all posts in the 'Countermeasures' category


Windows 7 UAC (User Access Control) Ineffective Against Malware

There have been a few stories about Windows 7, even one about Windows 7 UAC before, and now that it’s officially on sale I’d expect there to be many more.
As always, malware and mass infections are a numbers game, so the bad guys will always target the most popular and prolific operating systems to increase their [...]

RATS – Rough Auditing Tool for Security

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and [...]

Deep Packet Inspection Engine Goes Open Source

This is great news, especially for open source tool developers. Deep packet inspection is an extremely niche area and requires great expertise (and a lot of R&D of course).
I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like [...]

AVG Stepping Up Consumer Anti-Virus Offerings

AVG used to be THE anti-virus software a few years ago, especially with it being the first major vendor offering a free solution for home users.
If you asked any techie back in 2002 which AV should you use, the answer would invariably be AVG free (or perhaps Panda).
After that AVG just got bloated, slow and [...]

Samhain v.2.5.9c – Open Source Host-Based Intrusion Detection System (HIDS)

We’ve only mentioned one HIDS before, that was OSSEC HIDS, so I thought I’d do some updates on the others.
Samhain has always been one of my favourites, before that of course I was using Tripwire like everyone else.

The Samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well [...]

Graudit – Code Audit Tool Using Grep

Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep. It’s comparable to other static analysis applications like RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

Usage
Graudit supports several options and tries to follow [...]

Trafscrambler – Anti-sniffer/IDS Tool

Trafscrambler is an anti-sniffer/IDS LKM (Network Kernel Extension) for OSX, licensed under BSD.

Features

Injection of packets with bogus data and with randomly selected bad TCP cksum or bad TCP sequences
Userland binary (tsctrl) for controlling trafscrambler NKE
SYN decoy – sends out number of SYN pkts before the original SYN pkt
TCP reset attack – sends out RST/FIN pkt with bad [...]

GFI LANguard 9 Review – Network Security Scanner & Vulnerability Management Tool

GFI LANguard is a product that has been around for a LONG time, I remember using it way back at version 3 or 4 and it was always my choice of platform if I was auditing a Windows based network.
Especially internal Windows LAN setups with a domain, for Linux I always felt there were better [...]

Multiple Bugs In Anti-Virus Software Revealed

A spate of bugs have popped up recently in quite a few of the major anti-virus brands, some are old bugs which have just been made public and some are apparently new bugs – just discovered. Nothing too serious it seems (no remote takeover vulnerabilities) mostly just crashes and annoyances.
Included are Symantec’s Norton Anti-virus, Kaspersky [...]

Lynis 1.2.6 Released – UNIX System & Security Auditing Tool

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can [...]

Microsoft Puts Hold on Forefront Security Product Range

Microsoft is in the news again, but this time for holding back on something security related.
It seems like they want to have some extra time for development, and well perhaps some business related factors come into play too.
A lot of Windows networks use ISA (as it used to be called) – in the future it’ll [...]

How to Scan for Conficker Worm

A bit of an update on the Conficker worm, which is supposedly scheduled for new updates and instructions today, Wednesday 1st April 2009; nobody except the bad guys knows what those instructions will be. Fyodor has rolled out a new nmap beta release to the nmap scripting engine that enables it [...]

Microsoft Open Source Security Tool – !exploitable Crash Analyzer

Finally Microsoft is doing something proactive and perhaps even slightly ahead of the game, a real game-changer for the security community.
They have released a new AND open-source tool to make debugging easier, it gives developers a lot of help during the release cycle to build more secure software. Mostly because it takes the legwork and [...]

DShield Web Honeypot Project – Alpha Version Released

For those of you who are not familiar with DShield (where have you been? under a rock?) it’s a Cooperative Network Security Community. Basically what that means is they collect firewall logs and map out the trends.
Like when there was a worm going around that bruteforced SSH2 you could see a spike in port 22 [...]

FlowMatrix – Free Network Behavior Analysis System

FlowMatrix is a Network Anomaly Detection and Network Behavioral Analysis (NBA) System, which in fully automatic mode constantly monitors your network using NetFlow records from your routers and other network devices in order to identify relevant anomalous security and network events.
In addition, the new release of FlowMatrix (ver. 0.9.62 and later) supports Network Applications Behavior Analysis. This [...]

