Son of SATAN? Weighing Security Software's Risks 128
ryanr writes "Rob Lemos put out an article on the new metasploit relese. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
Y'know (Score:5, Insightful)
Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.
Sure, but ... (Score:5, Insightful)
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
Re:Sure, but ... (Score:5, Insightful)
Saying that these tools in and of themselves being widely available is a bad thing I'm still not sold on. Yes, Script Kiddies can now possibly attack a system in a manner which they would not have been able previously, but sysadmins can also do the same, and then secure whatever holes appear as a result, meaning that not only can the script kiddie not get in, but a Black-hat can't use that avenue either. That is why these tools exist, after all.
Re:Sure, but ... (Score:4, Insightful)
I suspect the concerns (which I personally don't agree with) are that: (a) for every sysadmin who is trying to protect "his" system (while performing other tasks) there are numerous script kiddies who are trying to break into his system; and (b) particularly given the economy, and shrinking corporate IT budgets, the script kiddies have far more time on their hands. The question one might ask is, Who does the no-cost and low-barrier dissemination of the tool most empower?
The alternatives are not necessarily limited to no dissemination. Some might argue for taking steps to try to limit dissemination of the tools to the "good guys" -- even is such steps would be imperfect.
Further, if we are concerned about the externalities caused by 24/7 connected broad band home users who are unknowingly spewing spam, well, 24/7, we might have to recognize that few if any of them will ever use such tools to protect their systems, while the script kiddies will surely use such tools to hack them.
Of course, the counter-argument re: home users is that "surely" somebody (Microsoft????) will use the tool to test the underlying software... and "surely" the home users will download the resulting patch.
Re:Sure, but ... (Score:3, Interesting)
It's also worth saying that that each sysadmin has to make sure that each of his boxes is fully patched, and all the software, infrastructure and daily maintainence of them is carried out.
A kiddie only has to find one flaw to penetrate a system - maybe even in a system the admin didn't know about, or which is looked after by somebody else.
Re:Sure, but ... (Score:1)
Any kiddie worth 1/2 his, or her, bragging rights would have long ago downloaded one of the commercial applications that does pretty much the same thing.
Re:Sure, but ... (Score:2)
Good. If enough SKs hack enough boxes, perhaps people will start to patch early and often, or MS will start releasing more secure software, or people who don't patch will get too scared and stay of
Re:Sure, but ... (Score:1)
this [dmzs.com]?
They've both been around for some time now.
Is it just that they haven't been written about on ZDNet?
Full Disclosure vs. Security Through Obscurity (Score:5, Insightful)
I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability andif don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.
Security professionals are inherently disadvantaged compared to blakhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
Re:Sure, but ... (Score:3, Informative)
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
There are a number of things wrong with your last statement. The biggest is that most people don't patch at all, and if they do, it is often only after some news media has reported major exploitation going on in the wild.
Another thing is that software companies don't release patches unless th
Security through wishful thinking. (Score:5, Insightful)
Cracking tools are and will be widely available. How effective were the courts at stopping the spread of DeCSS? Tools already exist. They will either be written or pirated, and passed around on IRC. You can't stop them from existing. You can use them yourself, for your own benefit.
Attempting to get rid of widely available free tools that white hats could use to their benefit so that black hats won't have them isn't Security through Obscurity. It's Secruity through Wishful Thinking.
The only reasonable way to go forward with security is that your machine must be secure in spite of the existence of cracking tools. The best way to do this is to use the tools yourself, not to try to prevent them from existing. "Outlaw cracking tools, and only outlaws will have cracking tools" may be cliche, but poor prose can still be true.
Re:Security through wishful thinking. (Score:1)
Debating the restriction of security tools reminds me of debates over private firearm ownership in the United States:
When guns are outlawed, only outlaws will have guns.
Flames aside, would you want your ability to legitimately defend yourself restricted?
Re:Security through wishful thinking. (Score:2)
Our security forces will protect everyone!
Re:Y'know (Score:5, Insightful)
I think the concern may be that the widespread, no-cost dissemination of tools like this decrease the costs and barriers to entry to malicious hacking. Many (if not most) of the script kiddies who may wind up using this and similar tools couldn't possibly "create their own." Simlarly, many (if not most) would not purchase, or even be pirate, commercial tools.
Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated. Just as the unlicensed possession and use of "burlar tools" is in some jurisdictions criminal, we may get to the point that the unlicensed use or possession of "software entry" tools is regulated and licensed.
Please don't misunderstand; I am not suggesting that this ought to occur, or that I want it to occur. I am simply suggesting that as a pure matter of fact it may occur.
Re:Y'know (Score:5, Informative)
RMS already made that prediction, in The Right To Read [gnu.org] (which is a really interesting read, by the way). The relevant passage:
His version of the prediction is a bit different, but it's the same idea. If you read through the entire story you will find an astonishing list of seemingly absurd predictions which are coming true one at a time. It's a bit unnerving to read, really.
Re:Y'know (Score:3, Insightful)
Like, for example, a compi
Since when were lock picks regulated? (Score:2)
Last I heard, the possession of lockpicks was generally NOT regulated - no matter what the locksmithing industry would like you to believe.
Like crowbars, the crime is possession with intent to use illegally. (Unlike crowbars, it's a l
intent to use (Score:2)
With narcotics, "intent to sell" is defined by posessing more than some arbitrary quantity defined by law.
Re:Since when were lock picks regulated? (Score:2)
Relevant portion:
So even in Canada it's legal to have lock picks, crowbars, jimmies, paperclips, stethoscopes, etc. But it's a crime to be carrying them "under circumstance
Re:Since when were lock picks regulated? (Score:2)
I moved to Canada from the United Kingdom in 1969. My father was really surprised that a Canadian hardware store sold crowbars. According to him, at that time in the UK, they were considered primarily burglar tools and thus were not available to the general public. I believe that he knew what he was talking about, since he had actually had had a UK firearms permit, also pretty difficult to acquire in those years.
YMMV. The past is a foreign country, they
Re:Since when were lock picks regulated? (Score:2)
Way off topic, but my mom was watching some movie on Lifetime last night when I got home, and I saw a brief bit of it. Basically a guy from California was driving some rich old lady all over the county in his California license-plated taxi cab. He'd taken her to some famous funeral and stuff, and was apparently quite the celebrity for it.
So he was taking her to some fancy place in Ca
Re:Y'know (Score:1)
Same argument, right?
This could be a good tool if.... (Score:5, Interesting)
Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.
Re:This could be a good tool if.... (Score:5, Insightful)
Whether they use to DDoS or as a spam relay or whatever else they may want it for, owned zombies are owned zombies.
Re:This could be a good tool if.... (Score:1)
Agreed. I've been 0wnzing zombies ever since the days of Wolfenstein 3D and it is definitely an entertaining use of time.
Re:This could be a good tool if.... (Score:1)
Re:This could be a good tool if.... (Score:5, Insightful)
Hackers wouldn't know that fact until after they've hacked into your system.
Re:This could be a good tool if.... (Score:5, Insightful)
If you have outbound bandwidth, you have something a hacker wants. Once they 0wn your box, they'll install whatever application they want to run. Be it spamming, virus spreading, distributed computing, whatever... if your data is worthless, they can just delete it to get it out of their way.
SATAN -> SAINT (Score:5, Funny)
The Metasploit Project and its founder, HD Moore, hope to change that perception.
I thought changing the name from SATAN to SAINT, fixed that perception. I mean, how many attackers wanna use a tool called "SAINT", no matter how good it is.
Nothing like testing security in the real world. (Score:5, Interesting)
H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?
I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
Re:Nothing like testing security in the real world (Score:1)
For people whose livelihood doesn't directly involve keeping said stuff patched, or people whose aspirations in life aren't affixed solely to notions of uptime, this is easier said than done.
I'm sick and tired of people claiming that patching their system's software is a negligible task.
I'm also tired of people saying "I'm sick and tired of [insert unspeakably minor issue here]", but that's
Re:Nothing like testing security in the real world (Score:1)
Don't kid yourselves... (Score:1, Informative)
Re:Don't kid yourselves... (Score:5, Insightful)
I don't use this or kazaa, no reason, but I sure as hell wouldn't want to see either shot down just because they ave illegal uses along with legal ones (once that happens, how long till computers themselves are heavily restricted, if not banned because someone claims it's "painfully obvious computers are the tools of criminals and terrorists").
