RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.

I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like Snort.

http://opendpi.org/

Deep packet inspection (DPI) hardware can identify an astonishing array of protocols passing across the Internet—up to and including protocols that are rare even to us in the Orbiting HQ (Gadu-Gadu? Manolito? Feidian?). But if you’ve ever wondered just how this can be done, and done at wire speed, wonder no more: Europe’s leading DPI vendor has open-sourced a version of its traffic detection engine.

OpenDPI.org is the new home for ipoque’s open source project; anyone interested can take a look at the code or contribute patches. The goal in this case, though, isn’t so much about crowdsourcing product development but about easing consumer fears about DPI technology.

Klaus Mochalski, CEO of ipoque, explains that “transparency was important for us from the beginning. The lack of transparency from the vendors’ side is widespread in the DPI business. Our thoughts are a bit different and that is why we decided to push this project.”

It can identify a whole range of weird and wonderful protocols including those you’ve never heard of.

The free version is basically a watered down of the commercial product, it’s slow, doesn’t come bundled with some fancy supercomputer grade hardware and can’t handle encrypted transmissions.

I think it will be useful too for people building open source router systems to manage traffic, do traffic shaping and general QoS with much more accuracy (rather than relying on port classification).

The OpenDPI engine, released under the LGPL license, differs from ipoque’s commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn’t reveal ipoque’s methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions.

ipoque apparently wants to convince people that its detection code doesn’t store or examine the actual content being transmitted. The company made the same point in a white paper released last week. “DPI as such has no negative impact on online privacy,” it says. “It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content.

Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management—the classification of network protocols and applications.”

I hope they keep developing the project, or some other folks in the Open Source community step up and turn it into a full blown development fork.

That would be great, harness the existing technology and improve on it.

Because let’s face it, any commercial company releasing an Open Source branch of their software has no incentive to make it that great lest it get better than the stuff they are selling.

Source: Ars Technica

If you asked any techie back in 2002 which AV should you use, the answer would invariably be AVG free (or perhaps Panda).

After that AVG just got bloated, slow and their signature files became very weak missing a lot of nasty infections, I had to fix so many PCs running AVG that were infected up the ass with all kind of malware.

People starting recommending other like Avast!, Avira and BitDefender which also offer free use versions for home use.

AVG is putting an emphasis on increased speed with a revamp of its free and paid for security suites.

The latest revamp – AVG 9.0 – boasts 50 per cent faster speed and increased ease of use. Improvements in speed have been achieved by skipping the scan of files already marked as safe in future scans unless the file structure changes. The approach also offers claimed improvements of ten to 15 per cent for boot times and memory usage, respectively.

The firewall module in AVG 9.0 has also been redesigned to be less intrusive (ie fewer ‘Do you want to allow this application online’ questions) alongside tighter integration with the anti-malware scanner that forms the core of the product. This anti-malware scanner makes greater use of behaviour-based, cloud-based and white-listing technologies.

I haven’t tested AVG 9.0 yet as the free version isn’t being released until later this month, but if it stands up to their claims it could be a good product.

Speed and bloat is definitely something they need to work on along with a more accurate scanning engine and complete signature files.

Let’s hope it’s not all just hype.

AVG Free 9.0 will be available mid-October. Details of the features are being held back until then, but expect to see a cut-down product based on the same engine but without a firewall and other bells and whistles. Based on past form, AVG free will offer an anti-malware scanner alongside LinkScanner safe search technology.

AVG’s business model relies on selling into small business and getting a percentage of consumer users of its free product (perhaps around two per cent) to upgrade. The consumer end of this equation is severely threatened by Microsoft Security Essentials launch.

Recommendations from tech savvy friends were one of the main reasons consumers latched onto AVG in the first place. AVG lost a lot of goodwill in this area with the traffic-spewing fiasco that attached to version 8.0 of its security scanner.

Secondly, irrespective of the technical merits of its product, AVG is facing off against Redmond’s marketing muscle while at the same time hunting for a new chief executive.

