
Annex 5. Print Resources

There have been a great many books, magazines and papers published on security in the last few years, reflecting the growing concern with the topic. Trying to keep up with even a subset of this information can be quite a chore, whether you wish to stay current as a researcher or as a practitioner. Here, we have collected information about several useful references that you can use as a starting point for more information, further depth, and additional assistance.

We have tried to confine the list to a small set of accessible and especially valuable references that you will not have difficulty finding. We have left in a few of the references for historical interest as much as for any other reason. We’ve provided annotations where we think they will be helpful.

If you are interested in building your security bookshelf, we advise you to visit a bookstore, see the booksellers at a security conference, or read the reviews of books in security-related venues. The field is moving quickly. Just as you keep up with bugs and patches, it is important to maintain your currency with the literature!

UNIX Security References

These books focus on UNIX computer security.

Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix and Internet Security, 3rd Edition. Cambridge, MA: O’Reilly and Associates, Inc., 2003.

Grampp, F. T., and R. H. Morris. “UNIX Operating System Security,” AT&T Bell Laboratories Technical Journal, October 1984. This is the original article on UNIX security and remains worth reading.

Wood, Patrick H., and Stephen G. Kochan. UNIX System Security. Carmel, IN: Hayden Books, 1986. A good treatment of UNIX System V security prior to the incorporation of TCP/IP networking. This book is of mainly historical interest.

Windows Security References

Norberg, Stefan. Securing Windows NT/2000 Servers for the Internet: A Checklist for System Administrators. Cambridge, MA: O’Reilly and Associates, 2002. An excellent hardening guide for Windows NT-based systems that will be used to provide Internet services.

Anderson-Redick, Stacey. Windows System Policy Editor. Sebastopol, CA: O’Reilly and Associates, 2000.

Other Security References

The following books and articles are of general interest to all practitioners of computer security.

Computer Crime and Law

Freedman, David H., and Charles C. Mann. @Large. NYC, NY, 1997. A story about a huge computer crime spree caused entirely by two people. This incident spawned the FBI Computer Crime Squad, some FIRST teams, and the writing of the Tripwire tool at Purdue.

Icove, David, Karl Seger, and William VonStorch. Computer Crime: A Crimefighter’s Handbook. Sebastopol, CA: O’Reilly & Associates, 1995. A popular rewrite of an FBI training manual; dated, but with some worthy material.

Power, Richard. Tangled Web. Indianapolis, IN: Que, 2002. A collection of stories of cybercrime and investigation. Cites a number of statistics to give a snapshot of the problem.

Computer-Related Risks

Leveson, Nancy G. Safeware: System Safety and Computers. A Guide to Preventing Accidents and Losses Caused by Technology. Reading, MA: Addison Wesley, 1995. This textbook contains a comprehensive exploration of the dangers of computer systems, and explores ways in which software can be made more fault tolerant and safety conscious.

Neumann, Peter G. Computer Related Risks. Reading, MA: Addison-Wesley, 1995. Dr. Neumann moderates the Internet RISKS mailing list. This book is a collection of the most important stories passed over the mailing list since its creation.

Computer Viruses and Programmed Threats

Communications of the ACM, Volume 32, Number 6, June 1989 (the entire issue). This whole issue was devoted to issues surrounding the Internet Worm incident.

Ferbrache, David. The Pathology of Computer Viruses. London, England: Springer-Verlag, 1992. This was probably the best all-around book on the technical aspects of computer viruses, although it doesn’t cover macro viruses.

Denning, Peter J. Computers Under Attack: Intruders, Worms and Viruses. Reading, MA: ACM Press/Addison-Wesley, 1990. A comprehensive collection of readings related to these topics, including reprints of many classic articles. Historical interest.

Hoffman, Lance J. Rogue Programs: Viruses, Worms and Trojan Horses. New York, NY: Van Nostrand Reinhold, 1990. A comprehensive collection of readings on viruses, worms, and the like. More historical interest.

The Virus Bulletin. Virus Bulletin CTD. Oxon, England. An international publication on computer virus prevention and removal. This is an outstanding publication about computer viruses and virus prevention. It is likely to be of value only to sites with a significant PC population, however. The publication also sponsors conferences that have good papers on viruses. http://www.virusbtn.com.

Cryptography Books

Denning, Dorothy E. R. Cryptography and Data Security. Reading, MA: Addison-Wesley, 1983. The classic textbook in the field. Now out of print but worth having.