Re:Don't kid yourselves... (Score:1)
I get tired of people attacking the tools rather than the individuals using them for whatever purpose. It's the old "guns don't kill people, people kill people" argument. If there were no guns, someone would still find a way to do harm if they wanted. Whether you shoot me, stab me or beat me over the head repeatedly with a baseball bat, i'm still dead. Gee, lets ban all pointy or heavy things and make the world out of NERF.
Hear Hear (Score:1)
You are kidding yourself (Score:1, Informative)
Admittedly, most of these script-kiddies can't write the tools they use. But when they find a good tool they spread it around quickly. They ARE using commercial tools that have been hacked. If this particular tool seems better for their hacking than what they have, they'll use it too. Does that mean we have to take the tool out of white hats' hands because the black hats might get it
Re:Don't kid yourselves... (Score:2)
How do you know this is fact AC? Ready here's the counter argument pulled from someone's butt that carries just as much weight.
The vast, overwhelming, majority of people who download this will be using it to secure their networks.
I'm one of them.
Many insightful comments... (Score:5, Funny)
For the /. crowd (Score:5, Funny)
When was Bill Gates Arrested?
Re:For the /. crowd (Score:1)
Re:For the /. crowd (Score:5, Funny)
1977 [mugshots.org]
What commercial tools? (Score:1)
There are commercial tools that allow you to run exploits and install shellcode or deliver payloads?
I couldn't find this quote anywhere in the article...
Re:What commercial tools? (Score:5, Informative)
This one. [immunitysec.com]
Dave Aitel
Immunity, Inc.
Re:What commercial tools? (Score:1, Informative)
Re:What commercial tools? (Score:2)
Re:What commercial tools? (Score:1, Informative)
http://www.corest.com/products/coreimpact/
htt p
http://www.immunitysec.com
core impact: (i've tried v3.2 & v3.3): very well polished, lot of exploits (remote,locals,client side) (reliable exploits), full of information gathering tools. Weekly updates of exploits. nice GUI. very nice reports.
exploits are in python.
Ask for a demo, buy it or use edonkey.
metasploit (I've tried 2.0): f
What's the controversy? (Score:5, Insightful)
A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one sided battle (with us admins on the loosing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opporunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.
Re:What's the controversy? (Score:3, Insightful)
Just pretending the hole doesn't exist and wishing the scanning tool would go away isn't security... making holes go away is security.
Eliminate software identification (Score:1)
mirror (Score:3, Informative)
To use the gun analogy: (Score:5, Insightful)
Re:To use the gun analogy: (Score:1)
Shouln't that be "Security tools don't kill systems, script kiddies do"? Although I do like sound of it when turned back on the original gun analogy...
"A device created to strike a primer, causing a chemical reaction to propel a projectile (typically lead) at high velocity through a rifled cylinder, striking flesh and/or bone, and creating a high probability of systemic failure due to hydrostatic shock doesn't kill, people do."
: )
Re:To use the gun analogy: (Score:2)
Consider that the real problem here is with admins leaving machines unpatched, unconfigured (or badly configured), and generally unprotected. That would then be analagous with blaming the person getting shot for not wearing a Level III body armor with steel vitals inserts, which would be ludicrous indeed. Just a thought.
Oh, and I do support RKBA fully and I believe security scanners/toolkits are a godsend, not a menace.
It's a dual edge sword (Score:5, Insightful)
Re:It's a dual edge sword (Score:1)
What legitimate need do you have to leave a hole? That makes no sense to me at all. That's like saying "we need the DCOM RPC h
Its Simple... (Score:5, Insightful)
If security scanning tools are outlawed, only outlaws will have security scanning tools...
Re:Its Simple... (Score:4, Funny)
If security scanning tools are outlawed, only outlaws will have security scanning tools...
Somehow, Dirty Harry with a pirate copies of Nmap and Satan strapped to each side of his belt just doesn't have the same testostorone rating.
But maybe they could rename Satan to "Clint".
