The CIPS Vancouver Security Special Interest Group (Security SIG) is a group of information system security professionals dedicated to promoting awareness of issues and to furthering professional development in information systems.
Links Directory
Microsoft blog from the Secure Windows Initiative (SWI) team(s). Not an awful lot of detail, but some extra beyond the Knowledge Base articles.
The Building Security In Maturity Model (BSIMM) is a good framework to follow for secure software development. Those who are familiar with the various Capability Maturity Models may be a bit surprised: this model doesn't come from the same institution and doesn't follow the same pattern. It's more of a breakdown framework, with a checklist of points to address, with some assignment to limited maturity levels.
Part of the Software Assurance program, a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) provides support, and, with other contributors, develops and collects software assurance/security information to help software developers and security practitioners create secure systems. Based on software engineering and addressing a software development life cycle. Links to best practices, tools, guidelines, rules, principles, and other resources.
Complementary Objects for Software Applications. A form of object-oriented programming stated to be highly reliable. (The ability to build the underlying system is, unfortunately, not addressed.)
Thoughts from the Google development security team: some useful points in regard to secure Web apps.
Interesting discussion of cheating in online gaming and implications for application security.
Most of the white papers are a bit thin and "rah rah," but the security newsletter does have some worthwhile pieces.
Some parts Microsoft specific, but a good deal of it is a reasonable process outline.
Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities
Based on the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/), this document presents detailed descriptions of the top 25 programming errors along with guidance for mitigation. The errors are also cross referenced against related CWE items, as well as the Common Attack Pattern Enumeration and Classification (CAPEC) structure (http://capec.mitre.org/).
Open Web Application Security Project, tips, tools, discussions, a wealth of resources.
CLASP (Comprehensive, Lightweight Application Security Process) is actually a set of process pieces that can be integrated into any software development process.
This PDF lists some basic software development practices.
One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.
US Information Assurance Technology Analysis Center (IATAC) paper on development of secure software.
Gary McGraw, Brian Chess, and Sammy Migues interviewed nine executives running top software security programs. Some results showed that we are still not doing enough, even at our best. Some showed that some of the things we stress most heavily are actually wrong. The article is summarized in a bullet list at http://www.informit.com/articles/article.aspx?p=1315431&seqNum=2
The Open Group Architecture Framework (TOGAF) Architecture Development Method (ADM) whitepaper. Fairly generic and high level, but does outline what to do about security at different stages of development.
Example of permission or privilege hijacking on Windows XP and Vista. (PDF)
NSA sponsored project demonstrating the means of developing high integrity, high security software.
Overview of the Tokeneer project (in PDF)
Note also that resources for Web development security can be found under the Telecom category. (NB: due to technical limitations, this link is recursive ...)
Microsoft article on testing for XSS vulnerabilities: fairly basic.
A good set of plans for emergency response, both as resources and as templates for your own emergency documents.
Designed for community assessment of preparedness for emergency or disaster, this checklist can also be used as the outline for a corporate BCP plan and process.
Free (electronic version) business continuity/disaster response magazine.
The Justice Institute of British Columbia is acknowledged as a leader in education and training in justice, public safety and human services. The institute offers programs and courses in many areas related to Emergency Management.
North American Electric Reliability Corporation (NERC) standards, some of which address business continuity, emergency response, and disaster recovery.
Simplistic but basic disaster recovery planning advice for small businesses.
Pamphlet from Office Depot, but good for small businesses.
Some potentially helpful materials, but not well organized.
CERT.ORG advice and step-by-step instructions on creating a computer security incident response team.
Guidance on forming and operating a computer security incident response team (CSIRT)
1998 version of what incident response teams should and shouldn't be and do.
Comic book commentary on bill C-61 copyright amendments
If you find a really outrageous quote about infosec, it usually comes from either Donn Parker or Winn Schwartau. (If you find a really good quote about infosec, it usually comes from Gene Spafford or Bruce Schneier.) Donn frequently makes the point that the widely used CIA triad (Confidentiality, Integrity, and Availability) is insufficient to describe the totality of what we need to consider in the infosec field, and proposes a "hexad" of confidentiality, possession, integrity, authenticity, availability, and utility.
(Note also that Donn asserts the definitions of integrity and authenticity in the Wikipedia entry are flawed.)
An interesting blog entry. Ken's "response" may be a bit over the top, but the teacher's letter does, definitely, show the prejudice and uphill battle that open source software is facing. Could relate to intellectual property legal issues, or just general culture and awareness ...
In order to be patentable, an invention has to be novel, useful, and non-obvious ...
Various important essays and reports from the early days of infosec.
Kids are making up fake licence plates, pasting them over their own, and then deliberately getting "caught" by traffic cameras so that someone else gets the ticket. This is being used to maliciously "joe job" people they don't like. Traffic camera tickets have, of course, very weak authentication.
Interesting examination of the failure of CCTV to deter crime in the UK. Points out the need to know what your CCTV requirements are: simply installing the tech is not enough.
The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C. A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President. Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better. This report has been promoted on a number of security mailing lists as an important set of recommendations. It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.
