Security Tools More Harmful Than Helpful? 116
soblasted writes "With the recent 2.0 release of the Metasploit Framework, people are wondering if
security tools like it do more good than harm. This
article attempts to answer the question. The legitimate use of the framework is for security researchers to use in exploit testing and development.It will run on any OS with Perl, and includes a CLI and web GUI, along with many ready to run exploits and payload modules. With HP also
developing systems to preemptively attack their own networks, has this become acceptable?" This issue reminds me of the first release of SATAN and the uproar it caused.
Duh (Score:5, Insightful)
Run ping -f to the wrong host and it's a DDoS attack, not a test of simple dropped packets
run apache's tester, 'ab' to the wrong host and it's a DDoS attack, and not a test of a webserver
run X to the wrong host and it's a , not a
Wrong (Score:1, Offtopic)
Re:Wrong (Score:1, Interesting)
Unfourtunately, your comment was unfairly modded down.
Re:Duh (Score:5, Funny)
Re:Duh (Score:2)
Re:Duh (Score:1)
Remember, as a geek it is youre duty to use the right Acryonynms and use them in the right places.
Re:Duh (Score:1)
Re:Duh (Score:1)
DDoS distributed from a single computer.
Seems right to me.
You also have the phenomenon of a single task thrashing.
Re:Duh (Score:1)
Wikipedia [wikipedia.org] recently encountered something similar. To stem abuse, they've been scanning for and blocking open proxies. Unfortunately, this was seen as abuse [wikipedia.org].
What, no link, CowboyNeal? (Score:5, Funny)
Re:What, no link, CowboyNeal? (Score:2)
Security tools = trouble? Yes/No (Score:5, Insightful)
Airlines learnt that one a little while ago. (Score:5, Interesting)
Does that stop us using Airplanes ? No, because their usefulness far outweighs the occasional terrorist attack.
Same with petrol (gasoline), hammers, screwdrivers, cars etc. etc. etc.
A false sense of security is worse than no security at all. At least with no security, you know you don't have any ...
Re:Airlines learnt that one a little while ago. (Score:1)
Re:Security tools = trouble? Yes/No (Score:1)
Security tools == trouble? Yes/No
That's SANTA to you! (Score:4, Interesting)
They thought of everything... or thought they had... until they found themselves in the middle of a storm of controversy.
Ahh... those were the good old days
Re:That's SANTA to you! (Score:1)
Securty Tools (Score:4, Insightful)
Leveling the field (Score:5, Insightful)
I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
Re:Securty Tools (Score:2)
A tool like this is great. Every tech-ops/sysadmin guy I know is way overworked and has way too many problem spaces to address (versus most developers which struggle with just learning a different language much l
First release of Satan (Score:5, Funny)
Re:First release of Satan (Score:1)
It's a dual edge sword (Score:5, Interesting)
Re:It's a dual edge sword (Score:2)
Re:It's a dual edge sword (Score:1)
Cracker, dude. In this case/context it's called a cracker.
Do you want RMS to send you a letter [catb.org] too?
Re:It's a dual edge sword (Score:2, Funny)
Re:It's a dual edge sword (Score:2)
double, as in: I can remember when a dual-speed CD-ROM reader was the best you could buy.
duel
fight between two, as in: Microsoft and Netscape are in a duel for browser dominance.
Dual as in two edges to said sword.
Whether said sword is used in a duel is irrelevant.
eye for an eye (Score:5, Insightful)
newsflash; even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojan's and the like).
giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. and an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.
The debate... (Score:5, Insightful)
Railing against them won't make them go away - maybe the author(s) of this particular tool will give up, but there are plenty of other authors who will inevitably write something similar anyway.
Re:The debate... (Score:2)
Man, stupid wrong memes. Does NOBODY remember Prof. Dijkstra?
Most software is designed for mathematically trivial problems, which solutions can be mathematically prooven. There is *NO EXCUSE* for bugs, other then being a not so good math guy, and thus a mediocre programmmer. He, I dont program.
peace
"/Dread"
Re:The debate... (Score:2)
Re:The debate... (Score:2)
That's an overly simplistic summary. That's like saying that a building is a trivial set of nails in pieces of wood, or just a bunch of bricks with mortar.
