Slashdot Mirror
Security Tools More Harmful Than Helpful?
soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if
security tools like it do more good than harm. This
article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development.It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also
developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.
Any tool can be used incorrectly.
Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets
run apache's tester, 'ab' to the wrong host and it's a DDoS attack, and not a test of a webserver
run X to the wrong host and it's a , not a
You know, you'd think that a google search for "satan" wouldn't be all that helpful for us noobs. Guess I was wrong!
Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.
stuff |
Heh... my favorite part of the whole SATAN thing was they included the script to change every reference to SANTA in case you were offended.
:P
They thought of everything... or thought they had... until they found themselves in the middle of a storm of controversy.
Ahh... those were the good old days
Telcos have alot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
It will be a mojor help to both the administrators and the hackers. But this is not a readical change from the current situation. Hackers and Crackers already employ many of the same tools for troubleshooting and other less legitimate purposes.
Do subsequent versions of Satan have fewer vulnerabilities? ie resistance to garlic, silver, crosses, upright pentagrams, white witches, holy water, Billy Graham etc?
My hyperlinks aren't worth the paper they're printed on.
Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...
i think the point made in the article that "this toold allows admins to play on the same level as the attackers" is a very valid point and should be paraded out in front of anyone who says "but this will only cause more attacks by making the attackes easier for the attackers to execute"
newsflash; even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojan's and the like).
giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. and an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.
and if you see me strut, remind me of what left this outlaw torn...
The debate is almost pointless. If there's complex software, and that complex software has bugs, it is inevitable that exploits and exploit kits like the one in the story will be written.
Railing against them won't make them go away - maybe the author(s) of this particular tool will give up, but there are plenty of other authors who will inevitably write something similar anyway.
Oolite: Elite-like game. For Mac, Linux and Windows
The whole test/patch paradigm is wrong, regarding security: The patches can only be issued when the problem becomes visible, which is doubtless too late for many out there. Also, a significant fraction of users are unskilled, or simply leave their machines unattended, and cannot patch in time.
Sadly, security problems were already better dealt with by Unix when it was designed, more than thirty years ago, than by Windows now, but the large number of Linux boxen that get rooted shows that the Unix model is now hopelessly out of date. It is time to catch up on the basic issues, separate the programs from the data more effectively, provide PCs with effective data backup,
and maybe freeze some essential functionality in firmware so that it cannot be overwritten.
This is not a signature.
The bad guys are becoming a corporate force (due to the requirement for Spam Bots)..
Now we have a choice of making security testing products that might be used by the bad guys to break into other people's networks or we can let the bad guys develop these tools anyway and leave ourselves with a harder job in testing security.
I think the tradeoff is worth it.
Simon.
Who needs Metaploit when all you really need is an article on the front page of /.? I was looking around the page before it was posted to /. and as I was nearing completion of the downloads, I noticed things begin to choke. "Ahhh....", I thought to myself, "Must be on /." Now with a total of 25 or so posts it's coming to a screeching halt. We really have to come up with a way to warn webmasters when their site is going to be linked from /.
But why is the rum gone?
I suggest remote backup instead of file-sharing. And remote security testing instead of cracking. Makes it sound like you are doing a company a favor when you remotely test their security, or determine their bandwith limitations.
This is not a signature.
I think it's pretty simple. Those meaning harm are going to write exploits/sniffers/etc. They might even share them, but you bet they will try to keep them out of the hands of the white hats. This means that if you write a tool and release it to the public, you benefit the white hats, while giving the black hats what they already had. Even in the case where bsack hats didn't have an equivalent piece yet, they will at worst be on par with the rest.
Writing and releasing these tools is the only way to establish certainty. Certainty that, if a hole can be detected, you can. And certainty that everyone else can, so you MUST patch it. No more guessing that it will be alright and being wrong.
Please correct me if I got my facts wrong.
Over the years how many people have used hammers, axes, etc to cause harm to other people? Where I live there was just recently a fire fighter who chopped up his girlfriend with his fire axe (normally very useful in saving lives).
In the final analysis there are always ways to abuse things and cause harm with them. That doesn't justify preventing their legitimate use. All the more so if their legitimate use actually makes their abuse all the more difficult.
I love how many people, especially the media, love to generalize any product that has the potential for misuse to be a sinister product...
Historically there are so many other examples, such as lockpick kits which are illegal in many states and countries, or are requiring licenses to use. Let's not forget the old Napster, or Kazaa or any other similar P2P, due to misuse, free use P2P is generalized into a piracy movement alone.