Fairly simplistic explanation of the home router DNS attack.
In Canada you'll get the mail back, postage due ...
I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection.
Why proprietary algorithms are a bad thing.
A 60 Minutes story about a particular case of online poker cheating. Would you trust large sums of money, or the drugs upon which your life and health depend, or private and intimate details of your life to total strangers, about whom you know nothing?
The answer, in case after case, appears to be "yes."
The Washington Post version is at http://www.washingtonpost.com/wp-dyn/content/article/2008/11/29/AR200811...
You may have seen or heard of Peter Gutmann's review of Vista. Despite controversy, it has some important things to say not only about DRM, but also about the security of the platform, in certain respects. (For example, the DoS possibilities, and also the new impetus for hackers of all stripes to delve into the internals of the system.)
1979 version of the RAND report on computer security, originally done in 1970.
Satirical article on how not to review security (antivirus) software. Although Sarah Tanner, a secretary, is credited with the article, it was actually written by Alan Solomon.
Classic paper on "how far back do you have to check?" (This paper has spawned a widely held myth that Thompson actually did create a backdoor into all versions of UNIX and every program created with C.)
Excerpt from the book, detailing the flaws in "security by obscurity"
Video "documentary" about early hackers, somewhat simplistic.
Gene Spafford on our "putting out fires" mentality
A story on two studies into the effects of new communications technology on language and slang. The UK Post Office study is available at ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf. Unfortunately, the Australian study doesn't seem to be linked, and it is the one pointing out the greater risk.
Has VANOC gone too far with trademark? Can they trademark phrases in the public domain, or commonly used?
Interesting, though unsurprising, paper from the US DoD Security Institute studying motivation for espionage.
Want to know how to have more secure logins online? Don't ask the banks ...
Interesting video commentary from the UK on photography in public places.
Given at the Zurich Seminar, April 1984, by John Gordon. Absolutely priceless.
Colbert Report take on the Protect America Act. Political and biased, but amusing look at aspects of privacy and surveillance.
This out-of-office message ended up on a Welsh road sign. There was a recent instance of "Translate server error" ending up on a Chinese restaurant sign as well. Be careful of "believing" automated messages.
Cute video on mailing list/forum/group netiquette
A cute pictorial essay (PDF) with pictures of unsafe and insecure working situations. (Don't try these at home ...)
Some fun advertising videos from Iron Mountain starring John Cleese.
An extremely long, but somewhat amusing, ad for Kaspersky, in old silent movie style.
Amusing commentary on the Playmobil Security Check Point toy
Practicing safe hex, version 2. Since I use key signing parties when teaching about digital signatures and certification, I probably found this *way* too funny ...
Amusing list of excuses we've all heard before. (I wonder where the master list is?)
PowerPoint slide deck stuffed with all kinds of (too true to be funny) security maxims that they *didn't* teach you about in the CISSP seminar.
We have all kinds of systems to help us out. Sometimes they help us *way* out. Sometimes they create the most amazing problems. This article addresses that kind of situation.
(I recall a, well, "politically correct checker," I suppose, which, some years ago, amended a newspaper article in order to inform people that a certain local municipal government was, fiscally speaking, "back in the African-American" ...)
We were discussing DNA identification, and someone came up with this ad for a PCR machine ...
Australian video, "would anybody be stupid enough to let a trojan horse in today?"
A list of free security utilities by category. Could quibble about whether they are all best of breed, but a handy list for home and small office users.
Interesting project to provide low-cost computers for education in developing countries. Security implications, anyone?
A set of tips for protecting your credit card, and your identity information, when you use it. Fairly standard advice, but a good set to keep in mind.
An amusing illustration of the "birthday attack" against hash functions.
A group recently published a paper at the 25th Annual Chaos Communication Congress in Berlin, called "MD5 considered harmful today: Creating a rogue CA certificate." This has resulted in a lot of speculation. Here is the paper itself for your consideration and analysis.
Like it says, rainbow tables freely available, along with password cracking services. Also some explanation of the technology.
Wikipedia on MD5 and the related attacks: good portal to references.
CERIAS video seminar, good coverage of properties of hash functions, as well.
Because of the weaknesses found in SHA-1, MD5, and other widely used hash algorithms, NIST has opened a public competition to develop a new cryptographic hash algorithm that can be used for digital signatures, message authentication and other applications. The new hash algorithm will be called SHA-3.
Video presentation from Watchguard. Fairly simplistic. Doesn't go into the creation of the tables.
Full paper of the attack on WPA. Useful only for very small packets, but could be used in (for example) ARP poisoning attacks.
Almost no tutorial value, but some crypto fun and a bit of history.
Colossus was the "brute force" part of the attack against Enigma during the second world war. Recently one of the devices was rebuilt.
Kerckhoffs was right: proprietary and secret systems need to be viewed with extreme suspicion.
NSA 1972 document declassified in 2007. Interesting that some parts are still classified.
Basic instructions for use of GnuPG, but also discusses some basic crypto concepts and key management issues.
Bruce Schneier's (and seven others') submission to NIST for the next Secure Hash Algorithm.
