Agnitio is a tool that helps developers and InfoSec professionals conduct security code reviews in a consistent and repeatable way. It aims to replace the ad hoc nature of manual security code review documentation with an audit trail and reporting.

Two main goals drive the development of Agnitio:

1. Help further adoption of Secure Code Development

2. Bring repeatability and integrity to security code reviews

Agnitio forces a reviewer to follow a checklist for each code review. It also forces the reviewer to think about the real risk associated with a finding, in the context of the application being reviewed, rather than blanket labeling findings “high”.


BackTrack4 R2

BT4 R2 is out. Two long-awaited features are Metasploit rebuilt with database (SQL) support out of the box, and a new kernel with a better 802.11 wireless stack.

VUPEN Security has discovered a critical vulnerability in Google Chrome. The vulnerability is caused by a memory corruption error when processing focus events, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page. Google Chrome versions prior to 6.0.472.53 are affected.

Sagan is an open-source real-time system- and event-log monitoring tool, but with a twist. Sagan uses a Snort-like rule set for detecting bad things happening on your network and/or computer systems. If Sagan detects a "bad thing" happening, that event can be stored in a Snort database (MySQL/PostgreSQL), and Sagan will attempt to correlate the event with your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan is, in effect, a SIEM (Security Information and Event Management) system for logs.

Benefits of Sagan:

Open Source: Being open source means you are free to adapt it to your environment and benefit from a large community of contributors.

Fast: Sagan is developed in C and is multi-threaded, so it can take advantage of multiple cores.

Snort Rulesets: Sagan uses Snort-like rule sets. If you are familiar with Sourcefire or Snort rules, you already understand Sagan rules. You can also use the same Snort rule-management utilities, such as "oinkmaster" and "pulledpork".

Multiple output formats: Sagan supports multiple output formats, such as a standard output file log format (similar to Snort), e-mailing of alerts (via libesmtp), Logzilla support and external based programs that you can develop using the language you prefer (Perl/Python/C/etc).

Active Development: Softwink, Inc. actively develops and maintains the Sagan source code and rule sets. Softwink, Inc. uses Sagan to monitor security related log events on a 24/7 basis.
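To make the "Snort-like rules over log lines" idea concrete, here is an added example (my own illustration, not Sagan's code; Sagan is written in C and its real grammar and engine are richer than this). It parses a Snort-style `alert syslog ... (msg; program; content; nocase; pcre; classtype; sid; rev;)` rule, parses BSD-syslog lines, and reports which rules fire. The rule lines, log lines, hostnames and SIDs below are constructed for the example; the `program` option and the `alert syslog` header are modelled on Sagan's published rule style but simplified.

```python
"""Simplified Snort-style log rule matcher (illustration, not Sagan's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed rules in a Snort-like syntax (simplified Sagan-style header).
SAMPLE_RULES = r'''
# SSH brute force / bad password, case-insensitive content match
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH authentication failure"; program:sshd; content:"AUTHENTICATION FAILURE"; nocase; classtype:unsuccessful-user; sid:5000001; rev:1;)
# Any sudo command executed as root, via a PCRE on the message body
alert syslog any any -> any any (msg:"sudo command run as root"; program:sudo; pcre:"/USER=root\s*;\s*COMMAND=/"; classtype:successful-admin; sid:5000002; rev:1;)
'''

# Constructed syslog lines (host, pids and addresses are made up).
SAMPLE_LOG = """
Sep 14 10:02:11 web01 sshd[2314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Sep 14 10:02:15 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Sep 14 10:02:40 web01 sshd[2320]: Accepted publickey for bob from 198.51.100.7 port 51022 ssh2
Sep 14 10:03:00 web01 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
"""

@dataclass
class Rule:
    msg: str
    sid: int
    classtype: str = "unknown"
    program: Optional[str] = None      # syslog program name the rule applies to
    content: Optional[str] = None      # literal substring required in the message
    nocase: bool = False               # make the content match case-insensitive
    pcre: Optional["re.Pattern[str]"] = None  # regex required to match the message

HEADER_RE = re.compile(r'^alert\s+syslog\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$')
# key[:value]; where a quoted value may itself contain ';' (needed for the pcre above)
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$')

def parse_rule(line: str) -> Rule:
    """Turn one rule line into a Rule; raises ValueError on malformed input."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syslog alert rule: {line!r}")
    opts: Dict[str, str] = {}
    modifiers = set()
    for key, raw in OPTION_RE.findall(m.group(1)):
        if raw == "":
            modifiers.add(key)             # bare modifier such as 'nocase'
        else:
            opts[key] = raw.strip().strip('"')
    pcre = None
    if "pcre" in opts:
        pm = re.fullmatch(r'/(.*)/([imsx]*)', opts["pcre"])
        if not pm:
            raise ValueError(f"bad pcre option: {opts['pcre']!r}")
        flags = re.IGNORECASE if "i" in pm.group(2) else 0
        pcre = re.compile(pm.group(1), flags)
    return Rule(msg=opts["msg"], sid=int(opts["sid"]), classtype=opts.get("classtype", "unknown"),
                program=opts.get("program"), content=opts.get("content"),
                nocase="nocase" in modifiers, pcre=pcre)

def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a BSD-syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def rule_matches(rule: Rule, ev: Dict[str, str]) -> bool:
    """All present options must hold for the rule to fire (AND semantics)."""
    if rule.program and ev["prog"] != rule.program:
        return False
    if rule.content is not None:
        hay, needle = ev["msg"], rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    if rule.pcre is not None and not rule.pcre.search(ev["msg"]):
        return False
    return True

def run(rules_text: str, log_text: str) -> List[dict]:
    """Evaluate every rule against every parseable log line; return the alerts."""
    rules = [parse_rule(l) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    alerts = []
    for line in log_text.splitlines():
        ev = parse_syslog(line) if line.strip() else None
        if ev is None:
            continue                       # unparseable lines are skipped, not alerted on
        for r in rules:
            if rule_matches(r, ev):
                alerts.append({"sid": r.sid, "msg": r.msg, "classtype": r.classtype,
                               "host": ev["host"], "program": ev["prog"], "line": line})
    return alerts

if __name__ == "__main__":
    for a in run(SAMPLE_RULES, SAMPLE_LOG):
        print(f"[{a['sid']}] {a['msg']} ({a['classtype']}) on {a['host']} via {a['program']}")
```

Running it fires the SSH rule on the first line and the sudo rule on the second; the accepted login and the cron entry produce nothing. The AND semantics across options is the important property: adding a `program` restriction to a broad `content` match is how you keep a log rule from firing on every daemon that happens to use the same phrase.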


CERT, in association with the US Secret Service, has researched insider-threat incidents across various sectors of industry. Banking is interesting because of the media coverage it receives. Some of the findings that I find interesting are below:

Banking sector

Most Incidents Required Little Technical Sophistication

This suggests it is important for organizations to secure their networks against the full range of users, from persons responsible for data entry, to management, to system administrators. It should raise awareness among the many institutions that do not really appreciate the risk that low-level employees with access to high-value, high-risk data can present.

How many companies have a process in place to follow the shredding company's agent to the truck and ensure that all confidential information is properly shredded?

Perpetrators Planned Their Actions

Both security personnel and those outside the typical security chain can make a difference and help stop an insider before an incident occurs or before further damage is done. Ongoing security awareness programs and education are important. They enable employees to be vigilant and encourage them to report odd behavior when they notice it.

Financial Gain Motivated Most Perpetrators

This is one reason credit checks matter just as much. Although it is a very sensitive personal area, companies and HR may want to offer programs that educate employees on financial management.

Incidents were Detected by Various Methods and People

Security awareness is important. Training managers and all staff on the business and security policies of the organization, as well as the repercussions for violating them, may enhance the organization's overall vigilance to insider activities. Again, this is not a one-time deal. These programs have to be provided at least annually, because it is human nature: people need to be reminded of the repercussions and the benefits of security awareness.



Click here to go to the CERT site and find the documents yourself.

IE 8 cookies

RSnake posted this interesting blog post on IE8 cookie behavior.

The fact that IE8 doesn’t delete cookies upon telling it to (at least in my testing) until browser shut-down isn’t just bad for usability (and ho boy is it annoying when you’re testing) but it has other interesting privacy implications. Generally I tell people not to set the same cookie more than once. That makes it harder to use old XMLHTTPRequest bugs to download the cookie (which may otherwise be protected using HTTPOnly). But what if the cookie weren’t sensitive, but rather used for tracking?

If a site sets a unique cookie and the user clears cookies in IE8, that doesn’t mean that IE8 doesn’t keep sending the cookie (it’s retained in memory) – which means the site still gets it. If the site is trying to track the user they can simply keep setting the exact same HTTP cookie with an “expires” in the future to make it persist after the browser closes and voila! Even though the user thinks they cleaned their cookies, not for a moment was the cookie removed in IE8. Could be useful for banner advertisers or companies that need to do large scale tracking of users.
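To make the tracking trick concrete, here is an added example of my own (not RSnake's code and not tied to any real site). The server side is a real handler: whatever tracking cookie the client presents is re-issued with the same value and a fresh far-future `Expires`. The browser side is a deliberately small model of the behaviour the post describes, where "delete cookies" removes the on-disk copy but the in-memory copy keeps being sent until shutdown; the cookie name `trk`, the one-year lifetime and the three-request sequence are assumptions for the example.

```python
"""Re-setting a tracking cookie so it survives a 'clear cookies' (added example)."""
import secrets
import time
from email.utils import formatdate
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

TRACK_COOKIE = "trk"            # hypothetical tracking cookie name
ONE_YEAR = 365 * 24 * 3600      # assumed lifetime for the re-issued cookie

def handle_request(cookie_header: Optional[str], now: Optional[float] = None,
                   new_id: Optional[str] = None) -> Tuple[str, str]:
    """Return (tracking_id, Set-Cookie header value) for one request.

    If the client sent our tracking cookie, re-issue exactly the same value
    with a new far-future Expires; otherwise mint a fresh random id.
    """
    now = time.time() if now is None else now
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    morsel = jar.get(TRACK_COOKIE)
    tid = morsel.value if morsel else (new_id or secrets.token_urlsafe(16))
    out = SimpleCookie()
    out[TRACK_COOKIE] = tid
    out[TRACK_COOKIE]["expires"] = formatdate(now + ONE_YEAR, usegmt=True)
    out[TRACK_COOKIE]["path"] = "/"
    out[TRACK_COOKIE]["httponly"] = True     # keeps script from reading it; irrelevant to tracking
    return tid, out.output(header="").strip()

def simulate_session(retain_in_memory_after_clear: bool) -> List[str]:
    """Model three visits with a 'clear cookies' between the first two.

    retain_in_memory_after_clear=True models the IE8 behaviour in the post:
    the disk copy is deleted but the in-memory copy is still sent, so the
    server re-sets it and it is persisted again. False models a browser that
    drops both copies. Returns the id the server saw on each visit.
    """
    memory = {}      # cookies the browser sends right now
    disk = {}        # cookies persisted with a future Expires
    seen: List[str] = []

    def visit(now: float) -> None:
        header = "; ".join(f"{k}={v}" for k, v in memory.items()) or None
        tid, _set_cookie = handle_request(header, now=now)
        seen.append(tid)
        memory[TRACK_COOKIE] = tid      # browser accepts the Set-Cookie
        disk[TRACK_COOKIE] = tid        # ...and persists it (Expires is in the future)

    visit(0)
    disk.clear()                        # user clicks "delete cookies"
    if not retain_in_memory_after_clear:
        memory.clear()                  # a correct browser stops sending it too
    visit(1)                            # same site, same session
    memory.clear()                      # browser shutdown discards memory...
    memory.update(disk)                 # ...and the next start reloads from disk
    visit(2)
    return seen

if __name__ == "__main__":
    print("retained in memory:", simulate_session(True))
    print("cleared properly:  ", simulate_session(False))
```

With the in-memory copy retained, the server sees the same id on all three visits, so the "cleared" cookie was never gone; with both copies dropped, the second visit gets a new id and only that one survives the restart. The server code needs nothing clever, which is the point of the post: persistence comes from the client not honouring the deletion.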

China's efforts to step up security in its critical infrastructure could spell trouble for US companies. China has begun to revive its three-year-old compliance policy, the Multi Level Protection Scheme (MLPS), and is now insisting that all Chinese government agencies and establishments use security products from local Chinese security companies. In essence, all core infrastructure must come from local Chinese companies only. Though the policy has been in place for over three years, it is only now being enforced. This could be retaliation for US decisions blocking Chinese takeover bids on security grounds.

This could affect big US players such as Cisco and Juniper. Compliance concerns may also push security vendors such as Symantec and McAfee out of the Chinese market. The only remaining route into that market for these US companies is to partner with a Chinese company and hold a minority stake.

China, on the other hand, believes these policies will spur homegrown technology innovation in local markets and thereby reduce its reliance on foreign IT.