Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Startup Prepares Cracker Attack Emulator 106

Startup.Blog writes "A startup company MuSecurity is shipping a product that emulates multitude of known attacks and integrates the security checks into quality assurance processes. The company 'will soon begin selling a new vulnerability assessment product that lets technology vendors and enterprise developers test their products with known hacker techniques, allowing them to fix bugs before products are put into use.'"
This discussion has been archived. No new comments can be posted.

Startup Prepares Cracker Attack Emulator

Comments Filter:
  • So what? (Score:4, Insightful)

    by komodo9 ( 577710 ) on Monday January 30, 2006 @01:33AM (#14596639) Homepage
    How is this anything new? There is open source (and closed) that has been available for a while that does this.
    --
    United Bimmer - BMW Enthusiast Community [unitedbimmer.com]
  • So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?
    • So if you hook this up to a Windows box, does it blow up like the androids on the old Star Trek?

      If by "blow up," you mean BSOD, then I'd say your chances are pretty good. Then again, who knows... with Vista's Red SOD and all, we might uncover new levels of crashing. ;-)
  • Mu Security would not say whether the product will be hardware- or software-based, but more details will be revealed in March, Furgerson said.

    That's not very helpful. If we're talking a tool to check for security flaws already patched against, what good is that? Just keep your systems up to date. On the other hand, if we're talking about things like buffer-overflow checkers, then why not use an existing product?

    This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.
    • by antifoidulus ( 807088 ) on Monday January 30, 2006 @01:52AM (#14596683) Homepage Journal
      It seems as if they are trying to automate what companies pay experts a lot of money to do already: attack software from every concievable angle. The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts, and I personally doubt they can do it. If it's worth anything, it will probably just end up becoming another tool of the trade. Though, as always, time will tell.
      • True, but how many companies can afford these experts? Assuming they charge (partly) by time spent on trying to crack a site, presumably not many small to medium-sized companies will pay for a full range of techniques.

        In which case, an updateable boxed package may be something they would find value in. If they pass that and still get cracked, then perhaps it would be time to call in the big boys.

        Presumably this kind of tool is also part of the toolset of security experts? I don't know, but it seems
      • So pay the experts for the really creative stuff and get the robot to do the 'basic' drudge work. Once your product has passed the robot then have the experts look at it.

        If it doesn't get passed the robot then you just saved a bunch of money by not bothering the expensive experts. If it does get passed the robot, then hopefully the so-called experts will no what its already passed and will focus their expensive time on being 'creative'.

        We generally let our compilers proof-read our code for errors before we
      • The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts [...]
        ...or just cheaper.
      • I've seen the technology and it's impressive. It's intended for vendors to detect break points in their products. The fuzzing and mutation engine can really be relentless. The reporting is nice, particularly if you tie the console of the ToE into the mu box so that you can see any error messages side by side with their cause. Those vendors serious about securing their products should give this a look. You allude to the fact that experts do this type of testing, but once user-friendly automated tools co
    • by Tim C ( 15259 ) on Monday January 30, 2006 @02:35AM (#14596790)
      This thing is going to have to be pretty darn impressive to actually find a niche other than people who don't know any better.

      In my experience, that's still a pretty big niche.
  • Satan/Santa (Score:5, Insightful)

    by fatphil ( 181876 ) on Monday January 30, 2006 @01:36AM (#14596647) Homepage
    ... and several other ones already axist.

    I'd say that the only interesting thing about this announcement is an opportunity for geeks to analyse this new product and see if it contains any ripped off GPL'ed code.

    FP.
  • by Anonymous Coward on Monday January 30, 2006 @01:41AM (#14596657)
    cracker sues Startup over piracy of cracker's trade secrets via emulation.
    • ...crackers' IP cannot be properly protected by law (DMCA) and patents.
      The *only* way to protect virusses, spyware and other malware effectively from these kind of companies is through trusted computing [wikipedia.org], people. Go figure!
      • Wait...

        Are you saying I can prevent a virus from getting on antivirus programs' lists?

        • Hmm. My comment was actually intended as a joke.
          But seriously, if trusted computing ever takes off, in that it completely and ultimately limits users from peeking inside software (which I personally doubt) even malicious software will be below the radar. That's like a rootkit that a user cannot technically (or legally) detect, modify, remove, etc.

          Now your question basically translates as: will anti-virus companies behave as "user", or will they force, reverse-engineer or bypass TC layers in the OS?
  • This is nothing new (Score:5, Informative)

    by possible ( 123857 ) on Monday January 30, 2006 @01:42AM (#14596660)

    I read about this a couple days ago and spent some time on the company's site looking for an explanation of what they are doing that is so new. The answer I came up with is "Nothing". There is no information on their websites about specifc products or services. Looks like another snake-oil security startup.

