Links Directory

Why OpenID won't work.

Might have been better in vendors, but ...

Good article from ISMH 1998 edition

US government and military sponsored program to assess face recognition biometric products.

Pawsense is a program to determine whether a cat has been walking across your keyboard, and to disable the keyboard input until reactivated. It's a bit of a joke, but an example of keystroke analysis biometrics.

Description and even code for setting up a phishing site to obtain OpenID credentials.

Various resources

US Dept of Energy paper: Parasite Programs; Adware, Spyware, and Stealth Networks

A Windows ... "extension" of the ClamAV open source AV scanner. ClamWin has an interesting relation to ClamAV, and the ClamAV people seem annoyed if anyone calls ClamWin a version or port of ClamAV.

A kind of updated version of what we have been saying for years: use multiple means of AV detection. Some interesting points and means of improving performance.

An old GreyMagic paper, but an interesting security vulnerability.

Information sharing project to detect and reduce bots and botnets

Check a suspected file against not quite as many scanners as VirusTotal.

A new way for marketers and malicious sites to store and use information on your computer.

A list of vulnerabilities.

Rich Skrenta created probably the second or third computer virus.

Excellent presentation (but then, everything Ross does is worth noting) on botnets, related malware and fraud, and the command and control systems. Interesting research on the various types that are more resistant to takedown.

Partnership committed to protecting Internet and computer users from the threats that are caused by bad (malicious) software.

Submit a suspect file: the system does a form of black box testing, looking not at the file itself, but at it's actions.

Rather simplistic but possibly handy overview of malware and surfing threats

Check a suspected file against a large number of virus scanners.

Part of the Software Assurance program, a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) provides support, and, with other contributors, develops and collects software assurance/security information to help software developers and security practitioners create secure systems. Based on software engineering and addressing a software development life cycle. Links to best practices, tools, guidelines, rules, principles, and other resources.

Advice and tools for engineering resilient systems.

Complementary Objects for Software Applications. A form of object-oriented programming stated to be highly reliable. (The ability to build the underlying system is, unfortunately, not addressed.)

Thoughts from the Google development security team: some useful points in regard to secure Web apps.

Interesting discussion of cheating in online gaming and implications for application security.

Most of the white papers are a bit thin and "rah rah," but the security newsletter does have some worthwhile pieces.

Some parts Microsoft specific, but a good deal of it is a reasonable process outline.

Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities

Open Web Application Security Project, tips, tools, discussions, a wealth of resources.

Online security manual for securing the use of PHP.

Some white papers on "best practices" in application development.

One of the best books, of any kind, on security. And you can read (or download) the entire first edition online here.

US Information Assurance Technology Analysis Center (IATAC) paper on development of secure software.

Carnegie-Mellon's secure software development model

The Open Group Architecture Framework (TOGAF) Architecture Development Method (ADM) whitepaper. Fairly generic and high level, but does outline what to do about security at different stages of development.

Example of permission or privilege hijacking on Windows XP and Vista. (PDF)

NSA sponsored project demonstrating the means of developing high integrity, high security software.

Overview of the Tokeneer project (in PDF)

Note also that resources for Web development security can be found under the Telecom category. (NB: due to technical limitations, this link is recursive ...)

Microsoft article on testing for XSS vulnerabilities: fairly basic.

Guidance on forming and operating a computer security incident response team (CSIRT)

Interesting examination of the failure of CCTV to deter crime in the UK. Points out the need to know what your CCTV requirements are: simply installing the tech is not enough.

Fairly simplistic explanation of the home router DNS attack.

In Canada you'll get the mail back, postage due ...

Interesting discussion of cheating in online gaming and implications for application security.

Why proprietary algorithms are a bad thing.

How intellectual property laws are destroying creativity.

You may have seen or heard of Peter Gutman's review of Vista. Despite controversy, it has some important things to say not only about DRM, but also about the security of the platform, in certain respects. (For example, the DoS possibilities, and also the new impetus for hackers of all stripes to delve into the internals of the system.)

1979 version of the RAND report on computer security, originally done in 1970.

Satirical article on how not to review security (antivirus) software. Although Sarah Tanner, a secretary, is credited with the artice, it was actually written by Alan Solomon

Classic paper on "how far back do you have to check?" (This paper has spawned a widely held myth that Thompson actually did create a backdoor into all versions of UNIX and every program created with C.)

