LINKS

October 4, 2014

Domain, Site & IP Information

SANS Internet Storm Center: Summarizes the overall security health of the Internet. Shows security trends including the top 10 rising ports. Also has a quick, easy-to-use port/IP lookup search feature at the top right.

ARIN WHOIS Database Search: Provides a mechanism for finding contact and registration information for resources registered with ARIN. Often used in penetration testing for discovering all the IP address space registered by an organization.

Robtex: A collection of various online tools such as DNS, whois, blacklist checking, reverse IP, etc., for examining domain names and IP addresses.

DNS History: Historical archive for DNS records.

MultiRBL.valli.org: A DNS blacklist and Forward Confirmed reverse DNS tool for checking multiple blacklists simultaneously. Used to see if a given IP is in any of the hundreds of separate blacklists, likely for spam or abuse reasons.

SHODAN: Search engine that looks for public service banners.

Namedroppers: Lists registered domain names that match your search query. Useful for showing possible phishing sites.

Team Cymru: Provides charts and graphs on malicious Internet activity, as well as an always up-to-date bogon list (series of IP blocks that should never be routed globally on the Internet. These IP addresses, which change periodically as IANA sees fit, are commonly found as the source address of DDoS attacks, which is why they should be included in your ingress/egress filters). They also manage the Darknet Project.

URLVoid: Allows visitors to submit a domain name and have it scanned by multiple web site reputation engines in order to flag malicious web sites.

Google Safe Browsing: Enter an address at the end of the URL (example.com used as an example) to see whether the site engages in malicious behavior such as drive by downloads.

urlQuery.net: Allows you to process the response to a URL request to see if there is anything malicious. Very detailed.

Unmask Parasites: Submit a web site name and have the page scanned for external references and suspicious scripts.

LongURL: Expand the shortened URLs that were compacted by any one of hundreds of different URL shortening services. Will also reveal any redirects and information about the final destination page.

Web Sniffer: Allows you to view the HTTP requests and responses of a site without visiting it. A similar site is Rex Swain's HTTP Viewer.

SSL Labs: SSL test for websites, allowing you to verify SSL metrics for a web site.


Malware, Crime, & Exploits

Note: Some of the following may contain links to actual exploits, hacking tools, and/or possible "underground" sites. Do not click carelessly.

VirusTotal: An online service that allows you to upload a file and have it scanned by over 40 different virus scanners in order to detect any possible malware. Another site that provides similar services is Jotti's malware scan.

Comodo Instant Malware Analysis: Allows you to submit a suspicious executable for behavioral analysis. See the changes that the executable makes to registry keys, files, directories, drivers, processes, threads, as well as network behavior such as DNS queries, HTTP traffic generated, etc. Other good sites for this are malwr.com and Anubis.

Wepawet: Another online malware analysis tool, but this one specializes in Flash, JavaScript, and PDF files.

Cyber-Threat Analytics: The Cyber-TA Project Page provides Internet attack reconnaissance information. Their goal is to allow for rapid distribution of this content to the general network community in order to help mitigate emerging attacks. Their malware analysis page is where the goodies are. This will show you their daily infection log summaries that were harvested live from the SRI high-interaction honeynet. Drilling down through these reports will reveal a lot of technical details about malware infections that are currently circling the globe (including IP addresses of attackers, botnet command and control servers, and failed DNS lookups attempted by malware). Essentially, this page tells you where the bad guys are, and what they are doing.

Shadowserver Foundation: The Shadowserver Foundation is a volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. The purpose of the site is to raise awareness of the presence of compromised servers, malicious attackers, and the spread of malware.

PhishTank: A collaborative clearing house where anyone can submit, verify, track and share phishing data.

Exploit-DB: A repository of exploits that is frequently updated with the latest attacks. A somewhat similar site would be Packet Storm.

Offensive Computing: A well-stocked database of malware used for analysis purposes.

Malware Domain List: A frequently updated list of malicious domains and URLs.

Hackmageddon.com: A listing and timeline of cyber attacks.


