Security

General

• http://en.flossmanuals.net/basic-internet-security/

• http://www.blackhatlibrary.net
• http://sla.ckers.org/forum

• https://cryptoparty.org/wiki/CryptoParty

• http://techblog.rosedu.org/from-0-to-cryptography.html

• https://library.linode.com/securing-your-server

• https://vimeo.com/9260794

• http://www.youtube.com/watch?v=eL5o4PFuxTY

• http://crunchbang.org/forums/viewtopic.php?id=24722 [1]

• http://sectools.org/
• http://www.reddit.com/r/netsec/comments/r1603/some_people_asked_for_a_tool_list/

Resources

• http://securitytube.net
  • http://www.securitytube-tools.net/

News

• http://infosecmash.com/

Passwords

• http://keepass.info/
  • https://en.wikipedia.org/wiki/KeePass
• http://www.keepassx.org
• https://github.com/raymontag/keepassc

• http://passwordsafe.sourceforge.net/

• http://project-rainbowcrack.com/

• http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/viewall

Server

See also Distros

Firewalls

• https://help.ubuntu.com/community/UFW
  • http://en.wikipedia.org/wiki/Uncomplicated_Firewall

• http://www.shorewall.net/

• http://www.pfsense.org/

• http://www.endian.com/en/community/efw-252/

csf/lfd

• http://configserver.com/cp/csf.html
  • http://configserver.com/free/csf/changelog.txt
• http://configserver.com/cp/csfdemo/config.html

• http://blog.configserver.com/ - software update news

FireHOL

• https://en.wikipedia.org/wiki/FireHOL

Windows

• http://ophcrack.sourceforge.net/

Logging

• http://fail2ban.org

Integrity

• http://aide.sourceforge.net/

• http://la-samhna.de/samhain/

Hardening

AppArmor

• http://wiki.apparmor.net/index.php/Main_Page
  • http://en.wikipedia.org/wiki/AppArmor

SELinux

• http://selinuxproject.org
  • http://en.wikipedia.org/wiki/Security-Enhanced_Linux
  • https://wiki.archlinux.org/index.php/SELinux

Intrusion detection

• http://en.wikipedia.org/wiki/Intrusion_detection_system
• http://en.wikipedia.org/wiki/Intrusion_prevention_system

• http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html
• http://www.sans.org/security-resources/idfaq/

• http://www.snort.org/

• http://rkhunter.sourceforge.net/
  • http://en.wikipedia.org/wiki/Rkhunter

• http://en.wikipedia.org/wiki/Chkrootkit

• http://www.tenable.com/products/nessus-family
• http://www.tenable.com/products/nessus

• http://www.sans.org/security-resources/idfaq/auto_res.php
• http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=5588654

Shells

• http://lshell.ghantoos.org/ - limited shell

Honeypot

• https://code.google.com/p/kippo/

Cryptography

• http://en.wikipedia.org/wiki/Cryptography
  • https://en.wikipedia.org/wiki/Outline_of_cryptography
  • http://en.wikipedia.org/wiki/History_of_cryptography
• http://en.wikipedia.org/wiki/Cryptanalysis

• https://en.wikipedia.org/wiki/NIST
• https://en.wikipedia.org/wiki/Federal_Information_Processing_Standard

• https://en.wikipedia.org/wiki/Cryptographic_hash_function
• https://en.wikipedia.org/wiki/Provably_secure_cryptographic_hash_function

• http://bench.cr.yp.to/ebash.html

• https://en.wikipedia.org/wiki/Cryptographic_protocol

• https://en.wikipedia.org/wiki/Stream_cipher

• https://en.wikipedia.org/wiki/Block_cipher
• https://en.wikipedia.org/wiki/Collision-resistant
• https://en.wikipedia.org/wiki/Collision_attack

There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption. All well-known hash functions, including MD4, MD5, SHA-1 and SHA-2 are built from block-cipher-like components designed for the purpose, with feedback to ensure that the resulting function is not invertible. SHA-3 finalists included functions with block-cipher-like components (e.g., Skein, BLAKE) though the function finally selected, Keccak, was built on a cryptographic sponge instead.

