White Hat Web Sites - Watchguard Firebox X5500E Reference Manual

The Register
This is not the first place you'll learn of emerging threats, but when you hear of one, depend on
The Reg for the most honest, no-hype summary of the issue. Pro: Plain-English writing style is
great for IT beginners. Check out their "BOFH" series for hilariously bleak parodies of a network
administrator's life. Con: Their scathing anti-Microsoft bias can get heavy-handed. Net: If you
have to explain a new vulnerability to non-technical superiors, you'll appreciate The Register's
style.
Secunia
Pro: This list notifies on every vulnerability under the sun. Con: Secunia mostly reproduces
vendor releases, without analysis or suggested remediation for IT beginners. And did I mention
they report on everything under the sun? If you don't know Linux/Unix, you won't understand a
lot of the bulletins. Net: High volume, but all on topic (unlike FullDisclosure). Try it to see if it's for
you.

White Hat Web Sites

American cinema of the 1930s, 40s, and early 50s, with their endless stream of big-city gangsters and
singing cowboys, popularized the metaphorical idea that "good guys" wear white hats and "bad guys"
reliably identify themselves by wearing black hats. Extending the tradition today, "white hat" computer
security researchers find security holes in commercial software, but instead of telling everyone, they
first inform the manufacturer of the flaw. Then they cooperate with the manufacturer in getting the
flaw fixed before announcing their discovery to the public. We appreciate the efforts of these good
guys.
Crypto-Gram
Bruce Schneier has two gifts you rarely see in one person: he is a bona fide cryptographic expert,
and he can write in clear English. This free e-newsletter is not an alert service. Rather, Schneier's
insights on security issues will, over time, teach you how to think about security in general; for
example, how to assess whether a "cure" costs more than the risk it addresses, and how to resist
falling for a great-sounding plan that doesn't actually provide added security.
Insecure.org
Check out the online home of the well-known security researcher Fyodor, who authored nmap,
the best port scanning tool available. From this site you can download nmap and 74 other
security tools from others, many of them excellent. Insecure.org serves as a repository for
numerous other security lists which may not have an archive of their own (such as
FullDisclosure). If you don't want to fill your Favorites with every security list (BugTraq,
FullDisclosure, Pen Test, and so on), bookmark this one site and you can find them all from here.
Microsoft TechNet
IT professionals running a Windows network look here for the latest Microsoft security bulletins.
Pro: Authoritative source for Microsoft security fixes. Con: Microsoft's alerts minimize the truly
bad implications of some vulnerabilities, sometimes unfairly. Bring a suspicious mind to the part
of each alert that talks about "mitigating factors" that supposedly reduce risk. Net: If you use
Windows, you've got to visit here at least monthly.
CERT.org
This government-funded source of security advisories describes itself as "a center to coordinate
communication among experts during security emergencies and to help prevent future
incidents." Pro: CERT does an excellent job of coordinating information when vulnerabilities are
found in the most commonly-used Internet resources. Con: Because their work is "official" and
because so many vendors can have a say in CERT's advisories, this is often the last entity to issue
a security advisory. Net: Pretty much the final word on anything Internet-related and not owned
by a private vendor. A must for your arsenal of resources.
Reference Guide
White Hat Web Sites
69