======Links - Security======

{{::secure_easy-to-use_cheap_choose_two.png|}} \\
{{::secure_easy-to-use_cheap_choose_two.zip|Dia original in .zip file.}}

Similar to [[wp>Zooko's_triangle|Zooko's triangle]].

=====Security sites=====

[[http://www.kb.cert.org/vuls/|US-CERT Vulnerability Notes Database]] \\
[[http://www.cert.org/|CERT]] \\
[[http://secunia.com/|Secunia - Vulnerability and Virus Information]] \\
[[http://www.securityfocus.com/|SecurityFocus]] \\
[[http://www.vulnwatch.org/|VulnWatch - Vulnerability Disclosure List]] \\
[[http://computersecuritynews.us/|Computer Security News]] \\
[[http://www.threatminded.com/|Threat Minded]] \\
[[http://www.ultimatewindowssecurity.com/|Ultimate Windows Security]] \\
[[http://insecure.org/|Insecure.Org]] \\
[[http://www.cisecurity.org/|Center for Internet Security]] \\
[[https://www.commoncriteriaportal.org/|Common Criteria Portal]]

[[http://www.cvedetails.com/|CVE Details]] provides an overview of CVEs per vendor/product. Examples:
  * [[http://www.cvedetails.com/version-list/45/66/1/Apache-Http-Server.html|CVE Details - Apache HTTPD vulnerabilities by version]]
  * [[http://www.cvedetails.com/version-list/45/887/1/Apache-Tomcat.html|CVE Details - Apache Tomcat vulnerabilities by version]]
  * [[http://www.cvedetails.com/version-list/97/163/1/Openbsd-Openbsd.html|CVE Details - OpenBSD vulnerabilities by version]]
  * [[http://www.cvedetails.com/version-list/74/128/1/PHP-PHP.html|CVE Details - PHP vulnerabilities by version]]
  * [[http://www.cvedetails.com/version-list/252/22134/1/Vmware-Esxi.html|CVE Details - VMware ESXi vulnerabilities by version]]
  * [[http://www.cvedetails.com/version-list/252/23748/1/Vmware-Vcenter-Server-Appliance.html|CVE Details - VMware vCenter Server Appliance vulnerabilities by version]]

[[https://github.com/distributedweaknessfiling/|GitHub - Distributed Weakness Filing]] \\
[[https://cve.mitre.org/cve/data_updates.html|CVE Data Updates and RSS Feeds]] \\
[[https://nvd.nist.gov/vuln/data-feeds|NVD Data Feeds]] \\
[[http://www.schneier.com/|Bruce Schneier - security technologist.]] \\
[[http://www.nsa.gov/snac/|NSA Security Configuration Guides]] \\
[[http://www.bluetack.co.uk/forums/index.php|B.I.S.S. - Bluetack Internet Security Solutions]], home of BlockList Manager (BLM) \\
[[http://www.blacksheepnetworks.com/infosec.html|Black Sheep Networks - Information Security]] contains security guides for Windows, Netware and several flavors of UNIX. \\
[[http://www.cs.auckland.ac.nz/~pgut001/|Peter Gutmann's Home Page]]:
  * [[http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html|Secure Deletion of Data from Magnetic and Solid-State Memory]]

====Non-CVE vulnerability IDs====

[[https://www.freeovi.com/numbers.html|OVI - Open Vulnerability ID]] is a free vulnerability identification number that can be obtained by anyone. Just click below to get your number and use it for your disclosure. \\
[[http://www.openwall.com/ove/|OVE]] These are unique IDs that you may use to refer to software security vulnerabilities (one ID per vulnerability), much like we use CVE IDs. The difference is that OVE IDs are trivial and quick to obtain, unlike CVE IDs, but as a consequence OVE IDs are issued without any verification, and moreover there's currently no mechanism to reject wrongly assigned/used OVE IDs, nor to merge duplicates. \\
[[https://github.com/distributedweaknessfiling/DNA-Registry/|GitHub - distributedweaknessfiling/DNA-Registry]] The goal of this project is to allow well-known security researchers and company security teams to assign DWF-style identifiers to security vulnerabilities with minimal overhead. \\

