Promoting security awareness and development.

Here are some links of interest.

Access Control

Bank (http://www.privcom.gc.ca/media/nr-c/2008/nr-c_081127_e.asp)

We usually think of access control in terms of identification, authentication, and authorization: accountability tends to get left to last. This story was interesting in that the problem stems from a failure of accountability.

Calculus CAPTCHA (http://www.theregister.co.uk/2011/03/09/calculus_based_captcha/)

A bit more sophisticated than optical character recognition.

DataLossDB (http://datalossdb.org/)

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

facebookpriv (http://www.allfacebook.com/2009/02/facebook-privacy/)

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

Flash settings (http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html)

The Flash security settings panel, particularly the microphone and Webcam setting.

MiFare presentation at DEFCON (http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf)

This is the presentation that was banned by a Boston court, detailing the specifics of how to defeat the "protections" on the Boston transit MiFare card. The same system is also in use elsewhere.

Pentest Standard (http://www.pentest-standard.org/index.php/Main_Page)

An attempt at a standard for penetration testing. Given the complexity of drawing up a pentest contract, I'm all for the idea, but I'm not sure how well this one works out. Probably needs more work.

SSN algorithm (http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-t...)

Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important.

Web SSO (http://sso-analysis.org/)

An analysis of current Web-based federated ID and single-signon systems. Research paper, online checking tool, and a discussion forum.

Biometrics

Biometric Consortium (http://www.biometrics.org/)

Might have been better in vendors, but ...

Face Recognition Vendor Tests (http://www.nist.gov/itl/iad/ig/frvt-home.cfm)

US government and military sponsored program to assess face recognition biometric products.

Irises (http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809)

Some great high-resolution shots of human irises. The detail here shows why iris scanning can be used as a distinguishing biometric.

Pawsense keystroke analysis (http://www.bitboost.com/pawsense/index.html)

Pawsense is a program to determine whether a cat has been walking across your keyboard, and to disable the keyboard input until reactivated. It's a bit of a joke, but an example of keystroke analysis biometrics.

Passwords and Passphrases

hard passwords (http://www.time.com/time/magazine/article/0,9171,2089349,00.html)

Cute essay about password choice (although not much useful help).

Naked password (http://www.nakedpassword.com/)

OK, this is probably a bad idea, but it does make some points about password choice. This is a system that you can install along with your password choice, or password change, feature. As the user enters the password, the password is analyzed for strength (length, characters, non-alpha, etc). The stronger the password the more of a picture of a lady is ... revealed. On the one hand, it provides motivation for choosing stronger passwords. On the other, it may distract the user from memorizing the password. On the third hand, it may violate company policy, or open you to sexual harassment charges. Any takers for finding some other means of motivation that is less distasteful or troublesome?

Top 500 worst passwords (http://www.whatsmypass.com/?p=415)

When having a discussion about passwords, if someone is recalcitrant, might be an idea to point them at this, and see if they turn red ...

Top 500 worst passwords (http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time)

A list of the top 500 most frequently used (and therefore eminently guessable) passwords. If you see yours, change it.

WPACracker (http://www.wpacracker.com/)

Polly wanna crack a WPA network? A cloud based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130 million word dictionary against it, in as little as 20 minutes. Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?

RFID

pig hackers http://www.youtube.com/watch?v=8ImZmDYme_s

Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...)

Application Security

DataLossDB (http://datalossdb.org/)

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

Microsoft Security Vulnerability Research and Defense blog http://blogs.technet.com/swi/comments/2684789.aspx

Microsoft blog from the Secure Windows Initiative (SWI) team(s). Not an awful lot of detail, but some extra beyond the Knowledge Base articles.

Systems Development

Anubis http://anubis.iseclab.org/

Similar to VirusTotal, but this one does an activity check, looking for dangerous operations.

BSIMM http://bsi-mm.com/

The Building Security In Maturity Model (BSIMM) is a good framework to follow for secure software development. Those who are familiar with the various Capability Maturity Models may be a bit surprised: this model doesn't come from the same institution and doesn't follow the same pattern. It's more of a breakdown framework, with a checklist of points to address, with some assignment to limited maturity levels.

BSIMM2 http://bsimm2.com/

A considerable change from the first version. Version 2 has more structure, but I'm not sure that the two-dimensional model adds much. It still isn't a "maturity" model as such. Still, anything that gets more app dev security advice out there ...

Build Security In (BSI) (from US DHS) https://buildsecurityin.us-cert.gov/daisy/bsi/home.html

Part of the Software Assurance program, a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) provides support, and, with other contributors, develops and collects software assurance/security information to help software developers and security practitioners create secure systems. Based on software engineering and addressing a software development life cycle. Links to best practices, tools, guidelines, rules, principles, and other resources.

Complexity kills http://www.switched.com/2011/03/03/state-of-the-union-security-eugene-spafford/

Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.

COSA project http://www.rebelscience.org/Cosas/COSA.htm

Complementary Objects for Software Applications. A form of object-oriented programming stated to be highly reliable. (The ability to build the underlying system is, unfortunately, not addressed.)

Google Online Security Blog http://googleonlinesecurity.blogspot.com/

Thoughts from the Google development security team: some useful points in regard to secure Web apps.

How to Hurt the Hackers http://www.gamasutra.com/features/20000724/pritchard_pfv.htm

Interesting discussion of cheating in online gaming and implications for application security.

Microsoft newsletter http://www.microsoft.com/canada/technet/securitynewsletter/default.mspx

Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.

Microsoft Security Centre http://www.microsoft.com/midsizebusiness/security/overview.mspx

Most of the white papers are a bit thin and "rah rah," but the security newsletter does have some worthwhile pieces.

Microsoft Security Development Lifecycle (SDL) http://www.microsoft.com/sdl

Some parts Microsoft specific, but a good deal of it is a reasonable process outline.

Microsoft Threat Modeling Tool http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6...

Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities.

Mitre/SANS Top 25 Programming Errors http://cwe.mitre.org/top25/

Based on the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/), this document presents detailed descriptions of the top 25 programming errors along with guidance for mitigation. The errors are also cross referenced against related CWE items, as well as the Common Attack Pattern Enumeration and Classification (CAPEC) structure (http://capec.mitre.org/).

NIST cloud def https://www.ibm.com/developerworks/mydeveloperworks/blogs/CloudComputing/entry/n...

This IBM blog entry provides a basic summary of the NIST work on defining cloud computing (available at http://csrc.nist.gov/groups/SNS/cloud-computing/index.html), as well as some related jargon. It provides a fundamental starting point and basis for assessing "cloud" systems and providers.

OWASP https://www.owasp.org

Open Web Application Security Project, tips, tools, discussions, a wealth of resources.

OWASP CLASP Project http://www.owasp.org/index.php/Category:OWASP_CLASP_Project

CLASP (Comprehensive, Lightweight Application Security Process) is actually a set of process pieces that can be integrated into any software development process.

PHP Security Manual http://www.php.net/manual/en/security.php

Online security manual for securing the use of PHP.

Quant http://securosis.com/projectquant/project-quant-database-security-process-framew...

Project Quant is supposed to be a database security framework. At this stage it seems to be a decent outline of security in general, although there doesn't appear to be much in place that is particular to database security as a specialty.

SAFECode http://www.safecode.org/

Some white papers on "best practices" in application development.

SecEconIntMrkt http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)

Security Engineering http://www.cl.cam.ac.uk/~rja14/book.html

One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.

Software Security Assurance paper http://iac.dtic.mil/iatac/download/security.pdf

US Information Assurance Technology Analysis Center (IATAC) paper on development of secure software.

Software Security Top 10 Surprises http://www.informit.com/articles/article.aspx?p=1315431

Gary McGraw, Brian Chess, and Sammy Migues interviewed nine executives running top software security programs. Some results showed that we are still not doing enough, even at our best. Some showed that some of the things we stress most heavily are actually wrong. The article is summarized in a bullet list at http://www.informit.com/articles/article.aspx?p=1315431&seqNum=2

The Open Group Architecture Framework (TOGAF) Architecture Development Method (ADM) http://www.opengroup.org/onlinepubs/7699949499/toc.pdf

The Open Group Architecture Framework (TOGAF) Architecture Development Method (ADM) whitepaper. Fairly generic and high level, but does outline what to do about security at different stages of development.

Token kidnapping http://www.argeniss.com/research/TokenKidnapping.pdf

Example of permission or privilege hijacking on Windows XP and Vista. (PDF)

Tokeneer high integrity software project http://www.adacore.com/home/gnatpro/tokeneer/

NSA sponsored project demonstrating the means of developing high integrity, high security software.

US DoD SDLC https://acc.dau.mil/ifc/

The US Defense Dept has a system for everything, and most are fairly structured. Their Integrated Defense Acquisition, Technology and Logistics Life Cycle Management System Chart is no exception. However, if you pay attention, it does provide a detailed structure and process for secure development. (Warning: their cert is self signed, and your browser may object.) You can also get the chart PDF from https://acc.dau.mil/IFC/pdfs/Front_Ver_534_June_15_2009_34x22.pdf

Web development security http://www.infosecbc.org/links/

Note also that resources for Web development security can be found under the Telecom category. (NB: due to technical limitations, this link is recursive ...)

XSS testing http://www.microsoft.com/technet/community/columns/secmvp/sv0505.mspx

Microsoft article on testing for XSS vulnerabilities: fairly basic.

sec econ http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf

Another excellent Ross Anderson paper, this one dealing with the economics of security, and why the current system is stacked against proper security.

Business Continuity

BC (Canada) Provincial Emergency Program Hazard Plans http://www.pep.gov.bc.ca/hazard_plans/hazard_plans.html

A good set of plans for emergency response, both as resources and as templates for your own emergency documents.

BC PEP Community Emergency Program Review http://www.pep.bc.ca/cepr/review.html

Designed for community assessment of preparedness for emergency or disaster, this checklist can also be used as the outline for a corporate BCP plan and process.

BCI http://www.thebci.org/

The Business Continuity Institute does have a local chapter, but the only way you can get in touch with them is via email: BCForum.Leader@Gmail.com. Note that the Website is www.thebci.org. If you try www.bci.org you will end up with a Bahai computer group.

Canadian Centre for Emergency Preparedness (CCEP) http://www.ccep.ca/

Disaster resilience materials for individuals, communities and businesses.

Disaster Management Canada http://www.ccep.ca/subscribe

Free (electronic version) business continuity/disaster response magazine.

Justice Institute of BC http://www.jibc.bc.ca/index.htm

The Justice Institute of British Columbia is acknowledged as a leader in education and training in justice, public safety and human services. The institute offers programs and courses in many areas related to Emergency Management.

NERC standards http://www.nerc.com/page.php?cid=2|20

North American Electric Reliability Corporation (NERC) standards, some of which address business continuity, emergency response, and disaster recovery.

North Shore Emergency Management Office Website with resources http://www.nsemo.org/

NSEMO (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.

Safe Canada http://www.safecanada.ca/

Site has some disaster and emergency materials and contacts.

sanitization http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.

shakeout http://www.shakeout.org/

Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM

US cyber pol review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.

Incident Response

Computer Security Incident Response Team http://www.cert.org/csirts/Creating-A-CSIRT.html

A process for getting started creating a computer security incident response team, from CERT.

Creating a CSIRT http://www.cert.org/csirts/Creating-A-CSIRT.html

CERT.ORG advice and step-by step instructions on creating a computer security incident response team.

CSIRT exercise http://www.enisa.europa.eu/act/cert/support/exercise

ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.

CSIRT setup http://www.first.org/resources/guides/cert-in-a-box/

Structure for setting up a Computer Security Incident Response Team, informed by the experience of the Netherlands government agency. Some of the graphical material can be downloaded at http://www.first.org/resources/guides/cert-in-a-box.zip, but the Website is much better.

ENISA CSIRT guide http://www.enisa.europa.eu/cert_guide/index_guide.htm

Exhaustive, and yet strangely undirected, ENISA walk through the points relevant to setting up a CSIRT. Can also be had in PDF from http://www.enisa.europa.eu/cert_guide/downloads/CSIRT_setting_up_guide_E..., which might be easier to deal with.

GetCyberSafe http://www.getcybersafe.gc.ca/index-eng.aspx

Your (federal) government dollars at work. Some reasonably decent advice.

Open Source Forensics http://www2.opensourceforensics.org/home

A reference for the use of open source software in digital investigations, that is, digital forensics, computer forensics, and incident response.

RFC 2350 http://rfc.dotsrc.org/rfc/rfc2350.html

1998 version of what incident response teams should and shouldn't be and do.

usonlinefraud http://www.ultimatecoupons.com/how-to-report-internet-fraud.html

A collection of links to sites with information on online fraud. Reporting links for those in the US.

Commentary

51st State http://www.appropriationart.ca/wp-content/uploads/2008/06/51_state.pdf

Comic book commentary on bill C-61 copyright amendments.

CIA triad versus Parkerian Hexad http://en.wikipedia.org/wiki/Parkerian_Hexad

If you find a really outrageous quote about infosec, it usually comes from either Donn Parker or Winn Schwartau. (If you find a really good quote about infosec, it usually comes from Gene Spafford or Bruce Schneier.) Donn frequently makes the point that the widely used CIA triad (Confidentiality, Integrity, and Availability) is insufficient to describe the totality of what we need to consider in the infosec field, and proposes a "hexad" of confidentiality, possession, integrity, authenticity, availability, and utility. (Note also that Donn asserts the definitions of integrity and authenticity in the Wikipedia entry are flawed.)

Computer security video from AT&T archives, circa 1990 http://www.youtube.com/watch?v=KmgkBLwxoP8

Have a giggle at the dated video and voiceover. Or, consider that most of the problems are still there ...

