Security

General

• http://en.flossmanuals.net/basic-internet-security/

• http://www.blackhatlibrary.net
• http://sla.ckers.org/forum

• https://cryptoparty.org/wiki/CryptoParty

• http://techblog.rosedu.org/from-0-to-cryptography.html

• https://library.linode.com/securing-your-server

• https://vimeo.com/9260794

• http://www.youtube.com/watch?v=eL5o4PFuxTY

• http://crunchbang.org/forums/viewtopic.php?id=24722 [1]

• http://sectools.org/
• http://www.reddit.com/r/netsec/comments/r1603/some_people_asked_for_a_tool_list/

Resources

• http://securitytube.net

News

• http://infosecmash.com/

Passwords

• http://keepass.info/
  • https://en.wikipedia.org/wiki/KeePass
• http://www.keepassx.org
• https://github.com/raymontag/keepassc

• http://passwordsafe.sourceforge.net/

• http://project-rainbowcrack.com/

• http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/viewall

Server

Firewalls

• https://help.ubuntu.com/community/UFW
  • http://en.wikipedia.org/wiki/Uncomplicated_Firewall

• http://www.shorewall.net/

• http://www.pfsense.org/

• http://www.endian.com/en/community/efw-252/

csf/lfd

• http://configserver.com/cp/csf.html
  • http://configserver.com/free/csf/changelog.txt
• http://configserver.com/cp/csfdemo/config.html

• http://blog.configserver.com/ - software update news

FireHOL

• https://en.wikipedia.org/wiki/FireHOL

Windows

• http://ophcrack.sourceforge.net/

Logging

• http://fail2ban.org

Integrity

• http://aide.sourceforge.net/

• http://la-samhna.de/samhain/

Hardening

AppArmor

• http://wiki.apparmor.net/index.php/Main_Page
  • http://en.wikipedia.org/wiki/AppArmor

SELinux

• http://selinuxproject.org
  • http://en.wikipedia.org/wiki/Security-Enhanced_Linux
  • https://wiki.archlinux.org/index.php/SELinux

Detection

• http://rkhunter.sourceforge.net/
  • http://en.wikipedia.org/wiki/Rkhunter

• http://en.wikipedia.org/wiki/Chkrootkit

Shells

• http://lshell.ghantoos.org/ - limited shell

Honeypot

• https://code.google.com/p/kippo/

Cryptography

• http://en.wikipedia.org/wiki/Cryptography
  • https://en.wikipedia.org/wiki/Outline_of_cryptography
  • http://en.wikipedia.org/wiki/History_of_cryptography
• http://en.wikipedia.org/wiki/Cryptanalysis

• https://en.wikipedia.org/wiki/Cryptographic_hash_function

• https://en.wikipedia.org/wiki/Block_cipher

• https://en.wikipedia.org/wiki/Cryptographic_protocol
• http://en.wikipedia.org/wiki/Key_(cryptography)

• https://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
• http://en.wikipedia.org/wiki/Public-key_cryptography
• http://en.wikipedia.org/wiki/Public-key_infrastructure

• https://en.wikipedia.org/wiki/Key_exchange
  • https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  • https://en.wikipedia.org/wiki/Public-key_infrastructure
  • https://en.wikipedia.org/wiki/Web_of_trust
  • https://en.wikipedia.org/wiki/Password-authenticated_key_agreement

• http://www.openxpki.org/
  • https://en.wikipedia.org/wiki/OpenXPKI
  • http://www.youtube.com/watch?v=Lx8LRZNnBW8

• http://en.wikipedia.org/wiki/Security_token

• https://en.wikipedia.org/wiki/Data_Encryption_Standard

• https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

RSA

• http://en.wikipedia.org/wiki/RSA_(algorithm)

EC

• http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

Encryption

• https://prism-break.org/ - various levels of advice

• http://www.slideshare.net/astamos/bh-slides [2]

PGP / GPG

• http://www.openpgp.org/
  • http://en.wikipedia.org/wiki/Pretty_Good_Privacy

• http://www.gnupg.org/
  • http://en.wikipedia.org/wiki/GNU_Privacy_Guard
  • http://www.gnupg.org/related_software/frontends.html
  • http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/

gpg --export --armor <keyid> | awk '{ print "    "$0 }' 

