Security Papers
Fish.com Papers
- Murphy's law and computer security, Wietse Venema. This is a truly fundamental paper - in the grand tradition of Bentley or Kernighan & Plauger.
- Secure Deletion of Data from Magnetic and Solid-State Memory, Peter Gutmann. Great paper on a subject no one seems to know anything about!
- Playing Hide and Seek, Unix Style, Phreak Accident. A very good - and well written, a rarity! - paper on how intruders evade detection; published in Volume four, issue 43 of a great on-line hacker's journal, Phrack Magazine. New kernel rootkits do a better job, but I've yet to see something that captured the spirit quite like this one.
- Malicious Data and Computer Security, W. Olin Sibert. Official version of this paper is at NIST's NISSC '96 archive.
Mixter Papers
- An approach to systematic network auditing - Here is one possible approach, in a nutshell, that someone would take to secure a network systematically.
- Protecting against the unknown - A guide to improving network security to protect the Internet against future forms of security hazards
- Finding and analyzing trojans under Unix - This paper gives a brief introduction to methods of analyzing executables under Unix in order to recapitulate the operations they are intended to perform on a system.
- 10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks - For everyone whose systems are currently at risk, or who is generally worried, I am compiling a small list of easy and fast to implement methods to protect against those attacks.
- Writing buffer overflow exploits - a tutorial for beginners - This paper makes an attempt to teach the novice - average C programmer how an overflow condition can be proven to be exploitable.
- Commonly overlooked audit trails on intrusions - This is my attempt of compiling a 'top list' of audit trails that are being left after intrusions where the intruders try to cover their tracks but don't do a good job.
- Coding in C - a summary of some popular mistakes - The goal here is just to introduce you to some common but nasty errors, not all of which are related to security.
- Paranoia Vs. Transparency And Their Effects On Internet Security - a paper describing the necessity of legitimate network scanning and the results of criminalizing security research and information
- Peer-to-peer and the future of distributed applications - This paper describes current and future applications of distributed and decentralized technology, emphasizing security measures, and introduces the Hacktivismo anonymity/anti-censorship project.
Various Others
- History of Computer Security - These papers are unpublished, seminal works in computer security. They are papers every serious student of computer security should read. They are not easy to find. The goal of this collection is to make them widely available. This list was compiled by the Computer Security Laboratory of the Computer Science Department at the University of California, Davis.
- Securing DNS - The following two documents attempt to explain how to run BIND version 8.x under a chroot() environment to contain its functions in the event of a compromise.
- Windows 2000 Security Bulletins and Service Packs - by Xato Network Security, Inc.
- Strange Attractors and TCP/IP Sequence Number Analysis - We consider the problem of inserting a malicious packet into a TCP connection, as well as establishing a TCP connection using an address that is legitimately used by another machine. We introduce the notion of a Spoofing Set as a way of describing a generalized attack methodology.
Honeynet Papers
These papers are a result of the Honeynet Project. They discuss the tools, tactics, and motives of the blackhat community. Feel free to copy / link / distribute any of the papers. You can also download the papers and read them offline (updated weekly). Foreign language speakers, you can find translations here: (Francais, Deutsch, suomi, Slovene, Korean, Russian, Italian)
- Know Your Enemy - 21 July, 2000 - The tools and methodology of the most common black-hat threat on the Internet, the Script Kiddie. By understanding how they attack and what they are looking for, you can better protect your systems and network.
- Know Your Enemy: II - 7 July, 2000 - How to determine what the enemy is doing by analyzing your system log files. Includes examples based on two commonly used scanning tools, sscan and nmap.
- Know Your Enemy: III - 27 March, 2000 - What happens after the script kiddie gains root. Specifically, how they cover their tracks while they monitor your system. The paper goes step by step through a system that was compromised, with system logs and keystrokes to verify each step.
- Know Your Enemy: A Forensics Analysis - 23 May, 2000 - This paper studies step by step a successful attack on a system. However, instead of focusing on the tools and tactics used, we focus on our analysis techniques and how we pieced the information together. The purpose is to give you the skills necessary to analyze and learn on your own the threats your organization faces. MSNBC has released an interactive, online video of this paper.
- Know Your Enemy: Motives - 27 June, 2000 - This paper studies the motives and psychology of the black-hat community, in their own words.
- Know Your Enemy: Worms at War - 7 November, 2000 - See how worms probe for and compromise vulnerable Microsoft Windows systems. Based on the first Microsoft honeypot compromised in the Honeynet Project.