Holding kids back at school http://linuxlock.blogspot.com/2008/12/linux-stop-holding-our-kids-back.html

An interesting blog entry. Ken's "response" may be a bit over the top, but the teacher's letter does, definitely, show the prejudice and uphill battle that open source software is facing. Could relate to intellectual property legal issues, or just general culture and awareness ...

NIST historical papers collection http://csrc.nist.gov/publications/history/

Various important essays and reports from the early days of infosec.

Psych and sec http://www.cl.cam.ac.uk/~rja14/psysec.html

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

Traffic cameras and identity theft http://arstechnica.com/news.ars/post/20081222-dont-like-speed-cameras-use-them-t...

Kids are making up fake licence plates, pasting them over their own, and then deliberately getting "caught" by traffic cameras so that someone else gets the ticket. This is being used to maliciously "joe job" people they don't like. Traffic camera tickets have, of course, very weak authentication.

Articles

Bell-La Padula http://selfless-security.offthisweek.com/presentations/looking-back.pdf

David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.) (In case that link goes bad, another copy is at http://www.acsac.org/2005/papers/Bell.pdf ) A year later he presented another paper, available at http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf

CCTV failure to deter crime http://www.guardian.co.uk/uk/2008/may/06/ukcrime1

Interesting examination of the failure of CCTV to deter crime in the UK. Points out the need to know what your CCTV requirements are: simply installing the tech is not enough.

Cell births http://www.guardian.co.uk/science/blog/2010/dec/17/mobile-phone-masts-birth-rate

On the face of it, this has nothing to do with security. Dig a bit deeper, though, and it does. We rely on risk analysis, sometimes losing track of the dangers in the thickets of data and metrics of which we've become so fond. The article notes that there is a definite and undeniable link between the number of cellular telephone towers in an area, and the number of births. So, do cell towers cause babies? As Mark Twain said, there are lies, damned lies, and statistics.

Complexity kills http://www.switched.com/2011/03/03/state-of-the-union-security-eugene-spafford/

Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.

CSIS Commission on Cybersecurity for the 44th Presidency http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C. A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President. Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better. This report has been promoted on a number of security mailing lists as an important set of recommendations. It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.

freelicence http://diveintomark.org/archives/2009/10/19/the-point

Interesting piece by an author who explains why he is not upset by, and even welcomes, people "pirating" his book, which is published under the GNU Free Documentation License.

How to Hurt the Hackers http://www.gamasutra.com/features/20000724/pritchard_pfv.htm

Interesting discussion of cheating in online gaming and implications for application security.

Image forensics http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html

An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how. I find this particularly interesting because of the apparently widely held belief that steganography is "undetectable" without comparison to the original image. Most of the "Photoshop disasters" are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)

Interview with an adware author http://philosecurity.org/2009/01/12/interview-with-an-adware-author

I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection.

Larry Lessig IP video http://www.ted.com/talks/view/id/187

How intellectual property laws are destroying creativity.

On the Internet, nobody can tell you are an Absolute fraud and cheat http://www.cbsnews.com/stories/2008/11/25/60minutes/main4633254.shtml

A 60 Minutes story about a particular case of online poker cheating. Would you trust large sums of money, or the drugs upon which your life and health depend, or private and intimate details of your life to total strangers, about whom you know nothing? The answer, in case after case, appears to be "yes." The Washington Post version is at http://www.washingtonpost.com/wp-dyn/content/article/2008/11/29/AR200811...

Peter Gutmann's review of MS Windows Vista http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

You may have seen or heard of Peter Gutmann's review of Vista. Despite controversy, it has some important things to say not only about DRM, but also about the security of the platform, in certain respects. (For example, the DoS possibilities, and also the new impetus for hackers of all stripes to delve into the internals of the system.)

RAND infosec report, originally from 1970 http://www.rand.org/pubs/reports/R609-1/R609.1.html

1979 version of the RAND report on computer security, originally done in 1970.

Reader http://www.softpanorama.org/Malware/Reprints/virus_reviews.html

Satirical article on how not to review security (antivirus) software. Although Sarah Tanner, a secretary, is credited with the article, it was actually written by Alan Solomon.

Reflections on Trusting Trust - Ken Thompson http://www.infosecbc.org/Ken%20Thompson

Classic paper on "how far back do you have to check?" (This paper has spawned a widely held myth that Thompson actually did create a backdoor into all versions of UNIX and every program created with C.)

Rudimentary Treatise on the Construction of Locks, 1853 http://www.deter.com/unix/papers/treatise_locks.html

Excerpt from the book, detailing the flaws in "security by obscurity."

sec econ http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf

Another excellent Ross Anderson paper, this one dealing with the economics of security, and why the current system is stacked against proper security.

Sec Theatre Can Work http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works

This article describes one particular instance where security theatre can be effective protection. It is not too hard to come up with other examples: most uniformed security is, in fact, security theatre, although generally intended for a deterrent effect, rather than as illustrated in this piece.

SecEconIntMrkt http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)

socnetanonymity http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf

This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.

Studies into "textese" http://news.bbc.co.uk/go/em/-/2/hi/technology/7775013.stm

A story on two studies into the effects of new communications technology on language and slang. The UK Post Office study is available at ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf. Unfortunately, the Australian study doesn't seem to be linked, and it is the one pointing out the greater risk.

Subject lines http://www.allspammedup.com/2012/02/avoid-looking-like-a-spammer-writing-good-su...

This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter? If you've sent me a message, and never got an answer, how detailed was your subject line?

VANOC and trademark http://www.cbc.ca/canada/british-columbia/story/2008/09/25/bc-vancouver-olympics...

Has VANOC gone too far with trademark? Can they trademark phrases in the public domain, or commonly used?

What Privacy is For http://www.harvardlawreview.org/symposium/papers2012/cohen.pdf

While academic in tone, and not the easiest read ever, this paper is one of the most thought-provoking and insightful pieces on privacy that I've read in a long time. I highly recommend it.

Why spy? http://www.hanford.gov/oci/maindocs/ci_r_docs/whyhappens.pdf

Interesting, though unsurprising, paper from the US DoD Security Institute studying motivation for espionage.

Wish-It-Was-Two-Factor-Authentication http://worsethanfailure.com/Articles/WishItWas-TwoFactor-.aspx

Want to know how to have more secure logins online? Don't ask the banks ...

You can't picture this http://current.com/items/88856223_you_can_t_picture_this

Interesting video commentary from the UK on photography in public places.

Humour

Virus net http://xkcd.com/350/

My kinda cartoon. Besides, if you haven't looked through xkcd, you should.

Trojan Horse video http://www.youtube.com/watch?v=ChBKqcRpmDs&eurl=

Australian video, "would anybody be stupid enough to let a trojan horse in today?"

The PCR Song http://pcrsong.notlong.com

We were discussing DNA identification, and someone came up with this ad for a PCR machine ...

Spellcheckers creating disaster http://www.good.is/?p=15166

We have all kinds of systems to help us out. Sometimes they help us *way* out. Sometimes they create the most amazing problems. This article addresses that kind of situation. (I recall a, well, "politically correct checker," I suppose, which, some years ago, amended a newspaper article in order to inform people that a certain local municipal government was, fiscally speaking, "back in the African-American" ...)

SOPA protest http://www.youtube.com/watch?v=1p-TV4jaCMk

An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.

SecurityCartoon http://securitycartoon.com/

Some decent reminders of safe practices.

Security Maxims http://www.ne.anl.gov/capabilities/vat/seals/maxims.html

Roger Johnston's original list of security maxims.

Security maxims http://www.cl.cam.ac.uk/~rja14/musicfiles/preprints/Johnston/securitymaxims.ppt

PowerPoint slide deck stuffed with all kinds of (too true to be funny) security maxims that they *didn't* teach you about in the CISSP seminar.

Security excuse bingo http://www.crypto.com/bingo/pr

Amusing list of excuses we've all heard before. (I wonder where the master list is?)

Schneier facts http://www.schneierfacts.com/

Somebody took the Bruce Schneier list and made a more graphical site out of it.

Responsible Behavior [Key Signing] http://www.xkcd.com/364/

Practicing safe hex, version 2. Since I use key signing parties when teaching about digital signatures and certification, I probably found this *way* too funny ...

Play Check Point http://www.amazon.com/gp/product/B0002CYTL2/ref=cm_cd_asin_lnk

OK, I know what I want for Christmas! Check out the pictures and reviews :-)

pig hackers http://www.youtube.com/watch?v=8ImZmDYme_s

Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...)

DA for friends http://www.friendda.org/

A bit of fun on non-disclosure agreements.

Know security http://www.youtube.com/watch?v=FgWT-ba9q0E&hd=1

I have got to give this out to some of the candidates who come to the seminars with absolutely no security background, and want to know which book to get "the answers" out of.

Kiddie security awareness? http://www.theregister.co.uk/2008/03/07/security_check_point/

Amusing commentary on the Playmobil Security Check Point toy.

Kaspersky ad http://www.youtube.com/watch?v=oVMeCEzMSDU

An extremely long, but somewhat amusing, ad for Kaspersky, in old silent movie style.

John Cleese/Iron Mountain ads http://www.friendlyadvicemachine.com/

Some fun advertising videos from Iron Mountain starring John Cleese.

Insecure working conditions http://blog.rootshell.be/wp-content/uploads/2008/04/security-at-work.pdf

A cute pictorial essay (PDF) with pictures of unsafe and insecure working situations. (Don't try these at home ...)

InfoSecElmo http://twitter.com/InfoSecElmo

Not exactly a major security awareness resource, but http://twitter.com/InfoSecElmo should be on everyone's Twitter feed. Some cute little slogans and reminders.

How to order pizza http://www.funnieststuff.net/viewmovie.php?id=2202

Cute little video about databases and the erosion of privacy.

Hitler cloud sec http://www.youtube.com/watch?v=VjfaCoA2sQk

You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all. This one is about cloud computing and security, and makes a few cute points about security in general.

hard passwords http://www.time.com/time/magazine/article/0,9171,2089349,00.html

Cute essay about password choice (although not much useful help).

Flamer's Bible http://www.netfunny.com/rhf/jokes/88q1/13785.8.html

An old rec.humor.funny posting about how to abuse your opponent in a flame war. A good guide to remember what *not* to say in any online "discussion."

Deconfliction http://www.youtube.com/watch?v=g39xIewgGaM

Deconfliction has a specific meaning in aviation or the military, to do with planning flightpaths to avoid collision. In computer science, it has to do with avoiding problems in rules-based reasoning. What we have, here, is a failure to communicate ...

Bruce Schneier list http://www.chmil.org/bruce-facts-all.txt

Kinda like the "Chuck Norris is deity" Websites, somebody made up a list of "facts" about Bruce Schneier :-)

Auto-responses on signs http://news.bbc.co.uk/2/hi/uk_news/wales/7702913.stm

This out-of-office message ended up on a Welsh road sign. There was a recent instance of "Translate server error" ending up on a Chinese restaurant sign as well. Be careful of "believing" automated messages.

AT&Treason http://www.crooksandliars.com/2008/03/07/the-colbert-report-at-treason/

Colbert Report take on the Protect America Act. Political and biased, but amusing look at aspects of privacy and surveillance.

Aspamaday http://aspamaday.blogspot.com/

Cartoons based on subject lines in spam messages.

Alice and Bob After Dinner Speech (http://downlode.org/Etext/alicebob.html)

Given at the Zurich Seminar, April 1984, by John Gordon. Absolutely priceless.

Personal and Home

Anti-Phishing Phil http://cups.cs.cmu.edu/antiphishing_phil/

A game to help people recognize phishing sites.

Card & Identity Theft http://merchantwarehouse.com/credit-card-and-identity-theft-protection

This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.

Facebook privacy demo http://bit.ly/aclu_quiz

This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.

facebookpriv http://www.allfacebook.com/2009/02/facebook-privacy/

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

Free security tools http://peterhgregory.wordpress.com/2007/12/20/give-the-gift-of-safe-internet-use...

A list of free security utilities by category. Could quibble about whether they are all best of breed, but a handy list for home and small office users.

GetCyberSafe http://www.getcybersafe.gc.ca/index-eng.aspx

Your (federal) government dollars at work. Some reasonably decent advice.

North Shore Emergency Management Office Website with resources http://www.nsemo.org/

NSEMO (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.

One Laptop Per Child http://laptop.org/

Interesting project to provide low-cost computers for education in developing countries. Security implications, anyone?

Protecting your credit card http://mrsm1th.blogspot.com/search/label/Identity%20Theft

A set of tips for protecting your credit card, and your identity information, when you use it. Fairly standard advice, but a good set to keep in mind.

ThinkUKnow? http://www.youtube.com/watch?v=vp5nScG6C5g

A good online awareness video produced by the ThinkUKnow campaign (http://www.thinkuknow.co.uk/) done by CEOP in the UK.

Cryptography

Cartoon AES http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

This cartoon strip (also available at the bottom of the page as PowerPoint and PDF) illustrates the operations of the AES algorithm. It starts very simplistically, and then jumps way down into the detail, but the operations are all there.

Chosen collisions attack on MD5 http://www.win.tue.nl/hashclash/Nostradamus/

An amusing illustration of the "birthday attack" against hash functions.

Crypto papers http://eprint.iacr.org/

A massive, non-peer-reviewed, and not very organized archive of papers on all kinds of aspects of cryptology. There is a search function.

Fake certificates on the Internet http://www.win.tue.nl/hashclash/rogue-ca/

A group recently published a paper at the 25th Annual Chaos Communication Congress in Berlin, called "MD5 considered harmful today: Creating a rogue CA certificate." This has resulted in a lot of speculation. Here is the paper itself for your consideration and analysis.

Free Rainbow tables http://www.freerainbowtables.com

Like it says, rainbow tables freely available, along with password cracking services. Also some explanation of the technology.

hash lifetimes http://valerieaurora.org/hash.html

Chart showing the (sometimes short) useful lifetimes of cryptographic hash functions.

