It provides automatic STRIDE classification a very simple DREAD calculator and few minor utilities. Direct links to WAST 2.0 Threat Classification, Secure Java Development Guidelines and OWASP Tools are also part of the package.

Requirements

• .NET Framework 3.5 (Service Pack 1)
• Visual Studio 2008
• Windows Platform

You can download CodeCrawler here:

CODECRAWLER_2.5_RELEASE.zip

Or read more here.

GreenSQL Architecture

GreenSQL works as a reverse proxy for MySQL connections. This means, that instead of connecting TO THE MySQL server, your applications will connect to THE GreenSQL server. GreenSQL will analyze SQL queries and then, if they’re safe, will forward them to the back-end MySQL server.

New Changes

In this version, GreenSQL provides native support for PostgreSQL (http://www.postgresql.org) databases for the very first time. In fact, GreenSQL is the only database firewall (Open or Closed Source) available for the protection of the many PostgreSQL databases currently in use.

GreenSQL 1.2 merges the GreenSQL-Console package into the GreenSQL-FW. The GreenSQL-Console will no longer be released as a separated package. During the installation process, you will be able to choose whether or not to install the console.

You can download GreenSQL v1.2 here:

greensql-fw-1.2.2.tar.gz

Or read more here.

Of course there is Koobface and it’s many variants which have been propagating all kinds of spam through Facebook wall posts and messages.

I’m glad someone is offering a solution for free, yes they benefit from it too by being able to gather data on Facebook activity and the quantity of malicious posts occurring on Facebook.

Security vendor Websense if offering Facebook users and businesses a new free ‘firewall’ service that monitors their pages for malicious posts, links and spam.

Defensio 2.0 checks all posts to Facebook in real time against Websense’s ThreatSeeker Network, a database of problem URLs, before deciding whether to categorise a post as malicious or unwanted. This also draws from data gathered by US ISP Radialpoint and URL shortening service bit.ly before performing further heuristic analysis as a final check.

If a bad post is detected, the system logs and informs the user who makes the final decision. As with the original Defensio system – acquired a year ago when Websense bought the company of the same name – it can also monitor web pages for rogue posting, pre-emptively blocking those it deems unwanted.

“We are seeing real threats to Facebook such as Koobface,” said Websense senior research manager, Carl Leonard.

It seems to work on a ‘moderation’ model so if the software detects any suspicious automated messages/links or other dodgy activity it will block the post/message and allow the user to approve/deny the request.

But then it’s only going to be effective if take-up is good amongst the non-tech savvy users where the problems tend to be a lot more common.

Sadly this seems highly unlikely as only people who read sites like this will know about it, unless it get’s heavily promoted on Facebook..but then you have to contend with ad-blindness problems.

According to Leonard, an advantage of Web 2.0 monitoring was that it gave security companies a way of following criminals inside the otherwise closed world of social media, something that many security vendors can’t yet do. “We can have visibility into threats on these social networks, and have a fantastic feed of information that can benefit all our customers,” he said.

Leonard was not able to say when or if the monitoring might be available other social media sites or feeds such as twitter, where rogue behaviour can be difficult to spot.

The service is free for anyone with fewer than 50,000 posts per month, and for companies with 15 employees of less. For professional sites or sites with larger volumes of posts, the service starts at $5 (£3) per month, per site.

It’s free for most people, I’d imagine very few companies are making 1500 posts per day! Even if you need to pay it’s pretty cheap.

I hope to see more initiatives from companies like this, and ideally someone working with Facebook themselves to increase pro-active security measures on the site.

Obviously that’s not their first priority and with the recent brouhaha about their new privacy terms and default settings..you should be concerned about what information of yours they intend to utilise.

Source: Network World

Managing, archiving and monitoring logs and SNMP traps for a whole network can be a bit of a logistical nightmare, that’s where products like this come in. Commonly they are known under the umbrella term Business Intelligence Systems or more specifically Log/Event Management.

Installation is easy enough as per usual with GFI software, configuration will be a little more complex depending on the architecture of your network. If you have any problems however you can download the user manual here – esm8manual.pdf [PDF]. Do note you will require a local or remote instance of MS-SQL for events archiving. You can download and use MS-SQL 2005 Express Edition (which is free).

You can find an overview of the software here and a full features list here.

Once you get started you’ll need to setup the MS-SQL database before you can do anything else, so either put the details for your remote server or install the free express edition then set up the database.

After that you can select if you wish to process local computer events, selected machines or setup custom config (snmp traps/syslog). There are a lot of options in the configuration management and allows you to easily aggregate the logs/SNMP output from a whole network. It allows logging from a plethora of devices including Windows and Linux servers, Cisco devices, Juniper devices, laptops, desktops and databases.

The main screen gives you a very simple overview that the services are running correctly and the global events count with a break-down by type.

The graphing view allows you to visually see by source or globally by event classification and volume flow by hour.

The Event Browser allows you to view individual events, drill down to the details captured and sort them by status allowing you to track down problems easily and diagnose which application is causing the problem.

You can also add the free GFI EventsManager ReportPack, which enables you to generate graphical IT-level, technical and management reports based on the hardware and software events processed by GFI EventsManager.

Pricing runs as low as $45.00 per node for Servers and $4.50 per node for Workstations if you buy in bulk.

You can download the free trial here:

http://www.gfi.com/downloads/register.aspx?pid=esm

You can find the full details on GFI EventsManager here:

http://www.gfi.com/eventsmanager

It do many tests for checking security configuration issue or others good practice.