Independent Web Vulnerability Scanner Comparison – Acunetix WVS, IBM Rational AppScan & HP WebInspect

I saw a relevant paper published today by an individual that claims the comparison was ordered by a penetration testing company (a company which remains unnamed).
The vendors were not contacted during or after the evaluation.
Testing Procedure
The author tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the [...]

OWASP (Open Web Application Security Project) Testing Guide v3 Released

This project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations and a “low level” web application penetration testing guide that describes how to find certain issues.

Version 3 of the Testing Guide was released last month, in December 2008, the project was part [...]

Secunia Personal Software Inspector (PSI) 1.0

To continue with some software targeted towards security and self-protection after posting about Microsoft Baseline Security Analyzer (MBSA) and Microsoft Security Assessment Tool (MSAT) we continue with one more – Secunia Personal Software Inspector. We did write about this software way back when Secunia first came out with their Secunia Software Inspector.
There are now 3 versions [...]

Microsoft Baseline Security Analyzer – Free Windows Tool

Recently we mentioned MSAT – Microsoft Security Assessment Tool and I recalled another tool which came out originally years and years ago and I’ve personally found useful in a few situations.
It’s good when you’re working on a Domain/Group Policy and you want to lock down one machine nice and tight, it can give some pretty [...]

Microsoft Security Assessment Tool – Free for Windows

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations like yours assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your computing environment and [...]

Symantec to Buy MessageLabs (Email Spam and Web Traffic Filter)

Some interesting security industry news, it seems like Symantec is really setting itself up to be the Microsoft of the security world.
They are buying up anything and everything and merging it into the Symantec borg…things that are successful of course. Their latest acquisition is the popular MessageLabs, a good example of both cloud computing and [...]

fwknop – Port Knocking Tool with Single Packet Authorization

Port Knocking came about in around 2003, but it has various weaknesses. There are plenty of implementations though (some quite advanced). Most of the problems are fixed however by fwknop!
fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop [...]

psad – Intrusion Detection and Log Analysis with iptables

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.
psad [...]

MoocherHunter – Detect & Track Rogue Wifi Users

MoocherHunter™ is a mobile tracking software tool for the real-time on-the-fly geo-location of wireless moochers and hackers. It’s included as part of the OSWA Assistant LiveCD we mentioned quite recently.
I wanted to mention this tool separately as I think it’s very cool!

MoocherHunter™ identifies the location of an 802.11-based wireless moocher or hacker by the traffic [...]

Lynis – Security & System Auditing Tool for UNIX/Linux

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.
This is a tool that might be useful for both penetration testers performing white box tests and system admins trying [...]

Which Browser Users Are More Secure?

Some new statistics just came out regarding Browser Security, this is more in terms of which users are most likely to apply patches and be using the most secure version.
I would have thought Firefox would have been pretty high since the newer series automatically prompt for new patches. My only guess is a lot of people [...]

NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.
Currently there is a new type annoying mail-server owners the world over, it’s known as NDR or Backscatter Spam and involves NDRs or Non Delivery Reports (those emails you get when you send a mail [...]

ArpON – ARP Handler Detect and Block ARP Poisoning/Spoofing

ArpON (Arp handler inspectiON) is a portable handler daemon with some nice tools to handle all ARP aspects. It has a lot of features and it makes ARP a bit safer. This is possible using two kinds of anti ARP Poisoning techniques, the first is based on SARPI or “Static ARP Inspection”, the second on [...]

AV Firms Split Over Defcon Contest

Now this is a pretty interesting contest from the guys at Defcon, antivirus evasion! It’s a question that gets asked a LOT…how do I avoid AV?
There are various ways to do it and I’ll be interested to see which are used in the contest, the most elegant solutions of course get better prizes.

Security firms have [...]

HDIV – Java Web Application Security Framework

HDIV (HTTP Data Integrity Validator) is a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and [...]