News & Publications

Rootsecure.net's News Feeds Console: Quite possibly the most complete collection of security news information amalgamated together on a single page. It may take your browser a few moments to display it in full.

Security Wizardry Computer Network Defence Situational Awareness: A site that is probably familiar to most people who have worked in a SOC. If you plan on displaying it 24x7 in an enterprise, as a safety measure I would recommend doing so on a dedicated hardened system (a hardened system with a browser that has no plugins enabled, with security extensions installed, and that isn't logged into the admin interfaces of your security appliances).

Threatpost: Up to date security news delivered by Kaspersky Labs.

Computer Crime Research Center: Divulges the latest cybercrime news.

Global Incident Map: Combines security news and events with Google maps. Very interesting to see.

DataLossDB: Documents, tracks, and analyzes incidents involving data loss worldwide.

(IN)SECURE Magazine: Free downloadable magazine that discusses the latest security topics on a technical and operational level.

Cryptology ePrint Archive: Archive of cryptology research papers.

Infosec Writers: A collection of various Information Security articles, white papers, and projects, contributed by people willing to share their knowledge and experiences on various aspects such as cryptography, email security, exploitation, firewalls, forensics, general security concepts, honeypots, IDS, malware, wireless security, etc.

IAnewsletter: The Information Assurance Technology Analysis Center's newsletter for information assurance technology professionals. IATAC is a U.S. Department of Defense sponsored organization.

CSIS Technology Publications: The Washington DC based Center for Strategic & International Studies' publications on technology topics, many of which relate to cybersecurity issues.

Symantec Internet Security Threat Report: Lengthy, well-presented report offered in multiple formats (PDF, Flash, Podcast) that provides analysis and discussion of threat activity over a six-month period, covering Internet attacks, vulnerabilities, malicious code, Phishing, spam, security risks, and future trends.

Microsoft Security Intelligence Report: A semi-annual report from Microsoft that analyzes threats, vulnerabilities, exploits and attacks based on data from hundreds of millions of systems worldwide.

NSA Security Configuration Guides: The National Security Agency has written a series of security configuration guides for securing specific network devices, services, and operating systems.

NIST Computer Security Special Publications (800 Series): A collection of documents published by NIST's Information Technology Laboratory that are of general interest to the computer security community.


Media Archives of Security Conventions

DEFCON Media Archive: A listing of all the content (audio, video, PDF, PowerPoint, executables, etc.) that was presented at DEFCON.

Black Hat Archives: Essentially the same as above but for the Black Hat briefings.

BlueHat Archive: An invitation-only Microsoft security conference held twice a year.

USENIX Multimedia Archives: Various conferences, workshops, and symposiums sponsored by the Advanced Computing Systems Association.

CanSecWest Material Archives: Three-day digital security conference held in Vancouver, Canada.

RECON Archive: Security conference with a focus on reverse engineering and exploitation, held annually in Montreal, Canada.

DFRWS Archives: Papers and slides presented at the annual Digital Forensic Research Workshop conferences.

Hack.lu Archive: Conference held in Luxembourg that discusses computer security, privacy, and the implication of IT on society.

VB Conference: Virus Bulletin conference held in various locations with a focus on anti-malware.


Security Blogs

Metasploit: Blog related to the Metasploit Project.

Schneier on Security: Known by almost everybody in the security community.

F-Secure Weblog: Frequently updated with detailed analysis of recent malware and online scams.

Sophos Naked Security Blog: Lists the latest online scams and malware threats.

Mandiant M-unition: Insightful technical blog by Mandiant.

Krebs on Security: Brian Krebs has written many excellent reports for The Washington Post, some that resulted in action being taken against the criminal organizations. He now continues on his own with his blog.

Google Online Security Blog: Security news and insight from Google.

Websense Security Labs Blog: A frequent source of insight on new web-based security threats.


Twitter Security Feeds

Mikko Hypponen: Always tweeting interesting things.

Malware Domain List: Updates from Malware Domain List.

Microsoft Security Response: Important security-related information from Microsoft.


Vulnerability Information

Secunia Security Advisories: Excellent up-to-date source for the latest vulnerabilities. Another good source for similar content is SecurityFocus.

