When we asked Roberta to provide a list of the best Web sites for security information, she cleaned out her Favorites folder and rediscovered a few old friends.

My Security Favorites

“Please note: We are not responsible for what you do with these links, nor the files and information you find on them, nor do we accept any responsibility if your computer does this…”
—From a disclaimer at www.nttoolbox.com

With that, consider yourself forewarned that in addition to solidly conservative, old-school security sites, I’m about to lead you to some sites you should be wary of.

People often ask me where they can get more information on Windows security, or security in general. One of the best sources I’ve found is free: the World Wide Web. You’ll find free tools, commentary, excellent reviews and advice, notifications of conferences, and enough hacker tools to scare you. And if you don’t have time to surf for security, you can sign up for one of my many favorite mailing lists. (See “Please, Mr. Postman.”)

Why do folks share all this stuff with us? For some sites, it’s business (the best way to sell a security product is to provide lots of free information on security). For other sites, it’s a need to serve the public good. For still others, it’s ego (“Let me tell you how much I know about security…”). For a growing number, it’s a way to rage against the machine.

Here’s the bad part: There are just too many good sites to tell you about in one short column. Sites also come and go, and quality varies. In writing this column, I revisited many sites I had placed in my Favorites list, but hadn’t checked in a while. Sadly, many of them were gone. I’ll try to steer you to a few musts, and a few just for fun.

I’ve included my favorite picks as of today. Note that some of these are considered hacker sites. I make no claims about the safety of visiting any sites on this list—or downloading and using any software, code, or tips. Nor do I condone what some of these sites stand for, although they’re on my list and I visit them frequently. Just as a doctor studies disease in an effort to fight it, I need to know the problems in order to protect against them.

I’ve made no attempt to place sites into categories. Some sites that you might classify as hacker havens I would consider to be managed by rational, ethical people—gray-hat hackers, if you will. You’ll have to determine whether you should visit any site on my list or use its information.

www.microsoft.com/security

A must for any Windows administrator, information security expert, or geek worth his or her salt. Here’s where you can find Microsoft security bulletins, subscribe to a notification list, read about security features in Windows 2000, learn how to protect your Web site, and more. At a bare minimum, sign up for the security notifications.

www.sans.org

The SANS Institute (“System Administration, Networking, and Security”), an educational and research organization, has many useful things:

  • Request your own copy of the “NSA Glossary of Terms Used in Security and Intrusion Detection.” You can get this comprehensive glossary of security terms from [email protected], or visit the Web site at www.sans.org/newlook/resources/glossary.htm when you need it. You’ll need Microsoft Access to use your own copy. The glossary is updated regularly.
  • Get a free security poster.
  • Learn about conferences and classes.
  • Sign up for newsletters.
  • Purchase booklets on security like “Securing NT—A Step by Step Guide” and “Computer Security Incident Handling Guide.”
  • Read the “7 Top Management Errors that Lead to Computer Security Vulnerabilities” (The No. 1 error is—you guessed it—“Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.”)

www.hackernews.com

Well, who woulda figured? At the Hacker News Network you can visit the “defaced pages” archive, or find a list of other hacker sites (you can become an affiliate too by putting a cool logo link to hackernews on your site). You can also buy a T-shirt (that would get them talking at the office), and read a variety of short notes on hacks and things of interest to hackers and security geeks in the news.

