E.2 Paper References

E.2 Paper References

There are many excellent books and articles available on web security and computer security in general. We are personally familiar with those listed here and can recommend them.

E.2.1 Computer Crime and Law

Arkin, S. S., B. A. Bohrer, D. L. Cuneo, J. P. Donohue, J. M. Kaplan, R. Kasanof, A. J. Levander, and S. Sherizen. Prevention and Prosecution of Computer and High Technology Crime. New York, NY: Matthew Bender Books, 1989. A book written by and for prosecuting attorneys and criminologists.

BloomBecker, J. J. Buck. Introduction to Computer Crime. Santa Cruz, CA: National Center for Computer Crime Data, 1988. (Order from NCCCD, 408-475-4457.) A collection of essays, news articles, and statistical data on computer crime in the 1980s.

BloomBecker, J. J. Buck. Spectacular Computer Crimes. Homewood, IL: Dow Jones-Irwin, 1990. Lively accounts of some of the more famous computer-related crimes of the 1970s and 1980s.

Cook, William J. Internet & Network Law.A comprehensive volume which is updated regularly; the title may change to reflect the year of publication. For further information, contact the author at:

Willian Brinks Olds Hofer Gilson and Lione

Suite 3600, NBC Tower

455 N. Cityfront Plaza Dr.

Chicago, IL 60611-4299

Icove, David, Karl Seger, and William VonStorch, Computer Crime: A Crimefighter's Handbook, Sebastopol, CA: O'Reilly & Associates, 1995. A popular rewrite of an FBI training manual.

Power, Richard. Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare, Second Edition. San Francisco, CA: Computer Security Institute, 1996. An interesting and timely summary.

E.2.2 Computer-Related Risks

Leveson, Nancy G. Safeware: System Safety and Computers. A Guide to Preventing Accidents and Losses Caused by Technology. Reading, MA: Addison-Wesley, 1995. This textbook contains a comprehensive exploration of the dangers of computer systems, and explores ways in which software can be made more fault tolerant and safety conscious.

Neumann, Peter G. Computer Related Risks . Reading, MA: Addison-Wesley, 1995. Dr. Neumann moderates the Internet RISKS mailing list. This book is a collection of the most important stories passed over the mailing list since its creation.

Nissenbaum, Helen, and Deborah G. Johnson, editors. Computers, Ethics & Social Values. Englewood Cliffs, NJ: Prentice Hall, 1995. A fascinating collection of readings on issues of how computing technology impacts society.

Peterson, Ivars. Fatal Defect . New York, NY: Random House, 1995. A lively account of how computer defects kill people.

Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York, NY: John Wiley & Sons, 2000. Covers digital attacks, security, risk assessment in companies, implementation of security policies and coutermeasures, and more.

E.2.3 Computer Viruses and Programmed Threats

Communications of the ACM , Volume 32, Number 6, June 1989 (the entire issue). This whole issue was devoted to issues surrounding the Internet Worm incident.

Denning, Peter J. Computers Under Attack: Intruders, Worms, and Viruses. Reading, MA: ACM Press/Addison-Wesley, 1990. One of the two most comprehensive collections of readings related to these topics, including reprints of many classic articles. A "must-have."

Ferbrache, David. The Pathology of Computer Viruses. London, England: Springer-Verlag, 1992. This is probably the best all-around book on the technical aspects of computer viruses.

Hoffman, Lance J., Rogue Programs: Viruses, Worms, and Trojan Horses. New York, NY: Van Nostrand Reinhold, 1990. The other most comprehensive collection of readings on viruses, worms, and the like. A must for anyone interested in the issues involved.

E.2.4 Cryptography

Denning, Dorothy E. R. Cryptography and Data Security. Reading, MA: Addison-Wesley, 1983. The classic textbook in the field.

Garfinkel, Simson. PGP: Pretty Good Privacy. Sebastopol, CA: O'Reilly & Associates, 1994. Describes the history of cryptography and the history of the program PGP, and explains PGP's use.

Hoffman, Lance J. Building in Big Brother: The Cryptographic Policy Debate. New York, NY: Springer-Verlag, 1995. An interesting collection of papers and articles about the Clipper chip, Digital Telephony legislation, and public policy on encryption.