CVE Details: Billed as the ultimate security vulnerability datasource.

CIRT.net default password list: A list of default hardware and software passwords, searchable by vendor, product, and model number. If you are currently using a product with the default password still set, or with a variant of the default password, change it now!

PatchManagement.org: A mailing list dedicated to discussing patches.


Network

Packet Clearing House: Provides the worldwide list of Internet Exchange Points which form the core of the global Internet.

The Cooperative Association for Internet Data Analysis: Offers research, analysis, and visualization efforts into the behavior, usage, evolution, and infrastructure of the Internet.

CiscoNet.com: Provides a list of public route servers that anybody can telnet to. Use them to run traceroutes and to help troubleshoot network issues.

IP to CIDR: One of the few CIDR calculators that convert IP ranges into CIDR notation.

Internet Traffic Report: Reveals the overall performance of the Internet's bandwidth.

GRC's Shields UP! test: Runs an online scan against your ports. Helpful for knowing which of your ports are visible on the Internet. Given that many people's home Internet connections are behind a router or DSL modem with a built-in firewall, this type of scan is very helpful in revealing which ports are open on the Internet versus which ports are open on your local network.


Operating Systems & Applications

CentOS: CentOS is essentially a binary copy of Red Hat Enterprise Linux (RHEL), except that, unlike RHEL, CentOS is 100% free. Probably this author's favorite Linux distribution for running a server (yes, more so than Debian). CentOS is stable, secure, easy to use, and is supported for a good length of time, unlike certain Linux distributions which cease supporting a release 1 year after the newest version comes out. For example, CentOS 4, released in 2005, will have maintenance updates until 2012. It is also arguably the best known and most popular of the Red Hat Enterprise Linux clones. For those who are comfortable with their "*nix" skills and don't mind spending time configuring, you may also want to look into FreeBSD, which (for the uninitiated) is a Unix-like OS outside of the Linux family.

Qubes OS: An open source operating system designed to provide strong security through isolation.

Windows Sysinternals: A collection of several useful Windows tools, including network connection monitors, rootkit scanners, event log dumps, etc.

Microsoft Technet security tools list: Another collection of various Microsoft information security related tools.

OldVersion.com: An archive of older versions of software programs. Can be a useful educational tool in order to experiment with certain software vulnerabilities that become patched in newer versions. A similar site is OldApps.com.

PRISM Break: Provides software suggestions to help opt out of global surveillance programs.


Other

Open Reverse Code Engineering: A user community for reverse engineering focused heavily on malware and security tools.

Open HUB: Provides information regarding code for open source projects.

The Center for Internet Security: A not-for-profit organization that develops best practice guidance such as security hardening recommendations for the Internet community. Their benchmarks are well worth submitting your e-mail address to download.

FILExt: Online database of file extensions. Also provides the unique identifying characters for certain file types. Can be helpful for computer forensics. See also TrID for a downloadable utility that provides similar functionality.

Keylength: Use Keylength to easily compare encryption key requirements as recommended by various organizations.

Free Rainbow Tables: One of the better places to download rainbow tables and to understand the security implications of relying on hashes for password authentication.

Yellowpipe Encrypter / Decoder: Online tool that allows you to encode and decode documents in various formats. For example, by using the URL Decode function, you can decode an obscure URL such as "http://192.0.2.1/%65%78%70%6c%6f%69%74%2d%63%6f%64%65" into its human-readable text equivalent, which would be "http://192.0.2.1/exploit-code", or decode a string that was base64-encoded in an attempt at IDS evasion.

User-agent-string.info: Analyzes user agent strings to reveal browser and operating system information. A similar site is User Agent String.Com.

AccountKiller: Provides specific instructions for deleting your account or profile from popular web sites such as Facebook, MSN, Gmail, Yahoo, etc. A similar site is justdelete.me.

DuckDuckGo: A search engine with a focus on privacy that, unlike many other search engines, doesn't track you.

Market Share: Displays charts, statistics, and trends of the market share for web browsers, operating systems and search engines.