Startup Prepares Cracker Attack Emulator

Startup.Blog writes "A startup company MuSecurity is shipping a product that emulates multitude of known attacks and integrates the security checks into quality assurance processes. The company 'will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.'"

So what?

[komodo9]

How is this anything new? There is open source (and closed) that has been available for a while that does this.
--
United Bimmer - BMW Enthusiast Community

Re:So what?

[komodo9]

Erm, I mean open and closed source software. Nessus for example.
--
United Bimmer - BMW Enthusiast Community

Re:So what?

[Fred_A]

We people in the industry even have a name for this technology. It is called a user.

Re:So what?

[HermanAB]

For a Windoze box, it is called 'Plug Into Teh Interweb'. This test runs for about 20 minutes.

Re:So what?

[gbobeck]

Your testing tool must be outdated. With a new Windows XP box the test now takes 10 minutes or less.

Re:So what?

[cp.tar]

I'm sorry to say, but it takes less.

It takes less than is necessary to download a firewall and an anti-virus program, which was something I had to do recently. Unimaginable fun.

Re:So what?

[42Penguins]

As funny as it is, it just doesn't seem realistic to me. Maybe I'm at the wrong intraweb...
In the last 5 years on Windoze 2000 + xp, I've been pwned exactly 0 times, same as my BSD box. Of course, the firewall, firefox, and not being a dumbass certainly help.

Re:So what?

[Rahszhul]

firewall, firefox

... No doubt that the two fire's are creating enough light to scare away any slightly tanned hacker's hide.

Re:So what?

[HermanAB]

Your firewall/router/little blue box, typically runs Linux. Have you considered that this firewall doesn't have a firewall to hide behind?

I'll believe in Microsoft security once Cisco/HP/Whoever starts to sell Windows based firewall appliances.

Re:So what?

[plover]

Could you be thinking of ... hmm ... I don't know, maybe ... SATAN??!!?!

A karma whore is me.

[heinousjay]

So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

Re:A karma whore is me.

[Crazyscottie]

So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

If by "blow up," you mean BSOD, then I'd say your chances are pretty good. Then again, who knows... with Vista's Red SOD and all, we might uncover new levels of crashing. ;-)

REALLY, REALLY important /sarcasm

[AKAImBatman]

Mu Security would not say whether the product will be hardware- or software-based, but more details will be revealed in March, Furgerson said.

That's not very helpful. If we're talking a tool to check for security flaws already patched against, what good is that? Just keep your systems up to date. On the other hand, if we're talking about things like buffer-overflow checkers, then why not use an existing product?

This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

Re:REALLY, REALLY important /sarcasm

[antifoidulus]

It seems as if they are trying to automate what companies pay experts a lot of money to do already: attack software from every concievable angle. The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts, and I personally doubt they can do it. If it's worth anything, it will probably just end up becoming another tool of the trade. Though, as always, time will tell.

Re:REALLY, REALLY important /sarcasm

[Tim+C]

This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

In my experience, that's still a pretty big niche.

Re:REALLY, REALLY important /sarcasm

[onedotzero]

True, but how many companies can afford these experts? Assuming they charge (partly) by time spent on trying to crack a site, presumably not many small to medium-sized companies will pay for a full range of techniques.

In which case, an updateable boxed package may be something they would find value in. If they pass that and still get cracked, then perhaps it would be time to call in the big boys.

Presumably this kind of tool is also part of the toolset of security experts? I don't know, but it seems like it would be a logical starting point.

--
onedotzero
thedigitalfeed.co.uk

Re:REALLY, REALLY important /sarcasm

[vux984]

So pay the experts for the really creative stuff and get the robot to do the 'basic' drudge work. Once your product has passed the robot then have the experts look at it.

If it doesn't get passed the robot then you just saved a bunch of money by not bothering the expensive experts. If it does get passed the robot, then hopefully the so-called experts will no what its already passed and will focus their expensive time on being 'creative'.

We generally let our compilers proof-read our code for errors before we have it peer-reviewed. This could be the same thing. No point in wasting someones time to find flaws that the machine can find on its own.

Re:REALLY, REALLY important /sarcasm

[jayloden]

The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts [...]

...or just cheaper.