Re:Its Simple... (Score:5, Funny)
Don't blame the tool... (Score:1, Flamebait)
Re:Don't blame the tool... (Score:3, Interesting)
Re:Don't blame the tool... (Score:3, Insightful)
The anti-gun lobby is doing just that right now.
Leveling the field (Score:5, Interesting)
I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
and how many "bad hackers"..... (Score:1)
Remember when back orifice was released? All the people I knew personally who were running it were employed in the IT world in some manner, ie, they were societally assumed to be "whitehats".
Personally, I think "the industry" is a lot more an over-all
Suspicious Source (Score:4, Funny)
Hmmmmm....
Blah (Score:4, Informative)
This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
Re:Blah (Score:2)
And quoth the article:
Re:Blah (Score:3, Insightful)
One of the biggest problems that we face is that the boundary between expert and uninformed observer is very blurry when it comes to technical issues.
Ignorant "experts" litter the television and radio airwaves, and have a nasty habit of publishing themselves on the internet and in print.
To a gun owner, the "guns don't kill people, people kill p
Could it beeeeee... (Score:4, Funny)
Re:Could it beeeeee... (Score:1)
[sacreledge]"Jesus saves! But Satan [sabres.com] scores on the rebound!"[/sacreledge]
What's the difference? (Score:4, Insightful)
I'm the one you fear is going to be using this (Score:5, Interesting)
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Bad logic (Score:1, Insightful)
Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own
DUPE! DUPE! (Score:1, Informative)
sheesh! you guys are seriously losing it when an AC like myself can come along and whoop your sorry posting asses!
maybe Slashdot can have a new points system where proven dupes can get points taken from their posters!
Re:DUPE! DUPE! (Score:2)
It's the newest version.
Sorry, I didn't see the original. My bad.
Re:DUPE! DUPE! (Score:1)
Another Good Site (Score:4, Funny)
Oh, wait...
How to detect bullshit (Score:4, Interesting)
Security tools = Trouble? Perhaps... (Score:1, Insightful)
Oh know, will this create a new breed? (Score:4, Insightful)
Of course these tools are good, the script kiddies already have k-rad tools from CodC and what-nots. News flash: many admins already use actually HACKER tools to try and find 'sploits on their pwn machines!
I remember when I was a youngin and to be classified at all as a hacker you had to have at least _some_ knowledge of machine code. Ahh, those were the days..
relese??? (Score:1, Funny)
Where are Click and Clack with that dopeslap?
For the record... (Score:3, Informative)
The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
Re:For the record... (Score:1)
Re:For the record... (Score:2)
My friend had a 286 or 386 with SCO Openserver. He hacked the original perl script to run Satan on it. It was fun.
What is the difference from Nessus? (Score:2, Interesting)
Re:What is the difference from Nessus? (Score:2)
Metasploit Framework is a toolkit which allows you to build modules which exploit those insecure aspects to deliver a payload.
These tools just help hackers (Score:4, Insightful)
We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
as much as i love reading /. (Score:4, Insightful)
Rob I want you to apologize to HD Moore and go sit in the corner and think about what you've done.
(crap there goes my karma)
Nessus (Score:1)
My first lesson with hacking back in 94 (Score:3, Interesting)
He released it to help Irix system admins secure their networks. SGI having their heads up there butts, fired him believing security through obscurity was the most effective measure. After all he now made Irix insecure??
Irix remained the most unsecure Unix for many years untill managment made a recent change.
Nmap is hell of alot more powerfull now and there are many clones.
Satan is a relic of old and I just looked at some of the screenshots via a search on google. I thought it was really awesome in 94, but its quite primptive today.
Banner Ad (Score:2)
But who could afford to challenge them about it?
Re:Metadupe (Score:5, Funny)
Re:Metadupe (Score:2)
- Its too bad we can't moderate editors as being -1 Redundant
And what exactly would that accomplish?Just as you can filter by comments, you should be able to filter by articles. Allowing users to mark entire articles as redundant, flamebait, etc. would allow for this.
Re:Metadupe - Previous Comments (Score:3, Insightful)
Re:SATAN runs FreeBSD (Score:4, Funny)
Re:SATAN runs FreeBSD (Score:2)
I tried to cast the daemons out of my Linux machine, but it didn't work so well afterward...
Re:SATAN runs FreeBSD (Score:2)