• https://en.wikipedia.org/wiki/Symmetric-key_algorithm

• https://en.wikipedia.org/wiki/Public_key_cryptography - also known as asymmetric cryptography
• https://en.wikipedia.org/wiki/Digital_signature

• https://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
• http://en.wikipedia.org/wiki/Public-key_cryptography
• http://en.wikipedia.org/wiki/Public-key_infrastructure

• https://en.wikipedia.org/wiki/MD4
• https://en.wikipedia.org/wiki/MD5
• https://en.wikipedia.org/wiki/SHA-1
• https://en.wikipedia.org/wiki/SHA-2
• https://en.wikipedia.org/wiki/SHA-3

• https://en.wikipedia.org/wiki/Blowfish_(cipher) - 1993

• https://en.wikipedia.org/wiki/Cryptographic_protocol

• http://en.wikipedia.org/wiki/Key_(cryptography)
• https://en.wikipedia.org/wiki/Key_exchange
  • https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  • https://en.wikipedia.org/wiki/Public-key_infrastructure
  • https://en.wikipedia.org/wiki/Web_of_trust
  • https://en.wikipedia.org/wiki/Password-authenticated_key_agreement

• http://security.stackexchange.com/questions/25375/why-not-use-larger-cipher-keys

• The code monkey's guide to cryptographic hashes for content-based addressing
• Lifetimes of cryptographic hash functions

• http://europa.eu/legislation_summaries/information_society/other_policies/l24118_en.htm

• http://www.openxpki.org/
  • https://en.wikipedia.org/wiki/OpenXPKI
  • http://www.youtube.com/watch?v=Lx8LRZNnBW8

• http://en.wikipedia.org/wiki/Security_token

• https://en.wikipedia.org/wiki/Data_Encryption_Standard

• https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
• https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
• https://en.wikipedia.org/wiki/Elliptic_Curve_DSA

• https://en.wikipedia.org/wiki/NTRUEncrypt

• https://en.wikipedia.org/wiki/Advanced_Encryption_Standard - 2001
  • https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process
  • http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

• https://github.com/jedisct1/libsodium

RSA

• http://en.wikipedia.org/wiki/RSA_(algorithm) - publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT

EC

• http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

• http://www.lapsedordinary.net/2013/09/23/how-the-nsa-cheated-cryptography/

Suites

• https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

Encryption

• https://prism-break.org/ - various levels of advice

• http://www.slideshare.net/astamos/bh-slides [2]

PGP / GPG

• http://www.openpgp.org/
  • http://en.wikipedia.org/wiki/Pretty_Good_Privacy

• http://www.gnupg.org/
  • http://en.wikipedia.org/wiki/GNU_Privacy_Guard
  • http://www.gnupg.org/gph/en/manual.html

• http://tools.ietf.org/html/rfc4880 - OpenPGP Message Format
• http://tools.ietf.org/html/rfc5581 - The Camellia Cipher in OpenPGP

Guides

• https://alexcabal.com/creating-the-perfect-gpg-keypair/
• GPG Tutorial
• Quick'n easy gpg cheatsheet

gpg --export --armor <keyid> | awk '{ print "    "$0 }' 

Tools

• http://www.gnupg.org/related_software/frontends.html

• http://gpg4win.org/ - Windows
• https://gpgtools.org/ - Mac

• WebPG - Browser Extensions

• Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser0 or secure shell.

