrorist acts, piracy (non-recording), and a bunch of other nasty stuff.
Cute essay about password choice (although not much useful help).
This portal says it is under the direction of ISSA UK, but Reed Exhibitions seems to play a major role ...
Not exactly a major security awareness resource, but http://twitter.com/InfoSecElmo should be on everyone's Twitter feed. Some cute little slogans and reminders.
Slides/text with voiceover. There is also a test that might get you a certificate, but it wouldn't let me use any of my email addresses, so I know nothing about it.
The Reporting and Analysis Centre for Information Assurance is a Swiss group, seemingly consisting of business and government agencies cooperating to provide information about computer, and particularly online, security. The material seems to be pretty basic, but is clear.
Native Intelligence obviously wants to sell you courses and materials, but there are some free samples and ideas there.
Process for developing a security awareness program. Rather generic and abstract, but, as with all NIST material, it makes many good points.
Some of this is only accessible to registered students, and most of it is fairly simple, but it's good, straightforward, and clear. Decent model to follow. (Some aspects do date quickly ...)
Latest online security awareness from the US feds. Limited and basic awareness tips (but a decent start), some cute games (for the easily amused), and a very few phishing videos.
Some tips for avoiding fraud when shopping online.
A list of various scams, and ways to recognize (and sometimes report) them. The descriptions are fairly simple, but the scope is useful.
Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.
A collection of documents and links for security awareness.
EU programme for home computer security, mostly benchmarking filtering software
This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.
A list to jumpstart some thinking ...
Roger Johnston's original list of security maxims.
Some posters in the style of the well-known motivational posters. Some are fairly odd, but they are cute.
Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM
Pamphlet from Office Depot, but good for small businesses.
A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.
Advice on online safety (from the folks who brought you the TSA, so lower your expectations).
This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter?
If you've sent me a message, and never got an answer, how detailed was your subject line?
"Security Awareness for Small Business, Home Office and Home computing." A brief outline, plus some links. Contact the page owner to download additional handout materials.
Rather simplistic but possibly handy overview of malware and surfing threats
A collection of links to sites with information on online fraud. Reporting links for those in the US.
Virginia Information Technologies Agency (VITA) (state government) Information Security Awareness Toolkit. Contains the "Duhs of Security" video (listed in the video and multimedia section here) in both viewable and downloadable format, and with subtitles and without, as well as other links and resources.
Childnet has some publications and resources that you might find useful. The overall tone seems a tad commercial and self-promotional, but that doesn't mean that you can't take what has value and ignore the rest.
A video about cyberbullying, long on emotion and a bit short on suggestions.
Whitelisting program for kids, top ranking from EU Safer Internet benchmarks
These guidelines are written for parents of children at primary or elementary schools: aged 5 to 12.
Project for development of licence-free, security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students. (Which is interesting, because they also seem to have licence requirements or arrangements.) The materials are very simplistic, and, despite supposedly being aimed at school age students, don't seem to have anything that would appeal to that audience.
Very limited resources, and some training files available only to members. Not much content here.
Big on flash, videos, and commercial materials, a bit thin on actual content. Directed at parents, educators, and policymakers.
Book (in PDF format), slides, handouts and other resources for an educational program. A specifically Canadian version is also available.
Allan Alton's presentation, hosted by Delta Police Dept. Particularly good on background info.
Internet safety for kids from the Canadian government.
A good online awareness video produced by the ThinkUKnow campaign ( http://www.thinkuknow.co.uk/ ) done by CEOP in the UK.
This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.
A bit gimmicky, maybe, but some general awareness of online security. See also http://www.ecdl.com/countries/index.jsp
Microsoft has a kit of awareness materials that you can download for free. There are some PowerPoint slide decks. These should be reviewed prior to use, since, while they do have some content, they have an awful lot of blank holes which need to be filled with your company name and some additional details. There are also templates for brochures, etc, but these contain no content, and are simply formats and styles.
Limited materials, mostly oriented to the company's products.
Fairly simplistic, but a set of slides and voiceover available free of charge ...
Short piece from Fortify Software, no detail but possibly useful for awareness intro.
Rather superficial (do we really need to know about source code and compilers, and lots of shots of Corey looking mean?), but introduction to the basic idea and concepts
Another Watchguard video, about email attachments.
Part 1 (of 2) of a BBC piece on debit card (chip and pin) fraud. Ross Anderson is interviewed. (Piece must be a bit old: pan of his office shows Sec Eng 1st edition.)
Part 2 of the BBC piece. This section shows a very cavalier attitude on the part of the banks.
Roger Thompson's detailed explanation of an exploit served by a compromised bank Website.