WSGW – Web Security Gateway for Secure Apache

The Web Security Gateway is a security-centric distribution of the Apache web server, bundled with additional security modules, and configured as a front-end (reverse) HTTP proxy. The goal is to mirror most of the features of commercial web application “firewalls”, with free and Open-Source software.
The Web Security Gateway provides a configurable caching, authentication, input validation, [...]

.NETIDS – .NET Intrusion Detection System

This tool is another one on the side of protection, again for web-based applications but this time for .NET applications; it’s called .NETIDS (.NET Intrusion Detection System). This tool is capable of detecting attacks on web applications and gives the developer the possibility to react. The project files include filter rules and function stubs [...]

Cyber Storm II – US, UK & 3 Others Involved in Mock Cyberwar

This is pretty interesting – US, UK, Canada, Australia and New Zealand are taking part in a fictitious cyberwar as an exercise to prepare and plan for sustained cyber attacks including some of which have actually caused power outages.
I personally think it’s a great idea, I must have missed Cyber Storm I as this is [...]

SCARE – Source Code Analysis Risk Evaluation Tool

The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that will analyze source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary. This metric will not say that the binary will be exploited nor does it do [...]

Laptop and Data Theft Protection

A UK firm, Virtuity, has created data protection software called BackStopp which comes with ‘self-destruct’ technology based on Wi-Fi and RFID tags that starts to run as and when a laptop is moved from its designated space.
So in layman’s terms, if the laptop is moved from its permitted zone (which is set by the user) [...]

Password Hasher Firefox Extension

Well, seeing as we were talking about breaking passwords, here’s a tool for Firefox to help you manage your more secure passwords.
Better security without bursting your brain
Password Hasher is a Firefox security extension for generating site-specific strong passwords from one (or a few) master key(s).

What good security practice demands:

Strong passwords that are hard [...]

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications

Another protection for those building websites and web applications; as it’s the most common attack vector nowadays, I think it’s important to be extra safe on this front.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes [...]

argus – Auditing Network Activity – Performance & Status Monitoring

Another tool for the security side, good for forensics, monitoring and auditing.
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, [...]

mod_anti_tamper – Anti Tamper Module for Apache 2.x

What Is Mod AntiTamper (AT)
AntiTamper is an Apache 2.x module that can be used to prevent some sorts of URL and cookie tampering.
Specifically, AT could stop a lot of those malicious bots that take advantage of search engines. Moreover, attack techniques like HTTP Response Splitting and session hijacking/fixation will be mitigated.

It is important to note that [...]

gotroot modsecurity Rules for Apache – Anti-spam and Security

To follow on from Whitetrash which I posted about previously, here is another tool to secure your web site or web application. Essentially it’s a very comprehensive set of rules for mod_security.
ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server [...]

Whitetrash – Dynamic Web White-listing for Squid

This is a pretty neat tool for those using Squid Cache and looking for a pro-active tool for securing web access in their company (or house if you have a devious sibling).
The goal of Whitetrash is to provide a user-friendly and sysadmin-friendly proxy that makes it significantly harder for malware to use HTTP and SSL [...]

GFI End of Year Offer – Up to 50% Off

Just a quick note as I know many of you guys are in corporate security positions and might be looking for some of the solutions GFI offers.
They are having a Q4 promotion with up to 50% off on some of their products/services.

GFI MailEssentials – 25%
GFI MailEssentials & GFI MailSecurity Suite – 25%
GFI MailSecurity – 50%
GFI [...]

CORE GRASP – PHP Web Application Protection Software

CORE GRASP for PHP is a web-application protection software aimed at detecting and blocking injection vulnerabilities and privacy violations.
As mentioned during its presentation at Black Hat USA 2007, GRASP is being released as open source under the Apache 2.0 license.
The present implementation protects PHP 5.2.3 against SQL-injection attacks for the MySQL engine, it can be [...]

Common Criteria Web Application Security Scoring (CCWAPSS) Released

The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.
This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.
CCWAPSS is focused on rating the security level [...]

XSS Warning – A Security Extension/Add-on for Firefox

XSS Warning is an extension/add-on for Firefox that filters malicious values to prevent Cross Site Scripting (XSS) attacks by malicious URLs (assuming you have Javascript enabled).