Image forensics http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html

An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how. I find this particularly interesting because of the apparently widely held belief that steganography is "undetectable" without comparison to the original image. Most of the "Photoshop disasters" are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)

Letter frequency http://oxforddictionaries.com/page/frequencyalphabet

Just in case you want some help in cracking simple ciphers ...

MD5 http://en.wikipedia.org/wiki/MD5

Wikipedia on MD5 and the related attacks: good portal to references.

MD5/SHA cryptanalytic attacks http://www.cerias.purdue.edu/news_and_events/events/security_seminar/details.php...

CERIAS video seminar, good coverage of properties of hash functions, as well.

NIST SHA 3 competition http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

Because of the weaknesses found in SHA-1, MD5, and other widely used hash algorithms, NIST has opened a public competition to develop a new cryptographic hash algorithm that can be used for digital signatures, message authentication and other applications. The new hash algorithm will be called SHA-3.

Rainbow tables http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.rainbow

Video presentation from Watchguard. Fairly simplistic. Doesn't go into the creation of the tables.

WPA crack of November 2008 http://dl.aircrack-ng.org/breakingwepandwpa.pdf

Full paper of the attack on WPA. Useful only for very small packets, but could be used in (for example) ARP poisoning attacks.

WPACracker http://www.wpacracker.com/

Polly wanna crack a WPA network? A cloud based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130 million word dictionary against it, in as little as 20 minutes. Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?

History

"The Search" TV show http://www.channel4.com/history/microsites/S/search/follow/index.html

Almost no tutorial value, but some crypto fun and a bit of history.

Colossus Mk2 Rebuild Project http://www.tnmoc.co.uk/ColRbd.htm

Colossus was the "brute force" part of the attack against Enigma during the second world war. Recently one of the devices was rebuilt.

Keeloq cracked http://www.theregister.co.uk/2008/04/03/keeloq_master_key_found/

Kerckhoffs was right: proprietary and secret systems need to be viewed with extreme suspicion.

TEMPEST http://www.nsa.gov/public/pdf/tempest.pdf

NSA 1972 document declassified in 2007. Interesting that some parts are still classified.

Software

Cartoon AES http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

A cute cartoon introduction to the Advanced Encryption Standard (AES, aka Rijndael) algorithm. Four sections, growing increasingly technical.

Crypto Project https://crypto.is/

Actually an umbrella for a number of projects related to cryptography. A number are also specifically related to personal privacy.

enigma http://cryptocellar.org/simula/

This site has an interesting collection of simulators of early twentieth century rotor cryptodevices, as well as papers on Enigma and related technologies.

GNU Privacy Handbook http://www.gnupg.org/gph/en/manual.html

Basic instructions for use of GnuPG, but also discusses some basic crypto concepts and key management issues.

Skein hash algorithm http://www.schneier.com/skein.html

Bruce Schneier's (and seven others') submission to NIST for the next Secure Hash Algorithm.

Steganographic bad poetry http://lcamtuf.coredump.cx/wss/

Part of this is coding executable programming. Part of it is steganography. Part of it seems to be a bit of a kick at export restrictions on cryptographic software. You may have to be a little bit crazy to understand the purposes behind it.

TrueCrypt http://www.truecrypt.org/

Open-source disk encryption software.

Ethics

Mitch Kabay ethics http://www.mekabay.com/ethics/index.htm

Fairly standard articles and slide decks on ethics.

moraltest http://www.ted.com/index.php/talks/dan_ariely_on_our_buggy_moral_code.html

A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it.

Patent Absurdity http://patentabsurdity.com

Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.)

Psych and sec http://www.cl.cam.ac.uk/~rja14/psysec.html

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

Shariah and Cybercrime http://ccrimejournal.brinkster.net/alaeldinijccdec2008.htm

From the International Journal of Cyber Criminology (http://www.cybercrimejournal.co.nr/), "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate specifically to computer or information system related crimes. The paper is possibly not a complete examination, but is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF (http://cyber.kic.re.kr/data/alaeldinijccdec2008.pdf).

Law and Investigation

Canadian Charter of Rights and Freedoms http://laws.justice.gc.ca/en/charter/

Canada is a Common Law (as opposed to Civil or Code Law) legal system, and therefore subject to a charter document. In the case of Canada, this is the Canadian Charter of Rights and Freedoms.

MiFare presentation at DEFCON http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

This is the presentation that was banned by a Boston court, detailing the specifics of how to defeat the "protections" on the Boston transit MiFare card. The same system is also in use elsewhere.

Network identity theft: who owns IP addresses? http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_th...

A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/ .

NIST Computer Forensics Tool Testing http://www.cftt.nist.gov/

Some interesting things you didn't know about the most widely used computer forensics tools.

Shariah and Cybercrime http://ccrimejournal.brinkster.net/alaeldinijccdec2008.htm

From the International Journal of Cyber Criminology (http://www.cybercrimejournal.co.nr/), "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate specifically to computer or information system related crimes. The paper is possibly not a complete examination, but is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF (http://cyber.kic.re.kr/data/alaeldinijccdec2008.pdf).

US Cybercrime http://www.cybercrime.gov/

US Department of Justice site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.

US Dept of Justice forensics chart http://www.cybercrime.gov/forensics_chart.pdf

Outlines a method and procedure for overall management of digital forensic analysis.

Intellectual Property

A Fair(y) Use Tale http://cyberlaw.stanford.edu/documentary-film-program/film/a-fair-y-use-tale

An explanation of copyright and the concept of "fair use" using clips from a whole bunch of Disney animated movies. Sometimes hard to follow, but priceless. It has been uploaded multiple times to YouTube.

Copyright, blogs, and fair use http://spectrum.ieee.org/apr08/6115

Brief IEEE Spectrum article on copyright and fair use, touching on use on the Web and in blogs.

Larry Lessig IP video http://www.ted.com/talks/view/id/187

How intellectual property laws are destroying creativity.

Making a sandwich is patentable? http://yro.slashdot.org/article.pl?sid=08/11/25/0034229&from=rss

A slashdot posting about a McDonalds attempt to patent the process for making a sandwich.

Patent Absurdity http://patentabsurdity.com

Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.)

SOPA protest http://www.youtube.com/watch?v=1p-TV4jaCMk

An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.

US software patents http://www.cafc.uscourts.gov/opinions/07-1130.pdf

The fact that the US issues software patents has long been a contentious issue. This recent decision may reduce that protection.

Investigation

"Cold memory" attack http://citp.princeton.edu/memory

The research behind all the stories about being able to retrieve data from memory (DRAM) even after the computer is powered off.

Body language http://lifehacker.com/5852572/how-to-read-and-utilize-body-language-to-reveal-th...

Article on body language indicators to look for when trying to determine whether the subject is telling the truth. (Probably best not to rely on it too heavily, but possibly useful.)

Catching lies http://www.webmd.com/balance/features/10-ways-catch-liar

Tips for detecting falsehoods in interviewing and interrogation.

CSIRT exercise http://www.enisa.europa.eu/act/cert/support/exercise

ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.

Electronic Crime Scene Investigation http://www.ncjrs.gov/pdffiles1/nij/219941.pdf

US NIJ simple guide for collecting digital evidence. (PDF)

ForensicsWiki http://www.forensicswiki.org/

The Forensics Wiki. As with all wikis, it is in process, but there is room for additional material ...

Image forensics http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html

An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how. I find this particularly interesting because of the apparently widely held belief that steganography is "undetectable" without comparison to the original image. Most of the "Photoshop disasters" are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)

Lying http://blogs.westword.com/showandtell/2011/03/how_to_spot_a_liar_gratuitous_rand...

An interesting little tidbit relating to law and investigation. This piece notes a few of the ways that trained interviewers (and profilers) use to detect when people are lying. Feel free to try it out, but remember: the professionals who use it study a lot more than one infographic.

Open Source Computer Forensics Manual http://sourceforge.net/projects/oscfmanual/

The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted.

Open Source Forensics http://www2.opensourceforensics.org/home

A reference for the use of open source software in digital investigations, that is digital forensics, computer forensics, and incident response.

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

socnetanonymity http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf

This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.

Privacy

Crypto Project https://crypto.is/

Actually an umbrella for a number of projects related to cryptography. A number are also specifically related to personal privacy.

DataLossDB http://datalossdb.org/

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

Facebook privacy demo http://bit.ly/aclu_quiz

This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.

Facebook security http://chainmailcheck.wordpress.com/2011/01/05/facebook-security-guide/

The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on the arrow icons at the upper right hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.) However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.

facebookpriv http://www.allfacebook.com/2009/02/facebook-privacy/

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

How to order pizza http://www.funnieststuff.net/viewmovie.php?id=2202

Cute little video about databases and the erosion of privacy.

Privacy economics http://ssrn.com/abstract=1522605

An interesting paper looking at the risks, risk management, and legal economics of breaches of privacy. Much of the material is fairly standard, but it also looks at different types of controls (such as preventative and recovery) in regard to data breaches, disclosure laws, and standards such as PCI DSS. Valuation of assets is also a factor. (Free download, as of this posting.)

Privacy Enhancing Technologies (PET) Wiki http://petweb.nr.no

Intended to enable communicating organisations to include privacy enhancing technologies (PETs) in large-scale web-based services for the general public and customers.

Recording drivers licence information http://www.privcom.gc.ca/information/pub/guide_edl_e.asp

Detailed discussion of the common retail practice of collecting drivers licence information. Other discussion is at http://www.privcom.gc.ca/media/nr-c/2008/nr-c_081202_e.asp, and a PDF version is at http://www.privcom.gc.ca/information/pub/guide_edl_e.pdf

socnetanonymity http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf

This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.

SSN algorithm http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-t...

Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important.

What Privacy is For http://www.harvardlawreview.org/symposium/papers2012/cohen.pdf

While academic in tone, and not the easiest read ever, this paper is one of the most thought-provoking and insightful pieces on privacy that I've read in a long time. I highly recommend it.

Malware

Antirootkit.com http://www.antirootkit.com/

Not an awful lot of information on the site, but it does have a list of rootkit detection software. There are brief descriptions of the products. Be careful of the download links: they can be misleading in terms of what you are actually getting.

Anubis http://anubis.iseclab.org/

Similar to VirusTotal, but this one does an activity check, looking for dangerous operations.

Browsing Protection http://browsingprotection.f-secure.com/swp/

This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.

CIACTech02-004 http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml

US Dept of Energy paper: Parasite Programs; Adware, Spyware, and Stealth Networks

ClamWin http://www.clamwin.com/

A Windows ... "extension" of the ClamAV open source AV scanner. ClamWin has an interesting relation to ClamAV, and the ClamAV people seem annoyed if anyone calls ClamWin a version or port of ClamAV.

Cloud AV paper http://www.eecs.umich.edu/fjgroup/pubs/cloudav-usenix08.pdf

A kind of updated version of what we have been saying for years: use multiple means of AV detection. Some interesting points and means of improving performance.

fastflux http://www.icann.org/committees/security/sac025.pdf

This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets). It also suggests certain actions which could mitigate such activity. The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation.

Ghostnet http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espio...

The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf) (which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).

hiding address http://fuckthespam.com/?info

Many antispam sites tell you not to provide your email address. This advice, however, doesn't work too well if you need to advertise your address so that people can contact you. This site provides some practical advice on ways to hide your address from robots and spiders, but still make it accessible to people. Most of these techniques would also work in HTML formatted email, but, as a malware specialist, I can hardly encourage people to use HTML formatted email. For those of a malware research frame of mind, a number of these techniques are also used to hide malicious content.

ITU Botnet Mitigation Toolkit http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

Information sharing project to detect and reduce bots and botnets.

Jotti's malware scan http://virusscan.jotti.org/

Check a suspected file against not quite as many scanners as VirusTotal.

Local Shared Objects -- "Flash Cookies" http://www.epic.org/privacy/cookies/flash.html

A new way for marketers and malicious sites to store and use information on your computer.

Malware analysis http://blogs.sans.org/computer-forensics/2010/11/12/get-started-with-malware-ana...

A collection of resources (mostly online) that will help those interested get started working towards an understanding of how to pick apart malware, see what it does, and how to protect against it.

Malware Analysis https://noppa.aalto.fi/noppa/kurssi/t-110.6220/etusivu

A series of PDFs, the course teaches what malicious code is and how it can be analyzed. Topics include malware taxonomy, reverse engineering, code emulation fundamentals, basic cryptanalysis of malicious crypto, and antivirus engine basics. The full course includes lectures.

malware.com http://www.malware.com/

A list of vulnerabilities.

Rich Skrenta http://www.cbc.ca/technology/story/2007/08/31/tech-virus.html

Rich Skrenta created probably the second or third computer virus.

Searching For Evil, Ross Anderson http://video.google.ca/videoplay?docid=-1380463341028815296

Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.

smmattack http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

This paper describes an attack on the Intel SMM (System Management Module). This is a very low level attack, and therefore would be able to circumvent almost all common software defences, and some that rely on hardware, as well.

StopBadware http://www.stopbadware.org/

Partnership committed to protecting Internet and computer users from the threats that are caused by bad (malicious) software.

Sunbelt CWSandbox http://research.sunbelt-software.com/submit.aspx

Submit a suspect file: the system does a form of black box testing, looking not at the file itself, but at its actions.

Trends in "badware" http://stopbadware.org/home/consumerreport

Rather simplistic but possibly handy overview of malware and surfing threats

Viruses Revealed http://vx.netlux.org/lib/ars08.html

After Macmillan refused to update the book, David and I got the copyright back, and planned to update it and release it online. Somebody beat us to it. This appears to be a blackhat site, so be careful, but the information appears to be there.

VirusTotal http://www.virustotal.com/

Check a suspected file against a large number of virus scanners.