Have a giggle at the dated video and voiceover.
Or, consider that most of the problems are still there ...
A new design for the old ISC2 computer security awareness materials.
Short videos (slide desks and voiceover) on various security topics, mostly related to malware. Basic information, but quite suitable for security awareness presentations.
Deconfliction has a specific meaning in aviation or the military, to do with planning flightpaths to avoid collision. In computer science, it has to do with avoiding problems in rules-based reasoning. What we have, here, is a failure to communicate ...
Simplistic, little in the way of detail.
This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It's amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won't match yours, but at least it'll get you (or your staff) thinking about some of the issues.
You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all.
This one is about cloud computing and security, and makes a few cute points about security in general.
You've probably thought of this, but it's kind of cute. Possibly good for a discussion of bad design, or the cost/benefit of securing small transactions.
Cute little video about databases and the erosion of privacy.
Roger Thompson and an example exploit served from a social networking site.
Rather disturbing, but probably effective in terms of children disclosing information and trusting strangers.
Flash presentation, audio and screen activity, showing phishing symptoms and indications in a message.
Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers?
(Actually, pigs are pretty clever critters ...)
Video presentation from Watchguard. Fairly simplistic.
Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)
(Very) slightly more technical.
Links to a number of security related videos. Some technical, some simple.
Seemingly a promo for the company, this series of videos pretends to use sexy ladies to teach you about vulnerability scanning and penetration tools. The material is far too simplistic to teach anything at all about the technology, but could be a cute intro for an awareness session. Unfortunately, while the company promised to do new videos regularly, they only seem to have produced six.
Video clips of shredding all kinds of things. Nothing to do with security per se, but fun to show when you are talking about destruction of data or BCP events. (Be sure to check out the cars.)
An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.
Watchguard video on "sidejacking." Not much detail, but interesting to see how easy the tools make it.
Interesting video demonstrating (on YouTube) the use of YouTube to hide malware nature and activities.
David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.)
(In case that link goes bad, another copy is at http://www.acsac.org/2005/papers/Bell.pdf )
A year later he presented another paper, available at http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf
SE Linux has been formally verified. This not only verifies the safety of the OS, but is also an example of formal verification (the A level of the old TCSEC/Orange book standard).
Sherwood Applied Business Security Architecture (SABSA), closely related to the Zachman framework. The SABSA site also describes a process and other functions.
One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.
The original article outlining the Zachman Framework, a business architecture model sometimes used as a breakdown model for security planning.
Current (2010) model of the Zachman framework. (At the moment, the original zifa.com site and zachmaninternational seem to be pretty badly bent.)
This is my security frameworks presentation, in PowerPoint. (It's compatible with OpenOffice.) Not just a deck of slides, it has a whole article on the topic embedded in the notes. I used to point at the ISC2 awareness materials, but they seem to change.
Prices for the standards vary tremendously. For those that have been accepted as ANSI standards, this is one of the cheapest places to get copies of the standards.
A cooperative effort from the ISO 27001 security mailing list
ISMS International User Group (IUG), also ISMS Journal. (ISMS, Information Security Management System, is a term used in BS 7799 and its descendants and almost nowhere else: it is an indication of BS 7799/ISO 27K relation.)
An apparently free electronic magazine. (Existing issues all seem to date from 2004: the most recent edition brings up a link to a German consultancy that seems to be doing the publishing.) News (mostly old) of meetings and events, some general security articles, remarkably little on BS 7799/ISO27K materials. (Issue 5 does have a nice piece on 17799 and software development.) The subscription address currently appears to be defunct.
International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline framework. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")
ISO 27000:2009, the overview document for the 27000 family of standards, is now published and available as a free download. It outlines the 27000 standards (to date) and provides a very brief glossary. For some reason the standard comes as a zip archive file of a PDF. When you go to the link, you will be briefly redirected to a licence page, and have to agree in order to get the document.
White papers, templates, and sample documents from the ISO27k implementers
Part of Gary Hinson's collection of ISO 27K materials. Case studies, policies, statements, and other supporting documents.
Mailing list for discussion of, and resources for, ISO 27000 family and other security frameworks. (Not an official ISO list: run by Gary Hinson.)
Information and resources on ISO 27000 family and other security frameworks. (Not an ISO site: run by Gary Hinson.) A handy (though short) FAQ, list of books, and links to relevant sites.
A fairly simplistic set of questions, and you, basically, do all the work, but it can give you a bit of a feel. Seems to be based on the capability maturity model. (I'm reasonably sure that they will use the data to try and sell you some consulting, but ...)
