White Hat Sites
American cinema of the 1930s, 40s, and early 50s, with its endless stream of big-city gangsters and singing cowboys, popularized the metaphorical idea that "good guys" wear white hats and "bad guys" reliably identify themselves by wearing black hats. Extending the tradition today, "white hat" computer security researchers find security holes in commercial software, but instead of telling everyone, they first inform the manufacturer of the flaw. Then they cooperate with the manufacturer in getting the flaw fixed before announcing their discovery to the public. We appreciate the efforts of these good guys:
http://www.ntbugtraq.com
Don't let the "NT" fool you: Russ Cooper's site tracks security vulnerabilities in every kind of Microsoft software that businesses typically use, from server software to Office. Russ's extraordinarily objective assessments neither bash Microsoft nor cover up its sometimes egregious security lapses. He has developed good relationships with key Microsoft personnel, and can often provide a straighter scoop on MS flaws than you can get through official MS channels.
http://www.hackerintel.com
We like this site as a source of information about hacking and network security-related events. Administrators from educational institutions should consider bookmarking this site, because its multi-faceted coverage includes news accounts hard to find elsewhere about university networks being hacked.
http://www.counterpane.com/crypto-gram.html
Bruce Schneier has two gifts you rarely see in one person: he is a bona fide cryptographic expert, and he can write in clear, everyday English. This free e-newsletter is not an alert service; rather, Schneier's insights on security issues will, over time, teach you how to think about security in general -- for example, how to assess whether a "cure" costs more than the risk it addresses, and how to resist falling for a great-sounding plan that doesn't actually provide added security.
http://www.insecure.org
Check out the online home of the well-known security researcher Fyodor, who authored nmap, the best port scanning tool available. From this site you can download nmap and 74 other security tools written by others, many of them excellent. Insecure.org also serves as a repository for numerous security lists which may not have an archive of their own (such as FullDisclosure). If you don't want to junk up your Favorites with every security list (BugTraq, FullDisclosure, Pen Test, etc.), bookmark this one site and you can find 'em all from here.
http://www.governmentsecurity.org
Despite its name, this site is not sponsored by a government. Like many of the other sites we've recommended, it archives daily security news. But our favorite feature is the moderated security forums, where you can discuss relevant topics (ranging from general network security, to how to compile and run specific exploits) with other network administrators.