InfoSec Self Education Resources

Blogs / Websites

  • Hackers for Charity – Donate to Johnny Long’s efforts to build computer classrooms in Uganda.
  • Dark Reading – Nice articles from a variety of angles and writers
  • Iron Geek – Iron Geek makes some great videos and presentations
  • carnal0wnage / attackresearch – The carnal0wnage and Attack Research guys joined forces and produce a great blog
  • Pauldotcom Blog – The Pauldotcom Team makes some good blog posts related to their podcast technical segments and other things that they are currently working on
  • Uncommon Sense Security
  • Social-engineer.org – Recently launched site that is focused on building a Social Engineering resource via community interaction
  • Security Tube – Video aggregation-type site. They have embedded security-related videos from viddler, vimeo, youtube, etc. Some of the videos are talks given at cons, others are training/education type stuff.
  • VMWare – Chose not to have a tools section because there are just too many. But VMWare Server/Player (free) or Workstation (costs $$) are must-have tools for anyone trying to self educate or anyone trying to test things out.
  • VirtualBox – Completely free open-source virtualization tool similar to VMWare. I’ve had compatibility issues with a few Linux distros on it but that’s about it.
  • Metasploit Unleashed – Not really a website, but still a resource that needs to be included. This is the Offensive Security team’s Metasploit training course. The video and PDF portion of the course will be available for a nominal fee sometime after the 3.3 release of Metasploit.
  • Room 362 – Great blog by Rob Fuller aka Mubix
  • SANS Information Security Reading Room – Whitepapers on various InfoSec topics
  • SANS Internet Storm Center – SANS ISC Diary
  • Jeremiah Grossman’s Blog – Must read, he has great weekly “Best of” posts
  • Metasploit Blog – Blogs from the Metasploit team
  • Carlos “Dark 0perator” Perez – Metasploit contributor, great examples of Metasploit uses & scripts
  • Command Line Kung Fu – Increase your CLI skills by learning from Ed Skoudis, Hal Pomeranz, and Paul Asadoorian
  • Saecur Blog – Marcus J Carey posts on security topics and also shares some of the presentation videos from DojoSec
  • Security Twits – Great resource for finding security people, companies, and events on twitter. Also acts as a great way to poll the security community.
  • NIST CSRC – NIST Computer Security Resource Center: contains the NIST publications related to computer security
  • NSA Security Configuration Guidelines
  • OSVDB – Open Source Vulnerability Database
  • VulnerabilityAssessment.co.uk – Nice resource for vuln assessment and pen testing, including a Penetration Testing Framework
  • DataLossDB – Database of Data Lost in Breaches
  • The H Online – Nice security & vuln news site
  • Via mubix (aka Rob Fuller aka Room362.com) – Getting your n00b fill of security
    • The Academy – Kinda like Security Tube, but these videos are all professionally done by Peter Giannoulis and crew, and are on some of the big iron security tools and appliances that you wouldn’t normally be able to get your hands on to play with. This is a great way to beef up your knowledge of a product that your potential employer is running (after you have cyber stalked them: http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers). Or if you just want to find out what that Security guy from the other section installed in your rack.

Books

  • Google Hacking by Johnny Long
  • No Tech Hacking by Johnny Long
  • Open Source Pen Tester’s Toolkit
  • Gray Hat Hacking
  • Counter Hack Reloaded by Ed Skoudis
  • Professional Penetration Testing by Thomas Wilhelm

Conference Materials

  • DEFCON – The DEFCON team holds a great conference every year in Vegas; selected videos and all presentation materials are usually available on their site
  • BlackHat – Hosts multiple conferences per year worldwide. Conference materials and select audio/video are usually available.
  • BruCON – Annual security conference held in Brussels, all video & presentation materials are available via links on their site
  • Security B-Sides – Quoting from their site: “BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants. It is entirely community driven. It is where conversations for the next-big-thing may be happening. We’ve followed the BarCamp format… because it works.” Audio of talks available via RSS or by searching on iTunes.
  • SecTor – Toronto security conference held in Oct 2009, they have quite a few of the videos and presentation materials.

IRC Channels

  • IRC Server: irc.freenode.net
  • #pauldotcom
  • #exoticliability
  • #metasploit
  • #securabit
  • #securityjustice

Live Distributions

  • Backtrack – Awesome live distro that is nearing a V4 release that will support installation and persistent changes (including package updates).
  • FRHACK OS – Newish live pentesting/security distro. Can’t find a website link, only the link to the v1 alpha 1 .iso
  • Damn Vulnerable Linux – Nice live distro made for practicing your penetration testing skills
  • Damn Vulnerable WebApp – Not a live distribution, but it’s a great tool to test your webapp hacking skills and automated testing tools against
  • Mutillidae – Great intentionally vulnerable webapp made by IronGeek that implements the OWASP top 10 vulnerabilities
  • Samurai WTF! – Great live distro with a focus towards web testing made by Kevin Johnson of InGuardians

Mailing Lists

Podcasts

  • Exotic Liability – Great podcast that goes through a wide range of topics and never fails to inform and entertain
  • Pauldotcom Security Weekly – Great podcast that features interviews, technical segments, and discussions about the past week’s security-related stories.
  • Social Media Security – Newish monthly podcast that discusses security-related issues with social networks/media and how to both secure and exploit
  • Securabit – Nice informative podcast run by InfoSec professionals
  • Social-engineer.org Podcast – The recently released social-engineer.org website has started up a monthly podcast. Very young so far, but good content.
  • Risky Business – Patrick Gray hosts this weekly podcast that goes over major news, has a feature interview and a sponsor interview where the sponsor chooses an area to discuss (but not necessarily plug a product).
  • OWASP Security Podcast – Since pretty much everyone has to deal with webapps from either an offense or defense perspective, this podcast is a must listen
  • Network Security Podcast – If you deal with PCI-DSS you should be listening to this
  • CyberSpeak Podcast – Great computer forensics and cybercrime discussion
  • Hak5 – Nice video podcast by Darren, Matt, and Shannon that regularly features guests such as Mubix and Chris Gerling.
  • Security Justice – Great monthly podcast by InfoSec guys from Cleveland where they discuss topics from the Northeast Ohio Information Security Forum
  • GRM N00bs – The podcast for n00bs by n00bs
  • HNNCast – Weekly video podcast that covers recent security topics
  • Scam School – Nice video podcast by Brian Brushwood where he talks about bar tricks, scams, and how to con people. Interesting from a social engineering perspective and also shows handcuff escapes and busting open combination locks and padlocks.

Coursework / Training

Webcasts

  • SANS – Great webcast series that features topics relating to courses they offer and other interesting security topics
  • WhiteHatWorld – Another nice series of webcasts
  • BlackHat – Webcast series from the BlackHat guys