General Computer Security Awareness
The Joy of Getting Hacked, by Andy Baio, December 12, 2015
10 Resources to Turbocharge Your Security Awareness, by Cas Purdy, October 20, 2015
[HOPE X] How to Prevent Security Afterthought Syndrome, August 10, 2014
Australian Defence Signals Directorate Top 35 mitigation strategies (The Top 4 remove 85% of targeted attacks)
NSA’s Sager on trends of 2011 security breaches, advanced persistent threat hype, Search Security, TechTarget, October 7, 2011
Security Engineering - The (online) Book, by Ross Anderson, John Wiley and Sons, 2001, ISBN 0-471-38922-6
Evans: ‘People are losing data’, by Matthew Weigelt, FCW.com, November 2, 2006
CERT/CC’s Virtual Training Environment
EDUCAUSE Security Task Force Computer Security Awareness Video Contest (These are great!)
EDUCAUSE | Security Task Force | Data Incident Notification Toolkit
Internet Threats: Spyware and Phishing Scams, The University of Missouri-Columbia Information & Access Technology Services
Advanced Persistent Threat (APT) Simulation
GitHub mitre/caldera (“An automated adversary emulation system”)
GitHub NextronSystems/APTSimulator (“A toolset to make a system look as if it was the victim of an APT attack”)
GitHub endgameinc/RTA (“Red Team Automation (RTA)”)
GitHub redhuntlabs/RedHunt-OS (“Virtual Machine for Adversary Emulation and Threat Hunting”)
GitHub uber-common/metta (“An information security preparedness tool to do adversarial simulation.”)
Purple Teaming
The Difference Between Red, Blue, and Purple Teams, By Daniel Miessler, April 4, 2020
The Rise of ‘Purple Teaming’, By Joseph Salazar, DARKReading, June 13, 2019
- Tooling and automation
Purple Team Exercise Tools, Jorge Orchilles, Medium, April 29, 2020
List of Adversary Emulation Tools, PenTestIT, August 6, 2020
Purple team cyber ranges: Hands-on training for red and blue teams, by Patrick Mallory, March 4, 2021
Purple testing and chaos engineering in security experimentation, by Aaron Rinehart and Andrew Weidenhamer, June 14, 2018
Internet of Things (IoT)
Case Study: Hacking Smart Lock Security, by NewSky Security, December 18, 2015
Rediscovery of NetUSB Vulnerability in Broadband Routers by NewSky Security, February 28, 2016
SSH
Tunneling Explained, ssh.com
Upgrade Your SSH Key to Ed25519, by Risan Bagja Pradana, Medium, January 9, 2018
Ed25519 SSH Keys Are Great, But Barriers Remain, by Greg Burek, July 23, 2019
Post-mortem and remediations for Apr 11 (2019) security incident, by Matthew Hodgson, May 8, 2019 (involved exploitation of SSH trust relationships; includes remediation advice for others)
SSH Tunneling part 1 - Local Forwarding, Hacking Linux Exposed
GitHub square/sharkey (“Sharkey is a service for managing certificates for use by OpenSSH”)
- SSH Key Management and Rotation
NIST publishes guidelines for SSH key management: What happens next?, by Tatu Ylönen, November 16, 2015
NIST IR 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH), by Tatu Ylonen, Paul Turner, Karen Scarfone, Murugiah Souppaya, October 2015
Managing SSH Keys for Automated Access - Current Recommended Practice, by Tatu Ylönen, Greg Kent, and Murugiah Souppaya, April 2013
Managing Access Using SSH Keys, by Tatu Ylönen, LISA 2013
The Why Behind SSH Key Management, by Topher Marie, May 4, 2014
Managing SSH Host Keys in a Reliable Way, by Greg Sutcliffe, March 11, 2013
Ubuntu / Debian Linux Regenerate OpenSSH Host Keys, by Vivek Gite, June 15, 2008
Key rotation in OpenSSH 6.8+, by Damien Miller, February 1, 2015
SSH Key Rotation with Ansible, by Jesse Keating, June 7, 2014
SHA256 ssh fingerprint given by the client but only md5 fingerprint known for server, Stackexchange post by JonnyJD, June 18, 2015
dsniff and SSH: Reports of My Demise are Greatly Exaggerated, by Richard E. Silverman
Getting OpenSSH to work with ssh.com and itself, University of Texas
SSH Public-Private Keys, by Ian Wells, December 27, 2003
KDE KMail: Secure Email Through SSH Tunneling, by Mike Pilone
Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
NIST Standard SP 800-57 Part 1 Rev. 4 (Recommendation for Key Management, Part 1: General)
stunnel.org (tunnel anything over SSL pipe)
- Let’s Encrypt
Let’s Encrypt Auto-Renewal for Nginx Reverse Proxies, by Thomas Busby, May 27, 2016
StartSSL The Swiss Officer’s Knife of Digital Certificates & PKI
Self-signed SSL certificates and how to trust them, by Tarun Lalwani, June 17, 2017
Setup Your Own Certificate Authority (CA) on Linux and Use it in a Windows Environment, by Karim Elatov, April 21, 2013
Create your own Certificate Authority with TinyCA, by Jack Wallen, November 30, 2012
Setting up your own certificate authority with gnoMint, by Ben Martin, September 30, 2008
GitHub brianclements/pkictl (“Openssl wrapper script for simplifying Public Key Infrastructure tasks.”)