    There are other companies [rapid7.com] and even some academic groups (PROTOS from the University of Oulu, to name one) who have been doing real things in this area for years. There are also companies [coverity.com] that take a source-code centric approach.

    For several years now, there have been products that check for whole classes of vulnerabilities in applications. Such approaches are not limited to just known vulnerabilities in existing apps -- they check for common programming or configuration errors in custom applications as well. They are making it sound like checking for these things before systems go into production is a new concept. That's the whole point of security auditing.

    • They are making it sound like checking for these things before systems go into production is a new concept.

      You make it sound like hyperbole in marketting is something outrageous and previously unheard of.

      It's a company, fer crissake. If it were an academic research group making out that they had invented a new concept, then that would be different and your criticism would be more valid.

      If their product has no technical novelty, then your remarks should be directed at Slasdot editors for accepting it as New
    • Yeah, this all sounds suspiciously (or at least auspiciously) similar to EEye [eeye.com]'s Retina scanner, etc. It's all been done before.
  • by account_deleted ( 4530225 ) * on Monday January 30, 2006 @01:50AM (#14596677)
    Comment removed based on user account deletion
  • What about.. (Score:5, Insightful)

    by SocialEngineer ( 673690 ) <invertedpanda.gmail@com> on Monday January 30, 2006 @02:02AM (#14596711) Homepage

    Does it call fed up employees who are just looking for someone to talk to, exploiting the conversation and getting valuable information necessary to break into the network? :)

    Cool concept, but I wonder about how effective it'll be without good admins who know how to watch logs, set up honeypots when necessary, and train employees to shut up. Still, it could have it's uses.

  • by JWSmythe ( 446288 ) <jwsmythe@noSPam.jwsmythe.com> on Monday January 30, 2006 @02:04AM (#14596717) Homepage Journal

        "MuSecurity. We hack you first, so the hackers don't have to."

        "Pre-root your box for only $19.95"

        "Want a bot net? Have you own today!"

        Oh, testing for exploits, not actually exploiting the box.. hehe.

       
  • by venomkid ( 624425 ) on Monday January 30, 2006 @02:09AM (#14596733)
    More "keeping up with the hackers" nonsense. How about we just leave nothing permitted that we don't already know is legit?

    There's money to be made in treating cancer, but not curing it. And this is the IT equivalent.
  • by Bill_Royle ( 639563 ) on Monday January 30, 2006 @02:18AM (#14596756)
    For those of you that want to emulate a cracker attack, I cannot recommended highly enough any of the ABBA albums out there. Turn that on amongst any non-crackers, and you will know rapidly how well things will hold up.

    There are limits to this type of stress-testing, though - playing any "Rocky" movie will likely cause excessive bleeding from your ears. There's no reason to go overboard when cracker-testing.
  • Other news (Score:1, Funny)

    by Anonymous Coward
    In other news, the shares of the security company raised after it was leaked that Microsoft ordered dozens of vulnerability checkers.
  • Man beats MuSecurity by throwing his computer out of the office window, successfuly proving it cannot stop hackers against completely breaking the security. Movie clip at 11.
  • Juniper Staff (Score:3, Interesting)

    by Anonymous Coward on Monday January 30, 2006 @02:38AM (#14596795)
    Almost all the staff is ex-Juniper. Talk about running off with corporate assets
  • Known attacks (Score:4, Insightful)

    by MichaelSmith ( 789609 ) on Monday January 30, 2006 @02:50AM (#14596817) Homepage Journal

    Its the unknown ones you really have to worry about.

    • Well, as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know
  • for the RoboAdmin! Yes! You can have your very own fully automated system administrator, and now New and IMPROVED with automated security checks! If you ever need help with your IT issues, simply chat with the RoboAdmin chat bot and you will start feeling better in no time!
  • In Soviet Russia, product emulates YOU!!
  • Maybe it's Da Fuzz? (Score:5, Informative)

    by PGillingwater ( 72739 ) on Monday January 30, 2006 @03:58AM (#14596929) Homepage
    Without bothering to RTFA, it seems to me that they're not really talking about a library of known attacks like Nessus or EEye, but rather are discussing something like an automated tool that generates hundreds of thousands or even millions of potential attack vectors, similar to Spike or Scratch. For a nice roundup of Fuzzing links, check here. [scadasec.net] Note that Mu security is already listed.


    N.B. mu is a nice Japanese Zen word which means emptiness of mind, or literally "nothing."

       

  • So what's with this "cracker" in the headline? And "cracker-in-a-box" is a Saltine.

    Please stop trying to kidnap the English language. C'mon, Geeks are supposed to be efficient: "Cracker" already means too many other things to effectively assume a new mantle, especially one already being served in the global media with "hacker." Yes, we're all sad that we benign computer hobbyists have to call ourselves "benign computer hobbyists" instead of the far more edgy-danger-cool "hacker" as we could for about a w
  • When I read the headline I thought this had something to do with saltines.
  • by EVil Lawyer ( 947367 ) on Monday January 30, 2006 @04:53AM (#14597033)
    Slashdot Editor Duped by Guerilla Marketer
  • I demand that you provide more details of this revolutionary software product so that I may purchase 10,000 copies forthwith.

