The following list of resources includes articles, papers, and tools. The majority were
or created by individuals working in security.
Sites on the WWW
The Anonymous Remailer FAQ.
This document covers all aspects of anonymous remailing techniques and tools.
The Anonymous Remailer List.
This is a comprehensive but often-changing list of anonymous remailers.
A site that claims to be "The World's Leading Supplier of Software Bug Fixes."
This is an archive of the popular mailing list, Bugtraq, one of the most reliable sources for up-to-date
on newly found vulnerabilities in UNIX (and at times, other operating systems).
The Center for Secure Information Systems.
with the Center at George Mason University, has some truly incredible papers. There is much cutting-edge research going on here. The following URL sends you directly to the
page, but you really should explore the entire site.
The CIAC Virus Database.
This was the ultimate virus database on the Internet. It's an
resource for learning about viruses that can affect your platform. Though the information on this page is out of date, it provides links to all the virus database of the different commercial
The Computer Emergency Response Team (CERT).
CERT is an organization that assists sites in responding to network security violations, break-ins, and so forth. This is a great source of information, particularly regarding vulnerabilities.
Connected: An Internet Encyclopedia.
This is an incredible online resource for RFC documents and
information, painstakingly translated into HTML.
Criminal Justice Studies of the Law Faculty of University of Leeds, The United Kingdom.
This site boasts interesting information on cryptography and civil liberties.
Dan Farmer: Security Survey of Key Internet Hosts and Various Semi-Relevant Reflections.
This is a fascinating independent study
by one of the authors of the now famous SATAN program. The survey involved approximately 2,200 sites; the results are
Department of Defense Password Management Guideline.
This is a treatment of password security in
This site is filled with virus information.
with viruses (or anyone who just wants to know more about virus technology) should visit Dr. Solomon's site.
The Evaluated Products List (EPL).
This is a list of products that have been evaluated for security ratings based on DoD guidelines.
Federal Information Processing Standards Publication Documents (Government Guidelines).
The National Institute of Standards and Technology reports on DES encryption and related technologies.
Forum of Incident Response and Security Teams (FIRST).
FIRST is a conglomeration of many organizations undertaking security measures on the Net. This powerful organization is a good starting place to find sources.
General Accounting Office:
Information Security: Computer Attacks at Department of Defense Pose Increasing Risks.
A report on failed security at U.S. defense sites.
and Information Security on the Web.
This is a comprehensive list of links and other resources concerning information warfare over the Internet.
InterNIC (the Network Information Center).
InterNIC provides comprehensive databases of networking information. These databases contain the larger portion of collected knowledge on the design and scope of the Internet. Of main importance here is the database of RFC documents.
Massachusetts Institute of Technology Distribution Site of Pretty Good Privacy (PGP) for U.S. Residents.
PGP provides some of the most powerful, military-grade encryption currently available.
The National Computer Security Association.
This site contains a great deal of
security information, including reports, papers, advisories, and analyses of various computer security products and techniques.
This is a page which advertises an interesting for-pay service. It offers a service where one can search through thousands of downloaded messages passed among hackers and crackers on BBS
and the Internet. This commercial site is an incredible security resource.
A NT/2000 specific version of Bugtraq.
A Page Devoted to ATP, the Anti-Tampering Program.
In some ways, ATP is similar to Tripwire or Hobgoblin.
This is one of the more comprehensive security sites, containing many tools and documents of deep interest to the security community.
The Rand Corporation.
This site contains security resources of various sorts as well as engrossing early documents on the Internet's design.
of one of the better firewall products on the Net has established a fine security library.
The Risks Forum.
This is a
digest regarding security and other risks in computing. This great resource is also searchable. With it, you can tap the better security minds on the Net.
S/Key Informational Page.
This site provides information on S/Key and the use of one-time passwords in authentication.
The Security Reference Index.
by the folks at telstra.com, is a comprehensive pointer page to many security resources.
The Seven Locks Server.
This is an eclectic collection of security resources, including a number of papers that cannot be found elsewhere!
Short Courses in Information Systems Security at George Mason University.
