CIPS Vancouver Security SIG
Promoting security awareness and development.
Links Directory
Access Control
Authorization
"Trusted Computing" FAQ:
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Luhn formula (MOD 10 check):
http://www.darkcoding.net/index.php/credit-card-numbers/
Role-Based Access Control:
http://csrc.nist.gov/rbac/
Biometrics
Biometric Consortium:
http://www.biometrics.org/
Might have been better in vendors, but ...
Biometrics article:
http://www.cccure.org/Documents/HISM/033-037.html#Heading3
Good article from ISMH 1998 edition
Face Recognition Vendor Tests:
http://www.frvt.org/
US government and military sponsored program to assess face recognition biometric products.
Pawsense keystroke analysis:
http://www.bitboost.com/pawsense/index.html
Pawsense is a program to determine whether a cat has been walking across your keyboard, and to disable the keyboard input until reactivated. It's a bit of a joke, but an example of keystroke analysis biometrics.
Password/passphrase
CAPTCHA:
http://www.captcha.net/
Inkblot password generator/reminder:
http://research.microsoft.com/displayArticle.aspx
RFID
Guidance for Securing Radio Frequency Identification (RFID) Systems (Draft):
http://csrc.nist.gov/publications/drafts.html#sp800-98
RFID IO tools:
http://rfidiot.org/
Application and development security
Malware
Anti Phishing Working Group (APWG):
http://www.antiphishing.org/
Various resources
AntiRootkit Software:
http://asert.arbornetworks.com/2007/04/free-antirootkit-software/
ITU Botnet Mitigation Toolkit:
http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html
Information sharing project to detect and reduce bots and botnets
Local Shared Objects -- "Flash Cookies":
http://www.epic.org/privacy/cookies/flash.html
A new way for marketers and malicious sites to store and use information on your computer.
Rich Skrenta:
http://www.cbc.ca/technology/story/2007/08/31/tech-virus.html
Rich Skrenta created probably the second or third computer virus.
Searching For Evil, Ross Anderson:
http://video.google.ca/videoplay
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
Trends in "badware":
http://stopbadware.org/home/consumerreport
Rather simplistic but possibly handy overview of malware and surfing threats
Virus Encyclopedias
* F-Secure:
http://www.f-secure.com/v-descs/
One of the top two sites
* Sophos:
http://www.sophos.com/virusinfo/analyses/
The other top site
About site:
http://antivirus.about.com/od/virusdescriptions/l/blency.htm
*Extremely* limited info
Computer Associates (CA):
http://www3.ca.com/securityadvisor/virusinfo/browse.aspx
Limited info
Kaspersky:
http://www.viruslist.com/en/viruslist.html
Often good info, but can be iconoclastic
McAfee:
http://us.mcafee.com/virusInfo/default.asp
Panda:
http://www.pandasoftware.com/virus_info/encyclopedia/
Panda started in the US with a couple of good people, but it changed hands a few years back and I have no feeling for how good the info here is at the moment.
RAV:
http://www.ravantivirus.com/encyclopedia/
Symantec:
http://www.symantec.com/enterprise/security_response/threatexplorer/threats.jsp
Limited info and lots of false entries
Trend:
http://www.trendmicro.com/vinfo/virusencyclo/
Older info good, but recent is questionable
Systems Development
Build Security In (BSI) (from US DHS):
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
Part of the Software Assurance program, a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) provides support, and, with other contributors, develops and collects software assurance/security information to help software developers and security practitioners create secure systems. Based on software engineering and addressing a software development life cycle. Links to best practices, tools, guidelines, rules, principles, and other resources.
Google Online Security Blog:
http://googleonlinesecurity.blogspot.com/
Thoughts from the Google development security team: some useful points in regard to secure Web apps.
How to Hurt the Hackers:
http://www.gamasutra.com/features/20000724/pritchard_pfv.htm
Interesting discussion of cheating in online gaming and implications for application security.
Microsoft Security Centre:
http://www.microsoft.com/midsizebusiness/security/overview.mspx
Most of the white papers are a bit thin and "rah rah," but the security newsletter does have some worthwhile pieces.
Microsoft Threat Modeling Tool:
http://www.microsoft.com/downloads/details.aspx
Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities
Token kidnapping:
http://www.argeniss.com/research/TokenKidnapping.pdf
Example of permission or privilege hijacking on Windows XP and Vista. (PDF)
Web development security:
http://www.infosecbc.org/links/
Note also that resources for Web development security can be found under the Telecom category. (NB: due to technical limitations, this link is recursive ...)
Business Continuity/Contingency and Disaster Recovery
ENISA BCP paper:
http://www.enisa.europa.eu/rmra/files/business_it_cont_rep.pdf
Large paper from ENISA.
Small business disaster planning pamphlet:
http://www.sba.gov/services/disasterassistance/disasterpreparedness/index.html
Simplistic but basic disaster recovery planning advice for small businesses.
