Appendix C

Appendix C. How to Get More Information

IN THIS APPENDIX

        Establishment Resources

        Underground Resources

This appendix is designed to provide you with some of the sources consulted in this book, as well as sites (or documents) that can assist you in better understanding security.

Establishment Resources

The following list of resources includes articles, papers, and tools. The majority were authored or created by individuals working in security.

Sites on the WWW

The Anonymous Remailer FAQ. This document covers all aspects of anonymous remailing techniques and tools. http://www.andrebacard.com/remail.html

The Anonymous Remailer List. This is a comprehensive but often-changing list of anonymous remailers. http://www.strassmann.com/pubs/anon-remail.html

BugNet. A site that claims to be "The World's Leading Supplier of Software Bug Fixes." http://www.bugnet.com

Bugtraq Archives. This is an archive of the popular mailing list, Bugtraq, one of the most reliable sources for up-to-date reports on newly found vulnerabilities in UNIX (and at times, other operating systems). http://www.securityfocus.com/

The Center for Secure Information Systems. This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much cutting-edge research going on here. The following URL sends you directly to the publications page, but you really should explore the entire site. http://www.isse.gmu.edu/~csis/publication.html

The CIAC Virus Database. This was the ultimate virus database on the Internet. It's an excellent resource for learning about viruses that can affect your platform. Though the information on this page is out of date, it provides links to all the virus databases of the different commercial vendors. http://ciac.llnl.gov/ciac/CIACVirusDatabase.html

The Computer Emergency Response Team (CERT). CERT is an organization that assists sites in responding to network security violations, break-ins, and so forth. This is a great source of information, particularly regarding vulnerabilities. http://www.cert.org

Connected: An Internet Encyclopedia. This is an incredible online resource for RFC documents and related information, painstakingly translated into HTML. http://www.freesoft.org/Connected/RFC/826/

Criminal Justice Studies of the Law Faculty of University of Leeds, The United Kingdom. This site boasts interesting information on cryptography and civil liberties. http://www.leeds.ac.uk/law/pgs/yaman/cryptog.htm

Dan Farmer: Security Survey of Key Internet Hosts and Various Semi-Relevant Reflections. This is a fascinating independent study conducted by one of the authors of the now famous SATAN program. The survey involved approximately 2,200 sites; the results are disturbing. http://www.trouble.org/survey/

Department of Defense Password Management Guideline. This is a treatment of password security in classified environments. http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt

Dr. Solomon's. This site is filled with virus information. Anyone concerned with viruses (or anyone who just wants to know more about virus technology) should visit Dr. Solomon's site. http://www.drsolomon.com

The Evaluated Products List (EPL). This is a list of products that have been evaluated for security ratings based on DoD guidelines. http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html

Federal Information Processing Standards Publication Documents (Government Guidelines). The National Institute of Standards and Technology reports on DES encryption and related technologies. http://csrc.nist.gov/fips/fips46-2.txt

Forum of Incident Response and Security Teams (FIRST). FIRST is a conglomeration of many organizations undertaking security measures on the Net. This powerful organization is a good starting place to find sources. http://www.first.org/

General Accounting Office: Information Security: Computer Attacks at Department of Defense Pose Increasing Risks. A report on failed security at U.S. defense sites. http://www.epic.org/security/GAO_OMB_security.html

Information Warfare and Information Security on the Web. This is a comprehensive list of links and other resources concerning information warfare over the Internet. http://www.fas.org/irp/wwwinfo.html

InterNIC (the Network Information Center). InterNIC provides comprehensive databases of networking information. These databases contain the larger portion of collected knowledge on the design and scope of the Internet. Of main importance here is the database of RFC documents. http://rs.internic.net

Massachusetts Institute of Technology Distribution Site of Pretty Good Privacy (PGP) for U.S. Residents. PGP provides some of the most powerful, military-grade encryption currently available. http://web.mit.edu/network/pgp.html

The National Computer Security Association. This site contains a great deal of valuable security information, including reports, papers, advisories, and analyses of various computer security products and techniques. http://www.ncsa.com/

TruSecure IS/RECON. This is a page which advertises an interesting for-pay service. It offers a service where one can search through thousands of downloaded messages passed among hackers and crackers on BBS boards and the Internet. This commercial site is an incredible security resource. http://www.trusecure.com/html/secsol/servprovider.shtml

NTBugTraq. An NT/2000-specific version of Bugtraq. http://ntbugtraq.ntadvice.com/

A Page Devoted to ATP, the Anti-Tampering Program. In some ways, ATP is similar to Tripwire or Hobgoblin. http://www.ja.net/CERT/Vincenzetti_and_Cotrozzi/ATP_Anti_Tampering_Program.txt

Purdue University COAST Archive. This is one of the more comprehensive security sites, containing many tools and documents of deep interest to the security community. http://www.cs.purdue.edu//coast/archive

The Rand Corporation. This site contains security resources of various sorts as well as engrossing early documents on the Internet's design. http://www.rand.org/publications/electronic/

Raptor Systems. The makers of one of the better firewall products on the Net have established a fine security library. http://www.raptor.com/lib/index.html

The Risks Forum. This is a moderated digest regarding security and other risks in computing. This great resource is also searchable. With it, you can tap the better security minds on the Net. http://catless.ncl.ac.uk/Risks

S/Key Informational Page. This site provides information on S/Key and the use of one-time passwords in authentication. http://www.ece.nwu.edu/CSEL/skey/skey_eecs.html

The Security Reference Index. This site, maintained by the folks at telstra.com, is a comprehensive pointer page to many security resources. http://www.telstra.com.au/info/security.html

The Seven Locks Server. This is an eclectic collection of security resources, including a number of papers that cannot be found elsewhere! http://www.sevenlocks.com/