Re:REALLY, REALLY important /sarcasm

[charlesnw]

And I just saved a bunch of money by switching to Geico... uh I mean using
Flawfinder.

Re:REALLY, REALLY important /sarcasm

[netnull]

I've seen the technology and it's impressive. It's intended for vendors to detect break points in their products. The fuzzing and mutation engine can really be relentless. The reporting is nice, particularly if you tie the console of the ToE into the mu box so that you can see any error messages side by side with their cause. Those vendors serious about securing their products should give this a look. You allude to the fact that experts do this type of testing, but once user-friendly automated tools come onto the market we will both an improvement in security, as well as a rise in attacks. Another difference is that this technology breaks boxes without finese. Finding exploitable logic errors without trashing the box will still be in the realm of experts.

Satan/Santa

[fatphil]

... and several other ones already axist.

I'd say that the only interesting thing about this announcement is an opportunity for geeks to analyse this new product and see if it contains any ripped off GPL'ed code.

FP.

Re:Satan/Santa

[fatphil]

The publicity disaster will be when some crackers hack this company's website, and pw|\|x0R (is that how you spell it?) it.

(Or just some good old fashioned DNS poisoning at the root servers - if that's good enough for RSA.com, it's good enough for these guys.)

In other news...

cracker sues Startup over piracy of cracker's trade secrets via emulation.

This is nothing new

[possible]

I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specifc products or services. Looks like another snake-oil security startup.

There are other companies and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies that take a source-code centric approach.

For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.

Re:This is nothing new

[zopf]

Yeah, this all sounds suspiciously (or at least auspiciously) similar to EEye's Retina scanner, etc. It's all been done before.

Tip:

[DrEldarion]

While most crackers are pretty harmless, saltines are going to give you the most problem. Keep an eye out for Ritz as well, as I've personally had issues with keeping those out of my system.

Re:Tip:

[LordPhantom]

Hmm.... Chris Rock might have a few things to say about "crackers". Now back to your regularly scheduled topic.

Re:Tip:

[gbobeck]

Graham Crackers can be a real bitch too.

What about..

[SocialEngineer]

Does it call fed up employees who are just looking for someone to talk to, exploiting the conversation and getting valuable information necessary to break into the network? :)

Cool concept, but I wonder about how effective it'll be without good admins who know how to watch logs, set up honeypots when necessary, and train employees to shut up. Still, it could have it's uses.

It's just a company making a product

[Morgaine]

They are making it sound like checking for these things before systems go into production is a new concept.

You make it sound like hyperbole in marketting is something outrageous and previously unheard of.

It's a company, fer crissake. If it were an academic research group making out that they had invented a new concept, then that would be different and your criticism would be more valid.

If their product has no technical novelty, then your remarks should be directed at Slasdot editors for accepting it as News For Nerds. The company seems to be offering another competing product in this market. And that surely is A Good Thing.

MuSecurity..

[JWSmythe]

    "MuSecurity. We hack you first, so the hackers don't have to."

    "Pre-root your box for only $19.95"

    "Want a bot net? Have you own today!"

    Oh, testing for exploits, not actually exploiting the box.. hehe.

Re:MuSecurity..

[ozmanjusri]

"MuSecurity. We hack you first, so the hackers don't have to."

So they're a division of Sony, are they?

Oh great, more "red queen"...

[venomkid]

More "keeping up with the hackers" nonsense. How about we just leave nothing permitted that we don't already know is legit?

There's money to be made in treating cancer, but not curing it. And this is the IT equivalent.

When crackers attack

[Bill_Royle]

For those of you that want to emulate a cracker attack, I cannot recommended highly enough any of the ABBA albums out there. Turn that on amongst any non-crackers, and you will know rapidly how well things will hold up.

There are limits to this type of stress-testing, though - playing any "Rocky" movie will likely cause excessive bleeding from your ears. There's no reason to go overboard when cracker-testing.

Other news

In other news, the shares of the security company raised after it was leaked that Microsoft ordered dozens of vulnerability checkers.

Hot off the press..

[js92647]

Man beats MuSecurity by throwing his computer out of the office window, successfuly proving it cannot stop hackers against completely breaking the security. Movie clip at 11.

