
January 2007 Archives

January 25, 2007

Time To Sync

Many, many years ago, at a company which now only lives on in name, I enjoyed life working under TK as a Unix Admin. Sitting side by side at terminals, we instinctively gained shared knowledge of each other’s eccentric idiosyncrasies. Have you ever sat at the big hash prompt contemplating the next move and discovered an uncanny desire to type something, anything? Obviously, being logged in as root while typing random commands is a “bad thing”. Most people would say, “step away from the keyboard”. Instead, I had this horrible addiction to continuously type ls. Over and over again. When working with TK, I noticed he suffered from the same affliction, but his vice of choice was to type sync. Compared to my ls, at least in his case, running sync had a generally positive outcome. Wouldn’t you know it, today, I too am afflicted with the sync-itis.

The term sync means so much more than that of `man sync`. Synchrony, synchronicity, synchronize, synchronization – actions, events, people, thoughts happening at the same time or in harmony. Running an IT organization is much more about being in harmony with the organization than about looking out for oneself or one’s own department. The customer is your company. Align your gears with the company’s cogs and, surprisingly, good things happen.

In setting the stage for the sync blog, I leave you with this quote…

I am the wisest man alive; for I know one thing, and that is that I know nothing. – Socrates

January 29, 2007

Introducing the Free Lunch

As we travel in this land of Information Security, each of us searches for the quintessential free lunch. For the nominal price of a drink, you are permitted to devour today’s food du jour and thus remain alive to fight another fire. Growing up in the San Francisco Bay Area, one cannot help being influenced by the area’s history. Rudyard Kipling wrote of San Francisco,

No man rose to tell me what were the lions of the place. No one volunteered any sort of conveyance. I was absolutely alone in this big city of white folk. By instinct I sought refreshment, and came upon a barroom full of bad Salon pictures in which men with hats on the backs of their heads were wolfing food from a counter. It was the institution of the "free lunch" I had struck. You paid for a drink and got as much as you wanted to eat. For something less than a rupee a day a man can feed himself sumptuously in San Francisco, even though he be a bankrupt. Remember this if ever you are stranded in these parts.

Influenced by the history, technology and people of the area, I bring you Free Lunch. In this regular column, posted here on the nCircle blog, we intend to highlight free information security tools. No doubt some of these products will reside on the same shelf as the day-old bread, but others may surprise, perhaps even delight.


FAQ / Ground Rules

Why are you doing this?
We all have the same goal – to get the job done with as few resources as possible. I’m in IT and Information Security and thus a real-world subscriber. I feel like sharing my pain and joy with you.

Does the product need a specific shareware, freeware or other license?
Free Lunch contains the important word, free. Ideally, the items reviewed should have a GPL or Creative Commons license allowing commercial and non-commercial entities unrestricted usage.

How can I submit my product, idea, etc for the free lunch menu?
I provide no guarantee that your idea will be used or that your email will even be read. Nonetheless, the best way to submit your idea is to email freelunch shift key + 2 ncircle.com.

Where can I enjoy the free lunch?
Check out the category archive on my blog.

Are free lunches limited to software?
Not at all. I’m open to learning and using all sorts of tools, software, hardware, processes and methodologies. Hint: software which doesn’t work well on FreeBSD, OSX or XP probably won’t be looked at.

On what areas do you rate products?
Currently, the free lunch will cover feature sets, ease of use, documentation and community vibrancy.

Are these ratings an endorsement of nCircle?
Absolutely not. As with all information posted to the nCircle blog, the opinions expressed are solely the opinions of the poster and should not be construed to represent nCircle or its management.


Free Lunch :: Cacti

Product Information

Name: Cacti
Version: 0.8.6j
Website: http://cacti.net
Category: Network Graphing
Date: 1-Jan-07
(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

Cacti is the natural progression of the free network graphing tool. Many of us remember Tobi Oetiker’s MRTG - Multi Router Traffic Grapher. (Try saying that 10 times fast.) The basic concept – use SNMP to query your routers and switches every 5 minutes, shove that into a data format and use tools like GD to make pretty graphs. MRTG was later improved upon by RRDTool and RTG. The downside to these tools has always been the complexity of configuration and setup. Enter Cacti.

From the Cacti website, “Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality.” To boil it down into the most simplistic setting, Cacti gives you a PHP web interface for configuration, maintenance and viewing of your RRDTool graphs.
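To make the MRTG/RRDTool concept above concrete, here is an added example (not code from Cacti, MRTG or RRDTool) that models what those tools do with a polled interface counter: it turns ifInOctets readings taken every 5 minutes into bytes-per-second rates, handles the 32-bit counter wrap, and keeps the results in a fixed-size round-robin archive. The poll data is constructed, and the archive size and polling helper names are my own.

```python
"""Minimal model of how MRTG/RRDTool treat an SNMP COUNTER data source.

Constructed example, not Cacti/RRDTool code: raw ifInOctets readings polled
every 300 s become bytes/sec rates, with 32-bit wrap handled, stored in a
round-robin archive that overwrites its oldest row once full.
"""
from collections import deque

STEP = 300               # polling interval in seconds (MRTG's classic 5 minutes)
COUNTER_MAX = 2 ** 32    # ifInOctets is a Counter32 in the IF-MIB, so it wraps here


class RoundRobinArchive:
    """Ring buffer: once it holds `rows` entries, each new rate evicts the oldest."""

    def __init__(self, rows):
        self.rows = deque(maxlen=rows)

    def add(self, ts, rate):
        self.rows.append((ts, rate))

    def values(self):
        return [rate for _, rate in self.rows]


def counter_delta(prev, cur, wrap=COUNTER_MAX):
    """Octets transferred between two readings, allowing for one counter wrap."""
    if cur >= prev:
        return cur - prev
    return cur + wrap - prev


def rates_from_polls(samples, rows=4):
    """samples: list of (unix_ts, ifInOctets). Returns an archive of bytes/sec."""
    rra = RoundRobinArchive(rows)
    prev_ts, prev_val = samples[0]
    for ts, val in samples[1:]:
        elapsed = ts - prev_ts
        if elapsed <= 0:
            continue  # clock went backwards: skip rather than record a bogus rate
        rra.add(ts, counter_delta(prev_val, val) / elapsed)
        prev_ts, prev_val = ts, val
    return rra


# Constructed poll data: six polls 300 s apart on a link moving a steady
# 1,000,000 B/s; the counter wraps between the 4th and 5th reading.
T0 = 1_167_609_600  # 1-Jan-2007 00:00:00 UTC, the review date above
POLLS = [(T0 + i * STEP, (3_200_000_000 + i * STEP * 1_000_000) % COUNTER_MAX)
         for i in range(6)]

if __name__ == "__main__":
    for ts, rate in rates_from_polls(POLLS).rows:
        print(ts, f"{rate:,.0f} B/s")  # every row prints 1,000,000 B/s
```

With rows=4 the archive holds only the last four rates, which is the behaviour that lets RRD files stay a fixed size forever.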

At first, I was a bit confused. You’d think that anyone who spent years using MRTG would enjoy a web interface. Not always the case. Not all of the user interface was entirely predictable. One must realize that you need to follow the intended steps to actually get a graph: adding the device, ensuring data is queried correctly, adding the graph and then managing the graph. Though, once you get the hang of it, the results are sweet. I have to imagine there is a slick trick to adding 100 or more devices and graphs without performing some 1000 clicks, but that trick has eluded me so far.

Installation and configuration was fairly easy. That process was made even simpler by the use of a FreeBSD port and moderately well done documentation. The supporting community of Cacti is vibrant. The Cacti forums support most of the community aspect. Forums are great for idea exchange, but make it hard for newcomers to find the golden nuggets. For example, many people have developed add-on scripts, templates and plug-ins. All of these can be found with a few hours of forum searching, but what Cacti lacks is a centralized and managed repository for its contributors.

Product Rating

Features:
Ease of Use:
Documentation:
Community:
Overall:

By far the most useful feature of Cacti is its ability to import third-party contributions. Talk about a free lunch. As with many well-loved free tools, the community does its part to extend the product’s reach by developing add-on components. These are generally specific graph types people have developed to solve real-world problems in their own organization.

Overall, I like Cacti and would recommend it to all my friends. If you’ve got an extensive MRTG, RRDTool or RTG system already humming along, then you probably have very little reason to make the switch. Cacti is licensed under the terms of the GPL.

Enjoy the Free Lunch.

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive. Remember, this is not an endorsement by nCircle. Please see my FAQ.)

January 31, 2007

Who cared about Peacomm?

Earlier this month the Internet saw a newsworthy Trojan called Peacomm. It spurred gasping headlines such as “Storm Worm hits 1.6 million PCs” and “Storm worm still on botnet-building patch” and “Storm virus gathers pace”. I got a request to do a press interview on this Trojan. My response was, no kidding, a large laugh out loud. Why would I take such a quixotic view? The virus just wasn’t a contending threat to enterprise networks. The threat delivered itself in a spam email as an .exe attachment. I can’t think of a single enterprise where this wouldn’t be automatically caught.

After the press frenzy dwindled I had a chance to do some more research. I wanted to find the answer to why this Trojan got so much attention. It turns out that since all of our antivirus vendors have yet to adopt a standard risk metric, it takes but one vendor to make a virus newsworthy. I might also note that just one of the major AV vendors distinguishes threats differently for enterprises and consumers. Here is a recap of how AV vendors classified the Peacomm Trojan:

Symantec
Name: Trojan.Peacomm
Severity: 3
Severity ratings are given as 0 to 5 bars

TrendMicro
Name: TROJ_SMALL.DSI
Overall Risk Rating: Low
Risk ratings can be: Very Low, Low, Medium, High

F-Secure
Name: Small.DAM
Radar Alert: Level 2
Radar Alerts include: None, Level 3, Level 2, Level 1 where Level 1 is a “Worldwide epidemic of a serious new virus”

McAfee
Name: Downloaders-BAI!M711
Corporate User: Low-Profiled
Home User: Low-Profiled
Risk levels can be: Low, Medium, High, Critical

Sophos
Name: Troj/Dorf-Fam
Prevalence: High
Note: Sophos uses a prevalence rating, not really a risk rating.


For the most part the AV teams did rate this as a rather low threat. I really haven’t determined why this Trojan garnered so much news. Though, I did learn 2 things:

1) The rating systems vendors use for AV threats are a learning experience in themselves.
2) Only one of the vendors, McAfee, specifically provides separate ratings for corporate and home users.

So what’s the point? The point is, don’t trust a media frenzy to make a risk assessment. You’ll have to do that on your own. When it comes to determining the risk of a virus, you’ll have to decide whether to rely on a single vendor, or try to make heads or tails of the varying metrics provided. Hrmm, sounds like AV risk assessments are just like all other risk assessments.

Skype to partner for security in the workplace

As reported on CNET.

Apparently, Skype plans to partner with trusted security vendors to somehow make their product fit into the realm of security compliance needs. I like Skype and think it has huge advantages for some people. However, it’s another example of technology getting ahead of corporate security needs. I’d welcome a Skype client that I could monitor, configure and centrally manage. Until then, keep it away from my networks.

To all those people in the nCircle office laughing right now: I see you using Skype at the office. Don’t think I don’t know. :-)

About January 2007

This page contains all entries posted to Sync in January 2007. They are listed from oldest to newest.
