
Erik's IT-Security notes
Good security links. Updated 2012-11-08.
2012-11-08: A big thank you to Andreas Lindh, Tomas Bäckman and Juha Jurvanen who provided 20+ new links to this list.

Information- and news sites

SecurityFocus – searchable bugtraq archive and comprehensive articles

Sitic is the Swedish government's security prevention site. It works a bit like the Internet Storm Center.

Dark Reading

(IN)Secure Magazine is a near-monthly security magazine

IBM DeveloperWorks discusses programming for different platforms

If you're interested in the current security situation of the net

Podcasts for the security minded

Even more podcasts to listen to and watch (MP4 video)

Latest vulnerabilities for your product

Blogs, list of "charlatans" in the IT-security field and some historical data:

Canadian news, blog, and podcast site

The Register’s security section

The Hacker News Network

Infosec Island

Softpedia’s security section

Tech Eye’s security section

Zero Day at ZDNet

H-Online’s security section

ThreatPost, Kaspersky Labs' security news site

A great site with lots of recorded presentations from Defcon, Black Hat, Hack In The Box etc.

Security Now! podcast on TWiT.TV


OWASP Sweden with John Wilander et al.

Michael Boman

Matasano's blog

Sophos "Naked Security":

Crispin Cowan's blog

Microsoft's SDL blog (Michael Howard)

Bruce Schneier's blog

F-Secure's blog

Erik Zalitis's blog

Blog by two OWASP Gothenburg members

Australian security blog and podcast

Dan Kaminsky’s blog

Scottish security madmen

Terry Zink at MSDN

[Swedish only] Per Hellqvist @ Symantec’s blog

[Swedish only] Stefan Pettersson's blog

Brian Krebs's blog

Blog by CryptZone

Matthew Green’s blog

Juha Jurvanen's blog. Covers server security.

A new, Swedish product that provides intrusion protection for Windows servers

Their blog:

Mailing lists and feeds

Bruce Schneier's Cryptogram

An excellent digest of security-related news as it arrives.

OWASP's compilation of good security stuff

Secure Coding Mailing list

A good list of security related mailing lists

Sites about hacking and vulnerabilities

Learn to hack a real site in a "safe" way

A deliberately broken web application that you can download and learn how to hack:

Pentesting and troubleshooting tools

Wireshark - Ethereal by any other name. A tool you simply must know in order to troubleshoot networking

Nmap - The Swiss Army knife of network testing. Also a must to understand

Nessus - A good, if chatty, LAN scanner

Nikto - [Linux] The web application scanner everyone else is compared to

Wikto - [Windows] The Windows version of Nikto.

Cain and Abel - [Windows] All-purpose cracker, sniffer, MITM tool and ARP poisoning tool

Metasploit - When you're ready to strike

THC Hydra - Password grinding for a large number of protocols's "Tools of the trade"-list

A set of free security tools from TrueSec:

Pass the hash - Another toolkit that enables you to use an acquired hash to authenticate without knowing the clear text password

Proxies let you test, halt, inspect and change traffic between a client and a server. They are very useful for troubleshooting web applications and authentication problems. All proxies in this list have additional functionality such as spidering and calculation of hashes.

Paros proxy - One of the "big three" proxies

Webscarab - Proxy that can run as a Java webstart app which makes it very easy to get up and running

Burp suite (Includes a proxy)

Site-based tools can be used to get a "second opinion" from another place on the internet. Remember not to trust them too much!

GRC Shields Up - Steve Gibson's user-friendly scanner lets you test for open ports. Be warned that it has a few design flaws, e.g. it will report ports as being in "stealth" even if your firewall sends an ICMP error back to it. It also uses terms like "stealth", which is not an accepted term in TCP/IP networking.

DNS Test - A free sanity check of your DNS setup

Specific products

Blackviper's excellent service hardening guide for Windows XP

A dream for the paranoid Firefox surfer

Security policies for websites - a good idea?

Upload suspected files and have them scanned

Some interesting OWASP-projects

Java Project

.NET Project

PHP Project

The Funny side of IT-Security

The daily WTF - A site proving that security horrors are indeed real

XKCD - Nerd humour at its very best. IT security is often covered or laughed at

Ubersoft - Any rumours that this comic really is about Microsoft are lies! Lies I tell you!

Much of the material has been compiled by John Wilander for OWASP Sweden. I've translated the text and added new entries to the list. Thanks to everyone who mailed me suggestions!

If you're in Sweden, join OWASP! It's free: