The field of web security, and computer security in general, is large and growing larger every day. Rather than attempting to list all of the many useful references, we’ll note the ones we think especially appropriate. For a more extensive and up-to-date listing of references, we recommend that you pursue an online reference such as the CERIAS hotlist (cited below). Appendixes D through F of Practical Unix & Internet Security, although somewhat dated, still contain a great deal of highly useful material. The CERIAS hotlist has thousands of references to Internet-based sources of security information; the PUIS book has almost 50 pages of references to journals, organizations, books, papers, and other resources in the indicated appendixes.
There is a certain irony in trying to include a comprehensive list of electronic resources in a printed book such as this one. Electronic resources such as web pages, newsgroups, and mailing lists are updated on an hourly basis; new releases of computer programs can be published every few weeks. Books, on the other hand, are infrequently updated.
We present the following electronic resources with the understanding that this list necessarily can be neither complete nor completely up to date. What we hope, instead, is that it is expansive. By reading it, we hope that you will gain insight into places to look for future developments in web security. Along the way, you may find some information you can put to immediate use.
There are many mailing lists that cover security-related material. We describe a few of the major ones here. However, this is not to imply that only these lists are worthy of mention! There may well be other lists of which we are unaware, and many of the lesser-known lists often have a higher volume of good information.
Never place blind faith in anything you read in a mailing list, especially if the list is unmoderated. There are a number of self-styled experts on the Net who will not hesitate to volunteer their views, whether knowledgeable or not. Usually their advice is benign, but sometimes it is quite dangerous. There may also be people who are providing bad advice on purpose, as a form of vandalism. And certainly there are times when the real experts make a mistake or two in what they recommend in an offhand note posted to the Net.
There are some real experts on these lists who are (happily) willing to share their knowledge with the community, and their contributions make the Internet a better place. However, keep in mind that simply because you read it on the network does not mean that the information is correct for your system or environment, does not mean that it has been carefully thought out, does not mean that it matches your site policy, and most certainly does not mean that it will help your security. Always carefully evaluate the information you receive before acting on it.
Following are some of the major mailing lists.
Bugtraq is a full-disclosure computer security mailing list. This list features detailed discussion of Unix security holes: what they are, how to exploit them, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities (although that is known to be the intent of some of the subscribers). It is, instead, about defining, recognizing, and preventing use of security holes and risks. To subscribe, send “subscribe bugtraq” in the body of a message to bugtraq-request@securityfocus.com or use the form at http://www.securityfocus.com/forums/bugtraq/intro.html.
New CERT/CC (Computer Emergency Response Team Coordination Center) advisories of security flaws and fixes for Internet systems are posted to this list. This list makes somewhat boring reading; often the advisories are so watered down that you cannot easily figure out what is actually being described. Nevertheless, the list does have its bright spots. Send subscription requests to cert-advisory-request@cert.org or use the form at http://www.cert.org/contact_cert/certmaillist.html.
Archived past advisories are available from info.cert.org via the Web at:
http://www.cert.org/advisories/
The staff at the Department of Energy CIAC (Computer Incident Advisory Capability) publish helpful technical notes on an infrequent basis. These are very often tutorial in nature. To subscribe to the list, send a message with “subscribe ciac-notes yourname” in the message body to ciac-listproc@llnl.gov. Or, you may simply wish to browse the archive of old notes:
http://www.ciac.org/cgi-bin/cnotes
The Firewalls mailing list is the primary forum for folks on the Internet who want to discuss the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. To subscribe, send a message to firewalls-request@lists.gnac.net with “subscribe firewalls” in the body of the message.
The Firewalls mailing list is high volume (sometimes more than 100 messages per day, although usually it is only several dozen per day). To accommodate subscribers who don’t want their mailboxes flooded with lots of separate messages from Firewalls, there is also a Firewalls-Digest mailing list available. Subscribers to Firewalls-Digest receive daily (more frequent on busy days) digests of messages sent to Firewalls, rather than each message individually. Firewalls-Digest subscribers get all the same messages as Firewalls subscribers; that is, Firewalls-Digest is not moderated, just distributed in digest form.
Subscription information and archives can be found at:
http://lists.gnac.net/firewalls/
NTBugTraq is a mailing list dedicated to discussion of exploits in the Windows NT operating system. To subscribe, send “subscribe ntbugtraq firstname lastname” to listserv@listserv.ntbugtraq.com:
http://www.ntbugtraq.com/
The NT-security mailing list is for discussions of problems with Windows NT security. It is hosted by ISS. To subscribe, send “subscribe ntsecurity” or “subscribe ntsecurity-digest” to request-ntsecurity@iss.net.
RISKS is officially known as the ACM Forum on Risks to the Public in the Use of Computers and Related Systems. It’s a moderated forum for discussion of risks to society from computers and computerization. Send email subscription requests to RISKS-Request@csl.sri.com.
