-
April 9th, 2004, 05:48 PM
#1
Security tool more harmful than helpful?
The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet.
The Metasploit Project and its founder, HD Moore, hope to change that perception.
On Wednesday, the project released an updated design framework to the Metasploit tool, which allows security experts to check computers on their networks and identify those vulnerable to newly released flaws. The updated framework, known as Metasploit Framework 2.0, enables people to create standardized plug-ins for the tool so that they can legally hack into computers by manipulating the latest security holes. The tool already has 18 exploits and 27 different possible payloads.
Overall, the tool could help administrators find and patch systems vulnerable to a new flaw, thereby blocking a would-be intruder from breaching a company's network security, according to Moore.
"This is a good research tool," Moore said, noting that some 30 percent of Metasploit beta testers are security consultants who seek to plug holes in their clients' networks. Other companies are using the tool proactively to detect flaws in their applications. "There is a large software company that has...rolled the Metasploit stuff into their (quality assurance) testing," he said.
Such a tool, however, could also become an online attacker's friend, automating the detection of vulnerable servers so that even a person with little technical knowledge could break into a computer, security researchers maintain.
A recent report by market research firm Forrester into software security threats found that attacks "explode after unscrupulous hackers build scripted versions." Many critics agree, saying such exploit-testing scripts--which turn a highly technical vulnerability into code that can be run with a few commands--allow far too many people to become online attackers.
"There will be about 10 academics and serious researchers who may find this interesting and about 10,000 kiddies who will blow each other's virtual brains out, with enterprise security folks caught in the middle," said Peter Lindstrom, the director of research for security consultancy Spire Security.
However, Metasploit does allow savvy network administrators to play on the same level as malevolent hackers, said Stephen Northcutt, director of training and certification for The SANS Institute, which teaches security and network administration. In particular, the tool saves them from having to spend a lot of time on coding.
"There is a natural concern that the tool will be used for malevolent purposes. But attackers are already developing exploits by hand, so this doesn't actually change anything," Northcutt said. "It is an iterative step in the development of shell code exploits, just as virus factory software was a step in the development of that flavor of malware."
Even Moore agrees that the project's wares will make exploiting vulnerabilities easier. However, he also maintains that the tool will be invaluable to system administrators to demonstrate that their networks are vulnerable and so gain the corporate resources necessary to patch their systems.
"The problem today is that many organizations do not patch systems until a working exploit is released," Moore said. "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work."
In fact, companies have created similar tools--and programs that use similar technologies--to do just that. Two security companies, Immunity and Core Security Technologies, have created their own network attack program to aid consultants who find vulnerable systems for a living. And in February, Hewlett-Packard announced that it had developed an automated attack tool that would create benign exploits to test a network's digital immune system.
To help defend against malicious use, Metasploit is putting signatures into its software to help the makers of defensive security products detect attacks generated via the tool.
Moore also points out that anyone can already buy such a product from a handful of security companies. However, he acknowledges that the widespread use of such software may make some network administrators' jobs harder.
"If (you are) a system admin that only patches boxes, of course you aren't going to want to see any new exploit code," Moore said. But that doesn't mean the problem is going away, he added. "We can do anything we want to curb exploit releases--make it illegal in America--but they will still get released," he said.
Source : http://zdnet.com.com/2100-1105_2-5187776.html
The Metasploit Project Website : http://www.metasploit.com/index.html
-
April 9th, 2004, 06:14 PM
#2
Well, that's an aging debate... ancient may be more like it. Same with guns and such, make 'em illegal... what will that do? leave innocent people vulnerable, nothing else really.
The thing is this who cares? this tool is just like the others. It's just a collection of vulnerabilities, put in by people, as soon as they can get their hands on them. So is core impact, and nessus (though maybe in a different genre slightly). There's nothing really new here. It doesn't find the vuln's and make the sploits' itself. It's just another vulnerability scanner, and from here it looks like someone's just trying to hype it.
Any objections?
Oh, thanks for the post SDK.
- Jon.
-
April 10th, 2004, 05:26 AM
#3
Junior Member
Anyone care to place a wager on how long it will take Core Security to get a law suit together?
I'm guessing that the project will have to pick up a little bit more steam before Core really gets concerned about the validity of their business model. They'll spend a few more weeks working up some crap load scheme about the project infringing on their copyright (coffee anyone or maybe a SCOne?) and then we'll find out just how committed the project's curators are.
On a side note, I don't think the project is all that dangerous. As previously mentioned, there are already a couple of products out there that accomplish similar goals. The only difference is the robust price tag. In other words - only funded crackers and cyber criminals have access to the others. Now the playing field will be leveled a bit. If they really wanted to stir up some controversy, they could have made it a web based utility.
_TOMDAQ
-
April 10th, 2004, 05:45 AM
#4
Hrm. France made it illegal. But since we don't like France hopefully the US won't do make it illegal, even if it's out of spite.