Part of this is coding executable programming. Part of it is steganography. Part of it seems to be a bit of a kick at export restrictions on cryptographic software. You may have to be a little bit crazy to understand the purposes behind it.
Canada is a Common Law (as opposed to Civil or Code Law) legal system, and therefore subject to a charter document. In the case of Canada, this is the Canadian Charter of Rights and Freedoms.
This is the presentation that was banned by a Boston court, detailing the specifics of how to defeat the "protections" on the Boston transit MIFARE card. The same system is also in use elsewhere.
A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/
Some interesting things you didn't know about the most widely used computer forensics tools.
US Department of Justice site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.
Outlines a method and procedure for overall management of digital forensic analysis.
A process for getting started creating a computer security incident response team, from CERT.
An explanation of copyright and the concept of "fair use" using clips from a whole bunch of Disney animated movies. Sometimes hard to follow, but priceless. It has been uploaded multiple times to YouTube.
Brief IEEE Spectrum article on copyright and fair use, touching on use on the Web and in blogs.
A slashdot posting about a McDonalds attempt to patent the process for making a sandwich.
How novel is this?
The fact that the US issues software patents has long been a contentious issue. This recent decision may reduce that protection.
The research behind all the stories about being able to retrieve data from memory (DRAM) even after the computer is powered off.
Tips for detecting falsehoods in interviewing and interrogation.
US NIJ simple guide for collecting digital evidence. (PDF)
The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted.
Information about the Canadian Do-Not-Call list and legislation, as well as an "opt out" message generator to get you off the lists of "exempt" organizations.
Intended to enable communicating organisations to include privacy enhancing technologies (PETs) in large-scale web-based services for the general public and customers.
Detailed discussion of the common retail practice of collecting drivers licence information. Other discussion is at http://www.privcom.gc.ca/media/nr-c/2008/nr-c_081202_e.asp, and a PDF version is at http://www.privcom.gc.ca/information/pub/guide_edl_e.pdf
Map listing the different aspects of data breach notification laws in the US: click on a state and a popup box gives you specifics.
Not an awful lot of information on the site, but it does have a list of rootkit detection software. There are brief descriptions of the products. Be careful of the download links: they can be misleading in terms of what you are actually getting.
US Dept of Energy paper: Parasite Programs; Adware, Spyware, and Stealth Networks
A Windows ... "extension" of the ClamAV open source AV scanner. ClamWin has an interesting relation to ClamAV, and the ClamAV people seem annoyed if anyone calls ClamWin a version or port of ClamAV.
A kind of updated version of what we have been saying for years: use multiple means of AV detection. Some interesting points and means of improving performance.
An old GreyMagic paper, but an interesting security vulnerability.
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html, full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf), which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest.
Information sharing project to detect and reduce bots and botnets
Check a suspected file against not quite as many scanners as VirusTotal.
A new way for marketers and malicious sites to store and use information on your computer.
Rich Skrenta created probably the second or third computer virus.
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
Partnership committed to protecting Internet and computer users from the threats that are caused by bad (malicious) software.
Submit a suspect file: the system does a form of black box testing, looking not at the file itself, but at its actions.
Rather simplistic but possibly handy overview of malware and surfing threats
Panda started in the US with a couple of good people, but it changed hands a few years back and I have no feeling for how good the info here is at the moment.
Limited info and lots of false entries
Open source laptop tracking. (Absolute Software is in for it now ...)
CERT MERIT project regarding insider attacks and threats.
In the course of operations, recycling of old computers is an issue. The confidentiality dangers of object reuse are reasonably well known. However, when the time comes to get rid of a bunch of old (and rather toxic, if just dumped) computer equipment, where can you send them to best effect? This project lists a number of organizations and institutions, in a number of different areas of the world, that take, refurbish, and give computers to worthy causes.
Assess incident background, scope, and escalation.
For all the trouble we have to take to protect, backup, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we delete? Overwrite? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite?
This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough.
U.S. Government Agencies attempt to automate vulnerability scanning
Tips for examining a suspect server to decide whether to escalate for formal incident response. The steps presented in this cheat sheet aim at minimizing the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.
Shhh, be wewwy, wewwy, quiet! We'we hunting disk latency. Who knew that yelling at your hard disks, far from getting them to work faster, would only make things worse? Well, when you think about it in terms of vibration, it makes a lot of sense.
There are lots of myths about TEMPEST and emanations (or emissions) security. This site provides detailed information. Unfortunately, it isn't quite as sensational as the myths, but more useful.
Specific questions and points about Alternate Data Streams (ADS).
Alternate Data Streams (ADS) are a feature of the Microsoft Windows NTFS file system. They provide a means of hiding files, data, and even applications on a system. It is difficult to detect ADS material without specialized tools.
Some information on ADS is available in this MSDN article, under the section about Multiple File Streams.
LADS (List Alternate Data Streams) utility for finding ADS.
Autorun is a function of Windows that provides for automatic execution of a program when removable media is inserted into, or attached to, the computer. It can be used for many functions. However, it is currently widely used to spread malware or attack systems simply by getting a user to plug a USB key/jump drive/thumb drive into the computer. More and more, security specialists are recommending that Autorun be disabled on Windows computers as a matter of course.
