Computer Networking Resources

The following are useful online resources about data communications and computer networks. Also see my Study Guide for a list of textbooks (including free ones). Aspects of network security are not covered here; instead see my list Security Resources.

News and General Resources

Terminology and Notation

As with many technical topics, there are many terms, abbreviations, acronyms and mathematical notations used when discussing computer security. The following attempt to provide definitions of security terms. Unfortunately there is often conflicts in definitions and usage, so there is no one primary list of definitions.

• Internet Security Glossary (version 2) is IETF RFC 4949 by R. Shirey that provides more than 300 pages of definitions of security terms.
• Glossary of Key Information Security Terms, NIST Interagency Report 7298, listed across 200+ pages.

Alerts

As vulnerabilities are found in security technology, including software and algorithms, it is important to inform the developers and users of those technologies so that they can apply fixes. There are numerous companies and organisations that issues and maintain lists of security alerts and vulnerabilities. A common name is Computer Emergency Response/Readiness Team (CERT). Others are less formal and usually alerts are made via mailling lists. In addition to those listed below, many companies have their own lists/announcements.

• CERT, the original team from Carnegie Mellon University
• US-CERT, official US government CERT
• NVD: National Vulnerability Database provided by NIST.
• CVE. Database of Common Vulnerabilities and Exposures by MITRE Corporation, an official US government project.
• BugTraq is a mailling list with many vulnerability announcements.
• Full Disclosure is another mailling list with security vulnerability announcements.

Organisations

Standards Organisations

• ITU. Standardise telecommunication systems, ranging from traditional public switched telephone networks (e.g. landlines) to data networks (e.g. ISDN) to multimedia systems (e.g. H.323).
• IETF. Produce standards and guidelines on Internet protocols, including IP, TCP, routing protocols, multimedia protocols and many formats.
• IEEE Standards Association produces electronic and communications standards, including IEEE 802 series for LANs and MANs.
• ISO (often jointly with IEC and/or ITU) create standards for information and communication systems. A key contribution is the OSI 7-layer reference model.
• W3C. Produces freely available standards for web applications such as HTML, XML, URL, PNG, etc.

Internet Governance

• Several related organisations focus on technical activities on the Internet operation: IAB, IETF, IRTF, ISOC, IANA
• IP addresses are allocated by IANA, which delegates to regional Network Information Centres, e.g. APNIC, ARIN, which in turn delegate to country level NICs, e.g. THNIC.

• Naming, e.g. domain names, is an important part of the Internet run by ICANN
• IAB
• ICANN, also runs IANA

Government

Regulator authorities play an important part in determining how communication technologies can be used inside countries, especially how electromagnetic spectrum is shared between different applications/users.

• FCC regulates communications in the US.
• NBTC regulates communications in the Thailand. (Previously known as NTC)

Professional Organisations

Companies

A selection of high-profile companies in telecommunications and computer networking

• Telecommunication companies: AT&T, Verizon, ,
• Networking equipment: Cisco Systems, Juniper, Alcatel-Lucent, Huawei, Ericsson
• Domain Names:

Thailand

Companies, government departments and groups in Thailand that are related to computer and network security.

• Thailand Computer Emergency Response Team (ThaiCert)
• Thai Information Security Assocation (TISA)
• Electronic Transactions Development Agency (ETDA)
• Electronic Government Agency (EGA)
• ACIS, security certification and training in Thailand

People

There are many security researchers and professionals that have blogs and homepages, and/or are active on social networks (e.g. Google+, Twitter). Searching for "security blog" or "network security" will often lead you to popular security people. Here I list just a small selection of "famous" people that provide some interesting information on all aspects of computer and network security.

• Ross Anderson, Professor Security Engineering at the Computer Laboratory, University of Cambridge. Includes many links and articles about his and others research on a wide variety of security topics. See also his book, which is available for free.
• Bruce Schneier, an author, researcher and commentator of network security. His blog provides commentary on technical, political and legal aspects of security.
• Steve Gibson, of Gibson Research Corporation, has developed many software applications for security tasks. He, with Leo Laporte, has a weekly podcast (plus transcripts) called Security Now.
• Daniel J. Bernstein, a mathematics, computer science and cryptography researcher. Provides links and articles on secure software and algorithms he has developed, related cryptography research, as well as legal and political issues.
• Brian Krebs, a journalist who reports and blogs on computer security. His articles provide information on and links to major security attacks.

Courses

Books

Firstly, see the security textbooks in my study guide (including some free online books). Other, often more specialised online security books include:

• Secure Programming for Linux and Unix HOWTO by David A. Wheeler. Collection of hints and guidelines on writing secure scripts and programs for Linux/Unix.

Software

A very small selection of security-related software. Focus is on software used or demonstrated in my courses, which tends to be Linux and/or open-source software.