-Cheers-
-
April 11th, 2004, 10:03 AM
#5
Originally posted here by PM8228
Hrm. France made it illegal. But since we don't like France hopefully the US won't do make it illegal, even if it's out of spite.
-Cheers-
Who exactly is "WE"?
http://www.heise.de/ix/raven/Literat.../TheRaven.html
I don't see any part of this that says we all hate france.
SDK, it may be an aging debate as mentioned, but remember a debate gains age only by being relevant, I enjoyed the read.
Get some good religion from Bad Religion.
-
April 11th, 2004, 03:00 PM
#6
With the title of this thread being
Security tool more harmful than helpful?
I happen to found this site Netcrafts that allows you to find out what webserver software a site uses. check it out at http://uptime.netcraft.com/up/graph I posted this on EH aswell. Nice site I just wouldnt want my information published like that.
-
April 11th, 2004, 03:43 PM
#7
Originally posted here by UpperCell
Same with guns and such, make 'em illegal... what will that do? leave innocent people vulnerable, nothing else really.
I notice that you live in the United States, and I assume that you have your entire life. Because of this, I also assume that you've never lived in a society where guns are completely and universally illegal *cough*UK*cough*
The problem is not that of whether or not it is illegal and that people will still get it. It is one of the APPEARANCE of legality. As long as there is a possible legal reason for me to sell guns, there is no point in investigating me. To do so for everyone who owns/buys/sells guns would be impossible, time consuming, and ultimately wasteful. However, if you do it so that it is illegal no matter what, there is no investigating involved. He has them, arrest him. Yes, that system is not perfect, but its a bit better than your description would indicate.
Also, your analogy is not entirely accurate. Letting people use those things as a tool of self-defense is ultimately self-defeating. Shoot me, I shoot you back? That's the cold war stand-off mentality, and we're just now getting over that. Offense is NOT a type of defense. Its just a type of offense. Use firewalls and bullet-proof vests if you want defense. As long as the "eye for an eye," "shoot-back-defense" mentality exists, the only thing that will change is that people will stop attacking in plain sight, and adopt the use of snipers. (Many of us in the US still remember this.) It becomes a game of secrets, who strike from the farthest away, and get away with it? Defense and offense are two competley different things, and anyone that gets them mixed up will probably pay for it later.
And yes, this problem will continue to go on forever. People don't like having to use scripts for every single new exploit, having to do it all by hand on a hundred+ machines, servers, workstations, tablets, PAs, PDAs, routers, and firmware in general. Just typing a few of the examples was more work than I wanted to do.
People will continue to automate these things so that it will be easier for them to test and use these things. As long as this is done, it will be made available to other people who's uses are not so enlightened. There will always be someone of middle skill who can take the existing product, modify it, make it free or available to anyone else, and has thus opened the flood-gates to hell. It has always been this way, and will always be this way.
Before this can change, there needs to be a major change in the way we think about security, protection, and computing. Until then, this scenario will continue to exist. The prospect of the DIDs (Digital Identification) is one solution to this, and this is actually what DIDs were first invented for. Though I'm against the idea for some reasons, personally, that is, itself, a completely different issue.
-
April 11th, 2004, 07:43 PM
#8
Tools are kind of superfluous to admins, because really, they should be keeping up to date with the patches that are out ANYWAY, regardless of whether they feel they need to test for vulnerabilities.
Originally posted here by Computernerd22 I happen to found this site Netcrafts that allows you to find out what webserver software a site uses. check it out at http://uptime.netcraft.com/up/graph I posted this on EH aswell. Nice site I just wouldnt want my information published like that.
Umm, it's not being mined and published. Netcraft is a QoS info provider, they aren't doing anything illegal. You'd be surprised what you can get from a webserver with telnet or netcat:
$ echo -e "HEAD / HTTP/1.0\n\n" | nc www.kernel.org 80
HTTP/1.1 200 OK
Date: Sun, 11 Apr 2004 18:47:36 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Note this information is provided by the server, and it can be taken out if necessary.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 11th, 2004, 09:48 PM
#9
Another good discussion about full or partial disclosure.
http://www.antionline.com/showthread...hreadid=256592
-
April 12th, 2004, 03:03 PM
#10
[rant on]
Didn't we go through all this with SATAN and nmap when they were released? Why would we be so shocked that people who have very little understanding would think a tool could be used by both sides? Why don't they think that Windows XP or Slackware are tools of "attackers"? (they are). Then again so is computer education, mathematics, history, logic, programming, etc.. Oh.. and don't forget curiosity. Can't allow our kids to get curious about anything.
With every good thing, (e.g., e = mc(2); discovery of electricity) there can be a bad use for it (e.g., nuclear bombs, electric chair). We must swallow some of the bad if we are to get anywhere beyond rubbing two sticks together (heck, someone probably thinks those bad "attackers" will use rubbing sticks together to cause massive forest fires!)
[rant off]
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|