Short Courses in Information Systems Security at George Mason University. This site contains information about security courses. Moreover, you'll find links to a comprehensive bibliography of security-related documents. http://www.isse.gmu.edu:80/~gmuisi/

SRI International. This site boasts some very highbrow technical information. The technical reports here are of extreme value. However, you must have at least a fleeting background in security to even grasp some of the concepts. http://www.sri.com/

U.S. Department of Energy's Computer Incident Advisory Capability (CIAC). CIAC provides computer security services to employees and contractors of the U.S. Department of Energy, but the site is open to the public as well. There are many tools and documents at this location. http://ciac.llnl.gov/

Wang Federal. This company produces high-quality security operating systems and other security solutions. It is the leader in TEMPEST technology. http://www.wangfed.com

Wietse Venema's Tools Page. This page, maintained by Wietse Venema (coauthor of SATAN and author of TCP_Wrapper and many other security tools), is filled with papers, tools, and general information. It is a must-visit for any UNIX system administrator. ftp://ftp.porcupine.org/pub/security/index.html

WordlistsFAQ. This FAQ gives you links to many wordlists on the Internet that are useful in testing the strength of, or cracking, UNIX passwords. http://www.hyphenologist.co.uk/wordlist/wordfaq.htm

Reports and Publications

United States. Congress. House. Committee on Science, Space, and Technology. Subcommittee on Science. Internet Security: Hearing Before the Subcommittee on Science of the Committee on Science, Space, and Technology. U.S. House of Representatives, One Hundred Third Congress, second session, March 22, 1994. Washington. U.S. G.P.O. For sale by the U.S. G.P.O., Supt. of Docs., Congressional Sales Office. 1994.

General

Authentication and Discretionary Access Control. Paul A. Karger, Computers & Security, Number 5, pp. 314–324. 1986.

Beyond the Pale of MAC and DAC—Defining New Forms of Access Control. Catherine J. McCollum, Judith R. Messing, and LouAnna Notargiacomo. SympSecPr, pp. 190–200, IEEECSP. May 1990.

Computer Security: Hackers Penetrate DoD Computer Systems. Testimony before the Subcommittee on Government Information and Regulation, Committee on Government Affairs. United States Senate, Washington D.C., November 1991.

Extended Discretionary Access Controls. S. T. Vinter. SympSecPr, pp. 39–49, IEEECSP, April 1988.

A Guide to Understanding Discretionary Access Control in Trusted Systems. Technical Report NCSC-TG-003, National Computer Security Center. 1987.

A Model of Atomicity for Multilevel Transactions. 1993 IEEE Computer Society Symposium on Research in Security and Privacy; 1993 May 24; Oakland, California. Barbara T. Blaustein, Sushil Jajodia, Catherine D. McCollum, and LouAnna Notargiacomo (MITRE). USA: IEEE Computer Society Press. 1993. 0-8186-3370-0.

Network Security: Protocol Reference Model and the Trusted Computer System Evaluation Criteria. M. D. Abrams and A. B. Jeng. IEEE Network, 1(2), pp. 24–33. April 1987.

Secure Networking at Sun Microsystems Inc. Katherine P. Addison and John J. Sancho. 11th NCSC; 1988. Baltimore. USA: NBS/NCSC: pp. 212–218.

STRAWMAN Trusted Network Interpretation Environments Guideline. Marshall Abrams, Martin W. Schwartz, and Samuel I. Schaen (MITRE). 11th NCSC; Baltimore. USA: NBS/NCSC: pp. 194–200. 1988 Oct 17.

Java

Microsoft: Vulnerabilities in Internet Explorer. CIAC Bulletin. May 18, 2000. http://www.ciac.org/ciac/bulletins/k-044.shtml

Internet Java & ActiveX Advisor. Journal. http://www.advisor.com/

Java & HotJava: Waking Up the Web. Sean González. PC Magazine. October 1995. http://www.zdnet.com/~pcmag/issues/1418/pcm00085.htm

Java as an Intermediate Language. Technical Report, School of Computer Science, Carnegie Mellon University, Number CMU-CS-96-161. August 1996. http://www.cs.cmu.edu/afs/cs.cmu.edu/project/scandal/public/papers/CMU-CS-96-161.ps.Z

Java Developer's Journal. http://www.javadevelopersjournal.com/java/

Java Security: From HotJava to Netscape and Beyond. Drew Dean, Edward W. Felten, and Dan S. Wallach. 1996 IEEE Symposium on Security and Privacy, Oakland, CA. May 1996.

Java: The Inside Story. Michael O'Connell. Sunworld Online, Volume 07, July 1995. http://www.sun.com/sunworldonline/swol-07-1995/swol-07-java.html

Javaworld. Journal. http://www.javaworld.com/

NetProf: Network-Based High-Level Profiling of Java Bytecode. Srinivasan Parthasarathy, Michael Cierniak, and Wei Li. TR 622, URCSD. May 1996. ftp://ftp.cs.rochester.edu/pub/papers/systems/96.tr622.NetProf_network-based_high-level_profiling_of_java_bytecode.ps.gz

The Ultimate Java Archive. http://www.developer.com/directories/pages/dir.java.html

Databases and Security

Access Control: Principles and Practice. R. S. Sandhu and P. Samarati. IEEE Communications, pp. 2–10. 1994.

Authorizations in Relational Database Management Systems. E. Bertino, S. Jajodia, and P. Samarati. ACM Conference on Computer and Communications Security, Fairfax, VA (1993). pp. 130–139.