Installing and Managing SSL Web Certificates in OpenVPN Access Server, September 30, 2015
Running your own Ansible Driven CA, by Haggai Zagury, October 2016
How to build your own public key infrastructure, by Nick Sullivan, June 24, 2015
Simply generating self-signed SSL Certs with Ansible, by serialized.net, April 17, 2013
Getting Started with NGINX - Part 3: Enable TLS for HTTPS Connections, by Linode, June 1, 2018
Getting Started with NGINX - Part 4: TLS Deployment Best Practices, by Linode, May 28, 2019
News items of interest
- The TJX intrusion - Largest data theft in U.S. history
TJX agrees to reimburse banks, by Ross Kerber, The Boston Globe, December 1, 2007
TJX e-mails tell the tale, by Donna Goodison, The Boston Herald, November 28, 2007
Authorities hope arrest of Ukraine man leads to TJX orchestrator, by Dan Kaplan, August 21, 2007
Report: TJX breach began in Minnesota Marshalls parking lot, by Dan Kaplan, SC Magazine, May 4, 2007
Breach of data at TJX is called the biggest ever: Stolen numbers put at 45.7 million, by Jenn Abelson, The Boston Globe, March 29, 2007
Store IDs led to arrests: Data taken from TJX was used to buy gift cards, by Ross Kerber, The Boston Globe, March 29, 2007
Russian Roulette, by Art Janke, CSOonline.com, February 2005
A Quiet Time Bomb: The Vulnerability of U.S. Supercomputers, by Lewis Koch, Raw Story, May 11, 2004 (Many NSF sponsored supercomputer sites, major research universities, and national labs compromised by intruders over several month period.)
Alarm growing over bot software, by Robert Lemos, CNET News.com, April 30, 2004 (“Bot nets”, or “blended threats” as AusCERT refers to them, are affecting millions of PCs worldwide. Tens of thousands at a time are used for distributed denial of service attacks and extortion attempts, as well as unblockable spam delivery, theft of credit card numbers, passwords, and software product keys.)
Worm worries grow with release of Windows hacks, by Robert Lemos, CNET News.com, April 28, 2004 (Microsoft reports 9.5 million PCs infected by MS Blaster)
Taxonomies and Ontologies for Information Security
Towards a Taxonomy of Information Assurance, by Abe Usher
Existing taxonomies assembled by the European Union Agency for Network and Information Security (ENISA)
Incident Classification by Don Stikvoort (describes the taxonomy developed by eCISIRT.net)
Toward an Ontology of Integrated Intelligence & Conflict: A Primer, by Michael Wilson, Decision Support Systems, Inc., April 2001
gt06 the semantic age or a young ontologists primer, talk by Conrad Constantine, YouTube video
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection, by Robin Sommer and Vern Paxson, Oakland 2010
Security Tools
- OSSEC
About active responses in OSSEC, by Stjepan Groš, August 12, 2012
- National Security Agency Technology Transfer Program Open Source Software Releases
GitHub nationalsecurityagency (“Official organization account for the National Security Agency (NSA)”)
GitHub nsacyber (“NSA Cybersecurity: Official GitHub organization account for NSA’s defensive Cybersecurity mission. Formerly known as NSA Information Assurance & Information Assurance Directorate.”)