- Know Your Enemy: Passive Fingerprinting - 24 May, 2000 - This paper details how to passively learn about the enemy, without them knowing about it. Specifically, how to determine the operating system of a remote host using passive sniffer traces only.
- Know Your Enemy: Honeynets - 23 April, 2001 - This paper supersedes our previous paper "To Build a Honeypot", which has been withdrawn. That older paper was out of date and discussed outmoded techniques. The new paper covers what a Honeynet is, its value, how it works, and the risks/issues involved.
Whitehat Papers
- Passive Host Fingerprinting - Passive Host Fingerprinting is the practice of determining a remote operating system by measuring the peculiarities of observed traffic without actively sending probes to the host.
- Internic Domain Hijacking - "It Happens" - The attempt at hijacking the domain was foiled for several reasons, which I will outline below.
- Mail Relay Tests - The following transcript shows the details of tests performed by the mail-abuse.org mail relay testing service.
- NMAP: Decoy Analysis - This page is for anyone who cares to see the details behind an NMAP scan with the -D decoy option set.
- Recent Internet Worms - The following are brief write ups on known recent Internet worms. A worm is a program or collection of programs that are able to copy themselves from system to system.
SANS Papers
- What is the significance of the Red Queen? - The "Red Queen" principle is one of the core premises of eWarfare
- Common Criteria or ISO17799 - In this paper, I will try to give a brief description of each in an effort to understand what they are. I have compiled this into a chart to determine their similarities and differences.
- Circle of Security - The goal of an information security program is to protect the integrity, confidentiality, and availability of information.
- Anti-Hacking: The Protection of Computers - In the Computer Security industry, there are many solutions available to help combat cyber crime.
- Help Defeat Denial of Service Attacks: Step-by-Step - Immediate Actions Requested Of All Organizations Connected To The Internet
- Roadmap to Defeating DDoS - The distributed denial of service attacks during the week of February 7 highlighted security weaknesses in hosts and software used in the Internet that put electronic commerce at risk.
- Security to Think About for a Beginner in Unix - In the consulting business the question can be raised regarding the underlying knowledge of a consultant auditing the security of a system.
- Choosing The Best Firewall - Due to the phenomenal growth of the Internet in the last couple of years, companies find it hard to operate without a presence on the Internet.
- Stealth Firewalls - Stealth firewalls are the little known but powerful gem of firewall architectures. The first step of any attack is to "know your enemy".
- Designing a DMZ - DMZ stands for DeMilitarized Zone. A DMZ is your frontline when protecting valuables from direct exposure to an untrusted environment.
- Firewall Load Balancers - The need for high availability has led the industry to focus on eliminating any single points of failure in their networks.
- Network Address Translation - Not a Security Panacea - Many end-users and computer professionals consider themselves secure when sitting behind a device that performs Network Address Translation (NAT).
- Firewall Network Appliance - This paper will discuss the firewall network appliance. What they are. How they compare to the traditional firewalls. What the advantages of using them are and who can benefit from them.
- Top Ten Blocking Recommendations Using Cisco ACLs - Securing the Perimeter with Cisco IOS 12 Routers
- The Packet Filter: A Basic Network Security Tool - According to the internet.com webopedia, packet filtering is "controlling access to a network by analyzing the incoming and outgoing packets and letting them pass or halting them based on the IP address of the source and destination."
- Top Ten Blocking Recommendations Using ipchains - The following 11 sections for this assignment will be demonstrated using a Redhat Linux 6.1 operating system using IPChains as the packet-filtering device.
- GIAC Firewall Practical: Implementation of Firewall Filters - This is a practical assignment for GIAC certification from the SANS Security DC 2000 conference, requiring a tutorial on the implementation of several specified firewall filters. This is purely an academic and illustrative exercise, and must not be taken as a complete or practical ruleset for a real-world firewall.
- DNS Security - This paper will address security issues involved with the DNS client/server architecture within a UNIX environment. Suggestions on securing DNS by preventing unauthorized zone transfers will also be discussed.
- What is a Virtual Private Network(VPN)? - In order to understand Virtual Private Networks (or VPN's) better I built one using the Internet Security Protocol (or IPSec) VPN support that ships with Windows 2000. Based on the Microsoft experience, I will describe what an IPSec VPN is. I will also explore some of the security implications of using Virtual Private Networks (or VPN's).
- What is Egress Filtering and How Can I Implement It? Egress Filtering v 0.2 - This paper discusses the benefits of performing egress filtering on each of your border routers. As we will see, egress filtering is not only beneficial to your own network, but to the rest of the Internet as well. This is because egress filtering makes your network far less appealing to attackers who are trolling for potential relay sites.