• http://www.biglumber.com/ - signing parties

• http://www.g10code.de/p-card.html

Key servers

• http://superuser.com/questions/227991/where-to-upload-pgp-public-key-are-keyservers-still-surviving
• http://www.rossde.com/PGP/pgp_keyserv.html
• http://cryptome.org/2013/07/mining-pgp-keyservers.htm

• http://pgp.mit.edu/ (cryptonomicon.mit.edu)
  • http://pgp.uni-mainz.de/pks-faq.html
• http://sks-keyservers.net/
• https://keyserver.pgp.com/

DNS

• https://grepular.com/Publishing_PGP_Keys_in_the_DNS

E-mail

• https://we.riseup.net/dissent+secure_communication/secure-gpg-webmail-service
• http://unix.stackexchange.com/questions/59323/what-is-a-free-open-source-webmail-software-with-pgp-support

• http://pthree.org/2011/09/17/pgpmime-versus-smime/
• http://www.tankmiche.com/tips/x-pgp-key-email-header-format/
• http://beza1e1.tuxen.de/articles/pgp_header.html

• http://www.mailvelope.com/
• http://www.enigmail.net/home/index.php

Libraries

• http://www.gnupg.org/related_software/gpgme/

• https://en.wikipedia.org/wiki/Netpgp

Google

• Penango is a web browser add-on that allows people to send and receive authenticated and encrypted messages end-to-end on the Internet with standards-based, interoperable protocols.

• gAES - Encrypt your google chats and make the NSA sad

Other

• gnupg-ecc - ECC-enabled GnuPG per RFC6637

File system

• TrueCrypt - Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux
  • http://en.wikipedia.org/wiki/TrueCrypt
  • http://istruecryptauditedyet.com/ [3]

• http://en.wikipedia.org/wiki/FreeOTFE

• http://en.wikipedia.org/wiki/Rubberhose_(file_system)

• http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations

• LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly. While LUKS is a standard on-disk format, there is also a reference implementation. LUKS for dm-crypt is implemented in an enhanced version of cryptsetup.
  • http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

• http://code.google.com/p/cryptsetup/wiki/DMCrypt
  • http://en.wikipedia.org/wiki/Dm-crypt
  • https://wiki.archlinux.org/index.php/dm-crypt_with_LUKS

Other

• http://web.monkeysphere.info/

• http://www.schneier.com/solitaire.html

• https://guardianproject.info/

• http://tom.noflag.org.uk/cryptkeeper.html

• http://www.dyne.org/software/tomb/

Homomorphic

• http://9ac345a5509a.github.io/p2p-paillier/

• https://github.com/shaih/HElib

TLS/SSL

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

• https://www.ssllabs.com/projects/best-practices/
• SSL/TLS Deployment Best Practices - tutorial whitepaper
• https://sites.google.com/site/x509certificateusage/

• https://briansmith.org/browser-ciphersuites-01.html [4]

• OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection - Touching on HTTPS, SSL and TLS

• DEFCON 19: SSL And The Future Of Authenticity - Moxie Marlinspike
• https://rx4g.com/2013/09/09/web-server-authentication-is-still-broken/
• https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html [5]
• http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services

• http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/

HTTPS

• http://tools.ietf.org/html/rfc2818 - HTTP Over TLS
• https://en.wikipedia.org/wiki/HTTPS

• https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS - basic intro
• Living with HTTPS (19 Jul 2012)

• http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
• Improved HTTPS Performance with Early SSL Termination

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.scantosecure.com/blog/fencing-your-ssl-errors-with-hsts

• http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ [6]

• http://notary.icsi.berkeley.edu/
  • http://notary.icsi.berkeley.edu/trust-tree/

• https://www.eff.org/https-everywhere
  • https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

See HTTP#SSL

PFS

• http://en.wikipedia.org/wiki/Perfect_forward_secrecy

• http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

• http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/

• https://news.ycombinator.com/item?id=5955866

Software

• https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

Gnutils

• http://www.gnutls.org/
  • https://en.wikipedia.org/wiki/Gnutls

OpenSSL

• http://www.openssl.org/
  • https://en.wikipedia.org/wiki/OpenSSL

openssl ciphers -v

Other

• http://www.tlspool.org/

Certificates

• http://en.wikipedia.org/wiki/X.509

• SSL Certificate Types and Purposes
• https://www.globalsign.com/ssl-information-center/types-of-ssl-certificate.html
• http://blogs.msdn.com/b/kaushal/archive/2010/11/05/ssl-certificates.aspx