This site contains information about security courses. Moreover, you'll find links to a comprehensive bibliography of security-related documents.
This site boasts some very highbrow technical information. The technical reports here are of extreme value. However, you must have at least a fleeting background in security to even grasp some of the concepts.
Department of Energy's Computer Incident Advisory Capability (CIAC).
CIAC provides computer security services to
and contractors of the U.S. Department of Energy, but the site is
to the public as well. There are many tools and documents at this location.
This company produces
security operating systems and other security solutions. It is the leader in TEMPEST technology.
Wietse Venema's Tools Page.
This page, maintained by Wietse Venema (coauthor of SATAN and author of TCP_Wrapper and many other security tools), is filled with papers, tools, and general information. It is a must-visit for any UNIX system administrator.
This FAQ gives you links to many wordlists on the Internet that is useful in testing the strength of, or cracking, UNIX passwords.
Reports and Publications
. Congress. House. Committee on Science, Space, and Technology. Subcommittee on Science. Internet Security: Hearing Before the Subcommittee on Science of the Committee on Science, Space, and Technology.
U.S. House of Representatives, One Hundred Third Congress, second session, March 22, 1994. Washington. U.S. G.P.O. For sale by the U.S. G.P.O., Supt. of Docs., Congressional Sales Office. 1994.
Authentication and Discretionary Access Control.
PaulA.Karger, Computers & Security, Number 5, pp. 314–324. 1986.
Beyond the Pale of MAC and DAC—Defining New Forms of Access Control.
Catherine J. McCollum JudithR. Messing, and LouAnnaNotargiacomo. SympSecPr, pp. 190–200, IEEECSP. May 1990.
Computer Security: Hackers Penetrate DoD Computer Systems.
Testimony before the Subcommittee on Government Information and Regulation, Committee on Government Affairs. United States Senate, Washington D.C., November 1991.
Extended Discretionary Access Controls.
S.T.Vinter. SympSecPr, pp. 39–49, IEEECSP, April 1988.
A Guide to Understanding Discretionary Access Control in Trusted Systems.
Technical Report NCSC-TG-003, National Computer Security Center. 1987.
A Model of Atomicity for Multilevel Transactions.
Computer Society Symposium on Research in Security and Privacy;
1993 May 24; Oakland, California. Barbara T. Blaustein, Sushil JajodiaCatherineD. McCollum, and LouAnnaNotargiacomo (MITRE). USA: IEEE Computer Society Press. 1993. 0-8186-3370-0.
Network Security: Protocol Reference Model and the Trusted Computer System Evaluation Criteria.
M.D.Abrams and A.B.Jeng. IEEE Network, 1(2), pp. 24–33. April 1987.
Secure Networking at Sun Microsystems Inc.
KatherineP.Addison and John J. Sancho. 11th NCSC; 1988. Baltimore. USA: NBS/NCSC: pp.212–218.
STRAWMAN Trusted Network Interpretation Environments Guideline.
Abrams MartinW. Schwartz, and SamuelI.Schaen (MITRE). 11th NCSC; Baltimore. USA: NBS/NCSC: pp.194–200. 1988 Oct 17.
Microsoft: Vulnerabilities in Internet Explorer.
CIAC Bulletin. May 18, 2000.
Internet Java & ActiveX Advisor. Journal.
Java & HotJava: Waking Up the Web.
Sean González. PC Magazine. October 1995.
Java as an Intermediate Language.
Technical Report, School of Computer Science, Carnegie Mellon University, Number CMU-CS-96-161. August 1996.
Java Developer's Journal.
Java Security: From HotJava to Netscape and Beyond.
Drew Dean Edward W. Felten, and DanS.Wallach. 1996 IEEE Symposium on Security and Privacy, Oakland, CA. May 1996.
Java: The Inside Story.
Michael O'Connell. Sunworld Online, Volume 07, July 1995.
NetProf: Network-Based High-Level Profiling of Java Bytecode.
Srinivasan Parthasarathy, Michael Cierniak, and Wei Li. TR 622, URCSD. May 1996.
The Ultimate Java Archive.
