Where can I get more information?

Books:
[Kochan & Wood]
Unix System Security
A little dated for modern matters, but still a very good book on the basics of Unix security.

[Spafford & Garfinkel]
Practical Unix Security
This wonderful book is a worthy successor to the above, and covers a wide variety of the topics which the Unix (and some non-Unix) system manager of the 90s will come across.

Appendix E contains an extensive bibliography with even more pointers to security books than this FAQ contains.

[Stoll]
The Cuckoo's Egg
A real-life 1980s thriller detailing the tracing of a cracker from Berkeley across the USA and over the Atlantic to Germany. An excellent view from all points: a good read, informative about security, funny, and a good illustration of the cracker psyche. Contains an excellent recipe for chocolate chip cookies.

A videotape of the "NOVA" (PBS's Science Program on TV) episode that explained/reenacted this story is available from PBS Home Video. They have a toll-free 800 number within North America.

I believe that this program was aired on the BBC's "HORIZON" program, and thus will be available from BBC Enterprises, but I haven't checked this out yet - AEM

[Raymond] (Ed.)
The New Hacker's Dictionary/Online Jargon File
A mish-mash of history and dictionary definitions which explains why it is so wonderful to be a hacker, and why those crackers who aren't hackers want to be called "hackers". The Jargon File version is available online - check an archie database for details. Latest revision: 2.99.

[Gasser]
Building a Secure Computer System.
By Morrie Gasser, published by Van Nostrand Reinhold; explains what is required to build a secure computer system.

[Rainbow Series]
(Especially the "Orange Book")
The "Rainbow Series" consists of about 25 volumes. Some of the more interesting ones are:

A (possibly) complete list is:

You can get your own copy (free) of any or all of the books by writing or calling:

	INFOSEC Awareness Office
	National Computer Security Centre
	9800 Savage Road
	Fort George G. Meade, MD  20755-6000
	Tel +1 301 766-8729
If you ask to be put on the mailing list, you'll get a copy of each new book as it comes out (typically a couple a year).

I was told that this offer is only valid for US citizens ("We only send this stuff to a US postal address"). Non-US people have to PAY to get hold of these documents. They can be ordered from NTIS, the National Technical Information Service:

	NTIS,
	5285 Port Royal Rd,
	Springfield VA 22151,
	USA
	order dept phone: +1-703-487-4650, fax +1-703-321-8547
The ITSEC (Information Technology Security Evaluation Criteria) is a harmonized document developed by the British, German, French, and Netherlands governments. It separates functional and assurance requirements, and has many other differences from the TCSEC.

You can get your copy (again, free/gratis) by writing:

	Commission of the European Communities
	Directorate XIII/F
	SOG-IS Secretariat
	Rue de la Loi 200
	B-1049 BRUSSELS
	Belgium
Also note that NCSC periodically publish an "Evaluated Products List" which is the definitive statement of which products have been approved at what TCSEC level under which TCSEC interpretations. This is useful for separating the output of marketdroids from the truth.

Papers:
[Morris & Thompson]
Password Security, A Case History
A wonderful paper, first published in CACM in 1974, which is now often to be found in the Unix Programmer Docs supplied with many systems.

[Curry]
Improving the Security of your Unix System.
A marvellous paper detailing the basic security considerations every Unix systems manager should know. Available as "security-doc.tar.Z" from FTP sites (check an Archie database for your nearest site).

[Klein]
Foiling the Cracker: A Survey of, and Improvements to, Password Security.
A thorough and reasoned analysis of password cracking trends, and the reasoning behind techniques of password cracking. Your nearest copy should be easily found via Archie, searching for the keyword "Foiling".

[Cheswick]
The Design of a Secure Internet Gateway.
Great stuff. It's research.att.com:/dist/Secure_Internet_Gateway.ps

[Cheswick]
An Evening With Berferd: in which a Cracker is Lured, Endured and Studied.
Funny and very readable, somewhat in the style of [Stoll] but more condensed. research.att.com:/dist/berferd.ps

[Bellovin89]
Security Problems in the TCP/IP Protocol Suite.
A description of security problems in many of the protocols widely used in the Internet. Not all of the discussed protocols are official Internet Protocols (i.e. blessed by the IAB), but all are widely used. The paper originally appeared in ACM Computer Communications Review, Vol 19, No 2, April 1989.

[Bellovin91]
Limitations of the Kerberos Authentication System
A discussion of the limitations and weaknesses of the Kerberos Authentication System. Specific problems and solutions are presented. Very worthwhile reading. Available on research.att.com via anonymous ftp; it originally appeared in ACM Computer Communications Review, but the revised version (identical to the online version, I think) appeared in the Winter 1991 USENIX Conference Proceedings.

[Muffett]
Crack documentation.
The information which accompanies Crack contains a whimsical explanation of password cracking techniques and the optimisation thereof, as well as an incredibly long and silly diatribe on how to not choose a crackable password. A good read for anyone who needs convincing that password cracking is really easy.

[Farmer]
COPS
Read the documentation provided with COPS. Lots of hints and philosophy. The where, why and how behind the piece of security software that started it all.

[CERT]
maillists/advisories/clippings
CERT maintains archives of useful bits of information that it gets from USENET and other sources, as well as archives of all the security "advisories" that it has posted (i.e. little messages warning people that there is a hole in their operating system, and where to get a fix).

[OpenSystemsSecurity]
A notorious (but apparently quite good) document, which has been dogged by being in a weird PostScript format. I've received many replies to my posting about Arto Karila's paper, including the news (that I and many others have missed) that a manageable PostScript file and text file are available via anonymous ftp from ajk.tele.fi (131.177.5.20) in the directory PublicDocuments.

These are all available for FTP browsing from "cert.sei.cmu.edu".

[RFC-1244]
Site Security Handbook
RFC-1244: JP Holbrook & JK Reynolds (Eds.), "The Site Security Handbook", covering incident handling and prevention. July 1991; 101 pages (Format: TXT=259129 bytes); also called "FYI 8".

[USENET]