Click the banner for the site map of NoticeBored.com, the information security awareness service

Warning: take great care if visiting, or downloading “useful tools”
from, dubious websites. Some of them may exploit security
vulnerabilities in your system or indeed yourself to install
Trojans and other malware. We are not responsible
for third party websites, nor for your information security.

General [anti-]hacking resources

All self-respecting geek hackers need these black or white hats. For shades of gray, try buying both and rapidly changing them.

If you program, or commission, Web-facing SQL databases, read this primer on SQL injection attacks and how to prevent them.

Hacking - The Art of Exploitation by Jon Erickson (~US$33 from Amazon) is a well-regarded technical guide to the programming techniques used by hackers to exploit bugs through buffer overflows etc. There are other good technical books on hacking but Erickson’s probably gets the best customer reviews.

Profiling Hackers (~US$48 from Amazon) is a new book resulting from a research project coupled with ‘insider knowledge’ of the hacker scene. Finding out what motivates them might just help keep the hackers out.

Hacking Exposed (fifth edition - new sixth edition due out soon), the 2005 book by Stuart McClure, Joel Scambray and George Kurtz (~US$33 from Amazon), explains how to protect one’s systems and networks, partly by demonstrating how hackers commonly exploit system and network vulnerabilities (also known as bugs). Covering Windows, UNIX, wired and wireless networking, VOIP and web hacking, the only significant category missing is application-level hacking.

The Washing Machine: How Money Laundering And Terrorist Financing Soils Us by Nick Kochan (~US$23 from Amazon) takes an in-depth look at money laundering.

Clifford Stoll, astronomer, academic researcher and author of The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, retains a deep interest in information security. Both cited works describe a real-life hacker attack and Cliff’s actions to identify and shut the intruder out of the university network he managed.

Lance Spitzner’s book Honeypots - Tracking Hackers (~$29 from Amazon) is a truly outstanding contribution to the field of information security and essential reading for security architects, network administrators and other geeks interested in securing systems and networks against hackers.

Know Your Enemy - Learning About Security Threats (2^nd edition) (~$31 from Amazon) is yet another good read from the Honeynet Project team. Read our book review elsewhere on this site. The Honeynet Project deliberately sets up servers on the Internet to be hacked. This is not some suicidal tendency but a fascinating research project to understand the latest hacking techniques and tools. They encourage the deployment of honeytokens (files or data records that nobody should be accessing), honeypots and even entire honeynets whose value lies in being probed, attacked, or compromised. The Pentagon is considering the use of honeypots as one of its controls defending military networks.

Fighting Computer Crime - a new framework for protecting information (1998) by Donn Parker (~$28 from Amazon) is an old but still valuable text from one of the ‘old guard’. Donn has been a computer security professional for more than three decades and has amassed immense experience of dealing with computer criminals. He has strong views on the futility of risk analysis in this field due to the limits of our knowledge.

How To Become A Hacker is a primer on the philosophy and ethics of hacking, more than the mechanics of hacking. Starting from the point of view that “hackers build things, crackers break them”, this is a thoughtful, well-written and stimulating piece of creative writing.

2600 magazine started in the phreaky days when a 2600 Hz whistle could be used to fool the telephone systems into making free calls. Like Phrack magazine, 2600 became an old shoe, well used but comfortable. Nothing to do with leather. The typewriter font harked back to the days when it was printed on cheap paper and circulated as an underground publication amongst phreaks (before they had that name) and hackers (real hackers, hackers who love exploring and taking control of technology without breaking it). 2600 shut up shop in 2005 but seems to have been resurrected ....

Bugtraq is THE mailing list for the disclosure of security vulnerabilities, hosted by SecurityFocus. It is a high-volume list (unfortunately). A search of the archives will generally reveal lots of reported problems with your chosen platform or application. SecurityFocus also hosts the penetration testing, VulnDev (vulnerability development), honeypots and forensics mailing lists for specialists in each of these fields, and has lots of solid technical articles on subjects such as incidents, firewalls and IDS (Intrusion Detection Systems), Windows and UNIX security.

AntiOnline is a virtual meeting room for hackers and security people. The discussion fora are very active and the site boasts a good collection of security tools and papers.

