Maximum Security:

A Hacker's Guide to Protecting Your Internet Site and Network


- A -

How to Get More Information

This appendix is designed to provide you with some of the sources consulted in this book, as well as sites (or documents) that can assist you in better understanding security.

Establishment Resources

Following is a list of resources. This list includes articles, papers, and tools. The majority were authored or created by individuals working in security.

Sites on the WWW

General Accounting Office: Information Security: Computer Attacks at Department of Defense Pose Increasing Risks. A report on failed security at U.S. Defense sites.

The Evaluated Products List (EPL). This is a list of products that have been evaluated for security ratings based on DoD guidelines.

InterNIC (the Network Information Center). InterNIC provides comprehensive databases on networking information. These databases contain the larger portion of collected knowledge on the design and scope of the Internet. Of main importance here is the database of RFC documents.

The Rand Corporation. This site contains security resources of various sorts as well as engrossing early documents on the Internet's design.

Connected: An Internet Encyclopedia. This is an incredible online resource for RFC documents and related information, painstakingly translated into HTML.

The Computer Emergency Response Team (CERT). CERT is an organization that assists sites in responding to network security violations, break-ins, and so forth. This is a great source of information, particularly for vulnerabilities.

Dan Farmer: Security Survey of Key Internet Hosts and Various Semi-Relevant Reflections. This is a fascinating independent study conducted by one of the authors of the now famous SATAN program. The survey involved approximately 2,200 sites; the results are disturbing.

U.S. Department of Energy's Computer Incident Advisory Capability (CIAC). CIAC provides computer security services to employees and contractors of the U.S. Department of Energy, but the site is open to the public as well. There are many tools and documents at this location.

The National Computer Security Association. This site contains a great deal of valuable security information, including reports, papers, advisories, and analyses of computer security products and techniques.

Short Courses in Information Systems Security at George Mason University. This site contains information about security courses. Moreover, you'll find links to a comprehensive bibliography of security-related documents.

NCSA RECON. This is the site of the National Computer Security Association's special division. It offers a service where one can search through thousands of downloaded messages passed among hackers and crackers on BBS boards and the Internet. This commercial site is an incredible security resource.

Lucent Technologies. This site contains information about courses on security from the folks who really know security.

Massachusetts Institute of Technology Distribution Site of Pretty Good Privacy (PGP) for U.S. Residents. PGP provides some of the most powerful, military-grade encryption currently available.

The Anonymous Remailer FAQ. This document covers all aspects of anonymous remailing techniques and tools.

The Anonymous Remailer List. This is a comprehensive but often-changing list of anonymous remailers.

Microsoft ActiveX Security. This page addresses the security features of ActiveX.

Purdue University COAST Archive. This is one of the more comprehensive security sites, containing many tools and documents of deep interest to the security community.

Raptor Systems. The makers of one of the better firewall products on the Net have established a fine security library.

The Risks Forum. This is a moderated digest of security and other risks in computing. This great resource is also searchable. With it, you can tap the better security minds on the Net.

Forum of Incident Response and Security Teams (FIRST). FIRST is a conglomeration of many organizations undertaking security measures on the Net. This powerful organization is a good starting place for sources.

The CIAC Virus Database. This is the ultimate virus database on the Internet. It's an excellent resource for learning about viruses that can affect your platform.

Information Warfare and Information Security on the Web. This is a comprehensive list of links and other resources concerning information warfare over the Internet.

Criminal Justice Studies of the Law Faculty of University of Leeds, The United Kingdom. This site boasts interesting information on cryptography and civil liberties.

Federal Information Processing Standards Publication Documents (Government Guidelines). The National Institute of Standards and Technology reports on DES encryption and related technologies.

Wordlists Available at NCSA and Elsewhere. This site is for use in testing the strength of, or cracking, UNIX passwords.

Department of Defense Password Management Guideline. This is a treatment of password security in classified environments.

Dr. Solomon's. This site is filled with virus information. Anyone concerned with viruses (or anyone who just wants to know more about virus technology) should visit Dr. Solomon's site.

The Seven Locks Server. This is an eclectic collection of security resources, including a number of papers that cannot be found elsewhere!

S/Key Informational Page. This site provides information on S/Key and the use of one-time passwords in authentication.

A Page Devoted to ATP, the "Anti-Tampering Program." In some ways, ATP is similar to Tripwire or Hobgoblin.

Bugtraq Archives. This is an archive of the popular mailing list, Bugtraq, one of the most reliable sources for up-to-date reports on new-found vulnerabilities in UNIX (and at times, other operating systems).

Wang Federal. This company produces high-quality security operating systems and other security solutions. It is the leader in TEMPEST technology.

The Center for Secure Information Systems. This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much cutting-edge research going on here. The following URL sends you directly to the publications page, but you really should explore the entire site.

SRI International. This site boasts some very highbrow technical information. The technical reports here are of extreme value. However, you must have at least a fleeting background in security to even grasp some of the concepts.

The Security Reference Index. This site, maintained by the folks at telstra.com, is a comprehensive pointer page to many security resources.

Wietse Venema's Tools Page. This page, maintained by Wietse Venema (co-author of SATAN, author of TCP_Wrapper and many other security tools), is filled with papers, tools, and general information. It is a must-visit for any UNIX system administrator.

Books, Reports, and Publications

United States. Congress. House. Committee on Science, Space, and Technology. Subcommittee on Science.

Internet security: Hearing Before the Subcommittee on Science of the Committee on Science, Space, and Technology. U.S. House of Representatives, One Hundred Third Congress, second session, March 22, 1994. Washington. U.S. G.P.O. For sale by the U.S. G.P.O., Supt. of Docs., Congressional Sales Office, 1994.

An Interactive Guide to the Internet. Que Education and Training. J. Michael Blocher, Vito Amato, and Jon Storslee. ISBN: 1-5757-6354-0. 1996.

Apache Server Survival Guide. Sams.net. Manuel Alberto Ricart. ISBN: 1-57521-175-0. 1996.

Bots and Other Internet Beasties. Sams.net. Joseph Williams. ISBN: 1-57521-016-9. 1996.