This site is run by two employees of L0pht Heavy Industries, the folks who brought you L0phtCrack, that ever-so-friendly “find weak password tool” for NT administrators. Space Rogue ran the first Macintosh hacking site, Whacked Mac Archives. There’s no staff, but lots of folks contribute. Where else could you find out that Russian politician Vladimir Zhirinovski has threatened to steal money from Western bank accounts electronically and unleash a computer virus if he’s elected? In addition to news, you can find articles on everything imaginable, including the editorial, “What it feels like to be raided by the FBI and it ain’t worth it.” In short:

“…Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you…”
—Brian Martin, HNN

www.phrack.com

Phrack is a famous hacker magazine. You can buy it at Borders, or current and archive issues can be found at the Web site. Some of its first issues documented how to make long-distance calls for free. A recent issue (volume 9, issue 55, 9/9/99, “A REAL NT Rootkit”) calls Back Orifice an amateur version of PC-Anywhere or SMS and defines rootkit as a program that patches or Trojans the OS. A rootkit puts back doors in the OS and breaks its security system. So it might turn off auditing for a particular user, create a universal password (that anyone can log on with), or allow anyone to run privileged code by using a special filename.

Please, Mr. Postman

Too busy to visit security sites on a regular basis? Like to get lots of email? Don’t have a life? Sign up for security lists.

There are two types of lists to join: discussions and announcements. Both send you information automatically as it becomes available. Announcement lists, like Microsoft’s security bulletins, keep you informed; you can’t reply to them or post questions. In discussion lists you can take part. Ask questions, answer them, or just add your two cents.

There are a couple of things to remember. Although many lists are moderated, that may mean their posted content is read for suitability, not necessarily accuracy, before it’s relayed. Don’t believe everything someone says on a list. I’ve run into a lot of claims, half-truths, and “I heard…” types of messages. I don’t know everything, so I try to verify any claims that would cause me to act differently or advise someone else to. Use proper list etiquette. Don’t use security lists to ask questions about networking or NT in general. It’s annoying to others to have their in-box cluttered with questions and discussions on mundane matters. And remember, you have no way of knowing who that person is who’s posting. Don’t open attachments from list posters, and don’t use code or instructions in messages until you check them out elsewhere—it could be someone’s idea of a cruel joke or their idea for saving society.

I’ve narrowed down my list to a few I’ve found very useful. For a one-stop shop that will show you many other lists and tell you how to subscribe, go to http://xforce.iss.net/maillists.

Microsoft—If you’re going to subscribe to one list, here it is. You won’t get inane chatter or sweet notes from Microsoft about how great they are. Instead, you get each security bulletin when it’s announced. Security bulletins are published when Microsoft perceives a problem. (They respond quite well to criticisms; I just don’t want you to think that if Microsoft doesn’t call it a problem, it isn’t a problem.) Each security bulletin states the problem, suggests a resolution, and contains links to patches and more information. Join the list by going to the www.microsoft.com/security page and following the links.

Counterpane Internet Security CryptoGram—Subscribe to the CryptoGram newsletter from this link: www.counterpane.com/crypto-gram.html

Bugtraq—Technical information on all operating systems. Send an email message to [email protected] with a message body of:

subscribe bugtraq Lastname, Firstname

Ntbugtraq—One just for us; the quality varies. Go to www.ntbugtraq.com and follow the links.

SANS—Several digests or newsletters are offered here. Many tips and links to useful tools. Go to www.sans.org and follow the links.

Phrack—To join, send email to [email protected] and in the text of your message (not the subject line) write:

SUBSCRIBE Phrack

CERT Advisory—To join, send email to [email protected] and in the text of your message (not the subject line), write:

I want to be on your mailing list.

—Roberta Bragg

www.crypto.com

Visit Matt Blaze’s Web site to learn more about cryptography. In real life he works for AT&T doing cryptography research.

www.cdt.org

Visit The Center for Democracy & Technology to learn the latest on legislation and what the center thinks should be legislation on free speech, data privacy, wiretapping, and cryptography. Of course, you’re going to get opinions as well.