• OpenSSL is a library (and command line application) that implements many cryptographic algorithms.
• GnuPG implements mainly public key cryptography operations (although symmetric encryption is also supported).
• TrueCrypt is open source disk encryption software.
• John the Ripper, a password cracker.
• CrypTool. Free software for apply many encryption algorithms (classical, symmetric, public key) and analysing (breaking) ciphertexts. There are different variants of the software that run on different operating systems and online. It is designed to be educational, showing steps of ciphers and attacks.
• hashcat is a fast password cracker that supports running on GPUs.

By Topic

Performance and Benchmarking

• eBACS: ECRYPT Benchmarking of Cryptographic Systems. Presents benchmarks when using different hash, public key and stream algorithms running on a variety of hardware.
• GPU Speed Estimations by Ivan Golubev gives estimates of the speeds (in particular with respect to hashing and encryption) of many GPUs.
• See also: Hashcat

Encryption Algorithms

• DES Standard, FIPS-46
• AES Standard, FIPS-197
• Twofish by Bruce Schneier
• Serpent by Ross Anderson

Hash Algorithms

• MD5, RFC1321
• SHA Standard, FIPS-180
• SHA-3 standardisation efforts by NIST
• PKCS #5: Password-Based Cryptography Specification, RFC2898, covers PBKDF2
• RainbowCrack Project includes software for generating/using Rainbow tables, as well as ability to purchace Rainbow tables. The list of rainbow tables for sale gives good examples of key spaces covered by different password sets.
• See also: John the Ripper, Hashcat

Attacks

• Digital Attack Map is a live visualisation of DDoS attacks across the world. DDoS data comes from Arbor Networks.
• Acoustic Cryptanalysis of RSA uses a microphone to listen to a laptop computer, and from the different sounds heard when that computer is decrypting a chosen ciphertext, determines the private key used in the decryption. It is a very well-explained and interesting example of a side-channel attack. The FAQ gives a summary of the attack, while the 60+ page paper has the details (despite being long, the first few sections are quite clear and worth reading for most technical readers). I have a lecture trying to summarize the attack, with slides and YouTube screencast available.
• See also: Alerts

Random Numbers

• Ensuring Randomness with Linux's Random Number Generator is an article by Nick Sullivan that explains how the Linux kernel random number generator works, and how the output is accessed by /dev/random and /dev/urandom. It is quite long, but is a good explanation of how the Linux kernel uses different sources to generate random numbers.
• An example of how writing software that uses secure algorithms, but in an incorrect manner, can lead to security vulnerabilities and attacks. In this case, Android applications that use a Java library of cryptographic functions (the Java Cryptography Architecture), which in turn uses the OpenSSL Pseudo Random Number Generator (PRNG), were vulnerable to attacks because the PRNG was not initialised (seeded) correctly. A brief explanation of and fix for the problem by an Android developer. This implementation flaw meant that, for example, electronic wallets in Android had a serious security vulnerability: they could be easily stolen. Some popular Android apps that stored Bitcoins were vulnerable. (14 Aug 2013)
• Intel® Digital Random Number Generator (DRNG) Software Implementation Guide. Recent Intel CPUs offer a RDRAND operation which provides a very fast (compared to software) implemention of a random number generator. It uses the concept of using a true random number generator to create a seed as input to a cryptographically secure pseudo random number generator.

Passwords

• Password dictionaries and leaked passwords collected by SkullSecurity. The dictionaries can be used in attacks, and also for analysis of what types of passwords are chosen by users.
• Troy Hunt has a blog that covers aspects of computer security, especially passwords. He has analysed many leaked password databases and provides interesting insights into the structure of passwords.
• Is Everything We Know About Password Stealing Wrong? (7 page PDF) is an article that discusses who makes and loses many out of password stealing, and makes the argument that because banks and their customers most likely don't lose much money from password stealing, that focussing efforts on making (banking) passwords more secure may not be very beneficial.
• OWASP maintains several cheat sheets that offer advice and guidelines in implementing web systems that use passwords. They include: authentication in web systems, session management, password storage, dealing with forgotten passwords and choosing security questions.
• See also: John the Ripper, Hashcat

Media Sanitization

Deleting data and destructing media.

• NIST Special Publication 800-88 DRAFT Guidelines for Media Sanitization (). Techniques for deleting electronic data so that it is very hard to recover, as well as destroying media (including paper, USB drives, hard disks). Gives recommendations depending on the level of sanitization, such as just clearing the data or full destruction. Check the list of Special Publications by the NIST Computer Security Research Center to see if there is an updated version.
• hdparm is open source software for getting and setting parameters of ATA/SATA hard drives. Works in Linux and Windows and can apply ATA commands to sanitize hard disks. Possibly already installed in popular Linux distributions like Ubuntu.
• NSA Media Destruction Guidance. Lists NSA approved products for destroying paper, optical media, tape (degaussers) and hard drives.

Letter Frequency

• English Letter Frequency Counts: Mayzner Revisited by Peter Norvig, Director of Research, Google. Uses data from Google Books to provide statistics about occurrence of letters, digrams and generall n-grams in the English language.

Return to: Course List | Steven Gordon's Home | SIIT