Operations Security

Adeona http://adeona.cs.washington.edu/

Open source laptop tracking. (Absolute Software is in for it now ...)

CERT insider threat study http://www.cert.org/archive/pdf/08tr009.pdf

CERT MERIT project regarding insider attacks and threats.

Computer Re-use Optimisation Project (CROP) http://freegroups.net/groups/cu/www/crop/organisations.html

In the course of operations, recycling of old computers is an issue. The confidentiality dangers of object reuse are reasonably well known. However, when the time comes to get rid of a bunch of old (and rather toxic, if just dumped) computer equipment, where can you send them to best effect? This project lists a number of organizations and institutions, in a number of different areas of the world, that take, refurbish, and give computers to worthy causes.

Creating a CSIRT http://www.cert.org/csirts/Creating-A-CSIRT.html

CERT.ORG advice and step-by-step instructions on creating a computer security incident response team.

DataLossDB http://datalossdb.org/

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

is2me http://www.is2me.org/index-en.html

This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ .

RFC 2350 http://rfc.dotsrc.org/rfc/rfc2350.html

1998 version of what incident response teams should and shouldn't be and do.

Secure data erasure http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

For all the trouble we have to take to protect, backup, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we delete? Overwrite on delete? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite? This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough.

Security Content Automation Program http://nvd.nist.gov/scap/scap.cfm

U.S. Government Agencies' attempt to automate vulnerability scanning.

Security Incident Survey Cheat Sheet http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet....

Tips for examining a suspect server to decide whether to escalate for formal incident response. The steps presented in this cheat sheet aim at minimizing the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.

Shouting at hard disks http://www.youtube.com/watch?v=tDacjrSCeq4

Shhh, be wewwy, wewwy, quiet! We'we hunting disk latency. Who knew that yelling at your hard disks, far from getting them to work faster, would only make things worse? Well, when you think about it in terms of vibration, it makes a lot of sense.

TEMPEST http://www.tscm.com/TSCM101tempest.html

There are lots of myths about TEMPEST and emanations (or emissions) security. This site provides detailed information. Unfortunately, it isn't quite as sensational as the myths, but more useful.

Windows and Microsoft

ADS FAQ http://www.heysoft.de/nt/ntfs-ads.htm

Specific questions and points about Alternate Data Streams (ADS).

ADS overview http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

Alternate Data Streams (ADS) are a feature of the Microsoft Windows NTFS file system. They provide a means of hiding files, data, and even applications on a system. It is difficult to detect ADS material without specialized tools.

ADS per Microsoft http://msdn.microsoft.com/en-us/library/ms810604.aspx

Some information on ADS is available in this MSDN article, under the section about Multiple File Streams.

ADS tool - LADS http://www.heysoft.de/Frames/f_sw_la_en.htm

LADS (List Alternate Data Streams) utility for finding ADS.

Autorun - CCIRC http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx

Autorun is a function of Windows that provides for automatic execution of a program when removable media is inserted into, or attached to, the computer. It can be used for many functions. However, it is currently widely used to spread malware or attack systems simply by getting a user to plug a USB key/jump drive/thumb drive into the computer. More and more, security specialists are recommending that Autorun be disabled on Windows computers as a matter of course. Disabling Autorun seems to be easier said than done. Here is some detailed advice from the Canadian Cyber Incident Response Centre.

Autorun - how-to geek http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-dri...

The How-To Geek provides graphical details of Microsoft's Gpedit.msc.

Autorun - Microsoft http://support.microsoft.com/kb/953252

Of course, Microsoft has its own advice on how to deal with Autorun. This is at least their second attempt, Knowledge Base 953252. According to the CCIRC, it doesn't always work.

Autorun - tildemark http://www.tildemark.com/tips/disable-autorun-on-cdrom-or-usb-drives.html

tildemark's advice certainly seems easy, but I'm not entirely certain that it is complete.

Microsoft Threat Modeling Tool http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6...

Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities.

sanitization http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.

Syskey for additional hardening http://support.microsoft.com/kb/310105

The Syskey utility can be used to remove or protect encryption keys from the machine.

Vista secure configuration http://www.microsoft.com/technet/windowsvista/security/guide.mspx

Instructions and recommendations for security of Windows Vista in a domain with Active Directory.

Windows XP Security Guide http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.ms...

Recommendations about how to harden computers that run Windows XP with SP2.

Physical Security

Time to Completely Rethink Physical Access Control System Architecture

Physical Access Control Systems (PACS) have been a critically important element of asset protection for over 3 decades. Until recently, the architecture of these systems has remained virtually unchanged. The US Department of Homeland Security, under security initiative HSPD-12 for physical and logical access control, has approved and deployed a fundamentally different architecture for PACS, paving the way for a transformation in the industry. These changes will affect IT and security professionals and will provide CEOs improved visibility into their security systems. These initiatives open up new opportunities for commercial, industrial, and government stakeholders and providers of physical and logical access control. This presentation will explore the new architecture and the subsequent implications.

Body language http://lifehacker.com/5852572/how-to-read-and-utilize-body-language-to-reveal-th...

Article on body language indicators to look for when trying to determine whether the subject is telling the truth. (Probably best not to rely on it too heavily, but possibly useful.)

Flash face http://flashface.ctapt.de/

Remember the old Identi-kit? (Ever heard of the old Identi-kit?) Well, someone put up a Flash-based version on the Web. Try it out. And see why composite pictures seldom look much like the target.

pig hackers http://www.youtube.com/watch?v=8ImZmDYme_s

Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...)

Play Check Point http://www.amazon.com/gp/product/B0002CYTL2/ref=cm_cd_asin_lnk

OK, I know what I want for Christmas! Check out the pictures and reviews :-)

shakeout http://www.shakeout.org/

Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM

TEMPEST http://www.tscm.com/TSCM101tempest.html

There are lots of myths about TEMPEST and emanations (or emissions) security. This site provides detailed information. Unfortunately, it isn't quite as sensational as the myths, but more useful.

Resources and References

Answer sheet form generator http://www.catpin.com/bubbletest/

OK, OK, I know, it sounds weird. However, if you are preparing for your CISSP exam, this may be useful. When you write the CISSP exam, you are given an exam question book, and a separate mark sense answer sheet with 400 rows of five circles each. (Yes, you are correct, the actual exam has 250 questions and only four options for each. The answer sheet is used for other exams as well.) Anyway, this site will allow you to make up your own answer sheet, so that you are operating under conditions as real as possible when you do practice tests.

Bell-La Padula http://selfless-security.offthisweek.com/presentations/looking-back.pdf

David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.)

Bell-LaPadula model review http://www.acsac.org/2005/papers/Bell.pdf

A review, thirty years later, of the Bell-LaPadula model by David Bell.

Bell-LaPadula paper part 1 http://www.albany.edu/acc/courses/ia/classics/belllapadula1.pdf

A reconstruction of the first part of the famous Bell-LaPadula model. Note that this is a formal mathematical model, using symbolic logic. Not the first formal model of security, nor even the first state machine model, but one of the most useful in the early days.

Building a Secure Computer System http://nucia.ist.unomaha.edu/dspace/documents/gasserbook.pdf

Full text of Morrie Gasser's 1988 book, good general introduction and guide to security.

Cambridge Computer Laboratory security conference database http://www.cl.cam.ac.uk/research/security/conferences/all.html

Security professionals and practitioners need to keep up skills, and expand horizons and ideas about the infosec field. There are a few conferences that are extremely popular. However, there are a great many that are just as good (perhaps better), although not as well known. The University of Cambridge has developed a security conference database which might give some pointers and help in finding new sources of knowledge and inspiration.

CCCURE CISSP intro http://www.cccure.org/flash/intro/player.html

cccure.org is a fairly famous resource for those studying for the CISSP exam. There are various papers and other resources, and the famous quizzes. (The quizzes have, of late, been inundated with questions of rather low quality, but it is the most widely used, accessible, and certainly no worse than many others.) This presentation is a general overview of the CISSP, buried in a major sales pitch for cccure.

Complexity kills http://www.switched.com/2011/03/03/state-of-the-union-security-eugene-spafford/

Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.

CSIRT setup http://www.first.org/resources/guides/cert-in-a-box/

Structure for setting up a Computer Security Incident Response Team, informed by the experience of the Netherlands government agency. Some of the graphical material can be downloaded at http://www.first.org/resources/guides/cert-in-a-box.zip , but the Website is much better.

DataLossDB http://datalossdb.org/

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

ENISA CSIRT guide http://www.enisa.europa.eu/cert_guide/index_guide.htm

Exhaustive, and yet strangely undirected, ENISA walk through the points relevant to setting up a CSIRT. Can also be had in PDF from http://www.enisa.europa.eu/cert_guide/downloads/CSIRT_setting_up_guide_E... , which might be easier to deal with.

flashcards http://www.flashcardexchange.com/tag/cissp

This site provides functions for creating your own flashcards of varying types. This particular link looks for those tagged as being suitable for study for the CISSP exam. (You will notice that there are other related tags, and you may wish to try out those for security terms which are not specific to the CISSP.) The material is provided by volunteers, so the quality varies. In the sets I examined, some points were flatly wrong, while others were questionable. However, it does provide a range of points to test yourself against, and see if you are unfamiliar with certain areas. (The functions of the card decks also vary: some are simply vocabulary flashcards, while others present sample questions for you to test yourself.)

GetCyberSafe http://www.getcybersafe.gc.ca/index-eng.aspx

Your (federal) government dollars at work. Some reasonably decent advice.

Infosec related books, reviewed http://victoria.tc.ca/techrev/mnbksc.htm

Reviews of books from various fields of information security.

Infosec terms http://victoria.tc.ca/techrev/secgloss.htm

A partial listing (errata and updates) of information security terms.

Intro to infosec http://openlearn.open.ac.uk/course/view.php?id=3631

A Masters level course from the UK OpenLearning/LearningSpace centre, introducing the concepts of information security management. Little or no technical content. Parts appear based on BS 7799-2/ISO 27001.

MELANI http://www.melani.admin.ch/index.html?lang=en

The Reporting and Analysis Centre for Information Assurance is a Swiss group, seemingly consisting of business and government agencies cooperating to provide information about computer, and particularly online, security. The material seems to be pretty basic, but is clear.

Microsoft Learning Paths for Security http://technet.microsoft.com/en-gb/security/cc297185.aspx

A kind of topical index to some Microsoft security materials.

Open Source Forensics http://www2.opensourceforensics.org/home

A reference for the use of open source software in digital investigations, that is, digital forensics, computer forensics, and incident response.

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

Recommended infosec books http://victoria.tc.ca/techrev/mnbksccd.htm

Links to reviews of recommended information security literature. The list is divided by the ten ISC2 "domains" of security.

Search Security/Information Security Magazine CISSP training http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1330306,00.html?t...

The ten domains of the CISSP, roughly 45 minutes per domain. Slides with voiceover from Shon Harris.

SecEconIntMrkt http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)

Security Engineering http://www.cl.cam.ac.uk/~rja14/book.html

One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.

Security Forest http://www.SECURITYFOREST.COM

A wiki on various topics of security. So far most of the material relates to attacks, insecure software practices, and Web applications. It's also a bit thin.

socnetguides http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/

A useful collection of links to guidelines for the use of social networking media and systems.

SSN algorithm http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-t...

Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important.

Twitter feed http://twitter.com/rslade

For those preferring to get notifications of additions in a different way, I'll be posting links to new entries on Twitter. (Of course, I'll be posting other stuff there as well.) I'll try to remember to post links to both http://www.infosecbc.org/links and http://blog.isc2.org/isc2_blog/slade/index.html

University of Cambridge security conference database http://www.cl.cam.ac.uk/research/security/conferences/all.html

Wanna know what other security conferences you might be missing out on? Even this list isn't quite exhaustive. You might also want to check out http://iki.fi/japi/security.html#conf

Viruses Revealed http://vx.netlux.org/lib/ars08.html

After Macmillan refused to update the book, David and I got the copyright back, and planned to update it and release it online. Somebody beat us to it. This appears to be a blackhat site, so be careful, but the information appears to be there.

Mailing Lists and News

(ISC)^2 blog http://blog.isc2.org/isc2_blog/slade/index.html

Some people have asked that the material on this site be available in some kind of "feed" fashion. Therefore, at the (ISC)2 blog site, I have started blogging these entries as I add them. This material can also be obtained as an RSS feed.

Crypto-Gram http://bt.counterpane.com/crypto-gram.html#sub

Bruce Schneier's Crypto-Gram newsletter is like most of his writing. It's readable, and it's always worth reading, even if you don't agree with him. You can also look up his blog and books.

DHS Daily Open Source Infrastructure Report http://www.dhs.gov/xinfoshare/programs/editorial_0542.shtm

Unfortunately, you can't get the DHS Daily Open Source Infrastructure Report as a mail feed any more; you have to go to the Website to get the actual report. (It seems you can get a sort of reminder by email.) However, at the moment it is the best compilation source for news stories of security related items.

InfoSec News http://www.infosecnews.org/hypermail/

General list. This archives back to 1998.

Microsoft newsletter http://www.microsoft.com/canada/technet/securitynewsletter/default.mspx

Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.

RISKS Forum Digest archive site http://catless.ncl.ac.uk/Risks

The RISKS Forum Digest, moderated by Peter G. Neumann, is the pre-eminent security-related mailing list on the Internet, and probably the oldest as well. This site, courtesy of the University of Newcastle upon Tyne, maintains a complete archive, and provides directions on how to subscribe at the RISKS Info Page, http://lists.csl.sri.com/mailman/listinfo/risks.

SafeCanada.ca http://www.safecanada.ca/news_e.asp?nid=15887&e=1

SafeCanada is similar to the DHS daily report, and it does send you daily email reports, albeit without much detail.

seclists.org

The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)

SecLists.Org Security Mailing List Archive http://seclists.org/

A list of a number of information security and related mailing lists.