Microsoft Security Essentials is definitely a huge entry barrier for them and they will need to push hard to gain back a decent market share. There are some extremely good AV products out there now and a lot more choice for consumers.

Plus of course the big fat behemoths are still out there bundling their software with OEMs (Symantec, McAfee etc).

We shall see if it stands up to the tests of real world use.

Source: The Register

Samhain has always been one of my favourites, before that of course I was using Tripwire like everyone else.

The Samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

It has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host.

Samhain is a multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

Features

• PCI DSS Compliance
• File integrity checks
• Host integrity monitoring
• Logfile monitoring/analysis
• Log facilities
• Integration with other systems / Active response

You can download Samhain here:

samhain-current.tar.gz

Or read more here.

Not only that, from the other aspects of the survey it seems UK is generally lacking in cybersecurity awareness and education with people not deleting dodgy files and a large percentage of people not using any kind of protection at all.

Brits are lax at updating their security software, compared to their European counterparts, says PC Tools. Worldwide research by the security firm revealed that a third of Brits never update their security software, compared to just five percent of German and seven percent of French web users.

Nearly one in ten Brits also admitted they don’t use any form of security software when surfing the web, compared to five percent of French and four percent of Germans. The UK is also lagging behind when it comes to deleting files sent from unknown sources. Just one percent of Brits will delete files sent by email, instant messenger or social networking sites compared to two percent of French web users and nine percent of Germans.

With auto-updates and software prompting you to up date I don’t know why it’s such a big problem, I would hazard a guess that it’s to do with the lack of Broadband penetration in UK.

There’s still a huge number of people using dial-up which makes it very cumbersome to update software, especially with file sizes getting bigger and bigger.

PC Tools said that 41 percent of all respondents use just one or two passwords across all the sites they visit online, while eight percent admitted to having just one password for all their online account. Of that eight percent, over half were French, while 35 percent were Brits and just 16 percent were German.

Michael Greene, vice president of product strategy, PC Tools, said: “While consumers are generally security conscious, they are not yet security savvy. The increased use of the internet among consumers is providing a lucrative market for cybercriminals and we are seeing more and more sophisticated techniques that lure consumers into clicking on malicious links or downloading malicious files”.

Over three quarters of Brits have some form of security software installed on their PC, compared to the global average of 57 percent. Worryingly, 53 percent of Brits also said they only act on a security alert if something strikes them as particularly dangerous.

From the stats, the average for those having some kind of security software installed is trumped by the Brits – but if they don’t update isn’t it useless.

And with 41% of people using only 2 different passwords for ALL online sites..that doesn’t bode well for anyone who gets hit with a targeted attack.

Source: Network World

Especially internal Windows LAN setups with a domain, for Linux I always felt there were better choices – but as far as Windows went LANguard was my choice.

Fairly recently GFI released version 9 of their scanner (overview here) with improvements to the scanning engine and the interface (including the monitoring dashboard which gives you a good heads-up of the scan results).

One of the big positives for me with LANguard was the ability to detect patch levels and automatically roll out patches over the network. This makes it a very comprehensive solution, the recent versions also include checks to ensure 3rd party software such as Anti-virus solutions are also up to date (full features here).

It’s as easy to install and get up and running as ever, if you do have any issues the Installation Guide is here [PDF].

Getting started with a scan is as easy as clicking 1 button, the interface has been simplified from what I remember and it’s a lot more attractive than it used to be. In fact it’s simple enough that non-security IT folks could use it without much problem.

After a scan is complete you have a choice to Analyze or Remediate. The Analysis section will give you fairly detailed instructions on any vulnerabilities found (including a vulnerability level) and full system information including shares, patch levels and so on.

The Remediate section will inform you of missing patches and allow you to apply these. Other than the standard MS patches and service packs you can also deploy 3rd party applications and uninstall rogue software.

Most things in the scanner can be scheduled too so for example if you want to scan outside of office ours or roll out software/patches at the weekend you can set LANguard to do that.

The dashboard is a nice addition which gives you an overview of the network security and the changes in vulnerabilities over time.