Help I think I’ve been hacked is a common cry on IT bulletin boards. Non-technical people usually don’t understand why hackers have hacked them, nor how they did it. All they want to do is get the hackers out - no mean feat without IT knowledge, even using the antivirus and antispyware tools commonly available.

Geoff Shivley’s bio tells the story of how his phreaking exploits gradually turned into computer hacking, along the way giving an insight into the hacker mindset.

Hacking and anti-hacking tools & techniques

Johnny I Hack Stuff is the website of ‘Johhny Long’, author of the book Google Hacking for Penetration Testers (~$28 from Amazon). Johnny explains how to construct interesting Google queries in order to identify vulnerabilities such as security holes in system and application software, disclosure of sensitive information and so on.

Metasploit is an open project developing the tools to exploit known vulnerabilities. Open tools of this nature have pros and cons. On the downside, they can be used by hackers and crackers to exploit vulnerable systems. On the upside, the white hats have access to the same tools for penetration testing their own networks.

Dumpster diving covers a broad range of pastimes from those who casually remove and recycle all manner of useful but discarded materials from dumpsters, waste bins or skips, through to those who target much more valuable booty including personal data on credit card bills/bank statements, internal phone books, system admin manuals, computer printouts in general and so forth.

Perusing this list of 100 websites gives a flavor of what certain hackers find interesting - hacking/cracking tools and how-to courses, warez and cracked serial numbers for examples.

Microsoft’s Security Monitoring and Attack Detection Guide is designed to help organizations plan a security monitoring and attack detection system based on Windows Security Event logs. It explains how to interpret the events (albeit within the rather limited capabilities of standard Windows tools) and which events indicate the possibility that an attack is in progress. Their Services and Service Accounts Security Planning Guide is another useful document that addresses the important issue of running Windows services under reduced-privilege user IDs (not SYSTEM!).

Hacking news and incidents

A survey of hackers at DefCon suggests that “only” 25% are malicious. So that’s alright then.

Astalavista is a hacker/information security search site/portal dating from the far-off pre-Google days when AltaVista was the coolest search engine on the web (eons ago in Internet time).

Hakin9 is a bi-monthly hacker/information security magazine, also available as an electronic magazine (e -zine). The mag used to be free but now costs nearly US$50 for a year. Still, there’s a little collection of hacking-related papers on the site.

A team of researchers/hackers has demonstrated the ability to obtain rogue digital certificates to authenticate rogue websites, based on crafting rogue certificate requests matching genuine certificate requests that are actioned by a common Certificate Authority. The crux of the attack is that the MD5 hashing algorithm used by that and a few other CAs is vulnerable to collisions, a weakness that has been known publicly since 2004. The team used a bank of 200 Sony Playstation consoles (with fast graphics processors ideally suited to this kind of calculation) to perform the vital crytographic steps quickly, achieving the whole process including issue of an authenticated but rogue website certificate over the course of a weekend. They advise all CAs to stop using MD5 for certificate hashing but move on to SHA-1 or better still one of the SHA-2 variants. [Their conference presentation paper is a work of art, describing such a complex mathematical process with great clarity. Excellent!]

If MD5 collisions are all Greek to you, try this paper explaining how Alice might fool Caesar into effectively signing a rogue order giving Alice access to his most private information.

Invasion of the Computer Snatchers describes several hackers through the journalist’s pen. It’s easy to typecast hackers - that’s exactly what Hollywood does every time - but still it’s an interesting peek into what’s sometimes an ethically challenged hacker underworld.

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese -government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.

A Microsoft UK website was defaced with a GIF image file supporting an arrested hacker. The Register reported that the GIF was removed. Crude website defacements of this nature are at the ‘vandal’ end of the hacking scale.

Russian extortionists who used DDoS attacks to extort money from UK betting firms were arrested. Complaints to the National High-Tech Crime Unit of attacks fell after the arrest of a Russian gang believed to be behind the protection racket which forced Web-gambling firms to pay up or face extended service outages.

A US-CERT Cyber Security Tip gives advice on DoS attacks.

General [anti-]hacking resources

Hacking and anti-hacking tools & techniques

Hacking news and incidents

Related NoticeBored links collections