comp.security.misc comp.security.unix comp.security.announce
misc.security alt.security alt.security.ripem
alt.security.pgp sci.crypt talk.politics.crypto
alt.2600 comp.risks comp.virus

Security Organizations and Companies
USENIX and SAGE - the UNIX and Large Installation System Administration user groups.
NIST - National Institute of Standards and Technology.
CERIAS - Center for Education and Research in Information Assurance and Security (has subsumed Purdue's COAST - Computer Operations, Audit, and Security Technology).
PCERT - Purdue Computer Emergency Response Team.
CERT - Computer Emergency Response Team.
AUSCERT - Australian Computer Emergency Response Team.
National Computer System Security and Privacy Board.
RSA - RSA Data Security.
ISS - Internet Security Systems.

Encryption Tools
PGP - pretty good privacy, a public key encryption system often used for mail.
CBW (code breakers workbench) - useful in breaking files encrypted with crypt(1).
descore is a package containing just the core DES functionality: specifying keys, encryption and decryption. It is for those who want to implement such things as DES filters, rather than UNIX password crackers.
md5 and md5check generate and check cryptographic checksums for files. MD5 is more precise and secure than the typical UNIX sum(1) command.
The ufc-crypt implementation is plug-in compatible with crypt(3)/fcrypt. It has extremely high performance when used for password cracking.
Crypto sites listed at www.ssh.fi.

Remote Access Tools
Kerberos Authentication Service - the Kerberos system is a replacement for traditional UNIX passwords that uses encrypted streams and keys.
Security Dynamics, maker of ACE/Server security software, the SecurID card and more.
Bellcore skey archive - s/key is a one time password scheme developed to avoid passive password sniffing. Bellcore offers a commercial version for Win3.1, WinNT, and Win95.
The original ssh - login and execute remote commands using a securely encrypted shell.
F-Secure ssh - a commercial version of the ssh protocols, including v2.
openssh is an open source version of ssh protocols v1.5 and v2, maintained by the OpenBSD group.
OPIE (One Time Passwords in Everything) is a freely redistributable kit that will drop into most UNIX systems and replace your login and FTP daemon with versions that use OTP for user authentication. It also includes an OTP generator and a library to make it easy to add OTP authentication to existing clients and servers.

Secure Programming
Articles and papers on secure programming include:
Secure programming talks, tutorials, and classes include:
Books on writing secure and bug free code include:

X Security
Crash Course in X Security - how to snoop the windows and keyboard as well as ways to prevent it.
Securing the X Window System - a government-sponsored paper written by Lawrence Livermore National Laboratory detailing how the X Window System works and how to do Host and Token authentication.
CheckXUsers - a script that checks for people logged on to this machine from insecure X servers.

General Security FAQs and RFCs
anonymous FTP FAQ - details how to set up a secure anonymous FTP environment on a UNIX machine, and also gives pointers to third party FTP server software.
compromise FAQ - deals with some suggestions for securing your UNIX machine after it has already been compromised. Includes a list of tools to trace the hacker and their origin, as well as a list of some commonly attacked weak spots on a UNIX system.
patches FAQ, provided by ISS - lists various operating systems and how to patch programs on those systems, points out common vulnerabilities, and gives pointers to vendor patch sites.
vendor contacts FAQ - a list of vendor security contacts, with details on how to report vulnerabilities and obtain new security related patches.
sci.crypt FAQ - gives a basic overview of cryptology and goes into the definition and differences between product ciphers, public-key cryptography, digital signatures, and various technical aspects of password generation and cracking.
RSA Cryptography FAQ - covers the algorithms and techniques used in RSA cryptography and describes the security protocols and services and their implementation in the real world.
PGP FAQ - covers where to get the latest version of PGP, by Phil Zimmermann, and other Crypto/PGP related news.
RFC 1244: The Site Security Handbook - written by the Security Area and User Services Area of the IETF, this document is a first attempt at providing Internet users guidance on how to deal with security issues in the Internet. The document includes sections on defining security policies and procedures, risk assessment, security audits, incident handling, and post-incident procedures.
CERT's recovering from an incident FAQ - details how to detect intrusions, recover from a root compromise, and how better to avoid compromises in the future.

Other WWW Security Sites
Rootshell.com is a site dedicated to making security information freely available to the public in a timely fashion. They publish information describing security problems in a wide array of operating systems, and believe in full disclosure including example scripts.
The L0pht, now owned by @stake, was a bunch of hackers who got together and started working on projects together. There are remnants of different groups that make up L0pht such as RDT, cDc, RL, etc. L0pht has a hardware group that works with wireless communications, packet radio, microwave links, and various telephony projects. L0pht's software group deals a lot with computer security of various OS's.
Phrack Magazine includes philes on telecom (phreaking/hacking), anarchy (guns and death & destruction), and cracking.
2600 includes a list of the latest sites cracked by various known and unknown crackers and script kiddies, and information about the quarterly magazine.
Various security FTP pointers from CMU - lists of various security/crypto related FAQs, sites, and news articles.
Wietse's tools and papers - Netherlands site of security tools and papers written by Wietse Venema, as well as a collection of links to other useful security software and papers.
NIH's Security Page includes a large number of links to various aspects of security including organizations, FAQs, ecommerce, cryptography, and much much more.
Lycos Unix Security Search - Lycos search of the web on +unix +security
Altavista Unix Security Search - Altavista search of the web for +unix +security
The Shake Vulnerabilities Database is a commercial subscription database of computer software and hardware vulnerabilities that is updated on a daily basis. It contains vulnerabilities in commonly used operating systems, hardware, software and languages, including patches and fixes.
Not a web site, but worth mentioning: the Rainbow series of books. A copy of the most commonly known one, the Orange book, resides at CERT. To get the Rainbow series, write or call: INFOSEC Awareness Division