SN - Security Engineering

Security Engineering - A Guide to Building Dependable Distributed Systems
Password Management Best Practices
Best practices for enterprise password management. Classifies security threats and discusses practical strategies to counter password guessers, packet sniffers, sticky notes and more.
PGP Global Directory
An Example of RSA Encryption
CS and Security - Index of /~cs5204/fall03/Papers
PKI considered harmful
PKI - Pandora's Box or Panacea?
PKI's promise is to help make e-commerce transactions truly secure. But because it's built on a fragile underlying Web of trust, be careful when implementing it in your enterprise.
Clark-Wilson Security model
NSFOCUS Information Technology
Anatomy of an ARP Poisoning Attack: Security Basics | WatchGuard Technologies, Inc.
Anatomy of an ARP Poisoning Attack: Network Security Basics from WatchGuard LiveSecurity
Windows 2000 Authentication
RFID Handbook: Fundamentals and Applications in... - Google Book Search
DEEDS - TU Darmstadt, Germany
Public-Key Infrastructure (X.509) (pkix) Charter
Windows Vista Security and Protection
Microsoft Windows Platform Products Awarded Common Criteria EAL 4 Certification: Certification builds on Security Development Lifecycle advances to deliver unprecedented levels of assurance and quality for IT.
Certification builds on Security Development Lifecycle advances to deliver unprecedented levels of assurance and quality for IT.
Overview to the Threats and Countermeasures Guide
This is the overview for the Threats and Countermeasures Guide
Shamir47.pdf (application/pdf Object) -- Terence Spies on Identity-Based Encryption
Terence Spies, vice president of engineering at Voltage Security, recently spoke to the O'Reilly Network about Identity-Based Encryption.
Identity-Based Encryption - IBE -Secure Email By Voltage Security
Identity-Based Encryption. IBE & Secure Email. Voltage Security. Using IBE dramatically simplifies the process of securing sensitive communications.
Build and implement a single sign-on solution
It is particularly difficult to bolt a single sign-on solution -- SSO, the ability to log in once and be authenticated to all your network resources -- onto existing applications, but every developer faces this problem when building sophisticated portals. Because portals need to integrate with back-end resources, each with its own authentication needs, the portal often has to provide the appearance of single sign-on to the user. In this article, Chris Dunne provides a step-by-step description of his experience with building a single sign-on solution for a Web portal. He shows you how to set up an open source solution, the Central Authentication Service from Yale University, and how to extend it to authenticate to a Microsoft Active Directory infrastructure.
Using SSL for Authentication
Information Security Illuminated - Zoeken naar boeken met Google
John.Wiley.and.Sons.Hacking.Windows.XP.Jul.2004.eB ook-DDU.pdf - ebook4you
. John.Wiley.and.Sons.Hacking.Windows.XP.Jul.2004.eB ook-DDU.pdf Security - Hacking
Security - Hacking - Page 3 - ebook4you
. Page 3-Các ebooks thuộc chủ đề bảo mật và xâm nhập như Tường lửa, Mật mã, bảo mật ứng dụng (hệ thống), các kỹ thuật khai thác ...
Bro Intrusion Detection System - Bro Overview
Enterasys - Products - Advanced Security Applications - Intrusion Detection/Prevention - Dragon Intrusion Detection/Protection Systems
Host-Based IDS vs Network-Based IDS (Part 1)
This white paper will highlight the association between Network Based and Host based intrusion detection. A product comparison will be incorporated in a following white paper part 2 to assist in the selection of the appropriate IDS for your organization. Important facts and consideration will be highlighted to assist when selecting a sound intrusion detection system. This white paper will give you a better understanding of the differences between NID and HIDS and will highlight the strengths and weaknesses of both concurrently extending your knowledge and increasing your understanding of the IDS systems.
PGP MITM Attack - By RSnake
RSnake's official homepage.
Summary of MITM attacks with legacy authentication
P2P Networks
Security and Privacy in RFID Systems
This site references papers related to security and privacy in RFID systems.
Storm, Nugache lead dangerous new botnet barrage
Storm and Nugache Trojans are leading a dangerous new botnet barrage.
The Byzantine Generals Problem
Cryptology ePrint Archive
Microsoft Exchange Hosted Encryption
Exchange Hosted Encryption: Technical Overview
Breaking copy protection in microcontrollers
The last investigations into security of microcontrollers and copy protection mechanisms. PIC16C84, PIC16F83, PIC16F84, PIC16F84A, PIC16F873, PIC16F874, PIC16F876, PIC16F877, PIC16F627, PIC16F628, PIC12C508, PIC12C509, AT89C51, AT89C52, AT89C55, AT89C1051, AT89C2051, AT90S1200, AT90S2313, AT90S2323, uPD78F9026, uPD78F9116, MSP430F110, MSP430F112, MSP430F122, MSP430F123, MSP430F133, MSP430F135, MSP430F147, MSP430F148, MSP430F149, MSP430F412, MSP430F413, MC68HC05B6, MC68HC05B8, MC68HC05B16, MC68HC05B32, MC68HC05X16, MC68HC05X32, MC68HC11A8, MC68HC11E9, MC68HC11L6, MC68HC11KA4 and MC68HC11KG4 have been tested for possible ways of unlock and unprotect. Other PIC and AVR processors might be sensible for such attacks.
This work presents a list of desirable features as well as a list of attacks or problems to secure email, together with a corresponding score card for the technologies X.509 / PKI, PGP and IBE as used today. Usability, as an aggregation of properties, is considered the Most Important Feature of a secure email system.
Technical report - Web Single Sign On Systems
BBC NEWS | Technology | Google ranked 'worst' on privacy
Google is sharply criticised in a report looking at the privacy policies of popular net firms.
Sec w/o ID
Sci American on privacy
Navica - Open Source Maturity Model (OSMM)
Description here
The Open Source Definition
EUROPA - Rapid - Press Releases
Rapid - the press releases database for main European Institutions
OSVDB: The Open Source Vulnerability Database
The Laws of Identity - MSDN
Microsoft Exchange Hosted Encryption - Identity Based Encryption
Exchange Hosted Encryption is a convenient, easy-to-use e-mail encryption service that helps to safely deliver your confidential business communications.
Microsoft Exchange Hosted Encryption
Exchange Hosted Encryption: Technical Overview
Authentication, Crypto and Such by Rick Smith - Books, Papers, and Presentations on Computer-based Authentication, Security, and Internet Cryptography
Rick Smith's books, papers, and presentations on information security topics, with information describing his books "Authentication: From Passwords to Public Keys" and "Internet Cryptography." Papers and presentations also explore computer security basics, e-commerce, and computer security evaluations.
Research and Scholarly Activities - Dr. Rick Smith, University of St. Thomas
History of Computer Security
This page contains History of Computer Security papers.