Security and Related Agencies

(ISC)^2 https://www.isc2.org/

International Information System Security Certification Consortium.

(ISC)^2 History http://www.isc2.org/isc2-history.aspx

A brief history and background of (ISC)^2. Included are two video clips with interviews with some of the founders. (Apparently the project was supposed to include 4, but only two are listed here.)

abuse.net http://www.abuse.net/

Reporting of annoying behaviour.

Canadian Centre for Emergency Preparedness (CCEP) http://www.ccep.ca/

Disaster resilience materials for individuals, communities and businesses.

Center for Internet Security http://www.cisecurity.org/

Supposedly nonprofit group forming yet more security metrics, checklists and frameworks.

CSE IT Security Learning Centre http://www.cse-cst.gc.ca/training/training-e.html

Communications Security Establishment training to support the IT security needs of Government of Canada professionals.

DHS Cybersecurity help/resource http://www.dhs.gov/xprevprot/programs/gc_1202746448575.shtm

Recently there has been a bit of a debate, around the US, anyway, about whether the NSA or the DHS should have responsibility for cybersecurity. One of the points raised is that the NSA shouldn't take on that job, since cybersecurity involves helping "ordinary" people and companies secure their own systems. (In the modern environment, silo/bastion thinking doesn't work in security: now, the fact that I have a virus means you have a problem.) And the NSA has proven itself singularly loath to tell anything to anyone. DHS has, on the other hand, set up a cybersecurity resource. Check it out. (It'll only take a couple of seconds.) Back? Pretty pathetic, isn't it? Maybe the NSA should take over. They could hardly do worse ...

DHS Daily Open Source Infrastructure Report http://www.dhs.gov/xinfoshare/programs/editorial_0542.shtm

Excellent review of security related news. "The DHS Daily Open Source Infrastructure Report (Daily Report) is collected each week day as a summary of open-source published information concerning significant critical infrastructure issues."

European SecurityTaskforce http://www.securitytaskforce.org

Not much material, seemingly a lot of meetings.

fraud.org http://www.fraud.org/

US based reporting organization.

GetCyberSafe http://www.getcybersafe.gc.ca/index-eng.aspx

Your (federal) government dollars at work. Some reasonably decent advice.

ICASI http://iscasi.org

Industry Consortium for the Advancement of Security on the Internet (ICASI) was formed as a non-profit corporation by a group of vendors to address international, multi-product security challenges. So far it hasn't done much, but watch this space.

Interpol cybercrime advice http://www.interpol.int/public/technologycrime/crimeprev/default.asp

Reports and checklists, particularly in terms of what an investigator needs to know about Information Technology (IT) security measures in order to be able to carry out investigations in an IT environment and to give advice in crime prevention methods.

Justice Institute of BC http://www.jibc.bc.ca/index.htm

The Justice Institute of British Columbia is a leader in education, training and the development of professional standards of practice in justice, public safety and human services. The institute offers programs and courses in many public safety areas, and has online courses as well.

MELANI http://www.melani.admin.ch/index.html?lang=en

The Reporting and Analysis Centre for Information Assurance is a Swiss group, seemingly consisting of business and government agencies cooperating to provide information about computer, and particularly online, security. The material seems to be pretty basic, but is clear.

RCMP TSB training http://www.rcmp-grc.gc.ca/tsb/workshops/index_e.htm

RCMP Technical Security Branch IT and physical security workshops and presentations for employees of federal government and other agencies.

US Cybercrime http://www.cybercrime.gov/

US Department of Justice site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.

US Secret Service http://www.secretservice.gov/

Responsible for mail and wire fraud in the US, with major responsibility for advance fee (419/Nigerian) frauds.

Local Groups

BC ISMS UG http://www.ismsug.org

Meetings roughly twice a year. Focused primarily on ISO 27000 family.

CitySec site http://www.citysec.org/

Listings for local groups in a number of places. Some aren't representative of the local scene.

National Information Security Group http://www.naisg.org/

Relatively new group, starting some local chapters.

SPIE (Calgary) http://www.SPIE.ca

According to Bob Tremonti, the Security Professionals Information Exchange (www.SPIE.ca) meets the last Thursday of the month (plus a rather secretive sub-group of security folks in the energy sector), and the Disaster Recovery Information Exchange (DRIE West) meets -- well, it meets when someone finally gets a meeting organized ...

Portals and Listings

Internet Crime Complaint Center http://www.IC3.gov

US government site with links to law enforcement.

Jari Pirhonen's security links http://koti.welho.com/jpirhone/security.html

As he says, 10+ years' worth of security bookmarks. New links added frequently, hardly ever cleaned. Lots of outdated and broken links.

Lotsa links http://www.fx-vista.com/

Undoubtedly self-promotion, and an attempt to use Google ads to drive revenue, but some of the links are useful.

North Shore Emergency Management Office Website with resources http://www.nsemo.org/

NSEMO, (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.

seclists.org http://seclists.org/

The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)

SecurityBenchmark.com http://www.securitybenchmark.com

Extensive list of organizations and entities. (Note that this appears to be run by a member of a consortium that is very active in self-promotional activities ...)

Student Resources for Computer Security: Principles and Practice text http://williamstallings.com/CompSec/CompSec1e.html

A companion site for the Stallings textbook, but a good set of resources and references.

Security and Risk Management and Awareness

CERT insider threat study http://www.cert.org/archive/pdf/08tr009.pdf

CERT MERIT project regarding insider attacks and threats.

IT Security EBK http://www.us-cert.gov/ITSecurityEBK/

From the US-CERT and DHS, a framework outlining IT security topics and levels (manage, design, implement, evaluate) to various IT security roles. As of the 2008 document it is fairly limited, but provides a good starting point.

socnetguides http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/

A useful collection of links to guidelines for the use of social networking media and systems.

Termination procedures http://www.usenix.org/events/lisa99/full_papers/ringel/ringel_html/index.html

Paper advising on termination procedures for sensitive positions.

Risk Analysis, Assessment, and Management

Attack trees http://www.schneier.com/paper-attacktrees-ddj-ft.html

Attack trees provide a formal way of describing the security of systems, under varying attack possibilities. You represent attacks against a system in a tree structure, with the goal of the attack as the root node and different requirements for achieving that goal as leaf nodes. You can then work on denying the requirements to an attacker.

Australian operational risk portal http://oprisk.austega.com

Operational risk is how the banks refer to what we know as risk management.

Calabrese http://righteousit.wordpress.com/2009/02/26/calabreses-razor/

An interesting, semi-quantified risk analysis tool. Allows you to address both the protective benefits and the resource/operational cost of various safeguards, and compare them against each other.

CERT taxonomy http://www.cert.org/archive/pdf/10tn028.pdf

Carnegie-Mellon's CERT has put together a taxonomy of the different types of cyber security risks, cross-reference mapped to NIST SP 800-53. It's a good start. I'm not sure how useful it is. Malware, for example, is definitely a "deliberate action of people," but it's also "inaction from lack of knowledge" on the part of users. It may also be systems design failure or a failure of process controls.

Classification Scheme for Information System Threats, Attacks, and Defences http://www.all.net/journal/ntb/cause-and-effect.html

Like it says, fairly formal and abstract, but does explain the concepts by working with them.

Common Vulnerability Scoring System (CVSS) http://www.first.org/cvss/cvss-guide.html

Fairly hefty process, but some interesting ideas for risk assessment.

Complexity kills http://www.switched.com/2011/03/03/state-of-the-union-security-eugene-spafford/

Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.

CSIRT exercise http://www.enisa.europa.eu/act/cert/support/exercise

ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.

ENISA risk management materials http://www.enisa.europa.eu/rmra/h_home.html

Limited articles and papers on risk management.

Financial Impact of Cyber Risk calculations http://webstore.ansi.org/cybersecurity.aspx

Guide from ANSI on how to assess the financial (quantitative) risk analysis of cyber threats.

FMEA resources http://www.isixsigma.com/tt/fmea/

Tools and advice on the use of failure mode and effects analysis.

Information Systems Security Assessment Framework (ISSAF) http://www.oissg.org/issaf

Security assessment framework from the Open Information System Security Group (OISSG, www.oissg.org), mostly concentrating on pen testing, but with some project planning material for general security or risk assessment. The document/project seems to have been abandoned mid-2006.

Intro to infosec http://openlearn.open.ac.uk/course/view.php?id=3631

A Masters level course from the UK OpenLearning/LearningSpace centre, introducing the concepts of information security management. Little or no technical content. Parts appear based on BS 7799-2/ISO 27001.

is2me http://www.is2me.org/index-en.html

This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ .

Microsoft Learning Catalogue, Security https://www.microsoftelearning.com/catalog/itpro.aspx#Security

A collection of online courses, mostly free. Registration is required, and may be annoying. Courses require IE for use. Some are general, some MS product specific. Even those that are generic have MS specific mentions, sometimes in surprising places. The course content tends to the simplistic, but does, usually, stick to generally accepted policies and guidelines. The usage of the courses is idiosyncratic at times, but you can usually puzzle it out. The material is a mix of page-turner and slide plus voice-over. There are occasional references: these must be obtained separately. There are review questions: these are basically useless.

Microsoft threat assessment (STRIDE) http://msdn.microsoft.com/en-us/library/aa302418.aspx

Mostly applicable to software development, but some general points.

Most Terrifying Video You'll Ever See http://www.youtube.com/watch?v=bDsIFspVzfI

Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.

OCTAVE Allegro http://www.cert.org/octave/allegro.html

Reduced version of the OCTAVE program. You can download the guidebook at this site.

OSSTMM - Open Source Security Testing Methodology Manual http://www.isecom.org/osstmm/

A security testing or assessment framework. It is interesting that, for an "open source" document, you can only download a partial version, or an old version, unless you are a "gold" member. About half of the Lite 3 version is promotional material, the rest is a checklist of decent, but hardly surprising, checks to perform.

Presenting risk http://understandinguncertainty.org/node/233

We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks. This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general.

Privacy economics http://ssrn.com/abstract=1522605

An interesting paper looking at the risks, risk management, and legal economics of breaches of privacy. Much of the material is fairly standard, but it also looks at different types of controls (such as preventative and recovery) in regard to data breaches, disclosure laws, and standards such as PCI DSS. Valuation of assets is also a factor. (Free download, as of this posting.)

SecEconIntMrkt http://www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)

US cyber pol review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

This paper, directed from the US White House, may be the structure for US information, networking, and infrastructure policy over the next seven years. While vague, it does give some indication of directions.

US GAO infosec reports http://www.gao.gov/special.pubs/cit.htm

A few "Special Publications: Computer and Information Technology."

Security Awareness

(ISC)² Awareness Centre https://www.isc2.org/cgi-bin/csam_resources.cgi?page=2&sort=Title&filter=

Collection of papers, posters, and presentations by CISSPs. Also at http://www.isc2.org/csa

Anti-Phishing Phil http://cups.cs.cmu.edu/antiphishing_phil/

A game to help people recognize phishing sites.

Browsing Protection http://browsingprotection.f-secure.com/swp/

This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.

CERT home computer security http://www.cert.org/homeusers/HomeComputerSecurity/

Tips for securing a home (or small office) computer.

CERT home network security http://www.cert.org/tech_tips/home_networks.html

Tips for securing a home (or small office) network or Internet connected computer.

Cyber Security Tips http://www.msisac.org/awareness/news/

Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Tips Newsletter. Sign up or download.

DataLossDB http://datalossdb.org/

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

DHS cyber http://www.dhs.gov/cyber

The US DHS cyber awareness, tips, and events page. Also note Obama's 2009 pep talk at http://www.whitehouse.gov/blog/Protecting-yourself-online/

Facebook privacy demo http://bit.ly/aclu_quiz

This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.

Facebook security http://chainmailcheck.wordpress.com/2011/01/05/facebook-security-guide/

The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on the arrow icons at the upper right-hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.) However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.

facebookpriv http://www.allfacebook.com/2009/02/facebook-privacy/

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

GetCyberSafe http://www.getcybersafe.gc.ca/index-eng.aspx

Your (federal) government dollars at work. Some reasonably decent advice.

Global Incident Map http://www.globalincidentmap.com/home.php

I'm not sure how useful it is, but it sure is pretty. Maps kidnappings, shootings, bombings, terrorist acts, piracy (non-recording), and a bunch of other nasty stuff.

hard passwords http://www.time.com/time/magazine/article/0,9171,2089349,00.html

Cute essay about password choice (although not much useful help).

Information Security Awareness Forum http://www.infosec.co.uk/ISAF

This portal says it is under the direction of ISSA UK, but Reed Exhibitions seems to play a major role ...

InfoSecElmo http://twitter.com/InfoSecElmo

Not exactly a major security awareness resource, but http://twitter.com/InfoSecElmo should be on everyone's Twitter feed. Some cute little slogans and reminders.

InfraGard workplace information security awareness course http://www.infragardawareness.com/course1

Slides/text with voiceover. There is also a test that might get you a certificate, but it wouldn't let me use any of my email addresses, so I know nothing about it.

MELANI http://www.melani.admin.ch/index.html?lang=en

The Reporting and Analysis Centre for Information Assurance is a Swiss group, seemingly consisting of business and government agencies cooperating to provide information about computer, and particularly online, security. The material seems to be pretty basic, but is clear.

NativeIntelligencesecaware http://www.nativeintelligence.com/index.asp

Native Intelligence obviously wants to sell you courses and materials, but there are some free samples and ideas there.

NIST guide for infosec awareness program http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Process for developing a security awareness program. Rather generic and abstract, but as with all NIST stuff many good points.

North Shore Emergency Management Office Website with resources http://www.nsemo.org/

NSEMO (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.