Ensuring Atomicity of Multilevel Transactions. P. Ammann, S. Jajodia, and I. Ray. IEEE Symposium on Research in Security and Privacy. Oakland, CA. pp. 74–84. May 1996. http://www.isse.gmu.edu/~csis/publications/oklnd96-indrksi.ps

An Extended Authorization Model for Relational Databases. E. Bertino, P. Samarati, and S. Jajodia. IEEE Transactions on Knowledge and Data Engineering, Volume 9, Number 1, pages 85–101. 1997. http://www.isse.gmu.edu/~csis/publications/ieee-97.ps

Formal Query Languages for Secure Relational Databases. M. Winslett, K. Smith, and X. Qian. ACM TODS, 19(4):626–662. 1994.

Honest Databases That Can Keep Secrets. R. S. Sandhu and S. Jajodia, NCSC. http://www.list.gmu.edu/confrnc/ncsc/ps_ver/b91poly.ps

Locking Protocol for Multilevel Secure Databases Providing Support for Long Transactions. S. Pal, Pennsylvania State University. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.

Messages, Communications, Information Security: Protecting the User from the Data. J. E. Dobson and M. J. Martin, University of Newcastle. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.

Microsoft Access 2.0 Security. Tom Lucas. PC Solutions. http://www.citilink.com/~jgarrick/vbasic/database/secure20.html

The Microsoft Internet Security Framework (MISF) Technology for Secure Communication, Access Control, and Commerce. 1997 Microsoft Corporation. http://msdn.microsoft.com/LIBRARY/BACKGRND/HTML/MSDN_MISF.HTM

Multilevel Security for Knowledge Based Systems. Thomas D. Garvey and Teresa F. Lunt. Stanford Research Institute, SRI-CSL-91-01. February 1991.

On Distributed Communications: IX. Security, Secrecy and Tamper-Free Considerations. P. Baran. Technical Report, The Rand Corp. Number RM-376. August 1964.

A Personal View of DBMS Security in Database Security: Status and Prospects. F. Manola. C. E. Landwehr (ed.), Elsevier Science Publishers B.V., North Holland, 1988. GTE Labs. December 1987.

A Policy Framework for Multilevel Relational Databases. Xiaolei Qian and Teresa F. Lunt. SRI-CSL-94-12. August 1994.

Role-Based Access Controls. D. F. Ferraiolo and R. Kuhn. NIST-NCSC National Computer Security Conference, Baltimore, MD (1993). pp. 554–563.

A Secure Concurrency Control Protocol for Real-Time Databases. R. Mukkamala, Old Dominion University, and S. H. Son, University of Virginia. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York. August 13–16, 1995.

A Security Model for Military Message System. C. E. Landwehr, C. L. Heitmeyer, and J. McLean. ACM Transactions on Computer Systems, 2(3), August 1984.

Symposium on the Global Information Infrastructure: Information, Policy, and International Infrastructure. Paul A. Strassmann, U.S. Military Academy West Point and Senior Advisor, SAIC; William Marlow, Senior Vice President, SAIC. January 28–30, 1996.

Trusted Database Management System. NCSC-TG-021. Trusted Database Management System Interpretation. Chief, Technical Guidelines Division. ATTN: C11 National Computer Security Center Ft. George G. Meade, MD 20755-6000. April 1991.

Why Safeguard Information? Computer Audit Update, Elsevier Advanced Technology. Abo Akademi University, Institute for Advanced Management Systems Research, Turku Centre for Computer Science. Thomas Finne. 1996. http://www.tucs.abo.fi/publications/techreports/TR38.html

Articles

Accountability Is Key to Democracy in the Online World. Walter S. Mossberg. The Wall Street Journal. Thursday, January 26, 1995.

ActiveX Used as Hacking Tool. N. Wingfield. CNET News. February 7, 1997. http://www.news.com/News/Item/0,4,7761,4000.html?latest

Alleged Computer Stalker Ordered Off Internet. Stevan Rosenlind. McClatchy News Service. July 26, 1995.

Are Your Employees Your Biggest Security Risk? Mark Joseph Edwards. Windows IT Security. December 20, 2000. http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16445

Billions and Billions of Bugs. Peter Galvin. SunworldOnline. http://www.sun.com/sunworldonline/swol-03-1996/swol-03-security.html

Breaches from Inside Are Common. Infosecurity News. January/February 1997.

CYBERWAR IS COMING! John Arquilla and David Ronfeldt. International Policy Department, Rand Corporation. Taylor & Francis. 0149-5933-93. 1993.

DDoS attack targets chat, Linux boxes. Scott Berinato. EWeek. September 5, 2000.

The First Internet War; The State of Nature and the First Internet War: Scientology, Its Critics, Anarchy, and Law in Cyberspace. David G. Post. Reason Magazine. April, 1996. http://www.cli.org/DPost/X0003_ARTICLE4.html

Gang War in Cyberspace. M. Slatalla and J. Quittner. Wired, Volume 2, Number 12. December, 1994. http://www.hotwired.com/wired/2.12/hacker.html

KC Wrestles with Equipment Theft Problem. Timothy Heider. Kansas City Star. February 17, 1997. http://www.isecure.com/newslet.htm

Network Security Throughout the Ages. Jeff Breidenbach. Switzerland (Project MAC) Association. MIT Project on Mathematics and Computation. 1994.

New York's Panix Service Is Crippled by Hacker Attack. Robert E. Calem. The New York Times. September 14, 1996.

The Paradox of the Secrecy About Secrecy: The Assumption of a Clear Dichotomy Between Classified and Unclassified Subject Matter. Paul Baran. MEMORANDUM RM-3765-PR; On Distributed Communications: IX Security, Secrecy, and Tamper-Free Considerations. Rand Corporation. August 1964.

Pentagon Web Sites Closed After Visit from Hacker. Nando.net News Service. December 30, 1996. http://www.nando.net/newsroom/ntn/info/123096/info1_29951.html

Post Office Announces Secure E-Mail. Boot. March 1997.

Secure Your Data: Web Site Attacks on the Rise! Stewart S. Miller. Information Week. January 29, 1996.