- goSecure
GitHub nsacyber/goSecure (“An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi. #nsacyber https://nsacyber.github.io/goSecure/”)
My own fork: Github davedittrich/goSecure (https://davedittrich.github.io/goSecure)
Turning a Raspberry Pi 3 Into a Cloaking Device With goSecure VPN, by Jordan Drysdale, September 21, 2016
- Collective Intelligence Framework (a lightweight framework for warehousing various security intelligence bits)
GitHub google/grr (“GRR Rapid Response: remote live forensics for incident response”) @grrresponse
Iterative Defense Architecture, SummitRoute blog, June 13, 2015
Boot my (secure)->(gov) cloud, by Nicki Watt, August 10, 2015
Fail2ban (blocks IPs found to be brute-forcing passwords)
Security Event Management (SEM)/Security Incident Management (SIM) systems
- Bootable CD-ROM and Virtual Machine toolkits
Lightweight Portable Security, DoD bootable ISO
IODEF/IMDEF Solutions, eCSIRT.net
Backtrack 2 w/Metasploit 3 Framework in a VMware Virtual Appliance
Firewall Knock Operator (single-packet encrypted port knocker)
SnortSam (Snort plug-in that allows for automated blocking of IP addresses)
whisker (web server vulnerability scanner)
Nessus (vulnerability auditing tool)
Ramenfind (Identification and cleanup tool for the Linux “Ramen” worm.)
ftp://ftp.psy.uq.oz.au/pub/Crypto (DES and SSL)
Sam Spade Tools (online tools)
- nmap
Overview of using nmap for scanning by Lamont Granquist
Decoy scanning by Max Vision
hunt (TCP session hijacking tool)
RFC 1470: Tools for Monitoring and Debugging TCP/IP Internets and Interconnected Devices
- Web application security testing tools
Industrial Control Systems (ICS) security
Introduction to National Critical Infrastructure Cyber Security: Background and Perspectives, Jack Whitsitt, April 19, 2013
A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity, by Robert M. Lee, August 28, 2016
Mobile/Smartphone Security
Popular anonymous SNS app leaking user id, geo location, etc, by NewSky blog, February 17, 2016
Mobile devices bundled with malware?, by NewSky Security, September 11, 2015
Smart devices as Bitcoin mining slaves, by NewSky Security, August 12, 2015
Critical Stagefright flaw, millions affected, by NewSky Security, August 4, 2015
New Free Tools Simplify Analysis Of Android Malware, by Kelly Jackson Higgins, Dark Reading, August 31, 2011
Android Malware Spreads Through QR Code, by Arun Sabapathy, McAfee, October 24, 2011
Threat Update: Malicious QR Codes Pose Risk to iPhone, Android Devices, by Ericka Chickowski, Channel Insider, January 26, 2012
QR codes as attack vector
QR Code and Near Field Communication Security Issues, Online QR Lab Blog
How QR Codes hide privacy, security risks, by Meg Shannon, Security News Daily, MSNBC, 2012
QR code security risks in the car park, by Terence Eden, Sophos Security Blog, September 14, 2011
Threat Update: Malicious QR Codes Pose Risk to iPhone, Android Devices, by Ericka Chickowski, Channel Insider, January 26, 2012
Android Malware Spreads Through QR Code, by Arun Sabapathy, McAfee, October 24, 2011
Interesting reading about hacker culture, sociology, attacks, etc.