Disabling Autorun seems to be easier said than done. Here is some detailed advice from the Canadian Cyber Incident Response Centre.
CERT has fairly limited information on Autorun.
The How-To Geek provides graphical details of Microsoft's Gpedit.msc.
Of course, Microsoft has its own advice on how to deal with Autorun. This is at least their second attempt, Knowledge Base 953252. According to the CCIRC, it doesn't always work.
tildemark's advice certainly seems easy, but I'm not entirely certain that it is complete.
The Syskey utility can be used to remove or protect encryption keys from the machine
Instructions and recommendations for security of Windows Vista in a domain with Active Directory
Recommendations about how to harden computers that run Windows XP with SP2
Remember the old Identi-kit? (Ever heard of the old Identi-kit?) Well, someone put up a Flash-based version on the Web. Try it out. And see why composite pictures seldom look much like the target.
OK, OK, I know, it sounds weird. However, if you are preparing for your CISSP exam, this may be useful. When you write the CISSP exam, you are given an exam question book, and a separate mark sense answer sheet with 400 rows of five circles each. (Yes, you are correct, the actual exam has 250 questions and only four options for each. The answer sheet is used for other exams as well.)
Anyway, this site will allow you to make up your own answer sheet, so that you are operating under conditions as real as possible when you do practice tests.
A review, thirty years later, of the Bell-LaPadula model by David Bell.
A reconstruction of the first part of the famous Bell-LaPadula model. Note that this is a formal mathematical model, using symbolic logic. Not the first formal model of security, nor even the first state machine model, but one of the most useful in the early days.
The second part of the famous Bell-LaPadula model.
Full text of Morrie Gasser's 1988 book, good general introduction and guide to security.
Security professionals and practitioners need to keep up skills, and expand horizons and ideas about the infosec field. There are a few conferences that are extremely popular. However, there are a great many that are just as good (perhaps better), although not as well known. The University of Cambridge has developed a security conference database which might give some pointers and help in finding new sources of knowledge and inspiration.
Reviews of books from various fields of information security.
A partial listing (errata and updates) of information security terms.
A kind of topical index to some Microsoft security materials.
Links to reviews of recommended information security literature. The list is divided by the ten ISC2 "domains" of security.
The ten domains of the CISSP, roughly 45 minutes per domain. Slides with voiceover from Shon Harris.
A wiki on various topics of security. So far most of the material relates to attacks, insecure software practices, and Web applications. It's also a bit thin.
For those preferring to get notifications of additions in a different way, I'll be posting links to new entries on Twitter. (Of course, I'll be posting other stuff there as well.) I'll try to remember to post links to both http://www.infosecbc.org/links and http://blog.isc2.org/isc2_blog/slade/index.html
Wanna know what other security conferences you might be missing out on? Even this list isn't quite exhaustive. You might also want to check out http://iki.fi/japi/security.html#conf
Some people have asked that the material on this site be available in some kind of "feed" fashion. Therefore, at the (ISC)2 blog site, I have started blogging these entries as I add them. This material can also be obtained as an RSS feed.
Bruce Schneier's Crypto-Gram newsletter is like most of his writing. It's readable, and it's always worth reading, even if you don't agree with him. You can also look up his blog and books.
Unfortunately, you can't get the DHS Daily Open Source Infrastructure Report as a mail feed any more, you have to go to the Website to get the actual report. (It seems you can get a sort of reminder by email.) However, at the moment it is the best compilation source for news stories of security related items.
The RISKS Forum Digest, moderated by Peter G. Neumann, is the pre-eminent security-related mailing list on the Internet, and probably the oldest as well. This site, courtesy of the University of Newcastle upon Tyne, maintains a complete archive, and provides directions on how to subscribe at the RISKS Info Page, http://lists.csl.sri.com/mailman/listinfo/risks.
The material is also summarized, by Neumann, in the Illustrative Risks site, http://www.csl.sri.com/users/neumann/illustrative.html. This provides coded, on-line descriptions of the stories that have appeared in the digest.
SafeCanada is similar to the DHS daily report, and it does send you daily email reports, albeit without much detail.
Supposedly nonprofit group forming yet more security metrics, checklists and frameworks.
Communications Security Establishment training to support the IT security needs of Government of Canada professionals.
Recently there has been a bit of a debate, around the US, anyway, about whether the NSA or the DHS should have responsibility for cybersecurity.
One of the points raised is that the NSA shouldn't take on that job, since cybersecurity involves helping "ordinary" people and companies secure their own systems. (In the modern environment, silo/bastion thinking doesn't work in security: now, the fact that I have a virus means you have a problem.) And the NSA has proven itself singularly loath to tell anything to anyone.
DHS has, on the other hand, set up a cybersecurity resource. Check it out. (It'll only take a couple of seconds.)
Back? Pretty pathetic, isn't it? Maybe the NSA should take over. They could hardly do worse ...
Excellent review of security related news. "The DHS Daily Open Source Infrastructure Report (Daily Report) is collected each week day as a summary of open-source published information concerning significant critical infrastructure issues."