XSS Warning 0.1.8 beta protects from:

URL attack
Redirect attack
Link code injection

Compatible with Firefox: 1.5 – 2.0.0
You can install and read more about XSS Warning here:
http://www.gianniamato.it/project/extension/xsswarning/

Babel Enterprise – Cross Platform System Auditing Tool

Babel Enterprise is a systems auditing tool. Babel performs a security level check of the machine, or hardening. The check consists of a number of auditing tests that obtain a snap of the security status of each machine. The result is a security index of the system that is given after each execution. It a [...]

Sguil – Intuitive GUI for Network Security Monitoring with Snort

Sguil (pronounced sgweel) is probably best described as an aggregation system for network security monitoring tools. It ties your IDS alerts into a database of TCP/IP sessions, full content packet logs and other information. When you’ve identified an alert that needs more investigation, the sguil client provides you with seamless access to the data you [...]

Google Acquires Web Security Startup GreenBorder

More Google News this week after Google Launches Online Security & Malware Blog, now they have acquired a web security startup called GreenBorder.

Google Inc. said on Tuesday it has bought Internet security startup GreenBorder Technologies Inc., which creates secure connections to protect e-mail and Web users from malicious or unwanted computer code.
Terms of the deal, [...]

Consulting Licence Offer From Redseal – Security Risk Manager (SRM)

Redseal is launching a free offer next week for security consultants, pen testers and auditors.
Redseal develops a product called Security Risk Manager (SRM), it does the following – (non sales overview)

Imports firewall and router configuration files
Audits and checks them for errors, misconfigurations, redundant rules, checks against best practices etc
Draws a network topography [...]

Outpost Security Suite PRO Review

Agnitum Outpost Security Suite Pro is a step up from their Agnitum Outpost Firewall PRO with a more holistic look at security.
The suite also includes pre-emptive threat protection, anti-spam protection and safe-surfing.
The software is fairly sizeable at around 36MB, you can download it here, for a 30 day free trial.

As I’ve mentioned before I think [...]

GFI Free Endpoint Scanner – Online Portable Storage Device Scanning

Recently GFI launched a free, online portable storage device scanner called EndPointScan.
http://www.endpointscan.com
EndPointScan is an industry-first, free online service that allows anyone to check what devices are or have been connected to computers on their network and by whom.

Using this diagnostic tool, one can identify those areas where the use of portable storage devices could pose [...]

Slavasoft FSUM and Hashcalc md5 & File Integrity for Windows

FSUM is a fast and handy command line utility for file integrity verification. It offers a choice of 13 of the most popular hash and checksum functions for file message digest and checksum calculation.
You can easily use FSUM with a batch wrapper to do automated file integrity monitoring, and use something like blat to email [...]

Agnitum Outpost Firewall PRO Review

Agnitum Outpost Firewall Pro is a software based firewall I respect a lot, and used to actually use… It used to be fairly lightweight, secure and had some good features the other firewalls at the time didn’t have (system file integrity checking and so on).

But nowadays with NAT routers, the need for desktop firewalls is [...]

Check Point VPN-1 Power VSX NGX – Virtual Firewalls Get Clustered

Clustered Firewalls? What on earth next, beowulf IDS systems?

Check Point has added cluster support and more granular controls to its virtual firewall software, memorably named Check Point VPN-1 Power VSX NGX.
Virtual firewalls can now be distributed around a server cluster, with standby firewalls on alternative servers. System administrators can also shift processor power around, taking [...]

PwdHash from Stanford – Generate Passwords by Hashing the URL

The Common Password Problem.
Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of username/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this [...]

Microsoft’s Live OneCare the WORST Anti-Virus Solution

An Austrian web site called AV Comparatives has done an ‘independent’ test of 17 different Anti-Virus products and released the results online.
On this site you will find independent comparatives of Anti-Virus software. All products listed in our comparatives are already a selection of some very good anti-virus products. In order to get tested by us, [...]

Defense Workers Warned About Spy Coins for Espionage

This is a pretty cool new development, something straight out of a Tom Clancy thriller or a spy/hacker movie.
Introducing Spy Coins! People are actually being warned about picking up stray coins as they might have surveillance devices inside.