Designing and Implementing Microsoft Internet Information Server. Sams.net. Weiying Chen, Sanjaya Hettihewa, Arthur Knowles, and Paolo Pappalardo. ISBN: 1-57521-168-8. 1996.

E-Mail Security: How To Keep Your Electronic Messages Private. John Wiley & Sons. Bruce Schneier. ISBN: 0-471-05318-X. 1995.

Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Publishing Company. William R. Cheswick and Steven M. Bellovin. ISBN: 0-201-63357-4. 1994.

Halting the Hacker: A Practical Guide to Computer Security. Prentice Hall. Donald L. Pipkin. ISBN: 0-13-243718. 1997.

Internet 1997 Unleashed, Second Edition. Sams.net. Jill Ellsworth, Billy Barron, et al. ISBN: 1-57521-185-8. 1996.

Internet Commerce. New Riders. Andrew Dahl and Leslie Lesnick. ISBN: 1-56205-496-1. 1995.

Internet Firewalls and Network Security, Second Edition. New Riders. Chris Hare and Karanjit S. Siyan, Ph.D. ISBN: 1-56205-632-8. 1996.

Internet QuickKIT. Hayden. Brad Miser. ISBN: 1-56830-240-1.

Internet Research Companion. Que Education and Training. Geoffrey McKim. ISBN: 1-5757-6050-9. 1996.

Internet Security for Business. John Wiley & Sons. Terry Bernstein, Anish B. Bhimani, Eugene Schultz, and Carol A. Siegel. ISBN: 0-471-13752-9. 1996.

Internet Security Professional Reference. New Riders. Chris Hare, et al. ISBN: 1-56205-557-7. 1996.

Internet Security Resource Library (Box Set). New Riders. ISBN: 1-56205-506-2. 1996.

Linux System Administrator's Survival Guide. Sams Publishing. Timothy Parker, Ph.D. ISBN: 0-672-30850-9. 1996.

Managing Windows NT Server 4. New Riders. Howard F. Hilliker. ISBN: 1-56205-576-3. 1996.

Microsoft Internet Information Server 2 Unleashed. Sams.net. Arthur Knowles. ISBN: 1-57521-109-2. 1996.

NetWare Security. New Riders. William Steen. ISBN: 1-56205-545-3. 1996.

PC Week Intranet and Internet Firewalls Strategies. Ziff-Davis Press. Ed Amoroso and Ronald Sharp. ISBN: 1-56276-422-5. 1996.

Practical UNIX & Internet Security, Second Edition. O'Reilly & Associates. Simson Garfinkel and Gene Spafford. ISBN: 1-56592-148-8. 1996.

Protection and Security on the Information Superhighway. John Wiley & Sons. Frederick B. Cohen. ISBN: 0-471-11389-1. 1995.

The Internet Unleashed 1996. Sams.net. Sams Development Group. ISBN: 1-57521-041-X. 1995.

The Underground Guide to UNIX: Slightly Askew Advice from a UNIX Guru. Addison-Wesley Publishing Company. John Montgomery. ISBN: 0-201-40653-5. 1995.

UNIX Installation Security and Integrity. Prentice Hall. David Ferbrache and Gavin Shearer. ISBN: 0-13-015389-3. 1993.

UNIX Security: A Practical Tutorial (UNIX/C). McGraw-Hill. N. Derek Arnold. ISBN: 0-07-002560-6. 1993. Contains source code for a possible UNIX virus!

UNIX Security for the Organization. Sams Publishing. R. Bringle Bryant. ISBN: 0-672-30571-2. 1994.

UNIX System Security. Addison-Wesley Publishing Company. David A. Curry. ISBN: 0-201-56327-4. 1992.

UNIX System Security Essentials. Addison-Wesley Publishing Company. Christoph Braun and Siemens Nixdorf. ISBN: 0-201-42775-3. 1995.

UNIX System Security: How to Protect Your Data and Prevent Intruders. Addison-Wesley Publishing Company. Rick Farrow. ISBN: 0-201-57030-0. 1991.

UNIX Unleashed. Sams Publishing. Sams Development Team (Susan Peppard, Pete Holsberg, James Armstrong Jr., Salim Douba, S. Lee Henry, Ron Rose, Richard Rummel, Scott Parker, Ann Marshall, Ron Dippold, Chris Negus, John Valley, Jeff Smith, Dave Taylor, Sydney Weinstein, and David Till). ISBN: 0-672-30402-3. 1994.

Windows NT Server 4 Security, Troubleshooting, and Optimization. New Riders. ISBN: 1-56205-601-8. 1996.

Novell

A Guide to NetWare for UNIX. Prentice Hall. Cathy Gunn. ISBN: 0-13-300716-2. 1995.

NetWare to Internet Gateways. Prentice Hall. James E. Gaskin. ISBN: 0-13-521774-1. 1996.

NetWare Unleashed, Second Edition. Sams Publishing. Rick Sant'Angelo. 1995.

NetWare Web Development. Sams Publishing. Peter Kuo. ISBN: 1-57521-188-6. 1996.

Novell's Guide to Integrating NetWare and TCP/IP. Novell Press/IDG Books. Drew Heywood. ISBN: 1-56884-818-8. 1996.

Novell's Guide to NetWare LAN Analysis. Sybex. Dan E. Hakes and Laura Chappell. ISBN: 0-7821-1143-2. 1994.

The Complete Guide to NetWare 4.1. Sybex. James E. Gaskin. ISBN: 0-7821-1500A. 1995.

The NetWare to Internet Connection. Sybex. Morgan Stern. ISBN: 0-7821-1706-6. 1996.

Windows NT

Inside The Windows NT File System. Microsoft Press. Helen Custer. ISBN: 1-55615-660-X. 1994.

Inside Windows NT Server 4. New Riders. Drew Heywood. ISBN: 1-56205-649-2. 1996.

Managing Windows NT Server 4. New Riders. Howard Hilliker. ISBN: 1-56205-576-3. 1996.

Microsoft Windows NT Workstation 4.0 Resource Kit. Microsoft Press. ISBN: 1-57231-343-9. 1996.

NT Server: Management and Control. Prentice Hall. Kenneth L. Spencer. ISBN: 0-13-107046-0. 1995.