Industry Consortium for the Advancement of Security on the Internet (ICASI) was formed as a non-profit corporation by a group of vendors to address international, multi-product security challenges. So far it hasn't done much, but watch this space.
Reports and checklists, particularly in terms of what an investigator needs to know about Information Technology (IT) security measures in order to be able to carry out investigations in an IT environment and to give advice in crime prevention methods.
The Justice Institute of British Columbia is a leader in education, training and the development of professional standards of practice in justice, public safety and human services. The institute offers programs and courses in many public safety areas, and has online courses as well.
RCMP Technical Security Branch IT and physical security workshops and presentations for employees of federal government and other agencies.
A collection of documents and links for security awareness.
Responsible for mail and wire fraud in the US, major responsibility for advanced fee (419/Nigerian) frauds
Listings for local groups in a number of places. Some aren't representative of the local scene.
According to Bob Tremonti, the Security Professionals Information Exchange (www.SPIE.ca) meets the last Thursday of the month (plus a rather secretive sub-group of security folks in the energy sector), and the Disaster Recovery Information Exchange (DRIE West) meets -- well, it meets when someone finally gets a meeting organized ...
As he says, 10+ years worth of security bookmarks. New links added frequently, hardly ever cleaned. Lots of outdated and broken links.
Undoubtedly self-promotion, and an attempt to use Google ads to drive revenue, but some of the links are useful.
Extensive list of organizations and entities. (Note that this appears to be run by a member of a consortium that is very active in self-promotional activities ...)
A companion site for the Stallings textbook, but a good set of resources and references
From the US-CERT and DHS, a framework outlining IT security topics and levels (manage, design, implement, evaluate) to various IT security roles. As of the 2008 document it is fairly limited, but provides a good starting point.
Paper advising on termination procedures for sensitive positions
Attack trees provide a formal way of describing the security of systems, under varying attack possibilities. You represent attacks against a system in a tree structure, with the goal of the attack as the root node and different requirements for achieving that goal as leaf nodes. You can then work on denying the requirements to an attacker.
Operational risk is how the banks refer to what we know as risk management.
Like it says, fairly formal and abstract, but does explain the concepts by working with them.
Fairly hefty process, but some interesting ideas for risk assessment.
Guide from ANSI on how to perform a financial (quantitative) risk analysis of cyber threats.
Security assessment framework from the Open Information Systems Security Group (OISSG, www.oissg.org), mostly concentrating on pen testing, but some project planning material for general security or risk assessment. Document/project seems to have been abandoned mid-2006.
A collection of online courses, mostly free. Registration is required, and may be annoying. Courses require IE for use. Some are general, some MS product specific. Even those that are generic have MS specific mentions, sometimes in surprising places. The course content tends to the simplistic, but does, usually, stick to generally accepted policies and guidelines. The usage of the courses is idiosyncratic at times, but you can usually puzzle it out. The material is a mix of page-turner and slide plus voice-over. There are occasional references: these must be obtained separately. There are review questions: these are basically useless.
Mostly applicable to software development, but some general points.
Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.
Reduced version of the OCTAVE program. You can download the guidebook at this site.
A security testing or assessment framework. It is interesting that, for an "open source" document, you can only download a partial version, or an old version, unless you are a "gold" member. About half of the Lite 3 version is promotional material, the rest is a checklist of decent, but hardly surprising, checks to perform.
We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks.
This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general.
A few "Special Publications: Computer and Information Technology."
Collection of papers, posters, and presentations by CISSPs. Also at http://www.isc2.org/csa
Some information and tips on bank related scams.
Tips for securing a home (or small office) computer.
Tips for securing a home (or small office) network or Internet connected computer.
I'm not sure how useful it is, but it sure is pretty. Maps kidnappings, shootings, bombings, terrorist acts, piracy (non-recording), and a bunch of other nasty stuff.
This portal says it is under the direction of ISSA UK, but Reed Exhibitions seems to play a major role ...
Slides/text with voiceover. There is also a test that might get you a certificate, but it wouldn't let me use any of my email addresses, so I know nothing about it.
Process for developing a security awareness program. Rather generic and abstract, but, as with all NIST material, many good points.
Some of this is only accessible to registered students, and most of it is fairly simple, but it's good, straightforward, and clear. Decent model to follow. (Some aspects do date quickly ...)
A list of various scams, and ways to recognize (and sometimes report) them. The descriptions are fairly simple, but the scope is useful.
EU programme for home computer security, mostly benchmarking filtering software.
A list to jumpstart some thinking ...
Some posters in the style of the well-known motivational posters. Some are fairly odd, but they are cute.
Pamphlet from Office Depot, but good for small businesses.
"Security Awareness for Small Business, Home Office and Home computing." A brief outline, plus some links. Contact the page owner to download additional handout materials.
Rather simplistic but possibly handy overview of malware and surfing threats.
Virginia Information Technologies Agency (VITA) (state government) Information Security Awareness Toolkit. Contains the "Duhs of Security" video (listed in the video and multimedia section here) in both viewable and downloadable format, and with subtitles and without, as well as other links and resources.