====Blogs====

[[http://stvrly.wordpress.com/|Get secure with Steve Riley]] \\
[[http://whatthehellsecurity.com/|What The Hell? Security]] \\

=====Tools=====

[[http://www.remote-exploit.org/backtrack.html|BackTrack]] is the most top-rated Linux live distribution focused on penetration testing.
With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. \\
[[http://www.portknocking.org/|Portknocking]] \\

=====Suites/Applications=====

[[http://www.packetfence.org/|PacketFence]] is a free and open source network access control (NAC) system. \\

=====Misc=====

[[http://www.schneier.com/crypto-gram-9812.html|Iomega Zip Disks]] \\
[[http://www.ieee-security.org/Cipher/PastIssues/1996/issue9602/issue9602.txt|Hacker Challenges -- Boon or Bane?]] Commentary by Gene Spafford, with responses from Sameer Parekh, Jon Wiederspan, and Jeff Weinstein \\
[[http://www.ieee-security.org/|IEEE Computer Society's Technical Committee on Security and Privacy]] \\
[[http://www.neohapsis.com/|Neohapsis]] \\
"Slightly off-topic, but perhaps a nice thing to know.. With JavaScript a website can read what you have on your clipboard (Ctrl+C).. [[http://www.skateboarden-denbosch.nl/clipboard.html|Example]] \\
Not a bug but a feature \\
Next time, think twice before you copy and paste a password.."
[[http://gathering.tweakers.net/forum/list_messages/1134479|USB Stick beveiligingsmethoden]] \\
[[http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm|Why popular antivirus apps 'do not work']] \\
[[http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm|Eighty percent of new malware defeats antivirus]] \\
[[http://it.slashdot.org/article.pl?sid=06/07/22/1612257|Why Popular Anti-Virus Apps 'Don't Work']] \\
[[http://it.slashdot.org/article.pl?sid=06/07/30/0547227|JavaScript Malware Open The Door to the Intranet]] \\
[[http://tweakers.net/nieuws/43712|JavaScript vormt toenemend veiligheidsrisico]] \\
[[http://www.mozilla.org/projects/security/known-vulnerabilities.html|Known Vulnerabilities in Mozilla Products]] \\
[[http://slashdot.org/article.pl?sid=06/07/28/212210|Thunderbird 2.0 Alpha 1, Firefox 1.5.0.5 Available]] \\
[[http://tweakers.net/nieuws/43698|Nieuwe update verhelpt ernstige Firefox-fouten (1.5.0.5)]] \\
http://www.firewallleaktester.com/ \\
[[http://www.boran.com/security/index.html|IT Security Cookbook]] \\
[[http://www.crypto.com/masterkey.html|Master-Keyed Lock Vulnerability]] \\
[[http://www.crypto.com/hobbs.html|Is it harmful to discuss security vulnerabilities?]] \\
[[http://cm.bell-labs.com/who/ken/trust.html|Reflections on Trusting Trust]] by Ken Thompson \\
[[http://www.networkworld.com/community/node/31124|SSLVPN Vulnerabilities - Client Certificates offer a superior defense over OTP devices]] \\
[[http://www.securityfocus.com/infocus/1876|SecurityFocus - Analyzing Malicious SSH Login Attempts]] \\
[[http://www.leastprivilege.com/|dominick baier on .net, security and other stuff]] \\
[[http://insecure.org/stf/tcp-dos-attack-explained.html|Explaining the "New" TCP Resource Exhaustion Denial of Service (DoS) Attack]] \\
[[http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html|[Full-disclosure] Blocking Skype]]:
The access list then is of the following form:
<code>
# Your acl definitions
# match request targets that are bare IPv4 addresses (Skype connects to IPs, not hostnames)
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT

# Apply your acls: deny CONNECT requests to numeric IP targets
http_access deny connect numeric_IPs
</code>

[[http://www.smashingmagazine.com/2009/09/25/svn-strikes-back-a-serious-vulnerability-found/|Smashing Magazine - SVN Server Admin Issue: Fix It!]] The .svn directories of production websites that are developed in SVN can in many cases be viewed. \\
[[http://socialmediasecurity.com/|Social Media Security - Exposing the insecurities of social media]] \\
[[http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html|Fully Countering Trusting Trust through Diverse Double-Compiling]] \\
[[http://mobilitics.blogspot.com/2009/03/why-nokia-wants-my-email-password.html|Mobile Matters - Why Nokia wants my email password?]] describes how Nokia's e-mail settings wizard sends your e-mail address and password over HTTPS to their server(s), and asks why. \\
[[http://mobilitics.blogspot.com/2009/03/information-about-nokia-email-case.html|Mobile Matters - Information about Nokia email case]] contains instructions to reproduce the tests yourself. \\
[[http://mobilitics.blogspot.com/2009/04/info-about-nokiagate.html|Mobile Matters - Info about the "Nokiagate"]] \\
[[http://mobilitics.blogspot.com/2009/04/nokias-statement-about-nokiagate.html|Mobile Matters - Nokia's statement about the Nokiagate]] \\
[[https://blog.torproject.org/blog/life-without-ca|Life without a CA]] \\
[[http://www.skullsecurity.org/blog/|SkullSecurity - Just another security weblog]] \\
[[http://www.skullsecurity.org/blog/2010/dns-backdoors-with-dnscat|SkullSecurity - DNS Backdoors with dnscat]] \\
[[http://www.skullsecurity.org/blog/2010/weaponizing-dnscat-with-shellcode-and-metasploit|SkullSecurity - Weaponizing dnscat with shellcode and Metasploit]] \\
[[http://www.skullsecurity.org/wiki/index.php/Dnscat|SkullSecurity - Wiki - dnscat]] \\
[[http://pauldotcom.com/2011/11/cracking-md5-passwords-with-bo.html|PaulDotCom - Cracking MD5 Passwords with BozoCrack]] "(...)it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results." \\
[[http://codahale.com/how-to-safely-store-a-password/|Coda Hale - How To Safely Store A Password]] \\
[[https://www.owasp.org/index.php/Main_Page|The Open Web Application Security Project (OWASP)]] \\
[[http://www.dwheeler.com/secure-programs/|Secure Programming for Linux and Unix HOWTO -- Creating Secure Software]], a free ebook by David A. Wheeler. \\
[[http://www.w3.org/Security/|W3C Security Home]] \\
[[http://irccrew.org/~cras/security/|UNIX Security]] \\
[[http://www.matousec.com/|matousec.com]] is a project run by a group of security experts focused on the security of desktop users. \\
[[http://xkcd.com/936/|xkcd - Password Strength]] correct horse battery staple \\
[[http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html|Beneath the Waves - Motorola Is Listening]] \\
[[http://frank.geekheim.de/?p=2379|Knowledge Brings Fear - Blackberry 10 macht E-Mail-Passworte für NSA und GCHQ zugreifbar]] \\
[[http://www.heise.de/newsticker/meldung/BlackBerry-spaeht-Mail-Login-aus-1919718.html|heise online - BlackBerry späht Mail-Login aus]] \\
[[http://doctarbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html|DoctorBeet's Blog - LG Smart TVs logging USB filenames and viewing info to LG servers]] via [[http://yro.slashdot.org/story/13/11/19/1318212/user-alleges-lg-tvs-phone-home-with-your-viewing-habits|Slashdot - User Alleges LG TVs Phone Home With Your Viewing Habits]] \\
[[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/|CloudCracker Blog - Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate]] In other words: stop using PPTP. \\
[[http://www.helsinkitimes.fi/finland/finland-news/domestic/9516-nokia-smartphone-leaks-information-abroad.html|Helsinki Times - Nokia smartphone leaks information abroad]] via [[http://beta.slashdot.org/story/198573|Slashdot - Lumia Phones Leaking Private Data To Microsoft]] \\
[[https://miknet.net/security/skey-dungeon-attack/|MikNet - S/Key Dungeon Attack]] \\
[[http://www.links.org/?p=1268|Links - Ben Laurie blathering - Who Remembers VASCO?]] \\
[[http://www.circl.lu/pub/tr-27/#recommendations|CIRCL - TR-27 - GNU Bash Critical Vulnerability - CVE-2014-6271 - CVE-2014-7169]] \\
[[https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/|Red Hat - Security Blog - Bash specially-crafted environment variables code injection attack]] \\
[[http://lcamtuf.blogspot.nl/2014/09/quick-notes-about-bash-bug-its-impact.html|lcamtuf's blog - Quick notes about the bash bug, its impact, and the fixes so far]] \\
[[http://www.puscii.nl/blog/content/whats-wrong-kids-these-days|Ranting for the Revolution! - What's wrong with the kids these days?]] \\
[[https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH|EFF - How to Protect Yourself from NSA Attacks on 1024-bit DH]] \\
[[https://capec.mitre.org/data/definitions/471.html|CAPEC-471: DLL Search Order Hijacking]] \\
[[https://tweakers.net/nieuws/128885/onderzoekers-schakelen-intel-management-engine-uit-via-ongedocumenteerde-functie.html|Tweakers.net - Onderzoekers schakelen Intel Management Engine uit via ongedocumenteerde functie]]