• http://wiki.cacert.org/Glossary/Validation

• http://en.wikipedia.org/wiki/Subject_Alternative_Name - allows multiple domains, but not like a wildcard

• http://en.wikipedia.org/wiki/Certificate_signing_request

• http://en.wikipedia.org/wiki/Server_Name_Indication - allows more than one domain per ip address, not supported by older IE and Android 2

• http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

some rfcs..

• http://tools.ietf.org/html/rfc2712 - Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
• http://tools.ietf.org/html/rfc4279 - Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
• http://tools.ietf.org/html/rfc5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• http://tools.ietf.org/html/rfc6091 - Using OpenPGP Keys for Transport Layer Security (TLS) Authentication
• http://tools.ietf.org/html/rfc6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)

Wildcard

• http://en.wikipedia.org/wiki/Wildcard_certificate

Domain Validation

• http://en.wikipedia.org/wiki/Certificate_authority#Domain_validation

Organisational Validation

involving better/slower background checks for the Organisation Name field

Extended Validation

• http://en.wikipedia.org/wiki/Extended_Validation_Certificate - provides a green address bar, bit of a rip-off though

Self-signed

Vulnerable to MITM as cracker can generate their own, OK if you control both ends.

• How to Create A Self Signed Certificate - sslshopper.com
• How to create a self-signed SSL Certificate which can be used for testing purposes or internal usage

CAs

• http://en.wikipedia.org/wiki/Certificate_authority

• https://www.eff.org/observatory
• http://www.certificate-transparency.org/

• http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

• https://www.eff.org/sovereign-keys
  • https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=master

Services

Comodo

• http://www.comodo.com/ - security history a bit of a joke
  • http://ssl.comodo.com/wildcard-ssl-certificates.php - from £224.95

• HN discussion: $50 comodo wildcard SSLs (while they last)

• http://www.cheapssls.com/
• https://www.gogetssl.com/

VeriSign

• http://www.verisign.com/ - owned by Symantec

• http://www.geotrust.com/

• http://www.rapidssl.com/buy-ssl/ssl-certificate/index.html
• http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html

GlobalSign

• http://en.wikipedia.org/wiki/GlobalSign - owned by GMO CLOUD K.K. in Japan

• https://www.ssl2buy.com/alphassl-wildcard.php
• http://www.vpsnodebox.com/ssl-certificates - AlphaSSL - GlobalSign certificate.
  • http://lowendtalk.com/discussion/4495/regular-and-wildcard-alphassl-certificates-for-everyone-for-cheap

• http://www.garrisonhost.com/ssl.htm

StartCom

• https://startssl.com
  • http://en.wikipedia.org/wiki/StartCom - based in Israel, provides StartSSL certs.

• https://konklone.com/post/switch-to-https-now-for-free [7]

Free certs, one cert per domain, 1 year. One only pays for acions that require human intervention, i.e., validation.

• How to renew an expired personal certificate

Cacert.org

• http://www.cacert.org/
  • http://en.wikipedia.org/wiki/CAcert.org
  • http://wiki.cacert.org/

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

Other

• http://lolroot.ca/ - lol

Tools

• http://www.whynopadlock.com/
• https://www.ssllabs.com/ssltest/

• https://github.com/mikecardwell/sslScanner

• http://www.cert-depot.com/

• https://www.sslshopper.com/ssl-converter.html

• https://polarssl.org/

Software

• https://en.wikipedia.org/wiki/Network_Security_Services

DNSSEC

• http://jpmens.net/2011/02/16/ssl-certificate-validation-and-dnssec/
• http://blog.huque.com/2012/10/dnssec-and-certificates.html
• http://blogs.cisco.com/security/top-of-mind-problems-with-ssl-solved-with-dnssec/

• https://os3sec.org/

DANE

• https://datatracker.ietf.org/wg/dane/charter/

Future

• TACK, a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, but is fully backwards compatible with existing CA certificates, and doesn't require sites to modify their existing certificate chains.

• http://blather.michaelwlucas.com/archives/1591

• http://perspectives-project.org/
• http://convergence.io/
  • http://en.wikipedia.org/wiki/Convergence_(SSL)

HTML

• http://html5sec.org/

• http://lcamtuf.coredump.cx/postxss/

• https://www.owasp.org/index.php/Main_Page

Vulnerabilities

• http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

• http://www.cvedetails.com/
  • http://www.cvedetails.com/vulnerability-feed.php?vendor_id=0&product_id=0&version_id=0&orderby=3&cvssscoremin=0

• https://cassandra.cerias.purdue.edu/main/index.html

• https://www.us-cert.gov/ncas/current-activity

• http://googleonlinesecurity.blogspot.co.uk/2013/01/enhancing-digital-certificate-security.html

Legal

• http://safeharbor.export.gov/list.aspx - UK DPA safe harbours

UX

• Everything you ever wanted to know about building a secure password reset feature

Windows

• http://www.winpcap.org/install/default.htm

• http://www.piotrbania.com/all/kon-boot/

• http://hak5.org/usb-switchblade

• * http://www.winpcap.org/install/default.htm

• http://www.piotrbania.com/all/kon-boot/

• http://hak5.org/usb-switchblade

Testing

Metasploit

• http://www.metasploit.com/
  • http://www.metasploit.com/modules/
  • http://www.metasploit.com/development/
  • http://dev.metasploit.com/redmine/projects/framework/issues?set_filter=1&tracker_id=1

• http://en.wikipedia.org/wiki/Metasploit_Project
  • http://en.wikibooks.org/wiki/Metasploit

• http://fastandeasyhacking.com/
  • http://fastandeasyhacking.com/manual
  • http://fastandeasyhacking.com/start
  • http://wiki.backbox.org/index.php/Armitage

Web

• w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

DB

• http://sqlmap.org/

Burp

• http://en.wikipedia.org/wiki/Burp_suite
• http://portswigger.net/burp/proxy.html

Inception

• Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
  • [https://github.com/carmaa/inception

DetecTor.io

• http://detector.io/

to sort

• http://www.datagenetics.com/blog/september32012/index.html

• http://daeken.com/2013-03-17_So_You_Want_To_Be_A_Breaker__Pt__1__Web_Security.html

• https://onetimesecret.com/

• http://en.wikipedia.org/wiki/Cypherpunk

• http://cryptonation.com/

• http://www.openwall.com/
  • http://oss-security.openwall.org/wiki/

• http://telecomix.org/
  • http://en.wikipedia.org/wiki/Telecomix
  • http://cryptoanarchy.org - Telecomix Crypto Munitions Bureau is part of Telecomix. Many good and tasty links.
• http://web.archive.org/web/20130310120019/http://www.infoanarchy.org/en/Main_Page

• http://cryptoparty.informatick.net/parties/howto
• http://booki.cc/cryptoparty-handbook/a-cryptoparty-history-party-like-its-1984/
• More Encryption Is Not the Solution [8]

• cryptosphere - Encrypted peer-to-peer web application platform for decentralized, privacy-preserving applications
  • https://github.com/cryptosphere/cryptosphere

• http://tobtu.com/decryptocat.php - don't use cryptocat

• http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
  • http://xkcd.com/538/ [9]

• Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.

Other

• Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker. [10]

• EZCrypt - We provide you with the power to encrypt the data BEFORE it gets stored on our site. All encryption/decryption is done on the client end using AES-CBC 128bit with a hash key generated on each paste. The server will only store the encrypted data without the hash key, so only you have the power to decrypt it.