It also comes with the generic network utilities like Whois, DNS Lookup, Traceroute & SNMP Walk.

All in all I think it’s a great tool, especially for those managing Windows based networks. It makes your life a LOT easiest and it makes it easier to manage patches and software across the Domain.

It’s not a hardcore security tool, which means it also appeals to people more in the Sys Admin & Network areas of the industry. If you have any Windows machines do give it a look, perhaps start with the free version below.

You can download the latest version here:

GFI LANguard 9 Download

Pricing is done on a per-IP basis with prices starting from around $32USD per IP for a 10-24 IP block.

There is also a FREE version available here:

GFI LANguard 9 5-IP Freeware edition

They are a bit behind in the curve as they don’t have a formal security program and it’s unknown if they use secure development practices (they seem to focus more on interface design than anything else).

Something has to be done though or the next big botnet could be running on Apple machines.

A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.

“Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases,” writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. “To address this lack, Apple should integrate secure software development into all internal development efforts.”

Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.

With their fairly rapid development and pumping out of new product lines (Apple TV, Mac Mini etc) they are going to face security problems at some point.

That’s without considering the Internet connected mobile devices (iPhone, iPod touch).

Adobe has taken notice too with it’s recent spate of exploits and improved its Secure Development Lifecycle to ensure future problems are minimized.

Mogull’s suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.

“It’s clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges,” he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.

The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.

Another suggestion from Mogull is that Apple appoint and empower a high-ranking executive to oversee security in all Apple products. The CSO, or chief security officer, would serve as the public face for Apple security as well as the internal boss who coordinates the company’s response to security incidents and development of new products that are safe.

I believe Apple is indeed need of a solid CSO, one that can implement more proactive measures against security flaws such as secure development, a dedicated response and research team for vulnerabilities and spearhead a generally more responsible organisation when it comes to security concerns.

Obviously to fit into Apple it has to be someone charismatic that can ’sell’ the benefits of Apples ‘iSecurity’ system or whatever they are gonna call it.

I’m sure they’ll find some way to spin whatever security measures they take into a marketing exercise.

Source: The Register

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must tool in every security professionals tool box.

Technitium MAC Address Changer is coded in Visual Basic 6.0.

Features

• Support for Windows 7 RC added.
• Issues with installer program resolved.
• Most reported bugs in previous versions removed.
• Allows you to remove all registry entries corresponding to Network Adapter that is no longer physically installed on the system.
• Allows you to configure Internet Explorer HTTP proxy settings through configuration presets or command line.
• Identifies the preset applied to currently selected Network Interface Card (NIC) automatically making it easy to identify settings.
• Most known issues with Windows Vista removed.
• Changes MAC address of Network Interface Card (NIC) including Wireless LAN Cards, irrespective of its manufacturer or its drivers.
• Has latest list of all known manufacturers (with corporate addresses) to choose from. You can also enter any MAC address and know which manufacturer it belongs to.
• Allows you to select random MAC address from the list of manufacturers by just clicking a button.
• Restarts your NIC automatically to apply MAC address changes instantaneously.
• Allows you to create Configuration Presets, which saves all your NIC settings and makes it very simple to switch between many settings in just a click and hence saves lot of time.
• Allows you to Import or Export Configuration Presets to or from another file, which saves lot of time spent in reconfiguration.
• Allows you to load any Configuration Presets when TMAC starts by just double clicking on any Configuration Preset File. (*.cpf file extension)
• Has command line interface which allows you to perform all the tasks from the command prompt or you can even create a DOS batch program to carry out regular tasks.
• Displays all information you would ever need to know about your NIC in one view like Device Name, Configuration ID, Hardware ID, Connection Status, Link Speed, DHCP details, TCP/IP details etc.
• Displays total bytes sent and received through the NIC.
• Displays current data transfer speed per second.
• Allows you to configure IP Address, Gateway and DNS Server for your NIC quickly and instantaneously.
• Allows you to enable/disable DHCP instantaneously.
• Allows you to Release/Renew DHCP IP address instantaneously.

