Cheapskate 2: The Sequel

A guide to free and essential security tools for education

A month and a half ago I asked a group of higher education security officers that I know and respect to identify their five favorite free security software packages. Based on those responses, I wrote my Aug. 8 Campus Security newsletter column, A Cheapskate's Guide to Free Security Software.

Responses continued to come in after the column was published. Some just echoed previous favorites, but other responses lifted "worthy of a closer look" picks to contender status. And almost a dozen new packages emerged. Hence, "Cheapskate 2: The Sequel."

The Winners' Platform
With the new votes in, the winners on the platform stay the same. Nessus, a vulnerability scanner; NMAP, a port scanner; and SNORT, an intrusion detection system, continue to dominate the list of "most useful." For a complete description of these packages, see last month's column.

The New Contender: ClamAV
After the new responses came in, one package emerged that is now almost as popular as those on the winners' podium. ClamAV is an open source antivirus toolkit for Unix and Windows operating systems and is particularly useful for virus scanning on e-mail gateways. It is distributed under the terms of the GNU General Public License and is part of Sourcefire, the maker of the popular SNORT intrusion detection product.

Versions are available for Linux, Mac OS X, and Windows operating systems. Conventional wisdom holds that there are few viruses on Linux or Mac platforms, so why fret about antivirus software? But what happens if those machines are acting as a mail server or are forwarding mail to a Windows machine?

ClamAV has three key components: freshclam, clamscan, and sigtool. Freshclam is the tool that downloads the latest virus database updates from the Internet. Clamscan is the tool that actually checks files to see if they contain a virus. And sigtool verifies the digital signature on the virus database to confirm that it is genuine.

For people who don't have a copy of ClamAV installed on their computer or just want to try it out, there is an online version of ClamAV that can be used to check small files, less than 500 KB, for malicious content. I tried it out with a couple of files that I knew to be clean and didn't get any false positives.

Prospects
Eight packages jumped from the "Worthy of a Closer Look" to "Prospect" status, and one dark horse made the jump from unmentioned. The two packages leading the pack of new competitors are:

  • Secunia Personal Software Inspector, which protects against Windows-based software vulnerabilities, was the first package to rise out of the pack to challenge the leaders. Secunia PSI is a version of Secunia's commercial product and is available to private individuals for free; more than a half million users have installed it. The commercial version, Secunia NSI, is capable of scanning remote hosts on a network and feeding the scan results into a centralized dashboard.

    Secunia PSI monitors your system for insecure software installations and notifies you when an insecure application is installed; it was not designed to determine whether a system has already been compromised. It works by looking at files on your computer, mostly .exe, .dll, and .ocx, and comparing them with information in the Secunia File Signatures engine. It can also tell you about missing security-related updates.
  • Wireshark, a widely used network protocol analyzer, is available under the GNU General Public License on Windows, Linux, Mac OS X, Solaris, FreeBSD, and NetBSD. It is definitely international software, listing more than 600 contributors from across the globe.

    Functionally, Wireshark is very similar to tcpdump, but it has a graphical user interface and more sorting and filtering options (more than 80,000 filters). Training is available from Wireshark University and at Sharkfest.

Close on their heels are: Argus (network-monitoring tool), OSSEC (intrusion detection), NetFlow (collecting IP traffic information), VirusTotal (online antivirus service), TrueCrypt (real-time disk encryption), and OpenSSH (encrypted communications), all of which were described in last month's column.

Finally, Cain and Abel, a password cracker and packet sniffer for Windows-based computers, jumped from unmentioned to prospect. While some regard Cain and Abel as malware, if you have a user who has lost or forgotten a password, it can be a very handy tool. (Even though I have never stolen a car, I must confess to using a coat hanger to break into my own car after locking the keys inside.) In addition to packet sniffing, Cain and Abel uses dictionary attacks, brute force, and cryptanalysis via rainbow tables, along with other techniques, to recover a lost password.

New 'Worthy of a Closer Look'
With the new responses, 10 packages have been added to the "worthy of a closer look" category.

McAfee Site Advisor is a plugin for Firefox running on Windows, Mac OS X, and Linux that rates the safety of sites that appear next to search results. The ratings are based on tests run at McAfee by computers that visit millions of sites to see if they install unwanted programs, flood your inbox with spam, or create other problems.

Metasploit is designed for people who perform penetration testing and intrusion detection system signature development. The basic function of the Metasploit Framework is to allow the user to configure an exploit module and launch it at a target system.

SpamAssassin was developed by the open source Apache SpamAssassin Project and uses a wide variety of local and network tests to identify spam signatures.

Flow-Tools is a collection of programs by Mark Fullmer at my old shop, OARnet, and Steve Romig at Ohio State to collect, send, process, and generate reports from NetFlow data. (NetFlow was developed by Cisco to collect IP traffic information from its routers but has been adopted by other vendors as well.)

SuperScan4 is a TCP port scanner for Windows-based systems and can detect open ports on a target computer, determine services running on those ports, and run queries such as ping. It is used by both system administrators and hackers to evaluate a computer's security.

Sysinternals Suite is Microsoft's collection of Windows-based troubleshooting utilities. For example, AutoRuns shows you what programs are configured to run during system bootup or login and shows you the entries in the order Windows processes them. It has an option to locate third-party auto-starting images that have been added to your system.

Tcpdump, which works on most Unix-like operating systems, is a packet sniffer that allows the user to intercept and display packets being transmitted over a network.

dcfldd is an open source forensic tool based on dd that can create a disk image without mounting the drive and contaminating it. The major advantage of dcfldd over dd is that it supports hashing of data when disk images are created. This is useful in legal situations because it allows for verification that the contents of the image have not been modified, thus preserving the chain of evidence.
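To show why hashing during acquisition matters, here is an added example (not code from the dcfldd project) that copies a constructed "drive" block by block, hashing the stream as it is copied the way dcfldd's hash= and hashwindow= options do, and then checks a stored image against the acquisition hash; the source data is generated locally so it runs offline.

```python
import hashlib
import io

def constructed_source(size=1 << 20, seed=b"cheapskate-2"):
    # Constructed stand-in for a suspect drive: 1 MiB of reproducible pseudo-random bytes.
    out, counter = bytearray(), 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])

def image_with_hashes(src, dst, block_size=64 * 1024, window_blocks=4):
    """Copy src to dst in blocks; return (hash of whole stream, per-window hashes).

    The hashes are taken from the data as it passes through, so they describe what
    was actually read from the drive rather than a later re-read of the image file.
    """
    total, windows, window, in_window = hashlib.sha256(), [], hashlib.sha256(), 0
    while chunk := src.read(block_size):
        dst.write(chunk)
        total.update(chunk)
        window.update(chunk)
        in_window += 1
        if in_window == window_blocks:              # close one hash window
            windows.append(window.hexdigest())
            window, in_window = hashlib.sha256(), 0
    if in_window:                                   # partial trailing window
        windows.append(window.hexdigest())
    return total.hexdigest(), windows

def verify_image(image_bytes, expected_total):
    """True only if the stored image still matches the hash recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_total

def changed_windows(image_bytes, windows, block_size=64 * 1024, window_blocks=4):
    """Re-hash each window of a stored image; return indices whose hash no longer matches."""
    size = block_size * window_blocks
    return [i for i, h in enumerate(windows)
            if hashlib.sha256(image_bytes[i * size:(i + 1) * size]).hexdigest() != h]

def demo():
    dst = io.BytesIO()
    total, windows = image_with_hashes(io.BytesIO(constructed_source()), dst)
    image = dst.getvalue()
    tampered = bytearray(image)
    tampered[300 * 1024] ^= 0x01                    # flip one bit in the second window
    return (verify_image(image, total), verify_image(bytes(tampered), total),
            len(windows), changed_windows(bytes(tampered), windows))

if __name__ == "__main__":
    print(demo())
```

The window hashes are what let an examiner say not just that an image was altered, but roughly where, without re-imaging the drive.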

Forensic Acquisition Utilities is a collection of Windows tools useful in collecting forensic evidence. For example, one of the utilities, Netcat, can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk. Unix-based tools can be found at Open Source Forensic Tools, the parent site for Forensic Acquisition Utilities.

Helix CD is a bootable Linux CD that does not touch the host computer in any way, so forensic evidence is preserved; it is designed for individuals who understand incident response and forensic techniques.

Finally, if you haven't already checked them out, don't forget the packages described in last month's "Worthy of a Closer Look" that didn't make it to contender status. Antivirus and Malware: Ad-Aware, SpyBot Search and Destroy, and Tripwire/AIDE. Encryption: GNU Privacy Guard. Web Vulnerability Scanners: Nikto and Paros Proxy. Firewalls, Packet Filters, and other Useful Tools: Autoruns, iptables, IPFilter, Microsoft Baseline Security Analyzer, NetStumbler, and ZoneAlarm.