Back issues are available from crvax.sri.com via anonymous FTP and HTTP:
ftp://crvax.sri.com/risks/
http://catless.ncl.ac.uk/Risks
RISKS is also distributed as the comp.risks Usenet newsgroup, and this is the preferred method of subscription.
There are several Usenet newsgroups that you might find to be interesting sources of information on network security and related topics. However, the unmoderated lists are the same as other unmoderated groups on the Usenet: repositories of material that is often off-topic, repetitive, and incorrect. Our warning about material found in mailing lists, expressed earlier, applies doubly to newsgroups.
Alternative discussions of computer and network security
Computer administrative policy issues, including security
TCP/IP internals, including security
As described previously
Computer security announcements, including new CERT/CC advisories
Unix security
Miscellaneous computer and network security
Information about firewalls
Unix system administration, including security
Unix kernel internals, including security
Information on computer viruses and related topics
Information on JavaScript security and SSL in Netscape and Mozilla
Discussions about cryptology research and application
Discussions about cryptology research
There are dozens of security-related web pages with pointers to other information. Some pages are comprehensive, and others are fairly narrow in focus. The ones we list here provide a good starting point for any browsing you might do. You will find most of the other useful directories linked into one or more of these pages, and you can then build your own set of “bookmarks.”
CERIAS is the world’s foremost university center for multidisciplinary research and education in areas of information security (computer security, network security, and communications security), and information assurance. It is intended to function with close ties to researchers and engineers in major companies and government agencies. COAST focuses on real-world research needs and limitations.
CERIAS contains information about software, companies, FIRST teams, archives, standards, professional organizations, government agencies, and FAQs (frequently asked questions)—among other goodies. The web hotlist index at COAST is the most comprehensive list of its type available on the Internet at this time. Check out the “WWW Security” and “Java Security” sections of the COAST list.
http://www.cerias.purdue.edu/
CERIAS also maintains a large FTP repository of software, papers, and computer security tools.
ftp://cerias.purdue.edu/
The staff of the CIAC keep a good archive of tools and documents available on their site. This archive includes copies of their notes and advisories, and some locally developed software.
http://www.ciac.org/ciac/
DigiCrime bills itself as “your full-service criminal computer hacking organization.” This tongue-in-cheek site demonstrates some very real web security issues.
http://www.digicrime.com/
The FIRST (Forum of Incident Response and Security Teams) Secretariat maintains a large archive of material, including pointers to web pages for other FIRST teams.
http://www.first.org/
The Internet Engineering Task Force is the primary standards-making body of the Internet. The IETF’s web site hosts charters of the IETF working groups, final versions of the IETF “Request For Comments” series, as well as Internet drafts, recommendations, policy documents, archives of some mailing lists, and other information.
http://www.ietf.org/
The Mozilla project maintains an up-to-date set of web pages on JavaScript and SSL Security.
http://www.mozilla.org/projects/security/components/index.html
The web index page at NIH (National Institutes of Health) provides a large set of pointers to internal collections and other archives.
http://www.alw.nih.gov/Security/security.html
The National Institute of Standards and Technology (NIST) Computer Security Resource Clearinghouse. This center seeks to distribute complete and accurate information about computer security issues to government and the general public.
http://csrc.ncsl.nist.gov/
These pages follow the ongoing efforts of the Princeton SIP (Secure Internet Programming) group in finding problems with Internet programming systems and solutions for making these systems more reliable.
http://www.cs.princeton.edu/sip
This site is the largest list of cryptographic programs and software that are freely redistributable.
http://crypto.radiusnet.net/
These pages are for the OpenSSL project, a free implementation of the SSL protocol.
http://www.openssl.org/
SecurityFocus is a for-profit web site that tracks news and current events about computer security.
http://www.securityfocus.org/
SANS is a for-profit educational organization that runs conferences, sends out mailings, and publishes books that are generally dedicated to the topics of system administration, networking, and security. SANS sends out customized email alerts on a regular basis that are a general distillation and summary of all important advances and alerts in the field. Highly recommended.
http://www.sans.org/
The World Wide Web Consortium is one of the two standards-making bodies for the Web (the other being the Internet Engineering Task Force). At the W3C’s web site you can find a great deal of information about current web security standards and practices, projects, and current security issues.
http://www.w3c.org/
This is Lincoln D. Stein’s FAQ about web security. It contains a lot of good, practical information, and it is updated on a regular basis.
http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html
This section describes some of the tools and packages available on the Internet that you might find useful in maintaining security at your site. Many of these tools are mentioned in this book. Although this software is freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, it may not be able to be exported outside the United States). Carefully read the documentation files that are distributed with the packages. If you have any doubt about appropriate use restrictions, contact the author(s) directly. Although we have used most of the software listed here, we can’t take responsibility for ensuring that the copy you get will work properly and won’t cause any damage to your system. As with any software, test it before you use it!