Databases and Security
Access Control: Principles and Practice.
R.S. Sandhu and P.Saramati. IEEE Communications, pp. 2–10. 1994.
Authorizations in Relational Database Management Systems.
E.BertinoS.Jajodia, and P.Saramati. ACM Conference on Computer and Communications Security, Fairfax, VA (1993). pp. 130–139.
Ensuring Atomicity of Multilevel Transactions.
P. Ammann S.Jajodia, and I.Ray. IEEE Symposium on Research in Security and Privacy. Oakland, CA. pp. 74–84. May 1996.
An Extended Authorization Model for Relational Databases.
E.BertinoP.Samarati, and S.Jajodia. IEEE Transactions on Knowledge and Data Engineering, Volume 9, Number 1, pages 85–101. 1997.
Formal Query Languages for Secure Relational Databases.
M. WinslettK.Smitth, and X.Qian. ACM TODS, 19(4):626–662. 1994.
Honest Databases That Can Keep Secrets.
R.S.Sandhu and S.Jajjodia, NCSC.
Locking Protocol for Multilevel Secure Databases Providing Support for Long Transactions.
S.Pal, Pennsylvania State University. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.
Messages, Communications, Information Security: Protecting the
from the Data.
J.E.Dobson and M.J.Martin, University of Newcastle. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.
Microsoft Access 2.0 Security.
TomLucas. PC Solutions.
The Microsoft Internet Security Framework (MISF) Technology for Secure Communication, Access Control, and Commerce.
1997 Microsoft Corporation.
Multilevel Security for Knowledge Based Systems.
ThomasD.Garvey and TeresaF.Lunt. Stanford Research Institute, SRI-CSL-91-01. February 1991.
On Distributed Communications: IX. Security, Secrecy and Tamper-Free Considerations.
P.Baran. Technical Report, The Rand Corp. Number RM-376. August 1964.
A Personal View of DBMS Security in Database Security: Status and Prospects.
F.Manola.C.E.Landwehr (ed.), Elsevier Science Publishers B.V., North Holland, 1988. GTE Labs. December 1987.
A Policy Framework for Multilevel Relational Databases.
Xiaolei Qian and TeresaF.Lunt. SRI-CSL-94-12. August 1994.
Role-Based Access Controls.
D.F.Ferraiolo and R.Kuhn. NIST-NCSC National Computer Security Conference, Baltimore, MD (1993). pp. 554–563.
A Secure Concurrency Control Protocol for Real-Time Databases.
R.Mukkamala, Old Dominion University, and S.H.Son, University of Virginia. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.
A Security Model for Military Message System.
C. E. LandwehrC.L Heitmeyer, and J.McLean. ACM Transactions on Computer Systems, 2(3), August 1984.
Symposium on the Global Information Infrastructure: Information, Policy, and International Infrastructure.
PaulA.Strassmann, U.S. Military Academy West Point and Senior Advisor, SAIC; William Marlow, Senior Vice President, SAIC. January 28–30, 1996.
Trusted Database Management System.
NCSC-TG-021. Trusted Database Management System Interpretation. Chief, Technical Guidelines Division. ATTN: C11 National Computer Security Center Ft. George G. Meade, MD 20755-6000. April 1991.
Why Safeguard Information?
Computer Audit Update, Elsevier Advanced Technology. Abo Akademi University, Institute for Advanced Management Systems Research, Turku Centre for Computer Science. Thomas Finne. 1996.
Accountability Is Key to Democracy in the Online World.
WalterS.Mossberg. The Wall Street Journal. Thursday, January 26, 1995.
ActiveX Used as Hacking Tool.
N.Wingfield. CNET News. February 7, 1997.
Alleged Computer Stalker Ordered Off Internet.
Stevan Rosenlind. McClatchy News Service. July 26, 1995.
Are Your Employees Your Biggest Security Risk?
IT Security. December 20, 2000.
Billions and Billions of
Peter Galvin. SunworldOnline.
Breaches from Inside Are Common.
Infosecurity News. January/February 1997.
CYBERWAR IS COMING!