Most software is designed for millions or trillions of mathematically trivial problems, and a large percentage of those problems have numerous variables. Can you imagine mathematicallly proving trillions of calculations?
Re:The debate... (Score:2)
The pieces taken in isolation may be trivial, but such as "Is it the right building? In the right place?" are not. The nail may support the pieces of wood it is nailed into, but what about supporting everything that the wood supports?
Disktra's comment is that most software is designed only to the level of the trivial. He makes no assertion that there is anything trivial about an assemblage
Patching is a faulty security paradigm (Score:4, Insightful)
Sadly, security problems were already better dealt with by Unix when it was designed, more than thirty years ago, than by Windows now, but the large number of Linux boxen that get rooted shows that the Unix model is now hopelessly out of date. It is time to catch up on the basic issues, separate the programs from the data more effectively, provide PCs with effective data backup,
and maybe freeze some essential functionality in firmware so that it cannot be overwritten.
Re:Patching is a faulty security paradigm (Score:5, Insightful)
They are entering the game where all memory must be flagged as executable or not-executable when allocated. Great step in the right direction.
Also, I don't have any servers apps that have data in the same location. Exchange and Active Directory are all stored on a RAID 5 while the operating system is only mirrored. We have an image of the operating system which is fully working and we only bother to backup the array. Occasionally we will check the OS's integrity with Tripwire and if it passes then we create a new image and store it along side the old image just in case the unforeseeable happens.There are ways to deal with these issues, I'd say Linux and Windows following the exact same patching model, the only difference is there are a lot more people developing patches for Linux. Speaks well for OSS but education is still a problem, for whatever the reason many Linux users and worse, admins don't know shit about designing a secure and reliable environment.
As for the firmware idea, I believe that is where the industry is headed. It is a good idea but it does restrict the capabilities of a system while also having a very large margin for error. I can imagine a new install of an OS would require several firmware updates to get the required interface to work, and what if you installed the wrong firmware? It's like an Intel board today, if you want to upgrade the firmware there are so many pre-reqs its often a pain in the ass and worse yet, its a requirement because your backplane will keep dying without it. I think its best just to create a secure model for which to install. Force people to store programs and data in a different location and with different permissions.Re:Patching is a faulty security paradigm (Score:1)
If MS really is doing the same thing to memory managment(a set of permissions for code in memory)It will be one of the few things that MS actually innovated. It will also be a huge boon to security buffer overflows. Kill off Outloo
Re:Patching is a faulty security paradigm (Score:2)
This explains their approach [microsoft.com]
Re:Patching is a faulty security paradigm (Score:2)
Re:Patching is a faulty security paradigm (Score:2)
Re:Patching is a faulty security paradigm (Score:2)
Re:Patching is a faulty security paradigm (Score:2)
Re:Patching is a faulty security paradigm (Score:4, Informative)
http://portal.acm.org/citation.cfm?id=850709&dl
Re:Patching is a faulty security paradigm (Score:3, Informative)
Re:Patching is a faulty security paradigm (Score:3, Informative)
However, a system with this is still exploitable. It is just much harder. One writeup on this can be found
here [kernsh.org].
Re:Patching is a faulty security paradigm (Score:1)
Thank you guys I did a double take with MS innovating, but I am glad that they are staying true to form.
Re:Patching is a faulty security paradigm (Score:1)
Recalling from memory the last hundred or so security patches released by MS for Windows 2000 in the last few years, I'd hazard that about 75% of the holes were buffer-overflow patches. That still leaves a lot of other vulnerabilities.
Re:Patching is a faulty security paradigm (Score:2)
Re:Patching is a faulty security paradigm (Score:4, Insightful)
I got sick of playing whack-a-mole with Sendmail's bugs and switched over to postfix [postfix.org] in that year there has been only one bug discovered in postfix -- a DOS vulnerability. AFAIK, Postfix has NEVER had a remote root exploit.
