Better Hacking tools = Good or Bad?

    • #3427
      timmedin
      Participant

      I saw this on the Metasploit blog and I wanted to get your view on the subject. I understand the counter argument, but I think having this available for the average admin to use is a good thing. Too bad people don’t use it more.

      da said…
      I’m sure you don’t need any more pats on the back. *pat*. Phenomenal work.

      I probably had a conversation with you regarding this already, but I’m still interested in your thoughts on the subject…

      How concerned are you about ‘lowering the bar’ required to successfully hack? The better/more well armed script kiddie is the obvious concern, but I envision a new army of ‘security consultants’ armed with a new tool to make them appear competent.

      I don’t have a firm opinion regarding this, but it’s a subject I’ve been pondering. Obviously you are comfortable with releasing the tool (and the many thanks for doing so), but do you have concern regarding the moderately gifted fifth grader that doesn’t have a sense of proportion or consequences using such tools?

      On a side note, I daydreamed a bit today of new movie hacking sequences, spiffy 3d interfaces, of servers moving from a fuzzed appearance to one visually indicating their vulnerabilities, etc…

      Perhaps the upside can (and should?) be that your ‘average IT person’ may be expected to use such tools to mitigate obvious risk, leaving actual security professionals to do more difficult risk assessments and work that requires analysis.

      /ramble

      d a

      5:39:00 PM 
      hdm said…
      Once network administrators are comfortable with “hacking” their own servers using exploit tools (Metasploit, Impact, Canvas), the security consultants will have to try a little bit harder to justify their rates. My view is that by making exploit technology easy to use and understand, we create a legitimate need for tools that would otherwise be considered harmful. The last thing we need is a law banning exploit development.

    • #22483
      KrisTeason
      Participant

      I agree with HD Moore on the subject hands down. By releasing tools like Metasploit which the majority can use it definitely lets network administrators use it to attempt to penetrate their own network and defend from these threats. As far as the typical script kiddie being able to use this tool, it’s a pretty straightforward tool, especially the GUI. The tool is powerful but has some outdated exploits, then again they update it pretty often and it’s easy to import them over into the framework. Though this exploit framework does open the eyes of network administrators I can’t say that it opens the eyes to the extent of Core Impact being freely and readily available for download to anyone (Wouldn’t we get owned?). This guy should definitely ease up off his back ’cause I think it’s guys like The Metasploit Team that make these tools available and simple to use that opens the eyes to businesses, makes them see, “This framework’s out holding these exploits, let’s run it against our network see if we could break in”. I’m just glad to see the tools useful and free. I also agree with him 100% on the last thing we need to do is ban exploit development ’cause without proof-of-concept code being available on sites like Milw0rm how are companies going to learn to fix their vulnerabilities? Sure you could say rely on better practice and a better approach to secure programming when writing software but seriously, exploits are developed daily. Of course sites like Milw0rm & Metasploit attract script kiddies but it’s that very reason that companies need to broaden their security. No large business/company wants to get owned by some 12-year-old on his parents’ laptop using a live CD. I think the framework is powerful in a sense depending on how you use it with various tools (such as how we saw Ryan Linn use the import db option in msfconsole to import the information from the Nessus Scan he ran in http://www.ethicalhacker.net/content/view/227/24/).
      Sure a user could download the Metasploit Framework, but how far could you actually get with it from the outside? Good topic timmedin.

    • #22484
      unsupported
      Participant

      Let me paraphrase Michael Gregg from the Exam Prep CEH.  Script kiddies are like a series of furious shotgun blasts and true hackers are like a well placed shot in the night.  Basically, give a script kiddie a tool and they will make a lot of detectable noise while using it.  Letting these automated tools get in the hands of unskilled script kiddies should not be of much concern because, as security professionals, we should have protected ourselves and our companies from the herd of elephants.

      In response to giving the tools to Admins, nothing will replace the skills of a security expert.  Admins may be able to use the tools to spot check their systems, but in order to properly plan and protect they still need us.

      Just my quick two cents.

    • #22485
      timmedin
      Participant

      Your opinions reflect my thoughts exactly.

      When it comes to exploit development I can’t even comprehend that one being illegal. That just blows my mind (silly Germany).

    • #22486
      unsupported
      Participant

      @timmedin wrote:

      Your opinions reflect my thoughts exactly.

      When it comes to exploit development I can’t even comprehend that one being illegal. That just blows my mind (silly Germany).

      From what I read those whacky Germans took a broad brush stroke to paint the laws.  It’s like trying to end war by outlawing anger.

    • #22487
      NickFnord
      Participant

      Chris Gates had a blog post about this last year in October:

      http://carnal0wnage.blogspot.com/2008/10/thoughts-on-why-we-need-exploit-code.html

      I responded there.  He raises an interesting point about proving to management or non-techies that a certain thing is vulnerable – it’s ok for someone to say “I think we have a security issue we need to spend x to fix it” but it’s much more effective to say “we have a security problem – here, let me demonstrate how I can break into the network and compromise your computers.”