Kaufman, Charles, Radia Perlman, and Mike Speciner. Network Security: Private Communications in a Public World. Englewood Cliffs, NJ: Prentice Hall, 1995. A technical but readable account of many algorithims and protocols for providing cryptographic security on the Internet. The discussion of the Web is very limited.

Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition. New York, NY: John Wiley & Sons, 1996. The most comprehensive, unclassified book about computer encryption and data privacy techniques ever published.

E.2.5 General Computer Security

Amoroso, Edward. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice Hall, 1994. A very readable and complete introduction to computer security at the level of a college text.

Anderson, Ross. Security Engineering. New York, NY: Wiley & Sons, 2001. A general overview of security engineering and practice.

Carroll, John M. Computer Security, Second Edition. Stoneham, MA: Butterworth Publishers, 1987. Contains an excellent treatment of issues in physical communications security.

Mandia, Kevin and Chris Prosise. Incident Response: Investigating Computer Crime. New York, NY: McGraw-Hill Professional Publishing, 2001. Describes the methods and techniques necessary to perform a professional and successful response to computer security incidents.

Northcutt, Stephen and Judy Novak. Network Intrusion Detection: An Analyst's Handbook, Second Edition. Indianapolis, IN: New Riders, 2000. A training aid and reference for intrusion detection analysts.

Pfleeger, Charles P. Security in Computing, Second Edition. Englewood Cliffs, NJ: Prentice Hall, 1996. A good introduction to computer security.

Van Wyk, Kenneth R. and Richard Forno. Incident Response. Sebastopol, CA: O'Reilly & Associates, 2001. Shows both the technical and administrative aspects of building an effective incident response plan.

E.2.6 System Administration, Network Technology, and Security

E.2.6.1 Network Technology

Comer, Douglas E. Internetworking with TCP/IP, Third Edition. Englewood Cliffs, NJ: Prentice Hall, 1995. A complete, readable reference that describes how TCP/IP networking works, including information on protocols, tuning, and applications.

Hunt, Craig. TCP/IP Network Administration, Second Edition. Sebastopol, CA: O'Reilly & Associates, 1998. This book is an excellent system administrator's overview of TCP/IP networking (with a focus on Unix systems), and a very useful reference to major Unix networking services and tools such as BIND (the standard Unix DNS server) and sendmail (the standard Unix SMTP server).

Stevens, Richard W. TCP/IP Illustrated. Volume 1, The Protocols. Reading, MA: Addison-Wesley, 1994. This is a good guide to the nuts and bolts of TCP/IP networking. Its main strength is that it provides traces of the packets going back and forth as the protocols are actually in use, and uses the traces to illustrate the discussions of the protocols.

E.2.6.2 Secure Programming

Gundavaram, Shishir, Scott Guelich, and Gunther Birznieks. CGI Programming with Perl, Second Edition. Sebastopol, CA: O'Reilly & Asscociates, 2000. An excellent discussion of using CGI on the Web.

McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code, Second Edition.New York, NY: Wiley Computer Publishing, 1999. A book on web browser security from a user's point of view.

Musciano, Chuck and Bill Kennedy. HTML & XHTML: The Definitive Guide, Fourth Edition. Sebastopol, CA: O'Reilly & Associates, 2000. Truly is the definitive guide covering everything you need to know about HTML and the newer XHTML.

Oaks, Scott. Java Security, Second Edition. Sebastopol, CA: O'Reilly & Associates, 2001. Focuses on the Java platform features that provide security the class loader, bytecode verifier, and security manager and recent additions to Java that enhance this security model: digital signatures, security providers, and the access controller.

Viega, John and Gary McGraw. Building Secure Software. Reading, MA: Addison-Wesley, 2001. Describes how to determine an acceptable level of risk, develop security tests, and plug security holes before shipping software.

E.2.6.3 Security and Networking

Bellovin, Steve, and Bill Cheswick. Firewalls and Internet Security. Reading, MA: Addison-Wesley, 1994. The classic book on firewalls. This book will teach you everything you need to know about how firewalls work, but it will leave you without implementation details unless you happen to have access to the full source code to the Unix operating system and a staff of programmers who can write bug-free code.

Zwicky, Elizabeth, D., Simon Cooper, and D. Brent Chapman, Building Internet Firewalls, Second Edition. Sebastopol, CA: O'Reilly & Associates, 2000. A superb how-to book that describes in clear detail how to build your own firewall. Covers Unix, Linux, and Windows.