Childnet has some publications and resources that you might find useful. The overall tone seems a tad commercial and self-promotional, but that doesn't mean that you can't take what has value and ignore the rest.
Whitelisting program for kids; top ranking from EU Safer Internet benchmarks.
These guidelines are written for parents of children at primary or elementary schools: aged 5 to 12.
Project for development of licence-free, security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students. (Which is interesting, because they also seem to have licence requirements or arrangements.) The materials are very simplistic, and, despite supposedly being aimed at school age students, don't seem to have anything that would appeal to that audience.
Very limited resources, and some training files available only to members. Not much content here.
Big on flash, videos, and commercial materials, a bit thin on actual content. Directed at parents, educators, and policymakers.
Book (in PDF format), slides, handouts and other resources for an educational program. A specifically Canadian version is also available.
Allan Alton's presentation, hosted by Delta Police Dept. Particularly good on background info.
Internet safety for kids from the Canadian government.
A bit gimmicky, maybe, but some general awareness of online security. See also http://www.ecdl.com/countries/index.jsp
Limited materials, mostly oriented to the company's products.
Fairly simplistic, but a set of slides and voiceover available free of charge ...
Short piece from Fortify Software; no detail, but possibly useful as an awareness intro.
Rather superficial (do we really need to know about source code and compilers, and lots of shots of Corey looking mean?), but an introduction to the basic idea and concepts.
Another Watchguard video, about email attachments.
Part 1 (of 2) of a BBC piece on debit card (chip and pin) fraud. Ross Anderson is interviewed. (Piece must be a bit old: pan of his office shows Sec Eng 1st edition.)
Part 2 of the BBC piece. This section shows a very cavalier attitude on the part of the banks.
Roger Thompson's detailed explanation of an exploit served by a compromised bank Website.
A new design for the old ISC2 computer security awareness materials.
Simplistic, little in the way of detail.
This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It's amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won't match yours, but at least it'll get you (or your staff) thinking about some of the issues.
You've probably thought of this, but it's kind of cute. Possibly good for a discussion of bad design, or the cost/benefit of securing small transactions.
Roger Thompson and an example exploit served from a social networking site.
Rather disturbing, but probably effective in terms of children disclosing information and trusting strangers.
Flash presentation, audio and screen activity, showing phishing symptoms and indications in a message.
Video presentation from Watchguard. Fairly simplistic.
Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)
(Very) slightly more technical.
Links to a number of security related videos. Some technical, some simple.
Seemingly a promo for the company, this series of videos pretends to use sexy ladies to teach you about vulnerability scanning and penetration tools. The material is far too simplistic to teach anything at all about the technology, but could be a cute intro for an awareness session. Unfortunately, while the company promised to do new videos regularly, they only seem to have produced six.
Video clips of shredding all kinds of things. Nothing to do with security per se, but fun to show when you are talking about destruction of data or BCP events. (Be sure to check out the cars.)
Watchguard video on "sidejacking." Not much detail, but interesting to see how easy the tools make it.
Interesting video demonstrating (on YouTube) the use of YouTube to hide malware nature and activities.
One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.
This is my security frameworks presentation, in PowerPoint. (It's compatible with OpenOffice.) Not just a deck of slides, it has a whole article on the topic embedded in the notes. I used to point at the ISC2 awareness materials, but they seem to change.
Prices for the standards vary tremendously. For those that have been accepted as ANSI standards, this is one of the cheapest places to get copies of the standards.
A cooperative effort from the ISO 27001 security mailing list.
ISMS International User Group (IUG), also ISMS Journal. (ISMS, Information Security Management System, is a term used in BS 7799 and its descendants and almost nowhere else: it is an indication of the BS 7799/ISO 27K relation.)
An apparently free electronic magazine. (Existing issues all seem to date from 2004: the most recent edition brings up a link to a German consultancy that seems to be doing the publishing.) News (mostly old) of meetings and events, some general security articles, remarkably little on BS 7799/ISO27K materials. (Issue 5 does have a nice piece on 17799 and software development.) The subscription address currently appears to be defunct.
International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline framework. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")
ISO 27000:2009, the overview document for the 27000 family of standards, is now published and available as a free download. It outlines the 27000 standards (to date) and provides a very brief glossary. For some reason the standard comes as a zip archive file of a PDF. When you go to the link, you will be briefly redirected to a licence page, and have to agree in order to get the document.
White papers, templates, and sample documents from the ISO27k implementers.
Part of Gary Hinson's collection of ISO 27K materials. Case studies, policies, statements, and other supporting documents.
Mailing list for discussion of, and resources for, ISO 27000 family and other security frameworks. (Not an official ISO list: run by Gary Hinson.)
Information and resources on ISO 27000 family and other security frameworks. (Not an ISO site: run by Gary Hinson.) A handy (though short) FAQ, list of books, and links to relevant sites.
A fairly simplistic set of questions, and you, basically, do all the work, but it can give you a bit of a feel. Seems to be based on the capability maturity model. (I'm reasonably sure that they will use the data to try and sell you some consulting, but ...)