Small business recovery planning advice:
http://www.officedepot.com/promo/pages/docs/onlinedisasterbrochure.pdf
Pamphlet from Office Depot, but good for small businesses.
UK Resilience National Recovery Guidance:
http://www.ukresilience.info/response/recovery_guidance.aspx
Some potentially helpful materials, but not well organized.
Incident Response
Handbook for Computer Security Incident Response Teams (CSIRTs):
http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
Guidance on forming and operating a computer security incident response team (CSIRT)
Commentary
51st State:
http://www.appropriationart.ca/wp-content/uploads/2008/06/51_state.pdf
Comic book commentary on bill C-61 copyright amendments
Bruce Schneier's Weblog:
http://www.schneier.com/blog/
Articles
Home DNS redirect:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
Fairly simplistic explanation of the home router DNS attack.
How to deal with junk mail (US only):
http://www.vertical-visions.com/_temp/postagepaid/index2.html
In Canada you'll get the mail back, postage due ...
How to Hurt the Hackers:
http://www.gamasutra.com/features/20000724/pritchard_pfv.htm
Interesting discussion of cheating in online gaming and implications for application security.
Peter Gutmann's review of MS Windows Vista:
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt
You may have seen or heard of Peter Gutmann's review of Vista. Despite controversy, it has some important things to say not only about DRM, but also about the security of the platform, in certain respects. (For example, the DoS possibilities, and also the new impetus for hackers of all stripes to delve into the internals of the system.)
Reader’s Guide to Reviews - Alan Solomon:
http://www.softpanorama.org/Malware/Reprints/virus_reviews.html
Satirical article on how *not* to review security (antivirus) software. Although Sarah Tanner, a secretary, is credited with the article, it was actually written by Alan Solomon.
Reflections on Trusting Trust - Ken Thompson:
Ken Thompson
Classic paper on "how far back do you have to check?" (This paper has spawned a widely held myth that Thompson actually did create a backdoor into all versions of UNIX and every program created with C.)
Rudimentary Treatise on the Construction of Locks, 1853:
http://www.deter.com/unix/papers/treatise_locks.html
Excerpt from the book, detailing the flaws in "security by obscurity"
Solving the wrong problems:
http://www.cerias.purdue.edu/weblogs/spaf/kudos-opinions-rants/post-124/solving-some-of-the-wrong-problems/
Gene Spafford on our "putting out fires" mentality
Wish-It-Was-Two-Factor-Authentication:
http://worsethanfailure.com/Articles/WishItWas-TwoFactor-.aspx
Want to know how to have more secure logins online? Don't ask the banks ...
You can't picture this:
http://current.com/items/88856223_you_can_t_picture_this
Interesting video commentary from the UK on photography in public places.
Humour
Aspamaday:
http://aspamaday.blogspot.com/
Cartoons based on subject lines in spam messages.
AT&Treason:
http://www.crooksandliars.com/2008/03/07/the-colbert-report-at-treason/
Colbert Report take on the Protect America Act. Political and biased, but amusing look at aspects of privacy and surveillance.
How to behave on a mailing list:
http://www.videojug.com/film/how-to-behave-on-an-internet-forum
Cute video on mailing list/forum/group netiquette
Insecure working conditions:
http://blog.rootshell.be/wp-content/uploads/2008/04/security-at-work.pdf
A cute pictorial essay (PDF) with pictures of unsafe and insecure working situations. (Don't try these at home ...)
John Cleese/Iron Mountain ads:
http://www.friendlyadvicemachine.com/
Some fun advertising videos from Iron Mountain starring John Cleese.
Kaspersky ad:
http://www.youtube.com/watch
An extremely long, but somewhat amusing, ad for Kaspersky, in old silent movie style.
Kiddie security awareness?:
http://www.theregister.co.uk/2008/03/07/security_check_point/
Amusing commentary on the Playmobil Security Check Point toy
Responsible Behavior [Key Signing]:
http://www.xkcd.com/364/
Practicing safe hex, version 2. Since I use key signing parties when teaching about digital signatures and certification, I probably found this *way* too funny ...
Security excuse bingo:
http://www.crypto.com/bingo/pr
Amusing list of excuses we've all heard before. (I wonder where the master list is?)
Security is like dentistry:
http://securosis.com/2006/08/30/security-is-like-dentistry/
Cute and sometimes painfully accurate
SecurityCartoon:
http://securitycartoon.com/
Some decent reminders of safe practices
The PCR Song:
http://pcrsong.notlong.com
We were discussing DNA identification, and someone came up with this ad for a PCR machine ...
Trojan Horse video:
http://www.youtube.com/watch
Australian video, "would anybody be stupid enough to let a trojan horse in today?"
TSA gangsta rap:
http://www.youtube.com/watch
Funny, but rather profane
Virus net:
http://xkcd.com/350/
My kinda cartoon. Besides, if you haven't looked through xkcd, you should.
