
Free Lunch Archives

January 29, 2007

Introducing the Free Lunch

As we travel in this land of Information Security, each of us searches for the quintessential free lunch. For the nominal price of a drink, you are permitted to devour today’s food du jour and thus remain alive to fight another fire. Growing up in the San Francisco Bay Area, one cannot help but be influenced by the area’s history. Rudyard Kipling wrote of San Francisco,

No man rose to tell me what were the lions of the place. No one volunteered any sort of conveyance. I was absolutely alone in this big city of white folk. By instinct I sought refreshment, and came upon a barroom full of bad Salon pictures in which men with hats on the backs of their heads were wolfing food from a counter. It was the institution of the "free lunch" I had struck. You paid for a drink and got as much as you wanted to eat. For something less than a rupee a day a man can feed himself sumptuously in San Francisco, even though he be a bankrupt. Remember this if ever you are stranded in these parts.

Influenced by the history, technology and people of the area, I bring you Free Lunch, a regular column posted here on the nCircle blog in which we intend to highlight free information security tools. No doubt some of these products will sit on the same shelf as the day-old bread, but others may surprise, perhaps even delight.


FAQ / Ground Rules

Why are you doing this?
We all have the same goal – to get the job done with as few resources as possible. I’m in IT and Information Security and thus a real-world subscriber. I feel like sharing my pain and joy with you.

Does the product need a specific shareware, freeware or other license?
Free Lunch contains the important word, free. Ideally, the items reviewed should have a GPL or Creative Commons license allowing commercial and non-commercial entities unrestricted usage.

How can I submit my product, idea, etc for the free lunch menu?
I provide no guarantee that your idea will be used or that your email will even be read. Nonetheless, the best way to submit your idea is to email freelunch shift key + 2 ncircle.com.

Where can I enjoy the free lunch?
Check out the category archive on my blog.

Are free lunches limited to software?
Not at all. I’m open to learning and using all sorts of tools, software, hardware, processes and methodologies. Hint: software that doesn’t work well on FreeBSD, OS X or XP probably won’t be looked at.

On what areas do you rate products?
Currently, the free lunch will cover feature sets, ease of use, documentation and community vibrancy.

Are these ratings an endorsement by nCircle?
Absolutely not. As with all information posted to the nCircle blog, the opinions expressed are solely the opinions of the poster and should not be construed to represent nCircle or its management.


Free Lunch :: Cacti

Product Information

Name: Cacti
Version: 0.8.6j
Website: http://cacti.net
Category: Network Graphing
Date: 1-Jan-07
(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

Cacti is the natural progression of the free network graphing tool. Many of us remember Tobi Oetiker’s MRTG - Multi Router Traffic Grapher. (Try saying that 10 times fast.) The basic concept: use SNMP to query your routers and switches every 5 minutes, shove the results into a data format and use tools like GD to make pretty graphs. MRTG was later improved upon by RRDTool and RTG. The downside to these tools has always been the complexity of configuration and setup. Enter Cacti.
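The polling model described above (sample an SNMP octet counter every 5 minutes, turn the difference into a rate, keep a fixed number of samples) is easy to get subtly wrong, so here is an added illustration of it. This is example code written for this column, not Cacti, MRTG or RRDTool code; the counter readings, the `STEP` and `COUNTER_MAX` constants and all function names are constructed for the example. It also shows the one edge case every grapher has to handle: a 32-bit interface counter rolling over between two polls.

```python
"""Constructed illustration of the MRTG/RRDTool polling model:
a counter sampled every STEP seconds becomes a rate, and rates live
in a fixed-size round-robin archive so storage never grows."""
from collections import deque

STEP = 300                 # assumed polling interval: 5 minutes
COUNTER_MAX = 2 ** 32      # 32-bit SNMP counters (e.g. ifInOctets) wrap here


def counter_rate(prev, cur, step=STEP, counter_max=COUNTER_MAX):
    """Bytes per second between two counter readings.

    If the new reading is smaller than the old one the counter rolled
    over, so the delta is taken modulo the counter width instead of
    producing a bogus negative rate (or a huge spike on the graph).
    """
    delta = cur - prev
    if delta < 0:
        delta += counter_max
    return delta / step


class RoundRobinArchive:
    """A fixed number of slots; the oldest rate is dropped when a new
    one arrives. This is the property that keeps an RRD file a constant
    size no matter how long the device is polled."""

    def __init__(self, slots):
        self.rates = deque(maxlen=slots)

    def add(self, rate):
        self.rates.append(rate)

    def average(self):
        return sum(self.rates) / len(self.rates) if self.rates else 0.0


def poll_series(counter_readings, slots=12):
    """Turn consecutive raw counter readings (one per STEP) into an archive."""
    rra = RoundRobinArchive(slots)
    for prev, cur in zip(counter_readings, counter_readings[1:]):
        rra.add(counter_rate(prev, cur))
    return rra


# Constructed sample: seven readings of a 32-bit octet counter taken
# 5 minutes apart; the counter wraps between the fifth and sixth reading.
SAMPLE_COUNTERS = [4_294_000_000, 4_294_300_000, 4_294_600_000,
                   4_294_900_000, 4_294_967_000, 200_000, 500_000]

if __name__ == "__main__":
    archive = poll_series(SAMPLE_COUNTERS)
    for rate in archive.rates:
        print(f"{rate:10.1f} B/s")
    print(f"average {archive.average():.1f} B/s")
```

Without the wrap check the sixth sample would come out as roughly -14 million bytes per second, which is the kind of spike that makes people distrust their graphs; the round-robin archive is what lets Cacti keep years of data in a file of constant size.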

From the Cacti website, “Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality.” To boil it down into the most simplistic setting, Cacti gives you a PHP web interface for configuration, maintenance and viewing of your RRDTool graphs.

At first, I was a bit confused. You’d think that anyone who spent years using MRTG would enjoy a web interface. Not always the case. Not all of the user interface was entirely predictable. One must realize that you need to follow the intended steps to actually get a graph: add the device, make sure its data is being queried correctly, add the graph and then manage the graph. Though, once you get the hang of it, the results are sweet. I have to imagine there is a slick trick to adding 100 or more devices and graphs without performing some 1000 clicks, but that trick has eluded me so far.

Installation and configuration was fairly easy. That process was made simpler still by the FreeBSD port and moderately well done documentation. The supporting community of Cacti is vibrant. The Cacti forums carry most of the community activity. Forums are great for idea exchange, but make it hard for newcomers to find the golden nuggets. For example, many people have developed add-on scripts, templates and plug-ins. All of these can be found with a few hours of forum searching, but what Cacti lacks is a centralized and managed repository for its contributors.

Product Rating (star ratings not preserved in this text copy): Features / Ease of Use / Documentation / Community / Overall

By far the most useful feature of Cacti is its ability to import third-party contributions. Talk about a free lunch. As with many well-loved free tools, the community does its part to extend the product’s reach by developing add-on components. These are generally specific graph types people have developed to solve real-world problems in their own organization.

Overall, I like Cacti and would recommend it to all my friends. If you’ve got an extensive MRTG, RRDTool or RTG system already humming along, then you probably have very little reason to make the switch. Cacti is licensed under the terms of the GPL.

Enjoy the Free Lunch.

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive. Remember, this is not an endorsement by nCircle. Please see my FAQ.)

February 16, 2007

Free Lunch :: Request Tracker (RT)

Product Information

Name: Request Tracker
Website: http://www.bestpractical.com/rt
Category: Ticketing System
Date: 16-Feb-07

Request Tracker, better known simply as RT, is touted as an enterprise-grade ticketing system. In the world of free ticketing systems, most of us only really have 2 options left – OTRS and RT. RT is Perl based and uses your favorite SQL database. On the front-end, it can take advantage of either mod_perl or FastCGI. Like most ticketing systems, it has a number of ways to create, update and manipulate tickets. Its front-end is a web-based system using Perl Mason for HTML construction. Other input methods include email and userland binaries.

Speaking of Perl and Mason, this is perhaps RT’s biggest downside. Perl for HTML construction isn’t the fastest or most popular thing on the market. However, RT does have some nice features we’ve come to expect from enterprise ticketing systems. Inbound emails generate new tickets and subsequent correspondence is nicely threaded accordingly. The built-in system comes with a business logic implementation method called ‘Scrips’. Here one can perform basic to moderate ticket manipulation and automatic email correspondence based on predefined conditions and actions.

The extensibility and customization of RT isn’t too bad, nor is it necessarily fun. Thankfully, the system was developed with an object-oriented mindset. Hence it’s fairly straightforward to overload function calls and alter the UI. Best Practical, which appears to be the consulting arm of RT’s author, Jesse Vincent, also provides a few add-on modules. These include a FAQ-manager type of knowledge base and an incident response tool. Outside of these modules, the asset tracker add-on from a third party rounds out the best of RT. Combine the base RT with asset tracking and you have an instant ITIL service desk tool.

Installation of RT is par for the course. First, get your software installed – webserver components, a database, Perl and a ton of PMs (Perl modules). From there it’s an expected set of steps: database schema, config files and base setup via the web UI. The security configuration of user access control and custom fields can at times be a bit confusing. Best to create yourself a few test accounts with various permissions and run a full set of tests before going into production.

Product Rating (star ratings not preserved in this text copy): Features / Ease of Use / Documentation / Community / Overall

The community around RT has been pretty stable and active for a few years. The basic rt-users email list ranges from 300 to 600 messages a month. The online installation docs are in wiki format. Despite the fact that I despise install docs in wiki format, the wiki users are actively contributing.

Personally, I’ve been a user of RT for many years and always recommend it as an option when looking at ticketing systems. My one suggestion is to realize that Perl Mason is slow, so allow for enough horsepower and be ready to do some FastCGI tweaking. RT is licensed under the terms of version 2 of the GNU GPL.

Enjoy the Free Lunch.

March 15, 2007

Free Lunch :: OCTAVE

Product Information

Name: OCTAVE
Website: http://www.cert.org/octave/
Category: Methodology
Date: 15-Mar-07

No, I'm not talking about the musical term or the GNU language for solving numerical computations. Operationally Critical Threat, Asset, and Vulnerability Evaluation is a self-directed assessment methodology for security risk management. Isn't that a mouthful? I can hear someone yelling Bingo! right now based on all the key jargon words that sentence contained.

First developed back around 2003, the work to develop OCTAVE was sponsored by the DOD and took place at Carnegie Mellon University. As best as I can tell we owe this body of work to Christopher Alberts, Audree Dorofee, James Stevens and Carol Woody.

What's special about OCTAVE is that it's entirely self-directed and is not technology dependent. The method assumes that people internal to the organization are much better suited to perform a risk assessment than a third party. Today we still see many organizations outsourcing their risk assessments, but compared to 2003 today's numbers are much lower. OCTAVE is intended to focus on strategy and process and less on technical tools. Where other evaluations focus on technology, OCTAVE focuses on security practices.

This is starting to sound all too familiar. Today it's a common theme to focus on best practices and common configurations rather than on how vendor x, y or z scores my webservers. This might be why not too many people know of or use OCTAVE. Those who read about the approach took important lessons back to the office. They used the key learnings to implement their own self-directed methodologies and metrics. Unfortunately, very few technical risk management vendors partnered with these methodologies. OCTAVE never really had a large following or a developing community. Nonetheless it's fair to say that its core components are still very important and live on today.

This leads me to the difficulty of placing a score on OCTAVE. As usual I try to apply a rating in terms of Features, Ease of Use, Documentation and Community. OCTAVE is a funny tool in that it just doesn't fit well into these categories, but giving it a low rating would be an injustice. I've learned a lot about risk assessments from OCTAVE and I encourage others to read and learn.

OCTAVE is a registered trademark and each of the documents is subject to its own usage restrictions. None of the restrictions should prevent you from using the tools provided, but calling it open source in the sense of the GPL would be misleading.

Enjoy the Free Lunch.

April 16, 2007

Free Lunch :: OSSEC

Product Information


Name: OSSEC
Website: http://www.ossec.net/
Category: Intrusion Detection
Date: 15-April-07

OSSEC is an open source host based intrusion detection system. The website states, "It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response." That is a mouthful.

Regardless of your opinion of HIDS and IDSes in general, OSSEC probably covers at least one item on your “I need that” checklist. You may have log analysis tools already, but maybe lack host integrity checking. If you like the functionality of open source Tripwire, but need centralized reporting and data gathering, then OSSEC is for you.

System integrity checking is one area that highlights OSSEC's architecture. One can choose to run in a client/server or standalone design. The agent is a slimmed-down server install and doesn't listen on any ports. In classic client style, it actively opens connections to the server when it needs to communicate data. Communications occur over UDP 1514. Traffic is compressed and encrypted using Blowfish with a 192-bit key. Agents are authorized into the server using a pre-shared key, which also acts as the encryption key. In the case of host integrity checking, one no longer needs to store the integrity database on the monitored host. Compared to other integrity checkers that store the database on a non-writable medium (very laborious) or in a risky obfuscated partition, OSSEC uses the client/server architecture to store the data on the server. The client sends snapshots to the server, where in turn the integrity delta is calculated. Adding to OSSEC's security design is that it chroots by design. A vanilla install from source sets up a few users to run the separate processes and ensures that all the processes chroot themselves. This is a nice added benefit lacking in many open source products.
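To make the architectural point concrete, here is an added illustration of the snapshot-to-the-server model: the agent only hashes what it sees and ships the result, and the server, which keeps the previous snapshot, computes the added, removed and modified paths. This is example code written for this column, not OSSEC's code or wire format; the in-memory "filesystems", the agent id and the JSON payload are constructed for the example (a real agent would walk the disk and, as the column notes, compress and encrypt the payload before sending it).

```python
"""Constructed illustration of agent-side snapshots and server-side
integrity deltas. Not OSSEC code; the sample filesystems are fake."""
import hashlib
import json


def take_snapshot(files):
    """Agent side: map each path to the SHA-256 of its content.
    `files` is a dict path -> bytes standing in for the real filesystem."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def serialize(snapshot):
    """What the agent would put on the wire (before compression/encryption)."""
    return json.dumps(snapshot, sort_keys=True).encode()


class IntegrityServer:
    """Server side: holds one baseline per agent. Because the baseline
    lives here, a compromised host cannot quietly rewrite it."""

    def __init__(self):
        self.baselines = {}            # agent id -> last accepted snapshot

    def receive(self, agent_id, payload):
        snapshot = json.loads(payload.decode())
        baseline = self.baselines.get(agent_id)
        self.baselines[agent_id] = snapshot
        if baseline is None:           # first contact: everything is "new"
            return {"added": sorted(snapshot), "removed": [], "modified": []}
        return {
            "added": sorted(p for p in snapshot if p not in baseline),
            "removed": sorted(p for p in baseline if p not in snapshot),
            "modified": sorted(p for p in snapshot
                               if p in baseline and snapshot[p] != baseline[p]),
        }


# Constructed "filesystems": the second differs from the first by one
# modified file, one removed file and one new file.
FS_V1 = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/bin/ls": b"\x7fELF...ls",
}
FS_V2 = dict(FS_V1)
FS_V2["/etc/passwd"] = FS_V1["/etc/passwd"] + b"svc:x:1001:1001::/var/svc:/bin/sh\n"
FS_V2["/usr/lib/libx.so"] = b"\x7fELF...new"
del FS_V2["/etc/hosts"]


def demo():
    """Baseline the agent with FS_V1, then report the delta against FS_V2."""
    server = IntegrityServer()
    first = server.receive("agent-1", serialize(take_snapshot(FS_V1)))
    delta = server.receive("agent-1", serialize(take_snapshot(FS_V2)))
    return first, delta


if __name__ == "__main__":
    first, delta = demo()
    print("baseline:", first)
    print("delta:   ", delta)
```

The division of labour is the point: the agent never needs a writable database, and the server side can apply whatever rules or alert levels it likes to the delta without trusting anything the host stored locally.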

OSSEC does provide other features, which include log analysis, a Windows registry checker, rootkit detection, a robust alerting system and active response actions. There is too much in this product to cover in the regular monthly Free Lunch, but let's home in on log analysis for a moment. Log analysis is an important requirement for security monitoring. OSSEC ships with a ton of prebuilt log rules. During runtime, it monitors all the system logs and can be modified to monitor fewer or more log files with a few simple configuration statements. Logs are processed by a speedy engine, which attempts to match rules stored in XML files. The XML definitions are robust, allowing for options such as alert level, regular expression matching, process lookup, IP correspondence and over 25 other directives. One word of caution: learn how to write your own rules. This is especially important when you need to ignore log events. By default, all log lines will match something and send an alert. Great by design, as you'd rather be alerted by default. However this can be frightful at first when the storm of email alerts comes thundering at your inbox.
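The "everything matches something, so write your own ignore rules" advice above is easiest to appreciate with a tiny rule engine in hand, so here is an added example. It is code written for this column, not OSSEC's engine, and the XML layout (a `rule` element with `id` and `level` attributes holding a `regex` and a `description`) is a deliberately simplified sketch rather than OSSEC's actual rule schema; the log lines are constructed. It shows a level-0 rule silencing routine cron noise, a specific rule for sshd authentication failures, and the catch-all rule that makes every remaining line an alert.

```python
"""Constructed illustration of rule-driven log analysis: XML rules with a
level and a regex, first match wins, level 0 means "silence this".
Simplified sketch, not OSSEC's rule format."""
import re
import xml.etree.ElementTree as ET

# Rules are evaluated in file order, so the specific ones come first and
# the catch-all comes last.
RULES_XML = r"""
<rules>
  <rule id="100" level="0">
    <regex>CRON\[\d+\]: \(root\) CMD</regex>
    <description>Routine cron job: ignore</description>
  </rule>
  <rule id="101" level="5">
    <regex>sshd\[\d+\]: Failed password for (.+) from (\S+)</regex>
    <description>sshd authentication failure</description>
  </rule>
  <rule id="999" level="1">
    <regex>.</regex>
    <description>Catch-all: unclassified log line</description>
  </rule>
</rules>
"""


def load_rules(xml_text):
    """Parse the rule file into a list of dicts with compiled regexes."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "regex": re.compile(r.findtext("regex")),
            "description": r.findtext("description"),
        })
    return rules


def classify(line, rules):
    """First matching rule wins; returns (rule, match) or (None, None)."""
    for rule in rules:
        m = rule["regex"].search(line)
        if m:
            return rule, m
    return None, None


def analyze(lines, rules):
    """Return (alerts, silenced): alerts for level > 0, a count for level 0."""
    alerts, silenced = [], 0
    for line in lines:
        rule, _ = classify(line, rules)
        if rule is None:
            continue
        if rule["level"] == 0:
            silenced += 1
            continue
        alerts.append({"rule": rule["id"], "level": rule["level"],
                       "description": rule["description"], "line": line})
    return alerts, silenced


def alert_counts(lines, rules):
    """How many alerts fire with the ignore rules, and how many without them."""
    with_ignore, _ = analyze(lines, rules)
    without_ignore, _ = analyze(lines, [r for r in rules if r["level"] > 0])
    return len(with_ignore), len(without_ignore)


# Constructed syslog lines (hostnames and addresses are made up).
SAMPLE_LOG = [
    "Apr 15 03:00:01 host CRON[4121]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 15 03:00:02 host sshd[4130]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40122 ssh2",
    "Apr 15 03:05:01 host CRON[4150]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 15 03:06:10 host kernel: eth0: link is up",
]

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    alerts, silenced = analyze(SAMPLE_LOG, rules)
    for a in alerts:
        print(f"rule {a['rule']} level {a['level']}: {a['description']}")
    print(f"{silenced} line(s) silenced by level-0 rules")
    print("alerts with/without ignore rules:", alert_counts(SAMPLE_LOG, rules))
```

Drop the level-0 rule and every cron heartbeat becomes a level-1 alert from the catch-all, which on a real host with dozens of log sources is exactly the inbox storm the column warns about; the fix is not to weaken the catch-all but to add narrow ignore rules for the noise you have actually looked at.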

Product Rating (star ratings not preserved in this text copy): Features / Ease of Use / Documentation / Community / Overall

Enough about the features; let's quickly cover ease of use, documentation and community. After a few hours of tinkering, the system became easy to use and understand. Configuration directives are stored in simple-to-read configuration files. Install was a breeze, though upgrades are generally a better test of the install process. We'll have to wait for the next version and see. Documentation was adequate if you already have an idea as to what is going on. We would have liked more macro-level discussions. Topics like deployment best practices and overall architecture design would be a nice addition. The community around OSSEC is hard to gauge. We noticed the mailing lists are active and there are many references to OSSEC on the Internet; however the wiki site seems ominously quiet. This dichotomy leads one to believe that there aren't many active developers. Though we need to point out there are more than a dozen developer and contributor names on the OSSEC website. By all accounts, we don't think OSSEC is going away soon, but users should spend more time giving back.

OSSEC is licensed under the terms of version 2 of the GNU GPL.

Enjoy the Free Lunch.

September 10, 2007

Free Lunch :: ReCAPTCHA

Product Information


Name: ReCAPTCHA
Website: http://recaptcha.net/
Category: Stopping the Bots
Date: 10-Sep-07

The onslaught of bots and spammers gave birth to a new tool to differentiate human from android. Alan Turing would be proud to see just how much technology we have devised. One such technology is the CAPTCHA - it's the graphic of text and numbers we need to type in to sign up for a service or comment on a blog. ReCAPTCHA takes this technology and uses it to solve more than one problem.

On May 24th 2007, Carnegie Mellon announced a new method to improve its process of transforming written text into digitized form. ReCAPTCHA's motto, "Stop Spam. Read Books", describes it best. The idea is simple and elegant. Using the familiar CAPTCHA system, it presents the user with both a known and an unknown CAPTCHA graphic. The user, not knowing which is which, enters the text for both. If the user correctly solves the known CAPTCHA, then the CMU system assigns a high probability to the letters entered for the unknown picture. While digital scanners and OCR have advanced, there are still cases where humans are needed to translate graphics into text. ReCAPTCHA is one method to solve this problem.

Besides helping out the CMU book digitization project, ReCAPTCHA has a unique technical upside - nothing is stored on your server. Many of the existing CAPTCHA systems require a server-side process to generate and store graphics. Instead, ReCAPTCHA uses a public/private key system with a client-server architecture to track challenges and tokens.

Product Rating (star ratings not preserved in this text copy): Features / Ease of Use / Documentation / Community / Overall

Overall, ReCAPTCHA is an interesting implementation of CAPTCHA systems. While its use may not be directly apparent in your security architecture, consider using it anywhere you want to increase the likelihood of there being a human at the other side of the conversation. nCircle recently implemented ReCAPTCHA on our blog and I'd recommend others to do the same.

Enjoy the free lunch.

Additional Resources

What is CAPTCHA and how does ReCAPTCHA work

ReCAPTCHA API documentation

ReCAPTCHA and CMU Press Release


About Free Lunch

This page contains an archive of all entries posted to Sync in the Free Lunch category. They are listed from oldest to newest.