An internet user group dedicated to the ISO information security standards. Content is very thin.
Public collaboration 'wiki' for both ISO 17799 and ISO 27001. At present, the contents are rather thin.
Checklist for the BS 7799/ISO27K family of standards. Also some pages tersely outlining BS 7799 and its descendants.
Alan Calder's site, selling Alan Calder's consulting, books, and toolkits, much of which has (nominally) to do with BS 7799/ISO 17799. (Can't say for sure about the consulting, but the books and toolkits are verbose and of limited utility. Some documents and templates will save you a bit of time in terms of documenting your process.)
This copy hosted on the CCCURE site. I don't know who the U.S. Cyber Consequences Unit (US-CCU) is (aside from the two authors), but the material is generally decent. (Some of the items are a bit bizarre.) It can also be found at http://www.cyberunitss.com/files/cybersecuritychecklist2007.pdf
No lack of self-esteem for these guys, but they do have some documents publicly available, particularly the Standard of Good Practice. This is incredibly verbose, but boils down to a checklist both of objectives and of specific activities or controls. You have to register to get the doc.
North American Electric Reliability Corporation (NERC) standards, some of which address computer systems and/or physical security surrounding computer systems.
The PCI (Payment Card Industry) Data Security Standards. You can get the standard itself, plus various supporting documents. As of October 2008 the current standard is 1.2.
Quite exhaustive listing of a wide variety of infosec frameworks, guidelines, and documents. Brief descriptions. Covers ISO, NIST, RFCs, and FIPS, among others.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Big on internal controls. Breakdown grid similar to Zachman but with finer granularity and three dimensions.
International Telecommunications Union (ITU) project attempting to list and describe the various infosec documents, standards, and frameworks. A particular standard may be hard to find, but the range and scope is interesting.
The Institute of Internal Auditors (The IIA), has a number of Global Technology Audit Guides (GTAGs). These are available free on the site (or you can purchase printed copies), and cover areas such as Developing the IT Audit Plan, Business Continuity Management, Identity and Access Management, Auditing Application Controls, Information Technology Outsourcing, Managing and Auditing IT Vulnerabilities, Managing and Auditing Privacy Risks, Management of IT Auditing, Continuous Auditing, and Change and Patch Management Controls.
It's not always easy finding the real ITIL among the crowd of people (and Websites) wanting to jump on the bandwagon. (Nor is it made any easier by the fact that they keep changing the site.) Anyway, here 'tis currently.
An attempt to map all of the various security frameworks. Some useful information, not always presented in ways easy to understand. They will also try to sell you spreadsheets of the comparisons.
Repository of the old "rainbow" series of books, including the TCSEC "Orange Book," at the NIST CSRC site.
What type of organization (how mature) you are, based mostly on formality of processes.
A product of the banking and financial community, at one time, BITS stood for
Part consulting, part product: security risk assessment based on a standardized, online, data collection tool.
Self-assessment tool to be used in preparation for audit, mostly for financial institutions.
A little over a third of this ebook is promotional material for the authors. Another third is fairly generic background on Wi-Fi and infosec. Roughly a quarter of the pages are dedicated to a simplistic set of recommendations for securing wireless LAN systems, particularly at home. But it's better than nothing.
Global Threat Map, Threat Briefs, Top Threat Sources, Threat Index, Top Internet Attacks, and Vulnerability Risk Index, using a distributed network of sensors.
An illustrated guide to one of the recently noted problems with DNS.
A test for your DNS resolver against a recent weakness.
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html ). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf )(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).
Solid explanation of fast-flux technology (used by botnets) from the HoneyNet Know Your Enemy project.
How to extract the personal information for a Gmail or Google ID. Not sure whether this bug has been fixed, but the process is interesting in itself.
Paper on the risks associated with social networking sites, specifically using LinkedIn as an example.
Promiscuous mode, the ability to read all traffic on the network segment even if it's not addressed to you, can be used to mount attacks. It's usually considered a passive attack, because it is used for sniffing. However, there are means to determine if a card on the system is in promiscuous mode.
Fast flux, the rapid rotation of DNS records to point from a single domain name to a number of separate machines, is widely used in malware serving, phishing scams, and other related net nastiness. Unfortunately, the basic concepts are also used for legitimate purposes, such as performance enhancement on large and popular sites, or the prevention of net censorship.
The initial report of the Fast Flux Hosting Working Group of the Generic Names Supporting Organization (GNSO) of ICANN (Internet Corporation for Assigned Names and Numbers) contains a good deal of information and thought, and should receive wider dissemination and consideration than it has to date.
Free Network Project, demonstrating the use of encryption and onion routing in securing a network against analysis.
Onion routing is a technique for anonymous communication over a computer network: routing information is encoded in a set of nested encrypted layers, each node peeling off only the layer addressed to it. Onion routing is also based on mix cascades or networks, bouncing the messages between different nodes.
Port knocking could be used to authenticate requests, but the request and authentication could be observed, and this may be security by obscurity. Even worse, port knocking could be used to set up a covert channel ...