John Arquilla and David Ronfeldt. International Policy Department, Rand Corporation. Taylor & Francis. 0149-5933-93. 1993.
DDoS attack targets chat, Linux boxes.
Scott Berinato. EWeek. September 5, 2000.
The First Internet War; The State of Nature and the First Internet War: Scientology, Its Critics, Anarchy, and Law in
DavidG.Post. Reason Magazine. April, 1996.
Gang War in Cyberspace.
M.Slatalla and J.Quitner. Wired, Volume 2, Number 12. December, 1994.
KC Wrestles with Equipment Theft Problem.
Timothy Heider. Kansas City Star. February 17, 1997.
Network Security Throughout the Ages.
Jeff Breidenbach. Switzerland (Project MAC) Association. MIT Project on Mathematics and Computation. 1994.
New York's Panix Service Is Crippled by Hacker Attack.
RobertE.Calem. The New York Times. September 14, 1996.
The Paradox of the Secrecy About Secrecy: The Assumption of a Clear Dichotomy Between Classified and Unclassified Subject Matter.
Paul Baran. MEMORANDUM RM-3765-PR; On Distributed Communications: IX Security, Secrecy, and Tamper-Free Considerations. Rand Corporation. August 1964.
Pentagon Web Sites Closed After Visit from Hacker.
Nando.net News Service. December 30, 1996.
Post Office Announces Secure E-Mail.
Boot. March 1997.
Secure Your Data: Web Site Attacks on the Rise!
StewartS.Miller. Information Week. January 29, 1996.
Security Is Lost in Cyberspace.
News & Observer. February 21, 1995.
Statement Before Senate Subcommittee on Governmental Operations.
John Deutch, Director, CIA. June 25, 1996.
Student's Expulsion Over E-Mail Use Raises Concern.
Amy Harmon. Los Angeles Times. November 15, 1995.
U.S. Files Appeal in Dismissed Baker Case.
ZacharyM.Raimi. The Michigan Daily. November 22, 1995.
What's the Plan? Get a Grip on Improving Security Through a Security Plan.
Peter Galvin. SunWorld Online. September 1995.
Some of these tools were coded by the establishment (the
security community). Others were authored by
hackers and crackers.
DECROS Security Card.
Desktop Surveillance 97.
Administrator Assistant Tool Kit.
Kane Security Analyst.
Windows 2000 Security Tools
Windows 2000 Internet Server Security Configuration Tool.
Windows 2000 Resource Kit.
Macintosh Security Tools
Network Security Guard.
A generalized password cracker for Windows.
Cracks UNIX passwords on UNIX platforms.
Cracks UNIX passwords on the Microsoft platform.
Cracks UNIX passwords on the DOS platform. This utility is available everywhere. Try the search string
This UNIX password cracker is available everywhere. Try the search string
Cracks UNIX passwords on the DOS platform.
John the Ripper.
Cracks UNIX passwords on the DOS and Linux platforms.
Cracks UNIX passwords under DOS.
Cracks UNIX passwords on DOS, Linux, and Windows platforms.
Cracks NT passwords.
PC UNIX Password Cracker.
The name of this utility says it all. This tool is hard to find; I know of no reliable locations, but you might try the
as a search string.
Cracks UNIX passwords on the UNIX platform.
Cracks UNIX passwords on the DOS platform.
Cracks the passwords on Zip archives. Try the search string
Sniffer for use on Linux machines.
Sniffs Ethernet and token ring networks.
Sniffs in the DOS environment. This tool is good for sniffing Novell NetWare networks.
Runs on the Linux platform.
Awesome sniffer suite for use on UNIX and Windows 95.
Scanners and Related Utilities
Are you looking for a vulnerable TFTP server? Try this utility. It runs on UNIX.
This UNIX utility identifies vulnerable FSP servers.
Runs on UNIX; identifies the UID of all running processes.
Runs on UNIX. Scans behind firewalls.
Win95 port of many UNIX snooping utilities.
Runs on Windows 95. Has many common UNIX snooping utilities and a port scanner.
Network Security Scanner. Written in Perl, runs on UNIX.
Runs on UNIX; you must have Perl.