Windows NT 4 Electronic Resource Kit. Sams.net. ISBN: 0-67231-032-5.

Windows NT Administration: Single Systems to Heterogeneous Networks. Prentice Hall. Marshall Brain and Shay Woodard. ISBN: 0-13-176694-5. 1994.

Peter Norton's Complete Guide to Windows NT 4.0 Workstation. Sams Publishing. Peter Norton and John Paul Mueller. ISBN: 0-672-30-901-7. 1996.

General

A Guide to Understanding Discretionary Access Control in Trusted Systems. Technical Report NCSC-TG-003, National Computer Security Center, 1987.

A Model of Atomicity for Multilevel Transactions. 1993 IEEE Computer Society Symposium on Research in Security and Privacy; Oakland, California. Barbara T. Blaustein, Sushil Jajodia, Catherine D. McCollum, and LouAnna Notargiacomo (MITRE). USA: IEEE Computer Society Press. ISBN: 0-8186-3370-0. 1993.

Authentication and Discretionary Access Control. Karger, Paul A. Computers & Security, Number 5, pp. 314-324, 1986.

Beyond the Pale of MAC and DAC--Defining New Forms of Access Control. Catherine J. McCollum, Judith R. Messing, and LouAnna Notargiacomo. SympSecPr, pp. 190-200, IEEECSP, May 1990.

Computer Crime: A Crimefighter's Handbook. O'Reilly & Associates. David Icove, Karl Seger, and William VonStorch. ISBN: 1-56592-086-4. 1995.

Computer Security Basics. O'Reilly & Associates. Deborah Russell and G.T. Gangemi Sr. ISBN: 0-937175-71-4. 1991.

Computer Security: Hackers Penetrate DoD Computer Systems. Testimony before the Subcommittee on Government Information and Regulation, Committee on Government Affairs. United States Senate, Washington DC, November 1991.

Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon and Schuster. Katie Hafner and John Markoff. ISBN: 0-671-68322-5. 1991.

DCE Security Programming. Wei Hu. O'Reilly & Associates. ISBN: 1-56592-134-8. 1995.

Extended Discretionary Access Controls. S. T. Vinter. SympSecPr, pp. 39-49, IEEECSP, April 1988.

How to Set Up and Maintain a World Wide Web Site: The Guide for Information Providers. Addison-Wesley Publishing Company. Lincoln D. Stein. ISBN: 0-201-63389-2. 1995.

Internet Security Secrets. IDG Books. John R. Vacca. ISBN: 1-56884-457-3. 1996.

Managing Internet Information Systems. O'Reilly & Associates. Cricket Liu, Jerry Peek, Russ Jones, Bryan Buus, and Adrian Nye. ISBN: 1-56592-051-1. 1994.

Microsoft's PFX: Personal Information Exchange APIs. Microsoft Corporation (http://www.microsoft.com/workshop/prog/security/misf11-f.htm).

Network and Internetwork Security: Principles and Practice. IEEE Computer Society Press/Prentice Hall. William Stallings. ISBN: 0-02-415483-0. 1995.

Network Security: How to Plan for It and Achieve It. McGraw-Hill. Richard H. Baker. ISBN: 0-07-005141-0. 1994.

Network Security: Protocol Reference Model and The Trusted Computer System Evaluation Criteria. M. D. Abrams and A. B. Jeng. IEEE Network, 1(2), pp. 24-33, April 1987.

Protect Your Privacy: The PGP User's Guide. Prentice Hall. William Stallings. ISBN: 0-13-185596-4. 1994.

Secure Databases. 1993 IEEE Computer Society Symposium on Research in Security and Privacy; Oakland, California. USA: IEEE Computer Society Press. ISBN: 0-8186-3370-0. 1993.

Secure Networking at Sun Microsystems Inc. Katherine P. Addison and John J. Sancho. 11th NCSC; 1988. Baltimore. USA: NBS/NCSC: pp. 212-218.

STRAWMAN Trusted Network Interpretation Environments Guideline. Marshall Abrams, Martin W. Schwartz, and Samuel I. Schaen (MITRE). 11th NCSC; 1988 Oct 17; Baltimore. USA: NBS/NCSC: pp. 194-200.

Java

Briki: A Flexible Java Compiler. Michael Cierniak and Wei Li. TR 621, URCSD, May 1996.

Developing Intranet Applications with Java. Sams.net. Jerry Ablan, William Robert Stanek, Rogers Cadenhead, and Tim Evans. ISBN: 1-57521-166-1. 1996.

Gamelan. The ultimate Java archive.

H-38: Internet Explorer 3.x Vulnerability. CIAC Advisory, March 4, 1997.

Internet Java & ActiveX Advisor. Journal.

Javaworld. Journal.

Java & HotJava: Waking Up the Web. Sean González. PC Magazine, October 1995.

Java as an Intermediate Language. Technical Report, School of Computer Science, Carnegie Mellon University, Number CMU-CS-96-161, August 1996.

Java Developer's Guide. Sams.net. Jamie Jaworski and Cary Jardin. ISBN: 1-57521-069-X. 1996.

Java Developer's Journal.

Java Developer's Reference. Sams.net. Mike Cohn, Michael Morrison, Bryan Morgan, Michael T. Nygard, Dan Joshi, and Tom Trinko. ISBN: 1-57521-129-7. 1996.

Java in a Nutshell: A Desktop Quick Reference for Java Programmers. O'Reilly & Associates. David Flanagan. ISBN: 1-56592-183-6. 1996.

Java Report. Journal.

Java Security. SIGS. Gary McGraw and Edward Felten. ISBN: 1-884842-72-0. 1996.

Java Security: From HotJava to Netscape and Beyond. Drew Dean, Edward W. Felten, and Dan S. Wallach. 1996 IEEE Symposium on Security and Privacy, Oakland, CA, May 1996.

Java Security: Hostile Applets, Holes, & Antidotes. John Wiley & Sons. Gary McGraw and Ed Felten. ISBN: 0-471-17842-X. 1996.

Java: The Inside Story. Michael O'Connell. Sunworld Online, Volume 07, July 1995.