Personal and home
Anti-Phishing Phil:
http://cups.cs.cmu.edu/antiphishing_phil/
A game to help people recognize phishing sites
Cyberbullying:
http://cyberbullying.us/
Mostly research
Free security tools:
http://peterhgregory.wordpress.com/2007/12/20/give-the-gift-of-safe-internet-use-this-christmas/
A list of free security utilities by category. Could quibble about whether they are all best of breed, but a handy list for home and small office users.
One Laptop Per Child:
http://laptop.org/
Interesting project to provide low-cost computers for education in developing countries. Security implications, anyone?
Cryptology
Chosen collisions attack on MD5:
http://www.win.tue.nl/hashclash/Nostradamus/
An amusing illustration of the "birthday attack" against hash functions.
Crypto law survey site:
http://rechten.uvt.nl/koops/cryptolaw/
Survey of crypto laws by country.
MD5:
http://en.wikipedia.org/wiki/MD5
Wikipedia on MD5 and the related attacks: good portal to references.
MD5/SHA cryptanalytic attacks:
http://www.cerias.purdue.edu/news_and_events/events/security_seminar/details.php
CERIAS video seminar, with good coverage of the properties of hash functions as well.
History
"The Search" TV show:
http://www.channel4.com/history/microsites/S/search/follow/index.html
Almost no tutorial value, but some crypto fun and a bit of history.
Colossus Mk2 Rebuild Project:
http://www.tnmoc.co.uk/ColRbd.htm
Colossus was the "brute force" part of the attack against Enigma during the second world war. Recently one of the devices was rebuilt.
Keeloq cracked:
http://www.theregister.co.uk/2008/04/03/keeloq_master_key_found/
Kerckhoffs was right: proprietary and secret systems need to be viewed with extreme suspicion.
Popularized crypto:
http://www.simonsingh.com/Crypto_Corner.html
Various stuff by a science popularizer
Software
G10 Code:
http://www.g10code.com/
GnuPG developers
GNU Privacy Guard (GnuPG):
http://www.gnupg.org/
Home of the project
GnuPG for Windows:
http://www.gpg4win.org/
Download and install
Stego tools:
http://www.jjtc.com/Steganography/tools.html
Stego tools list:
http://www.jjtc.com/Steganography/toolmatrix.htm
TrueCrypt:
http://www.truecrypt.org/
Open-source disk encryption software
Law and Investigation
A Fair(y) Use Tale:
http://cyberlaw.stanford.edu/documentary-film-program/film/a-fair-y-use-tale
An explanation of copyright and the concept of "fair use" using clips from a whole bunch of Disney animated movies. Sometimes hard to follow, but priceless. It has been uploaded multiple times to YouTube.
Copyright, blogs, and fair use:
http://spectrum.ieee.org/apr08/6115
Brief IEEE Spectrum article on copyright and fair use, touching on use on the Web and in blogs.
Crypto law survey site:
http://rechten.uvt.nl/koops/cryptolaw/
Survey of crypto laws by country.
US Dept of Justice forensics chart:
http://www.cybercrime.gov/forensics_chart.pdf
Outlines a method and procedure for overall management of digital forensic analysis.
Incident Response
Handbook for Computer Security Incident Response Teams (CSIRTs):
http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
Guidance on forming and operating a computer security incident response team (CSIRT)
US Awareness site:
http://www.ussecurityawareness.org/highres/incident-response.html
List of resources and documents
Investigation
Catching lies:
http://www.webmd.com/balance/features/10-ways-catch-liar
Tips for detecting falsehoods in interviewing and interrogation.
Electronic Crime Scene Investigation:
http://www.ncjrs.gov/pdffiles1/nij/219941.pdf
US NIJ simple guide for collecting digital evidence. (PDF)
Privacy
I Opt Out site:
http://ioptout.ca
Information about the Canadian Do-Not-Call list and legislation, as well as an "opt out" message generator to get you off the lists of "exempt" organizations.
Privacy Enhancing Technologies (PET) Wiki:
http://petweb.nr.no
Intended to enable communicating organisations to include privacy enhancing technologies (PETs) in large-scale web-based services for the general public and customers.
US Data Breach Notification Laws map:
http://www.csoonline.com/read/020108/ammap/ammap.html
Map listing the different aspects of data breach notification laws in the US: click on a state and a popup box gives you specifics.
US Safe Harbor:
http://www.export.gov/safeharbor/sh_overview.html
They don't even spell it right ...
Magazines
Chief Security Officer (CSO) Magazine:
http://www.omeda.com/cgi-win/cso.cgi
Information Security Magazine:
http://informationsecurity.techtarget.com/
Secure Computing (SC) Magazine:
http://www.scmagazine.com/us/
Operations security
Adeona:
http://adeona.cs.washington.edu/
Open source laptop tracking. (Absolute Software is in for it now ...)
