Weekly Security Tools Digest
2001/01/05 to 2001/01/11

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include Mindterm SSH, SSL Proxy, BIND, Tcpdump and Linux Kernel.

Auditing and Intrusion Monitoring tools include Snort, Nessus, Integrit, SAINT, SARA, LIDS and 14 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include Fireparse, Knetfilter, FwLogWatch, Zorp, IPtables and 9 other tools.

Tools for Linux/Unix/Cross Platform include Linux Trustees, Secure FTP, Anomy mail sanitizer and 10 other tools.

Tools for Windows include Tiny Personal Firewall, FPortNG, HouseCall and Advanced Password Generator.


General Tools

SSH

Mindterm SSH
http://www.mindbright.se/mindterm

A v1.99pre3 binary (demo) is available.

SSL

SSLproxy

SSLproxy is a transparent proxy that can translate between encrypted and unencrypted data transport on socket connections. It also has a non-transparent mode for automatic encryption detection on NetBIOS.
• Remark: this is a new tool in the Tool Digest but the version is one year old and does not seem to be updated on a regular basis.

 

BIND 9.1.0b3
Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.
• Changes: BIND 9.1.0b3 is the third beta release of BIND 9.1.0. It fixes a number of bugs in 9.1.0b2 and improves query performance, particularly on multiprocessors.

 

Tcpdump 3.6.1
Lawrence Berkeley Laboratory Network Research Group
http://www.tcpdump.org

Tcpdump is an advanced tool for network monitoring and data acquisition. It is one of the most well-known sniffers/network utilities for Unix.
• Changes: the 3.6 release includes many fixes and enhancements: cleaned-up documentation; promiscuous mode fixes for Linux; IPsec changes/cleanups; alignment fixes for picky architectures; removed dependency on native headers for packet dissectors; removed Linux-specific headers that were shipped; libpcap changes provide for exchanging capture files between systems, and save files now use well-known PACKET_ values instead of depending on system-dependent mappings of DLT_* types; support for computing/checking IP and UDP/TCP checksums; updated autoconf stock files; IPv6 improvements (dhcp draft-15, mobile-ip6, ppp, ospf6); added dissector support for ISOCLNS, Token Ring, IGMPv3, bxxp, timed, vrrp, radius, chdlc, cnfp, cdp, IEEE802.1d and raw AppleTalk; added filtering support for VLANs, ESIS and ISIS; improvements to print-telnet, IPTalk, bootp/dhcp, ECN, PPP, L2TP and PPPoE; HP-UX 11.0: find the right dlpi device; Solaris 8: IPv6 works; Linux: added an "any" device to capture on all interfaces. Security fixes: a buffer overrun audit was done, strcpy was replaced with strlcpy and sprintf with snprintf, and the build now looks for lex problems and warns about them.

 

Linux-2.4.0
http://www.kernel.org

New stable version 2.4.0 of the Linux kernel. The latest development version of the Linux kernel is 2.3.99-pre9.

 


Auditing and Intrusion Monitoring Tools

Snort v1.7
Martin Roesch & many others
http://www.snort.org

What is snort? Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
• Changes: new stable release including the following enhancements: dynamic rules (rules that can turn on other rules); a statistical anomaly detection preprocessor; a TCP stream reassembly preprocessor; an XML output plugin; an enhanced database plugin that now supports Oracle; an IP defragmentation preprocessor that is now 100% functional on all platforms; an HTTP decode preprocessor that can now detect IIS/Unicode attacks; four new detection plugins (react, reference, fragbits, tos); three new command-line switches (-L, -I, -X); improved packet printout code; IP address lists in the rules language; arbitrary/user-configurable action types; packet statistics dumped to console/syslog on SIGUSR1; updated documentation.
• Updated ruleset by Jim Forster: the current release ruleset has been updated, as have the individual downloads. A flexresp set for some of the rule bases will be added within the coming days. The new set can be downloaded from http://www.snort.org/snort-files.htm#Rules.

 

Nessus
Renaud Deraison
http://www.nessus.org

Testers needed. Nessus 1.0.7 will be released shortly. If you have some time, download the CVS version and let me know if you encounter any problem with it.

 

Integrit 1.05.00-beta
Ed L. Cashin
http://integrit.sourceforge.net
http://sourceforge.net/projects/integrit

Integrit is an alternative to file integrity verification programs like Tripwire and AIDE. It helps you determine whether an intruder has modified a computer system. Integrit's major advantages are a small memory footprint and simplicity. It works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe, and you can then use it to make sure that no one has made any illicit modifications to the computer system. In the case of a break-in, you know exactly which files have been modified, added, or removed.
• Changes: the new program i-viewdb (in the aux directory) can be used to view Integrit databases. Big bugfix: the strcpy in options.c's do_rule was the reason for dmalloc's and the Boehm GC's complaints about smashed objects; it has been changed to memcpy. This version includes other small bug fixes. Debugging and memory-leak checking have become configure options. This release also includes a comprehensive human-readable database format, documented in the manpage.
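
The snapshot-and-compare cycle described above, as an added example in Python (not Integrit's code, and not its database format): snapshot() records size, mode, mtime and a SHA-256 digest for every file under a root, the database is written to a separate location, and compare() reports added, removed and modified paths. The directory tree, the "intruder" changes and the JSON database layout are all constructed for the demo. The same caveat the text gives applies: an attacker who can rewrite files can rewrite a database left on the same host, so the saved copy belongs on read-only media or another machine.

```python
"""Minimal Integrit-style file integrity snapshot and comparison (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Walk root and record metadata plus a content hash for every regular file."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)           # lstat: do not follow symlinks planted by an intruder
            rel = os.path.relpath(full, root)
            entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "mtime": int(st.st_mtime)}
            if stat.S_ISREG(st.st_mode):
                entry["sha256"] = sha256_file(full)
            elif stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(full)
            db[rel] = entry
    return db


def save_db(db, path):
    """Persist the snapshot (JSON is this example's choice); keep the copy off-host."""
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline, then an intruder edits, adds and deletes files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls binary\n")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/sh\n")
    baseline = snapshot(root)
    db_path = os.path.join(tempfile.mkdtemp(), "integrit.json")
    save_db(baseline, db_path)

    # Tampering: trojaned ls (same size, different bytes), a new backdoor, passwd removed.
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned ls binary\n")
    with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.remove(os.path.join(root, "passwd"))

    return compare(load_db(db_path), snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

The trojaned ls keeps its size and may keep its mtime within the same second, which is exactly why the content hash, not the metadata, is what catches it.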

 

SAINT 3.1.3 beta 1
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.
• Changes: this new version checks for vulnerabilities in Oracle Internet Application Server, IMail mail server, BEA WebLogic server, bftpd, Sun Cluster Monitor service and MDaemon mail server. It has been modified to compile on PPC/Linux.

 

SARA 3.3.2
Advanced Research Corporation
http://www-arc.com/sara

Security Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. Checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.
• Changes: added two ReportWriter formats (by subnet and by vulnerability), improved network connectivity to the client, fixed problems with custom configuration management, added minor FTP and Web checks, added Sendmail EXPN/VRFY tests and Sendmail DECODE/DEBUG tests, added a test for a writable ftp/pub directory, and added http.sara tests for more IIS samples and for ColdFusion; the new Sendmail, FTP and ColdFusion tests follow the Network Computing (NC) report's guidelines.

 

Vlad 0.7.5
Razor Security
http://razor.bindview.com/tools/vlad/index.shtml

VLAD the Scanner is an open-source security scanner that checks for the SANS Top Ten security vulnerabilities commonly found to be the source of a system compromise. It has been tested on Linux, OpenBSD, and FreeBSD. It requires several Perl modules to run (see the README for more details).
• Changes: numerous entries added to the CGI scanner database.

 

TcpSpy 1.5
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/software

TcpSpy is a Linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging - this may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the other users.
• Changes: new version 1.5 released. It includes better debugging support, a faster rule engine, comparison of executable filenames, support for multiple rules and a bunch of bug fixes and minor tweaks.
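
The user-name lookup TcpSpy is praised for comes from the kernel's socket table, which on Linux is readable as /proc/net/tcp. The following added example (not TcpSpy's code) parses that table and resolves the uid column to a user name, with an optional include-list of users like TcpSpy's filter. It takes the table as text so the constructed sample below runs without root or a Linux host; on a live system pass open("/proc/net/tcp").read(). The addresses are hex in host byte order, so the little-endian decoding used here is correct on x86 but would need "<I" swapped to ">I" on a big-endian machine.

```python
"""Map TCP sockets in /proc/net/tcp to local users, TcpSpy style (added example)."""
import pwd
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IP is little-endian hex on x86."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def username(uid):
    """Resolve a uid; fall back to the number when the account does not exist."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, OverflowError):
        return str(uid)


def parse_proc_net_tcp(text, users=None):
    """Return one dict per socket line; 'users' (set of names) keeps only those users."""
    rows = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        uid = int(fields[7])                # column 8 is the socket owner's uid
        user = username(uid)
        if users is not None and user not in users:
            continue
        rows.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": uid,
            "user": user,
        })
    return rows


# Constructed sample in the /proc/net/tcp layout: sshd listening as uid 0, and an
# outbound ssh session from 10.0.0.15 to 192.0.2.1 owned by a uid with no account.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:0B5A 010200C0:0016 01 00000000:00000000 00:00000000 00000000 123456789        0 12346 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for row in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print("%s:%d -> %s:%d %s user=%s" % (row["local"] + row["remote"] + (row["state"], row["user"])))
```

A uid that resolves to no account (the second row) is worth a second look in itself: a process running as a deleted or never-created user is one of the things a log like TcpSpy's makes visible.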

 

Gnome Service Scan 0.6
Joe Roback
http://feynman.mme.wilkes.edu/~xNetTools/gnome_service_scan

Gnome ServiceScanner is a multi-threaded network scanner that takes two IP addresses and scans every address between them on a given port to see if that service is available.

 

FreshMeat

LIDS 0.9.1 - Devel: 1.0.4 for 2.4.0
Xie Hua Gang and Biondi Philippe
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
• Changes: the new development version 1.0.4 (for kernel 2.4.0) has been released. It adds an inherit option for ACLs in the config file, adds exec_domain from LIDS 0.9.11, adds multi-platform configuration support and fixes bugs from version 0.9.11.

 

MergeLog 4.1
Bertrand Demiddelaer
http://download.sourceforge.net/mergelog

MergeLog is a small and fast C program which merges and sorts http log files in 'Common Log Format' from web servers behind round-robin DNS. It has been designed to easily manage huge log files from highly stressed servers. MergeLog is distributed with ZMergeLog which supports gzipped log files.
• Changes: a bug with empty log files has been fixed. This release includes optimizations of the new date comparison system. BUFFER_SIZE has been raised from 8 KB to 16 KB. The critical loop has been cleaned up and the code comments have been fixed and updated.

 

GK Log 0.8 - Devel: 0.9
Gustavo Noronha Silva
ftp://gklog.sourceforge.net/pub/gklog

GK Log is a log analyzer and marker that searches a log file for user-defined patterns and colours the matches with user-defined colours.
• Changes: new development version. gklog now has modules, and the user can choose how results are shown on screen. Two new options handle plugins: -P (--plugin-path) and -p (--plugin). The first plugin, the console plugin, has been added; it is loaded dynamically, as future plugins will be. Two functions are called from the plugin: PluginInit and LineShow. The manpage has been updated to show the new options, as has the README file, which explains them.

 

IPlog 2.2.3
Ryan McCabe
http://ojnk.sourceforge.net

IPlog is a TCP/IP traffic logger capable of logging TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags, TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSD and Solaris.
• Changes: applied a patch from Conan Ford to enable logging the destination address when doing ident lookups. Added a pid-file command-line and config file option. Added RPM spec file from Tim Waugh. Fixed a problem with parsing C-style comments in the configuration file (reported by Brandon Zehm months ago).
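
The scan types IPlog lists are distinguished almost entirely by the TCP flag byte, and the "bogus TCP flags" case is just a combination no real stack sends. The added example below (not IPlog's code) parses a raw IPv4/TCP packet with struct, verifies the IPv4 header checksum first so that corrupt packets are not reported as scans, and returns a label for null, FIN, Xmas, SYN+FIN and plain SYN probes. build_packet() constructs test packets; the flag thresholds (e.g. treating FIN+PSH+URG as Xmas) are this example's choices. A single SYN is only a connection attempt: what turns it into a scan is many of them to many ports from one source, which is counting work left out here.

```python
"""Classify TCP probes by flag combination, IPlog style (added example)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_checksum(header):
    """RFC 1071 ones-complement sum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP packet (no options, no payload) with a correct IP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    total_len = 20 + len(tcp)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    csum = ip_checksum(ip_no_sum)
    return ip_no_sum[:10] + struct.pack("!H", csum) + ip_no_sum[12:] + tcp


def classify(packet):
    """Return 'bad-checksum', 'not-tcp', or a label for the TCP flag combination."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        return "bad-checksum"
    if packet[9] != 6:                           # protocol field: 6 = TCP
        return "not-tcp"
    flags = packet[ihl + 13] & 0x3F              # TCP flag byte, low six bits
    if flags == 0:
        return "null-scan"
    if flags == FIN:
        return "fin-scan"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & (SYN | ACK | RST):
        return "xmas-scan"
    if flags & SYN and flags & FIN:
        return "bogus-flags"                     # SYN+FIN never occurs in legitimate traffic
    if flags == SYN:
        return "syn"                             # one SYN is a connection attempt, not yet a scan
    return "normal"


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    for name, f in [("null", 0), ("fin", FIN), ("xmas", FIN | PSH | URG), ("synfin", SYN | FIN), ("syn", SYN)]:
        print(name, classify(build_packet(src, dst, 40000, 80, f)))
```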

 

Uptime Client 4.14 - Devel: 4.2.1.20
Alex de Haas
http://uptimes.atomicvoid.net

Uptime Client is a little program that keeps track of your uptime and sends it to a server where you can compare it to many other hosts and browse through various statistical information.
• Changes: new development version. The proxy code has been repaired, some functions have been split out of upclient.c into network.c, stricter error checking has been implemented, and the client now adheres more closely to the Uptimes Protocol specification regarding parameter sizes.

 

Logplay 1.9.3
Rando Christensen
http://projects.babblica.net/logplay

Logplay is a simple system of a Perl script that runs in the background, and a FIFO which it reads from. Syslog pipes logs to the FIFO for Logplay; Logplay will then play sounds when certain customizable events happen. It has support for .wav, .au, and .mp3 formats, and can work with the speechd utility to speak out loud.
• Changes: this version adds support for .wav files, .au files and the splay package. Part of a variable in /usr/share/logplay/conf has been fixed, and the configuration for the wav player and the mp3 player has been separated. logplayconf has been updated for the new wav player.

 

Packet Storm

KSEC - Kernel Security Checker
Pigpen
http://www.s0ftpj.org

Ksec is a tool for FreeBSD and OpenBSD which can find an attacker by direct analysis of the kernel via /dev/mem, bypassing the hiding techniques of the intruder (kernel static recompilation/use of LKMs). KSec can find the modified syscalls from userspace, detect the promisc interfaces, find the modifications applied to a protocol and much more.

 

KSTAT - Kernel Security Therapy Anti-Trolls
Fusys
http://www.s0ftpj.org

Kstat is a tool for Linux which can find an attacker in your system by a direct analysis of the kernel via /dev/kmem, bypassing the hiding techniques of the intruder (kernel static recompilation/use of LKMs). Kstat can find the syscalls which were modified by a LKM, list the linked LKMs, query one or all the network interfaces of the system, list all the processes and much more.

 

Smonitor - Syscall Monitor
Pigpen
http://www.s0ftpj.org

This tool lets you monitor the use of syscalls on your system and block their execution for specified users or groups.

 

Talisker

SHADOW - Secondary Heuristic Analysis for Defensive Online Warfare
US Navy
http://www.nswc.navy.mil/ISSEC/CID

The program’s secret is simple: Unlike commercially available software that scans reams and reams of data to check for keywords that could indicate an attack, SHADOW monitors only who is sending information where. It doesn’t check the contents of the communication at all. It is freely distributed online. Like most open source programs, there is some documentation, but no official support -- although there is a huge community of programmers who have looked at the code and have written improvements and continue to tinker with the way it functions. http://www.techweb.com/wire/story/TWB19981008S0010.

 

Security Focus

Scowl CGI scanner
Melih SARICA
http://www.bilgiteks.com/itt/tools

Scowl CGI scanner scans for bugs in CGIs and currently knows more than 400 of them; new checks are easy to add. It is very fast because it uses threads, and it warns you about hosts that return false-positive answers. It runs under FreeBSD and Linux.

 

WS-Logan
Pier Carlo Chiodi
www.pierky.com

WS-Logan (WebSite - Log Analyzer) looks in log files for hacking HTTP requests and sends a report by e-mail. Scheduled to run periodically, it takes web site log files as input and looks in them for "bad" HTTP requests used in web attacks (CGI vulnerabilities, exploits...). WS-Logan puts the lines of the log file containing this kind of request in a file, and then sends it by e-mail. WS-Logan is a VBS script provided with a .BAT file, which can be used in the Scheduled Tasks utility to run it periodically, and a .TXT file containing the "bad" strings to look for. I use it on a web server I administer, set to run at 00.05 and parsing the log file of the previous day; it's fun to see people playing with the server! It runs under Windows 2000 and Windows NT.
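
Two tools in this digest work on the same input: MergeLog (above) merges Common Log Format files from several round-robin web servers into one time-ordered stream, and WS-Logan scans such a log for request strings that appear in a "bad" list. The added example below (not the code of either tool) does both in Python: a CLF parser, a k-way merge that relies on each server's file already being in time order so nothing is loaded whole, and a matcher over the request field. The log lines, the bad-string list and the server names are constructed; a line that does not parse is skipped rather than aborting the merge.

```python
"""Merge per-server CLF logs by timestamp and flag known attack requests (added example)."""
import heapq
import re
from datetime import datetime

CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed stand-in for a WS-Logan style .TXT list; matching is case-insensitive.
BAD_PATTERNS = [
    "/cgi-bin/phf",      # classic CGI hole
    "%c0%af",            # overlong UTF-8 slash used in IIS unicode traversal
    "/scripts/..",
    "cmd.exe",
    "../",               # plain directory traversal
]


def parse_ts(ts):
    """'10/Jan/2001:00:05:01 +0100' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parsed_lines(lines):
    """Yield (timestamp, line) for lines that parse; silently skip corrupt ones."""
    for line in lines:
        m = CLF.match(line)
        if m:
            yield parse_ts(m.group("ts")), line


def merge_logs(*sources):
    """k-way merge of already time-sorted line iterables, one per server."""
    return [line for _, line in heapq.merge(*(parsed_lines(s) for s in sources), key=lambda t: t[0])]


def suspicious(line, patterns=BAD_PATTERNS):
    """Return the first bad pattern found in the request field, or None."""
    m = CLF.match(line)
    if not m:
        return None
    req = m.group("req").lower()
    for p in patterns:
        if p.lower() in req:
            return p
    return None


def report(merged, patterns=BAD_PATTERNS):
    """(client host, matched pattern, line) for every merged line that hits the list."""
    hits = []
    for line in merged:
        p = suspicious(line, patterns)
        if p:
            hits.append((CLF.match(line).group("host"), p, line))
    return hits


# Constructed sample: two servers behind round-robin DNS, each file in its own time order.
SERVER_A = [
    '198.51.100.7 - - [10/Jan/2001:00:05:01 +0100] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.9 - - [10/Jan/2001:00:05:04 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    '198.51.100.7 - - [10/Jan/2001:00:05:09 +0100] "GET /about.html HTTP/1.0" 200 1182',
]
SERVER_B = [
    '203.0.113.9 - - [10/Jan/2001:00:05:02 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 290',
    'this line is corrupt and will be skipped',
    '192.0.2.44 - - [10/Jan/2001:00:05:07 +0100] "GET /products.html HTTP/1.0" 200 4410',
]


def demo():
    merged = merge_logs(SERVER_A, SERVER_B)
    return merged, report(merged)


if __name__ == "__main__":
    merged, hits = demo()
    for host, pattern, line in hits:
        print(host, pattern, line)
```

Merging before matching is what makes the report useful: the two probes from 203.0.113.9 landed on different servers two seconds apart, which neither server's own log shows.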

 

Flatline
Case
www.c1sco.net/flatline

Flatline is a web server vulnerability scanner, in beta for Linux and BSD. Options include mass host scanning, scanning through proxies, detection evasion, quick banner-grab scans and an interactive mode to send specific URLs. It also includes a sample exploit database: if a vulnerable file is found it will print a BugTraq ID or a way to exploit the file. This is a semi-beta release, with lots of new things to come.

 


Firewalls for UNIX/Linux/BSD & Cross-platform

Fireparse 2.0
Aaron D. Marasco
http://aaron.marasco.com/linux.html

Fireparse is a Perl script that emails a report of all packets that have been logged by the kernel's IPtables packet filtering subsystem. The report includes source and destination ports, direction, logged packet count, IPtables rules, and fully resolved host names (if available). The report can be formatted as plain text or as a colored HTML table. Fireparse also moves all IPtables entries from your syslog file into a second message file so that other syslog entries are more easily noticed and filtered. HTML output can also be sent to a dated file.

 

Knetfilter 2.0.2
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
• Changes: new version 2.0.2 released, stable version for KDE2.

 

FreshMeat

FwLogWatch-0.1
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and Real-time response mode.
• Changes: the IP address handling code and the IPchains parser (converted to flex) have been rewritten. This version includes small parser and output extensions. Mode collision detection has been added, and the time calculation problem and warp detection have been fixed. This version supports the Cisco uptime log format.

 

Zorp 0.6.0 - Devel: 0.7.11
Balazs Scheidler
http://www.balabit.hu/products/zorp

Zorp is a new-generation modular proxy firewall suite to fine tune proxy decisions with its built in script language, fully analyze complex protocols (like SSH with several forwarded TCP connections), and utilize outband authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol).
• Changes: new development version 0.7.11, with a lot of minor changes. Bugfixes: fixed an HTTP/0.9 bug, fixed a response parsing bug in http_split_response, fixed a race condition in lib/pyconnect.c (z_py_zorp_connect_start), fixed a warning in modules/plug/plug.c (plug_read_input) and fixed a warning in lib/pyproxy.c (z_py_zorp_proxy_new) by removing the unused buf variable. The documentation has been updated for pylib/Zorp/Zone.py, pylib/Zorp/Listener.py (ZoneListener) and pylib/Zorp/Domain.py. This version includes a new Zorp Reference Guide. The --verbose option changed from optional_argument to required_argument. modules/http/http.c has been adapted to the new logging scheme. Python modules were added in modules/*/Makefile.am to EXTRA_DIST and pkgdata_DATA. Some calls have been changed and ZoneListener has been implemented in pylib/Zorp/Listener.

 

MonMotha's IPTABLES Masquerading Firewall 2.3.0
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall

MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it perfect for users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available.
• Changes: this release adds an option to deny specific ports from specific hosts, adds rate limiting to the logging chains to prevent log DoSing, and spiffs up the comments. The "AUTH_ALLOW" and "DNS" options have been changed to be more generic and flexible. The comments for the new kernel version have been updated. The double-drop setting has been removed. This release has been updated for IPtables 1.2 support. Port forwarding has been added, along with MAC address matching for masquerading, better per-protocol behaviour and a new option for static NAT.


IPtables Linux Firewall  4.2d-1
Patrik Hildingsson
http://www.kurd.nu

IPtables Linux Firewall is a firewall that uses netfilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.

 

IPtables 1.2
Netfilter Core Team
http://netfilter.kernelnotes.org

IPtables is the new packet alteration framework (firewall utility) for Linux 2.4. It is an enhancement on IPchains, and is used to control packet filtering, Network Address Translation (masquerading, port forwarding, transparent proxying), and special effects.
• Changes: Updates for 2.4.0 final compatibility, various IPv6 fixes, various bug fixes, eggdrop bot connection tracking, and big-endian alignment fixes. For more detailed information, please refer to http://netfilter.kernelnotes.org/changes-iptables-1.2.html.

 

FK 0.5 (devel)
Matthew Kirkwood
http://ferret.lmh.ox.ac.uk/~weejock/fk

FK is an application proxy suite designed for building IP gateways. Ultimately, the intent is to provide a free software replacement for the TIS firewall toolkit. The current version includes a simple TCP plug, two POP3 gateways, a lightweight RFC 1413 (ident) server, an FTP gateway, some log file monitoring tools, and a network/host ACL facility like netacl or tcpd. The code has been written to make writing more proxies fairly easy.

 

Ferm 0.0.12
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule setup. The rules are executed by the preferred kernel interface, such as IPchains or IPtables. Ferm also helps modularize firewalls, because it makes it possible to split the firewall into several files that can be loaded at will, so you can adjust your rules dynamically.
• Changes: several changes since version 0.0.9: an incredibly stupid bug introduced in 0.0.11 has been fixed, as have a lot of silly bugs in the policy system (upper/lower case, wrong targets). This version allows empty files. The policy can now be specified as a single statement, like "chain input policy ACCEPT;", allowing policies to be shut down and opened while loading. The 'reverse' option has been added. The fqdn specification has been fixed (Yannick Le Briquer) and the package now contains the man page in HTML.

 

gShield 2.0.0
R. Gregory
http://muse.linuxmafia.org/gshield.html

gShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
• Changes: this new version includes the following enhancements: initial conversion to IPtables, support for multiple NATs, routable support and protection, support for DMZ'd machines, sane limits for default drops and incoming ICMP, MAC address filtering for administrative machines, configurable public service access, configurable client access, integrated port forwarding and stateful tracking.

 

Authsrvpassword.pl 1.01
Peter Robinson
http://www.securegateway.org

Authsrvpassword.pl is a CGI-type application that allows users to change their TIS Firewall Toolkit or Gauntlet firewall Authsrv passwords using a browser.

 

Netsed 0.01b
Michal Zalewski
http://lcamtuf.na.export.pl/netsed.tgz

Netsed brings sed functionality to the network layer, allowing you to change the contents of packets travelling through your gateway on the fly, in a completely transparent manner. It features basic expressions and dynamic filtering, and cooperates with IPfwadm/IPchains transparent proxy rules to pick specific packets.

 

MFS - Modular Firewall System 0.0.1
Alexander Griesser and Christoph Pittracher
http://students.htblmo-klu.ac.at/mfs

MFS provides a commandline based IPchains configuration for administering IPchains based packet filtering on several machines by using the same or familiar config-files.

 

Security Focus

Fwall 0.1-1
StarLink
http://www.conectividade.com.br/fwall-sw.html

Using fwall, type a single command line and with little knowledge you can: create complex IPchains, Bash, Perl (and others) based firewall scripts, block or permit access to services with a single command line and select modules (plug-ins) from a menu screen to permanently activate/deactivate the firewall.

 


Tools for UNIX/Linux/BSD & Cross-platform

Linux Trustees 2.3
Vyacheslav Zavadsky
http://trustees.sourceforge.net/

The main goal of the Linux Trustees project is to create an advanced permission management system for Linux. The solution proposed is mainly inspired by the approach taken by Novell NetWare and the Java security API. Special objects (called trustees) can be bound to every file or directory. The trustee object can be used to ensure that access to a file, directory, or directory with subdirectories is granted (or denied) to a certain user or group (or all except a user or group). Trustees are like POSIX ACLs, but a trustee object can cover an entire subdirectory tree, whereas an ACL applies to a single file or directory.

 

RenAttach 0.16
Jem Berkes
http://www.pc-tools.net/linux

RenAttach is an e-mail filter/processor that runs from a user's .forward file (or Sendmail). It is designed to protect end users (particularly those using Windows) from malicious e-mail attachments containing viruses or Trojans. It does NOT scan specifically for viruses, but rather renames e-mail attachments so that they can not be accidentally executed. It handles both UUEncoded and Mime encoded attachments. All incoming mail is instantly, automatically filtered.
• Changes: corrected a couple of "style" issues in the code, added the ability to forward the filtered mail to another address, improved error handling (it now detects if mailers are not found on the system), can now use an MTA (Sendmail) to send mail to an external address, fixed a bug where extensions were not recognized in filenames containing multiple periods, and improved the documentation (including the installation section).

 

Pdump v0.8 - Devel 0.81
Samy Kamkar
http://pdump.org

Pdump is a raw packet sniffer and injector. It has the features of many other programs such as Tcpdump, Dsniff, and ngrep.
• Changes: new development version 0.81.

 

BFBTester: Brute Force Binary Tester 2.0B - Devel 3.0 Beta
Mike Heffner
http://sourceforge.net/projects/bfbtester

BFBTester is great for doing quick, proactive, security checks of binary programs. BFBTester will perform checks for single and multiple argument command line overflows and environment variable overflows. Versions 2.0-BETA and higher can also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names.

 

Secure FTP v1.03
Gary Cohen and Brian Knight
http://www.glub.com/products/secureftp

Secure FTP is a client package that allows a secure connection to be made to an FTP daemon. In this release, we support connecting via the Secure Sockets Layer, or SSL. Future releases may support other authentication mechanisms (e.g. Kerberos, OPIE). This client is supported on Windows and any Unix platform where a Java 2 (or Swing) runtime environment is present. It was written in 100% Pure Java and can act as either an application or an applet. The applet version will only run under Windows at this time, but we are looking into other solutions. Since crypto is present in this product, US export restrictions are in effect. If you reside in an embargoed country you will not be allowed to use this product. Secure FTP is a joint production with the San Diego Supercomputer Center.

 

Freedom Internet Privacy Suite 2.0
Zeroknowledge
http://www.freedom.net/info/linux.html

Freedom is a flexible suite of standard features and premium services that serve to protect and secure your online privacy using sophisticated military-grade encryption. Unlike other Internet privacy solutions, Freedom gives you complete control over your personal information and online identity. The free version (Windows & Linux) includes a cookie manager, ad manager and keyword alert. The commercial version adds anonymous encrypted email and anonymous browsing and chatting ($49.95).

 

FreshMeat

TEA Total 0.4 (Devel)
Alex Holden
http://www.linuxhacker.org/tea-total

TEA Total is a collection of extremely small encryption tools. At the heart of TEA Total is TEA (the Tiny Encryption Algorithm): a fast 64-bit block cipher with a 128-bit secret key, developed and placed in the public domain by David Wheeler and Roger Needham of the Cambridge Computer Laboratory. TEA is said to be several times faster than DES, as well as being much smaller and more secure. It is not encumbered by any patents and the reference implementation is in the public domain.
• Changes: a lot of changes from version 0.1 (devel) to version 0.4 (devel): TEA Total now uses the block mode algorithm and fully supports inter-operation between big- and little-endian systems. The file format should now be stable, and the program has been restructured internally to ease the addition of the network forwarding applets currently being developed. This version now includes Huffman coding (compression) support, a full set of manual pages, and an internal secure random number generator for operating systems that do not provide one. The key generator is now an applet instead of a separate program, key generation works on OpenBSD as well as Linux, and it is possible to choose exactly which applets and extra features to build. Keys can be password-protected, and Base64 (ASCII armour) coding is supported. A much more powerful command-line argument parser was written, a lot of the code was restructured for easier maintenance, and it is now also available as source and x86 binary RPM packages.
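
TEA itself, as an added example in Python (not TEA Total's code, and not its file format): the 32-round Feistel block function with its 0x9E3779B9 round constant, wrapped in CBC with PKCS-style padding and a fixed big-endian word layout. The fixed layout is the point the changelog makes about big- and little-endian interoperation: a file written on one host decrypts on another only if both agree on how the 32-bit words are serialised. The chaining mode, padding and "IV prepended to ciphertext" layout are this example's choices. Two caveats a practitioner would add to the description above: TEA has well-known weaknesses (equivalent keys, related-key attacks, and a 64-bit block size), so this is an illustration of the algorithm rather than a recommendation, and CBC without a MAC lets an attacker flip plaintext bits by flipping ciphertext bits.

```python
"""TEA block cipher with CBC mode and fixed big-endian serialisation (added example)."""
import os
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block (two 32-bit words) under a 4-word key."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: same rounds in reverse, sum counting down."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def key_schedule(key16):
    """16 key bytes -> 4 big-endian words; the byte order is fixed so hosts agree."""
    if len(key16) != 16:
        raise ValueError("TEA needs a 128-bit key")
    return struct.unpack(">4L", key16)


def pad(data):
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key16, plaintext, iv=None):
    """Return IV || CBC-TEA(pad(plaintext)); a fresh random IV unless one is supplied."""
    k = key_schedule(key16)
    iv = os.urandom(8) if iv is None else iv
    prev = struct.unpack(">2L", iv)
    out = [iv]
    data = pad(plaintext)
    for i in range(0, len(data), 8):
        b0, b1 = struct.unpack(">2L", data[i:i + 8])
        prev = tea_encrypt_block(b0 ^ prev[0], b1 ^ prev[1], k)
        out.append(struct.pack(">2L", *prev))
    return b"".join(out)


def cbc_decrypt(key16, blob):
    """Inverse of cbc_encrypt; raises on truncated input or bad padding."""
    k = key_schedule(key16)
    if len(blob) < 16 or len(blob) % 8:
        raise ValueError("truncated ciphertext")
    prev = struct.unpack(">2L", blob[:8])
    out = []
    for i in range(8, len(blob), 8):
        c = struct.unpack(">2L", blob[i:i + 8])
        p0, p1 = tea_decrypt_block(c[0], c[1], k)
        out.append(struct.pack(">2L", p0 ^ prev[0], p1 ^ prev[1]))
        prev = c
    return unpad(b"".join(out))


if __name__ == "__main__":
    key = os.urandom(16)
    blob = cbc_encrypt(key, b"attack at dawn")
    print(blob.hex(), cbc_decrypt(key, blob))
```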

 

NSA Security-enhanced Linux 200101020953 (devel)
NSA
http://www.nsa.gov/selinux

NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control architecture into the major subsystems of the kernel. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.
• Remark: new in the Tool Digest.

 

The Anomy mail sanitizer 1.34
Bjarni R. Einarsson
http://mailtools.anomy.net

The Anomy mail sanitizer is a filter designed to block email-based security risks, such as Trojans and viruses. It can scan an arbitrarily complex RFC822 or MIME message and remove or rename attachments, truncate unusually long MIME header fields and sanitize HTML by disabling JavaScript, etc. It uses a single-pass pure Perl MIME parser, which can make it both more efficient and more precise than other similar programs. The sanitizer has built-in support for third-party virus scanners.
• Changes: WARNING: This release modifies the output of the test cases. Your .diff files should contain lots of MIME headers (Content-Type, etc.), but almost nothing else, except in the uu-rfc822 case where the uuencoded output also changes. This new version includes the following changes: the "feat_fixmime" option has been added and makes the sanitizer try to output valid MIME messages even when its input is invalid; this converts illegally encoded multipart/* or message/* parts so they are legal and legible (8bit encoding), and fixes ambiguous boundary strings (see below). The header cleaning routine has been modified to leave clean headers on multipart parts completely unmodified, as in other parts. The bug in the Base64 decoding routine has been fixed. The boundary detection code has been fixed to cope with how different mailers treat RFC822 comments within boundary strings. Ambiguous boundaries are replaced with unambiguous ones, unless feat_fixmime is disabled.


CryptoPadSplicer 0.4.1
Boris Wesslowski
http://www.kybs.de/boris/software.shtml

CryptoPadSplicer is a conduit for a cryptographic MemoPad replacement application for the Palm called CryptoPad. It can transfer, decrypt, and save files from a PalmPilot to a PC.


PacketStorm

Lomac 1.0.1
Network Associates, Inc.
http://www.pgp.com/research/nailabs/secure-execution/lomac.asp

LOMAC (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use. A whitepaper and a manual are available.
• Changes: this release fixes a dentry reference counting bug on BIND operations and includes some minor documentation corrections.


Security Focus

Mod_auth_any 1.0.2
Nafees Bin Zafar
http://www.itlab.musc.edu/~nafees/mod_auth_any.html

Mod_auth_any is a runtime module for the Apache HTTP Server. Quite possibly the best webserver in the world. This module allows you to use any command line program (such as webNIS) to authenticate a user. No more having to keep AuthUserFiles in sync, or maintain some nasty database. You can even have an expect script that does ssh authentication. It runs under Linux, Solaris and UNIX.


Unrm v0.92
Octavian Popescu
http://hideout.art.ro

Unrm is a small Linux utility which can, under some circumstances, recover almost 99% of your erased data (similar to DOS's undelete).
• Changes: fixed a bug that allowed only 6-digit inode numbers to be dumped, and added a few variables containing the commonly used program locations (mount, debugfs).



Tools for Windows

Tiny Personal Firewall build 6
http://www.tinysoftware.com/pwall_news.php

• New features: new, simplified rule wizard with many improvements; new icons and installation dialogs; TPF can be installed over previous installations; DNS names and service names are displayed in the status window; rules can be temporarily disabled by unchecking checkboxes; configuration is now saved after every modification.
• Bugs fixed: "Unable to allocate buffer" problem fixed; many bugs in the kernel module (driver) fixed; the knownapp.txt file is no longer used.


FPortNG 1.31
Foundstone
http://www.foundstone.com/resources/tools.html

Fport v1.31 is a powerful Windows NT/2000 intrusion detection/audit tool which reports all open local TCP/IP and UDP ports, displays the services that are active on the ports, and maps the ports to their respective applications. This tool is somewhat similar to lsof for Unix. It allows sorting by application, process ID, application path, and port. Extremely useful for investigating suspected Trojans, viruses, and backdoors.


SecuriTeam

Achilles 0.16b
DigiZen Security Group
http://www.digizen-security.com/downloads.html

Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission. It runs under Windows NT, Windows 2000 and Windows 98.
• Current Limitations: Achilles does not verify any web servers' certificates. Serving as a man-in-the-middle, Achilles is vulnerable to man-in-the-middle attacks. The current version of Achilles doesn't support host restrictions, so any user with access to the port Achilles is running on can use it as a proxy. Even though Achilles can function as a proxy server, it is highly discouraged to be used as such when not testing web applications.
• Features: full-featured desktop proxy server, intercepts bi-directional HTTP and SSL sessions, logs HTTP and SSL sessions in plain text, inserts data into an editor box allowing alteration, configurable listening port, configurable timeout values, recalculates Content-Length fields after data modification, and additional buffer space allows buffer overflow testing, up to a maximum of 10,000 bytes.


Security Focus

HouseCall
Trend Micro
http://housecall.antivirus.com

HouseCall is a free on-line virus scanning service from Trend Micro for Exchange Server mailbox, Lotus Notes Database, and for local disk. Nothing to install; HouseCall scans for and cleans viruses over the Web through ActiveX and Java technology. As a result, the product is always up-to-date. It runs under Windows 2000, Windows 95/98 and Windows NT platforms.


Advanced Password Generator 2.73
Segobit Software
http://www.securityfocus.com/tools/1907

Advanced Password Generator is an application designed to generate passwords of any length and character content. It lets users choose which of the random number generators built into the application to use; this feature is used to generate an extremely random seed value. The random number generators are written in a low-level language, and some of the generators built into this application are impossible to write in a high-level language (Basic, Pascal, C++ and others). After registration, users can obtain the application with their own additional random number generator. Advanced Password Generator will create alphabetic, numeric, alphanumeric or all-keyboard-character passwords of user-defined lengths. Passwords can be generated in lowercase or mixed case. All passwords can be printed. It runs under Windows 2000, Windows 95/98 and Windows NT.



Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 11 January, 2001