EduCourses and Training

MIT OpenCourseWare | Home
Interactive Training - Microsoft Enterprise Learning Library
Grid - Security @ Class Pages for University of Maryland, Computer Science
Lecture Notes - Johnathan Katz - Undergraduate crypto course
Lecture Notes - Johnathan Katz - Crypto course
CMSC 858K --- Advanced Topics in Theory of Computing: Cryptography

Distance Education at a Glance
Distance learning guidelines
CEEVU: Центрально-восточно-европейский виртуальный университет
TechOnLine - Educational Resources - VirtuaLabs
Worldwide Universities Network
Kennisnet Primair onderwijs Leerkracht

TPG - Trusted Computing Group

Trusted Computing Group: Home
Trusted Computing Group: TPM
Trusted Computing Group: Infrastructure
Trusted Computing Blog
TPM Matrix (c) 2004 - 2006
TPM deployment Matrix
Trusted Computing Group: Interop 2006
Goals and objectives of OpenTC — Open_TC
Trusted Computing (TC) aims at increasing the security of the core Operating Systems (OS). This begins at the lowest level of the platform with a controlled loading of an operating system and goes on level by level, verifying the process after each level. Project development will be based on a hardware root of trust, a security hardware module to support the integrity checks and the storage of keys and other data in a protected chip, referred to as Trusted Platform Module (TPM). A secure hardware architecture is another prerequisite for the project - this will be developed outside the project by AMD and made available to the project. Making security a tangible and affordable enabling technology is of great importance for the deployment of a global security framework.
Trusted Computing - TCG proposals
OpenTC - Trusted Java Website Trusted Java
The world's largest development and download repository of Open Source code and applications
Welcome to OpenTC — Open_TC
The Open Trusted Computing (OpenTC) consortium is an R&D project focusing on the development of trusted and secure computing systems based on open source software. The project targets traditional computer platforms as well as embedded systems such as mobile phones.


AAA, Identity, PKI, Application Security


Shibboleth/OpenSAML CVS Source Code Repository Project Info - Shibboleth
Shibboleth v1.3 Software
WebHome < Shibboleth < TWiki
WebServices < Shibboleth < TWiki
GridShib: A Policy Controlled Attribute Framework
GridShib: Downloads
GridShib: A Policy Controlled Attribute Framework
Shibboleth - Download
Shibboleth is standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
TrustEngine < Shibboleth < TWiki
SourceAccess - Shibboleth - Internet2 Wiki
Announce-Shib-2.0-Beta - Shibboleth 2.0 Documentation - Internet2 Wiki