Garfinkel, Simson. PGP: Pretty Good Privacy. Sebastopol, CA: O’Reilly & Associates, 1994. Describes the history of cryptography and the history of the program PGP, and explains PGP’s use.

Hinsley, F.H., and Alan Stripp. Code Breakers: The Inside Story of Bletchley Park. Oxford, England: Oxford University Press, 1993.

Hoffman, Lance J. Building in Big Brother: The Cryptographic Policy Debate. New York, NY: Springer-Verlag, 1995. An interesting collection of papers and articles about the Clipper Chip, Digital Telephony legislation, and public policy on encryption. Of some historical interest.

Kahn, David. The Codebreakers. New York, NY: Macmillan Company, 1972. The definitive history of cryptography prior to the invention of public key.

Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Second edition. New York, NY: John Wiley & Sons, 1996. The most comprehensive, unclassified book about computer encryption and data-privacy techniques ever published.

Singh, Simon. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. NY: Anchor Books, 2000. A very readable and up-to-date treatment of the history and principles of cryptography.

Wayner, Peter. Disappearing Cryptography. Boston, MA: Academic Press, 1996. Good coverage of steganography.

Cryptography Papers and Other Publications

Association for Computing Machinery. “Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy.” Report of a Special Panel of the ACM U.S. Public Policy Committee. USACM, June 1994. (URL: http://info.acm.org/reports/acm_crypto_study.html)

Diffie, Whitfield. “The First Ten Years of Public-Key Cryptography.” Proceedings of the IEEE 76 (1988): 560–76. Whitfield Diffie’s tour-de-force history of public key cryptography, with revealing commentaries.

Diffie, Whitfield, and M.E. Hellman. “New Directions in Cryptography.” IEEE Transactions on Information Theory IT-22 (1976). The article that introduced the concept of public key cryptography.

Lai, Xuejia. “On the Design and Security of Block Ciphers.” ETH Series in Information Processing 1 (1992). The article describing the IDEA cipher.

LaMacchia, Brian A., and Andrew M. Odlyzko. “Computation of Discrete Logarithms in Prime Fields.” Designs, Codes, and Cryptography (1991): 46–62.

Lenstra, A.K., H. W. Lenstra, Jr., M.S. Manasse, and J.M. Pollard. “The Number Field Sieve.” Proceedings of the 22nd ACM Symposium on the Theory of Computing. Baltimore MD: ACM Press, 1990, 564–72.

Merkle, Ralph. “Secure Communication Over Insecure Channels.” Communications of the ACM 21 (1978): 294–99 (submitted in 1975). The article that should have introduced the concept of public key cryptography.

Merkle, Ralph, and Martin E. Hellman. “On the Security of Multiple Encryption.” Communications of the ACM 24 (1981): 465–67.

Merkle, Ralph, and Martin E. Hellman. “Hiding Information and Signatures in Trap Door Knapsacks.” IEEE Transactions on Information Theory 24 (1978): 525–30.

Rivest, Ron, A. Shamir, and L. Adleman. “A Method for Obtaining Digital Signatures and Public Key Cryptosystems.” Communications of the ACM 21 (1978).

General Computer Security

Amoroso, Edward. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice-Hall, 1994. A very readable and complete introduction to computer security at the level of a college text.

Anderson, Ross. Security Engineering. NYC, NY: John Wiley & Sons, 2001. A comprehensive book on end-to-end system design with security in mind.

Bace, Rebecca. Intrusion Detection. Indianapolis, IN: Macmillan, 2000. An excellent book on the history and structure of intrusion detection systems for hosts and networks.

Computers & Security. This is a journal published eight times each year by Elsevier Press, Oxford, England. (Order from Elsevier Press, +44-(0) 865-512242.) It is one of the main journals in the field. This journal is priced for institutional subscriptions, not individuals. Each issue contains pointers to dozens of other publications and organizations that might be of interest, as well as referenced articles, practicums, and correspondence. The URL for the WWW page is included in “Security Periodicals.”

Gasser, Morrie. Building a Secure Computer System. New York, NY: Van Nostrand Reinhold, 1988. A solid introduction to issues of secure system design. Most of the principles still aren’t followed in modern systems (unfortunately).

Gollmann, Dieter. Computer Security. Chichester, UK: John Wiley & Sons, 1999. A good survey textbook, widely used in academic settings.

Hunt, A. E., S. Bosworth, and D. B. Hoyt, eds. Computer Security Handbook, 3rd edition. New York, NY: Wiley, 1995. A massive and thorough collection of essays on all aspects of computer security.