      Here’s my response:

      NickFnord wrote:
      Unfortunately this is a human problem. Comparing it to physical security; if I buy a very expensive lock for my house I’ll believe it is secure and would probably have been told as much by the locksmith I bought it from. If someone then tells me that it can be easily bypassed or opened, I will require proof of the fact before I believe it. I’ll require it even more because someone I respect has already told me it is secure.

      An object lesson is hard to beat, and a demonstration of slipping the lock or using a bump key on it will provide the proof required as plain as day. In a way, we can compare intrusion tools and exploits to lock picks and lock bypass equipment. Do we make them illegal? No, even if there were laws restricting these tools to licensed owners (locksmiths/security professionals) it is trivial for anyone to build their own. It is infinitely more important to secure things more efficiently than it is to restrict the use of the tools to defeat the security.

      Having said that however, security (whether physical or electronic) is almost always going to be a compromise between cost and probability of intrusion. Do I buy that very expensive lock for my house and accept the fact that the intruder can just break a window? Do I put bars on my windows and accept the fact that the door can effectively be kicked in? Do I revamp the door with a metal frame, only to find that the lock can be bypassed in some obscure manner anyway? … do I hire that professional pen-tester to secure our network as best he can or do I trust our sysadmin to do his best? Do I secure my house like I do a bank vault? Do I secure my computer network like a government facility? In any case, how do I protect against an ignorant employee clicking on a flashy popup from his work computer?

      Sure, not providing ready-made tools and exploits may make it more difficult for the mal-intentioned to break into things, but only in a fictional utopian society would “difficult” mean the same thing as “secure”.

    • #22488
      RoleReversal
      Participant

      I’ll agree with the general consensus, but I think the debate goes way beyond just Metasploit. The day we stop providing well written, effective tools to everyone is the day the bad guys™ win.

      Once you outlaw something, only the outlaws will have it

    • #22489
      Ne0
      Participant

      Timm

      It all depends how users use the tools.
      Hackers and crackers are often referred to across the world as THE big menace for e-business and the e-society. They are often painted with the same broad brush as several other groups, like virus writers, as waging a cyber war on the internet. Is this threat real or do we need more differentiation when talking about hacking or its tools?

      From our point of view hackers are the people who break into computer systems and crackers are something that you eat! In the good old days a cracker was someone who broke software copy protection code, and a hacker was someone who found holes in systems that would allow him/her to explore other people’s systems. Since then things have changed as the use of computer systems has grown and the material kept on machines has become more valuable. The people attacking the systems have also changed.

      It is for this reason that we break down the types of ‘hackers’ into the following categories:

      The Good
      Individuals and organisations that conduct security audits and research and publish their findings for the common good of the security industry. The people who find vulnerabilities and help fix them, and the people who develop security tools and techniques to counteract such acts in the future.

      Companies such as ourselves who test security implementations to make sure that they are true and complete and as secure as can be at any given time. This is done by examining the systems and examining software that is known to have security weaknesses, then informing the customer so that they can close the hole. Advising on new solutions and techniques that can minimize the work and effort of a hacker in the future.

      The Bad
      People who break into computer systems for criminal financial gain, espionage or politically motivated reasons. Despite what people think this does exist, and there are examples that can be found such as the famous City bank hack and the UK cash-point hack that was successfully nipped in the bud before any substantial harm was caused.

      The Ugly (the script kiddies)
      Misguided individuals, kids who have nothing better to do with their time than to take advantage of security weaknesses in order to boost their reputation. This is usually done using tools that are available on the internet. A good example of these types of people are website defacers.

      Once they have compromised the security of a site they work like graffiti artists, painting the website with their logo and publishing their achievements on websites like http://www.attrition.org. Alternatively the simple redirecting of the website to that of their competitors has the same effect.

      The Council of Europe has drafted the first international convention against cyber crime. One of the goals is to make hacking a crime and to allow the use of ‘hacker tools’ only for legitimate purposes. Will this provision foster security on the Internet?

      The simple answer is ‘No’.

      Guns don’t kill people, people kill people. The internet is out of control and people who want to hack into a system will always find a way. Currently, the most up-to-date mailing list for security problems is ‘Bugtraq’ which is mailed freely to subscribers on a daily basis (usually over 200 mails a day).

      If the type of legislation proposed by the Council of Europe were to be passed then it would make services like ‘Bugtraq’ illegal; this in turn would spell disaster for the whole security industry. This type of legislation is what is required in the Middle East region where most countries do not have appropriate laws in place to address cyber crime and fall back on laws such as the stealing or misuse of information which simply is not enough to prevent hackers from ‘having a little fun’ at all our expenses.

      Outlawing hacking tools will make it difficult for IT professionals to secure their systems. If you cannot try out the hack you cannot know if you are protected from it. It will also make education in security nearly impossible.
      Using hacking tools or anything at all to break into other people’s computers is already illegal. Making the tools themselves illegal will actually prevent people from using them legitimately.