It checks many software configurations like:

• Apache
• PHP
• kernel
• MySQL
• OpenVPN
• Packages update
• snmpd
• tomcat
• user accounting
• vsftpd
• xinetd

YASAT has been tested on:

• Gentoo
• Debian
• Ubuntu
• FreeBSD
• OpenBSD

YASAT is licensed under GPLv3.

You can download YASAT here:

yasat-207.tar.gz

Or read more here.

CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies.

This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application — module-by-module — and then analyzing all of the methods contained within each. It finally displays the issues its finds in a list that you can use to jump directly to the places in your application’s source code where those issues were found.

The following rules are currently support by this version of the tool

• Cross Site Scripting
• SQL Injection
• Process Command Injection
• File Canonicalization
• Exception Information
• LDAP Injection
• XPATH Injection
• Redirection to User Controlled Site

System Requirements

Supported Operating Systems: Windows Vista; Windows XP

OS: XP, Vista Software: .NET Framework 2.0, Visual Studio 2005 or 2008.

You can download CAT.NET here:

CATNETx32.msi

Or read more here.

RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.

I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like Snort.

http://opendpi.org/

Deep packet inspection (DPI) hardware can identify an astonishing array of protocols passing across the Internet—up to and including protocols that are rare even to us in the Orbiting HQ (Gadu-Gadu? Manolito? Feidian?). But if you’ve ever wondered just how this can be done, and done at wire speed, wonder no more: Europe’s leading DPI vendor has open-sourced a version of its traffic detection engine.

OpenDPI.org is the new home for ipoque’s open source project; anyone interested can take a look at the code or contribute patches. The goal in this case, though, isn’t so much about crowdsourcing product development but about easing consumer fears about DPI technology.

Klaus Mochalski, CEO of ipoque, explains that “transparency was important for us from the beginning. The lack of transparency from the vendors’ side is widespread in the DPI business. Our thoughts are a bit different and that is why we decided to push this project.”

It can identify a whole range of weird and wonderful protocols including those you’ve never heard of.

The free version is basically a watered down of the commercial product, it’s slow, doesn’t come bundled with some fancy supercomputer grade hardware and can’t handle encrypted transmissions.

I think it will be useful too for people building open source router systems to manage traffic, do traffic shaping and general QoS with much more accuracy (rather than relying on port classification).

The OpenDPI engine, released under the LGPL license, differs from ipoque’s commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn’t reveal ipoque’s methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions.

ipoque apparently wants to convince people that its detection code doesn’t store or examine the actual content being transmitted. The company made the same point in a white paper released last week. “DPI as such has no negative impact on online privacy,” it says. “It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content.

Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management—the classification of network protocols and applications.”

I hope they keep developing the project, or some other folks in the Open Source community step up and turn it into a full blown development fork.

That would be great, harness the existing technology and improve on it.

Because let’s face it, any commercial company releasing an Open Source branch of their software has no incentive to make it that great lest it get better than the stuff they are selling.

Source: Ars Technica

If you asked any techie back in 2002 which AV should you use, the answer would invariably be AVG free (or perhaps Panda).

After that AVG just got bloated, slow and their signature files became very weak missing a lot of nasty infections, I had to fix so many PCs running AVG that were infected up the ass with all kind of malware.

People starting recommending other like Avast!, Avira and BitDefender which also offer free use versions for home use.

AVG is putting an emphasis on increased speed with a revamp of its free and paid for security suites.

The latest revamp – AVG 9.0 – boasts 50 per cent faster speed and increased ease of use. Improvements in speed have been achieved by skipping the scan of files already marked as safe in future scans unless the file structure changes. The approach also offers claimed improvements of ten to 15 per cent for boot times and memory usage, respectively.

The firewall module in AVG 9.0 has also been redesigned to be less intrusive (ie fewer ‘Do you want to allow this application online’ questions) alongside tighter integration with the anti-malware scanner that forms the core of the product. This anti-malware scanner makes greater use of behaviour-based, cloud-based and white-listing technologies.

I haven’t tested AVG 9.0 yet as the free version isn’t being released until later this month, but if it stands up to their claims it could be a good product.

Speed and bloat is definitely something they need to work on along with a more accurate scanning engine and complete signature files.

Let’s hope it’s not all just hype.

AVG Free 9.0 will be available mid-October. Details of the features are being held back until then, but expect to see a cut-down product based on the same engine but without a firewall and other bells and whistles. Based on past form, AVG free will offer an anti-malware scanner alongside LinkScanner safe search technology.

AVG’s business model relies on selling into small business and getting a percentage of consumer users of its free product (perhaps around two per cent) to upgrade. The consumer end of this equation is severely threatened by Microsoft Security Essentials launch.

Recommendations from tech savvy friends were one of the main reasons consumers latched onto AVG in the first place. AVG lost a lot of goodwill in this area with the traffic-spewing fiasco that attached to version 8.0 of its security scanner.

Secondly, irrespective of the technical merits of its product, AVG is facing off against Redmond’s marketing muscle while at the same time hunting for a new chief executive.

Microsoft Security Essentials is definitely a huge entry barrier for them and they will need to push hard to gain back a decent market share. There are some extremely good AV products out there now and a lot more choice for consumers.

Plus of course the big fat behemoths are still out there bundling their software with OEMs (Symantec, McAfee etc).

We shall see if it stands up to the tests of real world use.

Source: The Register

Samhain has always been one of my favourites, before that of course I was using Tripwire like everyone else.

The Samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

It has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host.

Samhain is a multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

Features

• PCI DSS Compliance
• File integrity checks
• Host integrity monitoring
• Logfile monitoring/analysis
• Log facilities
• Integration with other systems / Active response

You can download Samhain here:

samhain-current.tar.gz

Or read more here.