Slashdot Mirror


Startup Prepares Cracker Attack Emulator

Startup.Blog writes "A startup company MuSecurity is shipping a product that emulates a multitude of known attacks and integrates the security checks into quality assurance processes. The company 'will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.'"

106 comments

  1. So what? by komodo9 · · Score: 4, Insightful

    How is this anything new? There is open source (and closed) that has been available for a while that does this.
    --
    United Bimmer - BMW Enthusiast Community

    1. Re:So what? by komodo9 · · Score: 1

      Erm, I mean open and closed source software. Nessus for example.
      --
      United Bimmer - BMW Enthusiast Community

    2. Re:So what? by Fred_A · · Score: 5, Funny

      We people in the industry even have a name for this technology. It is called a user.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    3. Re:So what? by HermanAB · · Score: 3, Funny

      For a Windoze box, it is called 'Plug Into Teh Interweb'. This test runs for about 20 minutes.

      --
      Oh well, what the hell...
    4. Re:So what? by gbobeck · · Score: 4, Funny

      Your testing tool must be outdated. With a new Windows XP box the test now takes 10 minutes or less.

      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
    5. Re:So what? by Anonymous Coward · · Score: 0

      Links to homepages & other misc crap belong in sigs where I can ignore them. What has a BMW website got to do with penetration testing? Goatse would have been more appropriate.

    6. Re:So what? by cp.tar · · Score: 2, Interesting

      I'm sorry to say, but it takes less.

      It takes less than is necessary to download a firewall and an anti-virus program, which was something I had to do recently. Unimaginable fun.

      --
      Ignore this signature. By order.
    7. Re:So what? by Anonymous Coward · · Score: 0

      So another company is going to scan my network with nessus. Wonderful. Because, you know, VeriSign and the three dozen other companies which already provide this service don't run nessus quite as well as these new guys will.

    8. Re:So what? by 42Penguins · · Score: 1

      As funny as it is, it just doesn't seem realistic to me. Maybe I'm at the wrong intraweb...
      In the last 5 years on Windoze 2000 + xp, I've been pwned exactly 0 times, same as my BSD box. Of course, the firewall, firefox, and not being a dumbass certainly help.

    9. Re:So what? by Rahszhul · · Score: 1

      firewall, firefox

      ... No doubt that the two fires are creating enough light to scare away any slightly tanned hacker's hide.

    10. Re:So what? by HermanAB · · Score: 1

      Your firewall/router/little blue box, typically runs Linux. Have you considered that this firewall doesn't have a firewall to hide behind?

      I'll believe in Microsoft security once Cisco/HP/Whoever starts to sell Windows based firewall appliances.

      --
      Oh well, what the hell...
    11. Re:So what? by plover · · Score: 3, Funny

      Could you be thinking of ... hmm ... I don't know, maybe ... SATAN??!!?!

      --
      John
  2. A karma whore is me. by heinousjay · · Score: 1, Funny

    So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

    --
    Slashdot - where whining about luck is the new way to make the world you want.
    1. Re:A karma whore is me. by Crazyscottie · · Score: 1, Informative

      So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

      If by "blow up," you mean BSOD, then I'd say your chances are pretty good. Then again, who knows... with Vista's Red SOD and all, we might uncover new levels of crashing. ;-)

      --
      Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
  3. REALLY, REALLY important /sarcasm by AKAImBatman · · Score: 5, Insightful

    Mu Security would not say whether the product will be hardware- or software-based, but more details will be revealed in March, Furgerson said.

    That's not very helpful. If we're talking a tool to check for security flaws already patched against, what good is that? Just keep your systems up to date. On the other hand, if we're talking about things like buffer-overflow checkers, then why not use an existing product?

    This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

    1. Re:REALLY, REALLY important /sarcasm by antifoidulus · · Score: 3, Insightful

      It seems as if they are trying to automate what companies pay experts a lot of money to do already: attack software from every conceivable angle. The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts, and I personally doubt they can do it. If it's worth anything, it will probably just end up becoming another tool of the trade. Though, as always, time will tell.

    2. Re:REALLY, REALLY important /sarcasm by Tim+C · · Score: 4, Funny

      This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

      In my experience, that's still a pretty big niche.

    3. Re:REALLY, REALLY important /sarcasm by onedotzero · · Score: 1

      True, but how many companies can afford these experts? Assuming they charge (partly) by time spent on trying to crack a site, presumably not many small to medium-sized companies will pay for a full range of techniques.

      In which case, an updateable boxed package may be something they would find value in. If they pass that and still get cracked, then perhaps it would be time to call in the big boys.

      Presumably this kind of tool is also part of the toolset of security experts? I don't know, but it seems like it would be a logical starting point.

      --
      onedotzero
      thedigitalfeed.co.uk

    4. Re:REALLY, REALLY important /sarcasm by vux984 · · Score: 2, Interesting

      So pay the experts for the really creative stuff and get the robot to do the 'basic' drudge work. Once your product has passed the robot then have the experts look at it.

      If it doesn't get past the robot then you just saved a bunch of money by not bothering the expensive experts. If it does get past the robot, then hopefully the so-called experts will know what it's already passed and will focus their expensive time on being 'creative'.

      We generally let our compilers proof-read our code for errors before we have it peer-reviewed. This could be the same thing. No point in wasting someone's time to find flaws that the machine can find on its own.

    5. Re:REALLY, REALLY important /sarcasm by jayloden · · Score: 1
      The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts [...]
      ...or just cheaper.
    6. Re:REALLY, REALLY important /sarcasm by charlesnw · · Score: 1

      And I just saved a bunch of money by switching to Geico... uh I mean using
      Flawfinder.

      --
      Charles Wyble System Engineer
    7. Re:REALLY, REALLY important /sarcasm by netnull · · Score: 1

      I've seen the technology and it's impressive. It's intended for vendors to detect break points in their products. The fuzzing and mutation engine can really be relentless. The reporting is nice, particularly if you tie the console of the ToE into the mu box so that you can see any error messages side by side with their cause. Those vendors serious about securing their products should give this a look. You allude to the fact that experts do this type of testing, but once user-friendly automated tools come onto the market we will see both an improvement in security, as well as a rise in attacks. Another difference is that this technology breaks boxes without finesse. Finding exploitable logic errors without trashing the box will still be in the realm of experts.

  4. Satan/Santa by fatphil · · Score: 5, Insightful

    ... and several other ones already exist.

    I'd say that the only interesting thing about this announcement is an opportunity for geeks to analyse this new product and see if it contains any ripped off GPL'ed code.

    FP.

    --
    Also FatPhil on SoylentNews, id 863
    1. Re:Satan/Santa by ABCC · · Score: 0

      Virii and cracks are often released as GPLed code, so anything that includes a neutered version of those would be a GPL violation. Sounds a bit like a publicity disaster waiting to happen, and it's proof that the GPL is a viral license :P

    2. Re:Satan/Santa by fatphil · · Score: 1

      The publicity disaster will be when some crackers hack this company's website, and pw|\|x0R (is that how you spell it?) it.

      (Or just some good old fashioned DNS poisoning at the root servers - if that's good enough for RSA.com, it's good enough for these guys.)

      --
      Also FatPhil on SoylentNews, id 863
    3. Re:Satan/Santa by ABCC · · Score: 0

      well, publicity means reaching the general public imho. i was thinking of something along the lines of open-sores/gpl=filthy red commies licence/windows>linux stories you see on pcworld.

  5. In other news... by Anonymous Coward · · Score: 5, Funny

    cracker sues Startup over piracy of cracker's trade secrets via emulation.

    1. Re:In other news... by Anonymous Coward · · Score: 0

      Don't you really mean... .... we now can use enterprise cracker software stolen from crackers that sponge off hackers that steal information from systems that are allegedly protected by the anti-virus companies that intentionally miss rootkits that are placed by intellectual property companies that fight to allow Betamax to copy movies then create DRM hardware to fight piracy with technology as does government to fight terrorists by spying on our computers to protect your interests which includes information that is supposedly private but breaks the 4th since information is not property except to the RIAA and friends that argue you are stealing their property unless you buy from Itunes and when fill your 40 GB Ipod that would never be realistically used for any other reason but bootleg music that you downloaded using Bitorrent that's open source but Bram says shouldn't be used for illegal downloading though RMS wrote GNU and suggests information should be free.

      Com'mon that made complete sense.

  6. This is nothing new by possible · · Score: 4, Informative

    I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specific products or services. Looks like another snake-oil security startup.

    There are other companies and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies that take a source-code centric approach.

    For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.

    1. Re:This is nothing new by zopf · · Score: 1

      Yeah, this all sounds suspiciously (or at least auspiciously) similar to EEye's Retina scanner, etc. It's all been done before.

      --
      Did you see the pool? They flipped the bitch!
  7. No, but a couple of red-shirts will die trying... by Anonymous Coward · · Score: 0
    ... followed by the words, "He's dead, Jim."

    Sorry, that was too easy. :)

  8. Tip: by DrEldarion · · Score: 4, Funny

    While most crackers are pretty harmless, saltines are going to give you the most problem. Keep an eye out for Ritz as well, as I've personally had issues with keeping those out of my system.

    1. Re:Tip: by LordPhantom · · Score: 2, Funny

      Hmm.... Chris Rock might have a few things to say about "crackers". Now back to your regularly scheduled topic.

    2. Re:Tip: by gbobeck · · Score: 1

      Graham Crackers can be a real bitch too.

      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
  9. What about their site... by bassgoonist · · Score: 0, Offtopic

    If we all go visit their site at once will they see it as a DDOS? :-p This is a cool idea, doesn't seem terribly novel to me though.

    --
    You can tell I'm an aries because of my ram.
  10. They spelt the name wrong! by oztiks · · Score: 0, Offtopic

    How the hell are crackers and skiddies going to know what the company is about if they don't spell it ... mU53ur1+y

  11. What about.. by SocialEngineer · · Score: 4, Insightful

    Does it call fed up employees who are just looking for someone to talk to, exploiting the conversation and getting valuable information necessary to break into the network? :)

    Cool concept, but I wonder about how effective it'll be without good admins who know how to watch logs, set up honeypots when necessary, and train employees to shut up. Still, it could have its uses.

    --
    "Better to be vulgar than non-existent" -Bev Henson
  12. It's just a company making a product by Morgaine · · Score: 1, Interesting

    They are making it sound like checking for these things before systems go into production is a new concept.

    You make it sound like hyperbole in marketing is something outrageous and previously unheard of.

    It's a company, fer crissake. If it were an academic research group making out that they had invented a new concept, then that would be different and your criticism would be more valid.

    If their product has no technical novelty, then your remarks should be directed at Slashdot editors for accepting it as News For Nerds. The company seems to be offering another competing product in this market. And that surely is A Good Thing.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  13. MuSecurity.. by JWSmythe · · Score: 5, Funny


        "MuSecurity. We hack you first, so the hackers don't have to."

        "Pre-root your box for only $19.95"

        "Want a bot net? Have your own today!"

        Oh, testing for exploits, not actually exploiting the box.. hehe.

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:MuSecurity.. by ozmanjusri · · Score: 5, Funny

      "MuSecurity. We hack you first, so the hackers don't have to."

      So they're a division of Sony, are they?

      --
      "I've got more toys than Teruhisa Kitahara."
  14. Oh great, more "red queen"... by venomkid · · Score: 4, Insightful

    More "keeping up with the hackers" nonsense. How about we just leave nothing permitted that we don't already know is legit?

    There's money to be made in treating cancer, but not curing it. And this is the IT equivalent.

    --
    vk.
    1. Re:Oh great, more "red queen"... by Anonymous Coward · · Score: 0

      Only on Slashdot could something like this be considered "insightful."

      You don't understand the first thing about security. Sad.

  15. Wheel v3.0 stable by theelemur · · Score: 0, Offtopic

    Sounds like a vuln scanner. y0 spoonm :)

  16. When crackers attack by Bill_Royle · · Score: 2, Funny

    For those of you that want to emulate a cracker attack, I cannot recommend highly enough any of the ABBA albums out there. Turn that on amongst any non-crackers, and you will know rapidly how well things will hold up.

    There are limits to this type of stress-testing, though - playing any "Rocky" movie will likely cause excessive bleeding from your ears. There's no reason to go overboard when cracker-testing.

  17. Other news by Anonymous Coward · · Score: 1, Funny

    In other news, the shares of the security company raised after it was leaked that Microsoft ordered dozens of vulnerability checkers.

  18. Hot off the press.. by js92647 · · Score: 1

    Man beats MuSecurity by throwing his computer out of the office window, successfully proving it cannot stop hackers against completely breaking the security. Movie clip at 11.

  19. Juniper Staff by Anonymous Coward · · Score: 3, Interesting

    Almost all the staff is ex-Juniper. Talk about running off with corporate assets

  20. Known attacks by MichaelSmith · · Score: 3, Insightful

    It's the unknown ones you really have to worry about.

    1. Re:Known attacks by mmjb · · Score: 1

      Well, as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know

  21. Did anybody else... by Anonymous Coward · · Score: 0

    ...read the title as: 'Startup Prepares Cracker Jack Emulator'?

  22. Just another module.... by Bananatree3 · · Score: 1

    for the RoboAdmin! Yes! You can have your very own fully automated system administrator, and now New and IMPROVED with automated security checks! If you ever need help with your IT issues, simply chat with the RoboAdmin chat bot and you will start feeling better in no time!

  23. This proves that... by Tune · · Score: 1

    ...crackers' IP cannot be properly protected by law (DMCA) and patents.
    The *only* way to protect viruses, spyware and other malware effectively from these kinds of companies is through trusted computing, people. Go figure!

    1. Re:This proves that... by cp.tar · · Score: 1

      Wait...

      Are you saying I can prevent a virus from getting on antivirus programs' lists?

      --
      Ignore this signature. By order.
    2. Re:This proves that... by Tune · · Score: 1

      Hmm. My comment was actually intended as a joke.
      But seriously, if trusted computing ever takes off, in that it completely and ultimately limits users from peeking inside software (which I personally doubt) even malicious software will be below the radar. That's like a rootkit that a user cannot technically (or legally) detect, modify, remove, etc.

      Now your question basically translates as: will anti-virus companies behave as "user", or will they force, reverse-engineer or bypass TC layers in the OS?

    3. Re:This proves that... by cp.tar · · Score: 1

      Well, whatever happens, when 'trusted computing' takes off, I will most certainly not trust it.

      --
      Ignore this signature. By order.
  24. Obligatory... by kvonk · · Score: 1

    In Soviet Russia, product emulates YOU!!

  25. Maybe it's Da Fuzz? by PGillingwater · · Score: 4, Informative
    Without bothering to RTFA, it seems to me that they're not really talking about a library of known attacks like Nessus or EEye, but rather are discussing something like an automated tool that generates hundreds of thousands or even millions of potential attack vectors, similar to Spike or Scratch. For a nice roundup of Fuzzing links, check here. Note that Mu security is already listed.


    N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

       

    --
    Paul Gillingwater
    MBA, CISSP, CISM
    1. Re:Maybe it's Da Fuzz? by Slashcrap · · Score: 2, Insightful

      N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

      It's also a nice letter from the ancient Greek alphabet which means literally "mu".

    2. Re:Maybe it's Da Fuzz? by Cally · · Score: 1

      Woof! Woof!

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  26. crackers by Anonymous Coward · · Score: 0

    damn white people, always hacking computers. we black folk, don't have none.

  27. Story Sez "Hacker;" Submitter Summary sez "Hacker" by RobotRunAmok · · Score: 1, Troll

    So what's with this "cracker" in the headline? And "cracker-in-a-box" is a Saltine.

    Please stop trying to kidnap the English language. C'mon, Geeks are supposed to be efficient: "Cracker" already means too many other things to effectively assume a new mantle, especially one already being served in the global media with "hacker." Yes, we're all sad that we benign computer hobbyists have to call ourselves "benign computer hobbyists" instead of the far more edgy-danger-cool "hacker" as we could for about a week-and-a-half in 1994, but time -- and language -- marches on.

    Seriously. Get over it. You're embarrassing the rest of us.

  28. Need... More... Sleeep..... by Stephen+Maturin · · Score: 1

    When I read the headline I thought this had something to do with saltines.

    --
    Non tam praeclarum est scire Latine, quam turpe nescire
    -- Cicero
  29. Biggest threat^D^D^Dcustomer ? by Anonymous Coward · · Score: 0

    And I bet their biggest customer is .ro eh ? Does it also come with a copy protection ?

  30. Headline should read: by EVil+Lawyer · · Score: 3, Funny

    Slashdot Editor Duped by Guerilla Marketer

  31. Is this new? by harris+s+newman · · Score: 0

    I thought there were a variety of products out there, some GPL'd that will do this same thing. Think nagios...

  32. QUICK! HOW DO I GIVE THEM MY MONEY? by Rogerborg · · Score: 1

    I demand that you provide more details of this revolutionary software product so that I may purchase 10,000 copies forthwith.

    Lesson to Slashdot advertisers: why buy an ad, when you can just keep submitting stories about some blog entry that promotes your product until eventually one of them sticks?

    --
    If you were blocking sigs, you wouldn't have to read this.
  33. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  34. Emulator or the real thing? by noidentity · · Score: 1

    If this carries out attacks just as the real thing, isn't this the real thing and not an emulator? (I haven't RTFA of course)

    1. Re:Emulator or the real thing? by fatphil · · Score: 3, Informative

      It's a good question, however there is a simple answer.

      There are at least 2 parts to each exploit. One is the route in (a buffer overrun, for example), and the other is the payload. You can test vulnerability by using the same route in, but with a harmless, or simply information-gathering payload. Other alternatives can include a patching payload.

      FP.

      --
      Also FatPhil on SoylentNews, id 863
  35. Ripped off Google Maps by Hextreme · · Score: 1

    Anyone else notice the ripped off Google Maps image on the 'Contact Us' page without credit?

    A company that doesn't give credit where credit is due doesn't deserve money.

    1. Re:Ripped off Google Maps by Anonymous Coward · · Score: 0

      Note the link on the page ' Map' points to http://maps.google.com/maps?q=1153+Bordeaux+Drive,+sunnyvale,+ca&spn=0.030960,0.060176&hl=en

      Hardly covert
      Don't you have anything more noteworthy to critique?

  36. pump & dump by Anonymous Coward · · Score: 0

    looks like a pump & dump.

  37. Re:Story Sez "Hacker;" Submitter Summary sez "Hack by Anonymous Coward · · Score: 0

    100% agreed. In this headline it is particularly moronic, as one is misled to believe this is a tool for people developing copy protection.

  38. Funny Company Name by dozer · · Score: 2, Interesting

    MuSecurity looks like MicroSecurity (picture the little-mu greek character in front). Or, in ISO units, "very little security". Strange choice for a name.

  39. How about this thought? by Anonymous Coward · · Score: 0

    The staff are the most important assets a corporation can have. Sadly (for the corporation), staff has free will, rights to exist, rights to apply their skills..

        - AND -

    the right to start working other places.

    1. Re:How about this thought? by Anonymous Coward · · Score: 0

      Your post is confrontational, and yet you don't disagree.

  40. pffft... by p_cyde · · Score: 1

    we don't need emulators to crack... Signed, a Cracka (aka "user")

  41. They've had cracker attack emulators for years... by IronChefMorimoto · · Score: 1

    NASCAR race post-race fights between fans (crackers) of different drivers. 'nuff said.

    IronChefMorimoto

  42. Please people by Anonymous Coward · · Score: 0

    I'd prefer the term "Caucasian" or "White person." The term "cracker" is so insensitive. You clods.

  43. Good article on source code inspectors by hal9000(jr) · · Score: 1

    Jeff Forristal did a really good analysis of source code inspection tools at Secure Enterprise Magazine.

  44. Re:A chair flew by... by Anonymous Coward · · Score: 0

    Enough of the fucking ballmer chair jokes.

    I'm no Microsoft fan but for fuck sake give it a rest.
    It was funny at first but god damn it it's so lame.

    moron

  45. Please RTFA by powers_722 · · Score: 1

    "Instead, Mu Security's product performs a thorough and methodical analysis along the many lines of inter-dependencies that exist among protocols. Understanding how to create the right type and set of mutations needed to systematically expose potential vulnerabilities in highly interconnected applications and systems - identifying both existing and "day zero" threats - is a key part of Mu Security's breakthrough in determining the security readiness of such a wide range of systems. Marrying such capabilities to a platform approach allows such analysis to be comprehensive, efficient, and repeatable. The net result is that Mu Security's solution has already uncovered multiple day zero vulnerabilities in every system analyzed."

    http://www.musecurity.com/

  46. ISEAGE project by Bender0x7D1 · · Score: 2, Informative

    As mentioned previously, this sort of thing is being/has been done. One project I am familiar with is the Internet-scale Event and Attack Generation Environment (ISEAGE) project at Iowa State University.

    Its webpage has an overview of the project and documentation on its architecture and implementation. I think one of the key aspects of the project can be found in the overview: "Unlike computer-based simulations, real attacks will be played out against real equipment."

    ISEAGE is approaching security from a real-world perspective, using real world devices. Sure, your software/hardware might be secure when the attacks are played against it; but is it secure when there are dozens of attacks occurring simultaneously? What about when it is being hit by thousands of requests, or is under a DDoS attack? What happens when devices decide to start breaking the protocols, or the rules? What happens if a device physically fails? What is the effect of a device overheating during a DDoS attack? How do you simulate this/test for this other than hooking it up and hammering it with a DDoS attack?

    This is the kind of information that is needed to prevent or mitigate an attack, but can't be found by reading code or running a scanner. How did the US figure out how to build rockets? We built some, they blew up, and better ones got built. The real world isn't the same as a lab.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    1. Re:ISEAGE project by Anonymous Coward · · Score: 0
      ---> Insert response containing castle/swamp/fire/monty python here <---
  47. Hacker, not cracker by hkb · · Score: 1

    Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

    Just face it, there are criminal hackers, and there are ethical hackers. The same as there are criminal locksmiths (eg thieves) and ethical locksmiths.

    If you want to try and change the term, at least don't lie about it and flame people when they quite rightly correct you.

    --
    /* Moderating all non-anonymous trolls up since 2004 */
    1. Re:Hacker, not cracker by Lxy · · Score: 1

      Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

      I think you're confused. In the beginning, there were "hackers" and there were "crackers". "Hackers" were geeks who built, tested, used, and otherwise understood the inner workings of things. Linus is a hacker. He wanted an OS for the PC that didn't suck, and used his knowledge to build a true hacker OS.

      "Cracker" refers to someone who breaks into things, usually with malicious intent. If an attacker installs a rootkit on your webserver, you have been cracked, not hacked.

      In the recent years the mass media morons have blurred the line, and the word "cracker" virtually doesn't exist. Now there's good (white hat) hackers and bad (black hat) hackers. Even that is starting to change, with words like "penetration testing" starting to redefine the white hats.

      Back to your original point, I agree with you that it's not worth fighting over anymore. The word "cracker" is pretty much gone forever, and eventually the word hacker will mean only "bad guy", with the good guys using the new terminology to distinguish themselves from hackers.

      --

      There is no reasonable defense against an idiot with an agenda
      :wq
    2. Re:Hacker, not cracker by dick+johnson · · Score: 1

      I for one prefer Saltines (though cheesits are pretty good too).

      --
      - dj
    3. Re:Hacker, not cracker by checkitout · · Score: 1

      Actually, cracker used to only refer to people who "cracked" games and other software. Hacker has always had dual meaning.

      It's simple: You hack systems, you crack software. Try and find old references to "cracking a system" vs. "cracking software", you won't.

    4. Re:Hacker, not cracker by hkb · · Score: 2, Insightful

      No, you are confused. Crackers are/were people who break software copy protection. This is how it's always been. I guess you weren't around "back then", or you were living in some other reality different from the planet Earth's.

      This is why 2600 is called the hacker quarterly, why Defcon is a hacker convention, why Phrack is called Phrack (Phreaking/hacking), and so on.

      It has never been the way you describe, never.

      --
      /* Moderating all non-anonymous trolls up since 2004 */
  48. Sounds to me like what they did... by foxtrot · · Score: 1

    ...was took a script kiddie, and then replaced the kiddie part with more script.

  49. Re:Story Sez "Hacker;" Submitter Summary sez "Hack by Anonymous Coward · · Score: 0

    The term has been around at least since the sixties.
    Some of us remember past the 90s.

    Before challenging an etymology, learn it.

    If you're confused by the multiple meaning of phrases or words then you must have a hell of a time coding. And if you don't code, we don't care.

    (score this as bait taken)

  50. Will it protect you against top posting? by Anonymous Coward · · Score: 0

    new security tool protects against top-posting on mailing lists.

    http://goodluv.diaryland.com/bottompost.html the bottom post enforcer

  51. Top 20 attacks on Windows? by Anonymous Coward · · Score: 0

    Does this have anything to do with OpenBSD or Trustix Linux?

    Windows, windows, windows ... oh you make me cry!

  52. I drove the cofounder to the airport by Anonymous Coward · · Score: 0

    I guess you gotta see it and talk to them. I spent a couple hours last week with Kowsik (CTO/Cofounder of Mu) and one of my engineers and I was fairly impressed. They intend its use only in a lab environment and for the depth and speed the box has its uses. It also packages some features and reporting that are well thought out and actually mirror operational realities and convenience.

  53. Where? by Anonymous Coward · · Score: 0

    What open source software does this? Mu is selling a security appliance which does object based protocol fuzzing. What could you possibly think holds a candle to it? Spike? Peachfuzz? Ya, right. These people have power relays for automated restarting, they have target monitoring, they can play man in the middle, and it's plug and play right out of the box. It's powered by XML for god's sake. A company can buy this thing, hook their device into it, tell it which protocol it speaks, and get canned protocol stressing out of the box by pressing a button. You know what else in the world does this? nothing. Nothing Open Source, nothing closed.

    You're full of shit. Post one link to an open source fuzzer which treats protocols as object encapsulations, fuzzes them, and does so with zero configuration and full target monitoring.

    What were you going to say? Nmap? Nessus? Do you even know the difference between protocol stressing and vulnerability assessment?

    Fucking idiots on Slashdot getting moderated up for talking out of their assholes. It never fails. Solved the "noise problem" my ass.

  54. NO NO NO YOU ARE COMPLETELY WRONG by Anonymous Coward · · Score: 0

    Despite being moderated to the lofty score of 5 INSIGHTFUL, you couldn't be more full of shit if you spent an entire weekend eating helpings of creamy poop.

    Nessus, Satan, and Nmap are tools used in vulnerability assessment. The first two use security signatures to look for known software bugs and either report or exploit them.

    Mu is selling a security appliance which performs protocol stressing (aka fuzzing) on a known bunch of protocols. Other products in this category are Dave Aitel's (Immunity) Spike, Peachfuzz, a bunch of secret shit by HB Gary, well... there are a whole lot of them, but the important thing is this: they all suck dick.

    Now these moo clowns, they've got a nice front end, a gui, a smart fuzzing engine... the whole nine yards. There is nothing like this on the market. Nothing open, nothing closed.

    Now, I've used enough profanity to get myself moderated down, and keep you moderated up. And what's awesome is that you're totally wrong, and by being wrong you've totally warped everyone's perceptions of what's actually going on here. You've created anti-news.

    And it's wonderful, really, to see the moderation system in action - creating fiction, promoting lies.
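
Added example (not part of the thread, and not Mu Security's code): comments 53 and 54 separate signature-based scanning from protocol fuzzing that treats a message as an object and monitors the target, and the sketch below shows that second technique on a small scale. The TLV wire format, `parse_record` with its planted defect, and `parse_record_checked` are all constructed for illustration.

```python
"""Structure-aware fuzzing of a constructed TLV protocol, run in-process.

Hypothetical throughout: the wire format, both parsers and the planted
defect are constructed for this example and model no real product.
"""
import struct
from dataclasses import dataclass, replace
from typing import Optional


class ProtocolError(Exception):
    """Clean rejection of malformed input: the outcome we want."""


@dataclass(frozen=True)
class Record:
    """Protocol object: 1-byte type, 2-byte big-endian length, value."""
    rtype: int
    value: bytes
    declared_len: Optional[int] = None   # None means "use the true length"

    def encode(self) -> bytes:
        n = len(self.value) if self.declared_len is None else self.declared_len
        return struct.pack(">BH", self.rtype & 0xFF, n & 0xFFFF) + self.value


def parse_record(data: bytes) -> dict:
    """Target under test. Planted defect: the type-2 path trusts the
    declared length and indexes the last byte without a bounds check."""
    if len(data) < 3:
        raise ProtocolError("short header")
    rtype, length = struct.unpack(">BH", data[:3])
    body = data[3:3 + length]
    if rtype == 1:                       # text record, validated properly
        if len(body) != length:
            raise ProtocolError("truncated value")
        return {"type": "text", "text": body.decode("ascii", "replace")}
    if rtype == 2:                       # checksum record, defective path
        return {"type": "sum", "last": body[length - 1]}
    raise ProtocolError("unknown type")


def parse_record_checked(data: bytes) -> dict:
    """Hardened wrapper: validate the length field before the type-2 path."""
    if len(data) >= 3:
        rtype, length = struct.unpack(">BH", data[:3])
        if rtype == 2 and (length == 0 or len(data) - 3 < length):
            raise ProtocolError("bad length")
    return parse_record(data)


def mutations(seed: Record):
    """Yield (label, Record) pairs. Each mutation changes one field of the
    object, so framing stays valid and the parser gets past the header."""
    true_len = len(seed.value)
    for n in (0, true_len - 1, true_len + 1, 0xFFFF):
        yield f"declared_len={n}", replace(seed, declared_len=n)
    yield "empty value", replace(seed, value=b"")
    yield "oversize value", replace(seed, value=seed.value * 64)
    for t in (0, 0xFF):
        yield f"rtype={t}", replace(seed, rtype=t)


def fuzz(target, seeds):
    """Target monitoring: a parse or a ProtocolError is fine; any other
    exception is recorded together with the input that caused it."""
    findings = []
    for seed in seeds:
        target(seed.encode())            # the unmutated seed must parse
        for label, rec in mutations(seed):
            wire = rec.encode()
            try:
                target(wire)
            except ProtocolError:
                continue                 # rejected cleanly
            except Exception as exc:     # unhandled fault: a finding
                findings.append(
                    (seed.rtype, label, type(exc).__name__, wire.hex()))
    return findings


# Constructed seed messages, one per record type.
SEEDS = [Record(1, b"hello"), Record(2, b"\x01\x02\x03\x04")]

if __name__ == "__main__":
    for finding in fuzz(parse_record, SEEDS):
        print("FAULT", finding)
    print("after fix:", fuzz(parse_record_checked, SEEDS))
```

A signature scanner would only report this defect once someone had written a check for it; the field-level mutations find it from the message model alone, and the recorded hex input makes each fault reproducible in a regression test.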