Security Is Lost in Cyberspace. News & Observer. February 21, 1995. http://www.nando.net/newsroom/ntn/info/other/02219540865.html

Statement Before Senate Subcommittee on Governmental Operations. John Deutch, Director, CIA. June 25, 1996.

Student's Expulsion Over E-Mail Use Raises Concern. Amy Harmon. Los Angeles Times. November 15, 1995. http://www.caltech.edu/~media/times.html

U.S. Files Appeal in Dismissed Baker Case. Zachary M. Raimi. The Michigan Daily. November 22, 1995.

What's the Plan? Get a Grip on Improving Security Through a Security Plan. Peter Galvin. SunWorld Online. September 1995. http://www.sun.com/sunworldonline/swol-09-1995/swol-09-security.html

Tools

Some of these tools were coded by the establishment (the legitimate security community). Others were authored by amateur hackers and crackers.

(Windows)

Cetus StormWindows. http://www.cetussoft.com/

ConfigSafe 95. http://207.8.148.186/html/products.html

DECROS Security Card. http://www.decros.cz/

Desktop Surveillance 97. http://www.omniquad.com/

HD95Protect. http://www.geocities.com/SiliconValley/Lakes/8753/

Secure4U. http://www.sandboxsecurity.com/main.htm

StopLock 95. http://www.conclusive.com/downloads/index.php

Windows Task-Lock. http://posum.com/

Windows NT

Administrator Assistant Tool Kit. http://www.aelita.com/Products/AdminAssist.htm

DumpEvt. http://www.somarsoft.com/

DumpReg. http://www.somarsoft.com/

Kane Security Analyst. http://www.intrusion.com/

NetXRay Analyzer. http://www.axial.co.uk/products/manufacturers/nai/sniffer/snifferbasic_intro.html

NT Crack. http://www.secnet.com/

NT Locksmith. http://www.winternals.com/

NTFSDOS. http://www.winternals.com/

NTHandle. http://www.ntinternals.com/

NTRecover. http://www.winternals.com/

NTUndelete. http://www.winternals.com/

PC Firewall. http://www.nai.com/

PWDUMP. ftp://samba.anu.edu.au/pub/samba/pwdump/pwdump.c

RedButton. http://www.ntsecurity.com/

RegAdmin. http://www.ntsecurity.com/

ScanNT Plus. http://www.ntsecurity.com/

Somarsoft DumpAcl. http://www.somarsoft.com/

Somarsoft RegEdit. http://www.somarsoft.com/

Virtuosity. http://www.ntsecurity.com/

Windows 2000 Security Tools

NOSadmin. http://www.webmarshall.com

Security Expressions. http://www.securityexpressions.com

Windows 2000 Internet Server Security Configuration Tool. http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889

Windows 2000 Resource Kit. http://support.microsoft.com/support/kb/articles/q264/1/78.asp

Macintosh Security Tools

Empower. http://www.magna1.com/

EtherPeek. http://www.aggroup.com/

InterMapper. http://www.dartmouth.edu/netsoftware/intermapper/

KeysOff. http://www.blueglobe.com/~cliffmcc/products.html

MacRadius. http://www.cyno.com/

Network Security Guard. http://www.mrmac.com/

Network Scout. http://www.mrmac.com/

Password Key. http://www.cp3.com/

Secure-It Locks. http://secure-it.com/

Timbuktu Pro. http://www.netopia.com/

Password Crackers

Claymore. A generalized password cracker for Windows. http://www.jabukie.com/Password_Crackerz/claymore.zip

Crack. Cracks UNIX passwords on UNIX platforms. http://www.users.dircon.co.uk/~crypto/download/c50-faq.html

Crack Documentation. http://www.parkline.ru/Library/html-KOI/SECURITY/crackfaq.txt

CrackerJack. Cracks UNIX passwords on the Microsoft platform. http://www.fc.net/phrack/under/misc.html

Guess. Cracks UNIX passwords on the DOS platform. This utility is available everywhere. Try the search string guess.zip.

Hades. This UNIX password cracker is available everywhere. Try the search string hades.zip.

Hellfire Cracker. Cracks UNIX passwords on the DOS platform. http://www.jabukie.com/Password_Crackerz/hc130.zip

John the Ripper. Cracks UNIX passwords on the DOS and Linux platforms. http://tms.netrom.com/~cassidy/crack.htm

Killer Cracker. Cracks UNIX passwords under DOS. http://dafunks.9ug.com/killercracker.html

Qcrack. Cracks UNIX passwords on DOS, Linux, and Windows platforms. ftp://ftp.infospace.com/pub/qcrack/

Password NT. Cracks NT passwords. http://www.ntsecurity.com/Services/Recovery/index.html

PC UNIX Password Cracker. The name of this utility says it all. This tool is hard to find; I know of no reliable locations, but you might try the name as a search string.

Pcrack (PerlCrack). Cracks UNIX passwords on the UNIX platform. http://tms.netrom.com/~cassidy/crack.htm

XIT. Cracks UNIX passwords on the DOS platform. http://www.jabukie.com/Password_Crackerz/xit20.zip

ZipCrack. Cracks the passwords on Zip archives. Try the search string zipcrk10.zip.