Just Java, Second Edition. Sunsoft Press/Prentice Hall. Peter van der Linden. ISBN: 0-13-272303-4. 1996.

MIME Encapsulation of Aggregate Applet Objects (Mapplet). A. Bahreman, J. Galvin, R. Narayanaswamy.

NetProf: Network-Based High-Level Profiling of Java Bytecode. Srinivasan Parthasarathy, Michael Cierniak, and Wei Li. TR 622, URCSD, May 1996.

The Java Handbook. Osborne/McGraw-Hill. Patrick Naughton. ISBN: 0-07-882199-1. 1996.

The Java Language Specification. Addison-Wesley Publishing Company. James Gosling, Bill Joy, and Guy Steele. ISBN: 0-201-63451-1. 1996.

Databases and Security

A Personal View of DBMS Security in Database Security: Status and Prospects. F. Manola. C.E. Landwehr (ed.), Elsevier Science Publishers B.V., North Holland, 1988. GTE Labs. December 1987.

A Policy Framework for Multilevel Relational Databases. Xiaolei Qian and Teresa F. Lunt. SRI-CSL-94-12, August 1994.

A Secure Concurrency Control Protocol for Real-Time Databases. R. Mukkamala, Old Dominion University, and S. H. Son, University of Virginia. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York, August 13-16, 1995.

A Security Model for Military Message System. C. E. Landwehr, C. L. Heitmeyer, and J. McLean. ACM Transactions on Computer Systems, 2(3), August 1984.

Access Control: Principles and Practice. R.S. Sandhu and P. Samarati. IEEE Communications, pp. 2-10. 1994.

An Extended Authorization Model for Relational Databases. E. Bertino, P. Samarati, and S. Jajodia. IEEE Transactions on Knowledge and Data Engineering, Volume 9, Number 1, 1997, pp. 85-101.

Authorizations in Relational Database Management Systems. E. Bertino, S. Jajodia, and P. Samarati. ACM Conference on Computer and Communications Security, Fairfax, VA, 1993. pp. 130-139.

Decentralized Management of Security in Distributed Systems. R.S. Sandhu, DSOM. 1991.

Ensuring Atomicity of Multilevel Transactions. P. Ammann, S. Jajodia, and I. Ray. IEEE Symposium on Research in Security and Privacy. Oakland, CA, May 1996. pp. 74-84.

Formal Query Languages for Secure Relational Databases. M. Winslett, K. Smith and X. Qian. ACM TODS, 19(4):626-662. 1994.

Honest Databases That Can Keep Secrets. R. S. Sandhu and S. Jajodia, NCSC.

Locking Protocol for Multilevel Secure Databases Providing Support for Long Transactions. S. Pal, Pennsylvania State University. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York, August 13-16, 1995.

Messages, Communications, Information Security: Protecting the User from the Data. J. E. Dobson and M. J. Martin, University of Newcastle. IFIP WG 11.3 Working Conference on Database Security, Rensselaerville, New York, August 13-16, 1995.

Microsoft Access 2.0 Security. Tom Lucas. PC Solutions.

Multilevel Security for Knowledge Based Systems. Thomas D. Garvey and Teresa F. Lunt. SRI-CSL-91-01, February 1991. Stanford Research Institute.

On Distributed Communications: IX. Security, Secrecy and Tamper-Free Considerations. P. Baran. Technical Report, The Rand Corporation. Number RM-376, August 1964.

Role-Based Access Controls. D.F. Ferraiolo and R. Kuhn. NIST-NCSC National Computer Security Conference, Baltimore, MD, 1993. pp. 554-563.

Symposium on the Global Information Infrastructure: Information, Policy & International Infrastructure. Paul A. Strassmann, U.S. Military Academy West Point and Senior Advisor, SAIC; William Marlow, Senior Vice President, SAIC. January 28-30, 1996.

The Microsoft Internet Security Framework (MISF) Technology for Secure Communication, Access Control, and Commerce. © 1997 Microsoft Corporation. (All rights reserved.)

Trusted Database Management System. NCSC-TG-021. Trusted Database Management System Interpretation. April 1991. Chief, Technical Guidelines Division. ATTN: C11 National Computer Security Center Ft. George G. Meade, MD 20755-6000.

Why Safeguard Information? Computer Audit Update, Elsevier Advanced Technology, 1996. Abo Akademi University, Institute for Advanced Management Systems Research, Turku Centre for Computer Science. Thomas Finne.

Articles

"Accountability Is Key to Democracy in the Online World." Walter S. Mossberg. The Wall Street Journal. Thursday January 26, 1995.

"ActiveX Used as Hacking Tool." Wingfield, N. CNET News, February 7, 1997.

"Alleged Computer Stalker Ordered Off Internet." Stevan Rosenlind. McClatchy News Service. July 26, 1995.

"A Tiger Team Can Save You Time and Money and Improve Your Ability to Respond to Security Incidents." Peter Galvin. SunWorld Online. February 1996.

"Billions and Billions of Bugs." Peter Galvin. SunWorld Online.

"Breaches From Inside Are Common." Infosecurity News. January/February 1997.

"CYBERWAR IS COMING!" John Arquilla and David Ronfeldt. International Policy Department, Rand Corporation. 1993. Taylor & Francis. ISSN: 0149-5933-93.

"Digital IDs Combat Trojan Horses on the Web." Bray, H. Computer News Daily. February 1997.

"FBI Investigates Hacker Attack at World Lynx." B. Violino. InformationWeek Online. November 12, 1996.

"Gang War in Cyberspace." Slatalla, M. and Quitner, J. Wired, Volume 2, Number 12. December, 1994.

"KC Wrestles With Equipment Theft Problem." Timothy Heider. Kansas City Star. February 17, 1997.

"Macros Under the Microscope: To Stop the Spread of Macro Viruses, First Understand How They Work." Kenneth R. van Wyk. Infosecnews.

"Network Security Throughout the Ages." Jeff Breidenbach. 1994. Switzerland (Project MAC) Association. MIT Project on Mathematics and Computation.

"New York's Panix Service Is Crippled by Hacker Attack." Robert E. Calem. The New York Times. September 14, 1996.