E.2.6.4 Unix System Administration

Albitz, Paul, and Cricket Liu. DNS and BIND, Third Edition. Sebastopol, CA: O'Reilly & Associates, 1998. An excellent reference for setting up DNS nameservers.

Costales, Bryan, with Eric Allman and Neil Rickert. sendmail, Second Edition. Sebastopol, CA: O'Reilly & Associates, 1997. Rightly or wrongly, many Unix sites continue to use the sendmail mail program. This huge book will give you tips on configuring it more securely.

Frisch, leen. Essential System Administration, Second Edition. Sebastopol, CA: O'Reilly & Associates, 1995. A fine discussion of the most important aspects of Unix system administration.

Garfinkel, Simson and Gene Spafford. Practical Unix & Internet Security, Second Edition. Sebastopol, CA: O'Reilly & Associates, 1996. Nearly 1000 pages of Unix and network security, with many helpful scripts and checklists.

Honeynet Project (Ed). Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Reading, MA: Addison-Wesley, 2001. Describes the technical skills needed to study a blackhat attack and learn from it. The CD includes examples of network traces, code, system binaries, and logs used by intruders from the blackhat community.

Killelea, Patrick. Web Performance Tuning. Sebastopol, CA: O'Reilly & Associates, 1998. Gives concrete advice for quick results the "blunt instruments" for improving crippled performance right away. The book also approaches each element of a web transaction from client to network to server to examine the weak links in the chain and how to strengthen them.

Nemeth, Evi, Garth Snyder, Scott Seebass, and Trent R. Hein. UNIX System Administration Handbook, Third Edition. Englewood Cliffs, NJ: Prentice Hall, 2000. An excellent reference on the various ins and outs of running a Unix system. This book includes information on system configuration, adding and deleting users, running accounting, performing backups, configuring networks, running sendmail, and much more. Highly recommended.

Prestin, W. Curtis. Unix Backup and Recovery. Sebastopol, CA: O'Reilly & Associates, 1999. Provides a complete overview of all facets of Unix backup and recovery and offers practical, affordable backup and recovery solutions for environments of all sizes and budgets.

Stein, Lincoln, Web Security, a Step-By-Step Reference Guide. Reading, MA: Addison-Wesley, 1998. An excellent all-around book on web security topics.

E.2.6.5 Windows System Administration

Albitz, Paul, Matt Larson, and Cricket Liu. DNS on Windows NT. Sebastopol, CA: O'Reilly & Associates, 1998. This version of the book provides an explanation of the details of how Internet name service works on Windows NT.

Cox, Philip, and Tom Sheldon, Windows 2000 Security Handbook, New York, NY: McGraw-Hill Professional Publishing, 2000. An excellent book on Windows 2000 security issues. Provides step-by-step instructions on how to locate and plug security holes and backdoors, authenticate users, and defend against the latest methods of attack in Windows 2000.

Grimes, Roger. Malicious Mobile Code: Virus Protection for Windows. Sebastopol, CA: O'Reilly & Associates, 2001. Reveals what destructive programs (including viruses, worms, trojans, and rogue Internet content) can and can't do and how to recognize, remove, and prevent them. Readers learn effective strategies, tips, and tricks for securing any system.

Norberg, Stefan, Securing Windows NT/2000 Servers for the Internet. Sebastopol, CA: O'Reilly & Associates, 2000. A concise and excellent checklist-oriented guide to hardening Windows bastion hosts. Also provides some information on OpenSSH, TCP wrappers, VNC, and Cygwin.

E.2.7 Security Products and Services Information

Computer Security Buyer's Guide. San Francisco, CA: Computer Security Institute. (Order from CSI, 415-905-2626.) Contains a comprehensive list of computer security hardware devices and software systems that are commercially available. The guide is free with membership in the Institute. The URL is at http://www.gocsi.com.

E.2.8 Miscellaneous References

Miller, Barton P., Lars Fredriksen, and Bryan So. "An Empirical Study of the Reliability of UNIX Utilities," Communications of the ACM, Volume 33, Number 12, December 1990, 32-44. A thought-provoking report of a study showing how Unix utilities behave when given unexpected input.