Stalking the Wily Hacker, by Cliff Stoll, Communications of the ACM, Vol. 31, No 5, May 1988
The Hacker Crackdown, by Bruce Sterling
Hackers: Crime in the Digital Sublime, by Dr. Paul Taylor, Routledge, 1999, July 2000
@ Large: The Strange Case of the World’s Biggest Internet Invasion, by Charles C. Mann & David H. Freedman, (Simon & Schuster Trade, 0-684-82464-7) [U.S. News 06/02/97: Adaptations from “At Large,” a cracker’s escapades]
Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, by Suelette Dreyfus (Mandarin [Reed Books Australia], ISBN 1-86330-595-5)
Masters of Deception: The Gang that Ruled Cyberspace, by Michelle Slatalla and Joshua Quittner, (HarperPerennial, ISBN 0-06-017030-1)
The Fugitive Game, by Jonathan Littman (Little, Brown & Company, ISBN 0-316-52858-7)
An Analysis Of Security Incidents On The Internet: 1989 - 1995, by John D. Howard, April 7, 1997
Vipers In the Sandbox – Used to Be, the Internet Was a Safe Place to Play
Remembering the Net crash of ‘88 - Cornell student KO’d fledgling Internet with replicating ‘worm’ (MSNBC)
Phrack magazine has some articles of interest. An index of philes from issues 1-50 can be found in Phrack 51-14. (See also: their Links We Dig: Hacker Related Links)
Richard Thieme’s Hacking Culture and the Passion for Knowledge
Jenott cleared of spying – Guilty of lesser charges, GI gets 3 years
Israeli nabbed in Pentagon hack (CNET News.com)
Hackers attack NASA, Navy… and the UW! (CNET News.com)
DOJ charges youth in hack attacks (CNET News.com)
Hackers “claim” Pentagon attack (CNET News.com)
Computer security problems growing (CNET News.com)
A huge slew of news stories are found on my DDoS web page, and don’t forget to check out our book on DDoS
iPhone security
Exploiting the iPhone, Independent Security Evaluators web site
International Standards
Security Vulnerabilities
Vulnerability Disclosure Framework, Final Report and Recommendations to the National Infrastructure Advisory Council, January 13, 2004
Common Vulnerabilities and Exposures Impact Statement (.pdf)
INFILSEC’s vulnerabilities database
RFPolicy 2.0 by Rain Forest Puppy
Nessus (vulnerability auditing tool)
Philes/Archives/News
An Introduction to the Computer Underground, by The Butler, February 26, 1991
The Computer Security History Project Home Page [GREAT collection of unpublished seminal papers in computer security]
Zone-h (Archives web page defacements, etc.)
k-otik (French security site w/exploits, advisories, etc.)
Markus Hübner’s Security and Hackerscene page
Hacking Kit v2.0.b March/97 by Invisible Evil
Inadequate/improper destruction of data
Dangers of second-hand PC market: Thousands of PCs end up in second hand markets around the world. Bank account details of potentially thousands of Britons are being sold in West Africa for less than £20 each, BBC One, August 14, 2006
Dead disks yield live information: Identity thieves are gleaning personal information from scrapped computers, by Peter Warren, The Guardian, August 10, 2006
Disk drive researchers turn up IDs, child porn: Old hard drives handed to police, by Mark Ballard, The Register, August 15, 2006 + Hard disks still scrapped with data intact, by John E. Dunn, Techworld, August 10, 2006
Wipe your iPod before selling it, RIAA warns, by Tony Smith, The Register, February 13, 2006
I just bought your hard drive, by Bob Sullivan, MSNBC, June 5, 2006
Remembrance of Data Passed: A Study of Disk Sanitization Practices, by Simson L. Garfinkel and Abhi Shelat, Massachusetts Institute of Technology, IEEE Security & Privacy, 2003
Interesting Security Research
- Public security-related datasets
Malware Capture Facility datasets, Stratosphere IPS/Czech Technical University
GitHub cyber-research/APTMalware (“APT Malware Dataset Containing over 3,500 State-Sponsored Malware Samples”)
Publicly available PCAP files from Netresec
Public Security Log Sharing Site by Dr. Anton Chuvakin
Internet-Wide Scan Data Repository at scans.io
rwthCTF 2013 information and files
Phishing corpus by Jose Nazario
Matthias Vallentin’s blog and web page
D-WARD Project (DDoS Network Attack Recognition and Defense), UCLA
Computer Immune Systems research at the University of New Mexico
Detecting Stepping Stones, by Yin Zhang and Vern Paxson
- DHCP analysis
Next Generation DHCP Deployments, by Dave Hull and George F. Willard III, www.SysAdmin.com (Kansas University Scholarlink reference w/source code)
dhcprint utility, by Frank Sweetser, wpi.edu
(See also: PacketFence)
Secure Hardware
‘Trusted Computing’ Frequently Asked Questions - TC / TCG / LaGrande / NGSCB / Longhorn / Palladium / TCPA, by Ross Anderson, Version 1.1 (August 2003)
Analysis
TCP/IP vulnerabilities, exploits, coding, etc.