"Pentagon Web Sites Closed After Visit from Hacker." Nando.net News Service. December 30, 1996.

"Post Office Announces Secure E-Mail." Boot. March 1997.

"SATAN Uncovers High Risk of Web Attack." S. L. Garfinkel. San Jose Mercury News. December 19, 1996.

"Secure Your Data: Web Site Attacks On The Rise!" Stewart S. Miller. Information Week. January 29, 1996.

"Security and the World Wide Web." D. I. Dalva. Data Security Letter. June, 1994.

"Security Is Lost in Cyberspace." News & Observer. February 21, 1995.

"Statement Before Senate Subcommittee on Governmental Operations." June 25, 1996. John Deutch, Director, CIA.

"Student's Expulsion Over E-Mail Use Raises Concern." Amy Harmon. Los Angeles Times. November 15, 1995.

"The First Internet War; The State of Nature and the First Internet War: Scientology, its Critics, Anarchy, and Law in Cyberspace." David G. Post. Reason Magazine. April, 1996.

"The Paradox of the Secrecy About Secrecy: The Assumption of A Clear Dichotomy Between Classified and Unclassified Subject Matter." Paul Baran. MEMORANDUM RM-3765-PR; August 1964, On Distributed Communications: IX Security, Secrecy, and Tamper-Free Considerations. The Rand Corporation.

"U.S. Files Appeal in Dismissed Baker Case." Zachary M. Raimi. The Michigan Daily. November 22, 1995.

"What's the Plan? Get a Grip on Improving Security Through a Security Plan." Peter Galvin. SunWorld Online. September 1995.

"Windows NT Security Questioned: Experts Say Hackers Could Gain Entry to System." Stuart J. Johnston (http://www.informationweek.com). CMP Media, Techweb.

Tools

Following is a list of tools. Some of these tools were coded by the establishment (the legitimate security community). Others were authored by amateur hackers and crackers.

Password Crackers

Crack: Cracks UNIX passwords on UNIX platforms.

MacKrack v2.01b1: Cracks UNIX passwords on the MacOS platform.

CrackerJack: Cracks UNIX passwords on the Microsoft platform.

PaceCrack95: Cracks UNIX passwords on the Windows 95 platform.

Qcrack: Cracks UNIX passwords on DOS, Linux, and Windows platforms.

John the Ripper: Cracks UNIX passwords on the DOS and Linux platforms.

Pcrack (PerlCrack): Cracks UNIX passwords on the UNIX platform.

Hades: This UNIX password cracker is available everywhere. Try the search string hades.zip.

Star Cracker: This utility is for the DOS4GW environment. It cracks UNIX passwords.

Killer Cracker: Cracks UNIX passwords under UNIX.

Hellfire Cracker: Cracks UNIX passwords on the DOS platform.

XIT: Cracks UNIX passwords on the DOS platform.

Claymore: A generalized password cracker for Windows.

Guess: Cracks UNIX passwords on the DOS platform. This utility is available everywhere. Try the search string guess.zip.

PC UNIX Password Cracker: The name of this utility says it all. This tool is hard to find; I know of no reliable locations, but you might try the name as a search string.

ZipCrack: Cracks the passwords on Zip archives. Try the search string zipcrk10.zip.

Password NT: Cracks NT passwords.

Sniffers

Gobbler: Sniffs in the DOS environment. This tool is good for sniffing Novell NetWare networks.

ETHLOAD: Sniffs Ethernet and token ring networks.

Netman: Awesome sniffer suite for use on UNIX platforms.

Esniff.c: Sniffer for use on UNIX machines (specifically SunOS and Solaris).

Sunsniff: The title says it all. This utility is a good sniffer for SunOS.

linux_sniffer.c: Runs on the Linux platform.

Nitwit.c: For use on the Sun platform.

Scanners and Related Utilities

NSS: Network Security Scanner. Written in Perl, runs on UNIX.

Strobe: Runs on UNIX.

SATAN: Runs on UNIX; you must have Perl.

Jakal: Runs on UNIX. Scans behind firewalls.

IdentTCPscan: Runs on UNIX; identifies the UID of all running processes.

CONNECT: Are you looking for a vulnerable TFTP server? Try this utility. It runs on UNIX.

FSPScan: This UNIX utility identifies vulnerable FSP servers.

XSCAN: Locates vulnerable X servers.

NetScan Tools: Win95 port of many UNIX snooping utilities.

Network Toolbox: Runs on Windows 95. Has many common UNIX snooping utilities and a port scanner.

IS User Information for Windows 95: A very good generalized network analysis tool.

TCP/IP Surveyor: Microsoft platform.

MacTCP Watcher: TCP/IP analysis tool for the Macintosh platform.

Query It!: Nslookup utility for Mac.

WhatRoute: Port of the popular UNIX utility Traceroute to Mac.

Destructive Devices

The UpYours Mail Bombing Program: To obtain UpYours, try the string upyours3.zip.

Kaboom: This device is an e-mail bomber. To obtain it, try the string kaboom3.exe.

Avalanche: This device is yet another mail-bombing utility. Avalanche is for Windows. Try the search string avalanche20.zip.

The UnaBomber: This utility is a mail bomber for the Windows platform. To obtain it, try the search string unabomb.exe.

eXtreme Mail: This utility is a mail bomber for the Windows platform. To obtain it, try the search string xmailb1.exe.

Homicide: This utility is a mail bomber for the Windows platform. To obtain it, try the search string homicide.exe.

The UNIX MailBomb: This mail-bomb utility by CyBerGoAT works on all UNIX platforms. To obtain it, try the search string MailBomb by CyBerGoAT.

Bombtrack: This is a mail bombing utility for Macintosh.

FlameThrower: This is a Macintosh mail-bombing utility.

Finger Clients

WSFinger (Windows)

Macfinger (Macintosh)

FFEU (OS/2)

Technical Reports and Publications

"A Basis for Secure Communication in Large Distributed Systems." David P. Anderson and P. Venkat Rangan. UCB//CSD-87-328. January 1987.

"A Cryptographic File System for UNIX." Matt Blaze. 1st ACM Conference on Computer and Communications Security. pp. 9-16. ACM Press. November, 1993.

