From Erik's IT-Security notes
Good security links. Updated 2012-11-08.
2012-11-08: A big thank you to Andreas Lindh, Tomas Bäckman and Juha Jurvanen who provided 20+ new links to this list.

Information- and news sites

SecurityFocus – searchable bugtraq archive and comprehensive articles
http://www.securityfocus.com/

Sitic, the Swedish government's IT incident centre (Sveriges IT-incidentcentrum), works a bit like the Internet Storm Center.
http://www.sitic.se/

Dark Reading
http://www.darkreading.com/

(IN)Secure Magazine is a roughly monthly security magazine
http://www.net-security.org/insecuremag.php

IBM DeveloperWorks discusses programming for different platforms
http://www.ibm.com/developerworks/

SANS Internet Storm Center, if you're interested in the current threat situation on the internet
http://isc.sans.org/

Cigital's Silver Bullet podcast for the security-minded
http://www.cigital.com/silverbullet/

More recorded talks to listen to and watch (MP4 video), from the CERIAS security seminar at Purdue
http://www.cerias.purdue.edu/news_and_events/events/security_seminar/

Latest vulnerabilities for your product
http://secunia.com/

Blogs, a list of "charlatans" in the IT-security field and some historical data:
http://attrition.org/

Canadian news, blog, and podcast site
http://www.liquidmatrix.org/blog/

The Register’s security section
http://www.theregister.co.uk/security/

The Hacker News Network
http://www.thehackernews.com/

Infosec Island
http://www.infosecisland.com/

Softpedia’s security section
http://news.softpedia.com/cat/Security/

Tech Eye’s security section
http://www.techeye.net/security

Zero Day at ZDNET
http://www.zdnet.com/blog/security?tag=mantle_skin;content

H-Online’s security section
http://www.h-online.com/security/

Threatpost, Kaspersky Lab's security news site
http://threatpost.com/en_us

A great site with lots of recorded presentations from Defcon, Black Hat, Hack In The Box etc.
http://www.securitytube.net/

Security Now! podcast on TWiT.TV
http://www.grc.com/securitynow.htm

Blogs

OWASP Sweden with John Wilander et al.
http://owaspsweden.blogspot.com/

Michael Boman
http://blog.michaelboman.org/

Matasano's blog
http://matasano.com/research/

Sophos "Naked Security":
http://nakedsecurity.sophos.com/

Crispin Cowan's blog
http://blogs.msdn.com/crispincowan/default.aspx

Microsoft's SDL blog (Michael Howard et al.)
http://blogs.msdn.com/sdl/

Bruce Schneier's blog
http://www.schneier.com/blog/

F-Secure's blog
http://www.f-secure.com/weblog/

Erik Zalitis's blog
http://erik.zalitis.se/

Blog by two OWASP Gothenburg members
http://3vildata.com

Australian security blog and podcast
http://risky.biz/

Dan Kaminsky’s blog
http://dankaminsky.com/

Scottish security madmen
http://www.finux.co.uk/

Terry Zink at MSDN
http://blogs.msdn.com/b/tzink/

[Swedish only] Per Hellqvist @ Symantec’s blog
http://blog.perhellqvist.se/

[Swedish only] Stefan Pettersson's blog
http://enligthps.wordpress.com/

Brian Krebs blog
http://krebsonsecurity.com/

Blog by CryptZone
http://blog.dataleaktoday.com/

Matthew Green’s blog
http://blog.cryptographyengineering.com/

Juha Jurvanen's blog. Covers server security.
http://jufflan.wordpress.com

Syspeace - a new Swedish product that provides intrusion protection for Windows servers
http://www.syspeace.com

Their blog:
http://syspeace.wordpress.com

Mailing lists and feeds

Bruce Schneier's Crypto-Gram newsletter
http://www.schneier.com/crypto-gram.html

An excellent digest of security-related news as it comes in.
http://www.infosecnews.org/

OWASP's compilation of good security stuff
http://www.owasp.org/index.php/Feed

Secure Coding Mailing list
http://securecoding.org/list/

A good list of security related mailing lists
http://archives.neohapsis.com/

Sites about hacking and vulnerabilities

Learn to hack a real site in a "safe" way
http://www.hackthissite.org/

A deliberately broken web application that you can download and learn how to hack:
https://www.owasp.org/index.php/WebGoat_Installation

Pentesting and troubleshooting tools

Wireshark - Ethereal by any other name. A tool you simply must know to troubleshoot networks
http://www.wireshark.org/

Nmap - The Swiss army knife of network scanning. Also a must-know
http://insecure.org/

Nessus - A good, if chatty (it generates a lot of traffic), vulnerability scanner for your LAN
http://www.nessus.org/nessus/

Nikto - [Linux] The web application scanner everyone else is compared to
http://www.cirt.net/nikto2/

Wikto - [Windows] The Windows version of Nikto.
http://www.sensepost.com/research/wikto/

Cain and Abel - [Windows] All-purpose password cracker, sniffer, MITM and ARP-poisoning tool
http://www.oxid.it/

Metasploit - When you're ready to strike
http://www.metasploit.com/

THC Hydra - Online password brute-forcing (login guessing) against a large number of protocols
http://www.thc.org/thc-hydra/

Insecure.org's "Tools of the trade"-list
http://sectools.org/

A set of free security tools from TrueSec:
http://www.truesec.com/security/tools

Pass-the-Hash Toolkit - A toolkit that lets you authenticate to Windows with an acquired NTLM hash without knowing the clear-text password
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pass-The-Hash_Toolkit

Intercepting proxies let you test, halt, inspect and change traffic between a client and a server. Very useful for troubleshooting web applications and authentication problems, and for testing what the server does when a request is not what the browser would normally send. All proxies in this list have additional functionality such as spidering and calculation of hashes.

Paros proxy - One of the "big three" proxies
http://www.parosproxy.org/

WebScarab - Proxy that can run as a Java Web Start app, which makes it very easy to get up and running
http://dawes.za.net/rogan/webscarab/

Burp suite (Includes a proxy)
http://portswigger.net/
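
To make concrete what "halt, inspect and change traffic" means, here is a minimal intercepting HTTP proxy as an added example. It is not code from this page or from any of the proxies listed above; it only illustrates the idea. The hook names (`tag_request`, `shout_response`), the marker header `X-Intercepted` and the echo target are constructed for the demo; the proxy forwards plain HTTP only (no CONNECT/TLS) and runs entirely on loopback.

```python
import http.client
import http.server
import threading
import urllib.request
from urllib.parse import urlsplit

# Hook points (constructed for this example). The request hook may rewrite anything
# before the request is forwarded; the response hook may rewrite anything before the
# answer goes back to the client. This is what you do by hand in Burp or WebScarab.
def tag_request(method, url, headers, body):
    headers = dict(headers)
    headers["X-Intercepted"] = "1"          # hypothetical marker header added in transit
    return method, url, headers, body

def shout_response(status, headers, body):
    return status, headers, body.replace(b"hello", b"HELLO")   # tamper with the reply body

class InterceptingProxy(http.server.BaseHTTPRequestHandler):
    request_hook = staticmethod(tag_request)
    response_hook = staticmethod(shout_response)
    log = []   # (method, url, status) for every forwarded exchange
    # Headers that describe this hop, not the message; they are recomputed, never copied.
    HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding", "content-length"}

    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        method, url, headers, body = self.request_hook(self.command, self.path, self.headers, body)
        parts = urlsplit(url)
        if not parts.hostname:      # a bare path means the client is not using us as a proxy
            self.send_error(400, "absolute URL required")
            return
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        fwd_headers = {k: v for k, v in headers.items() if k.lower() not in self.HOP_BY_HOP}
        fwd_headers["Connection"] = "close"
        upstream = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        upstream.request(method, target, body=body or None, headers=fwd_headers)
        resp = upstream.getresponse()
        status, rheaders, rbody = self.response_hook(resp.status, dict(resp.getheaders()), resp.read())
        upstream.close()
        self.log.append((method, url, status))
        self.send_response(status)
        for k, v in rheaders.items():
            if k.lower() not in self.HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(rbody)))   # body may have changed size
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(rbody)

    do_GET = do_POST = do_PUT = do_DELETE = _forward

    def log_message(self, *args):   # keep the demo quiet
        pass

class EchoTarget(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web application under test: echoes the path
    and whether the marker header arrived."""
    def do_GET(self):
        payload = f"hello from {self.path} intercepted={self.headers.get('X-Intercepted')}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass

def _serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)   # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():
    """Send one request through the proxy; return (status, body, proxy log)."""
    target, proxy = _serve(EchoTarget), _serve(InterceptingProxy)
    try:
        opener = urllib.request.build_opener(
            urllib.request.ProxyHandler({"http": "http://127.0.0.1:%d" % proxy.server_port}))
        with opener.open("http://127.0.0.1:%d/login?user=bob" % target.server_port, timeout=5) as r:
            return r.status, r.read().decode(), list(InterceptingProxy.log)
    finally:
        proxy.shutdown(); proxy.server_close()
        target.shutdown(); target.server_close()

if __name__ == "__main__":
    print(run_demo())   # ("HELLO from /login?user=bob intercepted=1" shows both hooks fired)
```

The request hook is where you would change a parameter, replay a session cookie or strip a header the browser insists on sending; the response hook is where you would see what the server really returned before the browser's JavaScript touched it. The hop-by-hop header handling matters in practice: if you forward `Content-Length` unchanged after editing a body, the far end will read a truncated or over-long message and the test result is garbage.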

Web-based tools can be used to get a "second opinion" from another place on the internet. Remember not to trust them too much!

GRC Shields Up - Steve Gibson's user-friendly scanner lets you test for open ports. Be warned that it has a few design flaws. E.g. it will report ports as "stealth" even if your firewall sends an ICMP error back to it. It also uses terms like "stealth" (the probe is dropped silently and nothing at all comes back), which is not accepted TCP/IP terminology; a port that answers with RST is "closed", and Nmap calls the no-answer case "filtered".
http://www.grc.com/
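
The distinction the paragraph above draws between a port that answers (closed), one that is rejected with an error (unreachable) and one that is silently dropped ("stealth", or filtered in Nmap's vocabulary) is easy to see with a plain TCP connect probe. The following is an added example, not code from this page or from GRC; the classification names are mine and the loopback demo is constructed so it runs without network access.

```python
import socket

def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port the way a connect() scanner does.

    "open"         the handshake completed: something answered SYN with SYN/ACK
    "closed"       the host answered with RST (connection refused): host is up, no listener
    "unreachable"  some other error came back, typically an ICMP unreachable from a router
                   or firewall: the probe was rejected, not silently dropped
    "filtered"     nothing at all came back before the timeout: the probe was dropped,
                   which is the only case that deserves the label "stealth"
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:   # RST came back
            return "closed"
        except socket.timeout:           # no reply at all within the timeout
            return "filtered"
        except OSError:                  # e.g. EHOSTUNREACH/ENETUNREACH after an ICMP error
            return "unreachable"

def demo_localhost():
    """Constructed demo: a listener on a random loopback port gives "open";
    the same port after the listener has gone gives "closed" (the kernel answers RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo_localhost())   # ('open', 'closed')
```

Only a host that swallows the SYN without any reply ends up in the "filtered" bucket; an RST or an ICMP error tells the scanner that something is there, which is exactly why an ICMP error should not be reported as "stealth". Against a real target you also need to know that a timeout can mean packet loss rather than a firewall, so scanners retry before they commit to "filtered".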

DNS Test - A free sanity check of your DNS setup
http://www.checkdns.net/

Specific products

Blackviper's excellent service hardening guide for Windows XP
http://www.blackviper.com/WinXP/servicecfg.htm

NoScript - A dream for the paranoid Firefox surfer
http://noscript.net/

Content Security Policy (CSP) - security policies for websites, a good idea?
http://people.mozilla.org/~bsterne/content-security-policy/

VirusTotal - Upload suspicious files and have them scanned by many anti-virus engines
http://www.virustotal.com/sv/

Some interesting OWASP-projects

Java Project
http://www.owasp.org/index.php/Category:OWASP_Java_Project

.NET Project
http://www.owasp.org/index.php/Category:OWASP_.NET_Project

PHP Project
http://www.owasp.org/index.php/Category:OWASP_PHP_Project

The Funny side of IT-Security

The daily WTF - A site proving that security horrors are indeed real
http://thedailywtf.com/

XKCD - Nerd humour at its very best. IT-Security is often covered or laughed at
http://xkcd.com/

Ubersoft - Any rumours that this comic really is about Microsoft are lies! Lies I tell you!
http://www.ubersoft.net/


Much of the material has been compiled by John Wilander for OWASP Sweden. I've translated the text and added new entries to the list. Thanks to everyone who mailed me suggestions!

If you're in Sweden, join OWASP! It's free:
https://lists.owasp.org/mailman/listinfo/owasp-sweden