Uri’s TCP/IP Resources List: FAQs, tutorials, guides, web pages & sites, and books about TCP/IP, By Uri Raz
New Stuff (a Romanian hacker’s exploit collection)
Solaris Kernel Tuning for Security, by Ido Dubrawsky
Linux Security
Linux BRIDGE-STP-HOWTO: About The Linux Modular Bridge And STP, by Uwe Bohme
Bastille Linux Project (hardening scripts for five Linux distributions, HP-UX and Mac OS X)
The Linux Security Audit Project is trying to harden Linux
Securing Linux, Part 1: Elementary security for your Linux box, LinuxWorld article
Linux Partition HOWTO at LinuxPlanet.com
Governmental activity on cybercrime, Information Assurance, etc.
Cyber Patriot High School Cyber Defense Competition
Standing Guard Over Cyberspace: A new U.S. program trains students in computer security, in exchange for government service, by David Kushner, IEEE Spectrum (republished by the Center for Information Security)
Information Assurance Support Environment (IASE) Policy and Guidance
US Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Computer Intrusion Cases
ASSURING SECURITY AND TRUST IN CYBERSPACE, White House Chief of Staff John Podesta, July 17, 2000
Draft Convention on Cyber-Crime, Council of Europe (See also Cybercrime Solution Has Bugs, by Declan McCullagh, Wired News, May. 3, 2000)
FBI Carnivore Sucks E-Mail Millions (from cryptome.org)
ACLU and Corn-Revere Target FBI Carnivore (from cryptome.org)
Activities of the Governmental Affairs Committee on Government Information Security, 1995-1999
Kevin Mitnik testimony to U.S. Senate, March 2, 2000
President Clinton’s proposed National Plan for Information Systems Protection, January 2000
REPORT SUMMARY of The President’s Commission on Critical Infrastructure Protection
General Accounting Office reports
General Accounting Office (GAO) reports/testimony [Note: Printed reports can be ordered for free online.]
GAO-07-65 – INFORMATION SECURITY: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing, October, 2006
GAO-06-811 – INFORMATION SECURITY: Coordination of Federal Cyber Security Research and Development, September, 2006
GAO-05-231 – INFORMATION SECURITY: Emerging Cybersecurity Issues Threaten Federal Information Systems, May 13, 2005
GAO-05-482 – INFORMATION SECURITY: Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data, April 15, 2005
GAO-05-567T – Information Security: Department of Homeland Security Faces Challenges in Fulfilling Statutory Requirements, by Gregory C. Wilshusen, director, information security, before the Subcommittee on Management, Integration, and Oversight, House Committee on Homeland Security, April 14, 2005
GAO-04-699T – CRITICAL INFRASTRUCTURE PROTECTION: Establishing Effective Information Sharing with Infrastructure Sectors, testimony by Robert F. Dacey, Director, Information Security, before a joint hearing of the Subcommittee on Infrastructure and Border Security and the Subcommittee on Cybersecurity, Science, and Research and Development, House Select Committee on Homeland Security, April 21, 2004
GAO-04-628T – CRITICAL INFRASTRUCTURE PROTECTION: Challenges and Efforts to Secure Control Systems, testimony by Robert F. Dacey, director, Information Security, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform, March 30, 2004
GAO-04-354 – CRITICAL INFRASTRUCTURE PROTECTION: Challenges and Efforts to Secure Systems, March 15, 2004
GAO-01-208t – HOMELAND SECURITY: A Risk Management Approach Can Guide Preparedness Efforts
GAO-04-140T – CRITICAL INFRASTRUCTURE PROTECTION: Challenges in Securing Control Systems, October 1, 2003
GAO-01-323 – CRITICAL INFRASTRUCTURE PROTECTION: Significant Challenges in Developing National Capabilities, April 25, 2001
GAO/T-AIMD-00-229 – CRITICAL INFRASTRUCTURE PROTECTION: Comments on the Proposed Cyber Security Information Act of 2000, June 22, 2000
GAO/T-AIMD-181 – CRITICAL INFRASTRUCTURE PROTECTION: “ILOVEYOU” Computer Virus Highlights Need for Improved Alert and Coordination Capabilities, May 18, 2000