NIST security configuration checklists:
http://csrc.nist.gov/checklists/
Advice for hardening platforms.
Security Content Automation Program:
http://nvd.nist.gov/scap/scap.cfm
U.S. Government Agencies attempt to automate vulnerability scanning
US Defence agency configurations:
http://iase.disa.mil/stigs/stig/index.html
Advice on hardening.
US NSA security configuration guidelines:
http://www.nsa.gov/SNAC/
Advice on hardening
Windows and Microsoft
Microsoft Threat Modeling Tool:
http://www.microsoft.com/downloads/details.aspx
Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities
NIST security configuration checklists for MS Windows:
http://csrc.nist.gov/itsec/
Advice for hardening
Vista secure configuration:
http://www.microsoft.com/technet/windowsvista/security/guide.mspx
Instructions and recommendations for security of Windows Vista in a domain with Active Directory
Windows XP Security Guide:
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx
Recommendations about how to harden computers that run Windows XP with SP2
Security and related agencies
(ISC)²:
https://www.isc2.org/
International Information System Security Certification Consortium
abuse.net:
http://www.abuse.net/
Reporting of annoying behaviour
CSE IT Security Learning Centre:
http://www.cse-cst.gc.ca/training/training-e.html
Communications Security Establishment training to support the IT security needs of Government of Canada professionals
DHS Daily Open Source Infrastructure Report:
http://www.dhs.gov/xinfoshare/programs/editorial_0542.shtm
Excellent review of security related news. "The DHS Daily Open Source Infrastructure Report (Daily Report) is collected each week day as a summary of open-source published information concerning significant critical infrastructure issues."
fraud.org:
http://www.fraud.org/
US based reporting organization
ICASI:
http://iscasi.org
Industry Consortium for the Advancement of Security on the Internet (ICASI) was formed as a non-profit corporation by a group of vendors to address international, multi-product security challenges. So far it hasn't done much, but watch this space.
Interpol cybercrime advice:
http://www.interpol.int/public/technologycrime/crimeprev/default.asp
Reports and checklists, particularly in terms of what an investigator needs to know about Information Technology (IT) security measures in order to be able to carry out investigations in an IT environment and to give advice in crime prevention methods.
NIST publications:
http://csrc.nist.gov/publications/nistpubs/index.html
HUGE resource of extremely valuable stuff
RCMP TSB training:
http://www.rcmp-grc.gc.ca/tsb/workshops/index_e.htm
RCMP Technical Security Branch IT and physical security workshops and presentations for employees of federal government and other agencies.
US Secret Service:
http://www.secretservice.gov/
Responsible for mail and wire fraud in the US, with major responsibility for advance fee (419/Nigerian) frauds
Local groups
CitySec site:
http://www.citysec.org/
Listings for local groups in a number of places. Some aren't representative of the local scene.
National Information Security Group:
http://www.naisg.org/
Relatively new group, starting some local chapters
SPIE (Calgary):
www.SPIE.ca
According to Bob Tremonti, the Security Professionals Information Exchange (www.SPIE.ca) meets the last Thursday of the month (plus a rather secretive sub-group of security folks in the energy sector), and the Disaster Recovery Information Exchange (DRIE West) meets -- well, it meets when someone finally gets a meeting organized ...
Portals and listings
Internet Crime Complaint Center:
www.IC3.gov
US gov site with links to law enforcement
Lotsa links:
http://www.fx-vista.com/
Undoubtedly self-promotion, and an attempt to use Google ads to drive revenue, but some of the links are useful.
SecurityBenchmark.com:
www.securitybenchmark.com
Extensive list of organizations and entities. (Note that this appears to be run by a member of a consortium that is very active in self-promotional activities ...)
Student Resources for Computer Security: Principles and Practice text:
http://williamstallings.com/CompSec/CompSec1e.html
A companion site for the Stallings textbook, but a good set of resources and references
Security and risk management and awareness
Personnel
Termination procedures:
http://www.usenix.org/events/lisa99/full_papers/ringel/ringel_html/index.html
Paper advising on termination procedures for sensitive positions
Risk analysis, assessment, and management
Australian operational risk portal:
http://oprisk.austega.com
Operational risk is how the banks refer to what we know as risk management.
Common Vulnerability Scoring System (CVSS):
http://www.first.org/cvss/cvss-guide.html
Fairly hefty process, but some interesting ideas for risk assessment.
ENISA risk management materials:
http://www.enisa.europa.eu/rmra/h_home.html
Limited articles and papers on risk management.
Failure Modes and Effects Analysis (FMEA):
http://www.isixsigma.com/tt/fmea/
Various guides and papers
Harmonized TRA Methodology:
http://www.rcmp-grc.gc.ca/tsb/pubs/tra/index_e.htm
Sample documents for the method
Information Systems Security Assessment Framework (ISSAF):
http://www.oissg.org/issaf
Security assessment framework from the Open Information System Security Group (OISSG, www.oissg.org), mostly concentrating on pen testing, but with some project planning material for general security or risk assessment. The document/project seems to have been abandoned in mid-2006.
