What sites, Twitter accounts, and FOSS software should a white-hat code "hacker" follow these days?

Do Include:

  • Late breaking information on new security issues (RSS, Twitter, etc)
  • A website that tracks unpatched security issues per vendor
  • Twitter accounts, blogs, etc from well known people in the information security world.
    • Who are these people?
    • What are they known for?
  • Communities that publish information regarding zero day exploits
    • Blogs, twitter, conferences, chat rooms (irc)
  • A subject matter expert that provides up to date guidance on cryptology (algorithm, key length, etc.), and up to date information on how secure each one is
  • Open Source Software & tools that assist developers interested in the security space
  • Information regarding bills and laws that apply to computer hacking in the US and abroad (preferably in language a programmer would understand).
    • Would probably include CAN-SPAM act, and per-state privacy legislation
  • A site that publishes an exhaustive list of XSS techniques and permutations; and hopefully code that you can use to protect yourself

Please, Do NOT include:

  • Guidance that is common among the infrastructure and network support groups
    • An exception would be the recent ASP.NET security issue.
    • Any list or notification that doesn't focus on code or programming.
  • Software and tools that aren't open source
  • Deployment checklists (especially if there is no code associated with it)
  • General forums and discussion lists, unless they are well known and trusted by the security community

Since readers are likely not experts in all these areas, please let us know a little about each link and do not create a "dumping ground" of links. Do make an earnest attempt not to post duplicate links.

Since this is "security".stackexchange.com I hope to get a more diverse range of responses than the typical sysadmin site. In my experience, sysadmins stay away from code, and developers really have no fear when it comes down to the wire.

makerofthings7
  • I'm not going to try and guess what you've read elsewhere. As this question is an important one, I hope you won't punish me (-1) for trying to be helpful. – Everett Nov 20 '10 at 14:46
  • @Everett - thank you for keeping with the spirit of this question; even if they aren't the most groundbreaking responses I hope to find ;) – makerofthings7 Nov 20 '10 at 14:54
  • NP. My point with these two (and the 2600 PodCast) is that they consistently bring what is new in the industry to the public. Trying to find a new "groundbreaking" source of information is a bit difficult. Especially if you read the books, visit the current websites, follow the updated tweets, and go to the current conferences. I would think the people that want this stuff in the public domain aren't going to build a new site/way to get information off of one new security incident. I'm really not trying to sound like an a$$. – Everett Nov 20 '10 at 15:14
  • I could spam this with EFF, HOPE conference, old issues of Blacklisted 411, lists of software you could find in books on the CEH and CISSP, lists of books that are current, IRC channels, etc. At the end of the day, none of my answers will have helped you, because you already know them; they are in industry somewhere. – Everett Nov 20 '10 at 15:18

19 Answers

34

For conciseness, I'll only add two:

  • OWASP's moderated blog - they aggregate quality posts from a lot of diverse security feeds, mostly around new attacks, vectors, etc.
  • Microsoft's SDL blog, mostly focusing on remediation strategies, mitigation, threat modeling etc, and also once in a while a very open, honest analysis of discovered security flaws and the effect (or lack thereof) of the SDL.
  • (Soon I hope that http://security.stackexchange.com will be considered a top offering... :) )
Glorfindel
AviD
20

I am going to list a couple of resources I follow to keep up to date on security issues:

  1. Security Focus: you will find a slew of information on that website about vulnerabilities and all sorts of both general and specific topics related to security. It also hosts a slew of mailing lists dealing with different aspects of information security.
  2. Bruce Schneier's blog: I don't think I need to explain who Bruce Schneier is, but if you had not heard of the guy, you can read about him over here.
  3. Bruce Schneier's Twitter: Bruce also has a Twitter account which I find worth following.
  4. Product/vendor specific security mailing lists: every big or small product worth its salt has a security list that is used to track and share information about security-related issues with the product that are discovered over time. For example, I used to use Slackware heavily and followed their security advisories mailing list diligently to keep Slackware running on my system up to date with all security fixes.
  5. phrack.com: this magazine is a well of information about vulnerabilities, exploits, bugs, and everything else that has anything to do with information and network security.
ayaz
  • Very good resources, but @makerofthings7 *explicitly* asked for coding/application resources. – AviD Nov 21 '10 at 12:40
  • -1: Decent list, but OP specifically said: "Since readers are likely not an expert in all these areas, please post one site/resource per post and let us know a little about it." Hence the downvote. – mrnap Feb 28 '11 at 03:39
15

Here are some of my favorite sites to follow (I use RSS for all of them):

  1. In-depth about binary numbers, with some recent security-relevant posts http://www.exploringbinary.com
  2. The SANS Internet Storm Center, for Internet security alerts http://isc.sans.edu
  3. InfoSec News list, for consolidated security news http://www.infosecnews.org/
  4. SecurityNow podcast http://grc.com/securitynow.htm
  5. Daily Dave, technical security mailing list https://lists.immunitysec.com/mailman/listinfo/dailydave
  6. Didier Stevens's blog, lots of PDF-related security posts http://blog.didierstevens.com
  7. F-Secure's blog, for widespread malware alerts http://www.f-secure.com/weblog
  8. lcamtuf's blog, for technical security posts http://lcamtuf.blogspot.com/
  9. TaoSecurity, focused on network security monitoring http://taosecurity.blogspot.com/
  10. Ksplice's blog, more about software and Linux, but with a security flavor http://blog.ksplice.com
Eugene Kogan
8

I find it very instructive to read this blog. The author takes vulnerability announcements, usually in the Linux kernel but also other open source projects, and shows:

  • the vulnerable code
  • what the problem is
  • the patch
mlp
7

Why did no one mention Exploit-DB?

