My Security Favorites

When we asked Roberta to provide a list of the best Web sites for security information, she cleaned out her Favorites folder and rediscovered a few old friends.

By Roberta Bragg
April 01, 2000
        “Please note: We are not responsible for what 
        you do with these links, nor the files and information 
        you find on them, nor do we accept any responsibility 
        if your computer does this…”
        —From a disclaimer at www.nttoolbox.com. 
      With that, consider yourself forewarned that in addition 
        to solidly conservative, old-school security sites, I’m 
        about to lead you to some sites you should be wary of.
      People often ask me where they can get more information 
        on Windows security, or security in general. One of the 
        best sources I’ve found is free: the World Wide Web. 
        You’ll find free tools, commentary, excellent reviews 
        and advice, notifications of conferences, and enough hacker 
        tools to scare you. And if you don’t have time to 
        surf for security, you can sign up for one of my many 
        favorite mailing lists. (See “Please, 
        Mr. Postman.”)
      Why do folks share all this stuff with us? For some sites, 
        it’s business (the best way to sell a security product 
        is to provide lots of free information on security). For 
        other sites, it’s a need to serve the public good. 
        For still others, it’s ego (“Let me tell you 
        how much I know about security…”). For a growing 
        number, it’s a way to rage against the machine.
      Here’s the bad part: There are just too many good 
        sites to tell you about in one short column. Sites also 
        come and go, and quality varies. In writing this column, 
        I revisited many sites I had placed in my Favorites list, 
        but hadn’t checked in a while. Sadly, many of them 
        were gone. I’ll try to steer you to a few musts, 
        and a few just for fun.
      I’ve included my favorite picks as of today. Note 
        that some of these are considered hacker sites. I make 
        no claims about the safety of visiting any sites on this 
        list—or downloading and using any software, code, 
        or tips. Nor do I condone what some of these sites stand 
        for, although they’re on my list and I visit them 
        frequently. Just as a doctor studies disease in an effort 
        to fight it, I need to know the problems in order to protect 
        against them.
      I’ve made no attempt to place sites into categories. 
        Some sites that you might classify as hacker havens I 
        would consider to be managed by rational, ethical people—gray-hat 
        hackers, if you will. You’ll have to determine whether 
        you should visit any site on my list or use its information.
      www.microsoft.com/security
      A must for any Windows administrator, information security 
        expert, or geek worth his or her salt. Here’s where 
        you can find Microsoft security bulletins, subscribe to 
        a notification list, read about security features in Windows 
        2000, learn how to protect your Web site, and more. At 
        a bare minimum, sign up for the security notifications.
www.sans.org
      The SANS Institute (“System Administration, Networking, 
        and Security”), an educational and research organization, 
        has many useful things:
      
        -  Request your own copy of the “NSA Glossary of 
          Terms Used in Security and Intrusion Detection.” 
          You can get this comprehensive glossary of security 
          terms from [email protected] 
          or visit the Web site at www.sans.org/newlook/resources/glossary.htm 
          when you need them. You’ll need Microsoft Access 
          to use your own copy. The glossary is updated regularly.
 
        -  Get a free security poster.
 
        -  Learn about conferences and classes.
 
        -  Sign up for newsletters.
 
        -  Purchase booklets on security like “Securing 
          NT—A Step by Step Guide” and “Computer 
          Security Incident Handling Guide.”
 
        -  Read the “7 Top Management Errors that Lead 
          to Computer Security Vulnerabilities” (The No. 
          1 error is—you guessed it—“Assign untrained 
          people to maintain security and provide neither the 
          training nor the time to make it possible to do the 
          job.”)
 
      
      www.hackernews.com
      Well, who woulda figured? At the Hacker News Network 
        you can visit the “defaced pages” archive, or 
        find a list of other hacker sites (you can become an affiliate 
        too by putting a cool logo link to hackernews on your 
        site). You can also buy a T-shirt (that would get them 
        talking at the office), and read a variety of short notes 
        on hacks and things of interest to hackers and security 
        geeks in the news.
      This site is run by two employees of L0pht Heavy Industries, 
        the folks who brought you L0phtCrack, that ever-so-friendly 
        “find weak password tool” for NT administrators. 
        Space Rogue ran the first Macintosh hacking site, Whacked 
        Mac Archives. There’s no staff, but lots of folks 
        contribute. Where else could you find out that Russian 
        politician Vladimir Zhirinovski has threatened to steal 
        money from Western bank accounts electronically and unleash 
        a computer virus if he’s elected? In addition to 
        news, you can find articles on everything imaginable, 
        including the editorial, “What it feels like to be 
        raided by the FBI and it ain’t worth it.” In 
        short:
       
“…Consider that when some hackers are busted, they are caught with a list of thousands of logins and passwords to systems around the world. Disturbing to think that each one can be used as a felony charge against you…”
—Brian Martin, HNN

www.phrack.com
      Phrack is a famous hacker magazine. You can buy 
        it at Borders, or current and archive issues can be found 
        at the Web site. Some of its first issues documented how 
        to make long-distance calls for free. A recent issue (volume 
        9, issue 55, 9/9/99, “A REAL NT Rootkit”) calls 
        Back Orifice an amateur version of PC-Anywhere or SMS 
        and defines rootkit as a program that patches or Trojans 
        the OS. A rootkit puts back doors in the OS and breaks 
        its security system. So it might turn off auditing for 
        a particular user, create a universal password (that anyone 
        can log on with), or allow anyone to run privileged code 
        by using a special filename.
      
         
           
            
               
                 
                  
                     
Please, Mr. Postman

Too busy to visit security sites on a regular basis? Like to get lots of email? Don’t have a life? Sign up for security lists.

There are two types of lists to join: discussions and announcements. Both send you information automatically as it becomes available. Announcement lists, like Microsoft’s security bulletins, keep you informed; you can’t reply to them or post questions. In discussion lists you can take part. Ask questions, answer them, or just add your two cents.

There are a couple of things to remember. Although many lists are moderated, that may mean their posted content is read for suitability, not necessarily accuracy, before it’s relayed. Don’t believe everything someone says on a list. I’ve run into a lot of claims, half truths, and “I heard…” types of messages. I don’t know everything, so I try to verify any claims that would cause me to act differently or advise someone else to. Use proper list etiquette. Don’t use security lists to ask questions about networking or NT in general. It’s annoying to others to have their in-box cluttered with questions and discussions on mundane matters. And remember, you have no way of knowing who that person is who’s posting. Don’t open attachments from list posters, and don’t use code or instruction in messages until you check it out elsewhere—it could be someone’s idea of a cruel joke or their idea for saving society.

I’ve narrowed down my list to a few I’ve found very useful. For a one-stop shop that will show you many other lists and tell you how to subscribe, go to http://xforce.iss.net/maillists.

- Microsoft—If you’re going to subscribe to one list, here it is. You won’t get inane chatter or sweet notes from Microsoft about how great they are. Instead, you get each security bulletin when it’s announced. Security bulletins are published when Microsoft perceives a problem. (They respond quite well to criticisms, I just don’t want you to think that if Microsoft doesn’t call it a problem, it isn’t a problem.) Each security bulletin states the problem, suggests a resolution, and contains links to patches and more information. Join the list by going to the www.microsoft.com/security page and following the links.

- Counterpane Internet Security CryptoGram—Subscribe to the CryptoGram newsletter from this link: www.counterpane.com/crypto-gram.html.

- Bugtraq—Technical information on all operating systems. Send an email message to [email protected] with a message body of:

  subscribe bugtraq Lastname, Firstname

- Ntbugtraq—One just for us; the quality varies. Go to www.ntbugtraq.com and follow the links.

- SANS—Several digests or newsletters are offered here. Many tips and links to useful tools. Go to www.sans.org and follow the links.

- Phrack—To join, send email to [email protected] and in the text of your message (not the subject line) write:

  SUBSCRIBE Phrack

- CERT Advisory—To join, send email to [email protected] and in the text of your message (not the subject line), write:

  I want to be on your mailing list.