Runs on UNIX.
Port of the popular UNIX utility Traceroute to Macintosh.
Locates vulnerable X servers.
This device is yet another mail-
utility. Avalanche is for Windows. Try the search string
This is a mail-bombing utility for Macintosh.
This utility is a mail bomber for the Windows platform. To obtain it, try the search string
This is a Macintosh mail-bombing utility.
This utility is a mail bomber for the Windows platform. To obtain it, try the search string homicide.exe.
This device is an email bomber. To obtain it, try searching for the string
This utility is a mail bomber for the Windows platform. To obtain it, try the search string
The UNIX MailBomb.
This mail-bomb utility by CyBerGoAT works on all UNIX platforms. To obtain it, try the search string
MailBomb by CyBerGoAT.
The UpYours Mail Bombing Program.
To obtain this mail bomber, try searching for the string
Cisco Secure Intrusion Detection System.
Network Fligher Recorder.
Technical Reports, Government Standards, and Papers
The Rainbow Books and Related Documentation
The Rainbow Books set forth the U.S. government's criteria for the use and certification of trusted systems.
Computer Security Requirements: Guidance for Applying the DoD TCSEC in Specific Environments
(Light Yellow Book). June 1985.
DoD Password Management Guideline
(Green Book). April 1985.
DoD Trusted Computer System Evaluation Criteria
(Orange Book). December 1985.
Glossary of Computer Security Terms
(Teal Green Book). October 21, 1988.
A Guide to Understanding Audit in Trusted Systems
(Tan Book). June 1988.
A Guide to Understanding Configuration Management in Trusted Systems
(Amber Book). March 1988.
A Guide to Understanding Design Documentation in Trusted Systems
(Burgundy Book). October 1988.
A Guide to Understanding Discretionary Access Control in Trusted Systems
(Neon Orange Book). September 1987.
A Guide to Understanding Identification and Authentication in Trusted Systems
(Light Blue Book). September 1991.
A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems
(Turquoise Book). May 1992.
A Guide to Understanding Object Reuse in Trusted Systems
(Light Blue Book). July 1992.
A Guide to Understanding Security Modeling in Trusted Systems
(Aqua Book). October 1992.
A Guide to Understanding Trusted Distribution in Trusted Systems
(Dark Lavender Book). December 1988.
A Guide to Understanding Trusted Facility Management
(Brown Book). October 1989.
Guidelines for Formal Verification Systems
(Purple Book). April 1989.
Guidelines for Writing Trusted Facility Manuals
(Yellow-Green Book). October 1992.
RAMP Program Document
(Pink Book). March 1995, Version 2.
Technical Rational Behind CSC-STD-003-85: Computer Security Requirements—Guidance for Applying the DoD TCSEC in Specific Environments
(Yellow Book). June 1985.
Trusted Database Management System Interpretation of the TCSEC
(Purple Book). April 1991.
Trusted Network Interpretation of the TCSEC
(Red Book). July 1987.
Trusted Product Evaluations: A Guide for Vendors
(Bright Blue Book). June 1990.
Trusted Product Evaluation Questionnaire
(Blue Book). May 1992, Version 2.
Trusted UNIX Working
(TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System
(Silver Book). July 1989.
Selected Publications from the NCSC
Auditing Issues in Secure Database Management Systems.
Computer Viruses: Prevention, Detection, and Treatment.
The Design and Evaluation of INFOSEC Systems: The Computer Security Contribution to the Composition Discussion.
Discretionary Access Control Issues in High Assurance Secure Database Management Systems.
Integrity in Automated Information Systems.
Turning Multiple Evaluated Products into Trusted Systems.
Other Governmental Security Documents and Advisories
Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise.
1st ACM Conference on Computer and Communications Security pp. 244–250. ACM Press. November 1993.
Australian Computer Emergency Response Team.
A Basis for Secure Communication in Large Distributed Systems.
DavidP.Anderson and P.VenkatRangan. UCB//CSD-87-328, January 1987.
Benchmarking Methodology for Network Interconnect Devices.
RFC 1944. S.Bradner and J.McQuaid.
