Slashdot Mirror

← Back to Stories (view on slashdot.org)

Startup Prepares Cracker Attack Emulator

Posted by Zonk on from the cracker-in-a-box dept.

Startup.Blog writes "A startup company MuSecurity is shipping a product that emulates multitude of known attacks and integrates the security checks into quality assurance processes. The company 'will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.'"

5 of 106 comments (clear)

  1. This is nothing new by possible · · Score: 4, Informative

    I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specifc products or services. Looks like another snake-oil security startup.

    There are other companies and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies that take a source-code centric approach.

    For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.

  2. Re:A karma whore is me. by Crazyscottie · · Score: 1, Informative

    So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

    If by "blow up," you mean BSOD, then I'd say your chances are pretty good. Then again, who knows... with Vista's Red SOD and all, we might uncover new levels of crashing. ;-)

    --
    Just because it can't be explained doesn't mean it isn't true. Science fits into reality... not the other way around.
  3. Maybe it's Da Fuzz? by PGillingwater · · Score: 4, Informative
    Without bothering to RTFA, it seems to me that they're not really talking about a library of known attacks like Nessus or EEye, but rather are discussing something like an automated tool that generates hundreds of thousands or even millions of potential attack vectors, similar to Spike or Scratch. For a nice roundup of Fuzzing links, check here. Note that Mu security is already listed.


    N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

       

    --
    Paul Gillingwater
    MBA, CISSP, CISM
  4. Re:Emulator or the real thing? by fatphil · · Score: 3, Informative

    It's a good question, however there is a simple answer.

    There are at least 2 parts to each exploit. One is the route in (a buffer overrun, for example), and the other is the payload. You can test vulnerability by using the same route in, but with a harmless, or simply information-gathering payload. Other alternatives can include a patching payload.

    FP.

    --
    Also FatPhil on SoylentNews, id 863
  5. ISEAGE project by Bender0x7D1 · · Score: 2, Informative

    As mentioned previously, this sort of thing is being/has been done. One project I am familiar with is the Internet-scale Event and Attack Generation Environment (ISEAGE) project at Iowa State University.

    Its webpage, has an overview of the project and documentation on its architecture and implementation. I think one of the key aspects of the project can be found in the overview: "Unlike computer-based simulations, real attacks will be played out against real equipment."

    ISEAGE is approaching security from a real-world perspective, using real world devices. Sure, your software/hardware might be secure when the attacks are played against it; but is it secure when those attacks when there are dozens of attacks occuring simultaneously? What about when it is being hit by thousands of requests, or is under a DDoS attack? What happens when devices decide to start breaking the protocols, or the rules? What happens if a device physically fails? What is the effect of a device overheating during a DDoS attack? How do you simulate this/test for this other than hooking it up and hammering it with a DDoS attack?

    This is the kind of information that is needed to prevent or mitigate an attack, but can't be found by reading code or running a scanner. How did the US figure out how to build rockets? We built some, they blew up, and better ones got built. The real world isn't the same as a lab.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.