- Suggested Methods of Using PHP Securely - PHP is a simple, and efficient scripting language that allows developers to quickly integrate active content into their Web application.
- Protecting the Apache HTTP Server: General Security & Protection From HTTP DoS Attacks, Buffer Overflows, and Root Access - This paper will explain factors involved in the secure installation and configuration of the Apache HTTP Server on a UNIX platform. We will focus on UNIX because the Windows
- Using Big Brother to Verify System Availability - System availability is one of the foundation precepts for computer security. Availability is typically defined as a loss of use.
- Secure Programming - "The Foundation to Secure Computing" - With the boom of the Internet, security has become a big concern for most of us who connect our systems to it. We try diligently to tweak our systems to secure as many of the vulnerabilities as we can. For those of us writing software, we can make this job easier by taking the time and responsibility to make our software more secure.
- Is Open Source Software Really More Secure? - We have all heard the claim that Open Source software is by its nature more secure. Open Source advocates claim that access to source code allows anyone to look for bugs or malicious code, so problems tend to be identified and fixed much more quickly than in proprietary closed source software. Many of us take for granted the truth of these assertions. Is our faith in Open Source justified?
- Security Code Review - The driving force behind most commercial software today, whatever its ultimate purpose, is time-to-market. Certainly everyone has had experience with software that does not do what it is supposed to do, or crashes mysteriously.
- Data Integrity - Out of sight, out of mind? - Awareness of viruses, denial of service attacks, and intrusion threats grows with each highly publicized incident, yet little attention is given to data integrity.
- Java's Evolving Security Model: Beyond the Sandbox for Better Assurance or a Murkier Brew? - Generally, Internet-compressed software development schedules have outstripped the need for rigorous security design and analysis. This is a common trend in consumer software, and one that is destined to flame out under the rigorous security demands of e-commerce.
- Common Data Security Architecture - (CDSA) - Common Data Security Architecture (CDSA) is an open and extensible software framework that addresses security requirements of applications such as e-commerce, communication, and digital content distribution.
- Hacker's Insurance: When All Else Fails - Standard insurance does not cover the above events, yet millions can be lost if any of them happen. If something does go wrong, there is a relatively new service being offered by insurers that can help ease the pain. This paper describes this new product called "hacker's insurance".
- Attacks from Within: A look at Security Concerns for ASPs - Microsoft goes further to state that in the near future almost every aspect of computing will be across the Internet. Data storage and software usage will become a subscription-based service. The user will "live" on the Internet.
- Public-Key Infrastructure and Online Banking - An Angus Reid Group finding points out that while those in Canada and the U.S. have not been as quick to embrace online banking as Europeans, that number is growing.
- Spyware - Recent Evolving Issues - Since the inception of the Internet there has been an overwhelming curiosity by a range of interests to know who does what on the web. An expected level of privacy by an Internet user is decreasing and may cease to exist because of this curiosity.
- Designing the Application Layer Security - There are several good configuration recommendations available in the industry for hardening the operating system platforms presented in YASSP, NT and LINUX among others.
- DoS Attack on a Check Point Firewall - A few months ago, on a Sunday night at 11:43 p.m., our Check Point Firewall was not responding to ping packets from monitoring system. The monitoring system uses a software package called "WhatsUp" to query various servers and routers to determine that all mission critical systems are responsive to polling.
- Managing Effective Information Security - I am the newly hired security manager for a large mortgage company that is in the process of opening a bank. This includes a branch office and electronic or on-line banking. With the banking initiative, a heightened focus on security has begun to take shape throughout the enterprise.
- A Brief Overview of Software Agent Applications and Risks - This paper gives a brief description of software agents, then describes a sampling of evolving agent applications that apply to information security and points out some of the risks incurred by employing agents, along with possible mitigation strategies.
- Securing Your Network Border - Essential Steps - Every company has felt the benefits of networking: faster internal processes, streamlined communications, increased productivity for telecommuters and mobile users, and the tangible achievement of a global market.
- Nessus - Get on Board - The purpose of this document is to describe my real world experiences with the Nessus Security Scanner, hereafter referred to as simply Nessus. Nessus is a software tool that provides host-based vulnerability scanning.
- Netcat - The TCP/IP Swiss Army Knife - Netcat is a tool that every security professional should be aware of and possibly have in their `security tool box'.
- Tripwire - An Integrity Assessment Tool - In your effort to protect your system against hackers, it is critical that you have a comprehensive picture of your entire system. Tripwire is not designed to keep out intruders; however, it does provide an inventory of what files may have been tampered with.