Charon: Kerberos Extensions for Authentication over Secondary Networks.
Check Point FireWall-1 Introduction.
Checkpoint Technologies Firewall Information.
Cisco PIX Firewall.
Cisco Systems firewall information.
Covert Channels in the TCP/IP Protocol Suite.
CraigRowland.Rotherwick & Psionics Software Systems, Inc.
Crack Version 4.1: A Sensible Password Checker for UNIX.
A.Muffett. Technical Report, March 1992
A Cryptographic File System for UNIX.
Matt Blaze. 1st ACM Conference on Computer and Communications Security. pp. 9–16. ACM Press. November 1993.
Daemons and Dragons UNIX Accounting.
Dinah McNutt. UNIX Review. 12(8). August 1994.
Designing Plan 9.
DavePresottoRob Pike, and KenThompson. Dr. Dobb's Journal. Volume 16, p. 49. January 1, 1991.
The Eagle Firewall Family.
Raptor firewall information.
The Empirical Evaluation of a Security-Oriented Datagram Protocol.
David P. Anderson Domenico FerrariP. Venkat RanganB.Sartirana. University of California Berkeley, CS csd-87-350. UCB//CSD-87-350, April 1987. ftp://tr-ftp.cs.berkeley.edu/pub/tech-reports/csd/csd-87-350/
Evolution of a Trusted B3 Window System Prototype.
J.Epstein,J.McHughR.Psacle C.Martin D.RothnieH.Orman A. Marmor-Squires,M. Branstad and B.Danner. In
of the 1992 IEEE Symposium on Security and Privacy, 1992.
Firewall Application Notes.
A good document that starts by describing how to build a firewall. Also addresses application proxies, Sendmail in relation to Livingston Enterprises, Inc.
Improving the Security of Your Site by Breaking Into It.
Dan Farmer and Wietse Venema. 1995.
Improving X Windows Security.
Linda Mui. UNIX World. Volume IX, Number 12. December 1992.
Intrusion Protection for Networks 171.
Byte Magazine. April, 1995.
IP v6 Release and Firewalls
Uwe Ellermann. 14th Worldwide Congress on Computer and Communications Security Protection. pp. 341–354. June 1996.
Is Plan 9 Sci-Fi or UNIX for the Future?
Anke Goos. UNIX World. Volume 7, p. 61.October 1, 1990.
Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls.
JohnP.Wack and LisaJ.Carnahan. National Institute of Standards and Technology. Thursday, Feb 9 18:17:09 EST 1995.
Making Your Setup More Secure.
NCSA Tutorial Pages.
Multilevel Security in the UNIX Tradition.
M.D.McIlroy and J.A.Reeds. SWPE. 22(8), pp. 1992.
NCSA Firewall Policy Guide.
Compiled by Stephen Cobb, Director of Special Projects. National Computer Security Association.
StevenM.Bellovin and WilliamR.Cheswick. IEEECM, 32(9), pp. 50–57. September 1994.
A Network Perimeter with Secure External Access.
FrederickM.Avolio and MarcusJ.Ranum. An extraordinary paper that details the implementation of a firewall purportedly at the White House. Trusted Information Systems, Incorporated. Glenwood, MD. January 25, 1994.
On Access Checking in Capability-Based Systems.
RichardY.Kain and C.E.Landwehr. IEEE Trans. on Software Engineering Volume SE-13, Number 2 (Feb. 1987) pp. 202–207; reprinted from the proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA. April, 1986.
Packets Found on an Internet.
Steven M. Bellovin. Interesting analysis of packets appearing at the application gateway of AT&T. Lambda. August 23, 1993.
Password Security: A Case History.
RobertMorris and KenThompson.
Sean Dorward,RobPike and DavePresotto. UNIX Review. Volume 10, p. 28. April 1, 1992.
Plan 9: Feature Film to Feature-Rich OS.
Paul Fillinich. Byte Magazine. Volume 21, p. 143. March 1, 1996.
Plan 9 from AT&T.
David Bailey. UNIX Review. Volume 1, p. 27. January 1, 1996.