Can the coins jingling in your pocket trace your movements? The Defense Department is warning its American contractor [...]

ARPWatch-NG ARP Flooding/Spoofing Protection/Detection

If you are paranoid about people ARP spoofing or flooding on your network you can use ARPWatch-NG. ARPWatch-NG is a continuation of the popular original ARPWatch from ftp://ftp.ee.lbl.gov/.
ARPWatch monitors MAC addresses on your network and writes them into a file; last known timestamp and change notification are included.

It can be used to monitor for [...]

Inprotect 0.22.5 Released – Web Interface for Nessus & Nmap

A new revision of Inprotect has just been released, 0.22.5 in order to fix bugs and implement feature requests submitted by the development team and users. Existing users are recommended to upgrade.
Inprotect is a web interface for Nessus and Nmap security scanners, released under GNU/GPL license. This version has the following enhancements:

Improved and fixed [...]

Security Boom Post 9/11

It makes sense really, the paranoia that quickly infected every corner of the ‘Western’ world had to be cashed in on by somebody, tada! The security industry of course.

During the Cold War, Canada’s National Optics Institute developed a system to detect which type of enemy tank or fighter jet was approaching. After the Soviet Union’s [...]

FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability

A useful tool for anyone working with PHP applications.
DESCRIPTION
————
FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. It scans PHP files, mapping PHP/HTTP variables, and then performs a security audit, in order to find out which of them are exploitable.
USAGE
——
php fis.php [local file] [remote file] [remote FIS ID file]

[local file]
————–
The local copy of the [...]

Impressive Open Source Intrusion Prevention – HLBR

It’s good to see work on open source tools in the countermeasure department as well as the attack and penetration arena.
It’s a shame since Snort and Nessus have gone semi-commercial.

I hope more people invest their time in good IDS, Firewall and IPS systems, I love things like IPCop and hope to see more products like HLBR.
HLBR [...]

Using the capture command in a Cisco Systems PIX firewall.

This is an excellent article you might find useful covering the use of the capture command in Cisco PIX firewalls.

A vital tool to use when troubleshooting computer networking problems and monitoring computer networks is a packet sniffer. That being said, one of the best methods to use when troubleshooting connection problems or monitoring suspicious network [...]

Moving Ahead in the War Against Botnets

This effort started quite a long time ago, I was just checking up to see how they were getting on, but there’s not much news of their progress.
Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable [...]

Sophos Offers Free Rootkit Detection Tool/Software

Ah, here at Darknet we have always been a fan of Sophos and the way they operate, a very efficient company and good to see good technical products still coming out of the UK!
Another good move by them, they have decided to offer a free rootkit detection tool called Sophos Anti-Rootkit..Yah I know, not a [...]

TCPReplay suite 3.0.beta10 Released

Another good tool updated! TCPReplay suite 3.0.beta10 has been released.
For those that don’t know Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for *NIX operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. It allows you to classify [...]

OWASP – Fortify Bug Taxonomy

Ah at last a good solid collaborative effort to identify and categorise software vulnerabilities with a solid taxonomy and good organisation!
It seems very well written too in terms that anyone familiar with software development or programming can understand.

Fortify Software, which identifies and remediates software vulnerabilities, has contributed its collection of 115 types of software security [...]

SpikeSource Spike PHP Security Audit Tool

Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.
The tool Spike basically does static analysis of PHP code for security exploits. PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.

This tool is especially welcomed by Darknet as there aren’t [...]

BASE 1.2.6 Released (Basic Analysis & Security Engine)

We are happy to announce that the 1.2.6 (christine) release of the Basic Analysis and Security Engine (BASE) is available.

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts [...]

HoneyBot – A Windows Based Honeypot

HoneyBOT
HoneyBOT is a Windows based medium interaction honeypot solution.

What is a Honeypot?
A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data even including the keystrokes and mistakes [...]

A Forensic Analysis of the Stolen Veteran’s Administration Laptop

An interesting speculative post on the forensics techniques that would most likely be used by the FBI during the investigation of the recovered Veteran’s Administration laptop.
Most of them are pretty straightforward if you have any kind of experience with digital forensics and data recovery (disaster recovery, incident response etc.)