Praxiom is primarily interested in selling you their products and services, but this section of their Website does have some helpful material in getting an overview of ISO 27001 and what people are doing about it. (The site also has materials on other parts of the ISO 27K family.)
An internet user group dedicated to the ISO information security standards. Content is very thin.
Public collaboration 'wiki' for both ISO 17799 and ISO 27001. At present, the contents are rather thin.
Checklist for the BS 7799/ISO 27K family of standards. Also some pages tersely outlining BS 7799 and its descendants.
Alan Calder's site, selling Alan Calder's consulting, books, and toolkits, much of which has (nominally) to do with BS 7799/ISO 17799. (Can't say for sure about the consulting, but the books and toolkits are verbose and of limited utility. Some documents and templates will save you a bit of time in terms of documenting your process.)
ISACA maps of CobiT to ITIL, NIST SP 800-53, CMMI, ISO 17799/27002, Project Management BOK, and others.
This copy hosted on the CCCURE site. I don't know who the U.S. Cyber Consequences Unit (US-CCU) is (aside from the two authors), but the material is generally decent. (Some of the items are a bit bizarre.) It can also be found at http://www.cyberunitss.com/files/cybersecuritychecklist2007.pdf
No lack of self-esteem for these guys, but they do have some documents publicly available, particularly the Standard of Good Practice. This is incredibly verbose, but boils down to a checklist both of objectives and of specific activities or controls. You have to register to get the doc.
North American Electric Reliability Corporation (NERC) standards, some of which address computer systems and/or physical security surrounding computer systems.
The PCI (Payment Card Industry) Data Security Standards. You can get the standard itself, plus various supporting documents. As of October 2008 the current standard is 1.2.
Quite exhaustive listing of a wide variety of infosec frameworks, guidelines, and documents. Brief descriptions. Covers ISO, NIST, RFCs, and FIPS, among others.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Big on internal controls. Breakdown grid similar to Zachman but with finer granularity and three dimensions.
International Telecommunications Union (ITU) project attempting to list and describe the various infosec documents, standards, and frameworks. A particular standard may be hard to find, but the range and scope is interesting.
The Institute of Internal Auditors (The IIA), has a number of Global Technology Audit Guides (GTAGs). These are available free on the site (or you can purchase printed copies), and cover areas such as Developing the IT Audit Plan, Business Continuity Management, Identity and Access Management, Auditing Application Controls, Information Technology Outsourcing, Managing and Auditing IT Vulnerabilities, Managing and Auditing Privacy Risks, Management of IT Auditing, Continuous Auditing, and Change and Patch Management Controls.
It's not always easy finding the real ITIL among the crowd of people (and Websites) wanting to jump on the bandwagon. (Nor is it made any easier by the fact that they keep changing the site.) Anyway, here 'tis currently.
An attempt to map all of the various security frameworks. Some useful information, not always presented in ways easy to understand. They will also try to sell you spreadsheets of the comparisons.
An attempt at a standard for penetration testing. Given the complexity of drawing up a pentest contract, I'm all for the idea, but I'm not sure how well this one works out. Probably needs more work.
Project Quant is supposed to be a database security framework. At this stage it seems to be a decent outline of security in general, although there doesn't appear to be much in place that is particular to database security as a specialty.
Repository of the old "rainbow" series of books, including the TCSEC "Orange Book," at the NIST CSRC site.
What type of organization (how mature) you are, based mostly on formality of processes.
A product of the banking and financial community, at one time, BITS stood for
Part consulting, part product: security risk assessment based on a standardized, online, data collection tool.
Self-assessment tool to be used in preparation for audit, mostly for financial institutions.
A little over a third of this ebook is promotional material for the authors. Another third is fairly generic background on Wi-Fi and infosec. Roughly a quarter of the pages are dedicated to a simplistic set of recommendations for securing wireless LAN systems, particularly at home. But it's better than nothing.
Global Threat Map, Threat Briefs, Top Threat Sources, Threat Index, Top Internet Attacks, and Vulnerability Risk Index using a distributed network of sensors
An illustrated guide to one of the recently noted problems with DNS.
A test for your DNS resolver against a recent weakness.
This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets). It also suggests certain actions which could mitigate such activity. The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation.
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html ). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf )(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).
Solid explanation of fast-flux technology (used by botnets) from the HoneyNet Know Your Enemy project.
How to extract the personal information for a Gmail or Google ID. Not sure whether this bug has been fixed, but the process is interesting in itself.
Advertised as RSTEG (Retransmission STEGanography), the technique described in this paper actually uses the standard TCP operations to allow you to set up a kind of covert channel. Interesting idea, although likely neither terribly dangerous nor important.