Security is HARD to get right. Postfix was designed from the ground up with security in mind by one of the leading experts in the field of computer security, and it still occasionally has problems. OpenBSD is reviewed line-by-line for security problems by some of the most anal-retentive programmers in the world, and it still has an occasional hole. Programs like sendmail, where security is a poorly-implemented afterthought, can never be trusted.
Re:Patching is a faulty security paradigm (Score:1)
Patching is a reality. As long as software evolves and develops, patches will be a reality.
The number of boxes that get rooted are proportional to the number of unprotected, badly-run boxes and always will be. It's easy to sweep your arm and declare things unsuitable, but this proves and solves nothing.
Re:Patching is a faulty security paradigm (Score:1)
Re:Patching is a faulty security paradigm (Score:2)
If you had any experience with BSD or Debian you would know that all it takes is a sensible package installation and update tool, and a sensible and user respectful approach to design (e.g., NOT including bug fixes and enhancements along with security updates).
Security tools == good (Score:2, Insightful)
Now we have a choice of making security testing products that might be used by the bad guys to break into other people's networks or we can let the bad guys develop these tools anyway and leave ourselves with a harder job in testing security.
I think the tradeoff is worth it.
Simon.
Metaploit Going Down (Score:5, Funny)
Re:Metaploit Going Down (Score:2)
We should force
Then we can
Re:Metaploit Going Down (Score:2)
AntiDot (Score:2)
Re:Metaploit Going Down (Score:2)
Sean
Renaming the tools of the trade (Score:4, Insightful)
Re:Renaming the tools of the trade (Score:2)
One of my favorite examples involves my usual practice of building a lot of debug hooks into code that I write. When it's to be turned into a deliverable, I always had a problem that the people paying for the work didn't want debug hooks in the final product. Now, you and I know that when you install it in a customer's machine and it doesn't work right, that's when you really need those debug hooks, but most m
I think it's pretty simple (Score:5, Insightful)
Writing and releasing these tools is the only way to establish certainty. Certainty that, if a hole can be detected, you can. And certainty that everyone else can, so you MUST patch it. No more guessing that it will be alright and being wrong.
Abuse does not justify banning (Score:4, Insightful)
In the final analysis there are always ways to abuse things and cause harm with them. That doesn't justify preventing their legitimate use. All the more so if their legitimate use actually makes their abuse all the more difficult.
Re:Abuse does not justify banning (Score:1, Funny)
I insist we ban fire axes. Misusing innocent tools for hacking is intolerable.
Potential Abuse == Evil Product Mentality (Score:5, Funny)
Historically there are so many other examples, such as lockpick kits which are illegal in many states and countries, or are requiring licenses to use. Let's not forget the old Napster, or Kazaa or any other similar P2P, due to misuse, free use P2P is generalized into a piracy movement alone.
Which reminds me of a joke- A man is at his house during prohibition in the backcountry, when a sheriff comes by and notices that he has all the equipment laid out to make moonshine. Immediately the sheriff arrests the man, citing that having the materials to make moonshine is equivalent to having the contraband itself, though he saw no liquor on the premise. The arrested man takes a long pause, thinks about the situation, and states- "Well, I guess you should arrest me for rape too then, I got all the tools for that crime also!". Embarassed, the sheriff released the man.
Re:Potential Abuse == Evil Product Mentality (Score:2, Insightful)
Yeah, okay. I realise it's just a joke. The thing is, you can make assumptions about what people are going to do with their equipment. Sometimes these assumptions are valid, sometimes they're not. Each case is different, and should be decided at the time on its own merits.
Re:Potential Abuse == Evil Product Mentality (Score:1, Troll)
We need these tools and we need them automated! (Score:5, Interesting)
My solution would be an automated quarantine system, which would quarantine a system ones it is found compromised or vulnerable. Quarantine means in this case that the internet traffic is redirected to a specific page and there the user will find an explanation and a solution. Other traffic, like VOIP and TV over IP should run uninterrupted. (This could be realized for instance by having VOIP and TV on separate VLAN's or by allowing certain IP-adresses)
This system has to be automated. The reasons for automation are:
1. You cannot expect a networkadmin to continuously monitor 7500 to 50.000 connections.
2. Vulnerabilities are many and a system you've just checked by hand could easily be vulnerable the next day, because somebody installed a new piece of software with some old problems. (One can expect people to install a vulnerable version of winamp on a daily basis! Just think of all the cd's in comptermagazines that carry a version of Winamp)
3. Warhol worms are fast! Within fifteen minutes almost all vulnerable connections will have been infected. If the vulnerability was already known, the system should have been quarantined. If it is unknown, it should be able to disconnect 5000 infected systems immediately once it knows how to detect the vulnerability/worm.