Which reminds me of a joke- A man is at his house during prohibition in the backcountry, when a sheriff comes by and notices that he has all the equipment laid out to make moonshine. Immediately the sheriff arrests the man, citing that having the materials to make moonshine is equivalent to having the contraband itself, though he saw no liquor on the premise. The arrested man takes a long pause, thinks about the situation, and states- "Well, I guess you should arrest me for rape too then, I got all the tools for that crime also!". Embarassed, the sheriff released the man.
I'm currently working on ideas to get real broadband (10 mbit) and higher to houses and businesses (minimum of 7500 houses). One of the worries I have is how such a network can be run in a safe and secure manner. Previous experience in running a campus network has learned me, that you cannot trust the end user in doing things right. This becomes espescially true when you're planning for a door to door roll-out of 10mbit+ networks. Imagine a new worm which makes use of such networks. The amount of network traffic it can generate is amazing.
My solution would be an automated quarantine system, which would quarantine a system ones it is found compromised or vulnerable. Quarantine means in this case that the internet traffic is redirected to a specific page and there the user will find an explanation and a solution. Other traffic, like VOIP and TV over IP should run uninterrupted. (This could be realized for instance by having VOIP and TV on separate VLAN's or by allowing certain IP-adresses)
This system has to be automated. The reasons for automation are:
1. You cannot expect a networkadmin to continuously monitor 7500 to 50.000 connections.
2. Vulnerabilities are many and a system you've just checked by hand could easily be vulnerable the next day, because somebody installed a new piece of software with some old problems. (One can expect people to install a vulnerable version of winamp on a daily basis! Just think of all the cd's in comptermagazines that carry a version of Winamp)
3. Warhol worms are fast! Within fifteen minutes almost all vulnerable connections will have been infected. If the vulnerability was already known, the system should have been quarantined. If it is unknown, it should be able to disconnect 5000 infected systems immediately once it knows how to detect the vulnerability/worm.
4. The system should preferably be scanned upon connection to the network. Time and time again.
Yes there are all kinds of problems associated with this idea. But if you have a better solution, one that doesn't require me to rely on the intelligence of the average John Doe, please do tell me.
Use Adsense for Charity
Metasploit is similar to Core Impact.
I'll gladly add this to my tools, without any cash outlay.
Want more security tools?
This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel its worse, I'll offer an analogy.
Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.
Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.
I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
Tools like this would be around even if they were not developed in this public manner. Only this way we give the poor admins the ability to test their networks so that they don't have to learn the hard way that they needed to patch up their systems.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Does that stop us using Airplanes ? No, because their usefulness far outweighs the occasional terrorist attack.
Same with petrol (gasoline), hammers, screwdrivers, cars etc. etc. etc.
A false sense of security is worse than no security at all. At least with no security, you know you don't have any ...
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Most tools out now are duel edged swords, providing useful feature in one hand, while being able to do harm if used other than the way the designer intended. A baseball bat is just equipment for a game, until you crack somebodies skull open with it.
You only live once, so you might as well have fun before you die.
I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
NMAP Port scanner from insecure.org
SATAN the aformentioned Security Admin Tool for Analyzing Networks.
TripWire for checking when someone's trying to access your system, and stopping them.
Shorewall a relatively easy to set up firewall-in-a-box for Linux.
You're reading Slashdot. Of course you like Linux and pc hardware
That was a great uproar and a good package. Dan Farmer sure took some flak for that one. He lost a good security gig with SGI as I recall.
But one of the coolest parts of the kit was the postscript file that featured an Intel-like logo that read "Satan Inside".
I had great fun printing those on self-adhesive transparency material and widely distributing..
A quick search turned up one of many sources for the postscript:
Satan Inside
Some sleepy thoughts before I crash...
This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
...only outlaws will have guns.
Same with security tools. Restrict them because they're "More Harmful Than Helpful" and those who use them for harm will still have them, but those who use them for good won't be able to test their networks first.
I don't question for a second that they're widely abused. But banning them will only mean that network administrators can't check their own networks.
________________________________________________
suwain_2
Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.
We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
When in doubt, remember Stan Lee: with great power comes great responsibility. When you're talking about guns, security tools, money, r00t, broadband, or any form of power. The question seems to be, can you trust an individual to shoulder that responsibility, and if there are a few out there you can't trust, do you remove the power from everyone...