The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)
Paper on the risks associated with social networking sites, specifically using LinkedIn as an example.
This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.
Polly wanna crack a WPA network? A cloud based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130 million word dictionary against it, in as little as 20 minutes.
Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?
An old rec.humor.funny posting about how to abuse your opponent in a flame war. A good guide to remember what *not* to say in any online "discussion."
This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter?
If you've sent me a message, and never got an answer, how detailed was your subject line?
This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.
Promiscuous mode, the ability to read all traffic on the network segment even if it's not addressed to you, can be used to mount attacks. It's usually considered a passive attack, because it is used for sniffing. However, there are means to determine if a card on the system is in promiscuous mode.
The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on arrow icons (<>) at the upper right hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.)
However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.
Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.
Fast flux, the rapid rotation of DNS records to point from a single domain name to a number of separate machines, is widely used in malware serving, phishing scams, and other related net nastiness. Unfortunately, the basic concepts are also used for legitimate purposes, such as performance enhancement on large and popular sites, or the prevention of net censorship.
The initial report of the Fast Flux Hosting Working Group of the Generic Names Supporting Organization (GNSO) of ICANN (Internet Corporation for Assigned Names and Numbers) contains a good deal of information and thought, and should receive wider dissemination and consideration than it has to date.
Free Network Project, demonstrating the use of encryption and onion routing in securing a network against analysis.
Onion routing is a technique for anonymous communication over a computer network: it encodes routing information in a set of encrypted layers. It is also based on mix cascades or networks, bouncing the messages between different nodes.
Port knocking could be used to authenticate requests, but the request and authentication could be observed, and this may be security by obscurity. Even worse, port knocking could be used to set up a covert channel ...
A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.
A useful collection of links to guidelines for the use of social networking media and systems.
A collection of links to sites with information on online fraud. Reporting links for those in the US.
Handy to run through when telemarketers call. The Do Not Call list link is US, but the script should be useful for anyone.
Good article on how to dissect and trace email.
Many antispam sites tell you not to provide your email address. This advice, however, doesn't work too well if you need to advertise your address so that people can contact you. This site provides some practical advice on ways to hide your address from robots and spiders, but still make it accessible to people.
Most of these techniques would also work in HTML formatted email, but, as a malware specialist, I can hardly encourage people to use HTML formatted email. For those of a malware research frame of mind, a number of these techniques are also used to hide malicious content.
A very useful "one stop" site for reporting spam. Submission is by file, rather than form, which is a pain, but you can also report by forwarding email. (There are specific instructions in order to get headers.) Knujon ("no junk" spelled backwards) seems most interested in shutting down Websites, but also has provisions for submitting general spam (to knujon@coldrain.net) as well as stocks (stockjunk@coldrain.net), drugs (rx@coldrain.net), phishing (phishing@coldrain.net), and one of the only addresses I've found for 419/advanced fee/Nigerian scams (for some reason called deposit scam: depositscams@coldrain.net).
A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/
Like PIRT, this allows you to submit spam messages for takedown of the spam server.
Delay tactic to increase demand on spamming machines
Information and education about 419 (aka advanced fee fraud aka Nigerian) scam messages and reporting.
Basic physical layer transmission fundamentals don't get covered much these days, which makes the more advanced technologies that much more mysterious. This DOCSIS (Data Over Cable Service Interface Specification) tutorial is fairly simplistic, but it does provide some starting concepts in order to understand what is going on with cable modems. More details, and other pointers, are available at Wikipedia: http://en.wikipedia.org/wiki/DOCSIS
Some people disagree, or use other assignments, but this is the formal standard. IANA is also a source for domain name, IP address, and autonomous system (AS) number information.
This IBM blog entry provides a basic summary of the NIST work on defining cloud computing (available at http://csrc.nist.gov/groups/SNS/cloud-computing/index.html), as well as some related jargon. It provides a fundamental starting point and basis for assessing "cloud" systems and providers.
Simplistic paper outlining the OSI 7 layer model.
For those teaching, or even seeking to understand, TCP/IP packet headers, a lovely collection of figures which illustrate the functions quite well. There is no textual explanation; this is not a tutorial or introduction; but as a reminder of some of the most important information, it's great.
Open Web Application Security Project (OWASP), presentations, video, papers, blogs, mailing lists.
A sneaky way to hack a site in such a way that only newbies get caught ...
A description of various oddities in the way different browsers handle different code and other Web-related entities. These differences can possibly be exploited in security attacks. Internet Explorer (a few versions), Firefox (a few versions), Safari, Opera, Chrome, and Android are examined.