• http://futureboy.us/pgp.html

• http://gpg4win.org/
• https://gpgtools.org/

• http://webpg.org/

• https://we.riseup.net/dissent+secure_communication/secure-gpg-webmail-service
• http://unix.stackexchange.com/questions/59323/what-is-a-free-open-source-webmail-software-with-pgp-support

• http://pthree.org/2011/09/17/pgpmime-versus-smime/
• http://www.tankmiche.com/tips/x-pgp-key-email-header-format/
• http://beza1e1.tuxen.de/articles/pgp_header.html

• http://www.mailvelope.com/
• http://www.enigmail.net/home/index.php

• http://cryptome.org/2013/07/mining-pgp-keyservers.htm

• http://web.monkeysphere.info/

• https://code.google.com/p/gnupg-ecc/

Google

• Penango is a web browser add-on that allows people to send and receive authenticated and encrypted messages end-to-end on the Internet with standards-based, interoperable protocols.

• gAES - Encrypt your google chats and make the NSA sad

File system

• http://www.truecrypt.org/ - hard drive space
  • http://en.wikipedia.org/wiki/TrueCrypt

• http://en.wikipedia.org/wiki/FreeOTFE

• http://en.wikipedia.org/wiki/Rubberhose_(file_system)

• http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations

Other

• http://web.monkeysphere.info/

• http://www.schneier.com/solitaire.html

• https://guardianproject.info/

Homomorphic

• http://9ac345a5509a.github.io/p2p-paillier/

• https://github.com/shaih/HElib

Protocol

• https://en.wikipedia.org/wiki/Cryptographic_protocol

SSL/TLS

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

• http://www.tlspool.org/

• https://briansmith.org/browser-ciphersuites-01.html [3]

HTTPS

• https://en.wikipedia.org/wiki/HTTPS

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

• https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS - basic intro
• Living with HTTPS (19 Jul 2012)

• OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection - Touching on HTTPS, SSL and TLS
• http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
• SSL/TLS Deployment Best Practices - tutorial whitepaper

• https://www.ssllabs.com/projects/best-practices/

• http://en.wikipedia.org/wiki/Server_Name_Indication - allows more than one domain per ip address, not supported my older browsers

• Improved HTTPS Performance with Early SSL Termination

• https://www.scantosecure.com/blog/fencing-your-ssl-errors-with-hsts

• http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ [4]

• http://notary.icsi.berkeley.edu/
  • http://notary.icsi.berkeley.edu/trust-tree/

Certificates

• http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services

• http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers

• http://en.wikipedia.org/wiki/X.509
  • http://en.wikipedia.org/wiki/Subject_Alternative_Name

• http://en.wikipedia.org/wiki/Extended_Validation_Certificate

• http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Wildcard

• http://en.wikipedia.org/wiki/Wildcard_certificate

Self-signed

Vulnerable to MITM as cracker can generate their own.

• How to Create A Self Signed Certificate - sslshopper.com
• How to create a self-signed SSL Certificate which can be used for testing purposes or internal usage

CAs

• http://en.wikipedia.org/wiki/Certificate_authority

• http://en.wikipedia.org/wiki/GlobalSign

Services

• https://www.ssl2buy.com/alphassl-wildcard.php
• http://www.vpsnodebox.com/ssl-certificates - AlphaSSL - GlobalSign certificate.
  • http://lowendtalk.com/discussion/4495/regular-and-wildcard-alphassl-certificates-for-everyone-for-cheap

• http://lowendtalk.com/discussion/4495/regular-and-wildcard-alphassl-certificates-for-everyone-for-cheap
• HN discussion: $50 comodo wildcard SSLs (while they last)
• http://www.garrisonhost.com/ssl.htm

• http://www.rapidssl.com/buy-ssl/ssl-certificate/index.html
• http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html

• http://www.cheapssls.com/
• https://www.gogetssl.com/

• http://www.comodo.com/
  • http://ssl.comodo.com/wildcard-ssl-certificates.php - from £224.95

• http://www.verisign.com/

Cacert.org

• http://www.cacert.org/
  • http://en.wikipedia.org/wiki/CAcert.org
  • http://wiki.cacert.org/

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

StartCom

• http://en.wikipedia.org/wiki/StartCom

Free certs, one cert per domain, 1 year.