Excerpt from the book, detailing the flaws in "security by obscurity"

Video "documentary" about early hackers, somewhat simplistic.

Gene Spafford on our "putting out fires" mentality

Has VANOC gone too far with trademark? Can they trademark phrases in the public domain, or commonly used?

Interesting, though unsurprising, paper from the US DoD Security Institute studying motivation for espionage.

Want to know how to have more secure logins online? Don't ask the banks ...

Interesting video commentary from the UK on photography in public places.

Given at the Zurich Seminar, April 1984, by John Gordon. Absolutely priceless.

Cartoons based on subject lines in spam messages.

Colbert Report take on the Protect America Act. Political and biased, but amusing look at aspects of privacy and surveillance.

Cute video on mailing list/forum/group netiquette

A cute pictorial essay (PDF) with pictures of unsafe and insecure working situations. (Don't try these at home ...)

Some fun advertising videos from Iron Mountain starring John Cleese.

An extremely long, but somewhat amusing, ad for Kaspersky, in old silent movie style.

Amusing commentary on the Playmobil Security Check Point toy

A bit of fun on non-disclosure agreements.

Practicing safe hex, version 2. Since I use key signing parties when teaching about digital signatures and certification, I probably found this *way* too funny ...

Amusing list of excuses we've all heard before. (I wonder where the master list is?)

Cute and sometimes painfully accurate

PowerPoint slide deck stuffed with all kinds of (too true to be funny) security maxims that they *didn't* teach you about in the CISSP seminar.

Some decent reminders of safe practices

Too true to be funny ...

We were discussing DNA identification, and someone came up with this ad for a PCR machine ...

Australian video, "would anybody be stupid enough to let a trojan horse in today?"

Funny, but rather profane

My kinda cartoon. Besides, if you haven't looked through xkcd, you should.

A game to help people recognize phishing sites

Mostly research

A list of free security utilities by category. Could quibble about whether they are all best of breed, but a handy list for home and small office users.

Interesting project to provide low-cost computers for education in developing countries. Security implications, anyone?

Almost no tutorial value, but some crypto fun and a bit of history.

Colossus was the "brute force" part of the attack against Enigma during the second world war. Recently one of the devices was rebuilt.

Kerchoff was right: proprietary and secret systems need to be viewed with extreme suspicion.

Various stuff by a science popularizer

NSA 1972 document declassified in 2007. Interesting that some parts are still classified.

GnuPG developers

Home of the project

Basic instructions for use of GnuPG, but also discusses some basic crypto concepts and key management issues.

Download and install

Bruce Schneier (and seven others) 's submission to NIST for the next Secure Hash Algorithm.

Open-source disk encryption software

A process for getting started creating a computer security incident response team, from CERT.

Guidance on forming and operating a computer security incident response team (CSIRT)

List of resources and documents

An explanation of copyright and the concept of "fair use" using clips from a whole bunch of Disney animated movies. Sometimes hard to follow, but priceless. has been uploaded multiple times to YouTube.

Brief IEEE Spectrum article on copyright and fair use, touching on use on the WEb and in blogs.

How intellectual property laws are destroying creativity.

A slashdot posting about a McDonalds attempt to patent the process for making a sandwich.

How novel is this?

The fact that the US issues software patents has long been a contentious issue. This recent decision may reduce that protection.

The research behind all the stories about being able to retrieve data from memory (DRAM)even after the computer is powered off.

Tips for detecting falsehoods in interviewing and interrogation.

US NIJ simple guide for collecting digital evidence. (PDF)

Information about the Canadian Do-Not-Call list and legislation, as well as an "opt out" message generator to get you off the lists of "exempt" organizations.

Intended to enable communicating organisations to include privacy enhancing technologies (PETs) in large-scale web-based services for the general public and customers.

Map listing the different aspects of data breach notification laws in the US: click on a state and a popup box gives you specifics.

They don't even spell it right ...

Create threat model documents for applications using entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities

Advice for hardening

The Syskey utility can be used to remove or protect encryption keys from the machine

Instructions and recommendations for security of Windows Vista in a domain with Active Directory

Recommendations about how to harden computers that run Windows XP with SP2

Listings for local groups in a number of places. Some aren't representative of the local scene.

