Erik's IT-Security notes
Good security links. Updated 2012-11-08.
2012-11-08: A big thank you to Andreas Lindh, Tomas Bäckman and Juha Jurvanen who provided 20+ new links to this list.
Information- and news sites
SecurityFocus – searchable bugtraq archive and comprehensive articles
Sitic is the Swedish government security prevention site. Works a bit like Internet Storm Center.
(IN)Secure Magazine is a near-monthly security magazine
IBM DeveloperWorks discusses programming for different platforms
If you're interested in the current security situation of the net
Podcasts for the security minded
Even more podcasts to listen to and watch (MP4 video)
Latest vulnerabilities for your product
Blogs, list of "charlatans" in the IT-security field and some historical data:
Canadian news, blog, and podcast site
The Register’s security section
The Hacker News Network
Softpedia’s security section
Tech Eye’s security section
Zero Day at ZDNET
H-Online’s security section
ThreatPost, Kaspersky Labs security news site
A great site with lots of recorded presentations from Defcon, Black Hat, Hack In The Box etc
Security Now! podcast on TWiT.TV
OWASP Sweden with John Wilander et al.
Sophos "Naked Security":
Crispin Cowan's blog
Microsoft's SDL blog (Michael Howard et al.) http://blogs.msdn.com/sdl/
Bruce Schneier's blog
Erik Zalitis's blog
Blog by two OWASP Gothenburg members
Australian security blog and podcast
Dan Kaminsky’s blog
Scottish security madmen
Terry Zink at MSDN
[Swedish only] Per Hellqvist @ Symantec’s blog
[Swedish only] Stefan Pettersson's blog
Brian Krebs's blog
Blog by CryptZone
Matthew Green’s blog
Juha Jurvanen's blog. Covers server security.
A new, Swedish product that provides intrusion protection for Windows servers http://www.syspeace.com
Mailing lists and feeds
Bruce Schneier's Cryptogram
An excellent digest of security-related news as it comes in.
OWASP's compilation of good security stuff
Secure Coding Mailing list
A good list of security related mailing lists
Sites about hacking and vulnerabilities
Learn to hack a real site in a "safe" way
A deliberately broken web application that you can download and learn how to hack:
Pentesting and troubleshooting tools
Wireshark - Ethereal by any other name. A tool you simply must know to troubleshoot networking
Nmap - The Swiss army knife of network testing. Also a must to understand
Nessus - A good, if chatty, LAN scanner
Nikto - [Linux] The web application scanner everyone else is compared to
Wikto - [Windows] The Windows version of Nikto.
Cain and Abel - [Windows] All-purpose cracker, sniffer, MITM tool and ARP-poisoning tool
Metasploit - When you're ready to strike
THC Hydra - Password grinding for a large number of protocols
Insecure.org's "Tools of the trade"-list
A set of free security tools from TrueSec:
Pass the hash - Another toolkit that enables you to use an acquired hash to authenticate without knowing the clear text password
Proxies let you test, halt, inspect and change traffic between a client and a server. Very useful for troubleshooting web applications and authentication problems. All proxies in this list have additional functionality such as spidering and calculation of hashes.
Paros proxy - One of the "big three" proxies
Webscarab - Proxy that can run as a Java webstart app which makes it very easy to get up and running
Burp suite (Includes a proxy)
Site-based tools can be used to get a "second opinion" from another place on the internet. Remember not to trust them too much!
GRC Shields up - Steve Gibson's user-friendly scanner lets you test for open ports. Be warned that it has a few design flaws, e.g. it reports ports as "stealth" even if your firewall sends an ICMP error back to it. It also uses terms like "stealth", which is not an accepted term in TCP/IP networking.
DNS Test - A free sanity check of your DNS-system
Blackviper's excellent service hardening guide for Windows XP
A dream for the paranoid Firefox surfer
Security policies for websites - a good idea?
Upload suspected files and have them scanned
Some interesting OWASP-projects
The Funny side of IT-Security
The daily WTF - A site proving that security horrors are indeed real
XKCD - Nerd humour at its very best. IT-Security is often covered or laughed at
Ubersoft - Any rumours that this comic really is about Microsoft are lies! Lies I tell you!
Much of the material has been compiled by John Wilander for OWASP Sweden. I've translated the text and added new entries to the list. Thanks to everyone who mailed me suggestions!
If you're in Sweden, join OWASP! It's free: