Slashdot Mirror
Missing Open Source Security Tools?
Kinetic writes "There are many great open source security tools out there, Nmap, Nessus, and DSniff, just to name a few. However, with the world of security constantly changing, this begs the question, what open source security tools are missing? What commercial security tools have no viable open source alternatives? When securing/testing/exploring networks (home or enterprise), what security tools/applications/functionality are lacking (or non-existent) in the open source world?"
Also important, if you don't think anything is missing, or even if you do, what software do you use for security purposes? Anything obscure but useful or unusual uses of common software?
-Tim Louden
...what security tools/applications/functionality are lacking (or non-existent) in the open source world?
How about an open source Security Information Management System (SIMS) Description, Article .
Something that lets us intergrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find.
These tools could "leverage" existing security tools which exist in the open source world (stuff like tripwire for example) to get cross-platform support.
You don't have to just look at security, either; A multiplatform enterprise management suite with plug-in modules for filesystem, printing, security, scheduling, and good old monitoring would be a great thing to do for free. Software that does all that costs millions of dollars, single installs for sufficiently large sites can run upwards of US$10M.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Ever since the FWTK offered a semi free toolset, the community failed to develop real free simple, stable and secure application level proxies.
There are some more now, but most have discovered bugs due to missing deffensive programming.
That was one of the reasons I started freefire.org, even when the mailing list currently is not used.
--
www.eckes.org
Yes I know there are no viruses today. That's what wargaming is for. Be prepared. It's the only way.
I use it every day all day long and could not do my job wihtout it. But I would really love a GUI better than ethereal for it. Something that implempents the more advanced features of Sniffer Pro or whatever they are calling it this week. Better searches, better ability to highlight and get data. Also the enahancement I would really like to see in tcpdump (and thus all the frontends for it) would be the ability to filter on x.x.x.x x.x.x.x in other words to be able to see traffic from or too a specific IP and another IP. This comes up in testing for me all the time. For example I want to see if a given packet is making it from my PC to a device somewhere. If that device happens to be chatty it would be nice to be able to filter it down to between it and my PC. Since I'm normally admining at least one of the devices between me and it from the same PC all the workarounds feel clunky. So not so much a new app but ways in which a good app can be improved. For example when the put the -packet_trace function in nmap it became much more useful for me than it had been and it was already da bomb.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Does thee get tempted with EtherPEG or Driftnet?
Banu
http://www3.ca.com/Solutions/Product.asp?ID=4856
Here's one I just thought of. Maybe it's been made, and maybe 16,000 people will point out why it isn't necessary or that it's built into find or emacs or something. Here goes anyway:
/
Write an app that takes a username as input and shows me all the files/directories that user can read or edit or execute. If I run it as root, it shows me All files. If run as me under my account, all of my files that that user could play with. For example:
shell% sudo fileSecurityCheck -www
will show me all files that are deleted when my webserver gets hacked.
http://www.wou.edu/~spowell/pictures/jedit.png
btw, there may be full of buffer overflow those sprintfs...
Get Knopix STD (always a copy in my backpack) A live linux distro aimed at security with up to date packages for the following areas (From the Knopix STD site) http://www.knoppix-std.org/ * authentication * encryption * forensics * firewall * honeypot * ids * network utilities * password tools * servers * packet sniffers * tcp tools * tunnels * vulnerability assessment * wireless tools Turn it into a firewall, a web server, an IDS box, a honeypot. Use it to do data recovery on an dead or locked computer, perform a vulnerability assessment, a penetration test, perform an autopsy on a compromised machine, test your incident response team. Listen to your MP3 collection and play gnugo while waiting for that nessus scan to complete.
come comment on the madness at http://slashdot.org/~phreak03/journal/
A tool for managing the various aspects of encryption on a system would be useful:
1- Setup and administration of VPNs (PPTP, IPSEC)
2- Administration of secure remote access (SSH)
3- Partition encryption
4- File encryption
5- Email encryption
YES there are bits and pieces, some distributions have more than others, but no control point for system-wide administration and enforcement that can be implemented across distributions.
Can You Say Linux? I Knew That You Could.
I haven't heard of an open source tool with the same functionality as the former Raytheon SilentRunner, now CA eTrust Network Forensics
or the similar tool Niksun
An open source tool with similar capabilities would be an excellent project
Something that can premiscuously detail a LAN. It should use netcat, nmap, ethereal and the other standards to map, in real time, you LAN traffic. It should also have the ability to intercept and decode any stream on your network.
So, let's say Billy is reading Slashdot when he's supposed to be doing data entry. You see a red (for example) line leading from Billy's box to the firewall with the line labelled "slashdot.org" and the IP address. Click on Billy's box and "zoom" to focus the GUI to Billy and right click menu to "intercept and decode" to pop-up a konqueror window that follows Billy's URL jumps and shows you what he's reading. The same would be true of mpegs he's watching or mp3s he's downloading.
Other functions would be to show all nodes in the LAN as well as OS versions, all traffic in and out of each node, and any services running per node. Servers running things like ntlogon, apache or SMB would be marked as such. A "bookmarking" type feature could also be implemented as well as a sticky-note feature for notation and easy navigation.
You could call it knetsec, but I actually like a bastardization of that... Knutsac.
put the what in the where?
Being notified that a program is trying to connect to the network can clue you in that you have been infected by a worm, virus, trojan, or spyware. Sure, Linux has relatively few malicious programs now but in the future it may become a bigger target.
