"Real" Security Sites

[Moby-Dick]

Forget about Steve Gibson - I'm talking about proper scurity lists , free of phoney "experts" like the above.

The following is shamelessly copied and pasted form a news mail I periodically receive

By Scott Pinzon, LiveSecurity Lead Editor, and Corey Nachreiner, Network Security Analyst, WatchGuard Technologies, Inc.

In January 2004, LiveSecurity readers applauded our Foundations article listing security sites especially helpful to "newbie" network administrators. In this sequel, Corey and I recommend a second batch of sites, this time for the more clueful administrator. If you know what a packet sniffer is, like to inspect actual exploit code, or can readily grasp the security implications of new findings, we think you'll value these sites just as we do.

First, a note to any intrepid beginner who is reading this: not all of these sites are sponsored by good guys. Some of them post malicious code that hackers use. Don't download or execute anything you don't fully understand.

And with that caveat, we present more great sites ranging from the technically lofty to the down-and-dirty.

[Moby-Dick]

White Hat Sites
American cinema of the 1930s, 40s, and early 50s, with their endless stream of big-city gangsters and singing cowboys, popularized the metaphorical idea that "good guys" wear white hats and "bad guys" reliably identify themselves by wearing black hats. Extending the tradition today, "white hat" computer security researchers find security holes in commercial software, but instead of telling everyone, they first inform the manufacturer of the flaw. Then they cooperate with the manufacturer in getting the flaw fixed before announcing their discovery to the public. We appreciate the efforts of these good guys:

http://www.ntbugtraq.com

Don't let the "NT" fool you: Russ Cooper's site tracks security vulnerabilities in every kind of Microsoft software that businesses typically use, from server software to Office. Russ's extraordinarily objective assessments neither bash Microsoft, nor cover their sometimes egregious security lapses. He has developed good relationships with key Microsoft personnel, and can often provide a straighter scoop on MS flaws than you can get through official MS channels

http://www.hackerintel.com

We like this site as a source of information about hacking and network security-related events. Administrators from educational institutions should consider bookmarking this site, because its multi-faceted coverage includes news accounts hard to find elsewhere about university networks being hacked.

http://www.counterpane.com/crypto-gram.html

Bruce Schneier has two gifts you rarely see in one person: he is a bona fide cryptographic expert, and he can write in clear, everyday English. This free e-newsletter is not an alert service; rather, Schneier's insights on security issues will, over time, teach you how to think about security in general -- for example, how to assess whether a "cure" costs more than the risk it addresses, and how to resist falling for a great-sounding plan that doesn't actually provide added security

http://www.insecure.org

Check out the online home of the well-known security researcher Fyodor, who authored nmap, the best port scanning tool available. From this site you can download nmap and 74 other security tools from others, many of them excellent. Insecure.org serves as a repository for numerous other security lists which may not have an archive of their own (such as FullDisclosure). If you don't want to junk up your Favorites with every security list (BugTraq, FullDisclosure, Pen Test, etc.) bookmark this one site and you can find 'em all from here.

http://www.governmentsecurity.org

Despite its name, this site is not sponsored by a government. Like many of the other sites we've recommended, it archives daily security news. But our favorite feature is the moderated security forums, where you can discuss relevant topics (ranging from general network security, to how to compile and run specific exploits) with other network administrators.

[Blub2k]

Ok so it all makes sense now, edited accordingly.

[Moby-Dick]

Grey-hat sites
We characterize these security researchers as "grey hats" because, unlike white hats, they might not inform the appropriate manufacturer before publicly revealing their findings and posting exploit code (often passed off euphemistically as "proof of concept" code). Technically they're not breaking laws or acting maliciously, like "black hats." But announcing security holes before vendors can fix them is like giving an army a map of the castle they're attacking, with a big red arrow marking the secret entrance. Grey hats commonly claim their behavior contributes to overall security by making vendors watch themselves more diligently. Whether that is true is a religious battle we'll leave to someone else.

Nonetheless, "grey hat" sites are worth inspecting when you want to understand more about how a particular vulnerability works. These sites are often the first to reveal new vulnerabilities, much sooner than you'll get the info from the appropriate vendor. When trying to prioritize how urgently you need to patch flawed software on your network, flaws where the exploit code is publicly posted should go to the top of your list. To learn whether exploit code is publicly available, monitor our LiveSecurity alerts, and check some of the following sites.

http://www.safecenter.net/UMBRELLAWE...hed/index.html

Researchers have found numerous security flaws in Internet Explorer that Microsoft has not patched yet. Some holes are serious (for example, one enables a hacker who has lured you to his malicious Web site to silently install and execute code on your computer). Liu Die Yu's site maintains a list of these unresolved flaws, which numbered a whopping two dozen as we wrote this. Many of his descriptions include workarounds that minimize the vulnerability while we all wait for Microsoft's patch.

http://www.packetstormsecurity.org

This site offers a repository of the Top 20 security tools, advisories, and exploits, updated throughout each week.

http://www.k-otik.com

This French site is usually the first place you'll find significant exploit code. They also archive notable white papers in various languages, so multilingual administrators can get a world of security instruction here.


http://www.2600.com/"

This Web site supplements the printed journal 2600 , the seminal, well-known "hacker's quarterly," where programmers inform one another of new flaws, exploits, and attacks on everything from networks to phone systems. Worth a read so you can realistically assess the strength of your countermeasures.


http://www.phrack.org

Much like 2600, but e-zine only and freely available for download.

[Moby-Dick]

But Wait, There's More...
Ever seen those infomercials that tout feature after feature of some ludicrous gewgaw, asking, "Now how much would you pay? But wait -- there's more!" Time (yours) and space (ours) prevent us from listing all of the useful resources available on the Net. But we just have to mention, if only in passing, the sites of three security experts we admire:


If you like Dave Piscitello's monthly LiveSecurity articles, check out the incisive, unleashed version of Dave at his blog

http://hhi.corecom.com/weblogindex.htm

Fred Avolio dispenses conversational, highly-readable security advice at his site:

http://www.avolio.com/papers.html

Rik Farrow hosts unique resources, such as a list of what ports various attacks use, on his site

http://www.spirit.com/

For fun, no self-respecting geek should miss viewing science, pop culture, and the world of computers through the perspective of the IT-minded community (millions strong!) who contribute to Slashdot .

( not gonna post the /. link as you should all know it )

[/quote]

Thanks to the guys at watchguard.com for that

[Paul Adams]

Nice info, though I went to the www.safecenter.net link and saw the 2 dozen reported vulnerabilities in IE (list dated 27th Jan?) and I tested a couple but couldn't produce the expected (flawed) outcome.

Also, the "%01" phishing hole was resolved by making "user@password:site" format links an invalid syntax in IE now, so that's definitely one off the list.


Oh, and it should be Microsoft patch day tomorrow (well, late tonight) - it's the second Tuesday of the month... everyone make a note to visit Windows Update tomorrow morning

[Stoo]

http://neworder.box.sk/

Probably nearer Black Hat thatn anything else, but there's still usually a few nuggets