Security Resources
The following are useful online resources about computer and network security. Also see my Study Guide for a list of textbooks (including free ones).
News and General Resources
- Cryptome is an archive of documents relating to cryptography, US national security and intelligence, and surveillance.
As with many technical topics, there are many terms, abbreviations, acronyms and mathematical notations used when discussing computer security. The following attempt to provide definitions of security terms. Unfortunately there are often conflicts in definitions and usage, so there is no one primary list of definitions.
Alerts
As vulnerabilities are found in security technology, including software and algorithms, it is important to inform the developers and users of those technologies so that they can apply fixes. There are numerous companies and organisations that issue and maintain lists of security alerts and vulnerabilities. A common name is Computer Emergency Response/Readiness Team (CERT). Others are less formal and usually alerts are made via mailing lists. In addition to those listed below, many companies have their own lists/announcements.
- CERT, the original team from Carnegie Mellon University
- US-CERT, official US government CERT
- NVD: National Vulnerability Database provided by NIST.
- CVE: database of Common Vulnerabilities and Exposures maintained by the MITRE Corporation, an official US government project.
- BugTraq is a mailing list with many vulnerability announcements.
- Full Disclosure is another mailing list with security vulnerability announcements.
Conferences
Many of the latest advances in computer security, especially new attacks and countermeasures, are presented in conferences. Often presentation slides (and sometimes full papers or examples) are available freely on the conference website. Below are a selection of some security conferences.
- BlackHat: a series of events on information security, with archives of the conferences often including presentations, white papers and videos.
- USENIX Security: annual symposium with latest research papers, all available in full for download.
- Virus Bulletin: both a journal and series of conferences on viruses and other malware.
- DEF CON: a hacker convention usually held in conjunction with BlackHat. Most articles and presentations are available on the website.
Organisations
Standards Organisations
Government
This includes the signals intelligence and communication security departments of different governments. If you explore their websites, you may find interesting historical records, general descriptions of security technologies, as well as security algorithms and software.
- NSA, US signals intelligence and security organisation.
- GCHQ, UK signals intelligence and security organisation.
- See also: NIST, US CERT
Professional Organisations
Some organisations promote awareness of computer security and certify skills of security professionals, issuing certificates.
- OWASP, the Open Web Application Security Project, describes and presents solutions for many common security risks for web applications. It maintains a Top 10 of web vulnerabilities, as well as cheat sheets on how to improve the security of web applications. Many useful resources if you are developing web applications.
- (ISC)2 - security certification
- SANS Institute - security training and certification
- CompTIA - computer and security certification and training
Companies
A selection of high-profile companies in computer and network security.
- RSA (now owned by EMC) led the development and commercialisation of public key products
- VeriSign (now owned by Symantec) provides key, certificate and authentication services
Australia
Companies, government departments and groups in Australia that are related to computer and network security.
- Australian Computer Emergency Response Team (AusCERT), a major, independent CERT in Australia based at University of Queensland
- CERT Australia, the Australian government's CERT
- Australian Signals Directorate (ASD), the information security arm of the Australian Department of Defence. A number of publications are available, some aimed towards a general audience and others quite technical, including the Australian Government Information Security Manual, Strategies to Mitigate Targeted Cyber Intrusions, DNS Security, and Hardening Guides.
- Australian Cyber Security Centre (ACSC), run by ASD
Thailand
Companies, government departments and groups in Thailand that are related to computer and network security.
- Thailand Computer Emergency Response Team (ThaiCert)
- Thai Information Security Association (TISA)
- Electronic Transactions Development Agency (ETDA)
- Electronic Government Agency (EGA)
- ACIS, security certification and training in Thailand
People
There are many security researchers and professionals that have blogs and homepages, and/or are active on social networks (e.g. Google+, Twitter). Searching for "security blog" or "network security" will often lead you to popular security people. Here I list just a small selection of "famous" people that provide some interesting information on all aspects of computer and network security.
- Ross Anderson, Professor of Security Engineering at the Computer Laboratory, University of Cambridge. Includes many links and articles about his and others' research on a wide variety of security topics. See also his book, which is available for free.
- Bruce Schneier, an author, researcher and commentator on network security. His blog provides commentary on technical, political and legal aspects of security.
- Steve Gibson, of Gibson Research Corporation, has developed many software applications for security tasks. He, with Leo Laporte, has a weekly podcast (plus transcripts) called Security Now.
- Daniel J. Bernstein, a mathematics, computer science and cryptography researcher. Provides links and articles on secure software and algorithms he has developed, related cryptography research, as well as legal and political issues.
- Brian Krebs, a journalist who reports and blogs on computer security. His articles provide information on and links to major security attacks.
- Peter Ferrie, a leader at Symantec who provides technical descriptions of various malware and encryption techniques.
Courses
Books
Firstly, see the security textbooks in my study guide (including some free online books). Other, often more specialised online security books include:
Software
A very small selection of security-related software. Focus is on software used or demonstrated in my courses, which tends to be Linux and/or open-source software.