Handy to run through when telemarketers call. The Do Not Call list link is US, but the script should be useful for anyone.
Good article on how to dissect and trace email
A very useful "one stop" site for reporting spam. Submission is by file, rather than form, which is a pain, but you can also report by forwarding email. (There are specific instructions in order to get headers.) Knujon ("no junk" spelled backwards) seems most interested in shutting down Websites, but also has provisions for submitting general spam (to knujon@coldrain.net) as well as stocks (stockjunk@coldrain.net), drugs (rx@coldrain.net), phishing (phishing@coldrain.net), and one of the only addresses I've found for 419/advanced fee/Nigerian scams (for some reason called deposit scam: depositscams@coldrain.net).
A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/
Like PIRT, this allows you to submit spam messages for takedown of the spam server.
Delay tactic to increase demand on spamming machines.
Information and education about 419 (aka advanced fee fraud aka Nigerian) scam messages and reporting.
Some people disagree, or use other assignments, but this is the formal standard. IANA is also a source for domain name, IP address, and autonomous system (AS) number information.
Simplistic paper outlining the OSI 7 layer model.
For those teaching, or even seeking to understand, TCP/IP packet headers, a lovely collection of figures which illustrate the functions quite well. There is no textual explanation; this is not a tutorial or introduction; but as a reminder of some of the most important information, it's great.
Open Web Application Security Project (OWASP), presentations, video, papers, blogs, mailing lists.
A sneaky way to hack a site in such a way that only newbies get caught ...
A description of various oddities in the way different browsers handle different code and other Web-related entities. These differences can possibly be exploited in security attacks. Internet Explorer (a few versions), Firefox (a few versions), Safari, Opera, Chrome, and Android are examined.
Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.
An interesting piece of research and discussion, examining browser vulnerabilities, and the risk to the computing environment as a whole, in light of a large number of factors.
Just a list of XSS attacks, but a way to check that your Web app filter will catch things.
CIPS is focused on IT excellence through its work on public policy, setting standards within the profession and providing IT support to its community.
Information Systems Security Association (ISSA) is an association dedicated to providing forums, publications, and peer interactions to professionals who are security practitioners or responsible for managing their organization's technology and data risks.
Not really a book, this is more of a checklist of topics. The English used in the text is not the best, and there is very little in the way of explanation. It is also quite incomplete. (For example, there is almost nothing on BCP, OpSec, and Law/Investigation.) However, for those without other resources, if you can understand the points, and find the flaws, in this material, you have a good chance of passing the CISSP exam. (NB: the author sells consulting and training. Given the quality of the book you might want to save your money on the training.)
Open source laptop tracking. (Absolute Software is in for it now ...)
Fred is the grandfather of antiviral/malware research, and has been around the security field for a long time. His books, particularly, are always unusual, but always worthwhile.
A rather annoying site that is not easy to use and doesn't always have security related materials, but is always willing to redirect you to a sales event to which you probably can't come.
The actual security newsletter does have some good pieces.
Free package that installs a minimal OpenSSH server and client utilities.
Collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as full-strength general purpose cryptography.
A sort of oddball portal site, listing various security tools and software, also has a somewhat simplistic security guide that you can download (if you can figure out how to access it).
Selenium is a suite of tools to automate web application testing. The IDE is a tool to make that even easier.
Protects against portscans, automates log file auditing, and detects suspicious login activity on a continuous basis.
Program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer).
This is not a vendor site as such, but a (briefly) annotated list of the most highly regarded (and used) security tools and utilities. An awful lot of these are free. Unfortunately, this is currently based on a 2006 survey, but has been updated in terms of individual tools.
Grisoft antivirus product has the advantage that they have always produced a version that is available for free download. Unfortunately, a number of features and functions are not available in the free version.
ESET SysInspector is a diagnostic tool for Windows NT based systems. It allows an in-depth analysis of various aspects of your operating system, including running processes, registry content, startup items and network connections. ESET SysInspector makes dealing with a malware-infected system easier.
F-Secure's BlackLight Rootkit Elimination Technology is well-regarded in the anti-malware research community. It is available in their complete product, but can also be downloaded separately as a utility. F-Secure also provides a little bit of rootkit explanation at http://www.f-secure.co.uk/blacklight/rootkit.html.
GMER is a Polish anti-rootkit program (Windows only) available for free download.
McAfee Rootkit Detective (originally from Avert) is available for download, but the McAfee site makes sure you know it is a beta product, and requires knowledgeable application and use.
Panda tends to oversell their products, but their anti-rootkit is also available for download.
Web filtering proxy. Can be used to restrict various content, including outgoing, so useful for privacy as well. Can also be used to manage Web browsing appearance and display, including size, images, and backgrounds. Certain functions by default, highly customizable, but may require knowledge of HTML and HTTP. Because it is a proxy, works with any browser.
Accurate and well-respected scanner: office in Vancouver. Also spam filtering.
Sophos has always been a solid antivirus company, so there is no reason to think that their anti-rootkit product is any less.
As usual with most Trend Micro products, RootkitBuster sounds fairly aggressive.
One form of tarpit, this one seeking to slow down spam mail connection links.