There’s also a link to help you remove your name from profiling, marketing, and research databases. It sends you to opt-out.cdt.org, which has an opt-out forms section. This section can generate letters to companies that don’t offer online opt-out forms. You can also visit the online opt-out pages of many organizations. The pages are in a frame so you can move from one to the next. Watch out, though; you may have to negotiate the site you’re sent to in order to find the opt-out form. On one site I was presented with a form that would have added me to the database.

www.security-focus.com

Security-Focus offers tools. You can search its lists by platform. The Web folks maintain a conference calendar and offer a place to submit questions. It offers a great link list.

www.ietf.org

Learn about the Internet Engineering Task Force’s standards for the Internet. Read the RFCs (Requests for Comments), get on a mailing list, and learn the facts from the source. Does the Windows 2000 implementation of Kerberos conform to the standard? Read the standard, check out Windows 2000, and make up your own mind. Not sure which RFC you want? Go to www.rfc-editor.org/rfc.html to search by topic name.

www.somarsoft.com

SomarSoft is famous for its free tools, which can help you document ACLs or other security information on your system. They’re now distributed by SystemTools.com, which also has tools and books that will cost you money.

www.grc.com

Steve Gibson’s been around for a long time. One of Gibson Research Corp.’s products is SpinRite, a disk defragmenter. On his site you’ll find lots of information on PC security. He’s got reviews of personal Web servers, diatribes on removing Network Neighborhood from Windows 9.x (he’s talking to home users here, I hope), and a really unique penetration service for the individual. With your permission (you click a button) he scans your machine and tries to connect to common ports (21, 23, 25, 79, 80, and 110), then reports on the results. I use it to do a first-level check on personal intrusion detection (ID) systems. The ID system should sound an alarm when Steve’s site scans it. On the site, Steve spends a lot of time explaining in very simple terms why you might want to check this out and why folks might want to protect their computers. This is a good site to send Uncle Harry to if he can take the excitement; but I sure hope my end users don’t take Steve seriously about removing Network Neighborhood, or I’m going to have a lot of helpdesk calls in the morning.

www.nttoolbox.com

You can download lots of interesting tools at the NT Toolbox site, including that famous remote administration tool NetBus. But remember, this is where I borrowed that disclaimer I tacked onto the beginning of my column.

www.cert.org

The Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT) Coordination Center is part of a federally funded research and development center. It was started by the Defense Advanced Research Projects Agency (DARPA), part of the U.S. Department of Defense, in December 1988 after the Morris Worm incident. This worm infected a tenth of all computers connected to the Internet and ushered in a new era of security vulnerabilities. CERT is involved in coordinating response teams when large-scale incidents occur, and in providing training and research on security vulnerabilities and their prevention, especially the survivability of large-scale networks.

To report an intrusion incident, you can communicate securely with CERT (mailto:[email protected]) using PGP (Pretty Good Privacy, publicly available email encryption software) with DES, or via secure fax. You can obtain advisories and other information related to computer security. You can also find reports on incidents and vulnerabilities. In the first three quarters of 1999, CERT handled 6,844 incidents. Six were handled in 1988. The total since 1988 is 22,940, which means nearly a third of the reports over a period of 10 years happened in the first three quarters of last year.

www.counterpane.com/labs.html

Counterpane Internet Security, Inc. is Bruce Schneier’s company. Schneier is the author of Applied Cryptography (John Wiley & Sons, 1994), a classic in its field. Schneier also wrote the Blowfish and Twofish encryption algorithms. Counterpane is primarily a research organization, and you’ll find excellent papers and links to other security companies, along with a database of security papers on the Web.

Here you’ll be able to read analyses of algorithms, protocols, and security devices, such as “Breaking Up is Hard to Do: Modeling Security Threats for Smart Cards” and “Why Cryptography is Harder than it Looks.”