Notre Dame University infosec info http://secure.nd.edu/

Some of this is only accessible to registered students, and most of it is fairly simple, but it's good, straightforward, and clear. Decent model to follow. (Some aspects do date quickly ...)

onguardonline http://www.onguardonline.gov

Latest online security awareness from the US feds. Limited and basic awareness tips (but a decent start), some cute games (for the easily amused), and a very few phishing videos.

PhoneBusters Recognize It http://www.phonebusters.com/english/recognizeit.html

A list of various scams, and ways to recognize (and sometimes report) them. The descriptions are fairly simple, but the scope is useful.

Presenting risk http://understandinguncertainty.org/node/233

We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks. This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general.

Psych and sec http://www.cl.cam.ac.uk/~rja14/psysec.html

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

Safer Internet Programme http://www.sip-bench.org/sipbench.php?page=home&lang=en

EU programme for home computer security, mostly benchmarking filtering software.

sanitization http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

This article is originally from the IEEE Security and Privacy magazine, circa 2003. As such, some of the programs noted are out of date or obsolete. However, a number are still available and in use, and the basic concepts outlined are still valuable.

Security Maxims http://www.ne.anl.gov/capabilities/vat/seals/maxims.html

Roger Johnston's original list of security maxims.

Security motivational posters/wallpapers http://flosse.2blocksaway.com/archives/80

Some posters in the style of the well-known motivational posters. Some are fairly odd, but they are cute.

shakeout http://www.shakeout.org/

Resources, instructions and tips from the government of California on earthquake preparedness. Video instructions are at http://www.youtube.com/watch?v=o7eGZEY5wEM

Social armour http://www.eset.com/threat-center/blog/2009/09/08/armor-for-social-butterflies

A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.

socnetguides http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/

A useful collection of links to guidelines for the use of social networking media and systems.

Stay Safe Online http://staysafeonline.org/

Portal site, fairly simplistic material.

StopThinkConnect http://www.dhs.gov/files/events/stop-think-connect.shtm

Advice on online safety (from the folks who brought you the TSA, so lower your expectations).

Subject lines http://www.allspammedup.com/2012/02/avoid-looking-like-a-spammer-writing-good-su...

This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter? If you've sent me a message, and never got an answer, how detailed was your subject line?

Think Security First http://www.thinksecurityfirst.org

"Security Awareness for Small Business, Home Office and Home computing." A brief outline, plus some links. Contact the page owner to download additional handout materials.

Think Security First - Walnut Creek http://www.thinksecurityfirst.net

The original Walnut Creek site, with fewer materials.

Trends in "badware" http://stopbadware.org/home/consumerreport

Rather simplistic but possibly handy overview of malware and surfing threats.

usonlinefraud http://www.ultimatecoupons.com/how-to-report-internet-fraud.html

A collection of links to sites with information on online fraud. Reporting links for those in the US.

VITA Information Security Awareness Toolkit http://www.vita.virginia.gov/security/default.aspx?id=5146

Virginia Information Technologies Agency (VITA) (state government) Information Security Awareness Toolkit. Contains the "Duhs of Security" video (listed in the video and multimedia section here) in both viewable and downloadable format, and with subtitles and without, as well as other links and resources.

What Privacy is For http://www.harvardlawreview.org/symposium/papers2012/cohen.pdf

While academic in tone, and not the easiest read ever, this paper is one of the most thought-provoking and insightful pieces on privacy that I've read in a long time. I highly recommend it.

Children

Childnet http://childnet.com/

Childnet has some publications and resources that you might find useful. The overall tone seems a tad commercial and self-promotional, but that doesn't mean that you can't take what has value and ignore the rest.

Cyberbullying http://www.digizen.org/cyberbullying/fullFilm.aspx

A video about cyberbullying, long on emotion and a bit short on suggestions.

Easybits http://www.easybits.com/

Whitelisting program for kids, top ranking from EU Safer Internet benchmarks.

Guidelines on Internet Access for Children and Parents - Les Bell http://www.lesbell.com.au/Home.nsf/web/Guidelines+on+Internet+Access+for+Childre...

These guidelines are written for parents of children at primary or elementary schools: aged 5 to 12.

Hacker High School http://www.hackerhighschool.org

Project for development of licence-free, security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students. (Which is interesting, because they also seem to have licence requirements or arrangements.) The materials are very simplistic, and, despite supposedly being aimed at school age students, don't seem to have anything that would appeal to that audience.

HTCIA Internet Safety For Children http://www.htcia.org/isfc/

Very limited resources, and some training files available only to members. Not much content here.

iKeepSafe Internet Safety Coalition http://www.ikeepsafe.org/

Big on flash, videos, and commercial materials, a bit thin on actual content. Directed at parents, educators, and policymakers.

Internet Safety for Kids http://www.packet-level.com/kids/

Book (in PDF format), slides, handouts and other resources for an educational program. A specifically Canadian version is also available.

Kids and Internet slides http://www.deltapolice.ca/slo/presentations/index.php

Allan Alton's presentation, hosted by Delta Police Dept. Particularly good on background info.

NetSmartz http://www.netsmartz.org/

Material from the US National Center for Missing & Exploited Children.

SafeCanada.ca http://www.safecanada.ca/link_e.asp?category=3&topic=94

Internet safety for kids from the Canadian government.

ThinkUKnow? http://www.youtube.com/watch?v=vp5nScG6C5g

A good online awareness video produced by the ThinkUKnow campaign (http://www.thinkuknow.co.uk/) done by CEOP in the UK.

Vendors

Card & Identity Theft http://merchantwarehouse.com/credit-card-and-identity-theft-protection

This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.

International Computer Driving Licence http://www.icdl.ca/default_en.htm

A bit gimmicky, maybe, but some general awareness of online security. See also http://www.ecdl.com/countries/index.jsp

K9 http://www.getk9.com/

Web filtering software.

LiveWires Game http://www.livewwwires.com/

Sales site, no awareness materials available.

Microsoft awareness kit http://technet.microsoft.com/en-us/security/cc165442.aspx

Microsoft has a kit of awareness materials that you can download for free. There are some PowerPoint slide decks. These should be reviewed prior to use, since, while they do have some content, they have an awful lot of blank holes which need to be filled with your company name and some additional details. There are also templates for brochures, etc, but these contain no content, and are simply formats and styles.

Symantec Family Resources Website http://www.symantec.com/norton/familyresources/index.jsp

Limited materials, mostly oriented to the company's products.

Veridion CISSP training http://www.veridion.net/fligne_eng.html

Fairly simplistic, but a set of slides and voiceover available free of charge ...

Video and Multimedia

"New cybercrime" trailer http://www.youtube.com/watch?v=-5zxOLZ5jXM

Short piece from Fortify Software, no detail but possibly useful for awareness intro.

Botnets, part 1 http://video.google.com/videoplay?docid=6894729573807265981

Rather superficial (do we really need to know about source code and compilers, and lots of shots of Corey looking mean?), but an introduction to the basic idea and concepts.

Bud logs in http://www.youtube.com/watch?v=0QzhkOkvKnM

Simple password management tips from Watchguard.

Chip and pin fraud (part 1) http://www.youtube.com/watch?v=L7QzOcZAwbg

Part 1 (of 2) of a BBC piece on debit card (chip and pin) fraud. Ross Anderson is interviewed. (Piece must be a bit old: pan of his office shows Sec Eng 1st edition.)

Chip and pin fraud (part 2) http://youtube.com/watch?v=pHdX3ZYEvXw

Part 2 of the BBC piece. This section shows a very cavalier attitude on the part of the banks.

Compromised Bank Website http://youtube.com/watch?v=aWV8d2rWf8E

Roger Thompson's detailed explanation of an exploit served by a compromised bank Website.

Computer security video from AT&T archives, circa 1990 http://www.youtube.com/watch?v=KmgkBLwxoP8

Have a giggle at the dated video and voiceover. Or, consider that most of the problems are still there ...

Cyber exchange http://cyberexchange.isc2.org/Search.aspx?page=1&q=&ResPerPage=10

A new design for the old ISC2 computer security awareness materials.

Cymru videos http://www.youtube.com/teamcymru

Short videos (slide decks and voiceover) on various security topics, mostly related to malware. Basic information, but quite suitable for security awareness presentations.

Deconfliction http://www.youtube.com/watch?v=g39xIewgGaM

Deconfliction has a specific meaning in aviation or the military, to do with planning flightpaths to avoid collision. In computer science, it has to do with avoiding problems in rules-based reasoning. What we have, here, is a failure to communicate ...

Duhs of Security http://www.youtube.com/watch?v=UPs5JCg910E

This security awareness video (on YouTube), made by the infosec people in the state government of the Commonwealth of Virginia, covers some good, basic tips. It's amusing, and only 13 minutes long. Some of the advice is specific to their security policy, and probably won't match yours, but at least it'll get you (or your staff) thinking about some of the issues.

Hitler cloud sec http://www.youtube.com/watch?v=VjfaCoA2sQk

You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all. This one is about cloud computing and security, and makes a few cute points about security in general.

How to get a free meal at McDonalds http://www.5min.com/Video/How-to-get-a-free-meal-at-McDonalds-4186

You've probably thought of this, but it's kind of cute. Possibly good for a discussion of bad design, or the cost/benefit of securing small transactions.

How to order pizza http://www.funnieststuff.net/viewmovie.php?id=2202

Cute little video about databases and the erosion of privacy.

Most Terrifying Video You'll Ever See http://www.youtube.com/watch?v=bDsIFspVzfI

Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.

MySpace hack http://www.youtube.com/watch?v=_VipylmHnII

Roger Thompson demonstrates an example exploit served from a social networking site.

Net safety/privacy http://www.youtube.com/watch?v=xZHq4CQekTY

Rather disturbing, but probably effective in terms of children disclosing information and trusting strangers.

Phishing indications http://www.sacs.co.za/videos/Phishing/Phishing.html

Flash presentation, audio and screen activity, showing phishing symptoms and indications in a message.

pig hackers http://www.youtube.com/watch?v=8ImZmDYme_s

Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...)

Rainbow tables http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.rainbow

Video presentation from Watchguard. Fairly simplistic.

Rootkits explanation (part 1) http://video.google.com/videoplay?docid=6096561464071933082&hl=en

Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)

Rootkits explanation (part 2) http://video.google.com/videoplay?docid=5675191504457207546&hl=en

Very simplistic tutorial on what rootkits do. (Very lo-res and grainy.)

Security Freak video portal http://security-freak.net/videos.html

Links to a number of security related videos. Some technical, some simple.

SecurityTube http://www.securitytube.net

Portal to security related videos.

Sexy Hacking videos http://sexyhacking.com/videos/

Seemingly a promo for the company, this series of videos pretends to use sexy ladies to teach you about vulnerability scanning and penetration tools. The material is far too simplistic to teach anything at all about the technology, but could be a cute intro for an awareness session. Unfortunately, while the company promised to do new videos regularly, they only seem to have produced six.

Shredding videos http://www.ssiworld.com/watch/watch-en.htm

Video clips of shredding all kinds of things. Nothing to do with security per se, but fun to show when you are talking about destruction of data or BCP events. (Be sure to check out the cars.)

SOPA protest http://www.youtube.com/watch?v=1p-TV4jaCMk

An amusing take on the US SOPA and PIPA (which can affect us). Note also recent Harper gov't moves in this direction.

ThinkUKnow? http://www.youtube.com/watch?v=vp5nScG6C5g

A good online awareness video produced by the ThinkUKnow campaign (http://www.thinkuknow.co.uk/) done by CEOP in the UK.

Web session hijacking http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.sidejack

Watchguard video on "sidejacking." Not much detail, but interesting to see how easy the tools make it.

Web session hijacking http://www.tgdaily.com/content/view/34324/108/

A longer and more detailed version of the sidejacking demonstration.

YouTube use for hiding malware http://www.youtube.com/watch?v=pzKmzO_Xq3k

Interesting video demonstrating (on YouTube) the use of YouTube to hide the nature and activities of malware.

Security Architecture

Bell-La Padula http://selfless-security.offthisweek.com/presentations/looking-back.pdf

David Bell (yes, *the* Bell) looking back on how the model was developed, 30 years later. (Also commenting that we know *how* to build secure systems, we just don't.)

Complexity kills http://www.switched.com/2011/03/03/state-of-the-union-security-eugene-spafford/

Security State of the Cyber-Union With Eugene Spafford. We are moving to greater complexity, not less, and getting away from fundamentals.

SABSA http://www.sabsa.org/UserFiles/Image/2-matrix.png

Sherwood Applied Business Security Architecture (SABSA), closely related to the Zachman framework. The SABSA site also describes a process and other functions.

Security Engineering http://www.cl.cam.ac.uk/~rja14/book.html

One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.

Zachman Framework article http://www.zachmaninternational.com/images/stories/ibmsj2603e.pdf

The original article outlining the Zachman Framework, a business architecture model sometimes used as a breakdown model for security planning.

Zachman model http://eacoe.org/pdf/EACOE_Enterprise_Framework.pdf

Current (2010) model of the Zachman framework. (At the moment, the original zifa.com site and zachmaninternational seem to be pretty badly bent.)

Security Frameworks

Security frameworks presentation, with notes http://www.iso27001security.com/Rob_Slades_security_frameworks_presentation.ppt

This is my security frameworks presentation, in PowerPoint. (It's compatible with OpenOffice.) Not just a deck of slides, it has a whole article on the topic embedded in the notes. I used to point at the ISC2 awareness materials, but they seem to change.

BS 7799/ISO 17799/27000 family

Callio http://www.callio.com/

Checklist for the BS 7799/ISO27K family of standards. Also some pages tersely outlining BS 7799 and its descendants.