- War Dialing Your Company: A How To - "Hello ... Hello?" It sure seems like there's someone there. But there's no response, and after a moment you hang up.
- A Survey of the Basic Functionality of SAINT - Understanding the services available on a network is intrinsic to providing a secure computing environment. Even though you may have installed the operating system and applications, you may not know all of the services that are available on a computer.
- Nmap - The Tool, Its Author and Its Implications - Nmap (available at http://www.insecure.org) is the commonly accepted authority in information gathering tools. It is the first tool that both an attacker and a defender reach for, for a reason.
- Stronger Authentication Methods: Biometrics and Public Acceptance - Accounts of major computer systems being compromised in some form or another make big news stories. When Microsoft gets hacked, the whole world notices.
- Authentication Mechanisms - Which Is Best? - The foundation of commerce is built on trust and security incorporating principles of confidentiality, authentication, integrity and non-repudiation. Trust and security are fundamental requirements and business success factors for electronic commerce applications over the Internet.
- Biometric Technologies Overview - The objective of this document is to understand various biometric identification techniques and analyze them in terms of accuracy.
- Biometrics: Face Recognition Technology - "The word "biometric" simply means the measurement of a living trait, whether physiological or behavioral. Biometric technologies compare a person's unique characteristics against a previously enrolled image for the purpose of recognizing them, similar to the way our brains identify each other, but on a lesser scale."
- Biometrics: Fingerprint Authentication - How secure are passwords? With the numerous passwords that an individual has to remember, they are often forgotten, misplaced, or stolen.
- Biometric Security - Practical and Affordable! - Once the stuff of James Bond movies, biometric security devices--scanners that read your fingerprints, cameras that recognize your face, software that knows your voice--are in use and readily available.
- Eye Scans - Authentication with Biometrics - Authentication is the process of verifying that a person is indeed who they claim to be. Biometric authentication refers to using a physiological characteristic to perform that verification.
- Biometrics: Has its time come? - The word biometrics basically means "bio" or life and "metrics" or measurement. So the literal translation is "life measurement". Biometrics measures the life traits of a person; this can be anything from physical measurements such as fingerprints, irises, retinas, or facial and hand measurements, to more behavioral traits of someone such as voice patterns, keystroke rhythms or even heat patterns.
- Risks in Biometric-based Authentication Schemes - "Stronger authentication methods often involve hardware -- a tangible object or artifact -- that must be associated with authorized users and that is not easily duplicated.
- Smart Cards - Ready for Prime Time? - This purpose of this paper is to provide some basic information on smart card technology. Smart cards and their uses are described as well as some implementation and security issues that should be considered.
- SSH, Secure Shell - This document will examine a sample session of SSH and provide an illustration on how it can be used, and what information a user needs to know before implementing SSH.
- Protecting the Online Privacy of Children - It's called by many names. The `Web', the `Information Super-Highway', the `Net' or simply being `online'.
- Introduction to Steganography - The historic use of steganography was the concealing of communications. This has been accomplished in a number of ways ranging from microdot printing and invisible inks to spread spectrum communications.
- What is Steganography? - Steganography, literally meaning covered writing, involves the hiding of data in another object. From the time of Herodotus in ancient Greece to the terrorist of today, the secret writing of steganography has been used to deny one's adversaries the knowledge of message traffic.
- Steganography: A Privacy Protector or Just a Computer Security Trick - In a world where privacy is a right, many people try to find a way to hide information, especially when it comes to sensitive documents and files.
- Cookies vs. Internet Privacy - What is a cookie? What does a cookie do? What information, if any, do web sites through the use of cookies transmit? Does this constitute an invasion of privacy?
- Covert Shells - In modern information theory, multilevel systems by definition require inter-level communication, which in turn requires implicit or explicit security mechanisms between levels to mediate the communication process.
- Secure Electronic Transactions (SET)[tm] - In the world of e-commerce, there is a continuing need to create a safe and trusted purchasing environment for consumers, merchants, and financial institutions alike.
- Web Bugs - Web Bugs are tiny one-pixel graphic images that are hidden on a website or in E-mail messages.
- Sniffer Detection Tools and Countermeasures - This paper focuses on tools designed specifically for detecting network interface cards in promiscuous mode and on some countermeasures that lessen their effectiveness.
- Carnivore - An Issue of Trust, a Legal Framework, a Necessary Tool - The Federal Bureau of Investigation (FBI) in 1999 implemented a newly developed system designed to make it easier for them to monitor electronic communications.
- Secure Servers with SSL in the World Wide Web - The Internet is one of the most current and largest sources of data-sharing information. The web offers multimedia capabilities along with hypertext to make it easy for anybody to browse, wander over and participate.