Mebon
I find that sniffer pro's expert is no replacement for a real expert. On the numerous occasions I've used sniffer pro I've found that the experts are just annoying and i wrote them off as an attempt to just "wizardize" protcol analysis. It seems useful for someone who is a beginner at protocol analysis, but i've been doing it for years and haven't come across a better tool for me than Ethereal. Ethereal gives me a woody. I do agree that sniffer pro has more realtime monitoring capabilities than ethereal however. Also, etherape will show a matrix graph.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
NOT PGP/GPG!
NOT PGP/GPG!
NOT PGP/GPG!
I am looking for a tool that supports both Windows 2000/XP and Mac OS X that does on the fly encryption for removable USB memory sticks.
I know of platform-independent tools like PGP, but after decrypting, unencrypted data would sit on the thumb drive. If I was interrupted after decrypting or (more likely) forgot to encrypt the file again, unencrypted data would sit on the drive.
I know of Mac OS X's encrypted dmg files, but Windows has no way of accessing them. I would use one of the countless number of Windows-, Mac-, or Linux-proprietary third party "put your passwords here" tools for doing encrypted files, but all that I know of are platform-specific.
So what am I looking for? Something that has Windows and OS X clients that I could put on the thumb drive, along with a file of arbitrary size containing the encrypted data. After authenticating with the software, one of the following would happen:
(1) either the software mounts the encrypted file as a disk drive just like daemon-tools mounts a CD image in Windows, or OS X mounts a dmg file
(2) or the software includes a 'secure' text editor that can edit the encrypted file.
Either way, the software (1) sits on the thumb drive and (2) provides on-the-fly encryption so the data on the thumb drive is never unencrypted.
I'm willing for this to be horrifically slow as I would be storing mostly text on such a system, but supporting at least recent Windows and Mac OS X is important to me. I run Linux on servers/gateways but prefer Windows or OS X for my primary desktop/laptop machines.
I would be willing to pay for such a product, but I don't trust closed-source encryption products. Please let me know if you have heard of such a product!
Incidentally, PQI makes very very small thumb drives. Froogle for 'PQI intelligent stick.' Their USB1 model has a write-protect switch, but their USB2 model does not. (I am not affiliated but have bought, used, and liked their product.)
--
"Extra Anus Kills Four-Legged Chick" -- Headline
You think this is funny. Let me tell you a little story.
I just took this past spring a course in "Network Security". The teacher got hold of a DARPA video on computer security and played it for us at one class session.
You wouldn't believe this crap. The scenario was a country suspiciously similar to Iraq who set up a computer center with a bunch of Arab terrorist hackers and tried to drop America's infrastructure.
So, of course, the brilliant and utterly boring (all these people looked like crew-cutted Republicans, it was unbelievable) used all sort of "cutting-edge technology" (that doesn't exist and won't for another two or three decades) to defeat the evil Arabs. It ended with them tracking the evil Arabs to their lair and a bunch of Special Forces guys busting in and shooting up the place (DIE, EVIL HACKERS! DIE!).
The tech they showed involved a lot of voice-command and voice-response computer systems, all sorts of fancy graphics stuff, and of course something very much like Total Information Awareness that allowed them to know who everybody was no matter who the hell they were. They also had the ability to search out the source of any virus or hacker penetration in minutes and then commandeer the entire US infrastructure to repel the attack.
Utter bullshit - and I told the teacher so at the end of the video.
This was a DARPA "wish-list" video with absolutely no relevance to current computer security technology.
At the end of the semester, I demo'd the Knoppix STD (Security Tools Distribution) to the class. One student asked if this stuff was "all command line". I said, well, it's all servers, and the servers all run UNIX, and servers usually are administered from the command line, so, yes, most of the tools (except for stuff like Ethereal and Nessus) was command line.
It's a long way from there to DARPA's fantasy land.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Metasploit (http://www.metasploit.com) has a real neat project going. I know I use it.
We need more open source tools that act as front-ends to monitoring and operations applications, glue to sit between the 24x7 security/network operations staff and highly advanced applications and devices which are designed for engineers and architects to manage.
Your typical 24x7 staff aren't experts - so we need expert systems to make them more effective.
An example is IP Blocker where you get a system set of Perl scripts that front-end changing the border router access control list.
Many of the procedures and functions we perform to ensure security across our networks can be automated, and it is these areas that need the most work today. Another example would be a script that checks an IP address on your network against your inventory records, vulnerability databases, and other criteria to display an exhaustive history for the device as known by your organization. How many times have you got a Snort or other alert for an IP on your network which you have no idea who owns or what it does
If you want a text only version of what's up on your interface then go with IPTraf. It's ncurses-based. I think that'll do what you want. I used to leave it up on my Linux firewall/router so I could see what I was pulling down at any given moment.
.. ask if its virus patterns are.
A few friday nights back, our ClamAV started catching a little worm called W32/Zafi.b.
McAfee's DAT files to catch this one came out 2 1/2 days later, on the Monday morning (UK time).
Apart from the Nimda outbreak of 2001, this year is the only time I've seen viruses arrive at our email gateway (thanks ClamAV) before our official antivirus software updates catch them. Netsky, Bagle, and Zafi.b were all caught by ClamAV before McAfee had released DAT files for them.
I'd recommend defense in depth, using multiple virus scanners. We scan all incoming (and outgoing) emails with ClamAV, Bitdefender (free for Linux boxes), and McAfee's uvscan.
It's way too easy to fall into the mindset which says "we have antivirus software everywhere so we're safe". There will ALWAYS be a window of vulnerability between the release of a new virus and the availability of detection patterns. And don't forget that a lot of Windows viruses/worms disable any antivirus software they find running.
Phil
One argument FOR the command line as a newbie interface is here on OSNews.
It just goes to show, it's not just us old hackers who prefer the CLI...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco