Security

General

• http://en.flossmanuals.net/basic-internet-security/

• http://www.blackhatlibrary.net
• http://sla.ckers.org/forum

• https://cryptoparty.org/wiki/CryptoParty

• http://techblog.rosedu.org/from-0-to-cryptography.html

• https://library.linode.com/securing-your-server

• https://vimeo.com/9260794

• http://www.youtube.com/watch?v=eL5o4PFuxTY

• http://crunchbang.org/forums/viewtopic.php?id=24722 [1]

News

• http://infosecmash.com/

FreeBSD jail

• http://en.wikipedia.org/wiki/FreeBSD_jail

Firewalls

• https://help.ubuntu.com/community/UFW
  • http://en.wikipedia.org/wiki/Uncomplicated_Firewall

• http://www.shorewall.net/

• http://www.pfsense.org/

csf/lfd

• http://configserver.com/cp/csf.html
  • http://configserver.com/free/csf/changelog.txt
• http://configserver.com/cp/csfdemo/config.html

• http://blog.configserver.com/ - software update news

Passwords

• https://github.com/raymontag/keepassc

Logging

http://www.fail2ban.org/wiki/index.php/Main_Page

Hardening

AppArmor

• http://wiki.apparmor.net/index.php/Main_Page
  • http://en.wikipedia.org/wiki/AppArmor

SELinux

• http://selinuxproject.org
  • http://en.wikipedia.org/wiki/Security-Enhanced_Linux
  • https://wiki.archlinux.org/index.php/SELinux

Detection

• http://rkhunter.sourceforge.net/
  • http://en.wikipedia.org/wiki/Rkhunter

• http://en.wikipedia.org/wiki/Chkrootkit

Shells

• http://lshell.ghantoos.org/ - limited shell

Honeypot

• https://code.google.com/p/kippo/

Cryptography

• http://en.wikipedia.org/wiki/Cryptography
  • http://en.wikipedia.org/wiki/History_of_cryptography
• http://en.wikipedia.org/wiki/Cryptanalysis

• http://en.wikipedia.org/wiki/Key_(cryptography)

• https://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
• http://en.wikipedia.org/wiki/Public-key_cryptography
• http://en.wikipedia.org/wiki/Public-key_infrastructure

RSA

• http://en.wikipedia.org/wiki/RSA_(algorithm)

EC

• http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

Encryption

See also Comms#Encryption

• http://www.slideshare.net/astamos/bh-slides [2]

File system

• http://www.truecrypt.org/ - hard drive space
  • http://en.wikipedia.org/wiki/TrueCrypt

• http://en.wikipedia.org/wiki/FreeOTFE

• http://en.wikipedia.org/wiki/Rubberhose_(file_system)

Other

• http://www.keepassx.org/ - passwords

• http://web.monkeysphere.info/

• http://www.schneier.com/solitaire.html
• http://security.stackexchange.com/questions/25375/why-not-use-larger-cipher-keys

• http://valerieaurora.org/hash.html

Homomorphic

• http://9ac345a5509a.github.io/p2p-paillier/

• https://github.com/shaih/HElib

HTTPS, SSL and TLS

• https://en.wikipedia.org/wiki/HTTPS
• https://en.wikipedia.org/wiki/Transport_Layer_Security

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
  • Living with HTTPS (19 Jul 2012)

• http://en.wikipedia.org/wiki/Server_Name_Indication - allows more than one domain per ip address, not supported my older browsers

• OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection - Touching on HTTPS, SSL and TLS

• SSL/TLS Deployment Best Practices - tutorial whitepaper
• https://www.ssllabs.com/projects/best-practices/

• Improved HTTPS Performance with Early SSL Termination

• https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS - basic intro

• http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

• https://www.scantosecure.com/blog/fencing-your-ssl-errors-with-hsts

• http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ [3]

• http://notary.icsi.berkeley.edu/
  • http://notary.icsi.berkeley.edu/trust-tree/

Certificates

• http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

• HN: $50 comodo wildcard SSLs (while they last)

Services

• http://www.rapidssl.com/buy-ssl/ssl-certificate/index.html
• http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html

• http://www.comodo.com/

• http://www.verisign.com/

• http://www.vpsnodebox.com/ssl-certificates - AlphaSSL - GlobalSign certificate.
  • http://lowendtalk.com/discussion/4495/regular-and-wildcard-alphassl-certificates-for-everyone-for-cheap

Self-signed

Vulnerable to MITM as cracker can generate their own.