Actually Useful Internet Security Techniques. New Riders. Larry J. Hughes, Jr. ISBN: 1-56205-508-9. 1995.

"A Network Perimeter With Secure External Access." Frederick M. Avolio and Marcus J. Ranum. An extraordinary paper that details the implementation of a firewall purportedly at the White House. Trusted Information Systems, Incorporated. Glenwood, MD. January 25, 1994.

"A Prototype B3 Trusted X Window System." J. Epstein, J. Mc Hugh, R. Pascale, H. Orman, G. Benson, C. Martin, A. Marmor-Squires, B. Danner, and M. Branstad, The proceedings of the 7th Computer Security Applications Conference, December, 1991.

"A Security Architecture for Fault-Tolerant Systems." Michael K. Reiter, Kenneth P. Birman, and Robbert Van Renesse. TR93-1354. June 1993.

"Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise." 1st ACM Conference on Computer and Communications Security, pp. 244-250. ACM Press. November 1993.

"Benchmarking Methodology for Network Interconnect Devices." RFC 1944. S. Bradner and J. McQuaid.

Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates. ISBN: 1-56592-124-0. 1995.

"Charon: Kerberos Extensions for Authentication over Secondary Networks." Derek A. Atkins. 1993.

"Check Point FireWall-1 Introduction." Checkpoint Technologies firewall Information.

"Cisco PIX Firewall." Cisco Systems firewall information.

"Comparison: Firewalls." LANTimes. June 17, 1996. Comprehensive comparison of a wide variety of firewall products.

"Computer User's Guide to the Protection of Information Resources." NIST Special Publication.

"Covert Channels in the TCP/IP Protocol Suite." Craig Rowland. Rotherwick & Psionics Software Systems Inc.

"Crack Version 4.1: A Sensible Password Checker for UNIX." A. Muffett. Technical Report, March 1992.

"Daemons And Dragons UNIX Accounting." Dinah McNutt. UNIX Review. 12(8). August 1994.

"Designing Plan 9." Rob Pike, Dave Presotto, and Ken Thompson. Dr. Dobb's Journal. Volume 16, p. 49. January 1, 1991.

"Dyad: A System for Using Physically Secure Coprocessors." Dr. (Professor) J. Douglas Tygar and Bennet Yee, School of Computer Science at Carnegie Mellon University.

"Evolution of a Trusted B3 Window System Prototype." J. Epstein, J. McHugh, R. Psacle, C. Martin, D. Rothnie, H. Orman, A. Marmor-Squires, M. Branstad, and B. Danner. In proceedings of the 1992 IEEE Symposium on Security and Privacy, 1992.

"Features of the Centri Firewall." Centri firewall information.

"Firewall Application Notes." Good document that starts by describing how to build a firewall. Also addresses application proxies, sendmail in relation to firewalls, and the characteristics of a bastion host. Livingston Enterprises, Inc.

"Firewall Performance Measurement Techniques: A Scientific Approach." Marcus Ranum. February 4, 1996 (last known date of modification).

Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley Professional Computing. ISBN: 0-201-63357-4. 1994.

Firewalls FAQ. Marcus J. Ranum.

"Five Reasons Why an Application Gateway is the Most Secure Firewall." Global Internet.

"Group of 15 Firewalls Hold Up Under Security Scrutiny." Stephen Lawson. InfoWorld. June 1996.

"If You Can Reach Them, They Can Reach You." William Dutcher. A PC Week Online Special Report. June 19, 1995.

"Improving the Security of Your Site by Breaking Into It." Dan Farmer and Wietse Venema. 1995.

"Improving X Windows Security." Linda Mui. UNIX World. Volume IX, Number 12. December 1992.

"Integrating Security in a Group Oriented Distributed System." Michael K. Reiter, Kenneth P. Birman, and Li Gong. TR92-1269. February 1992.

"Internet Firewalls: An Introduction." Firewall white paper. NMI Internet Expert Services.

Internet Firewalls and Network Security (Second Edition). New Riders. Chris Hare and Karanjit Siyan. ISBN: 1-56205-632-8. 1996.

Internet Security Resource Library: Internet Firewalls and Network Security, Internet Security Techniques, Implementing Internet Security. New Riders. ISBN: 1-56205-506-2. 1995.

"Intrusion Protection for Networks 171." Byte Magazine. April, 1995.

"IP v6 Release and Firewalls." Uwe Ellermann. 14th Worldwide Congress on Computer and Communications Security Protection. pp. 341-354. June 1996.

"Is Plan 9 Sci-Fi or UNIX for the Future?" Anke Goos. UNIX World. Volume 7, p. 61. October 1, 1990.

"Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls." John P. Wack and Lisa J. Carnahan. National Institute of Standards and Technology. February 9, 1995.

"Making Your Setup More Secure." NCSA tutorial pages.

"Multilevel Security in the UNIX Tradition." M. D. McIlroy and J. A. Reeds. SWPE. 22(8), pp. 673-694. 1992.

"NCSA Firewall Policy Guide." Compiled by Stephen Cobb, Director of Special Projects. National Computer Security Association.

"Network Firewalls." Steven M. Bellovin and William R. Cheswick. IEEECM, 32(9), pp. 50-57. September 1994.

"Networks Without User Observability: Design Options." Andreas Pfitzmann and Michael Waidner. Eurocrypt '85, LNCS 219, Springer-Verlag, Berlin 1986, 245-253.

"On Access Checking in Capability-Based Systems." Richard Y. Kain and C. E. Landwehr. IEEE Trans. on Software Engineering Volume SE-13, Number 2 (Feb. 1987) pp. 202-207; reprinted from Proc. 1986 IEEE Symposium on Security and Privacy, April, 1986, Oakland, CA.

"On the (In)Security of the Windowing System X." Marc VanHeyningen. Indiana University. September 14, 1994.

"Packet Filtering for Firewall Systems." February 1995. CERT (and Carnegie Mellon University).

"Packets Found on an Internet." Steven M. Bellovin. Interesting analysis of packets appearing at the application gateway of AT&T. Lambda. August 23, 1993.

"Password Security: A Case History." Robert Morris and Ken Thompson.