Some software distributions carry an external PGP signature. This signature helps you verify that the distribution you receive is the one packaged by the author. It does not provide any guarantee about the safety or correctness of the software, however. Because of the additional confidence that a digital signature can add to software distributed over the Internet, we strongly encourage authors to take the additional step of including a standalone signature. We also encourage users who download software to check multiple sources if they download a package without a signature. This may help in locating malicious modifications.
The chrootuid daemon, by Wietse Venema, simplifies the task of running a network service at a low privilege level and with restricted filesystem access. The program can be used to run gopher, HTTP, WAIS, and other network daemons in a minimal environment: the daemons have access only to their own directory tree and run with an unprivileged user ID. This arrangement greatly reduces the impact of possible security problems in daemon software.
You can get chrootuid from:
ftp://ftp.porcupine.org/pub/security/
The COPS package is a collection of short shell files and C programs that perform checks of your system to determine whether certain weaknesses are present. Included are checks for bad permissions on various files and directories, and malformed configuration files. The system has been designed to be simple and easy to verify by reading the code, and simple to modify for special local circumstances.
The original COPS paper was presented at the summer 1990 USENIX Conference in Anaheim, CA. It was entitled “The COPS Security Checker System,” by Dan Farmer and Eugene H. Spafford. Copies of the paper can be obtained as a Purdue technical report by requesting a copy of technical report CSD-TR-993 from:
Technical Reports
Department of Computer Sciences
Purdue University
West Lafayette, IN 47907-1398
COPS can be obtained from:
ftp://coast.cs.purdue.edu/pub/tools/unix/cops
In addition, any of the public USENIX repositories for comp.sources.unix will have COPS in Volume 22.
Kerberos is a secure network authentication system that is based upon symmetric (secret-key) cryptography. The Kerberos source code is integrated into many operating systems, including FreeBSD, NetBSD, OpenBSD, Linux, and Windows 2000. The papers are available from the Massachusetts Institute of Technology. Contact:
MIT Software Center
W32-300
20 Carlton Street
Cambridge, MA 02139
(617) 253-7686
You can use anonymous FTP to transfer files over the Internet from:
ftp://athena-dist.mit.edu/pub/kerberos
The Multi Router Traffic Grapher (MRTG) is a tool that generates web pages with graphs of data about your network. Originally, it was designed to show data from routers, gathered with SNMP, but it is easy to use it to show any data that can be gathered via SNMP, and only slightly harder to adapt it for other ways of getting numeric values. It provides historical data (that is, it shows values over time), but it updates the web pages in real time, as information comes in. These graphs are very useful for recognizing patterns and trends in network usage—especially for detecting and diagnosing cases of misuse.
http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
The portmap daemon, written by Wietse Venema, is a replacement for Sun Microsystems’ portmapper program. Venema’s portmap daemon offers access control and logging features that are not found in Sun’s version of the program. It also comes with the source code, allowing you to inspect the code for problems or modify it with your own additional features, if necessary.
You can get portmap from:
ftp://ftp.porcupine.org/pub/security/
Venema’s portmap daemon is included as the standard portmap daemon with most versions of free Unix and Linux.
rsync is a synchronization system that uses checksums to determine differences (instead of relying on modification dates) and does partial file transfers (transferring only the differences instead of the entire files). rsync was developed by Andrew Tridgell and Paul Mackerras. rsync can use SSH for tunneling, and you should run it that way.
http://rsync.samba.org/rsync
SATAN, by Wietse Venema and Dan Farmer, is the Security Administrator Tool for Analyzing Networks.[234] Despite the authors’ strong credentials in the network security community (Venema is from Eindhoven University in the Netherlands and is the author of the tcpwrapper package and several other network security tools; Farmer is the author of COPS), SATAN was a somewhat controversial tool when it was released. Why? Unlike COPS, Tiger, and other tools that work from within a system, SATAN probes the system from the outside, as an attacker would. The unfortunate consequence of this approach is that someone (such as an attacker) can run SATAN against any system, not only those that he already has access to. According to the authors:
SATAN was written because we realized that computer systems are becoming more and more dependent on the network, and at the same time becoming more and more vulnerable to attack via that same network.
SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.
For each type of problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bug-fix from the vendor, use other means to restrict access, or simply disable service.
SATAN collects information that is available to everyone with access to the network. With a properly configured firewall in place, that should be near-zero information for outsiders.
The controversy over SATAN’s release was largely overblown. SATAN scans are usually easy to spot, and the package is not easy to install and run. Most response teams seem to have more trouble with people running ISS scans against their networks.
