Slashdot Mirror


Son of SATAN? Weighing Security Software's Risks

ryanr writes "Rob Lemos put out an article on the new metasploit release. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.

18 of 128 comments

  1. Y'know by FrYGuY101 · · Score: 5, Insightful

    I've always thought the comparison of security tools to invasion tools is like the idea of security through obscurity.

    Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Y'know by David+Hume · · Score: 5, Insightful

      I've always thought the comparison of security tools to invasion tools is like the idea of security through obscurity.

      Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.


      I think the concern may be that the widespread, no-cost dissemination of tools like this decreases the costs and barriers to entry to malicious hacking. Many (if not most) of the script kiddies who may wind up using this and similar tools couldn't possibly "create their own." Similarly, many (if not most) would not purchase, or even pirate, commercial tools.

      Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burglar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.

      Please don't misunderstand; I am not suggesting that this ought to occur, or that I want it to occur. I am simply suggesting that as a pure matter of fact it may occur.

  2. SATAN -> SAINT by stonebeat.org · · Score: 5, Funny

    The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet.
    The Metasploit Project and its founder, HD Moore, hope to change that perception.


    I thought changing the name from SATAN to SAINT, fixed that perception. I mean, how many attackers wanna use a tool called "SAINT", no matter how good it is.

  3. Many insightful comments... by Anonymous Coward · · Score: 5, Funny

    Please read my comments which I posted here. Thanks! :)

  4. Sure, but ... by s20451 · · Score: 5, Insightful

    There's no substitute for a secure box. But what's lost on a lot of people is that security through obscurity is only bad if it's your only security method. True security doesn't mean that you paint a bull's eye on your forehead and taunt the crackers to come after you.

    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:Sure, but ... by FrYGuY101 · · Score: 5, Insightful

      Conversely, if cracking tools like this are widely available, authors will be somewhat forced to at least use them to test before they release insecure software.

      Saying that these tools in and of themselves being widely available is a bad thing I'm still not sold on. Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either. That is why these tools exist, after all.

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
  5. For the /. crowd by Prince+Vegeta+SSJ4 · · Score: 5, Funny
    the original SATAN being released

    When was Bill Gates Arrested?

    1. Re:For the /. crowd by Mateito · · Score: 5, Funny
      When was Bill Gates Arrested?

      1977

  6. What's the controversy? by awkScooby · · Score: 5, Insightful
    Is the question, "should tools exist which allow system administrators to scan their boxes for known holes?" That's an easy one to answer: YES.

    A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one sided battle (with us admins on the losing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opportunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.
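
The "someone is scanning my boxes" observation above is the kind of thing an admin can pull out of firewall logs automatically rather than by eyeballing them. The following is an added example, not code from the thread or from any tool it discusses: it parses constructed, iptables-style syslog lines (the addresses, ports and timestamps are made up) and flags any source that touches many distinct destination ports within a short window. The log format, the 60-second window, the 10-port threshold and the fixed year used to complete the syslog timestamps are all assumptions.

```python
"""Flag likely port scans in firewall log lines.

Added example (not from the Slashdot thread): the log format below is a
constructed, iptables-style line, and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the addresses, ports and times are made up.
SAMPLE_LOG = """\
Mar 14 02:11:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
Mar 14 02:11:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Mar 14 02:11:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
Mar 14 02:11:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Mar 14 02:11:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Mar 14 02:11:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
Mar 14 02:11:04 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143 SYN
Mar 14 02:11:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Mar 14 02:11:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3306 SYN
Mar 14 02:11:06 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080 SYN
Mar 14 02:11:06 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8443 SYN
Mar 14 02:11:40 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Mar 14 02:12:15 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Mar 14 02:12:20 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
"""

# Syslog timestamp, then the SRC= and DPT= fields of the kernel log line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2004):
    """Return (timestamp, src, dport) for a matching line, else None.

    Syslog lines carry no year, so one is supplied; 2004 is an assumption.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def find_scanners(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {src: sorted distinct ports} for every source that hits at
    least `min_ports` distinct destination ports inside any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order, so a sliding window is valid
        left = 0
        for right in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports_in_window = {p for _, p in evs[left:right + 1]}
            if len(ports_in_window) >= min_ports:
                flagged[src] = sorted({p for _, p in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} touched {len(ports)} distinct ports: {ports}")
```

The sliding window matters more than the raw port count: a legitimate client that reaches a dozen services over a day never trips the threshold, while the first source in the sample hits eleven ports in five seconds and is reported. Lowering `min_ports` shows the trade-off, since at a threshold of 2 the ordinary web client in the sample is flagged as well.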

  7. Re:This could be a good tool if.... by justMichael · · Score: 5, Insightful
    Although, I don't have a thing someone would want to hack.
    If you have a box that is online 24/7, you have something that, to someone is worth hacking.

    Whether they use it to DDoS or as a spam relay or whatever else they may want it for, owned zombies are owned zombies.
  8. To use the gun analogy: by normal_guy · · Score: 5, Insightful

    Companies that create software to exploit security vulnerabilities in common software in order to get commandline access to any system don't kill systems. Script kiddies do.

    --

    Linux: Free if your time is worthless.
  9. It's a dual edge sword by Anonymous Coward · · Score: 5, Insightful

    Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this is, as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...

  10. It's Simple... by trp642 · · Score: 5, Insightful

    If guns are outlawed, only outlaws will have guns...

    If security scanning tools are outlawed, only outlaws will have security scanning tools...

  11. Leveling the field by Anonymous Coward · · Score: 5, Interesting

    Let's just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.

    In this scenario, a set of 'hacking' tools made available to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.

    If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.

    Personally, I believe that currently the knowledge of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.

  12. Re:What commercial tools? by daveaitel · · Score: 5, Informative
    There are in fact commercial tools that allow you to run exploits and include shellcode. For example:

    This one.

    Dave Aitel
    Immunity, Inc.

  13. I'm the one you fear is going to be using this by Anonymous Coward · · Score: 5, Interesting

    I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.

    While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!

    It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.

    I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.

    I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?

    If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.

  14. Re:Don't kid yourselves... by Adriax · · Score: 5, Insightful

    Funny, when this exact argument is being used against kazaa and the like, everyone throws up their arms in protest, claiming it still has legit uses.

    I don't use this or kazaa, no reason, but I sure as hell wouldn't want to see either shot down just because they have illegal uses along with legal ones (once that happens, how long till computers themselves are heavily restricted, if not banned because someone claims it's "painfully obvious computers are the tools of criminals and terrorists").

    --
    I don't suffer from insanity, I enjoy every minute of it!
  15. Full Disclosure vs. Security Through Obscurity by Glamdrlng · · Score: 5, Insightful
    If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.


    I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability and if I don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.

    Security professionals are inherently disadvantaged compared to blackhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.