IT Security and Hacking knowledge base

"a VMware image with a set of vulnerable Web Applications and scripts"

"a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc."

This could actually talk me into not loathing OpenID.

"At the end of the day you are likely to still be doing a significant amount of reverse engineering manually, however employing one or more of the automated tools and techniques prior to this undertaking can certainly clear away some of the low-hanging fruit and give you some momentum in the correct direction."

"a simple positive model for preventing XSS using output escaping/encoding properly"

"a repository of [...] packets, providing full-text search, automatic tagging, viewing and editing of these packets"

"a list of the most significant programming errors that can lead to serious software vulnerabilities"

"The following list presents common information security mistakes and misconceptions, so you can avoid making them."

"We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol."

"a domain specific language for the design, implementation and verification of cryptographic algorithms, developed over the past decade by Galois for the United States National Security Agency"

"This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers."

"a C compiler that is capable of preventing common C programming errors, including out-of-bounds memory accesses as well as many other common type-safety errors"

Makes JavaScript safe(-ish?) for IFRAMEs and widgets and such.

Close the hole.

"a new information gathering and correlation engine built for and by members of the security research and testing communities"

"a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies"

"reliable, pre-configured platforms that work with cutting-edge security software"

Security economics is so totally my jam.

"The Information Security Industry at a Glance". Meh, could be better.

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-ini

"delivers the tools, information, and visibility to reveal problems in TLS configurations and offer better alternatives so folks can improve their security posture and make sure it stays improved"

I'm fairly neutral about OpenID, and I think the spec itself is fairly explicit about not attempting to solve the problems listed herein. That said, there's a ton of real-world, right-now problems to tackle here.

"a pastebin that runs your code for you".

A Rails fuzzer.

Bruce Schnier sez: open your home wi-fi network. I just wish my current ISP (Yginition) wouldn't send a nastygram every time I sustain 400k/sec down.

"Prevx's Community Intrusion Prevention (CIP) system identifies malicious code by its 'behavior' and is able to neutralize whole classes of malware before it ever has a recognized signature"

a Ruby implementation of the sanitization approach taken in the Universal Feed Parser. to be incorporated into acts_as_sanitized ASAP.

XSS (cross-site scripting) information and vulnerable websites archive

hella thorough look at a bunch of webappsec issues

"a sub-set of the intelligence derived from the ATLAS sensor network on host/port scanning activity, zero-day exploits and worm propagation, security events, vulnerability disclosures and dynamic botnet and phishing infrastructures"

rsnake shares his faves

The most vulnerable and exploitable operating system ever

brutal vulnerability disclosures. good work.

Monitor Arp Traffic on OS X

Security Mailing List Archive

Matt and John get crunk

rss feeds for popular infosec lists and sites

h1kari and co.