Slashdot Mirror


Missing Open Source Security Tools?

Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"


  1. So.... by Dasein · · Score: 2, Insightful

    Are we searching around for a project to start? The best stuff comes when you're scratching your own itch.

    --
    You are not a beautiful or unique snowflake -- but you could be if you got off your ass.
  2. Re:Oh great by Anonymous Coward · · Score: 2, Insightful

    Ya, but when I actually use beg the question properly people won't know wtf I'm talking about and think I'm an idiot when in fact they are the idiots!

    But I let it go cause I hate those stupid losers still whining about how hacker used to mean a guy who played with model trains at MIT or something...

  3. Give me reporting tools! by Bubblehead · · Score: 5, Insightful

    I am constantly trying to improve the security of my home network, and the available tools are pretty powerful. My biggest problem has been to find powerful reporting tools. I use iptables as a firewall, tripwire for intrusion detection, etc. But it's not always easy to see what's going on in the system. Tripwire produces decent reports; but there is no easy way (afaik) to get a list of intrusion attempts, network traffic, port scans, etc. Sure, the information is in the logs - but the log information is hard to parse and often not as complete as it should be.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
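The kind of report the comment above asks for can be produced from the stock iptables LOG lines with a small parser. The following is an added example written for this page, not code from any poster or project; the log lines are constructed in the default kernel LOG format, and the "five or more distinct destination ports from one source" port-scan threshold is an assumption, not a standard.

```python
import re
from collections import Counter, defaultdict

# Default iptables LOG line. MAC= and the TCP flag tokens vary by rule, so
# everything after the SRC/DST/PROTO fields is treated as optional.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return a dict for one iptables LOG line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["syn"] = " SYN " in line          # bare SYN token: a connection attempt
    return rec

def summarize(lines, scan_threshold=5):
    """Aggregate parsed records into per-protocol, per-source and port-scan views."""
    records = [r for r in map(parse_line, lines) if r]
    hits_by_src = Counter(r["src"] for r in records)
    by_proto = Counter(r["proto"] for r in records)
    ports_by_src = defaultdict(set)
    for r in records:
        if r["dpt"] is not None and r["syn"]:
            ports_by_src[r["src"]].add(r["dpt"])
    # One source probing many distinct ports is the simplest scan heuristic;
    # the threshold is an assumption for this example.
    port_scans = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= scan_threshold}
    return {
        "parsed": len(records),
        "by_proto": dict(by_proto),
        "top_sources": hits_by_src.most_common(3),
        "port_scans": port_scans,
    }

def render(summary):
    """Plain-text report."""
    out = [f"parsed lines: {summary['parsed']}",
           "protocols: " + ", ".join(f"{p}={n}" for p, n in sorted(summary["by_proto"].items()))]
    out += [f"top source {src}: {n} hits" for src, n in summary["top_sources"]]
    out += [f"port scan from {src}: ports {ports}" for src, ports in summary["port_scans"].items()]
    return "\n".join(out)

# Constructed sample log (not real traffic): one host sweeping six ports,
# one host hammering ssh, a stray ping, and one non-firewall line.
def _tcp(src, dpt, spt=40000):
    return (f"Mar  3 10:01:02 gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=40 "
            f"TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")

SAMPLE_LOG = (
    [_tcp("203.0.113.5", p) for p in (22, 23, 25, 80, 443, 8080)]
    + [_tcp("198.51.100.7", 22, spt) for spt in (51000, 51001, 51002)]
    + ["Mar  3 10:02:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=84 "
       "TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1",
       "Mar  3 10:02:01 gw sshd[123]: Accepted publickey for admin from 192.0.2.77"]
)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

The regex only keys on fields the LOG target always emits, so rules with `--log-tcp-options` or without `--log-prefix` parse the same way; anything that is not a LOG line is dropped rather than misread.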
  4. This Question should be reversed. by Pros_n_Cons · · Score: 3, Insightful

    A ton of tools are available for *nix boxes; take a look at the live CD security distros. Tons of Perl scripts or .c files. Infosec geeks don't need fancy GUIs, we need little scripts that can be piped or molded for different needs. Look at all the tools that have been ported to win32 from Linux/BSD like hping, nmap, nessus, ethereal, netcat, nemesis, datapipe, fport, lcrzoex, snort, etc. It's the closed source guys who need to get cracking. Look at Foundstone: all they do is port stuff because the win32 crap sucks. OSS tools are the ones leading the pack on this front. That being said, perhaps Snort could be a bit easier/less prone to false positives; I couldn't grasp it completely until getting a book on it.

    --
    "of course that's just my opinion, I could be wrong." --Dennis Miller
  5. WPA support by FU_Fish · · Score: 3, Insightful

    To my knowledge there is no, or perhaps very limited, support for the WPA standard. Granted, this isn't a tool, but it's security related.

  6. Gentoo Hardened -- need I say more? by Hackeron · · Score: 2, Insightful

    http://www.gentoo.org/proj/en/hardened/

  7. Re:Oh shut up by Anonymous Coward · · Score: 2, Insightful

    Who cares if it's common? Common people are stupid, cow-like beasts who couldn't entertain an original thought if their lives depended on it.

    Enforcing proper usage keeps the language from degrading to a form where it can no longer express complex ideas, as common people are incapable of formulating such ideas.

  8. Re:Open source virus scanners by ajs · · Score: 5, Insightful

    Virus scanners are for people who want to leave security holes open and then get information about the damage.

    No, they're for the people who don't trust that every security hole is known of first by the white-hats.

    Is your system secure? Are you sure? What about 5 minutes before you applied that last ssh update? Wouldn't a virus / trojan / root kit scanner give you one more level of assurance?

  9. Re:Security by ron_ivi · · Score: 3, Insightful
    Sure...

    facial-recognition & biometric stuff to identify suspects in your building

    background-check software for individuals.

    burglar alarm systems, for homes and businesses (requires some hardware)

    timed-safe software (requires some hardware)

    xray & metal-detectors & chemical-sniffers for airports (requires lotsa hardware)

    Oh, you mean computer stuff. C'mon guys, just quit using outlook to browse prOn from computers inside your firewall; and close off ports you don't need.

  10. Re:SIMS by kfg · · Score: 2, Insightful

    Something that lets us integrate, collect, and correlate what the other great tools . . . find.

    Pipes and regular expressions?

    KFG

  11. The user-friendly/visually appealing interface by DeepDarkSky · · Score: 4, Insightful

    Most open source projects focus on utility, not on appearance. The most powerful tools are often the simplest ones (in appearance). However, the ability to visualize and/or put a user-friendly interface on top is usually a good next step. Some may call this approach the "Microsoft dumbing down" approach, since it is Microsoft who usually puts a deceptively simple user interface in front of a much more complex and powerful tool.

    However, that doesn't mean these tools couldn't benefit from good visual front ends (and I'm sure people will point out there are plenty). Humans' ability to make sense of well designed visual information (a la Edward Tufte) cannot be understated.

    I also seem to recall reading a slashdot story a long while back about Infineon (I think) that had a hardware sniffer that is able to reconstruct TCP/IP traffic/session/connections that are captured, and it recognized hundreds of protocols/applications.

    Bring all of that together: open source software being able to visually display security information in a meaningful way, using some kind of open standard like, say, OpenGL. Adding more to the existing foundation tools that we already have, that's where some contribution can be useful.

    But that's just what I think, by no means do I think it's the best answer.

    1. Re:The user-friendly/visually appealing interface by cbreaker · · Score: 3, Insightful

      I think the "GUI is for dummies" mentality is slowly fading away. Anyone with half a brain can see the power in being able to visualize complex systems. At-a-glance monitoring is a wonderful thing.

      The thing I like about Unix stuff is that when there is a good GUI interface for something, that usually doesn't mean you're locked out of the nitty gritty back-end as with some.. other GUI systems. I think a good GUI can complement a system quite well and I enjoy using them when they are well constructed.

      --
      - It's not the Macs I hate. It's Digg users. -
  12. Re:Just so no one else has to say it... by Anonymous Coward · · Score: 1, Insightful

    I guess you don't know the proper use of begs the question either, nor do the mods.

    The question it begs is are open source security tools really great?

  13. A short list by Theatetus · · Score: 2, Insightful
    1. Antivirus software (openav is getting there, but isn't there yet)
    2. Antimalware software
    3. Antivirus software
    4. Activity auditing software for multiple LDAP/auth schemes
    5. A firewall for windows
    6. Antivirus software

    #5 is a Windows-only deficiency, but the rest aren't. I mentioned Antivirus software 3 times because I think it's at least 3 times as important as the others. As more and more (read: dumber and dumber) people migrate to non-Windows platforms, viruses and malware are going to start to be more of a problem for those of us on Better Platforms.

    --
    All's true that is mistrusted
  14. What tools are missing? by Anonymous Coward · · Score: 1, Insightful

    We need security/monitoring tools which our Mom's can operate and understand.

  15. Re:Open source virus scanners by Theatetus · · Score: 2, Insightful

    As much as I admire the clam folks, it's just not there yet.

    AV is something that could really benefit from an open, distributed development model if we could find the right precautions to take. If users could report and characterise malicious attacks as they happen, I think we could start to offer an alternative to the big AV company's virus dictionaries (sort of like wikipedia compared to britannica).

    Obviously this would not be an easy thing to set up well (consider the. We would need some sort of "karma" like system that would reward reporting users for correctly identifying malicious software and punish them for incorrectly identifying it.

    The other thing it would require is a client that could profile and find signatures for the malicious processes/files, and some trust mechanism for these signatures to be put into a central database. Again, this would lead to some interesting security dilemmas but I don't think it's anything insurmountable.

    --
    All's true that is mistrusted
  16. Re:Sniffer Pro by X.25 · · Score: 3, Insightful

    I've yet to find an open source tool that can show a "matrix" graph of source and destination talkers by MAC/IP/IPX name in realtime as found in Sniffer.

    Do you want a network monitoring system, or a sniffer?

    Even if I needed such a feature, I'd never expect it to be in Ethereal (and I use tcpdump/Ethereal daily, but not for graphs).

    If I needed (offline) graphs, I'd use netflow probes and collector. If I needed realtime stats, I'd use iptraf (well, I do use both of those anyway).

    However, I never needed to have a realtime graph within a sniffer, and even if I were an Ethereal developer, I'd tell you something nasty if you requested such a feature, considering how many more things come before 'graph' in a sniffer.

    Missing opensource security stuff - realtime graphs?

    Sad...
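The "matrix" view the parent asks for is a pair-keyed aggregation over a sliding time window, which is a few lines once frames are decoded. The following is an added example written for this page, not code from Sniffer, Ethereal or any poster; the frames are constructed, and the 60-second window and byte-ordered ranking are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    ts: float                 # capture time in seconds
    src_mac: str
    dst_mac: str
    src_ip: Optional[str]     # None for non-IP frames such as ARP
    dst_ip: Optional[str]
    length: int               # bytes on the wire

def talker_matrix(frames, key="ip", window=60.0, now=None, undirected=False):
    """Return {(a, b): (packets, bytes)} for frames inside the last `window` seconds.

    key="ip" or "mac" picks the layer; undirected=True folds both directions of
    a conversation into one cell, which is the matrix view a sniffer GUI draws.
    """
    if now is None:
        now = max(f.ts for f in frames)
    cells = defaultdict(lambda: [0, 0])
    for f in frames:
        if f.ts < now - window:
            continue                         # slide the window: drop old frames
        if key == "ip":
            if f.src_ip is None:
                continue                     # ARP etc. have no IP endpoints
            pair = (f.src_ip, f.dst_ip)
        elif key == "mac":
            pair = (f.src_mac, f.dst_mac)
        else:
            raise ValueError(key)
        if undirected:
            pair = tuple(sorted(pair))
        cells[pair][0] += 1
        cells[pair][1] += f.length
    return {k: tuple(v) for k, v in cells.items()}

def top_talkers(matrix, n=3):
    """Pairs ordered by bytes, the usual 'who talks to whom' ranking."""
    return sorted(matrix.items(), key=lambda kv: kv[1][1], reverse=True)[:n]

def render(matrix):
    return "\n".join(f"{a:>18} -> {b:<18} {pk:5d} pkts {by:8d} bytes"
                     for (a, b), (pk, by) in top_talkers(matrix, len(matrix)))

# Constructed capture (not real traffic): three hosts plus one ARP frame.
A, B, C = "00:11:22:00:00:01", "00:11:22:00:00:02", "00:11:22:00:00:03"
FRAMES = [
    Frame(10.0, A, B, "10.0.0.1", "10.0.0.2", 100),    # older than the window
    Frame(50.0, A, B, "10.0.0.1", "10.0.0.2", 1500),
    Frame(55.0, B, A, "10.0.0.2", "10.0.0.1", 60),
    Frame(70.0, A, C, "10.0.0.1", "10.0.0.3", 500),
    Frame(90.0, A, B, None, None, 42),                  # ARP: MAC layer only
    Frame(99.0, C, B, "10.0.0.3", "10.0.0.2", 800),
]

if __name__ == "__main__":
    print(render(talker_matrix(FRAMES, key="ip", now=100.0)))
```

Feeding it a live pcap reader instead of the constructed list and redrawing on a timer is all that separates this from the realtime view; the aggregation itself does not change.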

  17. Re:Oh great by Anonymous Coward · · Score: 4, Insightful

    I bet a lot of people would have enjoyed using that excuse in English class. Can you imagine an editor at the NY Times letting this slip by? In a comment by somebody who doesn't know better, sure, let it go.

    Languages evolve, but that fact is too often used as a cop-out for being too lazy to learn correct use of a language. As it is now, "begs the question" is used incorrectly on the front page of Slashdot, a large news site. The editors should know better and hopefully after being scolded, they learn. Unlike people who scoff at corrections because "English changes."

  18. EnCase and Eyelook by Anonymous Coward · · Score: 1, Insightful

    Forensics is still shrouded in mysticism and secret handshakes in both the open and closed source worlds. EnCase is fantastic, but the cost is prohibitive; the other commercial products cater to law enforcement, effectively killing the divorce investigators and legal business use. The ones who will sell to anyone are not worth their exorbitant prices.

    Autopsy/Penguin Sleuth Kit is great, but it has a long way to go to match the ease of use and reporting capabilities of EnCase.

    The OS Forensic packages are labors of love to fix shortcomings or customize the tools for specific tasks. We need an OS Forensics Army Knife.

    I want to be able to know what the recently fired employee was doing so I can make a case to the Legal Dept. There are many reasons to terminate an employee that do not "rise to the level" of prosecution, but certainly can result in Civil proceedings. I don't want to have to have a Windows box laying around for the eventuality of digging into ex-employee misdeeds.

    I can also think of instances when "trusted" people jump ship unexpectedly, like when a senior developer resigns to take a position at a competitor. Wouldn't you like to be able to dig deep into the unallocated clusters of his HD?
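"Digging into unallocated clusters" in practice means carving: scanning the raw image for file headers and footers without trusting the filesystem's allocation metadata, which is exactly what a deleted file no longer has. The following is an added example written for this page, not code from EnCase, Autopsy or The Sleuth Kit; the disk image is constructed in memory, the 512-byte sector size and 16 MiB cap are assumptions, and the magic values are the standard ones for JPEG, PNG and PDF.

```python
import hashlib

# Header/footer pairs (standard magic values). Footer search is bounded so a
# header with no footer is reported as truncated rather than swallowing the image.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}

def carve(image, sector=512, max_size=16 * 1024 * 1024):
    """Scan a raw image for file headers, ignoring filesystem metadata entirely.

    Returns hits ordered by offset. end=None means a header was found but no
    footer within max_size: a truncated, overwritten or fragmented file.
    Carved data is hashed so a recovered object can be identified later.
    """
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (i := image.find(head, pos)) >= 0:
            j = image.find(tail, i + len(head), i + max_size)
            end = j + len(tail) if j >= 0 else None
            data = image[i:end] if end else None
            hits.append({
                "type": kind,
                "offset": i,
                "sector": i // sector,
                "end": end,
                "sha256": hashlib.sha256(data).hexdigest() if data else None,
            })
            pos = i + len(head)
    return sorted(hits, key=lambda h: h["offset"])

def build_sample_image():
    """Constructed 16 KiB 'disk': a tiny JPEG-shaped blob in sector 2, and a PDF
    whose trailer was overwritten, as a partially reused cluster would look."""
    img = bytearray(16 * 1024)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(64)) + b"\xff\xd9"
    img[1024:1024 + len(jpeg)] = jpeg
    pdf_head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    img[4096:4096 + len(pdf_head)] = pdf_head
    return bytes(img)

if __name__ == "__main__":
    for h in carve(build_sample_image()):
        print(h["type"], "at offset", h["offset"], "sector", h["sector"],
              "end", h["end"], "sha256", h["sha256"])
```

Header/footer carving is deliberately naive: it will produce false hits when a footer byte sequence occurs inside unrelated data, and it cannot reassemble a file whose clusters are not contiguous. Treat its output as leads to verify, and hash everything you recover before it goes anywhere near Legal.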

  19. Fluke Network Analysis by Linegod · · Score: 2, Insightful

    I was blown away by the Fluke Network Analysis Tools.
    Given enough time, everything could be replicated with FLOSS, but nobody has. Somebody should....

    --
    -- I care not for your foolish signatures.
  20. Re:A needed tool by keefus_a · · Score: 3, Insightful

    I second that motion.

    Granted, Niksun's NetVCR is basically a glorified tcpdump with a pretty interface, but it's also a functional interface. Sure you can preach "use the command line" all you want but you'd be underestimating the value of being able to present simplified data to the rest of the IT department that usually rings your phone, or visits your cubicle, or sends you an email every time some site can't do their work because their circuit is too slow.

    Sure, give me an open source tool that I can put on an OC3, with a simple interface, that offers easy-to-interpret data for the non-network crew, but also has the ability to dump all the traffic for {some IP} at midnight a week ago....and I'll be a happy man!

  21. Re:Self Defending Networks? by 110010001000 · · Score: 2, Insightful

    Well DARPA is Defense ADVANCED RESEARCH Projects Agency, which means that they work on advanced research (or fantasy land as you call it). I'm not sure you know what DARPA has cooking in their labs, but it is light years beyond a simple Knoppix CD.

  22. Re:user by Anonymous Coward · · Score: 1, Insightful

    It's a little more complicated than that - keep in mind that you can unlink() files you don't own, so long as they're immediately inside of a directory you have write access to.
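The rule the comment above states is worth making precise, because people keep protecting a file with its own mode bits when the decisive permissions are on the directory. The following is an added example written for this page, not code from any poster: `can_unlink` models the POSIX check (write and search permission on the directory; with the sticky bit set, additionally ownership of the file or the directory; root bypasses all of it), and the two `demo_` functions exercise the real kernel behaviour in a temporary directory.

```python
import os
import stat
import tempfile

def can_unlink(uid, gids, dir_mode, dir_uid, dir_gid, file_uid):
    """POSIX rule: unlink needs write+search on the *directory*. The file's own
    mode and owner are irrelevant unless the directory carries the sticky bit."""
    if uid == 0:
        return True                            # DAC does not apply to root
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if dir_mode & need != need:
        return False
    if dir_mode & stat.S_ISVTX:                # sticky (e.g. /tmp): own file or dir
        return uid in (file_uid, dir_uid)
    return True

def demo_readonly_file_in_writable_dir():
    """Live check: a 0444 file you own in a directory you can write to is deletable.
    Returns None on non-POSIX systems where the rule does not apply."""
    if os.name != "posix":
        return None
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "victim")
        with open(p, "w") as f:
            f.write("data")
        os.chmod(p, 0o444)
        os.unlink(p)                           # succeeds despite the read-only mode
        return not os.path.exists(p)

def demo_unwritable_dir_blocks_unlink():
    """Live check: removing write from the directory blocks unlink for non-root.
    Returns None as root or on non-POSIX systems, where the result is not meaningful."""
    if os.name != "posix" or os.geteuid() == 0:
        return None
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "victim")
        open(p, "w").close()
        os.chmod(d, 0o555)
        try:
            os.unlink(p)
            blocked = False
        except PermissionError:
            blocked = True
        finally:
            os.chmod(d, 0o755)                 # let TemporaryDirectory clean up
        return blocked

if __name__ == "__main__":
    print("other user's file in sticky /tmp:", can_unlink(1000, {1000}, 0o1777, 0, 0, 1001))
    print("other user's file in 0777 dir:  ", can_unlink(1000, {1000}, 0o777, 0, 0, 1001))
    print("read-only own file deletable:    ", demo_readonly_file_in_writable_dir())
    print("unwritable dir blocks unlink:    ", demo_unwritable_dir_blocks_unlink())
```

The practical consequence is the one the comment hints at: a world-writable directory without the sticky bit lets any local user delete (and then recreate) any file in it, which is why shared spool and temp directories get mode 1777 and why anything security-relevant should not live in a directory other users can write to.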

  23. Re:SIMS by kfg · · Score: 5, Insightful

    Obviously you don't do security for a large network.

    No, no. That's not how it goes. If you take that approach people are likely to take it as a personal attack rather than a reasoned argument. To avoid such confusion it's best to proceed like this:

    I ask, "Pipes and regular expressions?" (you dropped my question mark and replaced it with a period)

    Then you say, "No, that won't do it, because. . ." (and then you insert your argument here)

    Otherwise people might think you're just being a jerk.

    Now, I don't necessarily mind if people here and there think I'm being an intellectual jerk, or even an ignorant jerk (because, Lord knows, now and again I am an ignorant jerk), but I might feel bad if someone considered me just a jerk. So I can empathize with you being in a position where someone might think that of you.

    Sure, that's like saying a magnifying glass can be used to find your lost class ring in the playground. Sure it will work, but extreme under-kill and a waste of time.

    Wouldn't it be great if you could use pipes and regular expressions to find lost things? That would be sooooooooooo sweet, because (this is where I insert my argument) they're like a perfect multi-lens device of infinitely variable focal length and aperture, hooked up to a spectrograph, a mass spectrograph, a lathe, a mill, a tap and die set, a forge, a. . .

    So there you are, in a playground in Central Park, NYC, and you suddenly realize your class ring is missing. You aren't sure where you lost it either. Let's say you know it had to be someplace on Manhattan. You zoom the lens out to encompass Manhattan, set the aperture appropriately, and turn on the spectrograph.

    Then ask it to show you all the rings. And it does!

    "Oh, shit," you say to yourself. "Look, only show me the rings with a garnet in them."

    No, that didn't do it, there's still a pile of them too big to go through. Ok, how about all the gold rings with a garnet? Gold rings with a garnet from the High School of the Performing Arts? Damn, that many? Ok, how about one of those, but with that little scratch on the side with '58 Porsche grease in it?

    Bingo! There it is in a cab up in East Harlem.

    See? Not like a magnifying glass at all, but an entire suite of logical tools and set theory manipulators that can be combined in any way that suits your fancy to return any logical result you want.

    I was once having dinner with some friends and one of them, who happens to be a network tech, asked one who happens to be a professor of Chemistry, "Why has Organic Chemistry effectively become a required course for a medical degree? Does a doctor really need to know Organic Chemistry? What would they possibly actually use it for?"

    The Chemistry professor responded, "Well, a biochemist would obviously need and use Organic Chemistry, but if you just mean a practicing medical doctor, no, they don't need it and will never use it."

    "Well," asked the net tech, " why do you make them learn it then?"

    "We don't make them learn it to learn Organic Chem," replied the professor. "We make them learn it to learn deductive reasoning in a domain of applied set theory. It's to teach them diagnosis."

    And network security is a diagnostic field requiring deductive reasoning in a domain of applied set theory.

    Maybe we should make CS majors take Organic Chemistry.

    Or maybe we should just make them take math with a certain focus on logic and set theory and apply same against the computer (a mathematical logic machine) network. Then maybe they could use general purpose logical tools to construct their own specific case tools, instead of being restricted to the domain of premade tools that often don't even fit their network situation (since every large network is unique in its structure and logic, and thus no outsider can know the sets, or the possible set of logical propositions).

    KFG
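The "integrate, collect, and correlate" request in comment 10 and the successive-narrowing argument above are the same operation: filters that project each tool's output onto a set, then intersect, subtract and time-order those sets until one answer is left. The following is an added example written for this page, not code from any poster or tool; the events are constructed to look like what iptables, snort, sshd and tripwire would report after normalisation, and the ten-minute "scan then exploit" window is an assumption.

```python
from datetime import datetime

def select(events, **criteria):
    """Events whose fields all equal the given values (the regex-style filter)."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def hosts(events, field="host", **criteria):
    """Project a filtered event list onto one field, yielding a set to combine."""
    return {e[field] for e in select(events, **criteria)}

def followed_within(events, first, second, seconds, key="host"):
    """Pairs (a, b): b matches `second` and happened within `seconds` after an
    `a` matching `first` with the same `key` value. Order matters, sets don't."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    return [(a, b)
            for a in select(events, **first)
            for b in select(events, **second)
            if a[key] == b[key] and 0 <= (ts(b) - ts(a)).total_seconds() <= seconds]

def narrow(events):
    """Successive narrowing, the way the ring search above proceeds."""
    scanners = hosts(events, tool="iptables", kind="portscan")
    exploiters = hosts(events, tool="snort", kind="exploit")
    # "all the rings" -> "gold rings with a garnet": scan followed by an exploit
    # attempt from the same source within ten minutes (assumed window).
    escalated = {a["host"] for a, _ in followed_within(
        events, {"tool": "iptables", "kind": "portscan"},
        {"tool": "snort", "kind": "exploit"}, 600)}
    # "...with the scratch": that source then logged in somewhere whose
    # binaries tripwire saw change.
    logins = select(events, tool="sshd", kind="login")
    touched = hosts(events, tool="tripwire", kind="modified")
    compromised = {e["target"] for e in logins if e["host"] in escalated} & touched
    return {"scanners": scanners, "exploiters": exploiters,
            "escalated": escalated, "compromised": compromised}

# Constructed, normalised events (not real logs). For sshd, "host" is the
# client address and "target" the machine logged into.
EVENTS = [
    {"tool": "iptables", "kind": "portscan", "host": "203.0.113.5", "ts": "2004-03-03T10:01:02"},
    {"tool": "iptables", "kind": "portscan", "host": "198.51.100.7", "ts": "2004-03-03T10:05:00"},
    {"tool": "snort", "kind": "exploit", "host": "203.0.113.5", "ts": "2004-03-03T10:01:40"},
    {"tool": "snort", "kind": "exploit", "host": "192.0.2.99", "ts": "2004-03-03T11:00:00"},
    {"tool": "sshd", "kind": "login", "host": "203.0.113.5", "target": "web01", "ts": "2004-03-03T10:02:10"},
    {"tool": "sshd", "kind": "login", "host": "192.0.2.50", "target": "db01", "ts": "2004-03-03T10:02:30"},
    {"tool": "tripwire", "kind": "modified", "host": "web01", "path": "/usr/sbin/sshd", "ts": "2004-03-03T10:03:00"},
    {"tool": "tripwire", "kind": "modified", "host": "db01", "path": "/etc/motd", "ts": "2004-03-03T10:04:00"},
]

if __name__ == "__main__":
    for name, value in narrow(EVENTS).items():
        print(f"{name:>11}: {sorted(value)}")
```

Note what falls out at each step: db01 also had a file change, but its login came from a source that never scanned or exploited anything, so plain intersection of "changed" with "logged into" would have flagged it while the ordered chain does not. The parsing each tool needs is the boring part; the correlation is set algebra plus a time comparison.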

  24. Re:Security by geordie_loz · · Score: 2, Insightful
    there are no libraries, no frameworks, nothing...... I ended up writing my own...
    Maybe if you release your stuff under the GPL then there would be.