Pfleeger, Charles P., and Shari Lawrence Pfleeger. Security in Computing. Englewood Cliffs, NJ: Prentice-Hall, 3rd edition, 2002. Another good introduction to computer security.

Russell, Deborah, and G. T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O’Reilly & Associates, 1991. An excellent introduction to many areas of computer security and a summary of government security requirements and issues.

Schneier, B. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000.

Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM, Volume 27, Number 8, August (1984). This is a “must-read” for anyone seeking to understand the limits of computer security and trust.

Viega, John, and Gary McGraw. Building Secure Software. Indianapolis, IN: Pearson/Addison-Wesley, 2002. An excellent book about how to code secure software, and the pitfalls of haphazard coding and deployment.

Wood, Charles Cresson, et al. Computer Security: A Comprehensive Controls Checklist. New York, NY: John Wiley & Sons, 1987. Contains many comprehensive and detailed checklists for assessing the state of your own computer security and operations. Out of print, but a valuable reference if you can find one used.

Network Technology and Security

Cheswick, Bill, Steve Bellovin, and Aviel Rubin. Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition. Reading, MA: Addison-Wesley, 2003. The second edition of the classic book on firewalls. This book will teach you almost everything you need to know about how firewalls work. The first edition text is largely available online for free, as well, at http://www.wilyhacker.com/1e/

Chapman, D. Brent, and Elizabeth D. Zwicky. Building Internet Firewalls. Sebastopol, CA: O’Reilly & Associates, 2nd edition, 2000. A great how-to book that describes in clear detail how to build your own firewall.

Comer, Douglas E. Internetworking with TCP/IP. 3rd Edition. Englewood Cliffs, NJ: Prentice Hall, 4th edition, 2000. A complete, readable reference that describes how TCP/IP networking works, including information on protocols, tuning, and applications.

Garfinkel, Simson. Web Security, Privacy, and Commerce, 2nd Edition. Cambridge, MA: O’Reilly and Associates, Inc. 2002.

Garman, Jason. Kerberos – The Definitive Guide. Cambridge, MA: O’Reilly and Associates, Inc, 2003. Provides full coverage of Kerberos in Windows 2000 and Unix environments.

Hunt, Craig. TCP/IP Network Administration. Sebastopol, CA: O’Reilly & Associates, 3rd edition, 2002. This book is an excellent system administrator’s overview of TCP/IP networking (with a focus on UNIX systems), and a very useful reference to major UNIX networking services and tools such as BIND and sendmail.

Kaufman, Charles, Radia Perlman, and Mike Speciner. Network Security: Private Communications in a Public World. Englewood Cliffs, NJ: Prentice-Hall, 2nd edition, 2002.

Stallings, William. Cryptography and Network Security: Principles and Practices. Englewood Cliffs, NJ: Prentice Hall, 2003. A good introductory textbook.

Security Products and Services Information

Computer Security Buyer’s Guide. Computer Security Institute, San Francisco, CA. (Order from CSI, 415-905-2626.) Contains a comprehensive list of computer security hardware devices and software systems that are commercially available. The guide is free with membership in the Institute. The URL is at http://www.gocsi.com.

Understanding the Computer Security “Culture”

All of these describe views of the future and computer networks that are much discussed (and emulated) by system crackers.

Brunner, John. Shockwave Rider. New York, NY: A Del Ray Book, published by Ballantine, 1975. One of the first descriptions of a computer worm.

Dreyfus, Suelette. Underground. Australia: Reed Books, 1997. A book about the exploits of several Australian hackers relatively early on. Some of the story is incorrect, however, as the author failed to contact all parties to verify the facts.

Gibson, William. Burning Chrome, Neuromancer, Count Zero, Mona Lisa Overdrive, Virtual Light, Idoru, All Tomorrow’s Parties. New York, NY: Bantam Books. Cyberpunk books by the science fiction author who coined the term “cyberspace.”

Hafner, Katie, and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York, NY: Simon and Schuster, 1991. Tells the stories of three hackers: Kevin Mitnick, Pengo, and Robert T. Morris.

Levy, Steven. Hackers: Heroes of the Computer Revolution. New York, NY: Dell Books, 1984. One of the original publications describing the “hacker ethic.”

Littman, Jonathan. The Fugitive Game: Online with Kevin Mitnick. Boston, MA: Little, Brown, 1996. A year prior to his capture in 1995, Jonathan Littman had extensive telephone conversations with Kevin Mitnick and learned what it is like to be a computer hacker on the run. This is the story.