As a former Computer Forensic Specialist, [...]

Shadowserver Battles the Botnets

Botnets are indeed a growing problem, we’ve seen serious cases of DDoS extortion, the most recent example would be the attacks against the ‘million dollar homepage’ and the problems it caused the owner.
Botnets have been used for quite some time as spam networks and mostly for script kiddies to have DoS wars on IRC networks, [...]

Botnets and Phishing Numbers Increasing Despite Crackdown

Botnets and organised cybercrime are getting more prevalent; it seems they’re increasing exponentially despite crackdowns by the US governments and other organisations.
The criminals are getting more advanced, phishing scams are getting more realistic, technically trojans are getting more effective and the groups are getting really organised.

Cybercrooks are organizing better and moving to more sophisticated tactics [...]

Spam – A Simple Guide To Keeping Your Inbox Clean

In my opinion, the best way to keep clean of spam is simple:
The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.
These are simply underhand tactics to get ‘active’ e-mail addresses.
Some other tips to avoid getting spammed in the first place:

1) Never use your [...]

Without OneCare in the World.

Today sees the launch of “OneCare”, Microsoft’s “security solution”. Combining firewall, anti-virus and anti-spyware into one handy package…. but would you trust it?
I guess many people will, and over time we will find out if it’s a well spent $49.99 or not, but for me? I don’t think so. Microsoft do many things, but [...]

South-East Asia Vulnerable to Cyber Terrorism

Interesting to see this just a little while after Malaysia announced IMPACT, its anti cyber-terrorist task force.
IMPACT is its name, and making an impact in the battle against cyber-terrorism is its mission. Unveiled in Austin, Texas, the Malaysian initiative seeks to bring together governments and the international private sector to deal with increasing threats in [...]

Source Code & Software Security Analysis with BogoSec

Bogosec is essentially a tool for finding security vulnerabilities in source code.
BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.

BogoSec is a source code [...]

Anonymity – Hiding Your Identity in 2006

Introduction
Anonymity is derived from the Greek word ανωνυμία, meaning without a name or name-less. In colloquial use, the term typically refers to a person, and often means that the personal identity, or personally identifiable information of that person is not known.
The main question is of course, what are you trying to hide? Closely following that [...]

Browser Security Test – Check Your Browser NOW!

I know this is old, but a lot of people still don’t know about it.
It can test for up to date Mozilla, Opera and Internet Explorer flaws, exploits and vulnerabilities.

Browser vulnerabilities are a serious issue now.
You can see which vulnerabilities they test for here and the statistics of the tests results here.

Total tests finished: 739828
Tests that [...]

OSSEC HIDS – Open Source Host-based Intrusion System

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.
This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis [...]

Good Password Guidelines – How to Make a Strong/Secure Password

It’s common sense for most people on the hacking side of computer security as we know how easy it is to break a password when it’s only a few characters long or it uses a dictionary word (even if it is postfixed with a couple of digits, a hybrid dictionary attack breaks it pretty fast).
Even [...]

AJAX: Is your application secure enough?

Introduction
We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.
Webmail applications use it to quickly update the list of messages in [...]

Sealing Wafter – Defend Against OS Fingerprinting for OpenBSD

One way to defend against OS fingerprinting from tools such as nmap, queso, p0f, xprobe etc is to change the metrics that they base their analysis on.
One way to do this with OpenBSD is to use Sealing Wafter.
Goals of Sealing Wafter:
1. To reduce OS detection based on well known fingerprints network stack behavior.
2. To have [...]

Security Cloak – Mask Against TCP/IP Fingerprinting for Windows

I’ve seen quite a lot of discussion lately on how to ‘defend against nmap’ or how to change the properties of your TCP/IP Stack so your Windows OS appears to be something else (As in you can guess the OS from the TTL value passed back in a TCP/IP packet).
One way you can do this [...]

Post-Mortem Data Destruction

1. Introduction
This article describes and partly implements a method to delete or re-locate potentially sensitive and / or incriminating information from your UNIX flavoured machine, after the sad event of your death.
An older version of this article has been published before, yet it has since disappeared from the Internet and the Google cache; hence this [...]