Sniffers

Esniff.c. Sniffer for use on Linux machines. http://www.esniff.com/

ETHLOAD. Sniffs Ethernet and token ring networks. http://www.ping.be/ethload/

Gobbler. Sniffs in the DOS environment. This tool is good for sniffing Novell NetWare networks. http://www.computercraft.com/noprogs/gobbler.zip

linux_sniffer.c. Runs on the Linux platform. http://www.rootshell.com/archive-j457nxiqi3gq59dv/199707/linux_sniffer.c.html

Netman. Awesome sniffer suite for use on UNIX and Windows 95. http://www.ja.net/CERT/Software/netman/

Scanners and Related Utilities

CONNECT. Are you looking for a vulnerable TFTP server? Try this utility. It runs on UNIX. http://www.giga.or.at/pub/hacker/unix/

FSPScan. This UNIX utility identifies vulnerable FSP servers. http://www.giga.or.at/pub/hacker/unix

IdentTCPscan. Runs on UNIX; identifies the UID of all running processes. http://www.giga.or.at/pub/hacker/unix

Jakal. Runs on UNIX. Scans behind firewalls. http://www.giga.or.at/pub/hacker/unix

NetScan Tools. Win95 port of many UNIX snooping utilities. http://www.eskimo.com/~nwps/index.html

Network Toolbox. Runs on Windows 95. Has many common UNIX snooping utilities and a port scanner. http://www.jriver.com/netbox.html

NSS. Network Security Scanner. Written in Perl, runs on UNIX. http://www.giga.or.at/pub/hacker/unix

SATAN. Runs on UNIX; you must have Perl. http://www.fish.com

Strobe. Runs on UNIX. http://www.asmodeus.com/archive/IP_toolz/strobe/strobe.c

TCP/IP Surveyor. Microsoft platform. http://www.winsite.com/info/pc/win95/netutil/wssrv32n.zip/

WhatRoute. Port of the popular UNIX utility Traceroute to Macintosh. http://homepages.ihug.co.nz/~bryanc/

XSCAN. Locates vulnerable X servers. http://www.giga.or.at/pub/hacker/unix

Destructive Devices

Avalanche. This device is yet another mail-bombing utility. Avalanche is for Windows. Try the search string avalanche20.zip.

Bombtrack. This is a mail-bombing utility for Macintosh.

eXtreme Mail. This utility is a mail bomber for the Windows platform. To obtain it, try the search string xmailb1.exe.

FlameThrower. This is a Macintosh mail-bombing utility.

Homicide. This utility is a mail bomber for the Windows platform. To obtain it, try the search string homicide.exe.

Kaboom. This device is an email bomber. To obtain it, try searching for the string kaboom3.exe.

The UnaBomber. This utility is a mail bomber for the Windows platform. To obtain it, try the search string unabomb.exe.

The UNIX MailBomb. This mail-bomb utility by CyBerGoAT works on all UNIX platforms. To obtain it, try the search string MailBomb by CyBerGoAT.

The UpYours Mail Bombing Program. To obtain this mail bomber, try searching for the string upyours3.zip.

Finger Clients

FFEU (OS/2). http://hobbes.nmsu.edu/pub/os2/apps/internet/misc/ffeu101.zip

WSFinger (Windows). http://www.internexus.net/pub/tools/win/wsfngr14.zip

Intrusion Detectors

Cisco Secure Intrusion Detection System. http://www.cisco.com/

Network Flight Recorder. http://www.nfr.net/

RealSecure. http://www.iss.com/

Shadow. http://www.nswc.navy.mil/ISSEC/CID

Snort. http://www.snort.org/

Technical Reports, Government Standards, and Papers

The Rainbow Books and Related Documentation

The Rainbow Books set forth the U.S. government's criteria for the use and certification of trusted systems.

Computer Security Requirements: Guidance for Applying the DoD TCSEC in Specific Environments (Light Yellow Book). June 1985. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-003-85.html

DoD Password Management Guideline (Green Book). April 1985. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-002-85.html

DoD Trusted Computer System Evaluation Criteria (Orange Book). December 1985. http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

Glossary of Computer Security Terms (Teal Green Book). October 21, 1988. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-004.txt

A Guide to Understanding Audit in Trusted Systems (Tan Book). June 1988. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-001-2.html

A Guide to Understanding Configuration Management in Trusted Systems (Amber Book). March 1988. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-006.html

A Guide to Understanding Design Documentation in Trusted Systems (Burgundy Book). October 1988. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-007.html

A Guide to Understanding Discretionary Access Control in Trusted Systems (Neon Orange Book). September 1987. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-003.html

A Guide to Understanding Identification and Authentication in Trusted Systems (Light Blue Book). September 1991. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-017.html

A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems (Turquoise Book). May 1992. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-027.txt

A Guide to Understanding Object Reuse in Trusted Systems (Light Blue Book). July 1992. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-018.html

A Guide to Understanding Security Modeling in Trusted Systems (Aqua Book). October 1992. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-010.txt

A Guide to Understanding Trusted Distribution in Trusted Systems (Dark Lavender Book). December 1988. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-008.html

A Guide to Understanding Trusted Facility Management (Brown Book). October 1989. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-015.html

Guidelines for Formal Verification Systems (Purple Book). April 1989. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-014.html

Guidelines for Writing Trusted Facility Manuals (Yellow-Green Book). October 1992. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-016.html

RAMP Program Document (Pink Book). March 1995, Version 2. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-013.2.html

Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements—Guidance for Applying the DoD TCSEC in Specific Environments (Yellow Book). June 1985. http://www.radium.ncsc.mil/tpep/library/rainbow/CSC-STD-004-85.html

Trusted Database Management System Interpretation of the TCSEC (Purple Book). April 1991. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-021.html

Trusted Network Interpretation of the TCSEC (Red Book). July 1987. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-005.html

Trusted Product Evaluations: A Guide for Vendors (Bright Blue Book). June 1990. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-002.html

Trusted Product Evaluation Questionnaire (Blue Book). May 1992, Version 2. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-019.2.html

Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System (Silver Book). July 1989. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-020-A.html

Selected Publications from the NCSC

Auditing Issues in Secure Database Management Systems. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TR-005-4.pdf

Computer Viruses: Prevention, Detection, and Treatment. March 1990. http://www.radium.ncsc.mil/tpep/library/rainbow/C1-TR-001.html

The Design and Evaluation of INFOSEC Systems: The Computer Security Contribution to the Composition Discussion. June 1992. http://www.radium.ncsc.mil/tpep/library/rainbow/C-TR-32-92.html

Discretionary Access Control Issues in High Assurance Secure Database Management Systems. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TR-005-5.pdf

Integrity in Automated Information Systems. September 1991. http://www.radium.ncsc.mil/tpep/library/rainbow/C-TR-79-91.txt

Turning Multiple Evaluated Products into Trusted Systems. http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TR-003.pdf

Other Governmental Security Documents and Advisories

Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise. 1st ACM Conference on Computer and Communications Security pp. 244–250. ACM Press. November 1993.