Making the Case for FMEA in Managing Software Projects:
http://www.isixsigma.com/library/content/c060515a.asp
Paper
Microsoft Learning Catalogue, Security:
https://www.microsoftelearning.com/catalog/itpro.aspx#Security
A collection of online courses, mostly free. Registration is required, and may be annoying. Courses require IE for use. Some are general, some MS product specific. Even those that are generic have MS specific mentions, sometimes in surprising places. The course content tends to the simplistic, but does, usually, stick to generally accepted policies and guidelines. The usage of the courses is idiosyncratic at times, but you can usually puzzle it out. The material is a mix of page-turner and slide plus voice-over. There are occasional references: these must be obtained separately. There are review questions: these are basically useless.
Most Terrifying Video You'll Ever See:
http://www.youtube.com/watch
Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.
Security awareness
(ISC)² Awareness Centre:
https://www.isc2.org/cgi-bin/csam_resources.cgi
Collection of papers, posters, and presentations by CISSPs. Also at http://www.isc2.org/csa
Anti-Phishing Phil:
http://cups.cs.cmu.edu/antiphishing_phil/
A game to help people recognize phishing sites
Global Incident Map:
http://www.globalincidentmap.com/home.php
I'm not sure how useful it is, but it sure is pretty. Maps kidnappings, shootings, bombings, terrorist acts, piracy (non-recording), and a bunch of other nasty stuff.
Information Security Awareness Forum:
http://www.infosec.co.uk/ISAF
This portal says it is under the direction of ISSA UK, but Reed Exhibitions seems to play a major role ...
Notre Dame University infosec info:
http://secure.nd.edu/
Some of this is only accessible to registered students, and most of it is fairly simple, but it's good, straightforward, and clear. Decent model to follow. (Some aspects do date quickly ...)
Safer Internet Programme:
http://www.sip-bench.org/sipbench.php
EU programme for home computer security, mostly benchmarking filtering software
Security Awareness Slogans:
http://www.nativeintelligence.com/ni-free/awareness-slogans.asp
A list to jumpstart some thinking ...
Small business recovery planning advice:
http://www.officedepot.com/promo/pages/docs/onlinedisasterbrochure.pdf
Pamphlet from Office Depot, but good for small businesses.
Stay Safe Online:
http://staysafeonline.org/
Portal site, fairly simplistic material
Think Security First:
http://www.thinksecurityfirst.org
"Security Awareness for Small Business, Home Office and Home computing." A brief outline, plus some links. Contact the page owner to download additional handout materials.
Trends in "badware":
http://stopbadware.org/home/consumerreport
Rather simplistic but possibly handy overview of malware and surfing threats
Children
Easybits:
http://www.easybits.com/
Whitelisting program for kids, top ranking from EU Safer Internet benchmarks
Guidelines on Internet Access for Children and Parents - Les Bell:
http://www.lesbell.com.au/Home.nsf/web/Guidelines+on+Internet+Access+for+Children+and+Parents
These guidelines are written for parents of children at primary or elementary schools: aged 5 to 12.
Kids and Internet slides:
http://www.deltapolice.ca/slo/presentations/index.php
Allan Alton's presentation, hosted by Delta Police Dept. Particularly good on background info.
Vendors
K9:
http://www.getk9.com/
Web filtering software
Microsoft Security Awareness Program:
http://www.microsoft.com/technet/security/understanding/awareness.mspx
Lots of material ...
Veridion CISSP training:
http://www.veridion.net/fligne_eng.html
Fairly simplistic, but a set of slides and voiceover available free of charge ...
Video and multimedia
"New cybercrime" trailer:
http://www.youtube.com/watch
Short piece from Fortify Software, no detail but possibly useful for awareness intro.
BC government security awareness materials:
http://www.cio.gov.bc.ca/Security/video_trng/sec_aware_on.htm
Discussion starter scenario videos.
Botnets, part 1:
http://video.google.com/videoplay
Rather superficial (do we really need to know about source code and compilers, and lots of shots of Corey looking mean?), but introduction to the basic idea and concepts
Compromised Bank Website:
http://youtube.com/watch
Roger Thompson's detailed explanation of an exploit served by a compromised bank Website.
Drive-by downloads:
http://video.google.com/videoplay
Simplistic, little in the way of detail.
How to get a free meal at McDonalds:
http://www.5min.com/Video/How-to-get-a-free-meal-at-McDonalds-4186
You've probably thought of this, but it's kind of cute. Possibly good for a discussion of bad design, or the cost/benefit of securing small transactions.
Lock bumping news story:
http://www.youtube.com/watch
Memphis TV station
Most Terrifying Video You'll Ever See:
http://www.youtube.com/watch
Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.