- PGP in a Networked, Multi-user Environment - Most discussions of PGP (Pretty Good Privacy) seem to follow the notion that a user has a non-networked, single-user PC or laptop that is solely in their possession and control.
- Cookies and Exploits - There are many questions and discussions about cookies. What are cookies? Are there any security risks with cookies? Cookies and security. Cookies and privacy.
- Third-Party Mail Relay - An Email Threat - This document is written for the email administrator who received notification from MAPS stating that his/her email server has been blacklisted for allowing Third-Party Mail Relay.
- Secure Messaging - Standard email is not considered to be secure. Email is typically transported across networks in clear text, may or may not get to its intended destination, and the recipient is not assured that the actual sender was, in fact, the purported sender of the message.
- Extranet: Belt, Suspenders, Elastic WaistBand, and Double Sticky Tape - There are many definitions of an Extranet versus a DMZ. My purpose is not to present arguments as to what it is and what it is not.
- Enterprise-Wide Virus Protection - On a bright sunny day when all was going well, the alert alarms from all of the four Exchange E-mail Servers interrupted the daily routine of intrusion detection log monitoring, policy updating, addressing "ad hoc requests" to punch holes in the firewall for reasons of user convenience, and other activities that typically occupy the time of Automated Information Systems (AIS) security personnel.
- Locking Down a Lotus Domino Server - In the following paper I will be discussing the basics of locking down your Lotus Domino R5 server. I'll discuss access control lists, templates and server databases, internet ports used, and settings on the server configuration document that control access.
- Secure Messaging2 - There was a time when business-to-business secure messaging meant licking the envelope, hiring a courier and stamping a big red "confidential" on it prior to its being sent.
- E-mail Content Scanning: the Pros, the Cons and the Legal Issues - Even if we don't like it, e-mail is now part of our life, and while the Internet has brought a major change in the way that we do things, from shopping to system support, it has also introduced legal problems and issues that can affect productivity.
- Defense Message System - The Defense Message System (DMS) was initiated in 1988, when a study of the outdated Department of Defense's (DoD) dedicated point-to-point communication system
- Securing Microsoft Exchange 5.5 - When considering the security of an Exchange 5.5 server, it is very important to remember that Exchange is living on a server that has its own security requirements.
- Unsolicited Bulk Email - The Problem and Some Hope - This paper is intended to explain the problem of Unsolicited Bulk Email (UBE), commonly referred to as "Spam", or sometimes called Unsolicited Commercial Email (UCE).
- Lotus Notes and Domino Security: An Overview of Authentication and Access Control - Lotus Notes was first introduced by Lotus in 1989. Now in its fifth version, Lotus claims that Notes was the first viable groupware product.
- "AnnaKournikova Virus" - Lessons Not Learned - By the time most of us saw the evening news on Feb 12th 2001 we were all very aware of the "AnnaKournikova" virus.
- A Security Practices Look at the Clinical Use of E-mail - The clinical use of email will be the most sweeping technological change in patient-physician communications in the last 100 years.
- The Case for an SMTP Gateway Anti-Virus System - The Internet has removed the need for floppies in the spread of computer viruses, and e-mail is now the major means of transport.
- Securing Microsoft Outlook - I was on the expressway, heading home from the office, when my heart actually stopped beating for a nanosecond.
- Threats - They Come from Within Sometimes - It has been a belief that attacks on a corporate network would come from an outside source. Such is not always the case. A commonly held thought is that a larger percentage of threats come from within the organization that you work for.
- You Got Mail - I Mean Spam! - Not too long ago e-mail was actually mail from someone a person knew, or information that was asked for. "You Got Mail" in the early days of e-mail was the swan song of electronic mail sophistication. Today that swan song should be changed to "You've Got Spam".
Hacker Papers
SNORT Papers
fygrave@tigerteam.net Papers
IdeaHamster Papers
- Security Testing Methodology Manual - This manual is to set forth a standard for Internet security testing. Disregarding the credentials of many a security tester and focusing on the how, I present a solution to a problem which exists currently.
- Jack of All Trades - Jack is the training supplement for the methodology manual. As a supplement, its purpose is clear: to assist those without the proper security skills to develop them in regards to security testing.
- Secure Programming Standards - When you expose an interface (programming, user, etc.) it can be used or abused; the latter should be avoided (depending on which side of the coin you are on). Because you are on the program side (I mean you are a programmer, system architect, team leader, etc.) you want to keep your interface clean, usable and free of side effects that can be abused.