IT Governance http://www.itgovernance.co.uk/

Alan Calder's site, selling Alan Calder's consulting, books, and toolkits, much of which has (nominally) to do with BS 7799/ISO 17799. (Can't say for sure about the consulting, but the books and toolkits are verbose and of limited utility. Some documents and templates will save you a bit of time in terms of documenting your process.)

ANSI Webstore http://webstore.ansi.org/ansidocstore/default.asp

Prices for the standards vary tremendously. For those that have been accepted as ANSI standards, this is one of the cheapest places to get copies of the standards.

Intro to infosec http://openlearn.open.ac.uk/course/view.php?id=3631

A Masters level course from the UK OpenLearning/LearningSpace centre, introducing the concepts of information security management. Little or no technical content. Parts appear based on BS 7799-2/ISO 27001.

ISMS International User Group (IUG) http://www.xisec.com/

ISMS International User Group (IUG), also ISMS Journal. (ISMS, Information Security Management System, is a term used in BS 7799 and its descendants and almost nowhere else: it is an indication of the BS 7799/ISO 27K relation.)

ISMS Journal http://www.xisec.com/foundation.htm

An apparently free electronic magazine. (Existing issues all seem to date from 2004: the most recent edition brings up a link to a German consultancy that seems to be doing the publishing.) News (mostly old) of meetings and events, some general security articles, remarkably little on BS 7799/ISO27K materials. (Issue 5 does have a nice piece on 17799 and software development.) The subscription address currently appears to be defunct.

ISO http://www.iso.org

International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline framework. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")

ISO 27000 http://standards.iso.org/ittf/PubliclyAvailableStandards/c041933_ISO_IEC_27000_2...

ISO 27000:2009, the overview document for the 27000 family of standards, is now published and available as a free download. It outlines the 27000 standards (to date) and provides a very brief glossary. For some reason the standard comes as a zip archive file of a PDF. When you go to the link, you will be briefly redirected to a licence page, and have to agree in order to get the document.

ISO 27000 papers and templates http://www.iso27001security.com/html/white_papers.html

White papers, templates, and sample documents from the ISO27k implementers

ISO 27000 Toolkit http://www.iso27001security.com/html/iso27k_toolkit.html

Part of Gary Hinson's collection of ISO 27K materials. Case studies, policies, statements, and other supporting documents.

ISO 27001 mailing list http://groups.google.com/group/iso27001security

Mailing list for discussion of, and resources for, ISO 27000 family and other security frameworks. (Not an official ISO list: run by Gary Hinson.)

ISO 27001 portal site http://www.iso27001security.com/

Information and resources on ISO 27000 family and other security frameworks. (Not an ISO site: run by Gary Hinson.) A handy (though short) FAQ, list of books, and links to relevant sites.

ISO 27001 Self-Assessment on Information Security https://benchmark.wolcottgroup.com/?gclid=CJm0sI27spACFQNCgwodaw7HLA

A fairly simplistic set of questions, and you, basically, do all the work, but it can give you a bit of a feel. Seems to be based on the capability maturity model. (I'm reasonably sure that they will use the data to try and sell you some consulting, but ...)

Praxiom http://www.praxiom.com/27001.htm

Praxiom is primarily interested in selling you their products and services, but this section of their Website does have some helpful material in getting an overview of ISO 27001 and what people are doing about it. (The site also has materials on other parts of the ISO 27K family.)

The ISO 27001 and 17799 User Group http://www.17799.com

An internet user group dedicated to the ISO information security standards. Content is very thin.

The ISO 27001 and ISO 17799 Open Guide http://iso-17799.safemode.org

Public collaboration 'wiki' for both ISO 17799 and ISO 27001. At present, the contents are rather thin.

Checklists, controls, and practice lists

CobiT maps to http://www.isaca.org/Template.cfm?Section=COBIT_Mapping1&Template=/ContentManage...

ISACA maps of CobiT to ITIL, NIST SP800-53, CMMI, ISO 17799/27002, Project Management BOK, and others.

CyberSecurity Checklist http://www.cccure.org/modules.php?name=Downloads&d_op=viewdownload&cid=93

This copy hosted on the CCCURE site. I don't know who the U.S. Cyber Consequences Unit (US-CCU) is (aside from the two authors), but the material is generally decent. (Some of the items are a bit bizarre.) It can also be found at http://www.cyberunitss.com/files/cybersecuritychecklist2007.pdf

Identity Theft Standards Panel http://www.ansi.org/idsp

Watch this space. To report in January 2008.

Information Security Forum http://www.securityforum.org/

No lack of self-esteem for these guys, but they do have some documents publicly available, particularly the Standard of Good Practice. This is incredibly verbose, but boils down to a checklist both of objectives and of specific activities or controls. You have to register to get the doc.

NERC standards http://www.nerc.com/page.php?cid=2|20

North American Electric Reliability Corporation (NERC) standards, some of which address computer systems and/or physical security surrounding computer systems.

PCI DSS https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

The PCI (Payment Card Industry) Data Security Standards. You can get the standard itself, plus various supporting documents. As of October 2008 the current standard is 1.2.

Social armour http://www.eset.com/threat-center/blog/2009/09/08/armor-for-social-butterflies

A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.

socnetguides http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/

A useful collection of links to guidelines for the use of social networking media and systems.

Risk and assessment

BITSinfo Publications http://bitsinfo.org/p_publications.html

A product of the banking and financial community, at one time, BITS stood for

Calabrese http://righteousit.wordpress.com/2009/02/26/calabreses-razor/

An interesting, semi-quantified risk analysis tool. Allows you to address both the protective benefits and the resource/operational cost of various safeguards, and compare them against each other.

is2me http://www.is2me.org/index-en.html

This site presents a useful structure for risk assessment/management and information security, specifically for medium-sized businesses (200-1000 employee size). It is not intended as a panacea, but as a stop-gap measure for those without a mature information security architecture of their own. A Spanish version (the original) is available at http://www.is2me.org/ .

Psych and sec http://www.cl.cam.ac.uk/~rja14/psysec.html

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

CobiT maps to http://www.isaca.org/Template.cfm?Section=COBIT_Mapping1&Template=/ContentManage...

ISACA maps of CobiT to ITIL, NIST SP800-53, CMMI, ISO 17799/27002, Project Management BOK, and others.

Espiria http://www.espiria.com/home.html

Part consulting, part product: security risk assessment based on a standardized, online, data collection tool.

RiskWatch http://www.riskwatch.com/

Self-assessment tool to be used in preparation for audit, mostly for financial institutions.

Securac http://www.securac.net/

Acertus risk assessment software

Telecom and network security

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

Wi-Fi security cheat sheet ebook http://www.sysman.org/wifi-security-ebook-RakeshGoyal-Sysman-2008-10-09-V001.pdf

A little over a third of this ebook is promotional material for the authors. Another third is fairly generic background on Wi-Fi and infosec. Roughly a quarter of the pages are dedicated to a simplistic set of recommendations for securing wireless LAN systems, particularly at home. But it's better than nothing.

Attacks and status

Active Threat Level Analysis System (ATLAS) http://atlas.arbor.net/

Global Threat Map, Threat Briefs, Top Threat Sources, Threat Index, Top Internet Attacks, and Vulnerability Risk Index using a distributed network of sensors

CSIRT exercise http://www.enisa.europa.eu/act/cert/support/exercise

ENISA (European Network and Information Security Agency) has extensive materials on setting up a CSIRT (Computer Security Incident Response Team). They have also provided significant exercise materials in order to test and train such teams.

DataLossDB http://datalossdb.org/

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

DNS exploit http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

An illustrated guide to one of the recently noted problems with DNS.

DNS Randomness Test https://www.dns-oarc.net/oarc/services/dnsentropy

A test for your DNS resolver against a recent weakness.

Facebook privacy demo http://bit.ly/aclu_quiz

This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.

fastflux http://www.icann.org/committees/security/sac025.pdf

This paper provides an overview explanation of fast flux and double flux activities related to hiding malicious Websites, or avoiding takedown (particularly related to botnets). It also suggests certain actions which could mitigate such activity. The essay uses a lot of jargon and is not always clear, but does provide a decent basic explanation.

Ghostnet http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espio...

The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html ). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf )(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).

HoneyNet fast-flux explanation http://www.honeynet.org/papers/ff

Solid explanation of fast-flux technology (used by botnets) from the HoneyNet Know Your Enemy project.

How to extract Gmail ID data http://blogs.securiteam.com/index.php/archives/1113

How to extract the personal information for a Gmail or Google ID. Not sure whether this bug has been fixed, but the process is interesting in itself.

Open Source Security Information Management http://www.ossim.net/

Collection of open source tools and display components

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

RSTEG http://arxiv.org/ftp/arxiv/papers/0905/0905.0363.pdf

Advertised as RSTEG (Retransmission STEGanography), the technique described in this paper actually uses the standard TCP operations to allow you to set up a kind of covert channel. Interesting idea, although likely neither terribly dangerous nor important.

seclists.org http://seclists.org/

The SecLists.Org Security Mailing List Archive collects and archives a number of security related mailing lists, although it concentrates on those dealing with networking and exploits. It also provides a portal to the lists themselves, so it's a valuable resource for those looking for lists. (Check out Funsec and RISKS.)

Social networking threats http://www.csis.dk/dk/forside/LinkedIn.pdf

Paper on the risks associated with social networking sites, specifically using LinkedIn as an example.

socnetanonymity http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf

This paper, although rather abstract and academic, is a good survey of the research into social network data gathering, as well as a particular de-anonymizing attack. It points out the dangers of data aggregation that inherently exist in social networking.

WPACracker http://www.wpacracker.com/

Polly wanna crack a WPA network? A cloud based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130 million word dictionary against it, in as little as 20 minutes. Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?

Email

Flamer's Bible http://www.netfunny.com/rhf/jokes/88q1/13785.8.html

An old rec.humor.funny posting about how to abuse your opponent in a flame war. A good guide to remember what *not* to say in any online "discussion."

Subject lines http://www.allspammedup.com/2012/02/avoid-looking-like-a-spammer-writing-good-su...

This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter? If you've sent me a message, and never got an answer, how detailed was your subject line?

Protection and Tools

Browsing Protection http://browsingprotection.f-secure.com/swp/

This tool will let you check sites you don't know, or are not sure about. Just plug the URL into the address box on the page.

Detection of promiscuous mode network cards http://www.securityfriday.com/promiscuous_detection_01.pdf

Promiscuous mode, the ability to read all traffic on the network segment even if it's not addressed to you, can be used to mount attacks. It's usually considered a passive attack, because it is used for sniffing. However, there are means to determine if a card on the system is in promiscuous mode.

Facebook security http://chainmailcheck.wordpress.com/2011/01/05/facebook-security-guide/

The actual security guide pointed to resides at ZDNet, but this site lists the four parts together (and the ZDNet navigation is not exactly clear). Navigation through the checklist is not completely obvious either. You can go through by clicking on the arrow icons at the upper right hand corner of the images (which may be hard to find because the images can be fairly busy), or by clicking on individual pictures below the image and text. (Clicking the arrow icons down there only moves the pictures back and forth, without moving you through the checklist.) However, once you master the oddities, the checklist can be quite helpful. It is fairly complete, and, although the text instructions on how to find the items can be difficult, the fact that the image displays the page in question, and the red numbers point out what you are supposed to choose, allows you to check that you are, in fact, on the right page. The instructions may seem simplistic if you have been using Facebook for a while, but they will be great for a newcomer, and even the "expert" will likely find a setting they didn't know about.

facebookpriv http://www.allfacebook.com/2009/02/facebook-privacy/

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

Fast Flux Hosting Working Group of the GNSO initial report http://gnso.icann.org/issues/fast-flux-hosting/fast-flux-initial-report-26jan09....

Fast flux, the rapid rotation of DNS records to point from a single domain name to a number of separate machines, is widely used in malware serving, phishing scams, and other related net nastiness. Unfortunately, the basic concepts are also used for legitimate purposes, such as performance enhancement on large and popular sites, or the prevention of net censorship. The initial report of the Fast Flux Hosting Working Group of the Generic Names Supporting Organization (GNSO) of ICANN (Internet Corporation for Assigned Names and Numbers) contains a good deal of information and thought, and should receive wider dissemination and consideration than it has to date.

Freenet http://freenetproject.org/index.php?page=whatis

Free Network Project, demonstrating the use of encryption and onion routing in securing a network against analysis.

Onion routing http://www.onion-router.net/

A technique for anonymous communication over a computer network: routing information is encoded in a set of encrypted layers. Onion routing is also based on mix cascades or networks, bouncing the messages between different nodes.

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

Port knocking http://www.portknocking.org/

Port knocking could be used to authenticate requests, but the request and authentication could be observed, and this may be security by obscurity. Even worse, port knocking could be used to set up a covert channel ...

Social armour http://www.eset.com/threat-center/blog/2009/09/08/armor-for-social-butterflies

A blog posting from Eset outlining some basic tips for reducing the risks associated with social networking/social media/Web 2.0 activities.

socnetguides http://laurelpapworth.com/enterprise-list-of-40-social-media-staff-guidelines/

A useful collection of links to guidelines for the use of social networking media and systems.

TLS RFC http://www.ietf.org/rfc/rfc2246.txt

The RFC for Transport Layer Security (TLS), based on SSL.

Tor http://www.torproject.org/

Tor onion routing anonymizing project.

usonlinefraud http://www.ultimatecoupons.com/how-to-report-internet-fraud.html

A collection of links to sites with information on online fraud. Reporting links for those in the US.

Spam

http://www.abuse.net/

Reporting site for annoying behaviour

Allwhois http://www.allwhois.com/

multiple whois database lookup

Anti-telemarketing script http://www.junkbusters.com/ht/en/script.html

Handy to run through when telemarketers call. The Do Not Call list link is US, but the script should be useful for anyone.

