Computer Security: Useful links
Useful links about computer security
This page contains a number of useful links to pages which discuss
various aspects of computer security. If you have suggestions for
good pages which should be referred to, send me a mail with the link.
If you find that some of the links referred to on this page have
moved, please send me the new link (if you know it).
General links on security
- Terminology. A useful list of terms related to computer security.
Security evaluation
- Common Criteria. A set of web pages describing the Common Criteria for
  Information Technology Security Evaluation. The most recent version of
  the actual documents is version 3.1. It consists of three parts:
  - Part 1: Introduction, including general concepts and principles of IT
    security evaluation.
  - Part 2: Security functional requirements.
  - Part 3: Security assurance requirements.
- ITsec. The UK Government security evaluation scheme.
- Rainbow books. The US Department of Defense series on security
  evaluation, in particular:
  - Orange Book: Trusted Computer System Evaluation Criteria (TCSEC).
  - Yellow Book: Technical Rationale behind Guidance for Applying the DoD
    TCSEC in Specific Environments.
  - Green Book: Password Management Guideline.
Approved products
- Infosec Directory. The UK Government Communications-Electronics Security
  Group (CESG)'s list of assured products for use in secure environments.
Network security
- W3C Web Security. A site dealing with many aspects of security on the
  World Wide Web.
- Vulnerabilities. SANS Institute's page on the 20 most critical Internet
  security vulnerabilities.
- IPSec is described in a series of Internet RFCs, of which the most
  important to know about are currently:
  - RFC 4301. "Security Architecture for the Internet Protocol".
  - RFC 4302. "IP Authentication Header".
  - RFC 4303. "IP Encapsulating Security Payload (ESP)".
- NIST Cerberus. A Linux-based reference implementation of IPSec.
- FreeS/WAN. A freeware implementation of IPSec for Linux.
- Diameter. This describes the base protocol for Diameter, a proposed
  standard intended to provide an Authentication, Authorization and
  Accounting (AAA) framework for applications such as network access or
  IP mobility.
- WEP security. A review of the security problems in the Wired Equivalent
  Privacy algorithm used in IEEE 802.11b wireless LAN systems. For more
  detailed accounts of further problems with WEP, see the papers:
  - N. Borisov, I. Goldberg & D. Wagner: "Intercepting Mobile
    Communications: The Insecurity of 802.11", in Proceedings of the 7th
    Annual Intl. Conf. on Mobile Computing and Networking (July 2001).
  - A. Bittau, M. Handley & J. Lackey: "The Final Nail in WEP's Coffin",
    in Proceedings of the IEEE Symposium on Security and Privacy, Oakland
    (2006).
- 802.1X. The actual standard, as approved by the IEEE. A security
  analysis of 802.1X can be found in:
  - A. Mishra & W. Arbaugh: "An Initial Security Analysis of the IEEE
    802.1X Standard", Technical Report, University of Maryland,
    CS-TR-4328 (February 2002).
- EAP. The proposed IETF standard for the Extensible Authentication
  Protocol. Since it is extensible, there are lots of variants (i.e.
  extensions), some of which have security vulnerabilities. For a
  discussion of some of these, see for example:
- 802.11i. The improved standard for wireless network security. For a
  discussion of possible weaknesses in 802.11i, see:
  - Chapter 3 of Magnus Falk: "Fast and Secure Roaming in WLAN", M.Sc.
    Thesis, University of Linköping (2004).
  - Changhua He & John C. Mitchell: "Analysis of the 802.11i 4-Way
    Handshake", in Proceedings of the ACM Workshop on Wireless Security,
    WiSe'04, Philadelphia (October 2004).
- Bluetooth security. An example of a weakness in Bluetooth-based systems
  which may reveal private information.
Vulnerability and activity monitoring
- Stealth. A scanning tool (available as freeware) for checking Web
  security.
- Ethereal. A protocol analyser for Unix and Windows which can analyse IP
  traffic, including IPSec.
- Nessus. A network security scanner which checks for vulnerabilities.
  For a more complete list of vulnerability scanners, see here.
- SNORT. An open-source network intrusion detection system. Detects
  suspicious traffic and other undesirable events.
Physical security and related issues
- TEMPEST. How to pick up information at a distance by exploiting the
  electromagnetic emanation from electronic equipment, including screens
  and telephone lines.
- Optical eavesdropping. How to read CRT displays at a distance by
  exploiting the optical emanation.
Cryptographic libraries
- Crypto++. A large selection of cryptographic routines in C++.
- Cryptix 1.1. A large selection of cryptographic routines in Java.
Security policies
- NIST Internet. NIST's (1997 draft) document on Internet security
  policies.
- RFC 2196. The IETF Site Security Handbook.
- Reference Library. InfoSys Security Policy reference library,
  containing a large number of links about designing security policies.
E-commerce
- Payment methods. A site offering a review of different types of payment
  method for use in connection with e-commerce.
- SET. The Secure Electronic Transactions specifications.
- Millicent. A collection of pages on the Millicent micro-payment system.
- PayPal. An e-mail based e-payment system.
- PayWord and MicroMint. Two systems for micro-payments proposed by
  Rivest and Shamir.
- Achieving Electronic Privacy. David Chaum's Scientific American article
  on blind signatures and their use for anonymous payments.
Legal issues
Modified by Robin Sharp, 070309, 14:45
Mail: robin(a)imm.dtu.dk