Plan 9 from Bell Labs.
DavePresottoRob Pike, and Phil Winterbottom. Computing Systems Journal. Volume 8, p. 221. Summer 1995.
Plan 9: Son of UNIX.
Robert Richardson. LAN Magazine. Volume 11, p. 41. August 1, 1996.
Private Communication Technology Protocol.
Daniel Simon. April 1996.
A Prototype B3 Trusted X Window System.
B.DannerA. Marmor-Squires, and M.Branstad. The proceedings of the seventh Computer Security Applications Conference, December, 1991.
Rating of Application Layer Proxies.
MichaelRichardson. Wednesday, Nov 13, 13:54:09 EST 1996.
Reducing the Proliferation of Passwords in Distributed Systems Information Processing.
Education and Society. Volume II, pp. 525–531. Elsevier Science Publishers B.V. (North Holland). 1992.
Robust and Secure Password/Key Change Method Proceedings of the Third European Symposium on Research in Computer Security (ESORICS).
Ralf Hauser Phil Janson Refik Molva Gene Tsudikand ElsVanHerreweghen. LNCS, pp. 107–122, SV, November 1994.
Security in Open Systems.
(NIST) John Barkley, Editor (with Lisa Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael Ransom, John Wack, Karen Olsen, Paul Markovitz, and Shu-Jen Chang). U.S. Department of Commerce. Section: The X Window System: Bagwill, Robert.
Security in Public Mobile Communication Networks.
Hannes Federrath Anja Jerichow DoganKesdogan, and AndreasPfitzmann. Proceedings of the IFIP TC 6 International Workshop on Personal Wireless Communications,Prague 1995, pp. 105–116.
Matt Blaze and Steve Bellovin. Proceedings of the Usenix Security Workshop, June 1995.
Site Security Handbook
Barbara Fraser. Update and Idraft version, CMU. Draft-ietf-ssh-handbook-03.txt. June 1996.
SQL*Net and Firewalls.
David Sidwell and Oracle Corporation.
The SSL Protocol.
(IDraft) AlanO.Freier and PhilipKarlton (Netscape Communications) with PaulC.Kocher.
The SunScreen Product Line Overview.
The TAMU Security Package. An Ongoing Response to Internet Intruders in an Academic Environment.
David R. Safford DouglasLee Schales, and DavidK.Hess. Proceedings of the Fourth Usenix UNIX Security Symposium, p. 91–118, Santa Clara, CA. October 1993.
TCP WRAPPER: Network Monitoring, Access Control, and Booby Traps.
Wietse Venema. Proceedings of the Third Usenix UNIX Security Symposium p. 85–92, Baltimore, MD. September 1992.
There Be Dragons.
StevenM.Bellovin. To appear in proceedings of the Third Usenix UNIX Security Symposium, Baltimore, September 1992. AT&T Bell Laboratories, Murray Hill, NJ. August 15, 1992.
Undetectable Online Password Guessing Attacks.
Yun Ding and Patrick Horster. OSR. 29(4), pp. 77–86. October 1995.
Using Screens to Implement TCP/IP Security Policies.
JeffMogul.Rotherwick and Digital.
Vulnerability in Cisco Routers Used as Firewalls.
Computer Incident Advisory Capability Advisory: Number D-15. May 12, 1993 1500 PDT.
Warding Off the Cyberspace Invaders.
Amy Cortese. Business Week. March 13, 1995.
Windows NT Firewalls Are Born.
JeffreyG.Witt. PC Magazine. February 4, 1997.
+X Window System Security.
Ben Gross andBaba Buehler. Beckman Institute System Services. Last Apparent Date of Modification:January 11, 1996.
X Through the Firewall, and Other Application Relays.
Treese/Wolman.Digital Equipment Corp. Cambridge Research Lab. October 1993.
The X Window System.
RobertW.Scheifler and Jim Gettys. ACM Transactions on Graphics. Volume5, Number 2, pp. 79–109. April 1986.
Bibliography on Intrusion Detection.
The Collection of Computer Science
Detecting Unusual Program Behavior Using the Statistical Component of the Next-Generation Intrusion Detection Expert System (NIDES).