—Roberta Bragg
        
      
www.crypto.com
      Visit Matt Blaze’s Web site to learn more about cryptography. 
        In real life he works for AT&T doing cryptography 
        research.
      www.cdt.org
      Visit The Center for Democracy & Technology to learn 
        the latest on legislation and what the center thinks should 
        be legislation on free speech, data privacy, wiretapping, 
        and cryptography. Of course, you’re going to get 
        opinions as well.
      There’s also a link to help you remove your name 
        from profiling, marketing, and research databases. It 
        sends you to opt-out.cdt.org 
        and generates the opt-out forms section. This section 
        can generate letters to companies that don’t allow 
        online opt-out forms. You can also visit the on-line opt-out 
        pages of many organizations. The pages are in a frame 
        so you can move from one to the next. Watch out though; 
        you may have to negotiate the site you’re sent to 
        in order to find the opt-out form. On one site I was presented 
        with a form that would have added me to the database.
      www.security-focus.com
      Security-Focus offers tools. You can search its lists 
        by platform. The Web folks maintain a conference calendar 
        and offer a place to submit questions. It offers a great 
        link list.
      www.ietf.org
      Learn about Internet Engineering Task Force’s standards 
        for the Internet. Read the RFCs (Requests for Comments), 
        get on a mailing list, learn the facts from the source. 
        Does the Windows 2000 implementation of Kerberos conform 
        to the standard? Read the standard, check out Windows 
        2000, and make up your own mind. Not sure which RFC you 
        want? Go to www.rfc-editor.org/rfc.html 
        to search on topic name.
      www.somarsoft.com
      SomarSoft is famous for its free tools, which can help 
        you document ACLs or other security information on your 
        system. They’re now distributed by SystemTools.com, 
        which also has tools and books that will cost you money.
      www.grc.com
      Steve Gibson’s been around for a long time. One 
        of Gibson Research Corp.’s products is SpinRite, 
        a disk defragmenter. On his site you’ll find lots 
        of information on PC security. He’s got reviews of 
        personal Web servers, diatribes on removing Network Neighborhood 
        from Windows 9.x (he’s talking to home users here, 
        I hope), and a really unique penetration service for the 
        individual. With your permission (you click a button) 
        he scans your machine and tries to connect to common ports 
        (21, 23, 25, 79, 80, and 110), then reports on the results. 
        I use it to do a first-level check on personal intrusion 
        detection (ID) systems. The ID system should sound an 
        alarm when Steve’s site scans it. On the site, Steve 
        spends a lot of time explaining in very simple terms why 
        you might want to check this out and why folks might want 
        to protect their computers. This is a good site to send 
        Uncle Harry to if he can take the excitement; but I sure 
        hope my end users don’t take Steve seriously about 
        removing Network Neighborhood, or I’m going to have 
        a lot of helpdesk calls in the morning.
      www.nttoolbox.com
      You can download lots of interesting tools at the NT 
        Toolbox site, including that famous remote administration 
        tool NetBus. But remember, this is where I borrowed that 
        disclaimer I tacked onto the beginning of my column.
www.cert.org
      The Carnegie Mellon Software Engineering Institute Computer 
        Emergency Response Team (CERT) Coordination Center is 
        part of a federally funded research and development center. 
        It was started by the Defense Advanced Research Projects 
        Agency (DARPA) (part of the U.S. Department of Defense) 
        in December 1988 after the Morris Worm incident. This 
        worm infected a tenth of all computers connected to the 
        Internet and ushered in a new era of security vulnerabilities. 
        CERT is involved in coordinating response teams when large-scale 
        incidents occur, and providing training and research on 
        security vulnerabilities and their prevention, especially 
        the survivability of large-scale networks.
      To report an intrusion incident, you can communicate 
        securely with CERT (mailto:[email protected]) 
        using PGP (pretty good privacy, which is publicly available 
        email encryption software) with DES or via secure fax. 
        You can obtain advisories and other information related 
        to computer security. You can also find reports on incidents 
        and vulnerabilities reported. In the first three quarters 
        of 1999, CERT handled 6,844 incidents. Six were handled 
        in 1988. The total since 1988 is 22,940, which means nearly 
        a third of the reports over a period of 10 years happened 
        in the first three quarters of last year.
      www.counterpane.com/labs.html 
      Counterpane Internet Security, Inc. is Bruce Schneier’s 
        company. Schneier is the author of Applied Cryptography 
        (John Wiley & Sons, 1994), a classic in its field. 
        Schneier also wrote the Blowfish and Twofish encryption 
        algorithms. Counterpane is primarily a research organization, 
        and you’ll find excellent papers and links to other 
        security companies, along with a database of security 
        papers on the Web.
      Here you’ll be able to read analyses of algorithms, 
        protocols, and security devices, such as “Breaking 
        Up is Hard to Do: Modeling Security Threats for Smart 
        Cards” and “Why Cryptography is Harder than 
        it Looks.”
You can download a screensaver that automatically brute-forces 40-bit RC2 keys. (Huh? It was written to demonstrate how easy it is to break that algorithm when used with a 40-bit key. This was written several years ago when most S/MIME implementations were using 40-bit RC2 keys. Why put it in a screensaver? Well, it’ll work when you don’t need your computer for other things.) You have to do some preliminary work before anything will be accomplished. Just running the screensaver doesn’t start it reading your encrypted email. Take a look at the screensaver, then go check your security products and their specifications. See “Please, Mr. Postman” for help on subscribing to the Counterpane newsletter.
      www.icsa.net
      ICSA is a security assurance company. It publishes Information 
        Security Magazine (www.infosecuritymag.com) 
        and is recognized as the certification lab of choice for 
        testing security products. Go here to read the magazine 
        or to see if popular security products have passed the 
        industry certification test. Categories include: anti-virus, 
        firewall, IPSec/VPN, cryptography, filtering, and monitoring. 
        You’ll also find a listing of current hoaxes (www.icsa.net/html/communities/antivirus/hoaxes), 
        along with warnings about non-existent viruses and such 
        that clutter our email. Visit this site before you mail 
        a copy to 5,000 of your friends.
      www.itl.nist.gov/div893
      NIST is the computer security division of the National 
        Institute of Standards and Technology. Its mission is 
        to improve information security by developing awareness 
        of IT vulnerabilities (sounds like the cult of the dead 
        cow—I wondered where they got that line!) and protection 
        requirements. Here you can find information on current 
        technology, standards including metrics and tests, and 
        management guidance.
      www.isc2.org
      The International Information Systems Security Certification 
        Consortium, Inc., or ISC2, promotes and manages the CISSP—Certified 
        Information Systems Security Professional exam. I covered 
        this in my September 
        1999 column. You’ll also find a code of ethics 
        listed on the site.
      www.misti.com
      Travel here to read the MIS Training Institute newsletter, 
        TransMISsion On Line, find a class or seminar, or purchase 
        Audit Program and Security Review Kits (detailed compendiums 
        of instructions for auditing information systems). You’ll 
        also find the “Swiss Army Knife Reference,” 
        an extensive bibliography of articles and links on security 
        information. You’ll get the information auditor’s 
        perspective here.
      
