Resources

The following is a list of blogs, communities, or other miscellaneous resources that can provide some great reads and educational info on topics pertaining to security. Feel free to leave comments below if you think anything should be added!

News

http://packetstormsecurity.org/ -- News/Current Exploits (Gathers top stories from other security news sites [and shows new exploits at the bottom])
http://www.theregister.co.uk/security/ --News (One of my favorites, stays very up to date)
http://www.wired.com/threatlevel/ --News – Another good general security blog (not so much technically oriented)
http://www.schneier.com/  --Blog “Schneier on Security”
http://googleonlinesecurity.blogspot.com/  --Security Blog (Just saw this one, but seems very good with good information)
http://www.exploit-db.com/ --Current Exploits
http://www.guardian.co.uk/technology/hacking --News (Up-to-date resource)

Classes:

http://pentest.cryptocity.net/ -- Arguably the best free security class on the web. Excellent videos, slides, content, and information. Definitely check it out!
http://www.security-class.org [tentatively unavailable 01/28/2012]- Security class offered for free by Stanford Univ. Starts late March 2012.
https://www.coursera.org/crypto/class - Free Cryptography class offered by Stanford Univ. Started early March.
http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-857-network-and-computer-security-fall-2003/ - Free Network and Computer Security course offered by MIT
http://www.codecademy.com/ - Great resource if you're looking to learn programming

Books:

Hacking: The Art of Exploitation - Great book that teaches low-level exploitation techniques, as well as crucial fundamentals
Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers - Book on using Python for penetration testing tasks
Metasploit: The Penetration Tester's Guide - Book covering the ins and outs of Metasploit. Provides in depth information on usage as well as development
File System Forensic Analysis - Covers forensic techniques for different filesystems. Very thorough and in depth information
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Great book covering techniques for auditing and exploiting web applications
SQL Injection Attacks and Defense - The "SQL Injection Bible". Covers numerous auditing and exploiting techniques using SQL Injection
The Shellcoder's Handbook - Great resource for developing shellcode for use with exploitation 
Real Digital Forensics - Similar to File System Forensic Analysis but with Network forensics and response techniques
Silence on the Wire: A Field Guide to Passive Reconnaissance and Passive Attacks - Interesting book covering fundamentals of fingerprinting and other passive attack techniques 
Social Engineering: The Art of Human Hacking - In depth coverage of social engineering techniques and exploitation
Bejtlich Best Books - Annual lists of best security books read by security professional Richard Bejtlich

Communities:

http://www.reddit.com/r/netsec - Netsec subreddit - always up-to-date with the latest stories in netsec
http://www.reddit.com/r/SocialEngineering - Social Engineering subreddit
http://www.reddit.com/r/computerforensics - Computer Forensics subreddit
http://www.reddit.com/r/ReverseEngineering - Reverse Engineering subreddit
http://www.reddit.com/r/lockpicking/ - Lockpicking subreddit
http://www.criticalsecurity.net/ - Security forum (many of these exist)

Training/Wargames:

http://www.hackthissite.org/ - Challenges to test exploitation skills
http://smashthestack.org/ - Different exploitation challenges
http://www.overthewire.org/wargames/ - Many different wargames teaching a variety of security techniques
https://www.pentesterlab.com/ - Free Penetration Testing exercises geared towards web app exploitation
http://code.google.com/p/dvwa/ - Damn Vulnerable Web App

Tutorials:

https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/ - Corelan Exploit Writing tutorials (i.e., a great and thorough Buffer Overflow tutorial can be found here.)
http://www.offensive-security.com/metasploit-unleashed/Main_Page - Metasploit Unleashed tutorials provide coverage of using Metasploit
http://www.unixwiz.net/techtips/sql-injection.html - Simple SQL Injection Tutorial

Security Conference Whitepapers and Presentations:

http://defcon.org/html/links/dc-archives.html -- Presentations (Years’ worth of whitepapers and video/audio presentations)
http://defcon.org/html/links/dc-tools.html -- Tools released at Defcon
https://www.blackhat.com/html/archives.html --Presentations (Years’ worth of whitepapers and video/audio presentations)
https://www.derbycon.com/videos-2011/ - All videos from the 2011 DerbyCon
http://cansecwest.com/pastevents.html - Slides and content from past CanSecWest conferences
http://www.irongeek.com/i.php?page=videos/derbycon2/mainlist - Derbycon 2012 videos

Existing Vulnerability Research (what we aim to protect against):

http://projects.webappsec.org/w/page/13246978/Threat-Classification -- Seems very similar to the webpage right below – Discusses attack vectors and threats
https://www.owasp.org/index.php/Category:Attack – I’ve been looking at this recently and I enjoyed their analysis of many attack vectors
http://en.wikipedia.org/wiki/Portal:Computer_Security – General Wikipedia portal for all things Computer Security
http://resources.infosecinstitute.com/ --Scroll to the bottom for archives of whitepapers

Multimedia Resources

http://www.securitytube.net/ --The "YouTube of Security" (couldn’t recommend this site highly enough!!)
http://www.grc.com/securitynow.htm -- Incredible Security Podcast (available on iTunes!)
http://www.social-engineer.org/podcast/ --Great social engineering podcast by social-engineer.org

Notable Blogs

Carnal0wnage - Attack and Research blog
http://www.devttys0.com/blog/ - Blog focused on hardware and reverse engineering
Metasploit Blog
SkullSecurity - Blog focused on misc. security topics
TrailofBits Blog - Misc. Security topics
Room362 Blog - Misc. Security topics
Volatility Labs Blog - Focused on malware and memory forensic analysis
Pentest Geek - Misc. Security topics

Other Resources:

http://www.ctftime.org/ - Resource that provides information for ongoing and upcoming CTF events
http://www.social-engineer.org/ --Social Engineering Framework and Blog (Great Resource to learn SE!)
http://safaribooksonline.com/ -- Site full of great resources - requires subscription (provided for free if you're a Tech student - will show you how to access it in the meetings).
Amazon Security Books – Amazon is (IMHO) one of the best places for security books. I’ve bought numerous over the years and have enjoyed the price.
http://www.lockpicking101.com/ -- A great resource (forum) for learning best physical security practices as well as being able to measure physical security deficiencies with standard locks.

For Twitter Users:

http://blogs.csoonline.com/1539/follow_friday_security_pros_to_find_on_twitter_june_3 -- Security Professionals on Twitter that you may want to follow (I’m not a Twitter user, so I haven’t checked any of these out personally.)

Want to Learn Python?

http://www.codecademy.com/tracks/python - Codecademy Python course
http://learnpythonthehardway.org/ - Fantastic book (free to read online) that teaches Python
http://www.diveintopython.net/toc/index.html - Another great book (free to read online) that teaches Python
http://www.learnpython.org/ - Python tutorials (contains in-browser code-editor)

4 comments:

  1. What about MOOCs, do you think they are worth it?

    1. Absolutely! I'm currently taking the "Malicious Software and its Underground Economy: Two Sides to Every Story" via Coursera, and it's great.

      MOOCs are becoming more and more popular, which is good - it's time we open-source high-quality education. Places like Coursera provide fantastic classes at a price I tend to like (free!).

  2. Nice post, very helpful for us. I will
    vulnerability assessment
    penetration testing come back here again & again...:)

  3. Such a nice blogs, communities, or other miscellaneous resources for the IT security course
    Thanks for sharing this nice blog..!!!!