Australian Computer Emergency Response Team. http://www.auscert.org.au/Information/advisories.html

A Basis for Secure Communication in Large Distributed Systems. David P. Anderson and P. Venkat Rangan. UCB//CSD-87-328, January 1987. ftp://tr-ftp.cs.berkeley.edu/pub/tech-reports/csd/csd-87-328/

Benchmarking Methodology for Network Interconnect Devices. RFC 1944. S. Bradner and J. McQuaid. http://www.ietf.org/rfc/rfc1944.txt

Charon: Kerberos Extensions for Authentication over Secondary Networks. Derek A. Atkins. 1993. ftp://coast.cs.purdue.edu/pub/doc/authentication/Derek_Atkins-Charon.ps.Zcoast

Check Point FireWall-1 Introduction. Checkpoint Technologies Firewall Information. http://www.checkpoint.com/products/firewall-1/descriptions/products.html

Cisco PIX Firewall. Cisco Systems firewall information. http://www.cisco.com/univercd/data/doc/cintrnet/prod_cat/pcpix.htm

Covert Channels in the TCP/IP Protocol Suite. Craig Rowland. Rotherwick & Psionics Software Systems, Inc. http://www.firstmonday.dk/issues/issue2_5/rowland/

Crack Version 4.1: A Sensible Password Checker for UNIX. A. Muffett. Technical Report, March 1992.

A Cryptographic File System for UNIX. Matt Blaze. 1st ACM Conference on Computer and Communications Security. pp. 9–16. ACM Press. November 1993.

Daemons and Dragons UNIX Accounting. Dinah McNutt. UNIX Review. 12(8). August 1994.

Designing Plan 9. Dave Presotto, Rob Pike, and Ken Thompson. Dr. Dobb's Journal. Volume 16, p. 49. January 1, 1991.

The Eagle Firewall Family. Raptor firewall information. http://www.raptor.com/products/brochure/40broch.html

The Empirical Evaluation of a Security-Oriented Datagram Protocol. David P. Anderson, Domenico Ferrari, P. Venkat Rangan, and B. Sartirana. University of California Berkeley, CS csd-87-350. UCB//CSD-87-350, April 1987. ftp://tr-ftp.cs.berkeley.edu/pub/tech-reports/csd/csd-87-350/

Evolution of a Trusted B3 Window System Prototype. J. Epstein, J. McHugh, R. Pascale, C. Martin, D. Rothnie, H. Orman, A. Marmor-Squires, M. Branstad, and B. Danner. In proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992.

Firewall Application Notes. A good document that starts by describing how to build a firewall. Also addresses application proxies, Sendmail in relation to Livingston Enterprises, Inc. ftp://coast.cs.purdue.edu/pub/doc/firewalls/Livingston_Firewall_Notes.ps.Z

Improving the Security of Your Site by Breaking Into It. Dan Farmer and Wietse Venema. 1995. http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html

Improving X Windows Security. Linda Mui. UNIX World. Volume IX, Number 12. December 1992.

Intrusion Protection for Networks 171. Byte Magazine. April, 1995.

IP v6 Release and Firewalls. Uwe Ellermann. 14th Worldwide Congress on Computer and Communications Security Protection. pp. 341–354. June 1996.

Is Plan 9 Sci-Fi or UNIX for the Future? Anke Goos. UNIX World. Volume 7, p. 61. October 1, 1990.

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls. John P. Wack and Lisa J. Carnahan. National Institute of Standards and Technology. Thursday, Feb 9 18:17:09 EST 1995. http://csrc.ncsl.nist.gov./nistpubs/800-10/

Making Your Setup More Secure. NCSA Tutorial Pages. http://hoohoo.ncsa.uiuc.edu/docs/tutorials/security.html

Multilevel Security in the UNIX Tradition. M.D. McIlroy and J.A. Reeds. SWPE. 22(8), pp. 1992.

NCSA Firewall Policy Guide. Compiled by Stephen Cobb, Director of Special Projects. National Computer Security Association. http://www.ncsa.com/fpfs/fwpg_p1.html

Network Firewalls. Steven M. Bellovin and William R. Cheswick. IEEECM, 32(9), pp. 50–57. September 1994.

A Network Perimeter with Secure External Access. Frederick M. Avolio and Marcus J. Ranum. An extraordinary paper that details the implementation of a firewall purportedly at the White House. Trusted Information Systems, Incorporated. Glenwood, MD. January 25, 1994. http://www.alw.nih.gov/Security/FIRST/papers/firewall/isoc94.ps

On Access Checking in Capability-Based Systems. Richard Y. Kain and C.E. Landwehr. IEEE Trans. on Software Engineering Volume SE-13, Number 2 (Feb. 1987) pp. 202–207; reprinted from the proceedings of the 1986 IEEE Symposium on Security and Privacy, Oakland, CA. April, 1986. http://www.itd.nrl.navy.mil/ITD/5540/publications/CHACS/Before1990/1987landwehr-tse.ps

Online Firewall Buyers Guide. http://www.icsa.net/html/communities/firewalls/buyers_guide/index.shtml

Packets Found on an Internet. Steven M. Bellovin. Interesting analysis of packets appearing at the application gateway of AT&T. Lambda. August 23, 1993. ftp://ftp.research.att.com/dist/smb/packets.ps

Password Security: A Case History. Robert Morris and Ken Thompson. http://www.alw.nih.gov/Security/FIRST/papers/password/pwstudy.ps

Plan 9. Sean Dorward, Rob Pike, and Dave Presotto. UNIX Review. Volume 10, p. 28. April 1, 1992.