From a design point of view, SATAN is interesting in that the program was among the first to use a web browser as its presentation system. The source may be obtained from:
ftp://ciac.llnl.gov/pub/ciac/sectools/unix/satan/
Source, documentation, and pointers to defenses may be found at:
http://www.cs.purdue.edu/coast/satan.html
Originally written by David Koblas and Michelle Koblas, SOCKS is a proxy-building toolkit that allows you to convert standard TCP client programs to proxied versions of those same programs. There are two parts to SOCKS: client libraries and a generic server. Client libraries are available for most Unix platforms, as well as for Macintosh and Windows systems. The generic server runs on most Unix platforms and can be used by any of the client libraries, regardless of the platform.
You can get SOCKS from:
http://www.socks.nec.com/
The SSH program is the secure shell. This program lets you log into another computer over the network across a cryptographically protected link that is secure from eavesdropping. SSH also provides for secure copying of files and for secure X Window System commands. SSH is meant as a replacement for rlogin, rsh, and rcp. It can also be used to replace Telnet and FTP.
There are many programs available that implement the SSH protocol, including the original SSH, OpenSSH, PuTTY, SecureCRT, and others.
More information about SSH can be found in the SSH FAQ at:
http://www.uni-karlsruhe.de/~ig25/ssh-faq/
The SSH Security home page is located at:
http://www.ssh.fi/
You can get OpenSSH from:
http://www.openssh.com/
Swatch, by Todd Atkins of Stanford University, is the Simple Watcher. It monitors log files created by syslog, and allows an administrator to take specific actions (such as sending an email warning, paging someone, etc.) in response to logged events and patterns of events. You can get Swatch from:
ftp://stanford.edu/general/security-tools/swatch
ftp://coast.cs.purdue.edu/pub/tools/unix/swatch/
The tcpwrapper is a system written by Wietse Venema that allows you to monitor and filter incoming requests for servers started by inetd. You can use it to selectively deny access to your sites from other hosts on the Internet, or, alternatively, to selectively allow access.
The tcpwrapper system is built into most versions of free Unix and Linux on the market today, either as a standalone program or as a linkable library that is part of programs such as inetd and sshd. If you are using a free version of Unix you probably don’t need to download tcpwrapper separately, but if you want it, you can get it from Venema’s archive (the same site that hosts chrootuid and portmap):
ftp://ftp.porcupine.org/pub/security/
Tiger, written by Doug Schales of Texas A&M University (TAMU), is a set of scripts that scans a Unix system looking for security problems, in a manner similar to that of Dan Farmer’s COPS. Tiger was originally developed to provide a check of the Unix systems on the A&M campus that users wanted to be able to access off-campus. Before the packet filtering in the firewall would be modified to allow off-campus access to the system, the system had to pass the Tiger checks.
You can get Tiger from:
ftp://net.tamu.edu/pub/security/TAMU/
The TIS Internet Firewall Toolkit (FWTK), from Trusted Information Systems, Inc., is a useful, well-designed, and well-written set of programs for controlling access to Internet servers from the Internet. FWTK includes:
An authentication server that provides several mechanisms for supporting nonreusable passwords
An access control program (wrapper for inetd-started services), netac
Proxy servers for a variety of protocols (FTP, HTTP, gopher, rlogin, Telnet, and X11)
A generic proxy server for simple TCP-based protocols using one-to-one or many-to-one connections, such as NNTP
A wrapper (the smap package) for SMTP servers such as sendmail to protect them from SMTP-based attacks. You should install smap if you run sendmail at your site.
The toolkit is designed so that you can pick and choose only the pieces you need; you don’t have to install the whole thing. The pieces you do install share a common configuration file, however, which makes managing configuration changes somewhat easier.
You can get the toolkit from:
ftp://ftp.tis.com/pub/firewalls/toolkit/
Tripwire, originally written by Gene H. Kim and Eugene H. Spafford of the COAST project at Purdue University, is a file integrity checker: a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. Run Tripwire against system files on a regular basis; the program will then spot any file changes on its next run, giving system administrators the information they need to enact damage-control measures immediately.
After Kim graduated from Purdue, he helped start Tripwire, Inc., which is commercializing the Tripwire technology. Tripwire.org hosts an open source version of the product.
You can get Tripwire from:
http://www.tripwire.com/
http://www.tripwire.org/
The udprelay package, by Tom Fitzgerald, is a proxy system that provides much the same functionality for UDP-based clients that SOCKS provides for TCP-based clients.
ftp://coast.cs.purdue.edu/pub/tools/unix/udprelay-0.2.tar.gz
[234] If you don’t like the name SATAN, it comes with a script named repent that changes all references from SATAN to SANTA: Security Administrator Network Tool for Analysis.