Relatively new group, starting some local chapters

According to Bob Tremonti, the Security Professionals Information Exchange (www.SPIE.ca) meets the last Thursday of the month (plus a rather secretive sub-group of security folks in the energy sector), and the Disaster Recovey Information Exchange (DRIE West) meets -- well, it meets when someone finaly gets a meeting organized ...

CERT MERIT project regarding insider attacks and threats.

Paper advising on termination procedures for sensitive positions

Attack trees provide a formal way of describing the security of systems, under varying attack possibilities. You represent attacks against a system in a tree structure, with the goal of the attack as the root node and different requirements for achieving that goal as leaf nodes. You can then work on denying the requirements to an attacker.

Operational risk is how the banks refer to what we know as risk management.

Like it says, fairly formal and abstract, but does explain the concepts by working with them.

Fairly hefty process, but some interesting ideas for risk assessment.

Limited articles and papers on risk management.

Various guides and papers

Guide from ANSI on how to assess the financial (quantitative) risk analysis of cyber threats.

Tools and advice on the use of failure mode and effects analysis.

Sample documents for the method

Security assessment framework from the Open Information System Security Group (OSSIG, www.oissg.org), mostly concentrating on pen testing, but some project planning material for general security or risk assessment. Document/project seems to have been abandoned mid-2006.

Paper

A collection of online courses, mostly free. Registration is required, and may be annoying. Courses require IE for use. Some are general, some MS product specific. Even those that are generic have MS specific mentions, sometimes in surprising places. The course content tends to the simplistic, but does, usually, stick to generally accepted policies and guidelines. The usage of the courses is idiosyncratic at times, but you can usually puzzle it out. The material is a mix of page-turner and slide plus voice-over. There are occasional references: these must be obtained separately. There are review questions: these are basically useless.

Mostly applicable to software development, but some general points.

Again, mostly software development.

Variation on Pascal's Wager: interesting take on risk analysis and management that could probably be used more widely.

Reduced version of the OCTAVE program. You can download the guidebook at this site.

A few "Special Publications: Computer and Information Technology."

Collection of papers, posters, and presentations by CISSPs. Also at http://www.isc2.org/csa

A game to help people recognize phishing sites

Some information and tips on bank related scams.

Tips for securing a home (or small office) computer.

Tips for securing a home (or small office) network or Internet connected computer.

I'm not sure how useful it is, but it sure is pretty. Maps kidnappings, shootings, bombings, terrorist acts, piracy (non-recording), and a bunch of other nasty stuff.

This portal says it is under the direction of ISSA UK, but Reed Exhibitions seems to play a major role ...

Slides/text with voiceover. There is also a test that might get you a certificate, but it wouldn't let me use any of my email addresses, so I know nothing about it.

Process for developing a security awareness program. Rather generic and abstract, but as with all NIST stuff many good points.

Some of this is only accessible to registered students, and most of it is fairly simple, but it's good, straightforward, and clear. Decent model to follow. (Some aspects do date quickly ...)

Fairly simplistic.

A list of various scams, and ways to recognize (and sometimes report) them. The descriptions are fairly simple, but the scope is useful.

A collection of documents and links for security awareness.

EU programme for home computer security, mostly benchmarking filtering software

A list to jumpstart some thinking ...

Some posters in the style of the well-known motivational posters. Some are fairly odd, but they are cute.

Pamphlet from Office Depot, but good for small businesses.

Portal site, fairly simplistic material

"Security Awareness for Small Business, Home Office and Home computing." A brief outline, plus some links. Contact the page owner to download additional handout materials.

The original Walnut Creek site, with fewer materials.

Prices for the standards vary tremendously. For those that have been accepted as ANSI standards, this is one of the cheapest places to get copies of the standards.

Mostly links to buy the standards

British Standards Institute

A cooperative effort from the ISO 27001 security mailing list

ISMS International User Group (IUG), also ISMS Journal. (ISMS, Information Security Management System, is a term used in BS 7799 and descendents and almost nowhere else: it is an indication of BS 7799/ISO 27K relation.)

An apparently free electronic magazine. (Existing issues all seem to date from 2004: the most recent edition brings up a link to a German consultancy that seems to be doing the publishing.) News (mostly old) of meetings and events, some general security articles, remarkably little on BS 7799/ISO27K materials. (Issue 5 does have a nice piece on 17799 and software development.) The subscription address currently appears to be defunct.

International Organization for Standardization, group responsible for many international standards, particularly in communications: a number relate to security such as ISO 9000 (on quality) and the ISO 17799 security guideline framework. You will note that the name of the organization does not fit the acronym. Legend has it that, since the body was international in nature, it would be unfair to have the name in a particular language, and therefore the acronym ISO was derived from the Greek word "isos" (which means equal) so that no language would have an expansion that fit. (Many English-speakers refer, incorrectly, to the "International Standards Organization.")

White papers, templates, and sample documents from the ISO27k implementers’ forum.

Part of Gary Hinson's collection of ISO 27K materials. Case studies, policies, statements, and other supporting documents.

Mailing list for discussion of, and resources for, ISO 27000 family and other security frameworks. (Not an official ISO list: run by Gary Hinson.)

Information and resources on ISO 27000 family and other security frameworks. (Not an ISO site: run by Gary Hinson.) A handy (though short) FAQ, list of books, and links to relevant sites.

A fairly simplistic set of questions, and you, basically, do all the work, but it an give you a bit of a feel. Seems to be based on the capability maturity model. (I'm reasonably sure that they will use the data to try and sell you some consulting, but ...)

An internet user group dedicated to the ISO information security standards. Content is very thin.

Public collaboration 'wiki' for both ISO 17799 and ISO 27001. At present, the contents are rather thin.

In starting phases

This copy hosted on the CCCURE site. I don't know who the U.S. Cyber Consequences Unit (US-CCU) is (aside from the two authors), but the material is generally decent. (Some of the items are a bit bizarre.) It can also be found at http://www.cyberunitss.com/files/cybersecuritychecklist2007.pdf

Watch this space. To report in January 2008.

No lack of self-esteem for these guys, but they do have some documents publicly available, particularly the Standard of Good Practice. This is incredibly verbose, but boils down to a checklist both of objectives and of specific activities or controls. You have to register to get the doc.

North American Electric Reliability Corporation (NERC) standards, some of which address computer systems and/or physical security surrounding computer systems.

The PCI (Payment Card Industry) Data Security Standards. You can get the standard itself, plus various supporting documents. As of October 2008 the current standard is 1.2.

Quite exhaustive listing of a wide variety of infosec frameworks, guidelines, and documents. Brief descriptions. Covers ISO, NIST, RFCs, and FIPS, among others.

ISACA produces the CObIT audit guidelines.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Big on internal controls. Breakdown grid similar to Zachman but with finer granularity and three dimensions.

No results yet, but a worthy effort.

International Telecommunications Union (ITU) project attempting to list and describe the various infosec documents, standards, and frameworks. A particular standard may be hard to find, but the range and scope is interesting.

An attempt to map all of the various security frameworks. Some useful information, not always presented in ways easy to understand. They will also try to sell you spreadsheets of the comparisons.

Repository of the old "rainbow" series of books, including the TCSEC "Orange Book," at the NIST CSRC site.

What type of organization (how mature) you are, based mostly on formality of processes.

Yet anohter outline?

A product of the banking and financial community, at one time, BITS stood for “Banking Industry Technology Secretariat” but apparently it doesn't anymore. In any case, the BITS Website has some documents that relate to security and risk analysis. Of particular interest is the BITS Kalculator, a risk measurement/comparison tool. (Note that the site does not work with all browsers.)

Global Threat Map, Threat Briefs, Top Threat Sources, Threat Index, Top Internet Attacks, and Vulnerability Risk Index using a distributed network of sensors

An illustrated guide to one of the recently noted problems with DNS.

A test for your DNS resolver against a recent weakness.

Solid explanation of fast-flux technology (used by botnets) from the HoneyNet Know Your Enemy project.

How to extract the personal information for a Gmail or Google ID. Not sure whether this bug has been fixed, but the process is interesting in itself.

Collection of open source tools and display components

Paper on the risks associated with social networking sites, specifically using LinkedIn as an example.

Free Network Project, demonstrating the use of encryption and onion routing in securing a network against analysis.

The RFC for Transport Layer Securi