         
           
            
               
                 
                  
                     
Set Up Your Own Security Links Folder

Note: Due to problems preventing the viewing of this story using Netscape Navigator, the file mysites.zip has not been included with the article. To obtain it, you must write to [email protected]; put "mysites.zip" on the Subject line of your message.

- Download a copy of mysites.zip (as instructed above), then extract the URLs contained in the file to your desktop into a new folder labeled "Security" or something comparable.

- Open Windows Explorer.

- Navigate to the Windows/Favorites folder (Windows 95/98); find your profile folder in Windows NT.

- Drag the security folder from your desktop to this location.

- Close Windows Explorer.

- Open up the Internet Explorer/Favorites/Security folder.

- Click on a shortcut and check out the site.

- If you don't like it, delete it.

- As you find others that you like, add them in the normal manner.

I developed and tested this process on Internet Explorer 4.x and 5.0. I have no idea whether it works with any other versions or browsers.
        
      
www.L0pht.com
      Would you believe that this company, the birthplace of 
        the L0phtCrack password-cracking tool and many diatribes 
        against Microsoft security, has merged with a traditional 
        group (@Stake) to form a security consulting firm? Say 
        it isn’t so, Mudge!
      @Stake (www.atstake.com) 
        offers e-commerce security services, including VPNs, firewalls, 
        content security (anti-virus and email scanning), applications 
        security, and intrusion detection. Officers at @Stake 
        include Dr. Daniel Geer, who was manager of systems development 
        at MIT’s Project Athena, which developed Kerberos; 
        Ted Julian, former lead security analyst at Forrester 
        Research; and, of course, Mudge, of L0pht.
      You can still find downloads of L0phtCrack at the old 
        site, as well as other tools and a lot of good information.
www.gocsi.com
      The Computer Security Institute advocates protection 
        of information assets. It sponsors two conferences, NetSec 
        in June and CSI Annual in November, along with 
        a multitude of seminars.
      www.issa-intl.org
      The Information Systems Security Association (ISSA) is 
        a not-for-profit international organization with educational 
        forums and publications. Most items are restricted to 
        members (you can sign up for a free 90-day trial), but 
        you can read the current issue of their newsletter for 
        free, The Password: The only password you should 
        share.
      www.cultdeadcow.com
      Finally, no list of sites would be complete without this. 
        Go here to find a copy of and information on the famous 
        Back Orifice remote administration program. Be astounded 
        by these self-proclaimed saviors. They’re going to 
        make our information more secure by allowing everyone 
        to break into it. See my columns in the July 
        1999 and February 
        2000 issues.