MySpace hack:
http://www.youtube.com/watch
Roger Thompson and an example exploit serve from a social networking site.
Net safety/privacy:
http://www.youtube.com/watch
Rather disturbing, but probably effective in terms of children disclosing information and trusting strangers.
News report on wireless hotspots:
http://www.youtube.com/watch
KIRO news in Seattle
Password cracking:
http://video.google.com/videoplay
Basic description
Phishing indications:
http://www.sacs.co.za/videos/Phishing/Phishing.html
Flash presentation, audio and screen activity, showing phishing symptoms and indications in a message.
Rootkits explanation (part 1):
http://video.google.com/videoplay
Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)
Rootkits explanation (part 2):
http://video.google.com/videoplay
Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)
Rootkits explanation (part 3) (kernel mode and defence):
http://video.google.com/videoplay
(Very) slightly more technical.
SecurityTube:
http://www.securitytube.net
Portal to security related videos
Shredding videos:
http://www.ssiworld.com/watch/watch-en.htm
Video clips of shredding all kinds of things. Nothing to do with security per se, but fun to show when you are talking about destruction of data or BCP events. (Be sure to check out the cars.)
Web session hijacking:
http://www.watchguard.com/RSS/showarticle.aspx
Watchguard video on "sidejacking." Not much detail, but interesting to see how easy the tools make it.
Web session hijacking:
http://www.tgdaily.com/content/view/34324/108/
Longer and more detailed version of sidejacking.
Security frameworks
BS 7799/ISO 17799/27000 family
ANSI Webstore:
http://webstore.ansi.org/ansidocstore/default.asp
Prices for the standards vary tremendously. For those that have been accepted as ANSI standards, this is one of the cheapest places to get copies of the standards.
BSI Global BS 7799/ISO 27001/infosec page:
http://www.bsi-global.com/Global/iso27001.xalter
Mostly links to buy the standards
BSI Global home page:
http://www.bsi-global.com/index.xalter
British Standards Institute
ISMS Audit guideline document:
http://www.iso27001security.com/ISMS_Auditing_Guideline_release_1.pdf
A cooperative effort from the ISO 27001 security mailing list
ISMS International User Group (IUG):
http://www.xisec.com/
ISMS International User Group (IUG), also ISMS Journal. (ISMS, Information Security Management System, is a term used in BS 7799 and its descendants and almost nowhere else: it is an indication of the BS 7799/ISO 27K relation.)
ISMS Journal:
http://www.xisec.com/foundation.htm
An apparently free electronic magazine. (Existing issues all seem to date from 2004: the most recent edition brings up a link to a German consultancy that seems to be doing the publishing.) News (mostly old) of meetings and events, some general security articles, remarkably little on BS 7799/ISO27K materials. (Issue 5 does have a nice piece on 17799 and software development.) The subscription address currently appears to be defunct.
ISO:
www.iso.org
International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline framework. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")
ISO 27000 papers and templates:
http://www.iso27001security.com/html/white_papers.html
White papers, templates, and sample documents from the ISO27k implementers’ forum.
ISO 27001 mailing list:
http://groups.google.com/group/iso27001security
Mailing list for discussion of, and resources for, ISO 27000 family and other security frameworks. (Not an official ISO list: run by Gary Hinson.)
ISO 27001 portal site:
http://www.iso27001security.com/
Information and resources on ISO 27000 family and other security frameworks. (Not an ISO site: run by Gary Hinson.) A handy (though short) FAQ, list of books, and links to relevant sites.
ISO 27001 Self-Assessment on Information Security:
https://benchmark.wolcottgroup.com/
A fairly simplistic set of questions, and you, basically, do all the work, but it can give you a bit of a feel. Seems to be based on the capability maturity model. (I'm reasonably sure that they will use the data to try and sell you some consulting, but ...)
The ISO 27001 and 17799 User Group:
http://www.17799.com
An internet user group dedicated to the ISO information security standards. Content is very thin.
The ISO 27001 and ISO 17799 Open Guide:
http://iso-17799.safemode.org
Public collaboration 'wiki' for both ISO 17799 and ISO 27001. At present, the contents are rather thin.
Vancouver (BC) ISMS User Group:
http://ismsug.org
In starting phases
Vendors
Callio:
http://www.callio.com/
Checklist for the BS 7799/ISO27K family of standards. Also some pages tersely outlining BS 7799 and its descendants.
IT Governance:
http://www.itgovernance.co.uk/
Alan Calder's site, selling Alan Calder's consulting, books, and toolkits, much of which has (nominally) to do with BS 7799/ISO 17799. (Can't say for sure about the consulting, but the books and toolkits are verbose and of limited utility. Some documents and templates will save you a bit of time in terms of documenting your process.)