Edit:

I would highly recommend this project to everyone: pentest-bookmark. Personally I found a lot of useful information there.

Tornike
7

http://packetstormsecurity.org

Orca
7

How has no one mentioned Krebs yet? He is one of the most well known and reliable security journalists out there.

KrebsOnSecurity

I would post more, but the OP only asked for one per post (which evidently some people neglected to read).

mrnap
  • ... but feel free to add more posts so they can be individually voted on. Let the best one(s) bubble up to the top! – makerofthings7 Feb 28 '11 at 05:02
  • Or again, perhaps I should edit the original post to just say try not to post duplicate links? Your thoughts? I don't want to lose valuable insight otherwise – makerofthings7 Feb 28 '11 at 05:04
  • @makerofthings I think if your goal is to maximize knowledge, having one post with maybe <=5 links in it and making sure they are not duplicates is a good policy. That way people are still forced to select their top resources, but it also limits oversaturation. – mrnap Feb 28 '11 at 15:55
6

2600

An American publication that specializes in publishing technical information on a variety of subjects including telephone switching systems, Internet protocols and services, as well as general news concerning the computer "underground" and left wing, and sometimes (but not recently), anarchist issues.

Everett
  • It's not very developer-ey though. I've been reading since some time in the 1990s and don't remember more than a couple of pages of code. These days it's mainly "look what happens if I press the buttons on my microwave in _this_ order". I still enjoy reading it though. –  May 10 '11 at 16:27
5

lightbluetouchpaper.org - the blog of the Security Group at the University of Cambridge Computer Laboratory - provides coverage on emerging legal issues in the UK among other bits of interest but not necessarily immediate practical benefit to coders.

Nate Lawson's blog provides some really nice practical vulnerability and mitigation stuff on a code level. He co-developed the BD+ crypto for Blu-ray and has presented at RSA, Black Hat and Google Tech Talks.

Bell
4

DefCon

Originally started in 1993, it was meant to be a party for members of "Platinum Net", a Fido protocol based hacking network out of Canada. As the main U.S. hub I was helping the Platinum Net organizer (I forget his name) plan a closing party for all the member BBS systems and their users. He was going to shut down the network when his dad took a new job and had to move away. We were talking about where we might hold it, when all of a sudden he left early and disappeared. I was just planning a party for a network that was shut down, except for my U.S. nodes. I decided what the hell, I'll invite the members of all the other networks my BBS (A Dark Tangent System) was a part of, including Cyber Crime International (CCI), Hit Net, Tired of Protection (ToP), and like 8 others I can't remember. Why not invite everyone on #hack? Good idea!

Everett
3

For very technical stuff, keeping up with the research literature is a great resource. I follow the cryptography and software engineering feeds of the pre-print server (arxiv.org). I certainly don't read every paper, but it's useful to see what academia is coming up with, to keep up to speed with the abstracts and dive into the interesting or relevant material.

2

Open Source Software & tools that assist developers interested in the security space:

http://fuzzdb.googlecode.com

1

Get a Twitter account so that you can follow popular security researchers/hackers within the community. Look up recent hacker conferences, look for novel presentations, and hunt down the presenter's Twitter account. If they microblog personal info, unfollow, but keep them if they retweet news. Look at Twitter's recommendations and the people they follow and continue the process. You end up with a pretty awesome peer-reviewed news feed.

Also try hanging out in IRC support channels for various security related open source projects. I learned a lot from just hanging out in #metasploit, to be honest.

chao-mu
1

SecDocs from lonerunners.net

Nice website, consisting of daily updated papers, slides, audio and videos from security conferences. Pretty huge database of security information.

p____h
1

Haacked is a great resource for Web Developers on the Microsoft stack

Least Privilege is another great one geared for Authentication, Identity, and Federation with Microsoft technologies.

makerofthings7
1

Been reading http://rootsecure.net for a while; it's just a conglomeration of daily security links, although the webmaster just left the article posting process in the hands of the community.

Savara
1

I would highly recommend SpaceRogue's HNN Cast

http://www.hackernews.com

It is a weekly video cast that rounds up the top stories from the previous week as well as mentioning new security related tools and updates.

Casey
0

https://www.reddit.com/r/netsec/wiki/meetups/citysec This is the ultimate resource you will find in the infosec field. Period.

https://www.reddit.com/r/netsec/wiki/start