Security Tools More Harmful Than Helpful?

soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if security tools like it do more good than harm. This article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development.It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.

re: metasploit

[brennz]

Metasploit is similar to Core Impact.

I'll gladly add this to my tools, without any cash outlay.

Want more security tools?

Re:Patching is a faulty security paradigm

[gtall]

It will not be the one of the few things M$ actually innovated. I learned about capability based architectures back in 1976 and I believe they were "innovated" in the '60's, but security wasn't such a problem back then. Here's a url for 1980's article. You can pick up the trail there:

http://portal.acm.org/citation.cfm?id=850709&dl= AC M&coll=portal

Re:We need these tools and we need them automated!

[RedLaggedTeut]

Why 192.168.123.43 is trying to send 300 emails an hour ?

Really easy answer: he is running an email list.

Why a large number of IP addresses are trying to access port 3250 on 192.168.123.33 ?

Well, because 192.168.123.33 is not the wrongdoer but because someone is faking IP packets replies to which all go back to 192.168.123.33.
Or maybe 192.168.123.33 is running filesharing on that port, which he should well be allowed to do on a decent network.

I guess you could handle all this by having white-lists of hosts that are allowed to do things that the admin considers weird, but without the automation the initial poster spoke of, I think the admin will not be able to maintain a decent service.

Compare this to the first Web servers to be run: An admin could easily have considered these evil bandwidth hogs, and stifled innovation by blocking them.

Other Useful Utilities

[Inhibit]

NMAP Port scanner from insecure.org

SATAN the aformentioned Security Admin Tool for Analyzing Networks.

TripWire for checking when someone's trying to access your system, and stopping them.

Shorewall a relatively easy to set up firewall-in-a-box for Linux.

Re:Patching is a faulty security paradigm

[dossen]

I don't know what MS are aiming for, but there is lots of work on Linux and elsewhere on putting the data in memory pages that are not executable.

Anyone remember "Satan Inside"?

[freelunch]

This issue reminds me of the first release of SATAN and the uproar it caused.

That was a great uproar and a good package. Dan Farmer sure took some flak for that one. He lost a good security gig with SGI as I recall.

But one of the coolest parts of the kit was the postscript file that featured an Intel-like logo that read "Satan Inside".

I had great fun printing those on self-adhesive transparency material and widely distributing..

A quick search turned up one of many sources for the postscript:

Satan Inside

Re:Patching is a faulty security paradigm

[Octorian]

Actually, Solaris has had support for this feature for some time, and OpenBSD now has it as well. It works by making the stack marked as non-executable memory, and stops normal buffer overflow attacks dead in their tracks.

However, a system with this is still exploitable. It is just much harder. One writeup on this can be found
here.