Security Tools More Harmful Than Helpful?
soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if
security tools like it do more good than harm. This
article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development.It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also
developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.
Any tool can be used incorrectly.
Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets
run apache's tester, 'ab' to the wrong host and it's a DDoS attack, and not a test of a webserver
run X to the wrong host and it's a , not a
Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.
stuff |
It will be a mojor help to both the administrators and the hackers. But this is not a readical change from the current situation. Hackers and Crackers already employ many of the same tools for troubleshooting and other less legitimate purposes.
i think the point made in the article that "this toold allows admins to play on the same level as the attackers" is a very valid point and should be paraded out in front of anyone who says "but this will only cause more attacks by making the attackes easier for the attackers to execute"
newsflash; even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojan's and the like).
giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. and an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.
and if you see me strut, remind me of what left this outlaw torn...
The debate is almost pointless. If there's complex software, and that complex software has bugs, it is inevitable that exploits and exploit kits like the one in the story will be written.
Railing against them won't make them go away - maybe the author(s) of this particular tool will give up, but there are plenty of other authors who will inevitably write something similar anyway.
Oolite: Elite-like game. For Mac, Linux and Windows
The whole test/patch paradigm is wrong, regarding security: The patches can only be issued when the problem becomes visible, which is doubtless too late for many out there. Also, a significant fraction of users are unskilled, or simply leave their machines unattended, and cannot patch in time.
Sadly, security problems were already better dealt with by Unix when it was designed, more than thirty years ago, than by Windows now, but the large number of Linux boxen that get rooted shows that the Unix model is now hopelessly out of date. It is time to catch up on the basic issues, separate the programs from the data more effectively, provide PCs with effective data backup,
and maybe freeze some essential functionality in firmware so that it cannot be overwritten.
This is not a signature.
I suggest remote backup instead of file-sharing. And remote security testing instead of cracking. Makes it sound like you are doing a company a favor when you remotely test their security, or determine their bandwith limitations.
This is not a signature.
I think it's pretty simple. Those meaning harm are going to write exploits/sniffers/etc. They might even share them, but you bet they will try to keep them out of the hands of the white hats. This means that if you write a tool and release it to the public, you benefit the white hats, while giving the black hats what they already had. Even in the case where bsack hats didn't have an equivalent piece yet, they will at worst be on par with the rest.
Writing and releasing these tools is the only way to establish certainty. Certainty that, if a hole can be detected, you can. And certainty that everyone else can, so you MUST patch it. No more guessing that it will be alright and being wrong.
Please correct me if I got my facts wrong.
Over the years how many people have used hammers, axes, etc to cause harm to other people? Where I live there was just recently a fire fighter who chopped up his girlfriend with his fire axe (normally very useful in saving lives).
In the final analysis there are always ways to abuse things and cause harm with them. That doesn't justify preventing their legitimate use. All the more so if their legitimate use actually makes their abuse all the more difficult.
This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel its worse, I'll offer an analogy.
Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.
Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.
I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
Most tools out now are duel edged swords, providing useful feature in one hand, while being able to do harm if used other than the way the designer intended. A baseball bat is just equipment for a game, until you crack somebodies skull open with it.
You only live once, so you might as well have fun before you die.
Some sleepy thoughts before I crash...
This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
...only outlaws will have guns.
Same with security tools. Restrict them because they're "More Harmful Than Helpful" and those who use them for harm will still have them, but those who use them for good won't be able to test their networks first.
I don't question for a second that they're widely abused. But banning them will only mean that network administrators can't check their own networks.
________________________________________________
suwain_2