• How to Create A Self Signed Certificate - sslshopper.com
• How to create a self-signed SSL Certificate which can be used for testing purposes or internal usage

Cacert.org

• http://www.cacert.org/
  • http://en.wikipedia.org/wiki/CAcert.org
  • http://wiki.cacert.org/

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

StartCom

• http://en.wikipedia.org/wiki/StartCom

Free certs, one cert per domain, 1 year.

Tools

• https://github.com/mikecardwell/sslScanner

• http://www.cert-depot.com/

• https://www.sslshopper.com/ssl-converter.html

• https://polarssl.org/

PFS

• http://en.wikipedia.org/wiki/Perfect_forward_secrecy

• http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

• http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/

• https://news.ycombinator.com/item?id=5955866

DNSSEC

• http://jpmens.net/2011/02/16/ssl-certificate-validation-and-dnssec/
• http://blog.huque.com/2012/10/dnssec-and-certificates.html
• http://blogs.cisco.com/security/top-of-mind-problems-with-ssl-solved-with-dnssec/

• https://os3sec.org/

DANE

• https://datatracker.ietf.org/wg/dane/charter/

Articles

• https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

Future

• http://tack.io/

• http://blather.michaelwlucas.com/archives/1591

• http://perspectives-project.org/

HTML

• http://html5sec.org/

• http://lcamtuf.coredump.cx/postxss/

Scripting

• https://www.owasp.org/index.php/Main_Page

Vulnerabilities

• http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

• http://www.cvedetails.com/
  • http://www.cvedetails.com/vulnerability-feed.php?vendor_id=0&product_id=0&version_id=0&orderby=3&cvssscoremin=0

• https://cassandra.cerias.purdue.edu/main/index.html

• https://www.us-cert.gov/ncas/current-activity

VPN

• http://en.wikipedia.org/wiki/Virtual_private_network
• http://en.wikipedia.org/wiki/Social_VPN

OpenVPN

• http://openvpn.net/index.php/open-source.html
  • http://en.wikipedia.org/wiki/OpenVPN

• http://library.linode.com/networking/openvpn
• http://akensai.com/linode-vpn/

IPsec

• http://en.wikipedia.org/wiki/IPsec

• https://www.openswan.org/projects/openswan/
  • http://en.wikipedia.org/wiki/Openswan

Legal

• http://safeharbor.export.gov/list.aspx - UK DPA safe harbours

UX

• Everything you ever wanted to know about building a secure password reset feature

Resources

• http://securitytube.net

Testing

Metasploit

• http://www.metasploit.com/
  • http://www.metasploit.com/modules/
  • http://www.metasploit.com/development/
  • http://dev.metasploit.com/redmine/projects/framework/issues?set_filter=1&tracker_id=1

• http://en.wikipedia.org/wiki/Metasploit_Project
  • http://en.wikibooks.org/wiki/Metasploit

• http://fastandeasyhacking.com/
  • http://fastandeasyhacking.com/manual
  • http://fastandeasyhacking.com/start
  • http://wiki.backbox.org/index.php/Armitage

Other

• w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Burp

• http://en.wikipedia.org/wiki/Burp_suite
• http://portswigger.net/burp/proxy.html

Misc

• http://www.datagenetics.com/blog/september32012/index.html

• http://daeken.com/2013-03-17_So_You_Want_To_Be_A_Breaker__Pt__1__Web_Security.html