- OpenSSL is a library (and command line application) that implements many cryptographic algorithms.
- GnuPG implements mainly public key cryptography operations (although symmetric encryption is also supported).
- TrueCrypt is open source disk encryption software. (Note that it is no longer maintained and later versions may be considered compromised.)
- John the Ripper, a password cracker.
- CrypTool: free software for applying many encryption algorithms (classical, symmetric, public key) and analysing (breaking) ciphertexts. There are different variants of the software that run on different operating systems and online. It is designed to be educational, showing the steps of ciphers and attacks.
- hashcat is a fast password cracker that supports running on GPUs.
By Topic
Performance and Benchmarking
- eBACS: ECRYPT Benchmarking of Cryptographic Systems. Presents benchmarks when using different hash, public key and stream algorithms running on a variety of hardware.
- GPU Speed Estimations by Ivan Golubev gives estimates of the speeds (in particular with respect to hashing and encryption) of many GPUs.
- See also: Hashcat
Encryption Algorithms
Hash Algorithms
Attacks
- Digital Attack Map is a live visualisation of DDoS attacks across the world. DDoS data comes from Arbor Networks.
- Acoustic Cryptanalysis of RSA uses a microphone to listen to a laptop computer, and from the different sounds heard when that computer is decrypting a chosen ciphertext, determines the private key used in the decryption. It is a very well-explained and interesting example of a side-channel attack. The FAQ gives a summary of the attack, while the 60+ page paper has the details (despite being long, the first few sections are quite clear and worth reading for most technical readers). I have a lecture trying to summarize the attack, with slides and YouTube screencast available.
- See also: Alerts and Malware
Random Numbers
- Ensuring Randomness with Linux's Random Number Generator is an article by Nick Sullivan that explains how the Linux kernel random number generator works, and how the output is accessed by /dev/random and /dev/urandom. It is quite long, but is a good explanation of how the Linux kernel uses different sources to generate random numbers.
- An example of how writing software that uses secure algorithms, but in an incorrect manner, can lead to security vulnerabilities and attacks. In this case, Android applications that use a Java library of cryptographic functions (the Java Cryptography Architecture), which in turn uses the OpenSSL Pseudo Random Number Generator (PRNG), were vulnerable to attacks because the PRNG was not initialised (seeded) correctly. A brief explanation of and fix for the problem by an Android developer. This implementation flaw meant that, for example, electronic wallets in Android had a serious security vulnerability: they could be easily stolen. Some popular Android apps that stored Bitcoins were vulnerable. (14 Aug 2013)
- Intel Digital Random Number Generator (DRNG) Software Implementation Guide. Recent Intel CPUs offer a RDRAND instruction which provides a very fast (compared to software) implementation of a random number generator. It uses a true random number generator to create a seed that is fed into a cryptographically secure pseudo random number generator.
Media Sanitization
Deleting data and destructing media.
- NIST Special Publication 800-88 DRAFT Guidelines for Media Sanitization. Techniques for deleting electronic data so that it is very hard to recover, as well as destroying media (including paper, USB drives, hard disks). Gives recommendations depending on the level of sanitization, such as just clearing the data or full destruction. Check the list of Special Publications by the NIST Computer Security Research Center to see if there is an updated version.
- hdparm is open source software for getting and setting parameters of ATA/SATA hard drives. Works in Linux and Windows and can apply ATA commands to sanitize hard disks. Possibly already installed in popular Linux distributions like Ubuntu.
- NSA Media Destruction Guidance. Lists NSA approved products for destroying paper, optical media, tape (degaussers) and hard drives.
Letter Frequency
Malware
- W32.Stuxnet Dossier (PDF) by Symantec. A detailed report explaining how Stuxnet worked. Stuxnet was complex malicious software, which utilised multiple different vulnerabilities, observed around 2009 and 2010. It caused dedicated hardware in industrial control systems to operate unexpectedly, and it is believed the intention was to shut down centrifuges used for separating nuclear material in Iran.
- Equation Group: Questions and Answers (PDF) by Kaspersky Lab. Explains the Equation Group and the many pieces of malware they have used to perform attacks. Their attack tools are considered to be some of the most complex in the world, and some believe they are connected to US intelligence agencies. One tool, GRAYFISH, infects a boot loader, essentially taking control of the Windows operating system as it boots. GRAYFISH and EQUATIONDRUG were used to infect hard drive firmware, meaning erasing a hard disk would not even remove the malware.
- Hunting for Metamorphic (PDF) by Peter Szor and Peter Ferrie in Virus Bulletin Conference. Written in 2001, it provides an evolutionary view of viruses, starting from encrypted and oligomorphic viruses, then polymorphic viruses, and explaining the techniques and countermeasures of metamorphic viruses.
- See also: Attacks
Return to: Course List | Steven Gordon's Home | SIIT