    Lesson to Slashdot advertisers: why buy an ad, when you can just keep submitting stories about some blog entry that promotes your product until eventually one of them sticks?

  • Comment removed based on user account deletion
  • If this carries out attacks just as the real thing, isn't this the real thing and not an emulator? (I haven't RTFA of course)
    • It's a good question, however there is a simple answer.

      There are at least 2 parts to each exploit. One is the route in (a buffer overrun, for example), and the other is the payload. You can test vulnerability by using the same route in, but with a harmless, or simply information-gathering payload. Other alternatives can include a patching payload.

      FP.
  • Anyone else notice the ripped off Google Maps image on the 'Contact Us [musecurity.com]' page without credit?

    A company that doesn't give credit where credit is due doesn't deserve money.
  • Funny Company Name (Score:3, Interesting)

    by dozer ( 30790 ) on Monday January 30, 2006 @07:33AM (#14597380)
    MuSecurity looks like MicroSecurity (picture the little-mu greek character in front). Or, in ISO units, "very little security". Strange choice for a name.
  • we don't need emulators to crack... Signed, a Cracka (aka "user")
  • NASCAR race post-race fights between fans (crackers) of different drivers. 'nuff said.

    IronChefMorimoto
  • Jeff Forristal did a really good analysis [secureenterprisemag.com] of source code instection tools at Secure Enteprise Magazine [secureenterprisemag.com].
  • "Instead, Mu Security's product performs a thorough and methodical analysis along the many lines of inter-dependencies that exist among protocols. Understanding how to create the right type and set of mutations needed to systematically expose potential vulnerabilities in highly interconnected applications and systems - identifying both existing and "day zero" threats - is a key part of Mu Security's breakthrough in determining the security readiness of such a wide range of systems. Marrying such capabilitie
  • ISEAGE project (Score:3, Informative)

    by Bender0x7D1 ( 536254 ) on Monday January 30, 2006 @11:17AM (#14598958)
    As mentioned previously, this sort of thing is being/has been done. One project I am familiar with is the Internet-scale Event and Attack Generation Environment (ISEAGE) project at Iowa State University.

    Its webpage [iastate.edu], has an overview of the project and documentation on its architecture and implementation. I think one of the key aspects of the project can be found in the overview: "Unlike computer-based simulations, real attacks will be played out against real equipment."

    ISEAGE is approaching security from a real-world perspective, using real world devices. Sure, your software/hardware might be secure when the attacks are played against it; but is it secure when those attacks when there are dozens of attacks occuring simultaneously? What about when it is being hit by thousands of requests, or is under a DDoS attack? What happens when devices decide to start breaking the protocols, or the rules? What happens if a device physically fails? What is the effect of a device overheating during a DDoS attack? How do you simulate this/test for this other than hooking it up and hammering it with a DDoS attack?

    This is the kind of information that is needed to prevent or mitigate an attack, but can't be found by reading code or running a scanner. How did the US figure out how to build rockets? We built some, they blew up, and better ones got built. The real world isn't the same as a lab.
  • Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

    Just face it, there are criminal hackers, and there are ethical hackers. The same as there are criminal locksmiths (eg thieves) and ethical locksmiths.

    If you want to try and change the term, at least don't lie about it and flame people when they quite rightly correct you.
    • Why does Slashdot continue with fruitless attempts to revise history by using the term "cracker"? It's not "cracker" and never has been. NEVER.

      I think you're confused. In the beginning, there were "hackers" and there were "crackers". "Hackers" were geeks who built, tested, used, and otherwise understood the inner workings of things. Linus is a hacker. He wanted an OS for the PC that didn't suck, and used his knowledge to build a true hacker OS.

      "Cracker" refers to someone who breaks into things, usually
      • Actually, cracker used to only refer to people who "cracked" games and other software. Hacker has always had dual meaning.

        It's simple: You hack systems, you crack software. Try and find old references to "cracking a system" vs. "cracking software", you won't.
      • by hkb ( 777908 )
        No, you are confused. Crackers are/were people who break software copy protection. This is how it's always been. I guess you weren't around "back then", or you were living in some other reality different from the planet Earth's.

        This is why 2600 is called the hacker quarterly, why Defcon is a hacker convention, why Phrack is called Phrack (Phreaking/hacking), and so on.

        It has never been the way you describe, never.
    • I for one prefer Saltines (though cheesits are pretty good too).

  • ...was took a script kiddie, and then replaced the kiddie part with more script.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A black panther is really a leopard that has a solid black coat rather then a spotted one.

Working...