GAO/T-AIMD-171 – INFORMATION SECURITY: “ILOVEYOU” Computer Virus Emphasizes Critical Need for Agency and Governmentwide Improvements, May 10, 2000
GAO/T-AIMD-00-7 – CRITICAL INFRASTRUCTURE PROTECTION: Fundamental Improvements Needed to Assure Security of Federal Operations, October 6, 1999
GAO/T-AIMD-99-223 – INFORMATION SECURITY: Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management, June 24, 1999
GAO/AIMD-99-47 – INFORMATION SECURITY: Many NASA Mission-Critical Systems Face Serious Risk, May 1999
GAO/AIMD-98-145 – COMPUTER SECURITY: Pervasive, Serious Weaknesses Jeopardize State Department Operations, May 1998
GAO/AIMD-98-155 – AIR TRAFFIC CONTROL: Weak Computer Security Practices Jeopardize Flight Safety, May 1998
GAO/T-AIMD-98-170 – INFORMATION SECURITY: Serious Weaknesses Put State Department and FAA Operations at Risk, May 1998
GAO/AIMD-98-68 – EXECUTIVE GUIDE: Information Security Management – Learning From Leading Organizations, May 1998
GAO/HR-97-1 – HIGH RISK SERIES: An Overview, February 1997
GAO/HR-97-9 – HIGH RISK SERIES: Information Management and Technology, February 1997
Department of Defense publications
NIST Computer Security Standards, Checklists, and Special Publications
NIST Computer Security Resource Center home page
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing (Draft)
Special Publication 800-92: Guide to Computer Security Log Management, September, 2006
Special Publication 800-88: Guidelines for Media Sanitization, September, 2006
Draft NIST Special Publication 800-86: Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response, August 11, 2005
Special Publication 800-61: Computer Security Incident Handling Guide, January 2004
Recommended Security Controls for Federal Information Systems, Revision 2, December, 2007
DRAFT Special Publication 800-45 – Guidelines on Electronic Mail Security
Computer Security Resource Center Practices & Checklists / Security Guides
DRAFT Special Publication 800-40 – Procedures for Handling Security Patches
Special Publication 800-30: Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology (NIST)
The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell, National Security Agency
NIST 800-18 – Guide for Developing Security Plans for Information Technology Systems, December 1998
NIST 800-10 – Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls.
NIST 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems, June 1996
NIST 800-12 – An Introduction to Computer Security: The NIST Handbook, October 1995
NIST DRAFT Special Publication Internet Security Policy: A Technical Guide
Risk Management
Security Guidelines for the Electricity Sector: Cyber Risk Management, North American Electric Reliability Council, June 14, 2002
Special Publication 800-30: Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology (NIST)
GAO-01-208t HOMELAND SECURITY: A Risk Management Approach Can Guide Preparedness Efforts
Risk Taking: Time for a Comeback, by Rob Preston, September 18, 2003
Chapter 3: Understanding the Security Risk Management Discipline, Microsoft TechNet
Security Policy/Incident Response
A New Approach to Cyber Incident Response, by Anne Connell, February 23, 2014
Creating a proactive enterprise security incident response program, by Marcos Christodonte II, SearchSecurity, Mar 29, 2010
CSIRT Case Classification (Example for Enterprise CSIRT), by Dustin Schieber and Gavin Reid (Cisco Systems) and Ivo Peixinho (CAIS/RNP)
RTIR: RT for Incident Response (RT == Request Tracker)
RFPolicy 2.0 by Rain Forest Puppy
(See NIST 800-30)
(See NIST 800-18)
(See NIST 800-14)
(See NIST 800-12)
(See NIST 800-xx)
A Framework for Incident Response, Information Security Team, DePaul University, December 13, 2002
Harvard University’s Information Security Handbook
Handbook for Computer Security Incident Response Teams (CSIRTs), Moira J. West-Brown, Don Stikvoort, and Klaus-Peter Kossakowski
Forming an Incident Response Team, Danny Smith
Secure Email
- GNU Privacy Guard (GPG)
Email Self-Defense, Free Software Foundation
Creating GPG Keys, Fedora Wiki
