Son of SATAN? Weighing Security Software's Risks
ryanr writes "Rob Lemos put out an article on the new metasploit release. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
I've always thought the comparison of security tools to invasion tools is like the idea of security through obscurity.
Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.
"If we let things terrify us, life will not be worth living."
- Seneca
This could be a good tool if admins actually used it (or some tool to look for holes) and patched the holes and watched their security. But, I have only worked at one place that has done this and the others were under the impression they didn't have to do it very often.
Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.
Evolution or ID?
The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet.
The Metasploit Project and its founder, HD Moore, hope to change that perception.
I thought changing the name from SATAN to SAINT, fixed that perception. I mean, how many attackers wanna use a tool called "SAINT", no matter how good it is.
Consensus is good, but informed dictatorship is better
It's too bad we can't moderate editors as being -1 Redundant
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?
I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Please read my comments which I posted here. Thanks! :)
Let's look back a couple of days at the same story
There's no substitute for a secure box. But what's lost on a lot of people is that security through obscurity is only bad if it's your only security method. True security doesn't mean that you paint a bull's eye on your forehead and taunt the crackers to come after you.
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
Toronto-area transit rider? Rate your ride.
When was Bill Gates Arrested?
A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one-sided battle (with us admins on the losing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opportunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.
Companies that create software to exploit security vulnerabilities in common software in order to get commandline access to any system don't kill systems. Script kiddies do.
Linux: Free if your time is worthless.
Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this is, as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...
If guns are outlawed, only outlaws will have guns...
If security scanning tools are outlawed, only outlaws will have security scanning tools...
Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.
In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
I thought us Mac users were the "religious zealots", and Bill Gates was the devil. Now you are telling me Windows is the blessed OS, and I'm a tool of SATAN? I'm going to have to take a course on the theology of computing to keep this all straight.
Yeah, I guess I'm funny like that.
Hmmmmm....
Berto
Some sleepy thoughts before I crash...
This is the time-old argument of guns don't kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of solely checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply creates a root-owned file on the server, in /, called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddie) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
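The post above describes the "grep sprintf" triage: once source is in hand, the quickest way to find candidates is to look for the library calls that are misused most often. The following is an added example (it is not code from the thread, from SATAN or from Metasploit) of that pass done with a little more care than a bare grep: it blanks out comments and string literals so mentions of a function name in a comment or a printf format do not count, and it requires the name to be a whole identifier followed by `(` so `my_sprintf_wrapper(` is not flagged. The sample C source and the function table are constructed for the example; the "alternative" column is a starting point for review, not a guaranteed fix.

```python
"""
Added example: flag calls to C library functions with well-known misuse
patterns in a source file, skipping comments, string/char literals and
identifiers that merely contain the name. SAMPLE_C is constructed input.
"""
import re

# function -> (why it is risky, usual replacement). Commonly cited pairings.
RISKY_CALLS = {
    "gets":     ("no bound on input length",               "fgets"),
    "strcpy":   ("no bound on destination length",         "strlcpy / snprintf"),
    "strcat":   ("no bound on destination length",         "strlcat"),
    "sprintf":  ("no bound on destination length",         "snprintf"),
    "vsprintf": ("no bound on destination length",         "vsnprintf"),
    "scanf":    ("%s without a width reads unbounded input", "width-limited %Ns or fgets"),
    "strncpy":  ("does not NUL-terminate on truncation",   "strlcpy or explicit terminator"),
}

# whole identifier, optional whitespace, then the opening parenthesis of a call
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")


def strip_comments_and_strings(src):
    """Blank out // and /* */ comments and string/char literals, keeping
    newlines so that reported line numbers still match the original."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if src.startswith("//", i):              # line comment: drop to end of line
            j = src.find("\n", i)
            i = n if j < 0 else j                # the "\n" itself is kept below
        elif src.startswith("/*", i):            # block comment: keep only its newlines
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append("\n" * src.count("\n", i, j))
            i = j
        elif ch in "\"'":                        # string or char literal, honouring escapes
            quote, j = ch, i + 1
            while j < n and src[j] != quote:
                if src[j] == "\\":
                    j += 1
                j += 1
            out.append(quote + quote)            # leave an empty literal as a placeholder
            i = j + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_risky_calls(src):
    """Return one finding per risky call, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).split("\n"), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            reason, alt = RISKY_CALLS[name]
            findings.append({"line": lineno, "call": name, "reason": reason, "alternative": alt})
    return findings


# Constructed sample: two real hits, three decoys that a plain grep would report.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* legacy helper: strcpy(dst, src) is mentioned here but not called */
int handle(char *in) {
    char buf[64];
    char name[32];
    strcpy(buf, in);                 // unbounded copy
    sprintf(name, "user-%s", in);    // unbounded format into fixed buffer
    printf("strcat( is only text in this literal\n");
    my_sprintf_wrapper(name, in);    // identifier contains the name, not a call
    snprintf(buf, sizeof buf, "%s", in);
    return strlen(buf);
}
'''

if __name__ == "__main__":
    for f in find_risky_calls(SAMPLE_C):
        print(f"line {f['line']}: {f['call']}() - {f['reason']}; consider {f['alternative']}")
```

Running it on the sample reports only the `strcpy` on line 9 and the `sprintf` on line 10; the comment, the string literal and the wrapper identifier are ignored. A hit is still only a candidate: whether a bounded buffer is actually reachable with attacker-controlled length is what the manual review after the grep has to establish.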
This headline apparently written by the Church Lady
"Open the pod bay doors, Hal" > "I'm afraid I can't do that, Dave" sudo "Open the pod bay doors, Hal" > alright
In open source world people blame the author because the code may not come from a corporate entity but an individual.
This one.
Dave Aitel
Immunity, Inc.
A hole scanner just finds holes. It's a hacking tool if used by a hacker, a security tool if used by an admin... the only difference is what the user intends on doing after the hole is discovered.
I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Funny, when this exact argument is being used against kazaa and the like, everyone throws up their arms in protest, claiming it still has legit uses.
I don't use this or kazaa, no reason, but I sure as hell wouldn't want to see either shot down just because they have illegal uses along with legal ones (once that happens, how long till computers themselves are heavily restricted, if not banned because someone claims it's "painfully obvious computers are the tools of criminals and terrorists").
I don't suffer from insanity, I enjoy every minute of it!
Another site I visit frequently, Slashdot, covered this a few days back. You can view their coverage on the same article here.
Oh, wait...
________________________________________________
suwain_2
Anytime anyone says you don't need security information/tools they're making money and you're getting the shaft. The argument "hackers could use this" translates to "our product is insecure and our admins are lazy". Security auditing is necessary in any network you'd like to be reasonably secure.
Religion is a gateway psychosis. -- Dave Foley
Is it possible this will create a new breed of mega elite hackers that don't need to know much about the inner workings of computers to hack, they can just run automated tools to do it for them? Maybe we can call them script-kiddies or something? What's that you say, they already have these? OH!
Of course these tools are good, the script kiddies already have k-rad tools from CodC and what-nots. News flash: many admins already use actual HACKER tools to try and find 'sploits on their pwn machines!
I remember when I was a youngin and to be classified at all as a hacker you had to have at least _some_ knowledge of machine code. Ahh, those were the days..
Mod +5 Drunk
I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability and if I don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.
Security professionals are inherently disadvantaged compared to blackhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
Yes, my only tool is a hammer. And you're starting to look like a nail.
The original SATAN was introduced by Dan Farmer back in 1995.
Is this sig nificant?
The anti-gun lobby is doing just that right now.
Conformity is the jailer of freedom and enemy of growth. -JFK
I haven't really used nessus or metasploit, but what is the difference between the two?
Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.
We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
Cracking tools are and will be widely available. How effective were the courts at stopping the spread of DeCSS? Tools already exist. They will either be written or pirated, and passed around on IRC. You can't stop them from existing. You can use them yourself, for your own benefit.
Attempting to get rid of widely available free tools that white hats could use to their benefit so that black hats won't have them isn't Security through Obscurity. It's Security through Wishful Thinking.
The only reasonable way to go forward with security is that your machine must be secure in spite of the existence of cracking tools. The best way to do this is to use the tools yourself, not to try to prevent them from existing. "Outlaw cracking tools, and only outlaws will have cracking tools" may be cliche, but poor prose can still be true.
The enemies of Democracy are
The story really was toned to stir the pot. The tool is a great help to those of us in the infosec community whose jobs it is to SECURE networks. Other tools like CANVAS (and a host of others I can't think of right now) do the same thing and most aren't even open source. Any one can run Nessus but the biggest issue with any vuln scanner is *false positives*. This tool allows verification of vulnerability.
Rob I want you to apologize to HD Moore and go sit in the corner and think about what you've done.
(crap there goes my karma)
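The false-positive point in the post above, and the earlier remark that an administrator needs the same crude network scanner a cracker would write, come down to one distinction: a banner-only scanner decides from the version string, a verifying check actually exercises the condition. The following added example (not code from the thread, from Nessus or from Metasploit) shows both against three constructed in-process TCP services. The service name `examplesvc`, the "fixed in 1.3.0" threshold and the `PROBE`/`ACCEPTED`/`REJECTED` exchange are all hypothetical stand-ins for a real advisory and a real non-destructive check; the middle host deliberately keeps an old banner with the fix backported, which is exactly the case where banner matching reports a vulnerability that is not there.

```python
"""
Added example: banner-based flagging versus active verification for a
hypothetical service. All servers are constructed in-process on 127.0.0.1;
nothing here talks to a real host or implements a real exploit.
"""
import re
import socket
import threading

FIXED_IN = (1, 3, 0)  # hypothetical: assume the advisory says "fixed in 1.3.0"


def start_fake_service(banner, patched):
    """Constructed test server: greet with a banner, then answer one probe
    line. A patched instance rejects the probe. Returns the ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner.encode() + b"\n")
                line = conn.recv(64)              # b"" if the client just hangs up
                if line.strip() == b"PROBE":
                    conn.sendall(b"REJECTED\n" if patched else b"ACCEPTED\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def parse_version(banner):
    """Extract (major, minor, patch) from 'examplesvc/X.Y.Z', else None."""
    m = re.search(r"examplesvc/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def check_host(host, port, verify=False, timeout=2.0):
    """Grab the banner and flag by version; with verify=True, also send the
    (hypothetical) non-destructive probe and record what the service did."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline().decode(errors="replace").strip()
        ver = parse_version(banner)
        result = {
            "port": port,
            "banner": banner,
            "banner_says_vulnerable": ver is not None and ver < FIXED_IN,
        }
        if verify and result["banner_says_vulnerable"]:
            s.sendall(b"PROBE\n")
            result["verified_vulnerable"] = f.readline().strip() == b"ACCEPTED"
        return result


def run_demo():
    """Three constructed hosts: banner matching flags two, verification keeps one."""
    hosts = [
        ("old, unpatched",             start_fake_service("examplesvc/1.2.3", patched=False)),
        ("old banner, fix backported", start_fake_service("examplesvc/1.2.3", patched=True)),
        ("current release",            start_fake_service("examplesvc/1.3.1", patched=True)),
    ]
    return {label: check_host("127.0.0.1", port, verify=True) for label, port in hosts}


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label:28s} banner={r['banner']:18s} "
              f"banner_says_vulnerable={r['banner_says_vulnerable']} "
              f"verified={r.get('verified_vulnerable', 'n/a')}")
```

The banner pass alone would report two vulnerable hosts; the probe shows only one actually is. The same structure is why a check that drops a harmless marker, as suggested earlier in the thread, is still worth more to an administrator than a version match: it answers the question the scanner cannot.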
I remember in high school back in '94. He was an SGI programmer then. I had a friend who had a SCO box (shudder) and hacked the perl script so it could run.
He released it to help Irix system admins secure their networks. SGI having their heads up their butts, fired him believing security through obscurity was the most effective measure. After all he now made Irix insecure??
Irix remained the most insecure Unix for many years until management made a recent change.
Nmap is a hell of a lot more powerful now and there are many clones.
Satan is a relic of old and I just looked at some of the screenshots via a search on google. I thought it was really awesome in 94, but it's quite primitive today.
http://saveie6.com/