Debra Anderson,TeresaF. Lunt Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995. Available in hard copy only. The abstract is at the following address:
Fraud and Intrusion Detection in Financial Information Systems.
W.LeeD. Wei, and A.Prodromidis. 4th ACM Computer and Communications Security Conference, 1997.
GrIDS—A Graph-Based Intrusion Detection System for Large Networks.
s. Staniford-Chen, S.CheungR.Crawford M. DilgerJ. Frank J. HoaglandK. LevittC.WeeR.Yip, and D.Zerkle. The 19th National Information Systems Security Conference.
Holding Intruders Accountable on the Internet.
S.Staniford-Chen and L.T.Heberlein. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 8–10, 1995.
Intrusion Detection Bibliography.
Intrusion Detection for Network Infrastructures.
S. Cheung, K.N.Levittand C.Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA. May 1995.
Intrusion Detection Systems (IDS): A Survey of Existing Systems and a Proposed Distributed IDS Architecture.
S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N.Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University of California,
. February 1991.
Machine Learning and Intrusion Detection: Current and Future Directions.
J.Frank. Proceedings of the 17th National Computer Security Conference. October 1994.
A Methodology for Testing Intrusion Detection Systems.
N.F. Puketza, K. Zhang, M. Chung, B.MukherjeeM. Chung, and R.A.Olsson. IEEE Transactions on Software Engineering, Volume 22, Number 10, October 1996.
NetKuang—A Multi-Host Configuration Vulnerability Checker.
D.Zerkle and K.Levitt. Proceedings of the 6th Usenix Security Symposium. San Jose, California. 1996.
Network Intrusion Detection.
Biswanth Mukherjee, L.Todd Heberlein, and KarlN.Levitt. IEEE Network, May 1994.
A Pattern-Oriented Intrusion-Detection Model and Its Applications.
ShiuhpyngW.Shieh and VirgilD.Gligor. Research in Security and Privacy, IEEECSP, May 1991.
Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions.
M. Chung, N. Puketza, R.A.Olsson, and B.Mukherjee. Proceedings of the 1995 National Information Systems Security Conference. Baltimore, Maryland. 1995.
The Bugtraq List.
This list is for posting or discussing bugs in various operating systems, though UNIX is the most often discussed. The information here can be quite explicit. If you are looking to learn the fine aspects (and cutting-edge news) of UNIX security, this list is for you.
(in body of message)
Intrusion Detection Systems.
This list concentrates on discussions about
of intrusion or intrusion detection.
(in body of message)
The NT Security List.
This list is devoted to discussing all techniques of security related to the Microsoft Windows NT operating system. Individuals also discuss security aspects of other Microsoft operating systems.
(in body of message)
The NTBugtraq List.
This list is for posting or discussing bugs in Windows NT/2000.
The Secure HTTP List.
This list is devoted to the discussion of S-HTTP and techniques to facilitate this new form of security for WWW transactions.
(in body of message)
The Sneakers List.
This list discusses methods of circumventing firewall and general security. This list is reserved for lawful tests and techniques.
(in body of message)
The WWW Security List.
discuss all techniques to maintain (or subvert) WWW security (things involving secure methods of HTML, HTTP and CGI).
SUBSCRIBE www-security your_email_address
(in body of message)
A magazine that historically focused on phone phracking but has increasingly been following computer hacking.
The alt.2600/#hack F.A.Q.
The FAQ for the popular Usenet newsgroup, alt.2600. Some interesting information can be found here,
from wardialers to tips for covering your tracks after a break-in.
EFF Hacking, Cracking, Phreaking Archive.
This is the archive of the Electronic Frontier Foundation, a non-profit organization that advocates civil liberties in cyberspace.
LHI Technologies (L0pht Heavy Industries).
This group comprises some of most talented underground hackers. The archives at this site contain rare papers and reports, some of which were written by the site's proprietors.
A hacker e-zine that has been in existence for many
. There is a great deal of hard-
technical information in it, as well as a fascinating section called Phrack World News, which recounts cracker and hacker activities in recent months.