There are some famous, commercial tools available in the market from USD 19.99 to as much as USD 2499, but Technitium MAC Address Changer is available for FREE. They don’t charge for just changing a registry value! Also knowing how this works doesn’t require extensive research as some commercial tool providers claim.

You can download Technitium v5 R2 here:

TMACv5_R2_Setup.zip

Or read more here.

ScreenStamp! is basically a screen grabbing application for pen-testing and people working in forensics. The app will ask you for a location to save your screen shots to, along with a name that the program will number, allowing the user to concentrate on the job at hand as opposed to saving screen shots.

ScreenStamp! also time and date stamps the screen shot at the top right hand corner.

Where did the ScreenStamp! idea come from?

A bunch of students studying Ethical Hacking for Computer Security were carrying out an Information Gathering exercise the task of taking and saving screen shots with the clock opened and date showing was repetitive and tedious, so the group members decided that an application that would do this would be useful. After failing to find an existing application that fulfilled their needs they created one.

ScreenStamp! will not only be available to use on Windows operating systems but also Linux and Mac.

You can download ScreenStamp! here:

screenstamp_win_v1_8.zip
screenstamp_v.1.0.tar.gz

Or read more here.

Included are Symantec’s Norton Anti-virus, Kaspersky Anti-Virus 6.0, F-Prot, IBM Proventia and Clam Antivirus.

Once an occasional inconvenience, serious security bugs and vulnerabilities in anti-virus and security suite products are growing into hardy perennials. Once, running Windows anti-virus was like driving down a dual carriageway. These days, it’s more like an unpaved road.

Last week alone bought a confirmed snag with anti-virus products from Kaspersky Lab and a reported oddity with an update Norton anti-virus from Symantec. Elsewhere an allegedly long running flaw in anti-virus scanner from F-Prot was published for the first time. The Kaspersky bug had the potential to result in serious annoyance. The other bugs are less serious and individually don’t amount to much, but collectively, they’re enough to make you reach for an Ubuntu installation CD or start looking on eBay for a Mac.

First up, let’s consider a misfiring definition update for Kaspersky Anti-Virus 6.0 for Windows Workstations, which sent users into pop-up hell. It was issued on 31 March, and it wasn’t resolved until 2 April.

The worst one in my opinion is the Kaspersky problem, because it’s their own fault? How can a company with so many users, pushing out automatic updates have such poor quality control?

Pushing out an update that messes up a users machine and not fixing it for 3 days is enough to stop using a product for me.

Elsewhere reports on Norton’s support forums on Saturday (4 April) suggest a Symantec update killed right click menu on PCs running Windows Vista. We brought the thread to Symantec’s attention earlier this afternoon and wait the security giant response to the odd, not to say bizarre, reported glitch with interest.

Moving on past glitches there’s also straightforward security vulnerabilities to consider. A flaw in F-Prot involving the scanning of Zip files allegedly creates a possible method to circumvent anti-virus protection. Security researcher Thierry Zoller, who discovered the vulnerability, went public with the flaw on 2 April after F-Prot failed to act for a reported four years.

Zoller also published two other advisories last week, each covering problems with enterprise products and scanning archived files. Malicious RAR archives might make their way past IBM Proventia email security appliances, according to Zoller. He published a limited details advisory after not hearing from IBM for a month. IBM is reportedly investigating the issue.

Clam AntiVirus, the open source anti-virus toolkit for UNIX, which is used to scan email on mail gateways for Windows viruses, also had a problem with RAR files. That problem was plugged late last month but only publicised by Zoller with an advisory last week.

Even the popular Linux/UNIX solution Clam Antivirus didn’t escape testing throwing up a bug when scanning RAR files. I’m surprised AV still has such problems with RAR/Zip and compressed files.

We worked out long ago if you made a batch script to make an almost infinite loop of zip files (zip within zip within zip etc) you could bomb out the CPU totally on most AV e-mail gateways.

I hope 10 years later they aren’t still having the same problems.

Source: The Register