Juniper Staff

Almost all the staff is ex-Juniper. Talk about running off with corporate assets

Known attacks

[MichaelSmith]

Its the unknown ones you really have to worry about.

Re:Known attacks

[mmjb]

Well, as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know

Just another module....

[Bananatree3]

for the RoboAdmin! Yes! You can have your very own fully automated system administrator, and now New and IMPROVED with automated security checks! If you ever need help with your IT issues, simply chat with the RoboAdmin chat bot and you will start feeling better in no time!

This proves that...

[Tune]

...crackers' IP cannot be properly protected by law (DMCA) and patents.
The *only* way to protect virusses, spyware and other malware effectively from these kind of companies is through trusted computing, people. Go figure!

Re:This proves that...

[cp.tar]

Wait...

Are you saying I can prevent a virus from getting on antivirus programs' lists?

Re:This proves that...

[Tune]

Hmm. My comment was actually intended as a joke.
But seriously, if trusted computing ever takes off, in that it completely and ultimately limits users from peeking inside software (which I personally doubt) even malicious software will be below the radar. That's like a rootkit that a user cannot technically (or legally) detect, modify, remove, etc.

Now your question basically translates as: will anti-virus companies behave as "user", or will they force, reverse-engineer or bypass TC layers in the OS?

Re:This proves that...

[cp.tar]

Well, whatever happens, when 'trusted computing' takes off, I will most certainly not trust it.

Obligatory...

[kvonk]

In Soviet Russia, product emulates YOU!!

Maybe it's Da Fuzz?

[PGillingwater]

Without bothering to RTFA, it seems to me that they're not really talking about a library of known attacks like Nessus or EEye, but rather are discussing something like an automated tool that generates hundreds of thousands or even millions of potential attack vectors, similar to Spike or Scratch. For a nice roundup of Fuzzing links, check here. Note that Mu security is already listed.

N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

   

Re:Maybe it's Da Fuzz?

[Slashcrap]

N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

It's also a nice letter from the ancient Greek alphabet which means literally "mu".

Re:Maybe it's Da Fuzz?

[Cally]

Woof! Woof!

Story Sez "Hacker;" Submitter Summary sez "Hacker"

[RobotRunAmok]

So what's with this "cracker" in the headline? And "cracker-in-a-box" is a Saltine.

Please stop trying to kidnap the English language. C'mon, Geeks are supposed to be efficient: "Cracker" already means too many other things to effectively assume a new mantle, especially one already being served in the global media with "hacker." Yes, we're all sad that we benign computer hobbyists have to call ourselves "benign computer hobbyists" instead of the far more edgy-danger-cool "hacker" as we could for about a week-and-a-half in 1994, but time -- and language -- marches on.

Seriously. Get over it. You're embarrassing the rest of us.

Need... More... Sleeep.....

[Stephen+Maturin]

When I read the headline I thought this had something to do with saltines.

Headline should read:

[EVil+Lawyer]

Slashdot Editor Duped by Guerilla Marketer

QUICK! HOW DO I GIVE THEM MY MONEY?

[Rogerborg]

I demand that you provide more details of this revolutionary software product so that I may purchase 10,000 copies forthwith.

Lesson to Slashdot advertisers: why buy an ad, when you can just keep submitting stories about some blog entry that promotes your product until eventually one of them sticks?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Emulator or the real thing?

[noidentity]

If this carries out attacks just as the real thing, isn't this the real thing and not an emulator? (I haven't RTFA of course)

Re:Emulator or the real thing?

[fatphil]

It's a good question, however there is a simple answer.

There are at least 2 parts to each exploit. One is the route in (a buffer overrun, for example), and the other is the payload. You can test vulnerability by using the same route in, but with a harmless, or simply information-gathering payload. Other alternatives can include a patching payload.

FP.

Ripped off Google Maps

[Hextreme]

Anyone else notice the ripped off Google Maps image on the 'Contact Us' page without credit?

A company that doesn't give credit where credit is due doesn't deserve money.

Funny Company Name

[dozer]

MuSecurity looks like MicroSecurity (picture the little-mu greek character in front). Or, in ISO units, "very little security". Strange choice for a name.

pffft...