PCWEEK Intranet and Internet Firewall Strategies. Ed Amoroso and Ron Sharp. Ziff-Davis Press. ISBN: 1562764225. 1996.

"Plan 9." Sean Dorward, Rob Pike, and Dave Presotto. UNIX Review. Volume 10, p. 28. April 1, 1992.

"Plan 9: Feature Film to Feature-Rich OS." Paul Fillinich. Byte Magazine. Volume 21, p. 143. March 1, 1996.

"Plan 9 from AT&T." David Bailey. UNIX Review. Volume 1, p. 27. January 1, 1996.

"Plan 9 from Bell Labs." Rob Pike, Dave Presotto, and Phil Winterbottom. Computing Systems Journal. Volume 8, p. 221. Summer, 1995.

"Plan 9: Son of UNIX." Robert Richardson. LAN Magazine. Volume 11, p. 41. August 1, 1996.

"Private Communication Technology Protocol." Daniel Simon. April 1996.

"Product Overview for IBM Internet Connection Secured Network Gateway for AIX, Version 2.2." IBM firewall information.

"Program Predictability and Data Security." Charles G. Moore III and Richard W. Conway. TR74-212.

"Protecting the Fortress From Within and Without." R. Scott Raynovich. LAN Times. April 1996.

"Rating of Application Layer Proxies." Michael Richardson. November 13, 1996.

"Reducing the Proliferation of Passwords in Distributed Systems Information Processing." Education and Society. Volume II, pp. 525-531. Elsevier Science Publishers B.V. (North Holland). 1992.

"Robust and Secure Password/Key Change Method Proceedings of the Third European Symposium on Research in Computer Security (ESORICS)." Ralf Hauser, Phil Janson, Refik Molva, Gene Tsudik, and Els Van Herreweghen. LNCS, pp. 107-122, SV, November 1994.

"Secure Computing Firewall for NT." Overview. Secure Computing.

"Security and the X Window System." Dennis Sheldrick. UNIX World. 9(1), p. 103. January 1992.

"Security in Public Mobile Communication Networks." Hannes Federrath, Anja Jerichow, Dogan Kesdogan, and Andreas Pfitzmann. Proceedings of the IFIP TC 6 International Workshop on Personal Wireless Communications, Prague 1995, pp. 105-116.

"Security in Open Systems." (NIST) John Barkley, editor (with Lisa Carnahan, Richard Kuhn, Robert Bagwill, Anastase Nakassis, Michael Ransom, John Wack, Karen Olsen, Paul Markovitz, and Shu-Jen Chang). U.S. Department of Commerce. Section: The X Window System: Bagwill, Robert.

"Security in the X11 Environment." Pangolin. University of Bristol, UK. January, 1995.

"Selective Security Capabilities in ASAP--A File Management System." Richard W. Conway, W. L. Maxwell, and Howard L. Morgan. TR70-62. June 1970.

"Session-Layer Encryption." Matt Blaze and Steve Bellovin. Proceedings of the Usenix Security Workshop, June 1995.

"Site Security Handbook." Update and Idraft version; June 1996, CMU. Draft-ietf-ssh-handbook-03.txt. Barbara Fraser.

"SQL*Net and Firewalls." David Sidwell and Oracle Corporation.

"Talking Securely." Mark Arnold, Anthony Boyd, Susan Dalton, Flora Lo, Adam Millard, and Shalini Shah. 1994.

"TCP WRAPPER: Network Monitoring, Access Control, and Booby Traps." Wietse Venema. Proceedings of the Third Usenix UNIX Security Symposium, pp. 85-92, Baltimore, MD. September 1992.

The Cuckoo's Egg. Pocket Books. Cliff Stoll. ISBN: 0-671-72688-9. 1989.

"The Eagle Firewall Family." Raptor firewall information.

"The Empirical Evaluation of a Security-Oriented Datagram Protocol." David P. Anderson, Domenico Ferrari, P. Venkat Rangan, B. Sartirana. U of California Berkeley, CS csd-87-350. UCB//CSD-87-350, April 1987.

"There Be Dragons." Steven M. Bellovin. To appear in proceedings of the Third Usenix UNIX Security Symposium, Baltimore, September 1992. AT&T Bell Laboratories, Murray Hill, NJ. August 15, 1992.

"The Secure HyperText Transfer Protocol." E. Rescorla and A. Schiffman. EIT. July 1995.

"The SSL Protocol." (IDraft) Alan O. Freier and Philip Karlton (Netscape Communications) with Paul C. Kocher.

"The SunScreen Product Line Overview." Sun Microsystems.

"The TAMU Security Package. An Ongoing Response to Internet Intruders in an Academic Environment." David R. Safford, Douglas Lee Schales, and David K. Hess. Proceedings of the Fourth Usenix UNIX Security Symposium, pp. 91-118, Santa Clara, CA. October 1993.

"The X Window System." Robert W. Scheifler and Jim Gettys. ACM Transactions on Graphics. Volume 5, Number 2, pp. 79-109. April 1986.

"Undetectable Online Password Guessing Attacks." Yun Ding and Patrick Horster. OSR. 29(4), pp. 77-86. October 1995.

"Using Screend to Implement TCP/IP Security Policies." Jeff Mogul. Rotherwick and Digital.

"Vulnerability in Cisco Routers Used as Firewalls." Computer Incident Advisory Capability Advisory: Number D-15. May 12, 1993.

"WAN-Hacking with AutoHack--Auditing Security behind the Firewall." Alec D.E. Muffett. (Network Security Group, Sun Microsystems, United Kingdom.) Written by the author of Crack, the famous password-cracking program. Extraordinary document that deals with methods of auditing security from behind a firewall (and auditing of a network so large that it contained tens of thousands of hosts). June 6, 1995.

"Warding Off the Cyberspace Invaders." Amy Cortese. Business Week. March 13, 1995.

"Windows NT Firewalls Are Born." PC Magazine. February 4, 1997. Jeffrey G. Witt.

"X Through the Firewall, and Other Application Relays." Treese/Wolman. Digital Equipment Corp. Cambridge Research Lab. October, 1993(?).

"X Window System Security." Ben Gross and Baba Buehler. Beckman Institute System Services. Last Apparent Date of Modification: January 11, 1996.