4. The system should preferably be scanned upon connection to the network. Time and time again.
Yes there are all kinds of problems associated with this idea. But if you have a better solution, one that doesn't require me to rely on the intelligence of the average John Doe, please do tell me.
Re:We need these tools and we need them automated! (Score:4, Interesting)
you can have a custom firmware written for popular NAT boxes. (comcast does) that allows you to shut off a customer's DMZ machine access if you detect that it is causing trouble and send it's iptables logs back to your server so you can detect a problem when it is happening instead of 3 days later.
Second yout TOS needs to read that all servers running MUST be registered with you or you shut off their connection. I.E. ip address they want it on and ports that are open and why. Mister Huang on evergreen terrace is NOT allowed to put his W2K server with IIS on the net for a webserver if he does not have all unneeded ports closed.. if they bitch, have a recording of a crying baby to play back at them... (this works with corperate IT in the NOC, Marketing droids and PHB's that are not your direct report.)
Finally, Unless they have registered a email server with you, they CANNOT send email without going through your email server... yes a few people will bitch, most wont and you will solve a large problem.
finally set up sniffing tools and actually hire competent staff at decent wage rates. you want people that will investigate why 192.168.123.43 is trying to send 300 emails an hour. or why a large number of IP addresses are trying to access port 3250 on 192.168.123.33... automated tools can be set to alert on these triggers. you need people that can understand what the alerts mean.
Re:We need these tools and we need them automated! (Score:2, Informative)
Really easy answer: he is running an email list.
Why a large number of IP addresses are trying to access port 3250 on 192.168.123.33 ?
Well, because 192.168.123.33 is not the wrongdoer but because someone is faking IP packets replies to which all go back to 192.168.123.33.
Or maybe 192.168.123.33 is running filesharing on that port, which he should well be allowed to do on a decent network.
I guess you could handle all this by having white-lists of ho
Re:We need these tools and we need them automated! (Score:1)
Or maybe 192.168.123.33 is running a closed Quake III server on a wierd port and he is hosting the game?? or possibly a custom IRC server. either way, if the customer did not NOTIFY the provider of the fact that he/she was going to run a server then it's his own fault if it get's shut down.
a simple web form to say "I'm opening and running something on port 9080" will keep mister underpaid NOC st
Re:We need these tools and we need them automated! (Score:2)
You would also have to either do 1-1 NAT for anybody running a server (making it just th
Re:We need these tools and we need them automated! (Score:1)
the key to serenity is to have all networks untrusted. assume EVERYTHING is hostile.
Re:We need these tools and we need them automated! (Score:2)
30 milliseconds later, before you even get quake loaded, the port is open, the note is available in the NOC that you have a port open for use and to disregard the flood of traffic there.
simply having the main servers communicate to the customers NAT box to open that port for them (most internet users would ball up
Re:We need these tools and we need them automated! (Score:2)
Re:We need these tools and we need them automated! (Score:3, Interesting)
Which I did, btw.
You have the AOL mentality.
You must allow the user to do whatever they want. Your network should be completely transparent to them. As far as they are concerned, they are connected to the internet.
This is what you are selling (an interent connection). If you can't do it, let someone else do it.
If you don't want to do it, let someone else do it.
If you think it can't be done... you get the picture.
If Mr. SuperCr
Re:We need these tools and we need them automated! (Score:2, Insightful)
Broadband != high bandwidth.
Broadband signalling means multiple frequencies on the media, as opposed to baseband, where there is only one. Ethernet is a baseband technology.