PKI &Trust

Grid Policy Management Authority Website
PinkRoccade Infrastructure Services - - Managed PKI - Digital Certificates - qualified certificate
OpenPGP Public Key Server Commands
Pgp-keyserver-folk Info Page
X.509 - Using PFX and PEM Certificate Formats with Keystores
There are a number of certificate formats in cryptography. This tutorial demonstrates how to convert between the most common formats and build keystores that can be used for two-way SSL.
VeriSign Secure Site Services

Identiy Mngnt/Authentication

Central Authentication Service - CaseWiki
Microsoft .NET Passport Member Services
Liberty Alliance
SourceID | Open Source Federated Identity Management | Liberty Alliance, WS-Federation, SAML | Home
opensso: Home
The A-Select Authentication System
Authentication Authorisation Accounting ARCHitecture Research Group
About the Group - Policy Research Group, DoC, Imperial College
Akenti Distributed Access Control
Sun Java System Access Manager
Global working Group eduroam Area
pGina: Making the big boys play nice - Latest News
TWiki - Shibboleth - Ohio Univ
uPortal by JA-SIG
Information Systems Security Group
Samoa: Formal Tools for Securing Web Services
OpenLDAP, Software
LDAP @Stig Venaas
DAASI International
PAPI project
GAA-API Home Page
Access Control in Operating Systems - Simple Policy Control Protocol
Phaos Technology Corporation - XML Certificate, XML Security Suite, Encryption XML
bhold company - role based acces control (rbac)
Build and implement a single sign-on solution
Securent Entitlement Management Solution (EMS)
Entitlement management solution: Securent entitlement management solution (EMS) is a unique, scalable, enterprise-ready solution for achieving fine-grained or application specific role-based distributed entitlement.
9Star Research Inc: Open Source Campus/Enterprise IdM Solution
US - NIST New Computer Security Publications (eGovernment Resource Centre)
The US National Institute of Standards and Technology has published reports on computer security including Windows XP Home Edition, IT plans, acess control policies, and computer security log management.
Interoperability Prototype for Liberty
Microsoft .NET Passport
PRIMA - Privilege Management and Authorization
Report about identity management online
SWITCH - AAI - Dukono Test Identity Provider

Security: Operational and Network

NewsBites: Security Digest
Brutus - The Remote Password Cracker
Security Forum - Home Page
Computer Security Alerts
Technology Support - Laws and TTU Policies Affecting Computer Use - main page - Integrity & Confidentiality of Networked Systems
Threat Classification - Web Application Security Consortium
Secure BGP
ORG (Owasp Report Generator) - OWASP
Security Risk Management and Network Change Management Solution from Skybox Security, Inc.
Skybox Security pioneered the science of quantifiable security risk analysis and is driving the advancement of the Security Risk Management (SRM) market. The company’s award-winning product suite, Skybox View™, is the first and only software solution to create a virtual model and staging environment of an organization’s network security profile. Skybox View™ collects network infrastructure and security configurations, evaluates vulnerability scan results, maps dependencies among security devices and incorporates the business value of critical assets. Through exclusive attack simulation, it uses this data to calculate all possible access paths, and highlight vulnerabilities that can be exploited by internal and external attackers as well as malicious worms. Creating a virtual sandbox, or simulating a staging environment, is possible through unique “what-if” analysis capability. By using Skybox View, the information overload associated with thousands of network security policies, control devices and vulnerability scans can be demystified and automated. The benefit is business continuity through a measurable, repeatable and predictable network connectivity and risk assessment process. This is achieved through continuous evaluation of an organization’s risk profile, security control effectiveness and justifiable price tag on mitigating exposures. With Skybox View, the security team receives a precise and prioritized battle plan; IT operations can reduce IT workload; and management gains unprecedented visibility into the organization’s risk and governance profile. Skybox View has two applications: Skybox Secure for Security Risk Management, and Skybox Assure for Network Change Management. Designed for the security and auditing teams, Skybox Secure runs unique attack simulations on the virtual model to evaluate which threats pose the greatest potential harm. It evaluates all possible access paths and vulnerabilities that can be exploited by internal and external attackers as well as malicious worms. Designed for the IT network and operations team, Skybox Assure runs unique access simulation within a virtual staging environment in order to evaluate effectiveness and compliance of security controls with defined policies. It simulates all possible access paths, validates connectivity and enables the testing of proposed changes before implementation.
The Open Group Security Forum
The Open Group is an international vendor and technology-neutral consortium that is committed to delivering greater business efficiency by bringing together buyers and suppliers of information technology to lower the time, cost and risk associated with integrating new technology across the enterprise. With its proven certification methodology and conformance testing expertise, The Open Group is the international guarantor of the interoperability that single economic entities require to achieve independence. The flexible structure of membership of The Open Group allows for almost any size of organization to join and influence the future of the IT world, and the introduction of membership for individuals is currently being considered. However, members include some of the largest and most influential organizations in the world and buy-side members have combined budgets of over $50 billion per annum.