Slashdot Mirror


Security Tools More Harmful Than Helpful?

soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if security tools like it do more good than harm. This article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development. It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.


  1. Duh by Anonymous Coward · · Score: 5, Insightful

    Any tool can be used incorrectly.

    Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets

    run apache's tester, 'ab' to the wrong host and it's a DDoS attack, and not a test of a webserver

    run X to the wrong host and it's a , not a

  2. Security tools = trouble? Yes/No by 192939495969798999 · · Score: 4, Insightful

    Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.

    --
    stuff |
  3. Security Tools by kpogoda · · Score: 4, Insightful

    It will be a major help to both the administrators and the hackers. But this is not a radical change from the current situation. Hackers and Crackers already employ many of the same tools for troubleshooting and other less legitimate purposes.

  4. eye for an eye by irokie · · Score: 5, Insightful

    I think the point made in the article that "this tool allows admins to play on the same level as the attackers" is a very valid point and should be paraded out in front of anyone who says "but this will only cause more attacks by making the attacks easier for the attackers to execute".
    Newsflash: even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojans and the like).
    Giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. And an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.

    --
    and if you see me strut, remind me of what left this outlaw torn...
  5. The debate... by Alioth · · Score: 4, Insightful

    The debate is almost pointless. If there's complex software, and that complex software has bugs, it is inevitable that exploits and exploit kits like the one in the story will be written.

    Railing against them won't make them go away - maybe the author(s) of this particular tool will give up, but there are plenty of other authors who will inevitably write something similar anyway.

  6. Patching is a faulty security paradigm by ehack · · Score: 4, Insightful

    The whole test/patch paradigm is wrong, regarding security: The patches can only be issued when the problem becomes visible, which is doubtless too late for many out there. Also, a significant fraction of users are unskilled, or simply leave their machines unattended, and cannot patch in time.

    Sadly, security problems were already better dealt with by Unix when it was designed, more than thirty years ago, than by Windows now, but the large number of Linux boxen that get rooted shows that the Unix model is now hopelessly out of date. It is time to catch up on the basic issues, separate the programs from the data more effectively, provide PCs with effective data backup,
    and maybe freeze some essential functionality in firmware so that it cannot be overwritten.

    --
    This is not a signature.
    1. Re:Patching is a faulty security paradigm by Vancorps · · Score: 4, Insightful
      This is what MS is attempting to do with XP Service Pack 2

      They are entering the game where all memory must be flagged as executable or not-executable when allocated. Great step in the right direction.

      Also, I don't have any server apps that have data in the same location. Exchange and Active Directory are all stored on a RAID 5 while the operating system is only mirrored. We have an image of the operating system which is fully working and we only bother to backup the array. Occasionally we will check the OS's integrity with Tripwire and if it passes then we create a new image and store it alongside the old image just in case the unforeseeable happens.

      There are ways to deal with these issues. I'd say Linux and Windows follow the exact same patching model, the only difference is there are a lot more people developing patches for Linux. Speaks well for OSS but education is still a problem; for whatever the reason many Linux users and worse, admins don't know shit about designing a secure and reliable environment.

      As for the firmware idea, I believe that is where the industry is headed. It is a good idea but it does restrict the capabilities of a system while also having a very large margin for error. I can imagine a new install of an OS would require several firmware updates to get the required interface to work, and what if you installed the wrong firmware? It's like an Intel board today, if you want to upgrade the firmware there are so many pre-reqs it's often a pain in the ass and worse yet, it's a requirement because your backplane will keep dying without it. I think it's best just to create a secure model for which to install. Force people to store programs and data in a different location and with different permissions.
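      The integrity check Vancorps describes (hash a known-good image, compare the live system against it before trusting it enough to re-image) is easy to reproduce in miniature. The following is an added example, not Vancorps's configuration and not Tripwire's own code; the file names and contents are constructed for illustration, and the comparison works on a path-to-bytes mapping so it runs offline, with a directory walker for use on a real tree.

```python
"""Tripwire-style file integrity baseline and comparison (added example).

The baseline manifest must come from a known-good image and be stored
off the box (or on read-only media); a baseline that an attacker can
rewrite along with the binaries proves nothing.
"""
import hashlib
import os
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> hex digest


def digest(data: bytes) -> str:
    """SHA-256 rather than MD5: collisions are cheap to build for MD5."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Digest an in-memory path->content mapping (stand-in for a file tree)."""
    return {path: digest(content) for path, content in files.items()}


def manifest_from_tree(root: str) -> Manifest:
    """Walk a real directory; paths are stored relative to root so the same
    image can be checked wherever it is mounted. Symlinks are recorded by
    their target rather than followed, so a link swap shows up as 'modified'."""
    manifest: Manifest = {}
    for dirpath, _dirs, names in os.walk(root):  # does not follow dir symlinks
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = digest(b"symlink:" + os.readlink(full).encode())
                continue
            with open(full, "rb") as fh:
                manifest[rel] = digest(fh.read())
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Report what appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def passes(report: Dict[str, List[str]]) -> bool:
    """True only when nothing was added, removed or modified."""
    return not any(report.values())


# Constructed sample trees (hypothetical paths and contents, not real binaries).
BASELINE_FILES = {
    "bin/login": b"login-v1",
    "bin/ls": b"ls-v1",
    "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
}
LIVE_FILES = {
    "bin/login": b"login-v1-with-backdoor",   # trojaned binary
    "bin/ls": b"ls-v1",
    "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "usr/lib/.x": b"rootkit",                  # dropped file
}

if __name__ == "__main__":
    report = compare(build_manifest(BASELINE_FILES), build_manifest(LIVE_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")
    print("clean" if passes(report) else "integrity check FAILED")
```

On the constructed trees the report lists `bin/login` as modified and `usr/lib/.x` as added, so `passes()` is false and the image should not be re-captured. In a real deployment, run the comparison from a trusted boot (the checker and its hash library on a compromised host can be trojaned too) and include file modes and ownership alongside the content digest.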
    2. Re:Patching is a faulty security paradigm by Tassach · · Score: 3, Insightful
      Sendmail is still full of holes. Sendmail 8.11.7 was released just over a year ago (30 Mar 2003). In that year there have been no less than 5 critical bugs discovered including 2 remote root exploits and a DOS vulnerability.

      I got sick of playing whack-a-mole with Sendmail's bugs and switched over to Postfix. In that year there has been only one bug discovered in Postfix -- a DOS vulnerability. AFAIK, Postfix has NEVER had a remote root exploit.

      Security is HARD to get right. Postfix was designed from the ground up with security in mind by one of the leading experts in the field of computer security, and it still occasionally has problems. OpenBSD is reviewed line-by-line for security problems by some of the most anal-retentive programmers in the world, and it still has an occasional hole. Programs like sendmail, where security is a poorly-implemented afterthought, can never be trusted.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  7. Security tools == good by Ckwop+Johnson · · Score: 2, Insightful

    The bad guys are becoming a corporate force (due to the requirement for spam bots).

    Now we have a choice of making security testing products that might be used by the bad guys to break into other people's networks or we can let the bad guys develop these tools anyway and leave ourselves with a harder job in testing security.

    I think the tradeoff is worth it.

    Simon.

  8. Renaming the tools of the trade by ehack · · Score: 4, Insightful

    I suggest remote backup instead of file-sharing. And remote security testing instead of cracking. Makes it sound like you are doing a company a favor when you remotely test their security, or determine their bandwidth limitations.

    --
    This is not a signature.
  9. I think it's pretty simple by RAMMS+EIN · · Score: 4, Insightful

    I think it's pretty simple. Those meaning harm are going to write exploits/sniffers/etc. They might even share them, but you bet they will try to keep them out of the hands of the white hats. This means that if you write a tool and release it to the public, you benefit the white hats, while giving the black hats what they already had. Even in the case where black hats didn't have an equivalent piece yet, they will at worst be on par with the rest.

    Writing and releasing these tools is the only way to establish certainty. Certainty that, if a hole can be detected, you can. And certainty that everyone else can, so you MUST patch it. No more guessing that it will be alright and being wrong.

    --
    Please correct me if I got my facts wrong.
  10. Abuse does not justify banning by Anonymous Coward · · Score: 4, Insightful

    Over the years how many people have used hammers, axes, etc to cause harm to other people? Where I live there was just recently a fire fighter who chopped up his girlfriend with his fire axe (normally very useful in saving lives).

    In the final analysis there are always ways to abuse things and cause harm with them. That doesn't justify preventing their legitimate use. All the more so if their legitimate use actually makes their abuse all the more difficult.

  11. Bad Logic by re-Verse · · Score: 4, Insightful

    This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel it's worse, I'll offer an analogy.

    Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
    Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and assume an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.

    Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.

    1. Re:Bad Logic by nacturation · · Score: 1, Insightful

      Should brightly lit streets at night be banned because they allow muggers to see us more clearly?

      I think that's a poor analogy. A better one would be this: Should automated tools to check whether a house's doors are locked and alarmed be banned, given that burglars can check houses to see which are vulnerable? Especially if you consider that very few people actually use the tool to check their own house?

      The ideal answer is that those tools should be made available to everyone, both for houses and for securing computer systems. If everyone used them constantly they would be very secure, at least against known attack vectors. However, how many people even know what a software vulnerability is? And those who do have some inkling, how many of those even bother to check their system? The current problem is that a very high percentage of systems are insecure and people just don't know that it's something to be concerned about. Most people see computers as being complicated TV sets. Turn it on, use it, shut it down.

      Until security is effectively mandatory and in-your-face obvious and intuitive even for your grandmother, I fear the tools are being put to more use by the bad guys than the good guys.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:Bad Logic by jrexilius · · Score: 2, Insightful

      I think his original assertion is valid, but the analogy is bad.

      The security world is like an arms race and, just like in the real world, it's helpful to buy better weapons from allies rather than to spend all your productivity just on weapons (please let's not digress into politics here).

      Sysadmins have limited time and many problems to deal with. These tools allow them not only to address more problems but are also helpful in lobbying for management support ($) to fix problems. By being able to document and demonstrate problems and their solutions they can more effectively guide infrastructure spending and development.

      By saying there are lazy and/or uneducated sysadmins out there and that we should push towards the lowest common denominator you would do more harm than good in the macro sense.

  12. Leveling the field by Benm78 · · Score: 4, Insightful
    Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.

    In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.

    If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.

    Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.

  13. Re:Potential Abuse == Evil Product Mentality by 91degrees · · Score: 2, Insightful

    Did this work for the guy who had a map of the bank, equipment to disable the alarm, a large bag, some explosives and a detonator?

    Yeah, okay. I realise it's just a joke. The thing is, you can make assumptions about what people are going to do with their equipment. Sometimes these assumptions are valid, sometimes they're not. Each case is different, and should be decided at the time on its own merits.

  14. It would be around anyway by Eudial · · Score: 2, Insightful

    Tools like this would be around even if they were not developed in this public manner. Only this way we give the poor admins the ability to test their networks so that they don't have to learn the hard way that they needed to patch up their systems.

    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  15. Dual Edged Sword by truG33k · · Score: 3, Insightful

    Most tools out now are dual-edged swords, providing a useful feature in one hand, while being able to do harm if used other than the way the designer intended. A baseball bat is just equipment for a game, until you crack somebody's skull open with it.

    --
    You only live once, so you might as well have fun before you die.
  16. Blah by harikiri · · Score: 4, Insightful

    Some sleepy thoughts before I crash...

    This is the time-old argument of "guns don't kill people, people kill people". Except, it is now being applied against electronic "tools". Another saying comes to mind: "if you outlaw xyz, then only outlaws will have xyz".

    A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.

    This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.

    Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.

    However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of solely checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply creates a root-owned file on the server, in /, called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.

    However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.

    --
    Man watching 6 MSCEs around a sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
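    The "grep sprintf" audit harikiri mentions is the crudest form of static analysis, and it is worth seeing what it does and does not catch. The following is an added example, not harikiri's tool or anything from the Metasploit project: a small scanner that strips C comments (so commented-out calls are not reported), flags the classic unbounded libc calls, and separately flags `scanf`-family calls whose format uses `%s` with no field width. The C fragment it scans is constructed for illustration.

```python
"""Quick 'grep sprintf' style audit of C source for unbounded libc calls (added example).

This is triage, not proof: a hit means 'look here', a clean run means nothing.
It knows nothing about types or data flow, so it will flag a strcpy into a
buffer that is provably large enough and miss an overflow hidden behind a
bounded call with a wrong bound.
"""
import re
from typing import List, NamedTuple

# The functions a first-pass audit greps for, with the reason each is suspect.
UNSAFE_CALLS = {
    "gets":     "no bound on input length; cannot be used safely",
    "sprintf":  "unbounded write into dst; prefer snprintf",
    "vsprintf": "unbounded write into dst; prefer vsnprintf",
    "strcpy":   "unbounded copy; prefer strlcpy or snprintf",
    "strcat":   "unbounded append; prefer strlcat",
}


class Finding(NamedTuple):
    line: int
    func: str
    reason: str
    text: str


# \b keeps 'snprintf' from matching as 'sprintf'; \s*\( requires an actual call.
_CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")
# scanf / fscanf / sscanf: capture the argument text up to the statement end.
_SCANF_RE = re.compile(r"\b(?:f|s)?scanf\s*\(([^;]*)")
# %s with no preceding width digit, e.g. "%s" but not "%15s".
_UNBOUNDED_S_RE = re.compile(r"(?<![0-9])%s")


def strip_comments(src: str) -> str:
    """Remove /* */ and // comments while preserving newlines so line numbers hold."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan_source(src: str) -> List[Finding]:
    """Return every suspect call in the source, in line order."""
    findings: List[Finding] = []
    for no, line in enumerate(strip_comments(src).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            findings.append(Finding(no, name, UNSAFE_CALLS[name], line.strip()))
        m = _SCANF_RE.search(line)
        if m and _UNBOUNDED_S_RE.search(m.group(1)):
            findings.append(Finding(no, "scanf", "%s conversion without a field width", line.strip()))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample C source (hypothetical code, not from any real project).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

int handle(const char *user, char *out) {
    char name[32];
    strcpy(name, user);             /* unbounded copy */
    sprintf(out, "user=%s", name);  /* unbounded format */
    snprintf(out, 64, "ok %s", name); /* bounded: not flagged */
    /* strcat(out, user); */        /* commented out: not flagged */
    return 0;
}

int read_cmd(void) {
    char cmd[16];
    return scanf("%s", cmd);        /* %s with no field width */
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print(f"line {f.line}: {f.func}: {f.reason}\n    {f.text}")
```

Run against the sample, it reports `strcpy` on line 6, `sprintf` on line 7 and the width-less `scanf` on line 15, and stays quiet about the bounded `snprintf` and the commented-out `strcat`. That is exactly the signal a code reader with source access gets in seconds, which is harikiri's point: the hard part is not finding the candidate line but deciding whether the buffer size and the input source actually make it exploitable.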
  17. Re:Other Useful Utilities by rob_kg · · Score: 2, Insightful

    How about http://www.insecure.org/tools.html :)

  18. If you outlaw guns... by suwain_2 · · Score: 4, Insightful

    ...only outlaws will have guns.

    Same with security tools. Restrict them because they're "More Harmful Than Helpful" and those who use them for harm will still have them, but those who use them for good won't be able to test their networks first.

    I don't question for a second that they're widely abused. But banning them will only mean that network administrators can't check their own networks.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  19. Re:We need these tools and we need them automated! by throughthewire · · Score: 2, Insightful
    I'm currently working on ideas to get real broadband (10 mbit)...

    Broadband != high bandwidth.

    Broadband signalling means multiple frequencies on the media, as opposed to baseband, where there is only one. Ethernet is a baseband technology.

    These sorts of misconceptions result in well-defined technical terms such as broadband being re-defined for consumers as meaning something entirely different - because consumers have been led to believe it means something else. "Define broadband please - CA" It's one more way marketing continues to make life difficult for the technologists.

    Please don't contribute to the problem. I stop taking people seriously pretty quickly when they use the CompUSA Salesdrone definition of a technical term, instead of the correct one.

    As to your worm vector scenario, you aren't really describing anything different than what happens inside a large corporate LAN/WAN infrastructure. Use IDS software which can dynamically re-write your switch and router ACLs, educate your end-users as much as possible, and hire smart and driven sysadmins and techs who enjoy the challenge of keeping up with the black hats. Provide them with good equipment and quality caffeine.

    And never sit back and relax, confident that you're secure.

    Security is a process, not a product. It's an endless, arduous, thankless process. - Bruce Schneier

  20. Spiderman rule by drunkenbatman · · Score: 2, Insightful

    When in doubt, remember Stan Lee: with great power comes great responsibility. When you're talking about guns, security tools, money, r00t, broadband, or any form of power. The question seems to be, can you trust an individual to shoulder that responsibility, and if there are a few out there you can't trust, do you remove the power from everyone...