Plan 9: Feature Film to Feature-Rich OS. Paul Fillinich. Byte Magazine. Volume 21, p. 143. March 1, 1996.

Plan 9 from AT&T. David Bailey. UNIX Review. Volume 1, p. 27. January 1, 1996.

Plan 9 from Bell Labs. Dave Presotto, Rob Pike, and Phil Winterbottom. Computing Systems Journal. Volume 8, p. 221. Summer 1995.

Plan 9: Son of UNIX. Robert Richardson. LAN Magazine. Volume 11, p. 41. August 1, 1996.

Private Communication Technology Protocol. Daniel Simon. April 1996.

A Prototype B3 Trusted X Window System. B. Danner, A. Marmor-Squires, and M. Branstad. The proceedings of the seventh Computer Security Applications Conference, December, 1991.

Rating of Application Layer Proxies. Michael Richardson. Wednesday, Nov 13, 13:54:09 EST 1996. http://www.sandelman.ottawa.on.ca/SSW/proxyrating/proxyrating.html

Reducing the Proliferation of Passwords in Distributed Systems. Information Processing. Education and Society. Volume II, pp. 525–531. Elsevier Science Publishers B.V. (North Holland). 1992.

Robust and Secure Password/Key Change Method. Proceedings of the Third European Symposium on Research in Computer Security (ESORICS). Ralf Hauser, Phil Janson, Refik Molva, Gene Tsudik, and Els Van Herreweghen. LNCS, pp. 107–122, SV, November 1994.

Security in Open Systems. (NIST) John Barkley, Editor (with Lisa Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael Ransom, John Wack, Karen Olsen, Paul Markovitz, and Shu-Jen Chang). U.S. Department of Commerce. Section: The X Window System: Bagwill, Robert. http://csrc.ncsl.nist.gov/nistpubs/800-7/node62.html#SECTION06200000000000000000

Security in Public Mobile Communication Networks. Hannes Federrath, Anja Jerichow, Dogan Kesdogan, and Andreas Pfitzmann. Proceedings of the IFIP TC 6 International Workshop on Personal Wireless Communications, Prague 1995, pp. 105–116.

Session-Layer Encryption. Matt Blaze and Steve Bellovin. Proceedings of the Usenix Security Workshop, June 1995.

Site Security Handbook. Barbara Fraser. Update and Idraft version, CMU. Draft-ietf-ssh-handbook-03.txt. June 1996. http://sunsite.cnlab-switch.ch/ftp/doc/standard/rfc/21xx/2196

SQL*Net and Firewalls. David Sidwell and Oracle Corporation. http://www.zeuros.co.uk/firewall/library/oracle-and-fw.pdf

The SSL Protocol. (IDraft) Alan O. Freier and Philip Karlton (Netscape Communications) with Paul C. Kocher. http://home.netscape.com/eng/ssl3/ssl-toc.html

The SunScreen Product Line Overview. Sun Microsystems. http://www.sun.com/security/overview.html

The TAMU Security Package. An Ongoing Response to Internet Intruders in an Academic Environment. David R. Safford, Douglas Lee Schales, and David K. Hess. Proceedings of the Fourth Usenix UNIX Security Symposium, p. 91–118, Santa Clara, CA. October 1993. http://drawbridge.tamu.edu/tamu-security.pdf

TCP WRAPPER: Network Monitoring, Access Control, and Booby Traps. Wietse Venema. Proceedings of the Third Usenix UNIX Security Symposium, p. 85–92, Baltimore, MD. September 1992. ftp://ftp.porcupine.org/pub/security/tcp_wrapper.ps.Z

There Be Dragons. Steven M. Bellovin. To appear in proceedings of the Third Usenix UNIX Security Symposium, Baltimore, September 1992. AT&T Bell Laboratories, Murray Hill, NJ. August 15, 1992.

Undetectable Online Password Guessing Attacks. Yun Ding and Patrick Horster. OSR. 29(4), pp. 77–86. October 1995.

Using Screens to Implement TCP/IP Security Policies. Jeff Mogul. Rotherwick and Digital. http://www.zeuros.co.uk/firewall/library/screend.ps

Vulnerability in Cisco Routers Used as Firewalls. Computer Incident Advisory Capability Advisory: Number D-15. May 12, 1993 1500 PDT. http://ciac.llnl.gov/ciac/bulletins/d-15.shtml

Warding Off the Cyberspace Invaders. Amy Cortese. Business Week. March 13, 1995.

Windows NT Firewalls Are Born. Jeffrey G. Witt. PC Magazine. February 4, 1997. http://www.pcmagazine.com/features/firewall/_open.htm and http://www.raptor.com/lib/9419.ps

X Window System Security. Ben Gross and Baba Buehler. Beckman Institute System Services. Last Apparent Date of Modification: January 11, 1996. http://edessa.topo.auth.gr/~thalis/xsecurity.html

X Through the Firewall, and Other Application Relays. Treese/Wolman. Digital Equipment Corp. Cambridge Research Lab. October 1993. ftp://crl.dec.com/pub/DEC/CRL/tech-reports/93.10.ps.Z

X Security. http://consult.cern.ch/writeup/security/security_4.html

The X Window System. Robert W. Scheifler and Jim Gettys. ACM Transactions on Graphics. Volume 5, Number 2, pp. 79–109. April 1986. http://www.acm.org/pubs/toc/Abstracts/0730-0301/24053.html

