Slashdot Mirror


Security Tools More Harmful Than Helpful?

soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if security tools like it do more good than harm. This article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development. It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.

9 of 116 comments

  1. That's SANTA to you! by Gaewyn L Knight · · Score: 3, Interesting

    Heh... my favorite part of the whole SATAN thing was they included the script to change every reference to SANTA in case you were offended.

    They thought of everything... or thought they had... until they found themselves in the middle of a storm of controversy.

    Ahh... those were the good old days :P

    --
    Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
  2. Re:Wrong by Anonymous Coward · · Score: 1, Interesting

    I still think you made a good point though. There is a fine line between simply looking around for services or network testing and actual "hax0ring".

    Unfortunately, your comment was unfairly modded down.

  3. It's a dual edge sword by drizst 'n drat · · Score: 5, Interesting

    Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this is, as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...

  4. We need these tools and we need them automated! by Raindeer · · Score: 4, Interesting

    I'm currently working on ideas to get real broadband (10 mbit) and higher to houses and businesses (minimum of 7500 houses). One of the worries I have is how such a network can be run in a safe and secure manner. Previous experience in running a campus network has taught me that you cannot trust the end user to do things right. This becomes especially true when you're planning for a door to door roll-out of 10mbit+ networks. Imagine a new worm which makes use of such networks. The amount of network traffic it can generate is amazing.

    My solution would be an automated quarantine system, which would quarantine a system once it is found compromised or vulnerable. Quarantine means in this case that the internet traffic is redirected to a specific page and there the user will find an explanation and a solution. Other traffic, like VOIP and TV over IP, should run uninterrupted. (This could be realized for instance by having VOIP and TV on separate VLANs or by allowing certain IP addresses)

    This system has to be automated. The reasons for automation are:
    1. You cannot expect a network admin to continuously monitor 7500 to 50,000 connections.
    2. Vulnerabilities are many and a system you've just checked by hand could easily be vulnerable the next day, because somebody installed a new piece of software with some old problems. (One can expect people to install a vulnerable version of Winamp on a daily basis! Just think of all the CDs in computer magazines that carry a version of Winamp)
    3. Warhol worms are fast! Within fifteen minutes almost all vulnerable connections will have been infected. If the vulnerability was already known, the system should have been quarantined. If it is unknown, it should be able to disconnect 5000 infected systems immediately once it knows how to detect the vulnerability/worm.
    4. The system should preferably be scanned upon connection to the network. Time and time again.

    Yes there are all kinds of problems associated with this idea. But if you have a better solution, one that doesn't require me to rely on the intelligence of the average John Doe, please do tell me.

    1. Re:We need these tools and we need them automated! by Lumpy · · Score: 3, Interesting

      OK, first. NAT boxes with all ports closed at EACH location as an absolute requirement. Only a fool thinks you need a computer directly on the internet for anything but a server.

      You can have a custom firmware written for popular NAT boxes. (comcast does) that allows you to shut off a customer's DMZ machine access if you detect that it is causing trouble and send its iptables logs back to your server so you can detect a problem when it is happening instead of 3 days later.

      Second, your TOS needs to read that all servers running MUST be registered with you or you shut off their connection. I.E. ip address they want it on and ports that are open and why. Mister Huang on evergreen terrace is NOT allowed to put his W2K server with IIS on the net for a webserver if he does not have all unneeded ports closed.. if they bitch, have a recording of a crying baby to play back at them... (this works with corporate IT in the NOC, Marketing droids and PHB's that are not your direct report.)

      Finally, Unless they have registered a email server with you, they CANNOT send email without going through your email server... yes a few people will bitch, most wont and you will solve a large problem.

      Finally, set up sniffing tools and actually hire competent staff at decent wage rates. You want people that will investigate why 192.168.123.43 is trying to send 300 emails an hour, or why a large number of IP addresses are trying to access port 3250 on 192.168.123.33... Automated tools can be set to alert on these triggers. You need people that can understand what the alerts mean.

      --
      Do not look at laser with remaining good eye.
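    The two triggers Lumpy names above (one host opening 300 SMTP connections an hour, many addresses probing one port on one host) and Raindeer's point that the response has to be automated come together in the following sketch. It is an added example, not code from any poster or from the Metasploit project: the flow-record format, the thresholds, the "quarantine" versus "investigate" split and the sample traffic are all assumptions made for illustration.

```python
"""Threshold alerts over flow records, as an added illustration of the
automated triggers discussed in the thread. Example code, not from any
poster; the record format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORT = 25
MAIL_RATE_LIMIT = 300      # outbound SMTP connections per hour (assumed threshold)
SWEEP_SOURCE_LIMIT = 20    # distinct sources hitting one host:port (assumed threshold)


def parse_flows(text):
    """Parse 'ISO-time src dst dport' lines into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def mass_mailers(flows, limit=MAIL_RATE_LIMIT, window=timedelta(hours=1)):
    """Sources whose outbound SMTP connections exceed `limit` inside any
    sliding window of length `window`; returns {src: peak count}."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in flows:
        if dport == SMTP_PORT:
            by_src[src].append(ts)
    offenders = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                offenders[src] = max(offenders.get(src, 0), count)
    return offenders


def port_sweeps(flows, limit=SWEEP_SOURCE_LIMIT):
    """(dst, dport) pairs contacted by more than `limit` distinct sources."""
    sources = defaultdict(set)
    for _ts, src, dst, dport in flows:
        sources[(dst, dport)].add(src)
    return {key: len(s) for key, s in sources.items() if len(s) > limit}


def alerts(flows):
    """Combine the detectors into sorted (kind, host, detail) alerts.
    A mass mailer is treated as compromised and quarantined; a host being
    probed is only flagged for a human to look at."""
    out = []
    for src, n in mass_mailers(flows).items():
        out.append(("quarantine", src, f"{n} SMTP connections within one hour"))
    for (dst, dport), n in port_sweeps(flows).items():
        out.append(("investigate", dst, f"port {dport} probed by {n} distinct sources"))
    return sorted(out)


def sample_flows():
    """Constructed sample traffic (not captured data): one mass mailer, one
    host being probed on port 3250, and a little benign mail."""
    t0 = datetime(2004, 4, 10, 10, 0, 0)
    lines = []
    for i in range(320):                       # 320 SMTP connections in 53 minutes
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.168.123.43 203.0.113.7 25")
    for i in range(3):                         # three mails from a normal host
        ts = t0 + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 192.168.123.50 203.0.113.7 25")
    for i in range(40):                        # 40 external sources on one port
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} 192.168.123.33 3250")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, host, detail in alerts(parse_flows(sample_flows())):
        print(f"{kind:12} {host:16} {detail}")
```

    The sliding window matters: a fixed hourly bucket lets a host send 299 mails at 10:59 and 299 more at 11:00 without tripping the rule. Whatever the collector in front of this is (the NAT-box iptables logs Lumpy mentions, or flow export from the access switches), the rules are only as good as the person who reads the alerts, which is the thread's actual point.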
    2. Re:We need these tools and we need them automated! by chris_mahan · · Score: 2, Interesting

      If I had to notify my ISP every time I wanted to run a service, I would move.

      Which I did, btw.

      You have the AOL mentality.

      You must allow the user to do whatever they want. Your network should be completely transparent to them. As far as they are concerned, they are connected to the internet.

      This is what you are selling (an internet connection). If you can't do it, let someone else do it.
      If you don't want to do it, let someone else do it.
      If you think it can't be done... you get the picture.

      If Mr. SuperCracker wants to ping away, call the FBI.

      Harden your network infrastructure. If it can be easily hacked, let someone else do it...

      My point is: you're a construction worker on the information superhighway. Just because you built the bridge does not mean you can require White Trash Luann-Lee to register her Corsica on your little mile of freeway before she can play speed-demon.

      --

      "Piter, too, is dead."

  5. Airlines learnt that one a little while ago. by anti-NAT · · Score: 4, Interesting

    Does that stop us using airplanes? No, because their usefulness far outweighs the occasional terrorist attack.

    Same with petrol (gasoline), hammers, screwdrivers, cars etc. etc. etc.

    A false sense of security is worse than no security at all. At least with no security, you know you don't have any ...

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  6. I've seen this happen.. by vudufixit · · Score: 1, Interesting

    Norton Internet Security prevents many of my clients from using the Internet at all, even when I adjust the settings. So I have them get a hardware firewall.

  7. I'm the one you fear is going to use this program. by Sheepdot · · Score: 4, Interesting

    I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.

    While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!

    It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.

    I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.

    I've been trading exploits for so long now with my *own* Perl code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXEs using perlcc and Cygwin?

    If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.