[p_cyde]

we don't need emulators to crack... Signed, a Cracka (aka "user")

They've had cracker attack emulators for years...

[IronChefMorimoto]

NASCAR race post-race fights between fans (crackers) of different drivers. 'nuff said.

IronChefMorimoto

Good article on source code inspectors

[hal9000(jr)]

Jeff Forristal did a really good analysis of source code instection tools at Secure Enteprise Magazine.

Please RTFA

[powers_722]

"Instead, Mu Security's product performs a thorough and methodical analysis along the many lines of inter-dependencies that exist among protocols. Understanding how to create the right type and set of mutations needed to systematically expose potential vulnerabilities in highly interconnected applications and systems - identifying both existing and "day zero" threats - is a key part of Mu Security's breakthrough in determining the security readiness of such a wide range of systems. Marrying such capabilities to a platform approach allows such analysis to be comprehensive, efficient, and repeatable. The net result is that Mu Security's solution has already uncovered multiple day zero vulnerabilities in every system analyzed."

http://www.musecurity.com/

ISEAGE project

[Bender0x7D1]

As mentioned previously, this sort of thing is being/has been done. One project I am familiar with is the Internet-scale Event and Attack Generation Environment (ISEAGE) project at Iowa State University.

Its webpage, has an overview of the project and documentation on its architecture and implementation. I think one of the key aspects of the project can be found in the overview: "Unlike computer-based simulations, real attacks will be played out against real equipment."

ISEAGE is approaching security from a real-world perspective, using real world devices. Sure, your software/hardware might be secure when the attacks are played against it; but is it secure when those attacks when there are dozens of attacks occuring simultaneously? What about when it is being hit by thousands of requests, or is under a DDoS attack? What happens when devices decide to start breaking the protocols, or the rules? What happens if a device physically fails? What is the effect of a device overheating during a DDoS attack? How do you simulate this/test for this other than hooking it up and hammering it with a DDoS attack?

This is the kind of information that is needed to prevent or mitigate an attack, but can't be found by reading code or running a scanner. How did the US figure out how to build rockets? We built some, they blew up, and better ones got built. The real world isn't the same as a lab.

Hacker, not cracker

[hkb]

Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

Just face it, there are criminal hackers, and there are ethical hackers. The same as there are criminal locksmiths (eg thieves) and ethical locksmiths.

If you want to try and change the term, at least don't lie about it and flame people when they quite rightly correct you.

Re:Hacker, not cracker

[Lxy]

Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

I think you're confused. In the beginning, there were "hackers" and there were "crackers". "Hackers" were geeks who built, tested, used, and otherwise understood the inner workings of things. Linus is a hacker. He wanted an OS for the PC that didn't suck, and used his knowledge to build a true hacker OS.

"Cracker" refers to someone who breaks into things, usually with malicious intent. If an attacker installs a rootkit on your webserver, you have been cracked, not hacked.

In the recent years the mass media morons have blurred the line, and the word "cracker" virtually doesn't exist. Now there's good (white hat) hackers and bad (black hat) hackers. Even that is starting to change, with words like "penetration testing" starting to redefine the white hats.

Back to your original point, I agree with you that it's not worth fighting over anymore. The word "cracker" is pretty much gone forever, and eventually the word hacker will mean only "bad guy", with the good guys using the new terminology to distinguish themselves from hackers.

Re:Hacker, not cracker

[dick+johnson]

I for one prefer Saltines (though cheesits are pretty good too).

Re:Hacker, not cracker

[checkitout]

Actually, cracker used to only refer to people who "cracked" games and other software. Hacker has always had dual meaning.

It's simple: You hack systems, you crack software. Try and find old references to "cracking a system" vs. "cracking software", you won't.

Re:Hacker, not cracker

[hkb]

No, you are confused. Crackers are/were people who break software copy protection. This is how it's always been. I guess you weren't around "back then", or you were living in some other reality different from the planet Earth's.

This is why 2600 is called the hacker quarterly, why Defcon is a hacker convention, why Phrack is called Phrack (Phreaking/hacking), and so on.

It has never been the way you describe, never.

Sounds to me like what they did...

[foxtrot]

...was took a script kiddie, and then replaced the kiddie part with more script.