Intrusion Detection

Bibliography on Intrusion Detection. The Collection of Computer Science Bibliographies. http://src.doc.ic.ac.uk/computing/bibliographies/Karlsruhe/Misc/intrusion.detection.html

Detecting Unusual Program Behavior Using the Statistical Component of the Next-Generation Intrusion Detection Expert System (NIDES). Debra Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995. Available in hard copy only. The abstract is at the following address: http://www.csl.sri.com/tr-abstracts.html#csl9506

Fraud and Intrusion Detection in Financial Information Systems. W. Lee, D. Wei, and A. Prodromidis. 4th ACM Computer and Communications Security Conference, 1997. http://www.cs.columbia.edu/~sal/hpapers/acmpaper.ps.gz

GrIDS—A Graph-Based Intrusion Detection System for Large Networks. S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle. The 19th National Information Systems Security Conference. http://seclab.cs.ucdavis.edu/papers/nissc96.ps

Holding Intruders Accountable on the Internet. S. Staniford-Chen and L.T. Heberlein. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 8–10, 1995. http://seclab.cs.ucdavis.edu/~stanifor/papers/ieee_conf_94/revision/submitted.ps

Intrusion Detection Bibliography. http://www.cs.purdue.edu/coast/intrusion-detection/ids_bib.html

Intrusion Detection for Network Infrastructures. S. Cheung, K.N. Levitt, and C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA. May 1995. http://seclab.cs.ucdavis.edu/papers/clk95.ps

Intrusion Detection Systems (IDS): A Survey of Existing Systems and a Proposed Distributed IDS Architecture. S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University of California, Davis. February 1991.

Machine Learning and Intrusion Detection: Current and Future Directions. J. Frank. Proceedings of the 17th National Computer Security Conference. October 1994.

A Methodology for Testing Intrusion Detection Systems. N.F. Puketza, K. Zhang, M. Chung, B. Mukherjee, M. Chung, and R.A. Olsson. IEEE Transactions on Software Engineering, Volume 22, Number 10, October 1996. http://seclab.cs.ucdavis.edu/papers/tse96.ps

NetKuang—A Multi-Host Configuration Vulnerability Checker. D. Zerkle and K. Levitt. Proceedings of the 6th Usenix Security Symposium. San Jose, California. 1996. http://seclab.cs.ucdavis.edu/papers/zl96.ps

Network Intrusion Detection. Biswanath Mukherjee, L. Todd Heberlein, and Karl N. Levitt. IEEE Network, May 1994. http://seclab.cs.ucdavis.edu/papers/bd96.ps

A Pattern-Oriented Intrusion-Detection Model and Its Applications. Shiuhpyng W. Shieh and Virgil D. Gligor. Research in Security and Privacy, IEEECSP, May 1991.

Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions. M. Chung, N. Puketza, R.A. Olsson, and B. Mukherjee. Proceedings of the 1995 National Information Systems Security Conference. Baltimore, Maryland. 1995. http://seclab.cs.ucdavis.edu/papers/cpo95.ps

Mailing Lists

The Bugtraq List. This list is for posting or discussing bugs in various operating systems, though UNIX is the most often discussed. The information here can be quite explicit. If you are looking to learn the fine aspects (and cutting-edge news) of UNIX security, this list is for you.

Target: LISTSERV@NETSPACE.ORG

Command: SUBSCRIBE BUGTRAQ (in body of message)

Intrusion Detection Systems. This list concentrates on discussions about methods of intrusion or intrusion detection.

Target: majordomo@uow.edu.au

Command: subscribe ids (in body of message)

The NT Security List. This list is devoted to discussing all techniques of security related to the Microsoft Windows NT operating system. Individuals also discuss security aspects of other Microsoft operating systems.

Target: request-ntsecurity@iss.net

Command: subscribe ntsecurity (in body of message)

The NTBugtraq List. This list is for posting or discussing bugs in Windows NT/2000.

Target: LISTSERV@LISTSERV.NTBUGTRAQ.COM

Command: SUBSCRIBE NTBUGTRAQ firstname lastname

The Secure HTTP List. This list is devoted to the discussion of S-HTTP and techniques to facilitate this new form of security for WWW transactions.

Target: shttp-talk-request@OpenMarket.com

Command: SUBSCRIBE (in body of message)

The Sneakers List. This list discusses methods of circumventing firewall and general security. This list is reserved for lawful tests and techniques.

Target: majordomo@CS.YALE.EDU

Command: SUBSCRIBE Sneakers (in body of message)

The WWW Security List. List members discuss all techniques to maintain (or subvert) WWW security (things involving secure methods of HTML, HTTP and CGI).

Target: www-security-request@nsmx.rutgers.edu

Command: SUBSCRIBE www-security your_email_address (in body of message)

Underground Resources

2600 Magazine. A magazine that historically focused on phone phreaking but has increasingly been following computer hacking. http://www.2600.com/

The alt.2600/#hack F.A.Q. The FAQ for the popular Usenet newsgroup, alt.2600. Some interesting information can be found here, ranging from wardialers to tips for covering your tracks after a break-in. http://www-personal.engin.umich.edu/~jgotts/hack-faq/hack-faq-cp.html

EFF Hacking, Cracking, Phreaking Archive. This is the archive of the Electronic Frontier Foundation, a non-profit organization that advocates civil liberties in cyberspace. http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/

LHI Technologies (L0pht Heavy Industries). This group comprises some of the most talented underground hackers. The archives at this site contain rare papers and reports, some of which were written by the site's proprietors. http://l0pht.com/

Phrack Magazine. A hacker e-zine that has been in existence for many years. There is a great deal of hard-core technical information in it, as well as a fascinating section called Phrack World News, which recounts cracker and hacker activities in recent months. http://www.phrack.com