You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all.
This one is about cloud computing and security, and makes a few cute points about security in general.
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
An interesting piece of research and discussion, examining browser vulnerabilities, and the risk to the computing environment as a whole, in light of a large number of factors.
An analysis of current Web-based federated ID and single sign-on systems. Research paper, online checking tool, and a discussion forum.
Just a list of XSS attacks, but a way to check that your Web app filter will catch things.
The Business Continuity Institute does have a local chapter, but the only way you can get in touch with them is via email: BCForum.Leader@Gmail.com
Note that the Website is www.thebci.org. If you try www.bci.org you will end up with a Bahai computer group.
CIPS is focused on IT excellence through its work on public policy, setting standards within the profession and providing IT support to its community.
Information Systems Security Association (ISSA) is an association dedicated to providing forums, publications, and peer interactions to professionals who are security practitioners or responsible for managing their organization's technology and data risks.
NSEMO (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.
For those wanting a less formal association, this group is trying to meet up for pub nights once a month.
Not really a book, this is more of a checklist of topics. The English used in the text is not the best, and there is very little in the way of explanation. It is also quite incomplete. (For example, there is almost nothing on BCP, OpSec, and Law/Investigation.) However, for those without other resources, if you can understand the points, and find the flaws, in this material, you have a good chance of passing the CISSP exam. (NB: the author sells consulting and training. Given the quality of the book you might want to save your money on the training.)
Open source laptop tracking. (Absolute Software is in for it now ...)
This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.
cccure.org is a fairly famous resource for those studying for the CISSP exam. There are various papers and other resources, and the famous quizzes. (The quizzes have, of late, been inundated with questions of rather low quality, but they are the most widely used and accessible, and certainly no worse than many others.)
This presentation is a general overview of the CISSP, buried in a major sales pitch for cccure.
Fred is the grandfather of antiviral/malware research, and has been around the security field for a long time. His books, particularly, are always unusual, but always worthwhile.
This is a rather odd site, and I'm not sure where to put it. However, it would seem to be useful, mostly for those in the US who want to get post secondary programs related to jobs in the Department of Homeland Security. These may have application for others, as well.
Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.
A rather annoying site that is not easy to use and doesn't always have security related materials, but is always willing to redirect you to a sales event to which you probably can't come.
The actual security newsletter does have some good pieces.
free package that installs a minimal OpenSSH server and client utilities
collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as full-strength general purpose cryptography
Project Quant is supposed to be a database security framework. At this stage it seems to be a decent outline of security in general, although there doesn't appear to be much in place that is particular to database security as a specialty.
A sort of oddball portal site, listing various security tools and software, also has a somewhat simplistic security guide that you can download (if you can figure out how to access it).
Selenium is a suite of tools to automate web application testing. The IDE is a tool to make that even easier.
protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis
program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer)
This is not a vendor site as such, but a (briefly) annotated list of the most highly regarded (and used) security tools and utilities. An awful lot of these are free. Unfortunately, this is currently based on a 2006 survey, but has been updated in terms of individual tools.
Grisoft antivirus product has the advantage that they have always produced a version that is available for free download. Unfortunately, a number of features and functions are not available in the free version.
ESET SysInspector is a diagnostic tool for Windows NT based systems. It allows an in-depth analysis of various aspects of your operating system, including running processes, registry content, startup items and network connections. ESET SysInspector makes dealing with a malware-infected system easier.
F-Secure's BlackLight Rootkit Elimination Technology is well-regarded in the anti-malware research community. It is available in their complete product, but can also be downloaded separately as a utility. F-Secure also provides a little bit of rootkit explanation at http://www.f-secure.co.uk/blacklight/rootkit.html.
GMER is a Polish anti-rootkit program (Windows only) available for free download.
McAfee Rootkit Detective (originally from Avert) is available for download, but the McAfee site makes sure you know it is a beta product, and requires knowledgeable application and use.
Panda tends to oversell their products, but their anti-rootkit is also available for download.
Web filtering proxy. Can be used to restrict various content, including outgoing, so useful for privacy as well. Can also be used to manage Web browsing appearance and display, including size, images, and backgrounds. Certain functions by default, highly customizable, but may require knowledge of HTML and HTTP. Because it is a proxy, works with any browser.
Accurate and well-respected scanner: office in Vancouver. Also spam filtering.
Sophos has always been a solid antivirus company, so there is no reason to think that their anti-rootkit product is any less.
As usual with most Trend Micro products, RootkitBuster sounds fairly aggressive.
One form of tarpit, this one seeking to slow down spam mail connection links.