ARIN whois http://whois.arin.net/whois/arinwhois.html

One of the sources for tracing domains

Bayesian filtering http://www.drsolly.com/phd.htm

Alan Solomon's PhD dissertation

Coalition Against Unsolicited Commercial Email http://www.cauce.org/

Volunteer organization to agitate for solutions against spam.

Geektools http://geektools.com/

Various tools for tracing spam and URLs

hiding address http://fuckthespam.com/?info

Many antispam sites tell you not to provide your email address. This advice, however, doesn't work too well if you need to advertise your address so that people can contact you. This site provides some practical advice on ways to hide your address from robots and spiders, but still make it accessible to people. Most of these techniques would also work in HTML formatted email, but, as a malware specialist, I can hardly encourage people to use HTML formatted email. For those of a malware research frame of mind, a number of these techniques are also used to hide malicious content.

Knujon spam reporting site http://www.knujon.com/

A very useful "one stop" site for reporting spam. Submission is by file, rather than form, which is a pain, but you can also report by forwarding email. (There are specific instructions in order to get headers.) Knujon ("no junk" spelled backwards) seems most interested in shutting down Websites, but also has provisions for submitting general spam (to knujon@coldrain.net) as well as stocks (stockjunk@coldrain.net), drugs (rx@coldrain.net), phishing (phishing@coldrain.net), and one of the only addresses I've found for 419/advanced fee/Nigerian scams (for some reason called deposit scam: depositscams@coldrain.net).

Network identity theft: who owns IP addresses? http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_th...

A very interesting article by Brian Krebs of the Washington Post, touching on the entities involved in IP (Internet Protocol) addresses and assignments, and the legal difficulties of dealing with theft or misuse. More information is available at http://www.47-usc-230c2.org/

Sam Spade http://samspade.org/

whois tracing tool. At one time also had utility software available.

Spam laws http://www.spamlaws.com/

US, EU, and other countries

Spamming Incident Reporting and Termination Squad from CastleCops http://wiki.castlecops.com/SIRT

Like PIRT, this allows you to submit spam messages for takedown of the spam server.

SpamPoison http://spampoison.com/

System to feed email harvesting bots fake email addresses

Subject lines http://www.allspammedup.com/2012/02/avoid-looking-like-a-spammer-writing-good-su...

This is a particular bugbear of mine. When I get a message, from someone I don't know, with a subject line like "hello," am I even going to look at it, or just chuck it, unread, into the spam filter? If you've sent me a message, and never got an answer, how detailed was your subject line?

The 419 Coalition http://home.rica.net/alphae/419coal/

Information and education about 419 (aka advanced fee fraud aka Nigerian) scam messages and reporting.

Telecom and networking refs and resources

DOCSIS http://bradyvolpe.com/docsis-tutorial/

Basic physical layer transmission fundamentals don't get covered much these days, which makes the more advanced technologies that much more mysterious. This DOCSIS (Data Over Cable Service Interface Specification) tutorial is fairly simplistic, but it does provide some starting concepts in order to understand what is going on with cable modems. More details, and other pointers, are available at Wikipedia: http://en.wikipedia.org/wiki/DOCSIS

Internet Assigned Numbers Authority (IANA) port numbers http://www.iana.org/assignments/port-numbers

Some people disagree, or use other assignments, but this is the formal standard. IANA is also a source for domain name, IP address, and autonomous system (AS) number information.

NIST cloud def https://www.ibm.com/developerworks/mydeveloperworks/blogs/CloudComputing/entry/n...

This IBM blog entry provides a basic summary of the NIST work on defining cloud computing (available at http://csrc.nist.gov/groups/SNS/cloud-computing/index.html), as well as some related jargon. It provides a fundamental starting point and basis for assessing "cloud" systems and providers.

TCP/IP Header Drawings http://www.fatpipe.org/~mjb/Drawings/

For those teaching, or even seeking to understand, TCP/IP packet headers, a lovely collection of figures which illustrate the functions quite well. There is no textual explanation; this is not a tutorial or introduction; but as a reminder of some of the most important information, it's great.

Vendors (includes freeware and open source)

"Get Ready for CISSP Exam" book http://www.conformix.com/books/cissp/download/cissp-book.pdf

Not really a book, this is more of a checklist of topics. The English used in the text is not the best, and there is very little in the way of explanation. It is also quite incomplete. (For example, there is almost nothing on BCP, OpSec, and Law/Investigation.) However, for those without other resources, if you can understand the points, and find the flaws, in this material, you have a good chance of passing the CISSP exam. (NB: the author sells consulting and training. Given the quality of the book you might want to save your money on the training.)

Adeona http://adeona.cs.washington.edu/

Open source laptop tracking. (Absolute Software is in for it now ...)

Card & Identity Theft http://merchantwarehouse.com/credit-card-and-identity-theft-protection

This site appears to be for a vendor of POS terminals, but the page does have links on credit card and ID theft protection. Most of these are for the US, but some do offer generic advice.

CCCURE CISSP intro http://www.cccure.org/flash/intro/player.html

cccure.org is a fairly famous resource for those studying for the CISSP exam. There are various papers and other resources, and the famous quizzes. (The quizzes have, of late, been inundated with questions of rather low quality, but it is the most widely used, accessible, and certainly no worse than many others.) This presentation is a general overview of the CISSP, buried in a major sales pitch for cccure.

CryptoNAS http://cryptonas.org/

encrypted network attached storage

Fred Cohen & Associates http://all.net/

Fred is the grandfather of antiviral/malware research, and has been around the security field for a long time. His books, particularly, are always unusual, but always worthwhile.

HomelandSecEd http://www.homelandsecuritydegree.org

This is a rather odd site, and I'm not sure where to put it. However, it would seem to be useful, mostly for those in the US who want to get post-secondary programs related to jobs in the Department of Homeland Security. These may have application for others, as well.

hping http://www.hping.org/

command-line TCP/IP packet assembler/analyzer

Microsoft newsletter http://www.microsoft.com/canada/technet/securitynewsletter/default.mspx

Microsoft's security newsletter, Canadian version. The articles are often merely restatements of vulnerability announcements, and the additional ones aren't stunningly well written, but it is a resource. Many of the additional announcements have some tips on good coding practice.

Microsoft security events and Webcasts http://www.microsoft.com/events/security/default.mspx

A rather annoying site that is not easy to use and doesn't always have security related materials, but is always willing to redirect you to a sales event to which you probably can't come.

OpenSSH for Windows http://sshwindows.sourceforge.net/

free package that installs a minimal OpenSSH server and client utilities

OpenSSL http://www.openssl.org/

collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as full-strength general purpose cryptography

Pen test lab http://metasploit.com/help/test-lab.jsp

Instructions on setting up a test lab rig.

Quant http://securosis.com/projectquant/project-quant-database-security-process-framew...

Project Quant is supposed to be a database security framework. At this stage it seems to be a decent outline of security in general, although there doesn't appear to be much in place that is particular to database security as a specialty.

Security Guide http://www.thesecurityguide.com

A sort of oddball portal site, listing various security tools and software, also has a somewhat simplistic security guide that you can download (if you can figure out how to access it).

Selenium IDE http://selenium-ide.openqa.org/

Selenium is a suite of tools to automate web application testing. The IDE is a tool to make that even easier.

Sentry tools http://sourceforge.net/projects/sentrytools

protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis

Stunnel http://www.stunnel.org/

program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer)

Top 100 Network Security Tools http://sectools.org/

This is not a vendor site as such, but a (briefly) annotated list of the most highly regarded (and used) security tools and utilities. An awful lot of these are free. Unfortunately, this is currently based on a 2006 survey, but has been updated in terms of individual tools.

AVG http://free.grisoft.com/

Grisoft antivirus product has the advantage that they have always produced a version that is available for free download. Unfortunately, a number of features and functions are not available in the free version.

ESET SysInspector http://www.eset.eu/en/eset-sysinspector

ESET SysInspector is a diagnostic tool for Windows NT based systems. It allows an in-depth analysis of various aspects of your operating system, including running processes, registry content, startup items and network connections. ESET SysInspector makes dealing with malware-infected systems easier.

F-Secure http://www.f-secure.com/

Accurate and well-respected scanner

F-Secure BlackLight Rootkit Elimination Technology http://www.f-secure.com/blacklight/

F-Secure's BlackLight Rootkit Elimination Technology is well-regarded in the anti-malware research community. It is available in their complete product, but can also be downloaded separately as a utility. F-Secure also provides a little bit of rootkit explanation at http://www.f-secure.co.uk/blacklight/rootkit.html.

GMER http://www.gmer.net/index.php

GMER is a Polish anti-rootkit program (Windows only) available for free download.

McAfee Rootkit Detective http://vil.nai.com/vil/stinger/rkstinger.aspx

McAfee Rootkit Detective (originally from Avert) is available for download, but the McAfee site makes sure you know it is a beta product, and requires knowledgeable application and use.

Noscript http://noscript.net/

Firefox addon restricting JavaScript, Java, and other forms of active content.

Panda Anti-Rootkit http://www.pandasoftware.com/download/documents/help/rkc/en/rkc_en.htm

Panda tends to oversell their products, but their anti-rootkit is also available for download.

Proxomitron http://www.castlecops.com/Proxomitron.html

Web filtering proxy. Can be used to restrict various content, including outgoing, so useful for privacy as well. Can also be used to manage Web browsing appearance and display, including size, images, and backgrounds. Certain functions by default, highly customizable, but may require knowledge of HTML and HTTP. Because it is a proxy, works with any browser.

Sophos http://www.sophos.com/

Accurate and well-respected scanner: office in Vancouver. Also spam filtering.

Sophos Anti-Rootkit http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Sophos has always been a solid antivirus company, so there is no reason to think that their anti-rootkit product is any less.

Trend Micro RootkitBuster http://www.trendmicro.com/download/rbuster.asp

As usual with most Trend Micro products, RootkitBuster sounds fairly aggressive.

Emailias http://www.emailias.com/

Automated creation of throwaway email addresses

LaBrea http://labrea.sourceforge.net/

One form of tarpit, this one seeking to slow down spam mail connection links.

Mailinator http://www.mailinator.com/mailinator/index.jsp

Automated throwaway email address for spam filtering

Sophos http://www.sophos.com/

Filtering software; the company formerly (and still) produces an antivirus scanner

Vancouver Groups

BCI http://www.thebci.org/

The Business Continuity Institute does have a local chapter, but the only way you can get in touch with them is via email: BCForum.Leader@Gmail.com . Note that the Website is www.thebci.org. If you try www.bci.org you will end up with a Bahai computer group.

Canadian Information Processing Society - Vancouver http://cips-vancouver.org

CIPS is focused on IT excellence through its work on public policy, setting standards within the profession and providing IT support to its community.

ISSA Vancouver http://vancouver-issa.org

Information Systems Security Association (ISSA) is an association dedicated to providing forums, publications, and peer interactions to professionals who are security practitioners or responsible for managing their organization's technology and data risks.

North Shore Emergency Management Office Website with resources http://www.nsemo.org/

NSEMO (our local North Shore Emergency Management Office) has redone their Website, and it now contains a fair amount of generically useful information, such as suggested contents for "grab and go" bags, and home emergency plans.

VanSecCity http://www.vansec.org/

For those wanting a less formal association, this group is trying to meet up for pub nights once a month.

Web and Web application security

http://www.owasp.org/index.php/Main_Page

Open Web Application Security Project (OWASP), presentations, video, papers, blogs, mailing lists.

.htaccess tricks http://isc.sans.org/diary.html?storyid=5150

A sneaky way to hack a site in such a way that only newbies get caught ...

Facebook privacy demo http://bit.ly/aclu_quiz

This link (actually a bit.ly link, since the actual link requires you to be logged in to Facebook) is a demonstration of how much information *any* Facebook app can get about you.

Ghostnet http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espio...

The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times (http://www.nytimes.com/2009/03/29/technology/29spy.html ). There is also related work in a report out of Cambridge (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html and full report at http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf )(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).

Google Browser Security Handbook http://code.google.com/p/browsersec/wiki/Main

A description of various oddities in the way different browsers handle different code and other Web-related entities. These differences can possibly be exploited in security attacks. Internet Explorer (a few versions), Firefox (a few versions), Safari, Opera, Chrome, and Android are examined.

hiding address http://fuckthespam.com/?info

Many antispam sites tell you not to provide your email address. This advice, however, doesn't work too well if you need to advertise your address so that people can contact you. This site provides some practical advice on ways to hide your address from robots and spiders, but still make it accessible to people. Most of these techniques would also work in HTML formatted email, but, as a malware specialist, I can hardly encourage people to use HTML formatted email. For those of a malware research frame of mind, a number of these techniques are also used to hide malicious content.

Hitler cloud sec http://www.youtube.com/watch?v=VjfaCoA2sQk

You may or may not be aware of the mass of "Hitler rant" videos on YouTube. These take a clip (from the movie "Downfall") and subtitle it with a rant from Hitler about everything from college football to the iPhone to Facebook accounts to ... well, anything at all. This one is about cloud computing and security, and makes a few cute points about security in general.

PHP Security Manual http://www.php.net/manual/en/security.php

Online security manual for securing the use of PHP.

Searching For Evil, Ross Anderson http://video.google.ca/videoplay?docid=-1380463341028815296

Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.

Understanding the Web browser threat http://www.techzoom.net/publications/insecurity-iceberg/index.en

An interesting piece of research and discussion, examining browser vulnerabilities, and the risk to the computing environment as a whole, in light of a large number of factors.

Web SSO http://sso-analysis.org/

An analysis of current Web-based federated ID and single-signon systems. Research paper, online checking tool, and a discussion forum.

XSS cheat sheet http://ha.ckers.org/xss.html

Just a list of XSS attacks, but a way to check that your Web app filter will catch things.