Shimomura, Tsutomu, with John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw—By the Man Who Did It. New York, NY: Hyperion, 1995. On Christmas Day, 1994, an attacker broke into Tsutomu Shimomura’s computer. A few weeks later, Shimomura was asked to help out with a series of break-ins at two major Internet service providers in the San Francisco area. Eventually, the trail led to North Carolina, where Shimomura participated in the tracking and capture of Kevin Mitnick. This is the story, written by Shimomura and Markoff. Markoff is the journalist with The New York Times who covered the capture.

Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. This book is available in several places on the WWW; http://www-swiss.ai.mit.edu/~bal/sterling/contents.html is one location; other locations can be found in the COAST hot-list.

Stoll, Cliff. The Cuckoo’s Egg. Garden City, NY: Doubleday, 1989. An amusing and gripping account of tracing a computer intruder through the networks. The intruder was later found to be working for the KGB and trying to steal sensitive information from U.S. systems.

Varley, John. “Press Enter.” Reprinted in several collections of science fiction, including Blue Champagne, Ace Books, 1986; Isaac Asimov’s Science Fiction Magazine, 1984; and Tor SF Doubles, October, Tor Books, 1990.

Vinge, Vernor. True Names and Other Dangers. New York, NY: Baen, distributed by Simon & Schuster, 1987.

UNIX System Administration

Albitz, Paul and Cricket Liu. DNS and BIND. Sebastopol, CA: O’Reilly & Associates, 4th edition, 2001. An excellent reference for setting up DNS nameservers.

Bolsky, Morris I., and David G. Korn. The New Kornshell Command and Programming Language. Englewood Cliffs, NJ: Prentice-Hall, 2nd edition, 1995. This is a complete tutorial and reference to the ksh—the only shell some of us use when given the choice, and the inspiration for the POSIX shell standard used by bash and others.

Kernighan, Brian, Dennis Ritchie and Rob Pike. The UNIX Programming Environment. Englewood Cliffs, NJ: Prentice-Hall, 1984. A nice guide to the UNIX philosophy and how to build shell scripts and command environments under UNIX.

Nemeth, Evi, Garth Snyder, Scott Seebass, and Trent R. Hein. UNIX System Administration Handbook. 3rd Edition. Englewood Cliffs, NJ: Prentice-Hall, 2000. An excellent reference on the various ins and outs of running a UNIX system. This book includes information on system configuration, adding and deleting users, running accounting, performing backups, configuring networks, running sendmail, and much more. Highly recommended.

Welsh, Matt, Kaufman, Lar, Dalheimer, Matthias K., and Dawson, Terry. Running Linux (4th edition). Sebastopol, CA: O’Reilly & Associates, 2002.

Wall, Larry, Christiansen, Tom, and Orwant, Jon. Programming Perl (3rd edition). Sebastopol, CA: O’Reilly & Associates, 2000. The definitive reference to the Perl scripting language. A must for anyone who does much shell, awk, or sed programming or would like to quickly write some applications in UNIX.

Windows System Administration

O’Reilly and Associates has a series of helpful books on Windows system administration, including Windows NT TCP/IP Network Administration (Craig Hunt and Robert Bruce Thompson, 1998), Managing the Windows 2000 Registry (Robichaux, 2000), DHCP for Windows 2000 (Neall Alcott, 2001), DNS on Windows 2000, 2nd Edition (Matt Larson and Cricket Liu, 2001), Windows 2000 Administration in a Nutshell (Mitch Tulloch, 2001), and Windows Server 2003 in a Nutshell (Mitch Tulloch, 2003).

Security Periodicals

Computer Audit Update
Computer Fraud & Security Update
Computer Law & Security Report
Computers & Security
Elsevier Advanced Technology
Crown House, Linton Rd.
Barking, Essex I611 8JU
England
Voice: +44-81-5945942
Fax: +44-81-5945942
Telex: 896950 APPSCI G
North American Distributor:
P.O. Box 882
New York, NY 10159
Voice: +1-212-989-5800
http://www.elsevier.nl/catalogue/

Computer Security Alert
Computer Security Journal
Computer Security Buyers Guide
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
Voice: +1-415-905-2626
http://www.gocsi.com

Disaster Recovery Journal
PO Box 510110
St. Louis, MO 63151
+1 314-894-0276
http://www.drj.com

InfoSecurity News
West Coast Publishing, Inc.
161 Worcester Road, Suite 201
Framingham, MA 01701
http://www.scmagazine.com

Information Security
85 Astor Ave, Suite 2
Norwood, MA 02062
http://www.infosecuritymag.com

 
 


Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