Checklists, controls, and practice lists
CyberSecurity Checklist:
http://www.cccure.org/modules.php
This copy hosted on the CCCURE site. I don't know who the U.S. Cyber Consequences Unit (US-CCU) is (aside from the two authors), but the material is generally decent. (Some of the items are a bit bizarre.) It can also be found at http://www.cyberunitss.com/files/cybersecuritychecklist2007.pdf
Identity Theft Standards Panel:
www.ansi.org/idsp
Watch this space. To report in January 2008.
Information Security Forum:
http://www.securityforum.org/
No lack of self-esteem for these guys, but they do have some documents publicly available, particularly the Standard of Good Practice. This is incredibly verbose, but boils down to a checklist both of objectives and of specific activities or controls. You have to register to get the doc.
Other
APEC Information Security Standards Handbook:
www.cio.gov/fpkisc/library/apec_tel26_v113.pdf
Quite exhaustive listing of a wide variety of infosec frameworks, guidelines, and documents. Brief descriptions. Covers ISO, NIST, RFCs, and FIPS, among others.
CObIT and ISACA:
http://isaca.org/
ISACA produces the CObIT audit guidelines.
Generally Accepted Information Security Principles:
http://www.issa.org/gaisp/gaisp.html
No results yet, but a worthy effort.
IT Unified Compliance Framework (UCF):
http://www.unifiedcompliance.com/
An attempt to map all of the various security frameworks. Some useful information, not always presented in ways easy to understand. They will also try to sell you spreadsheets of the comparisons.
Rainbow books:
http://csrc.nist.gov/publications/secpubs/rainbow/
Repository of the old "rainbow" series of books, including the TCSEC "Orange Book," at the NIST CSRC site.
Systems Security Engineering -- Capability Maturity Model:
http://www.sse-cmm.org/index.html
What type of organization (how mature) you are, based mostly on formality of processes.
US CERT Essential Body of Knowledge (EBK):
http://www.us-cert.gov/ITSecurityEBK/
Yet another outline?
Risk and assessment
BITSinfo Publications:
http://bitsinfo.org/p_publications.html
A product of the banking and financial community, at one time, BITS stood for “Banking Industry Technology Secretariat” but apparently it doesn't anymore. In any case, the BITS Website has some documents that relate to security and risk analysis. Of particular interest is the BITS Kalculator, a risk measurement/comparison tool. (Note that the site does not work with all browsers.)
Vendors
Espiria:
http://www.espiria.com/home.html
Part consulting, part product: security risk assessment based on a standardized, online, data collection tool.
RiskWatch:
http://www.riskwatch.com/
Self-assessment tool to be used in preparation for audit, mostly for financial institutions.
Securac:
http://www.securac.net/
Acertus risk assessment software
Telecom and network security
Attacks and status
Active Threat Level Analysis System (ATLAS):
http://atlas.arbor.net/
Global Threat Map, Threat Briefs, Top Threat Sources, Threat Index, Top Internet Attacks, and Vulnerability Risk Index using a distributed network of sensors
Open Source Security Information Management:
http://www.ossim.net/
Collection of open source tools and display components
Protection and tools
Freenet:
http://freenetproject.org/index.php
Free Network Project, demonstrating the use of encryption and onion routing in securing a network against analysis.
Tor:
http://www.torproject.org/
Tor onion routing anonymizing project.
Spam
(US) FTC site to report spam:
http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm
(US) sites to report spam:
http://cc.uoregon.edu/cnews/fall2002/spamreport.html
abuse.net:
http://www.abuse.net/
Reporting site for annoying behaviour
AfriNIC whois:
http://www.afrinic.net/cgi-bin/whois
Africa
Allwhois:
http://www.allwhois.com/
multiple whois database lookup
Anti Phishing Working Group (APWG):
http://www.antiphishing.org/
Various resources
Anti-telemarketing script:
http://www.junkbusters.com/ht/en/script.html
Handy to run through when telemarketers call. The Do Not Call list link is US, but the script should be useful for anyone.
APNIC whois:
http://www.apnic.net/apnic-bin/whois.pl
Asia Pacific
ARIN whois:
http://whois.arin.net/whois/arinwhois.html
One of the sources for tracing domains
Bayesian filtering:
http://www.drsolly.com/phd.htm
Alan Solomon's PhD dissertation
Bayesian filtering explanation:
http://www.paulgraham.com/spam.html
Coalition Against Unsolicited Commercial Email:
http://www.cauce.org/
Volunteer organization to agitate for solutions against spam.