Implementing Privacy Using GnuPG on Linux, by sinister (at) computertorture.com (See notes on passphrase selection)
How to change the expiration date of a GPG key, by George Notaras
- Integrating Pine with PGP/GPG
UNIX: Using PGP with Pine, University of Maryland OIT
pgpenvelope (Pine & PGP/GPG integration tool)
The latest version of gpg4pine looks like it’s someplace in the linuxdoc.org CVS tree
MIT’s PGP Freeware site
Attack on Private Signature Keys, by Vlastimil Klíma and Tomáš Ro
Secure Programming
How to Write Secure Code, by the Shmoo Group
Writing Secure SUID Programs by Matt Bishop
Secure Programming for Linux and Unix HOWTO, by David A. Wheeler
Designing secure software – SunWorld, April 1998
Security Code Review Guidelines by Adam Shostack
Writing More Secure CGI Scripts, by Les Cottrell
Readings for Critical Infrastructure “Cyberterrorism” course
The Rise of Complex Terrorism, by Thomas Homer-Dixon, Petroleum World, April 4, 2004
Whitepaper on the IT-ISAC
Critical Infrastructures: What Makes an Infrastructure Critical? (.pdf)
National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (.pdf)
President’s Commission on Critical Infrastructure Protection documents list
Secure passwords, Password crackers and dictionaries
xkpasswd (a secure memorable password generator)
Adding Easy SSL Client Authentication To Any Webapp, by scriptjunkie, November 30, 2013
Storing Passwords Securely, June 6, 2012
Packetstorm Security’s password crackers and wordlists
Securing Password Against Dictionary Attack, by Benny Pinkas and Tomas Sander
SPAM
I didn’t like it on my breakfast plate as a kid, I don’t like it in my inbox now!
David Harley’s anti-spam resource list
- Tools for fighting spam
Spam Assassin Rules Emporium (RBL checker)
The Internet Mail Relay Services Survey Project can test to see if your server can be abused and has instructions on how to prevent third party relaying of spam
Washington State Office of the Attorney General Consumer Protection Division Junk Email page (complaints, WA State anti-spam laws, etc.)
FTC Names Its Dirty Dozen: 12 Scams Most Likely to Arrive Via Bulk Email
Social Engineering
Microsoft Impersonation Scam, Snopes
How to recognize a PC support scam, by David Harley, ESET, April 18, 2012
Technical Support Phone Scams, Orla Cox, Symantec, June 24, 2010
Avoid tech support phone scams, Microsoft Safety & Security Center
Microsoft tech calling to try to sell me malware, ccleaner, superaniti spyware after installing new windows 7 os, Microsoft Answers web site, December 14, 2010
Phone call from “Microsoft” about virus is a scam, Computer Repair Tips [Note the HUGE number of responses, indicating this is a very widespread problem.]
Watch out for “Microsoft Tech Support” scams, by Woody Leonhard, WindowsSecrets
Virus phone scam being run from call centres in India, Petersfield Area Neighborhood Watch Association (PANWA)
Call from Microsoft a scam, police say, Salina Journal, February 16, 2012
Cyber Media Group Gurgaon India - False Advertising for $190.00 on 06/14/2011
800notes (801-839-2099)
800notes (347-289-3770)
CallerComplaints (801-839-2099)
CallerComplaints (206-456-0661)
ReverseAustralia (02-8006-2875)
US-CERT: Social engineers target utilities with fake Microsoft support calls, by Ms. Smith, Networkworld, April 19, 2012
Social engineering: examples and countermeasures from the real-world, by Anonymous
Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger
The Use of Social Engineering as a Means of Violating Computer Systems, by Malcolm Allen, October 12, 2001
Hoax email goads users into deleting harmless files by Matt Loney, May 30, 2001
“Social Engineering” just a new twist on an old con game
Social Engineering: Policies and Education a Must, by Rick Tims, February 16, 2001
Social Engineering: What is it, why is so little said about it and what can be done?, by John Palumbo, July 26, 2000
People Hacking: The Psychology of Social Engineering, text of Harl’s talk at Access All Areas III, May 7, 1997
VMYTHS: Truth about computer security hysteria