Slashdot Mirror


Startup Prepares Cracker Attack Emulator

Startup.Blog writes "A startup company MuSecurity is shipping a product that emulates a multitude of known attacks and integrates the security checks into quality assurance processes. The company 'will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.'"

29 of 106 comments

  1. So what? by komodo9 · · Score: 4, Insightful

    How is this anything new? There is open source (and closed) that has been available for a while that does this.
    --
    United Bimmer - BMW Enthusiast Community

    1. Re:So what? by Fred_A · · Score: 5, Funny

      We people in the industry even have a name for this technology. It is called a user.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    2. Re:So what? by HermanAB · · Score: 3, Funny

      For a Windoze box, it is called 'Plug Into Teh Interweb'. This test runs for about 20 minutes.

      --
      Oh well, what the hell...
    3. Re:So what? by gbobeck · · Score: 4, Funny

      Your testing tool must be outdated. With a new Windows XP box the test now takes 10 minutes or less.

      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
    4. Re:So what? by cp.tar · · Score: 2, Interesting

      I'm sorry to say, but it takes less.

      It takes less than is necessary to download a firewall and an anti-virus program, which was something I had to do recently. Unimaginable fun.

      --
      Ignore this signature. By order.
    5. Re:So what? by plover · · Score: 3, Funny

      Could you be thinking of ... hmm ... I don't know, maybe ... SATAN??!!?!

      --
      John
  2. REALLY, REALLY important /sarcasm by AKAImBatman · · Score: 5, Insightful

    Mu Security would not say whether the product will be hardware- or software-based, but more details will be revealed in March, Furgerson said.

    That's not very helpful. If we're talking a tool to check for security flaws already patched against, what good is that? Just keep your systems up to date. On the other hand, if we're talking about things like buffer-overflow checkers, then why not use an existing product?

    This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

    1. Re:REALLY, REALLY important /sarcasm by antifoidulus · · Score: 3, Insightful

      It seems as if they are trying to automate what companies pay experts a lot of money to do already: attack software from every conceivable angle. The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts, and I personally doubt they can do it. If it's worth anything, it will probably just end up becoming another tool of the trade. Though, as always, time will tell.

    2. Re:REALLY, REALLY important /sarcasm by Tim+C · · Score: 4, Funny

      This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

      In my experience, that's still a pretty big niche.

    3. Re:REALLY, REALLY important /sarcasm by vux984 · · Score: 2, Interesting

      So pay the experts for the really creative stuff and get the robot to do the 'basic' drudge work. Once your product has passed the robot then have the experts look at it.

      If it doesn't get past the robot then you just saved a bunch of money by not bothering the expensive experts. If it does get past the robot, then hopefully the so-called experts will know what it's already passed and will focus their expensive time on being 'creative'.

      We generally let our compilers proof-read our code for errors before we have it peer-reviewed. This could be the same thing. No point in wasting someone's time to find flaws that the machine can find on its own.

  3. Satan/Santa by fatphil · · Score: 5, Insightful

    ... and several other ones already exist.

    I'd say that the only interesting thing about this announcement is an opportunity for geeks to analyse this new product and see if it contains any ripped off GPL'ed code.

    FP.

    --
    Also FatPhil on SoylentNews, id 863
  4. In other news... by Anonymous Coward · · Score: 5, Funny

    cracker sues Startup over piracy of cracker's trade secrets via emulation.

  5. This is nothing new by possible · · Score: 4, Informative

    I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specific products or services. Looks like another snake-oil security startup.

    There are other companies and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies that take a source-code centric approach.

    For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.

  6. Tip: by DrEldarion · · Score: 4, Funny

    While most crackers are pretty harmless, saltines are going to give you the most problem. Keep an eye out for Ritz as well, as I've personally had issues with keeping those out of my system.

    1. Re:Tip: by LordPhantom · · Score: 2, Funny

      Hmm.... Chris Rock might have a few things to say about "crackers". Now back to your regularly scheduled topic.

  7. What about.. by SocialEngineer · · Score: 4, Insightful

    Does it call fed up employees who are just looking for someone to talk to, exploiting the conversation and getting valuable information necessary to break into the network? :)

    Cool concept, but I wonder about how effective it'll be without good admins who know how to watch logs, set up honeypots when necessary, and train employees to shut up. Still, it could have its uses.

    --
    "Better to be vulgar than non-existent" -Bev Henson
  8. MuSecurity.. by JWSmythe · · Score: 5, Funny


        "MuSecurity. We hack you first, so the hackers don't have to."