=====Certificate Authorities=====

[[http://ps-enable.com/articles/Certificate_file_types.html|ps Enable - A Brief Primer on Digital Certificates and File Types]] \\

====Open Source====

[[http://www.openca.org/|OpenCA]] \\
[[http://www.openxpki.org/|OpenXPKI]] \\

=====Cryptography=====

[[http://www.crypto.com/index.html|Matt Blaze's cryptography resource]] \\
[[http://rechten.uvt.nl/koops/cryptolaw/|Crypto Law Survey]] by Bert-Jaap Koops \\

=====DNS=====

[[https://www.dnsleaktest.com/|DNS leak test.com]] \\

=====USB=====

[[https://github.com/adamcaudill/Psychson|GitHub - Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)]] \\
[[http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe|USB Rubber Ducky]], [[https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads|GitHub - Payloads]] \\

=====FTP=====

[[http://tools.ietf.org/html/rfc2577|RFC 2577 - FTP Security Considerations]] \\

=====Keyloggers=====

====Hardware====

[[https://www.keelog.com/|KeyGrabber]] \\

=====BIOS/UEFI/Firmware=====

[[https://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf|Mitre - Extreme Privilege Escalation on Windows 8/UEFI Systems]] presentation.
Via [[http://tweakers.net/nieuws/99203/onderzoekers-vinden-ernstige-kwetsbaarheden-in-uefi.html|Tweakers - Onderzoekers vinden ernstige kwetsbaarheden in uefi]] \\
[[https://isc.sans.edu/diary/New+Supermicro+IPMIBMC+Vulnerability/18285|InfoSec Handlers Diary Blog - New Supermicro IPMI/BMC Vulnerability]] & [[http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/|CARISIRT: Yet Another BMC Vulnerability (And some added extras)]] \\

=====Physical Locks=====

[[https://www.youtube.com/watch?v=YcpSvHpbHQ4|YouTube - Combo Breaker - motorized combo lock cracking device]] by Samy Kamkar. Via [[http://tweakers.net/geek/103105/hacker-automatiseert-lockpicking-met-arduino-systeem.html|Tweakers - Hacker automatiseert lockpicking met Arduino-systeem]]. \\
[[https://www.youtube.com/watch?v=09UgmwtL12c|YouTube - Break open any Master Combo Lock in 8 tries or less!]] by Samy Kamkar \\

=====Routers=====

[[http://mis.fortunecook.ie/|Misfortune Cookie]] is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks.

=====CPUs=====

[[http://tweakers.net/nieuws/104636/architectuurfout-in-oudere-x86-cpus-intel-maakt-rootkit-mogelijk.html|Tweakers - Architectuurfout in oudere x86-cpu's Intel maakt rootkit mogelijk - update]] \\
[[https://tweakers.net/nieuws/124189/intels-zakelijke-processors-bevatten-al-sinds-2008-ernstig-lek.html|Tweakers - Intels zakelijke processors bevatten al sinds 2008 ernstig lek]] "Intel's Active Management Technology contains serious vulnerabilities that allow attackers to use the management functions and thereby gain access to entire systems and networks. The vulnerabilities are present in firmware versions from 2008 onwards." \\

=====Cloud=====

====Blogposts/Articles====

[[http://www.dwheeler.com/essays/cloud-security-virtualization-containers.html|Cloud Security: Virtualization, Containers, and Related Issues by David A. Wheeler]] \\