[ISN] Security tool more harmful than helpful?

From: InfoSec News (isn@private)
Date: Fri Apr 09 2004 - 01:07:26 PDT

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-15"

    http://news.com.com/2100-7349_3-5187776.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    April 8, 2004
    
    The common wisdom in the security world is that easy-to-use scripts to
    circumvent security--called "exploits"--are a threat to the Internet.
    
    The Metasploit Project and its founder, HD Moore, hope to change that
    perception.
    
    On Wednesday, the project released an updated design framework to the
    Metasploit tool, which allows security experts to check computers on
    their networks and identify those vulnerable to newly released flaws.  
    The updated framework, known as Metasploit Framework 2.0, enables
    people to create standardized plug-ins for the tool so that they can
    legally hack into computers by manipulating the latest security holes.  
    The tool already has 18 exploits and 27 different possible payloads.
    
    Overall, the tool could help administrators find and patch systems
    vulnerable to a new flaw, thereby blocking a would-be intruder from
    breaching a company's network security, according to Moore.
    
    "This is a good research tool," Moore said, noting that some 30
    percent of Metasploit beta testers are security consultants who seek
    to plug holes in their clients' networks. Other companies are using
    the tool proactively to detect flaws in their applications. "There is
    a large software company that has...rolled the Metasploit stuff into
    their (quality assurance) testing," he said.
    
    Such a tool, however, could also become an online attacker's friend,
    automating the detection of vulnerable servers so that even a person
    with little technical knowledge could break into a computer, security
    researchers maintain.
    
    A recent report by market research firm Forrester into software
    security threats found that attacks "explode after unscrupulous
    hackers build scripted versions." Many critics agree, saying such
    exploit-testing scripts--which turn a highly technical vulnerability
    into code that can be run with a few commands--allow far too many
    people to become online attackers.
    
    "There will be about 10 academics and serious researchers who may find
    this interesting and about 10,000 kiddies who will blow each other's
    virtual brains out, with enterprise security folks caught in the
    middle," said Peter Lindstrom, the director of research for security
    consultancy Spire Security.
    
    However, Metasploit does allow savvy network administrators to play on
    the same level as malevolent hackers, said Stephen Northcutt, director
    of training and certification for The SANS Institute, which teaches
    security and network administration. In particular, the tool saves
    them from having to spend a lot of time on coding.
    
    "There is a natural concern that the tool will be used for malevolent
    purposes. But attackers are already developing exploits by hand, so
    this doesn't actually change anything," Northcutt said. "It is an
    iterative step in the development of shell code exploits, just as
    virus factory software was a step in the development of that flavor of
    malware."
    
    Even Moore agrees that the project's wares will make exploiting
    vulnerabilities easier. However, he also maintains that the tool will
    be invaluable to system administrators to demonstrate that their
    networks are vulnerable and so gain the corporate resources necessary
    to patch their systems.
    
    "The problem today is that many organizations do not patch systems
    until a working exploit is released," Moore said. "The bottom line is
    that exploits are not only useful but are (also) required for many
    types of legitimate work."
    
    In fact, companies have created similar tools--and programs that use
    similar technologies--to do just that. Two security companies,
    Immunity and Core Security Technologies, have created their own
    network attack program to aid consultants who find vulnerable systems
    for a living. And in February, Hewlett-Packard announced that it had
    developed an automated attack tool that would create benign exploits
    to test a network's digital immune system.
    
    To help defend against malicious use, Metasploit is putting signatures
    into its software to help the makers of defensive security products
    detect attacks generated via the tool.
    
    Moore also points out that anyone can already buy such a product from
    a handful of security companies. However, he acknowledges that the
    widespread use of such software may make some network administrators'
    jobs harder.
    
    "If (you are) a system admin that only patches boxes, of course you
    aren't going to want to see any new exploit code," Moore said. But
    that doesn't mean the problem is going away, he added. "We can do
    anything we want to curb exploit releases--make it illegal in
    America--but they will still get released," he said.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Fri Apr 09 2004 - 02:22:05 PDT