        "Pre-root your box for only $19.95"

        "Want a bot net? Have your own today!"

        Oh, testing for exploits, not actually exploiting the box.. hehe.

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:MuSecurity.. by ozmanjusri · · Score: 5, Funny

      "MuSecurity. We hack you first, so the hackers don't have to."

      So they're a division of Sony, are they?

      --
      "I've got more toys than Teruhisa Kitahara."
  9. Oh great, more "red queen"... by venomkid · · Score: 4, Insightful

    More "keeping up with the hackers" nonsense. How about we just leave nothing permitted that we don't already know is legit?

    There's money to be made in treating cancer, but not curing it. And this is the IT equivalent.

    --
    vk.
  10. When crackers attack by Bill_Royle · · Score: 2, Funny

    For those of you that want to emulate a cracker attack, I cannot recommend highly enough any of the ABBA albums out there. Turn that on amongst any non-crackers, and you will know rapidly how well things will hold up.

    There are limits to this type of stress-testing, though - playing any "Rocky" movie will likely cause excessive bleeding from your ears. There's no reason to go overboard when cracker-testing.

  11. Juniper Staff by Anonymous Coward · · Score: 3, Interesting

    Almost all the staff is ex-Juniper. Talk about running off with corporate assets.

  12. Known attacks by MichaelSmith · · Score: 3, Insightful

    It's the unknown ones you really have to worry about.

  13. Maybe it's Da Fuzz? by PGillingwater · · Score: 4, Informative

    Without bothering to RTFA, it seems to me that they're not really talking about a library of known attacks like Nessus or EEye, but rather are discussing something like an automated tool that generates hundreds of thousands or even millions of potential attack vectors, similar to Spike or Scratch. For a nice roundup of Fuzzing links, check here. Note that Mu security is already listed.

    N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

    --
    Paul Gillingwater
    MBA, CISSP, CISM
    1. Re:Maybe it's Da Fuzz? by Slashcrap · · Score: 2, Insightful

      N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

      It's also a nice letter from the ancient Greek alphabet which means literally "mu".

  14. Headline should read: by EVil+Lawyer · · Score: 3, Funny

    Slashdot Editor Duped by Guerilla Marketer

  15. Re:Emulator or the real thing? by fatphil · · Score: 3, Informative

    It's a good question, however there is a simple answer.

    There are at least 2 parts to each exploit. One is the route in (a buffer overrun, for example), and the other is the payload. You can test vulnerability by using the same route in, but with a harmless, or simply information-gathering payload. Other alternatives can include a patching payload.

    FP.

    --
    Also FatPhil on SoylentNews, id 863
  16. Funny Company Name by dozer · · Score: 2, Interesting

    MuSecurity looks like MicroSecurity (picture the little-mu greek character in front). Or, in ISO units, "very little security". Strange choice for a name.

  17. ISEAGE project by Bender0x7D1 · · Score: 2, Informative

    As mentioned previously, this sort of thing is being/has been done. One project I am familiar with is the Internet-scale Event and Attack Generation Environment (ISEAGE) project at Iowa State University.

    Its webpage has an overview of the project and documentation on its architecture and implementation. I think one of the key aspects of the project can be found in the overview: "Unlike computer-based simulations, real attacks will be played out against real equipment."

    ISEAGE is approaching security from a real-world perspective, using real world devices. Sure, your software/hardware might be secure when the attacks are played against it; but is it secure when there are dozens of attacks occurring simultaneously? What about when it is being hit by thousands of requests, or is under a DDoS attack? What happens when devices decide to start breaking the protocols, or the rules? What happens if a device physically fails? What is the effect of a device overheating during a DDoS attack? How do you simulate this/test for this other than hooking it up and hammering it with a DDoS attack?

    This is the kind of information that is needed to prevent or mitigate an attack, but can't be found by reading code or running a scanner. How did the US figure out how to build rockets? We built some, they blew up, and better ones got built. The real world isn't the same as a lab.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  18. Re:Hacker, not cracker by hkb · · Score: 2, Insightful

    No, you are confused. Crackers are/were people who break software copy protection. This is how it's always been. I guess you weren't around "back then", or you were living in some other reality different from the planet Earth's.

    This is why 2600 is called the hacker quarterly, why Defcon is a hacker convention, why Phrack is called Phrack (Phreaking/hacking), and so on.

    It has never been the way you describe, never.

    --
    /* Moderating all non-anonymous trolls up since 2004 */