Paranoid Penguin - Seven Top Security Tools

Simply installing more software won't make your systems more secure. But with these seven packages, you can learn to set up a security policy and test that the other software on your system complies with it.
Fuzzing with Paros

Before we leave the realm of security validation checking, let's consider Web application security. Web applications constitute the single largest area of growth both in Internet-accessible services and in externally exploitable system vulnerabilities. So how do we test the security of our Web applications?

You might think that Nessus is a good start, and it is, but mainly for generic Web dæmon security. Most of what Nessus tells us about Web services applies to the server dæmon itself, such as Apache, not to the actual Web content it serves up. It doesn't tell us whether our custom Web applications do proper input validation, whether they're vulnerable to cross-site scripting vulnerabilities, whether they're vulnerable to fuzzing attacks (in which expected parameters are altered or fuzzed) and so forth. That's where tools like Paros come in.

Paros (Figure 2) is a free tool released under the Clarified Artistic License, and it's written in Java. You need the Java Runtime Environment installed in order to use Paros. You can download both Paros' executable JAR file and its complete source code from www.proofsecure.com.

Figure 2. Paros is a free tool for testing Web applications.

Paros works on a principle common to the new generation of Web security tools. You run it as a local proxy on your scanning workstation, and all the interaction between your local browser and the target Web server is brokered by the security tool. In this way, you can capture an outbound query, alter or fuzz it and then send it along to the server. For example, suppose your Web application uses a form with pull-down menus, and you want to make sure that the application is validating input properly. With Paros, you could replace pull-down menu options arbitrarily with random strings—blozzle instead of monday—and see that query's effect on the application.

Paros also supports several scanning-type features, such as directory traversal. Although the JRE can be taxing on older systems, overall Paros is a flexible and user-friendly tool. Furthermore, being Java-based, it's cross-platform. I've also used it on several different flavors of Windows.

Paros isn't the only free fuzzing proxy. I also should mention Dave Aitel's SPIKE Proxy. It too acts as a local proxy but has the ability to run automated fuzzing attacks based on things it learns about the target site by watching you interact with it. SPIKE has the added advantage of being written in Python, which means much less CPU and memory overhead than Paros requires.

F.I.R.E.

I'm closing my little survey with a forensics tool: William Salusky's F.I.R.E., the Forensics and Incident Response Environment. It's unpleasant to contemplate, but no matter how careful and proactive you are, you may nonetheless someday experience a system compromise. If you do and you want to understand how and why, F.I.R.E. can help.

F.I.R.E. is a single CD-ROM Linux distribution geared toward analyzing compromised systems and recovering data from them. You can use it either by rebooting the compromised system with the F.I.R.E. CD-ROM or by mounting the CD-ROM in a running but feared-compromised Linux system and running tools directly off the CD. The latter technique is useful particularly when you don't trust the system's binaries, as when you fear they've been replaced by rootkit or trojaned versions, but can't take the system off-line just yet.

Besides analysis, F.I.R.E. makes it easy to copy data from the compromised system to other hosts on your network. F.I.R.E. also includes the X Windows System and a variety of both command-line and X-based security tools (including Nmap and Nessus). You can use F.I.R.E. to transform an ordinary Windows laptop into an awesome penetration-testing juggernaut. And at no extra charge, F.I.R.E.'s major functions can be accessed from a menu system comprehendable even by those of us who aren't full-time computer forensics specialists. You can learn all about and obtain F.I.R.E. at fire.dmzs.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Another security tool

Anonymous's picture

Hello All

I would like to present another free security tool. It is called ZeroDayScan - it is a free web security scanning service. No installation is required. Just type in the name of the server and it will be scanned in a matter of minutes. Here is a project url: Zero Day Scan - Free Web Security Scanner

Best regards,
ZeroDayScan Team

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix