Slashdot Mirror


Python is a Hit With Hackers, Report Finds (zdnet.com)

After breaking into the top three most popular programming languages for the first time this month, behind C and Java, Python has also won the hearts of hackers and web nasties, according to attack statistics published this week by web security biz Imperva. From a report: The company says more than a third of daily attacks against sites the company protects come from a malicious or legitimate tool coded in Python. Imperva says that around 77 percent of all the sites the company protects, have been attacked by at least one Python-based tool. Furthermore, when the company looked at the list of tools that hackers used for their attacks, more than a quarter were coded in Python, by far the attackers' favorite tool. "Hackers, like developers, enjoy Python's advantages which makes it a popular hacking tool," the Imperva team says.

31 of 72 comments

  1. update their CoC by Anonymous Coward · · Score: 1

    Obviously, Python needs to update their Code of Conduct to exclude the web nasties from using the language to create tools to attack systems.

  2. Python advantages? by 4wdloop · · Score: 1

    or simply popularity?

    --
    4wdloop
    1. Re:Python advantages? by Narcocide · · Score: 3, Insightful

      Yeah, that's sort of my take on this, too. It's got a lot less to do with Python's practical usefulness and a lot more to do with how trends get set in script kiddie communities.

    2. Re:Python advantages? by 0100010001010011 · · Score: 1

      Ecosystem.

    3. Re:Python advantages? by h33t+l4x0r · · Score: 2

      He's talking about scraping apparently. These aren't real attacks IMHO. If someone is after my data I would actually prefer that they use Python because at least it will take a while.

    4. Re:Python advantages? by ArchieBunker · · Score: 1

      It's hot now but so was Perl in the 1990s.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    5. Re:Python advantages? by LostMyBeaver · · Score: 1

      He calls himself Archie Bunker...

      1) Archie Bunker was already dead in the '90s from an old age related thing
      2) Even if it was young Archie, do you really think something that could make something that looks like that could ever be hot?

      I hate how no one on this damn site thinks about these things!

    6. Re:Python advantages? by jellomizer · · Score: 1

      And a large collection of solid libraries.
      Language written to be easy to code and read.
      Low barrier to begin a program.
      Cross platform.
      Support is easy to get.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Why Python? by hparker · · Score: 1

    Python: The tool to use when you want to get things done fast.

    1. Re:Why Python? by JoeyRox · · Score: 3, Interesting

      Python is definitely the language to use when you want to get the tool developed fast, but not the best if that tool needs to run fast.

    2. Re:Why Python? by smi.james.th · · Score: 1

      True but Numba is hardly useful if you want to exploit a system. Scientific computing yes. Gaining root access no.

      --
      One thing I know, and that is that I am ignorant...
    3. Re:Why Python? by LostMyBeaver · · Score: 1

      Hmmm... I'll bite

      Ok, Python as a language can in fact be compiled... this is true. It can also be run through modern JITs. But

      I have no idea what you mean by native speed... are you suggesting that Python can be compiled into native code? Ok... great... JIT is almost always faster than compiled code if the programmer understands the JIT and can optimize towards it. This is no different than how we used to sit with profilers and C code and shave clock cycles off of compiled code. It's far more effective with a JIT so long as the execution time is great enough to justify the extended startup time.

      That said, no one with an education in computer science would ever suggest that Python can be fast. This is because we have this thing called Big-O which is a means of measuring and calculating the computational complexity of an algorithm.

      Python for example is plagued with a data structure infrastructure that was designed entirely for functionality and completely disregards any aspect of reduction of computational complexity. I wouldn't care if you had the world's most amazing compiler and language; when the underlying data structures don't consider performance at all, it simply doesn't matter.

      Then there's PIP... oh no... yeh... I'm going to talk about the world's largest cesspool of code ever made. Python not only has a library to do just about anything you want... it has at least 10 that do everything you want.... none of them particularly well and almost none of them done by someone that knows the difference between a doubly linked list and an array.

      Does this mean Python is bad?

      No.. it's an amazing language for doing many things.... but

      1) Don't use it if you need performance.
      2) Don't use it if you want to keep your code clean
      3) Don't use it if you're concerned about stability
      4) Don't use it if you're concerned about security. The code audit costs would be mind boggling

      Do use it if you need to do something now, quick and plan to toss the code after.

    4. Re:Why Python? by jellomizer · · Score: 1

      Python isn't a slacker in performance. You do need to know how it handles stuff, such as if you are appending a string you do
      Stuff += otherstuff vs Stuff = Stuff + otherstuff
      Plus there is a big supply of well made libraries, which may be hard for you to code as well (I know, I know, you are the best coder in the world. Barrage us with your exploits where you fixed some guy's code who was supposed to be the expert, or did a fix to the system in record time, or how you aced some coding competition...)

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Red programming language... by fbobraga · · Score: 1

    ... the devil, the fundamentalists, the commies, the language of terrorists! /irony

    USA nonsense all over the place...

    1. Re:Red programming language... by Tablizer · · Score: 1

      Polymorphism is gender fiddling, ban it!

  5. Better ban it by schitso · · Score: 1

    Thing is used for evil -> better ban said thing.

  6. Writing vs. Reading by Tablizer · · Score: 2

    Python: The tool to use when you want to get things done fast.

    Write fast, not necessarily read fast. Perl had a reputation for being quick and short to write code with, but such code had very questionable readability by somebody besides the author.

    Remember, roughly 2/3 of software cost is maintenance, not original writing. I'm not claiming Python has a problem in this area, only saying that quick/short writing of code is only part of a real-world score.

    1. Re: Writing vs. Reading by Tablizer · · Score: 1

      The original statement was "...get things done". It didn't define "things", so I assumed it was about general coding-related tasks, which on average has maintenance involved. If your shop/task/situation doesn't need maintenance, then it should go without saying that it doesn't need maintenance. If they meant only hacking and not general, they should not have used "things".

      I suppose I should have been clearer, but a perfectly clear statement, including all interpretation assumptions made, would probably require writing 100 times more, and put people to sleep. Whenever I tried to be as clear as possible; readers complained it was "too wordy" and ignored it. Thus, one has to balance brevity and clarity.

  7. Re:I like VB too by Tablizer · · Score: 2

    I'm not really sure what your point is, but remember that there is something called "VBscript" that is interpreted and was common for a while.

  8. Re:Under Wear is Also Hit with hackers by Opportunist · · Score: 2

    I always hack naked. When you abuse someone, you can as well do it right.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Most people can't run it... by Anonymous Coward · · Score: 1

    Unless they deliver the Python runtime along with it (which no longer makes it "just a Python script"), any Python-based malware won't do shit on anyone's machine except for servers and web developer boxes where the runtime is already there.

    Have I missed something?

  10. I don't know what tool he's talking about by h33t+l4x0r · · Score: 1

    Metasploit is the biggest one AFAIK and it's Ruby not Python.

  11. Switch to COBOL! by JoeCommodore · · Score: 1

    You know, in my extensive research, I've found indications that HACKERS HATE COBOL; you would be really hard pressed to find a COBOL rootkit attached to an email. I think we should all switch over!

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  12. How do they know it's python? by smi.james.th · · Score: 1

    I may be showing my ignorance here, but unless on the target system some python thing is being exploited, how do you know what the crackers will use? I'm not aware that calling cards are left after a system has been compromised. Sockets, file reads, etc. all look the same if they're done by a python script or a compiled program.

    --
    One thing I know, and that is that I am ignorant...
    1. Re:How do they know it's python? by CODiNE · · Score: 1

      You'll mostly be able to tell with HTTP requests, the user agent header will have a default python.requests or whatever library they're using for their script. Some guys will take the time to put in a fake browser user agent, but generally you see their Python library version. If you're in a SOC you can just watch for python in the user agent and 99% of the time it'll be malicious traffic.

      --
      Cwm, fjord-bank glyphs vext quiz
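A defender-side illustration of the user-agent check described above, added here as an example and not part of the original comment: it parses constructed combined-format access log lines and flags requests whose User-Agent is a Python HTTP library's default (requests sends `python-requests/<version>`, urllib sends `Python-urllib/<version>`). The header is client-controlled, so a hit is a triage signal to pivot on, not proof of tooling.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2018:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.19.1"
198.51.100.23 - - [10/Sep/2018:12:00:02 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0 Safari/537.36"
203.0.113.7 - - [10/Sep/2018:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 231 "-" "Python-urllib/3.6"
192.0.2.44 - - [10/Sep/2018:12:00:04 +0000] "POST /api/search HTTP/1.1" 200 88 "-" "Python/3.7 aiohttp/3.4.4"
192.0.2.45 - - [10/Sep/2018:12:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes of common Python HTTP libraries. A scripted client
# can overwrite its header, so absence of a match says nothing.
PYTHON_UA_RE = re.compile(r'python-requests/|Python-urllib/|python-httpx/|\baiohttp/', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_python_clients(log_text):
    """Return parsed entries whose User-Agent identifies a Python HTTP library."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and PYTHON_UA_RE.search(entry["ua"]):
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source IP, a quick pivot for SOC triage."""
    return Counter(e["ip"] for e in hits)


if __name__ == "__main__":
    flagged = find_python_clients(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ip"]} {e["request"]} -> {e["ua"]}')
    print(summarize_by_ip(flagged))
```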
    2. Re:How do they know it's python? by smi.james.th · · Score: 1

      Interesting... again, pardon my ignorance, but what does SOC mean?

      --
      One thing I know, and that is that I am ignorant...
    3. Re:How do they know it's python? by CODiNE · · Score: 1

      Security Operations Center. Like how a NOC is for network operations.

      --
      Cwm, fjord-bank glyphs vext quiz
  13. Re:For the same reason... by LostMyBeaver · · Score: 1

    Ok ... I'm currently in the process of completely rebuilding the operations department of a company that manages networks for over a million users. I've been suffering through one argument on this topic or another in meeting rooms for a year.

    "Some of the best SOAR products" followed by "I'm talking 6-digit packages here".

    If you find a SOAR product that costs that much... they aren't good to begin with. Let me justify this clearly.

    Security can only work in mass economy. That means that there must be as many sensors as possible in as many locations as possible to gather and identify actual security threats. So, if you're talking about things like IPS, e-mail security or anything else that needs to detect anything through fingerprinting, that means any product that costs more than maybe $5000 and doesn't have a free version as well will be utterly useless. Look at Cisco's FirePower... great products!!! Yeh!!! they have Snort and ClamAV and others which are truly amazingly good stuff.... too bad they charge so much for their products that they don't notice things like that they're running on Linux kernels that are compromised in the network stack and allow hackers to code inject to the kernel before the packet ever reaches the Snort or ClamAV...

    Don't worry, running most of your fancy security tools in a virtualized environment is meaningless as well as they also typically run on Linux or FreeBSD and run inside of VMware with VMXNET3 drivers which are so compromised they're like Christmas to hackers.

    Let's also consider the "Best SOAR products" in general... I've evaluated many of them and have pockets deep enough to buy any of them that I consider useful. I then spend a massive amount of my budget on code review and performing line by line audits because those "best SOAR tools" almost always are coded to protect what's inside by having the worst security themselves.

    Consider that most of these best SOAR products don't even have the option for client certificate authentication enforcement.

    Making tools for security in Python can be fun... like "I found a security hole, let me write a small exploit to test it".

    I just switched back to bash scripting after a failed Ansible project that just was absolutely shit because Ansible is designed for script kiddies who don't actually care whether their code breaks things by accident. Then you have Ansible crap code all over the place. Cisco has now released hundreds of Ansible tasks that completely lack idempotency. And they even have entire certification tracks on how to make Python and Ansible worse.

  14. Re:Under Wear is Also Hit with hackers by CODiNE · · Score: 1

    I always hack naked.

    Looks like Sparc Flow's TTP are spreading.

    http://hacklikeapornstar.com/

    --
    Cwm, fjord-bank glyphs vext quiz
  15. Re:I like VB too by jellomizer · · Score: 1

    VB script wasn't VB, like JavaScript isn't Java.
    VB script wasn't nearly as nice as Python is. And it only worked on Windows.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. Taught in schools by TJHook3r · · Score: 1

    I imagine Python is also a hit with people trying to do useful things as well, particularly things involving Raspberry Pi and automation - it's been taught in schools for the last few years as well. Nice try, educators, though, trying to make coding more 'cool' by writing this article!