These sorts of misconceptions result in well-defined technical terms such as broadband being re-defined for consumers as meaning something entirely different - because consumers have been led to believe it means something else. "Define broadband please - CA" [theregister.co.uk] It's
Re:We need these tools and we need them automated! (Score:2)
Re:We need these tools and we need them automated! (Score:1)
This is Slashdot. You are in the technical world here, my friend. It is reasonable to make certain assumptions about the level of technical knowledge present - especially when you are responding to a post with a technical question in an article about a highly technical subject.
I didn't really intend my post to be a rant, per se, but I can see wh
re: metasploit (Score:5, Informative)
I'll gladly add this to my tools, without any cash outlay.
Want more security tools [isecom.org]?
Bad Logic (Score:5, Insightful)
Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.
Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.
Re:Bad Logic (Score:2, Insightful)
I think that's a poor analogy. A better one would be this: Should automated tools to check whether a house's doors are locked and alarmed be banned, given that burglars can check houses to see which are vulnerable? Especially if you consider that very few people actually use the tool to check their own house?
The ideal answer is that those tools should be made available to everyone, both for houses and for s
Re:Bad Logic (Score:3, Insightful)
The security world is like an arms race and, just like in the real world, its helpfull to buy better weapons from allies then to spend all your productivity just on weapons (please lets not digress into politics here).
Sysadmins have limited time and many problems to deal with. These tools allow them not only to address more problems but are also helpful in lobbying for management support ($) to fix problems. By being able to document and de
Re:Bad Logic (Score:2)
I don't think it was a poor analogy. I mean, the point you make is another good one, and I'm not interested in starting an argument.. I've agreed with a lot of your posts in the past, and have actually modded a few of them up.
I was trying to draw a bit of a metaphor with 'knowledge' as 'light'. On a
Re:Bad Logic (Score:2)
The problem I see with the darwinian approach to security (and I agree that it's heading that way) is that in biological survival of the fittest, the unfit eventually die out from various causes and don't affect the rest of the gene pool. In computer security, the unfit computers are hijacked and used to attack the rest of the gene pool. Plus, I'd rather not see a lot of people ruined via identity theft,
Re:Bad Logic (Score:2)
I'm a big genetics freak, so this parallel you draw my attention to is really interesting. I start
It would be around anyway (Score:3, Insightful)
I've seen this happen.. (Score:1, Interesting)
Re:I've seen this happen.. (Score:2, Offtopic)
Did it ever occur to you that maybe I had typed my comment at the same time or slightly before the other one appeared?
Duel Edge Sword (Score:3, Insightful)
Re:Duel Edge Sword (Score:1)
I'm the one you fear is going to use this program. (Score:5, Interesting)
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Re:I'm the one you fear is going to use this progr (Score:1)
Other Useful Utilities (Score:5, Informative)
SATAN [fish.com] the aformentioned Security Admin Tool for Analyzing Networks.
TripWire [tripwire.org] for checking when someone's trying to access your system, and stopping them.
Shorewall [sourceforge.net] a relatively easy to set up firewall-in-a-box for Linux.
Re:Other Useful Utilities (Score:2, Insightful)
Re:Other Useful Utilities (Score:2)
Don't forget Nessus [nessus.org], a vulnerability scanner similar to SATAN and SAINT.
Anyone remember "Satan Inside"? (Score:2, Informative)
That was a great uproar and a good package. Dan Farmer sure took some flak for that one. He lost a good security gig with SGI as I recall.
But one of the coolest parts of the kit was the postscript file that featured an Intel-like logo that read "Satan Inside".
I had great fun printing those on self-adhesive transparency material and widely distributing..
A quick search turned up one of many sources for the postscript:
Satan [catalog.com]
Personal Firewall (Score:1)
Blah (Score:5, Insightful)
This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
If you outlaw guns... (Score:5, Insightful)
Same with security tools. Restrict them because they're "More Harmful Than Helpful" and those who use them for harm will still have them, but those who use them for good won't be able to test their networks first.
I don't question for a second that they're widely abused. But banning them will only mean that network administrators can't check their own networks.
These tools just help hackers (Score:4, Funny)
We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
Spiderman rule (Score:2, Insightful)