Email headers and tracing email:
http://www.lesbell.com.au/Home.nsf/web/Tracing+Emails
Good article on how to dissect and trace email
Geektools:
http://geektools.com/
Various tools for tracing spam and URLs
Hormel SPAM site:
http://www.spam.com/ci/ci_in.htm
SPAM vs spam
Knujon spam reporting site:
http://www.knujon.com/
A very useful "one stop" site for reporting spam. Submission is by file, rather than form, which is a pain, but you can also report by forwarding email. (There are specific instructions in order to get headers.) Knujon ("no junk" spelled backwards) seems most interested in shutting down Websites, but also has provisions for submitting general spam (to knujon@coldrain.net) as well as stocks (stockjunk@coldrain.net), drugs (rx@coldrain.net), phishing (phishing@coldrain.net), and one of the only addresses I've found for 419/advanced fee/Nigerian scams (for some reason called deposit scam: depositscams@coldrain.net).
Lighter side of anti-spam:
http://www.rhyolite.com/anti-spam/you-might-be.html
Just to keep your sanity in the battle ...
Sam Spade:
http://samspade.org/
whois tracing tool. At one time also had utility software available.
Spam laws:
http://www.spamlaws.com/
US, EU, and other countries
Spamming Incident Reporting and Termination Squad from CastleCops:
http://wiki.castlecops.com/SIRT
Like PIRT, this allows you to submit spam messages for takedown of the spam server.
Web and Web application security
Open Web Application Security Project (OWASP):
http://www.owasp.org/index.php/Main_Page
Presentations, video, papers, blogs, mailing lists.
Searching For Evil, Ross Anderson:
http://video.google.ca/videoplay
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
XSS cheat sheet:
http://ha.ckers.org/xss.html
Just a list of XSS attacks, but a way to check that your Web app filter will catch things.
Vancouver Groups
Canadian Information Processing Society - Vancouver:
http://cips-vancouver.org
CIPS is focused on IT excellence through its work on public policy, setting standards within the profession and providing IT support to its community.
Information Systems Audit and Controls Association (ISACA) Vancouver Chapter:
http://www.isaca-vancouver.org/
ISACA is focused on IT governance, control and assurance.
ISSA Vancouver:
http://vancouver-issa.org
Information Systems Security Association (ISSA) is an association dedicated to providing forums, publications, and peer interactions to professionals who are security practitioners or responsible for managing their organization's technology and data risks.
Vendors (includes freeware and open source)
"Get Ready for CISSP Exam" book:
http://www.conformix.com/books/cissp/download/cissp-book.pdf
Not really a book, this is more of a checklist of topics. The English used in the text is not the best, and there is very little in the way of explanation. It is also quite incomplete. (For example, there is almost nothing on BCP, OpSec, and Law/Investigation.) However, for those without other resources, if you can understand the points, and find the flaws, in this material, you have a good chance of passing the CISSP exam. (NB: the author sells consulting and training. Given the quality of the book you might want to save your money on the training.)
Adeona:
http://adeona.cs.washington.edu/
Open source laptop tracking. (Absolute Software is in for it now ...)
Fred Cohen & Associates:
http://all.net/
Fred is the grandfather of antiviral/malware research, and has been around the security field for a long time. His books, particularly, are always unusual, but always worthwhile.
Microsoft Security Centre (Canada):
www.microsoft.ca/security
Various resources.
Microsoft security events and Webcasts:
http://www.microsoft.com/events/security/default.mspx
A rather annoying site that is not easy to use and doesn't always have security related materials, but is always willing to redirect you to a sales event to which you probably can't come.
Microsoft security newsletters:
http://www.microsoft.com/technet/security/signup/default.mspx
The actual security newsletter does have some good pieces.
Malware
ESET SysInspector:
http://www.eset.eu/en/eset-sysinspector
ESET SysInspector is a diagnostic tool for Windows NT based systems. It allows an in-depth analysis of various aspects of your operating system, including running processes, registry content, startup items and network connections. ESET SysInspector makes dealing with malware-infected systems easier.
F-Secure:
http://www.f-secure.com/
Accurate and well-respected scanner
Noscript:
http://noscript.net/
Firefox addon restricting JavaScript, Java, and other forms of active content.
Proxomitron:
http://www.castlecops.com/Proxomitron.html
Web filtering proxy. Can be used to restrict various content, including outgoing, so useful for privacy as well. Can also be used to manage Web browsing appearance and display, including size, images, and backgrounds. Certain functions by default, highly customizable, but may require knowledge of HTML and HTTP. Because it is a proxy, works with any browser.
Sophos:
http://www.sophos.com/
Accurate and well-respected scanner: office in Vancouver. Also spam filtering.
Spam
Emailias:
http://www.emailias.com/
Automated creation of throwaway email addresses
FairUCE:
http://www.alphaworks.ibm.com/tech/fairuce
sender identity spam filter
Mailinator:
http://www.mailinator.com/mailinator/index.jsp
Automated throwaway email address for spam filtering
MailWasher:
http://www.mailwasher.net/
Spam filter
POPFile:
http://popfile.sourceforge.net/
Sophos:
http://www.sophos.com/
Filtering software; the company formerly (and still) produces an antivirus scanner
SpamAssassin:
http://SpamAssassin.apache.org/index.html
Spam filtering program