You can download a screensaver that automatically brute-forces 40-bit RC2 keys. (Huh? It was written to demonstrate how easy it is to break that algorithm when used with a 40-bit key. It was written several years ago, when most S/MIME implementations were using 40-bit RC2 keys.) Why put it in a screensaver? Well, it’ll work when you don’t need your computer for other things. You have to do some preliminary work before anything will be accomplished; just running the screensaver doesn’t start it reading your encrypted email. Take a look at the screensaver, then go check your security products and their specifications. See “Please, Mr. Postman” for help on subscribing to the Counterpane newsletter.

www.icsa.net

ICSA is a security assurance company. It publishes Information Security Magazine (www.infosecuritymag.com) and is recognized as the certification lab of choice for testing security products. Go here to read the magazine or to see if popular security products have passed the industry certification test. Categories include: anti-virus, firewall, IPSec/VPN, cryptography, filtering, and monitoring. You’ll also find a listing of current hoaxes (www.icsa.net/html/communities/antivirus/hoaxes), along with warnings about non-existent viruses and such that clutter our email. Visit this site before you mail a copy to 5,000 of your friends.

www.itl.nist.gov/div893

This is the Computer Security Division of the National Institute of Standards and Technology (NIST). Its mission is to improve information security by developing awareness of IT vulnerabilities (sounds like the Cult of the Dead Cow—I wondered where they got that line!) and protection requirements. Here you can find information on current technology, standards including metrics and tests, and management guidance.

www.isc2.org

The International Information Systems Security Certification Consortium, Inc., or ISC2, promotes and manages the CISSP—Certified Information Systems Security Professional exam. I covered this in my September 1999 column. You’ll also find a code of ethics listed on the site.

www.misti.com

Travel here to read the MIS Training Institute newsletter, TransMISsion On Line, find a class or seminar, or purchase Audit Program and Security Review Kits (detailed compendiums of instructions for auditing information systems). You’ll also find the “Swiss Army Knife Reference,” an extensive bibliography of articles and links on security information. You’ll get the information auditor’s perspective here.

Set Up Your Own Security Links Folder

Note: Due to problems preventing the viewing of this story using Netscape Navigator, the file mysites.zip has not been included with the article. To obtain it, you must write to [email protected]; put "mysites.zip" on the Subject line of your message.

  1. Download a copy of mysites.zip (as instructed above), then extract the URLs contained in the file to your desktop into a new folder labeled "Security" or something comparable.
  2. Open Windows Explorer.
  3. Navigate to the Windows/Favorites folder (Windows 95/98); find your profile folder in Windows NT.
  4. Drag the security folder from your desktop to this location.
  5. Close Windows Explorer.
  6. Open up Internet Explorer/Favorites/Security folder.
  7. Click on a shortcut and check out the site.
  8. If you don't like it, delete it.
  9. As you find others that you like, add them in the normal manner.

I developed and tested this process on Internet Explorer 4.x and 5.0. I have no idea whether it works with any other versions or browsers.

www.L0pht.com

Would you believe that this company, the birthplace of the L0phtCrack password-cracking tool and many diatribes against Microsoft security, has merged with a traditional group (@Stake) to form a security consulting firm? Say it isn’t so, Mudge!

@Stake (www.atstake.com) offers e-commerce security services, including VPNs, firewalls, content security (anti-virus and email scanning), application security, and intrusion detection. Officers at @Stake include Dr. Daniel Geer, who was manager of systems development at MIT’s Project Athena, which developed Kerberos; Ted Julian, former lead security analyst at Forrester Research; and, of course, Mudge, of L0pht.

You can still find downloads of L0phtCrack at the old site, as well as other tools and a lot of good information.

www.gocsi.com

The Computer Security Institute advocates protection of information assets. It sponsors two conferences, NetSec in June and CIS Annual in November, along with a multitude of seminars.

www.issa-intl.org

The Information Systems Security Association (ISSA) is a not-for-profit international organization with educational forums and publications. Most items are restricted to members (you can sign up for a free 90-day trial), but you can read the current issue of its newsletter, The Password (“The only password you should share”), for free.

www.cultdeadcow.com

Finally, no list of sites would be complete without this. Go here to find a copy of and information on the famous Back Orifice remote administration program. Be astounded by these self-proclaimed saviors. They’re going to make our information more secure by allowing everyone to break into it. See my columns in the July 1999 and February 2000 issues.