Tools

• http://www.whynopadlock.com/

• https://github.com/mikecardwell/sslScanner

• http://www.cert-depot.com/

• https://www.sslshopper.com/ssl-converter.html

• https://polarssl.org/

PFS

• http://en.wikipedia.org/wiki/Perfect_forward_secrecy

• http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

• http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/

• https://news.ycombinator.com/item?id=5955866

Other

• https://raymii.org/s/tutorials/IPSEC_L2TP_vpn_with_Ubuntu_12.04.html

Software

• https://en.wikipedia.org/wiki/Network_Security_Services

DNSSEC

• http://jpmens.net/2011/02/16/ssl-certificate-validation-and-dnssec/
• http://blog.huque.com/2012/10/dnssec-and-certificates.html
• http://blogs.cisco.com/security/top-of-mind-problems-with-ssl-solved-with-dnssec/

• https://os3sec.org/

DANE

• https://datatracker.ietf.org/wg/dane/charter/

Articles

• https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

Future

• http://tack.io/

• http://blather.michaelwlucas.com/archives/1591

• http://perspectives-project.org/

• http://convergence.io/

HTML

• http://html5sec.org/

• http://lcamtuf.coredump.cx/postxss/

• https://www.owasp.org/index.php/Main_Page

Vulnerabilities

• http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

• http://www.cvedetails.com/
  • http://www.cvedetails.com/vulnerability-feed.php?vendor_id=0&product_id=0&version_id=0&orderby=3&cvssscoremin=0

• https://cassandra.cerias.purdue.edu/main/index.html

• https://www.us-cert.gov/ncas/current-activity

Legal

• http://safeharbor.export.gov/list.aspx - UK DPA safe harbours

UX

• Everything you ever wanted to know about building a secure password reset feature

Windows

• http://www.winpcap.org/install/default.htm

• http://www.piotrbania.com/all/kon-boot/

• http://hak5.org/usb-switchblade

• * http://www.winpcap.org/install/default.htm

• http://www.piotrbania.com/all/kon-boot/

• http://hak5.org/usb-switchblade

Testing

Metasploit

• http://www.metasploit.com/
  • http://www.metasploit.com/modules/
  • http://www.metasploit.com/development/
  • http://dev.metasploit.com/redmine/projects/framework/issues?set_filter=1&tracker_id=1

• http://en.wikipedia.org/wiki/Metasploit_Project
  • http://en.wikibooks.org/wiki/Metasploit

• http://fastandeasyhacking.com/
  • http://fastandeasyhacking.com/manual
  • http://fastandeasyhacking.com/start
  • http://wiki.backbox.org/index.php/Armitage

Other

• w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Burp

• http://en.wikipedia.org/wiki/Burp_suite
• http://portswigger.net/burp/proxy.html

Inception

• Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
  • [https://github.com/carmaa/inception

to sort

• http://www.datagenetics.com/blog/september32012/index.html

• http://daeken.com/2013-03-17_So_You_Want_To_Be_A_Breaker__Pt__1__Web_Security.html

• https://onetimesecret.com/

• http://en.wikipedia.org/wiki/Cypherpunk

• http://cryptonation.com/

• http://telecomix.org/
  • http://en.wikipedia.org/wiki/Telecomix
  • http://cryptoanarchy.org - Telecomix Crypto Munitions Bureau is part of Telecomix. Many good and tasty links.
• http://web.archive.org/web/20130310120019/http://www.infoanarchy.org/en/Main_Page

• http://cryptoparty.informatick.net/parties/howto
• http://booki.cc/cryptoparty-handbook/a-cryptoparty-history-party-like-its-1984/
• More Encryption Is Not the Solution [5]

• cryptosphere - Encrypted peer-to-peer web application platform for decentralized, privacy-preserving applications
  • https://github.com/cryptosphere/cryptosphere

• http://tobtu.com/decryptocat.php - don't use cryptocat

• http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
  • http://xkcd.com/538/ [6]

Other

• Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker. [7]

• EZCrypt - We provide you with the power to encrypt the data BEFORE it gets stored on our site. All encryption/decryption is done on the client end using AES-CBC 128bit with a hash key generated on each paste. The server will only store the encrypted data without the hash key, so only you have the power to decrypt it.