Lecture 17: Security Introduction, Cryptography basics, Web Security and Vulnerabilities, Network Security Tools


Page 1

Lecture 17

Security Introduction

Cryptography basics

Web Security and Vulnerabilities

Network Security Tools

Page 2

What is Network Security?

Network security comprises the measures a company takes to protect its computer system, and it is a prime concern for every company that uses computers.

Compromised network security means a hacker or competitor may gain access to critical or sensitive data, possibly resulting in data loss, or even complete destruction of the system.

Appropriate network security is achieved when a user has to go through several layers of security before being able to access the desired network.

The more layers the system has, the more secure it is.

http://www.wisegeek.com/what-is-network-security.htm

Page 3

Cryptography

Encryption, decryption

Keys, lengths, and harness

Asymmetric key cryptography

Hash functions

Authentication

PKI and key management

Privacy

Page 5

The Public Key Method

We generate a special pair of values (e, d). The plaintext message M is encrypted into the ciphertext message C using modular exponentiation mod n:

C = M^e mod n

We decrypt C back into M by

M = C^d mod n

Before we look at how e and d are generated, it is important to understand what is happening in these two expressions. First of all, modular exponentiation does not involve literally raising a value to a power.

The possible values for C (and M) are between 0 and n-1. Converting the plaintext message, a string of characters, into an integer is fairly straightforward. Once it is in numeric form, modular exponentiation produces a value equal to the remainder after dividing M^e by n.

Page 6

Computing the Key Pair (e, d)

Let's look at how to compute the values of e and d. We start with a pair of values p and q that must be relatively prime (i.e. they have no common factors). These would normally be very large, but for the purposes of this example we will choose

p = 47

q = 71

Now we need to find a value e such that the greatest common divisor of e and the product (p-1)(q-1) is 1, i.e. gcd(e, (p-1)(q-1)) = 1.

Please don't ask why....thanks. The product p*q will be the modulus n.

n = p*q = 3337

and so (p-1)(q-1) = 3220. We will choose e to be 79, since it is obvious that the greatest common divisor of 79 and 3220 is 1.

Page 7

Now we Need a d to go with our e

79*d = 1 mod 3220

First use the regular Euclidean Algorithm to find gcd(79, 3220). The answer must be one; otherwise we can't be sure that a solution exists. So we proceed as follows:

3220 = 40*79 + 60
79 = 1*60 + 19
60 = 3*19 + 3
19 = 6*3 + 1
3 = 3*1 + 0

The last nonzero remainder is the gcd. Thus gcd(79, 3220) = 1 (as expected). Now write this gcd (one) as a linear combination of 79 and 3220 by working back up the tree that we just created:

1 = 19 - 6*3
  = 19 - 6*(60 - 3*19) = 19*19 - 6*60
  = 19*(79 - 60) - 6*60 = 19*79 - 25*60
  = 19*79 - 25*(3220 - 40*79) = 1019*79 - 25*3220

Thus 1019*79 - 25*3220 = 1. Now do "mod 3220" on both sides to obtain:

1019*79 = 1 mod 3220

Thus d = 1019.

So the inverse of 79 mod 3220 is 1019. Another way of saying this is that 79*1019 will be one more than a multiple of 3220.

Page 12

Modular Exponentiation

procedure mod_exp(b: integer, n = (a_{k-1} a_{k-2} ... a_1 a_0)_2, m: positive integer)
    x := 1
    power := b mod m
    for i in 0 .. k-1 loop
        if a_i = 1 then
            x := (x * power) mod m
        end if
        power := (power * power) mod m
    end loop
    return x    {x = b^n mod m}

Example: Find 2^644 mod 645.

644_10 = 1010000100_2

2^644 mod 645 = (2^512 * 2^128 * 2^4) mod 645 = ((2^512 mod 645) * (2^128 mod 645) * (2^4 mod 645)) mod 645 = 1

Page 13

The Euclidean Totient

If p and q are prime, the number of values x in 0 < x < n for which gcd(x, n) = 1 is given by φ(n) = (p-1)(q-1):

φ(n) = φ(pq) = φ(p)φ(q) = (p − 1)(q − 1)

Let's try a really simple example...

p = 3, q = 5

n = 15

so (p-1)(q-1) = (2)(4) = 8.

gcd(1,15) = 1    gcd(8,15) = 1
gcd(2,15) = 1    gcd(9,15) = 3
gcd(3,15) = 3    gcd(10,15) = 5
gcd(4,15) = 1    gcd(11,15) = 1
gcd(5,15) = 5    gcd(12,15) = 3
gcd(6,15) = 3    gcd(13,15) = 1
gcd(7,15) = 1    gcd(14,15) = 1

Eight of the fourteen gcds equal 1, as predicted.

Page 14

Public Key Cryptography

In 1976, Rivest, Shamir and Adleman introduced a public key cryptosystem, known as the RSA system.

C = M^e mod n

Example: Encrypt the message STOP with p = 43 and q = 59, so that n = 43*59 = 2537 and e = 13.

gcd(e, (p-1)(q-1)) = gcd(13, 42*58) = 1.

S T O P  →  18 19 14 15

Grouped into two blocks: M1 = 1819, M2 = 1415.

C = M^13 mod 2537:

1819^13 mod 2537 = 2081

1415^13 mod 2537 = 2182

To decrypt we need d, which is an inverse of e mod (p-1)(q-1):

M = C^d mod 2537

2081^d mod 2537 = 1819

2182^d mod 2537 = 1415
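As an added example in C (not the lecture's own code), the square-and-multiply procedure of page 12, the Euclidean and extended Euclidean algorithms of pages 7 and 13, and the RSA arithmetic of pages 5 and 14, run on the slides' own numbers: d for e = 79 and (p-1)(q-1) = 3220, 2^644 mod 645, the totient of 15 by counting, and the STOP blocks 1819 and 1415 under n = 2537, e = 13. Only 64-bit integer types are assumed; real RSA moduli need a big-integer library.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the lecture's own code: the slides' RSA arithmetic in C
 * with 64-bit integers (enough for the toy moduli used here; real RSA needs
 * a big-integer library). */

/* Square-and-multiply, scanning the exponent's bits from a_0 upward exactly
 * as the page 12 pseudocode does. x collects the factors b^(2^i) for the
 * bits a_i that are 1; every product is reduced mod m, so no intermediate
 * value exceeds m*m and the full power b^n is never formed. */
uint64_t mod_exp(uint64_t b, uint64_t n, uint64_t m)
{
    uint64_t x = 1;
    uint64_t power = b % m;
    while (n > 0) {
        if (n & 1) {                      /* a_i = 1 */
            x = (x * power) % m;
        }
        power = (power * power) % m;      /* b^(2^(i+1)) mod m */
        n >>= 1;
    }
    return x;
}

/* Regular Euclidean algorithm: the last nonzero remainder is the gcd. */
int64_t gcd(int64_t a, int64_t b)
{
    while (b != 0) { int64_t r = a % b; a = b; b = r; }
    return a;
}

/* Extended Euclidean algorithm: returns gcd(a, b) and sets *s, *t so that
 * s*a + t*b = gcd(a, b). This is the slides' "work back up the tree" step,
 * carried along iteratively instead of by back-substitution. */
int64_t ext_gcd(int64_t a, int64_t b, int64_t *s, int64_t *t)
{
    int64_t old_s = 1, cur_s = 0, old_t = 0, cur_t = 1;
    while (b != 0) {
        int64_t q = a / b, r = a - q * b;
        a = b;
        b = r;
        int64_t tmp = old_s - q * cur_s; old_s = cur_s; cur_s = tmp;
        tmp = old_t - q * cur_t;         old_t = cur_t; cur_t = tmp;
    }
    *s = old_s;
    *t = old_t;
    return a;
}

/* Private exponent d = e^-1 mod phi, or -1 if gcd(e, phi) != 1 (no inverse
 * exists, so that e must be rejected rather than used). */
int64_t mod_inverse(int64_t e, int64_t phi)
{
    int64_t s, t;
    if (ext_gcd(e, phi, &s, &t) != 1) {
        return -1;
    }
    return ((s % phi) + phi) % phi;       /* normalise into 0 .. phi-1 */
}

/* The totient by its definition on page 13: count x in 0 < x < n with
 * gcd(x, n) = 1. Only sensible for small n; RSA uses (p-1)(q-1) instead. */
int64_t phi_by_counting(int64_t n)
{
    int64_t count = 0;
    for (int64_t x = 1; x < n; x++) {
        if (gcd(x, n) == 1) count++;
    }
    return count;
}

int main(void)
{
    /* Pages 6-7 (e = 79, phi = 3220) and page 14 (STOP -> 1819 1415, n = 2537, e = 13). */
    int64_t d = mod_inverse(13, 42 * 58);
    uint64_t c1 = mod_exp(1819, 13, 2537);
    printf("d(79, 3220) = %lld\n", (long long)mod_inverse(79, 46 * 70));
    printf("1819^13 mod 2537 = %llu, back: %llu\n", (unsigned long long)c1,
           (unsigned long long)mod_exp(c1, (uint64_t)d, 2537));
    return 0;
}
```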

Page 15

SAFER+ Algorithm Details

Pseudo-Hadamard Transform

Armenian Shuffle: 9 12 13 16 3 2 7 6 11 10 15 14 1 8 5 4

Page 16

Diffie-Hellman Key Exchange

Diffie-Hellman is an algorithmic method for key agreement that allows two hosts to create and share a secret key. VPNs operating on the IPSec standard use the Diffie-Hellman method for key management.

Key management in IPSec begins with the overall framework called the Internet Security Association and Key Management Protocol (ISAKMP). Within that framework is the Internet Key Exchange (IKE) protocol.

IKE relies on yet another protocol known as OAKLEY, and it uses Diffie-Hellman.

http://philipfox.net/dh/dh.html
http://www.sans.org/reading_room/whitepapers/vpns/review-diffie-hellman-algorithm-secure-internet-protocols_751

Page 17

Kerberos

Created by MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After client and server have used Kerberos to prove their identity, they can encrypt all of their communications to assure privacy.

http://www.answers.com/topic/kerberos-protocol-1

When users log in to a Kerberos system, their password is encrypted and sent to the authentication service in the Key Distribution Center (KDC). If successfully authenticated, the KDC creates a master ticket that is sent back to the user's machine. Each time the user wants access to a service, the master ticket is presented to the KDC in order to obtain a service ticket for that service. The master-service ticket method keeps the password more secure by sending it only once, at logon. From then on, service tickets are used; they function like session keys in other security systems.

Page 18

Network & IT Security Threats and Countermeasures

Page 20

BD_ADDR Attacks (Bluetooth Vulnerability)

The BD_ADDR spoofing attack allows an attacker to masquerade as a trusted/paired device and use its credentials to gain access to profiles requiring authorization/authentication in another remote device.

The BD_ADDR spoofing attack can be performed in two ways:

(1) Spoofing the BD_ADDR of a trusted device to access profiles requiring authorization.

(2) Spoofing the BD_ADDR and obtaining the shared secret link key created during the pairing procedure to access profiles requiring authentication.

http://www.seguridadmobile.com/bluetooth/bluetooth-security/BD_ADDR-spoofing.html

Page 21

Bluetooth Device Address (BD_ADDR)

Each Bluetooth device is allocated a unique 48-bit Bluetooth device address (BD_ADDR). This number is obtained by contacting the IEEE to get an OUI that forms 24 bits of the 48-bit address. You can apply for a further OUI when more BD_ADDR values are required.

4.2.1 Authentication

The authentication procedure is based on a challenge-response scheme […]. The verifier sends […] a random number (the challenge) to the claimant. The claimant calculates a response, that is a function of this challenge, the claimant’s BD_ADDR and a secret key. The response is sent back to the verifier, that checks if the response was correct or not. […] A successful calculation of the authentication response requires that two devices share a secret key.

www.bluetooth.org

Page 22

The BD_ADDR Attack

Assume that the attacker eavesdropped on an entire pairing and authentication process, and saved all the messages.

The attacker can now use a brute-force algorithm to find the PIN used.

The attacker enumerates all possible values of the PIN. Knowing IN_RAND and the BD_ADDR, the attacker runs E22 with those inputs and the guessed PIN, and finds a hypothesis for Kinit.

The attacker can now use this hypothesis of the initialization key, to decode messages 2 and 3. Messages 2 and 3 contain enough information to perform the calculation of the link key Kab, giving the attacker a hypothesis of Kab.

The attacker now uses the data in the last 4 messages to test the hypothesis: Using Kab and the transmitted AU_RANDA (message 4), the attacker calculates SRES and compares it to the data of message 5.

If necessary, the attacker can use the value of messages 6 and 7 to re-verify the hypothesis Kab until the correct PIN is found.

Page 23

Sending AT commands to mobile phones

The execution of AT commands is one of the main goals in hypothetical attacks on mobile phones. AT commands are a set of instructions that allow remote configuration and operation of a GSM device such as a mobile phone, rather like a "remote shell". However, not all AT commands are implemented by every manufacturer in their devices:

• Basic operations: voice and data calls, set call divert, manufacturer info, model info, IMEI, battery status, signal status.

• Address book operations: read, add and delete contacts from the address book and also get the last dialed/missed/received calls list.

• SMS operations: list, read, write, send and delete SMS messages.

http://www.brics.dk/~jones/sms/packed/dg_at_r3a.pdf

Page 24

Sending / Getting files from mobile phones

The capability of sending files, and even getting files, is another important goal when it comes to attacks on mobile phones. Bluetooth supports file exchange through the OBEX protocol. Two of the profiles defined by the Bluetooth SIG can be used for this:

Object Push Profile: requires Authorization. This profile allows you to send files.

Page 25

You can use the ussp-push tool, available after installing the ussp-push package in Ubuntu.

Alternatively, you can use Obexftp, available after installing the obexftp package in Ubuntu.

It is important to force it to use the channel associated with the Object Push Profile.

Page 26

File Transfer Profile: requires Authentication and Authorization. Allows you to send files, get files and list directories.

You can use Obexftp to send files. If no channel is specified, it will use the one associated with the File Transfer Profile by default. Finally, you can get files from the phone to the PC.

Page 27

Dictionary (Brute-Force) Password Attacks

A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

Cain and Abel - Password recovery tool for Windows. Recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

John the Ripper - A multi-platform password hash cracker currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.

THC Hydra - A network authentication cracker which supports different services. It can perform rapid dictionary attacks against telnet, ftp, http, https, smb, and several databases.

Aircrack - A suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40- through 512-bit WEP key once enough encrypted packets have been gathered, as well as attack WPA 1 or 2 networks using cryptographic methods or by brute force.

http://sectools.org/crackers.html

Page 28

L0phtcrack - Windows password auditing and recovery application that attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire, and it includes methods for generating password guesses (dictionary, brute force, etc.).

Airsnort - 802.11 WEP Encryption Cracking Tool, a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Similar to Aircrack.

SolarWinds - A suite of network discovery/monitoring/attack tools targeted at systems administrators. Security-related tools include network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, and a set of router config download/upload applications.

Pwdump - A Windows password recovery tool to extract NTLM and LanMan hashes from a Windows target, whether or not Syskey is enabled. It can display password histories if they are available, and output or write to a log file the data in L0phtcrack-compatible form.

RainbowCrack - A hash cracker that makes use of a time-memory trade-off to do all the cracking-time computation in advance and store the results in "rainbow tables". RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.

Brutus - A Windows-only network brute-force authentication cracker. Attacks network services of remote systems trying to guess passwords by using a dictionary with permutations. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, etc.

Page 29

Buffer Overflow Attack

Also known as a stack overflow attack, it works by exploiting a known bug in one of the applications running on a server. It then causes the application to overlay system areas, such as the system stack, thus gaining administrative rights.

#include <string.h>

void function(char *str)
{
    char buffer[16];        /* fixed-size buffer on the stack */
    strcpy(buffer, str);    /* no length check: a longer str overruns buffer */
}

int main(void)
{
    char *str = "XXXXXXXXX... ...XXXXX.... ...XXXXXXXX";   /* input longer than 16 bytes */
    function(str);
    return 0;
}

http://www.thehackerslibrary.com/?p=488
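The hardened counterpart of the slide's function(), added here as an example (not from the lecture): the copy is bounded by the destination size and over-long input is rejected instead of written past the buffer. The 16-byte buffer is the slide's; the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture slides. The slide's function() copies
 * str into a 16-byte stack buffer with strcpy(), which stops only at the
 * terminating NUL of the source: anything past 15 characters is written over
 * whatever follows `buffer` on the stack (saved registers, the return
 * address). The defence is to bound the copy by the destination size and
 * refuse input that does not fit, instead of trusting the caller's length. */

#define BUF_LEN 16   /* same buffer size as the slide */

/* Copy src into dst (capacity dst_len bytes, including the NUL).
 * Returns 0 on success, -1 if src does not fit; dst is left untouched then. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    /* Scan at most dst_len bytes of src; never read past what we could store. */
    while (n < dst_len && src[n] != '\0') {
        n++;
    }
    if (n == dst_len) {
        return -1;               /* no NUL within dst_len bytes: too long */
    }
    memcpy(dst, src, n + 1);     /* n characters plus the terminating NUL */
    return 0;
}

/* Hardened counterpart of the slide's function(): same buffer, bounded copy.
 * Returns the number of characters stored, or -1 when the input was rejected. */
int function_hardened(const char *str)
{
    char buffer[BUF_LEN];
    if (bounded_copy(buffer, sizeof buffer, str) != 0) {
        return -1;
    }
    return (int)strlen(buffer);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed. */
    const char *short_input = "hello";
    const char *long_input  = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    printf("short: %d\n", function_hardened(short_input));  /* 5 */
    printf("long:  %d\n", function_hardened(long_input));   /* -1, rejected */
    return 0;
}
```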

Page 30

Cache Cramming

The technique of tricking a browser into running cached Java code from the local disk, instead of from the internet zone, so that it runs with less restrictive permissions.

The Java Security Manager usually disallows port-scanning behavior, but crackers use the trick of placing Java code (e.g. a port scanner) into the browser's cache (only works with MS Explorer) and later executing it through a file: URL (using frames in the usual way). This attack works because Microsoft's cache layout is transparent.

http://www.securingjava.com/chapter-five/chapter-five-13.html

Page 31

Cache Poisoning

Malicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks.

http://courses.csail.mit.edu/6.857/2010/

see also DNS Bug, DNS Spoofing

Page 32

Denial of Service Attack

A user or program takes up all the system resources by launching a multitude of requests, leaving no resources and thereby "denying" service to other users. Typically, denial-of-service attacks are aimed at bandwidth control. (See Flooding Attack.)

Detecting DDoS attacks

Simply blocking the attacker does not work, because there are too many zombies, and to recognize them you usually have to receive and decrypt the incoming packets.

Tupakula and Varadharajan suggest a Packet Marking Technique that reduces the number of packets needed to tag, identify and block suspicious requests to as few as a single packet.

http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group2/index.html

Page 33

Easter Egg

Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and are intended to be non-threatening.

http://www.pocket-lint.com/news/9889/google-earth-flight-sim-game

Hidden inside Google Earth is a secret flight simulator game that uses Google's satellite imagery. To get to the game, you need to open Google Earth and hit Cmd+Option+A (capital A), or Ctrl+Alt+A if you're using a Windows machine.

Page 34

Emanations Analysis

Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.

https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr200810sf2.html

Page 35

TEMPEST

Eavesdropping on PC displays.

Information on a PC screen can be remotely reconstructed exactly as it appeared on the display by monitoring and appropriately demodulating the weak emanations generated by the PC and its peripheral equipment.

Such an eavesdropping technique had been researched by some military organizations since around 1960, but most of the results were classified and not disclosed to the public.

It came to public attention in 1985 when Wim van Eck pointed out that information on a cathode ray tube display can easily be reconstructed.

Since his work, research on information leakage of this kind has been conducted by many organizations.

The National Security Agency (NSA) in the USA refers to this type of threat by the covername TEMPEST, and this term is now in general use.

Page 36

Fragment Overlap Attack

A TCP/IP attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains an incorrect offset. When the packet is reconstructed, the port number will be overwritten.

http://baishui.info/orelly/networking_2ndEd/fire/ch04_02.htm

An attacker can construct a packet with acceptable headers in the first fragment but then overlap the next fragment so that it also has headers in it.

Since packet filters don't expect TCP headers in non-first fragments, they won't filter on them, and the headers don't need to be acceptable.

The figure on the right shows examples of overlapped fragments.

Page 37

Honey pot

Programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports, including the attacker's keystrokes. This could give you advance warning of a more concerted attack.

http://stankiewicz.free.fr/Wikka/wikka.php?wakka=HowtoHoneypot

A Honeypot allows you to capture and analyze suspect activities. For example, assume you have an ADSL connection, with only one public IP address. The ISP modem is configured to perform a network address translation (NAT) on all incoming packets (destination: public IP address) to the private honeypot address.

The Honeywall is connected to the Vmnet0 interface which is bridged to the eth0 device. It is also connected to the Vmnet1 interface like the honeypot. This configuration allows us to have an independent network between the two virtual OS's. Vmnet2 is a host-only interface used for the Honeywall administration.

Note that the Wifi connection is outside the Honeywall.

Page 39

Protocol Attacks

When the characteristics of network services are exploited by the attacker. Examples include the creation of infinite protocol loops which result in denial of service (e.g., echo packets under IP), the use of information packets under the Network News Transfer Protocol to map out a remote site, and use of the Source Quench protocol element to reduce traffic rates through select network paths. (A type of DoS attack.)

IRPAS (Internet Routing Protocol Attack Suite)

itrace - traceroute(1) by ICMP echo request

tctrace - traceroute(1) by TCP SYN packets

netenum - enumeration/ping-sweep tool

netmask - ICMP netmask request

protos - IP protocol scanner

hsrp - HSRP takeover tool

cdp - for sending CDP (Cisco router Discovery Protocol) messages to the wire.

igrp - for sending Interior Gateway Routing Protocol messages.

irdp - for sending ICMP router discovery protocol messages.

irdpresponder - waits for IRDP requests and sends out response packets to fool clients.

ass - Autonomous System Scanner, a TCP port scanner that knows more than one protocol.

file2cable - sends out raw ethernet frames from files.

http://www.ferzip.com/?p=286
http://www.phenoelit-us.org/irpas/

Page 40

Tiny Fragment Attack

With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter.

This attack can be used to circumvent user-defined filtering rules. The attacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass.

This attack can be prevented at the router by enforcing rules that govern the minimum size of the first fragment. This first fragment should be made large enough to ensure it contains all the necessary header information.

http://www.ouah.org/fragma.html
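The router-side checks described on this page and on page 36, written out as an added example in C (not code from the lecture or its cited sources): a minimum size for the first fragment, and rejection of any fragment that overlaps bytes already delivered. The 20-byte minimum, the struct, the enum and the constructed sample datagrams are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the lecture or the sources it cites: the checks a
 * filtering router's reassembly step can apply against the two fragmentation
 * attacks on pages 36 and 40.
 *  - Tiny fragment (page 40): the first fragment is too short to carry the
 *    TCP header fields the rules match on, so the rules cannot see them.
 *  - Fragment overlap (page 36): a later fragment's offset points back into
 *    bytes the first fragment already delivered, so reassembly would rewrite
 *    the header the filter approved (e.g. the port number).
 * Offsets and lengths are bytes of IP payload; real IP fragment offsets come
 * in 8-byte units, and the 20-byte minimum is this example's policy choice. */

#define MIN_FIRST_FRAGMENT 20   /* a full minimal TCP header must be in fragment 0 */

typedef struct {
    uint32_t offset;   /* byte offset of this fragment's data within the datagram */
    uint32_t length;   /* payload bytes carried by this fragment */
} fragment;

typedef enum { FRAG_OK, FRAG_NO_FIRST, FRAG_TINY_FIRST, FRAG_OVERLAP } frag_verdict;

/* Fragments in arrival order (not necessarily sorted). Returns the first
 * violation found; a datagram that is not FRAG_OK should be dropped whole. */
frag_verdict check_fragments(const fragment *frags, size_t count)
{
    bool have_first = false;
    for (size_t i = 0; i < count; i++) {
        if (frags[i].offset == 0) {
            have_first = true;
            if (frags[i].length < MIN_FIRST_FRAGMENT) {
                return FRAG_TINY_FIRST;   /* header fields pushed into fragment 2 */
            }
        }
    }
    if (!have_first) {
        return FRAG_NO_FIRST;             /* nothing to match the rules against */
    }
    /* Pairwise overlap test: [a_start, a_end) and [b_start, b_end) intersect
     * when each starts before the other ends. n is tiny per datagram. */
    for (size_t i = 0; i < count; i++) {
        uint32_t a_start = frags[i].offset, a_end = a_start + frags[i].length;
        for (size_t j = i + 1; j < count; j++) {
            uint32_t b_start = frags[j].offset, b_end = b_start + frags[j].length;
            if (a_start < b_end && b_start < a_end) {
                return FRAG_OVERLAP;
            }
        }
    }
    return FRAG_OK;
}

/* Constructed sample datagrams (not captured traffic), one per scenario. */
frag_verdict sample_verdict(int scenario)
{
    static const fragment benign[]  = { {0, 40}, {40, 40}, {80, 20} };
    static const fragment tiny[]    = { {0, 8}, {8, 92} };             /* TCP flags land in fragment 2 */
    static const fragment overlap[] = { {0, 40}, {16, 40}, {80, 20} }; /* 2nd rewrites bytes 16..39 */
    switch (scenario) {
    case 0: return check_fragments(benign, 3);
    case 1: return check_fragments(tiny, 2);
    case 2: return check_fragments(overlap, 3);
    default: return check_fragments(NULL, 0);
    }
}

int main(void)
{
    static const char *names[] = { "OK", "NO_FIRST", "TINY_FIRST", "OVERLAP" };
    for (int s = 0; s < 3; s++) {
        printf("scenario %d: %s\n", s, names[sample_verdict(s)]);
    }
    return 0;
}
```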

Page 41

Web Bug

Tiny images, invisible to a user, placed on web sites in such a way that they allow third parties to track use of web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and web browser cookie.

http://w2.eff.org/Privacy/Marketing/web_bug.html

Example: two Web Bugs found on Quicken's home page, www.quicken.com

<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>

<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">

What Information is returned by a Web Bug?

The IP address of the computer that fetched the Web Bug

The URL of the page that the Web Bug is located on

The URL of the Web Bug image

The time the Web Bug was viewed

The type of browser that fetched the Web Bug image

A previously set cookie value

Page 42

Terminology & Information Sources

http://www.ssimail.com/Glossary.htm

http://www.sans.org/security-resources/glossary.php

http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

http://csrc.nist.gov/publications/

http://www.itl.nist.gov/fipspubs/

http://www.itl.nist.gov/fipspubs/by-num.htm

http://www.symantec.com/business/security_response/threatexplorer/

http://glossary.spamlaws.com/