"X Window Terminals." Björn Engberg and Thomas Porcher. Digital Technical Journal of Digital Equipment Corporation. 3(4), pp. 26-36. Fall 1991.

Intrusion Detection

"A Methodology for Testing Intrusion Detection Systems." N. F. Puketza, K. Zhang, M. Chung, B. Mukherjee, R. A. Olsson. IEEE Transactions on Software Engineering, Volume 22, Number 10. October 1996.

"An Introduction to Intrusion Detection." Aurobindo Sundaram. Last apparent date of modification: October 26, 1996.

"A Pattern-Oriented Intrusion-Detection Model and Its Applications." Shiuhpyng W. Shieh and Virgil D. Gligor. Research in Security and Privacy, IEEECSP. May 1991.

Bibliography on Intrusion Detection. The Collection of Computer Science Bibliographies.

"Detecting Unusual Program Behavior Using the Statistical Component of the Next-generation Intrusion Detection Expert System (NIDES)." Debra Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, and Alfonso Valdes. SRI-CSL-95-06, May 1995. Available in hard copy only. The abstract is at

"Fraud and Intrusion Detection in Financial Information Systems." S. Stolfo, P. Chan, D. Wei, W. Lee, and A. Prodromidis. 4th ACM Computer and Communications Security Conference, 1997.

"GrIDS--A Graph-Based Intrusion Detection System for Large Networks." S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle. The 19th National Information Systems Security Conference.

"Holding Intruders Accountable on the Internet." S. Staniford-Chen and L.T. Heberlein. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 8-10, 1995.

Intrusion Detection Bibliography.

Intrusion Detection Bibliography (Another)

"Intrusion Detection for Network Infrastructures." S. Cheung, K.N. Levitt, C. Ko. 1995 IEEE Symposium on Security and Privacy, Oakland, CA, May 1995.

"Intrusion Detection Systems (IDS): A Survey of Existing Systems and A Proposed Distributed IDS Architecture." S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, T. Grance, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, D.L. Mansur, K.L. Pon, and S.E. Smaha. Technical Report CSE-91-7, Division of Computer Science, University of California, Davis, February 1991.

"Machine Learning and Intrusion Detection: Current and Future Directions." J. Frank. Proceedings of the 17th National Computer Security Conference, October 1994.

"NetKuang--A Multi-Host Configuration Vulnerability Checker." D. Zerkle and K. Levitt. Proceedings of the 6th Usenix Security Symposium. San Jose, California. 1996.

"Network Intrusion Detection." Biswanath Mukherjee, L. Todd Heberlein, and Karl N. Levitt. IEEE Network, May 1994.

"Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions." M. Chung, N. Puketza, R.A. Olsson, B. Mukherjee. Proceedings of the 1995 National Information Systems Security Conference. Baltimore, Maryland. 1995.

Mailing Lists

Intrusion Detection Systems. This list concentrates primarily on discussions about methods of intrusion or intrusion detection.

Target: majordomo@uow.edu.au

Command: subscribe ids (in body of message)

The WWW Security List. Members of this list discuss all techniques to maintain (or subvert) WWW security (things involving secure methods of HTML, HTTP, and CGI).

Target: www-security-request@nsmx.rutgers.edu

Command: SUBSCRIBE www-security your_email_address (in body of message)

The Sneakers List. This list discusses methods of circumventing firewall and general security. This list is reserved for lawful tests and techniques.

Target: majordomo@CS.YALE.EDU

Command: SUBSCRIBE Sneakers (in body of message)

The Secure HTTP List. This list is devoted to the discussion of S-HTTP and techniques to facilitate this new form of security for WWW transactions.

Target: shttp-talk-request@OpenMarket.com

Command: SUBSCRIBE (in body of message)

The NT Security List. This list is devoted to discussing all techniques of security related to the Microsoft Windows NT operating system. Individuals also discuss security aspects of other Microsoft operating systems.

Target: request-ntsecurity@iss.net

Command: subscribe ntsecurity (in body of message)

The Bugtraq List. This list is for posting or discussing bugs in various operating systems, though UNIX is the most often discussed. The information here can be quite explicit. If you are looking to learn the fine aspects (and cutting-edge news) of UNIX security, this list is for you.

Target: LISTSERV@NETSPACE.ORG

Command: SUBSCRIBE BUGTRAQ (in body of message)

Underground Resources

Phrack Magazine: A hacker e-zine that has been in existence for many years. There is a great deal of hard-core technical information in it, as well as a fascinating section called "Phrack World News," which recounts cracker and hacker activities in recent months.

Underground: The home page of Aleph 1 (and the computer underground society). This page has practical information and tools. Aleph 1 is an authority on UNIX security, and Underground is probably one of the best underground pages ever posted.

LHI Technologies (L0pht Heavy Industries): This group is composed of some of the most talented underground hackers. The archives at this site contain rare papers and reports, some written by the site's proprietors.

The Infonexus: This site houses most of the tools that have ever been made for UNIX, NT, Novell, and DOS. It also houses some very interesting files that you cannot find elsewhere. The proprietor is Route, an individual who authored one of the most recent denial-of-service tools, the syn_flooder. This site is smokin'.

Eight Little Green Men [8LGM]: A group of individuals who work independently to discover holes in various platforms. Famous for posting exploit scripts.

The alt.2600/#hack FAQ: The FAQ for the popular Usenet newsgroup, alt.2600. Some interesting information can be found here, ranging from info about war dialers to tips for covering your tracks after a break-in.

The Hacks and Cracks Page: Files, files, and more files. Many files for different platforms, including but not limited to DOS, Windows, and Mac.

The Mac Hack Page: Mac hacking and cracking. Many files and links to other sites. A good starting place for the Mac hacker or cracker.

H/P/A Links and Bullshit: A rather anarchistic but somewhat informational page with many, many links.

EFF "Hacking, Cracking, Phreaking" Archive: This is the archive of the Electronic Frontier Foundation, a non-profit organization that advocates civil liberties in cyberspace.




Macmillan Computer Publishing USA

© Copyright, Macmillan Computer Publishing. All rights reserved.