[ISN] Security tool more harmful than helpful?

[InfoSec News]

http://news.com.com/2100-7349_3-5187776.html

By Robert Lemos 
Staff Writer, CNET News.com
April 8, 2004

The common wisdom in the security world is that easy-to-use scripts to
circumvent security--called "exploits"--are a threat to the Internet.

The Metasploit Project and its founder, HD Moore, hope to change that
perception.

On Wednesday, the project released an updated design framework to the
Metasploit tool, which allows security experts to check computers on
their networks and identify those vulnerable to newly released flaws.  
The updated framework, known as Metasploit Framework 2.0, enables
people to create standardized plug-ins for the tool so that they can
legally hack into computers by manipulating the latest security holes.  
The tool already has 18 exploits and 27 different possible payloads.

Overall, the tool could help administrators find and patch systems
vulnerable to a new flaw, thereby blocking a would-be intruder from
breaching a company's network security, according to Moore.

"This is a good research tool," Moore said, noting that some 30
percent of Metasploit beta testers are security consultants who seek
to plug holes in their clients' networks. Other companies are using
the tool proactively to detect flaws in their applications. "There is
a large software company that has...rolled the Metasploit stuff into
their (quality assurance) testing," he said.

Such a tool, however, could also become an online attacker's friend,
automating the detection of vulnerable servers so that even a person
with little technical knowledge could break into a computer, security
researchers maintain.

A recent report by market research firm Forrester into software
security threats found that attacks "explode after unscrupulous
hackers build scripted versions." Many critics agree, saying such
exploit-testing scripts--which turn a highly technical vulnerability
into code that can be run with a few commands--allow far too many
people to become online attackers.

"There will be about 10 academics and serious researchers who may find
this interesting and about 10,000 kiddies who will blow each other's
virtual brains out, with enterprise security folks caught in the
middle," said Peter Lindstrom, the director of research for security
consultancy Spire Security.

However, Metasploit does allow savvy network administrators to play on
the same level as malevolent hackers, said Stephen Northcutt, director
of training and certification for The SANS Institute, which teaches
security and network administration. In particular, the tool saves
them from having to spend a lot of time on coding.

"There is a natural concern that the tool will be used for malevolent
purposes. But attackers are already developing exploits by hand, so
this doesn't actually change anything," Northcutt said. "It is an
iterative step in the development of shell code exploits, just as
virus factory software was a step in the development of that flavor of
malware."

Even Moore agrees that the project's wares will make exploiting
vulnerabilities easier. However, he also maintains that the tool will
be invaluable to system administrators to demonstrate that their
networks are vulnerable and so gain the corporate resources necessary
to patch their systems.

"The problem today is that many organizations do not patch systems
until a working exploit is released," Moore said. "The bottom line is
that exploits are not only useful but are (also) required for many
types of legitimate work."

In fact, companies have created similar tools--and programs that use
similar technologies--to do just that. Two security companies,
Immunity and Core Security Technologies, have created their own
network attack program to aid consultants who find vulnerable systems
for a living. And in February, Hewlett-Packard announced that it had
developed an automated attack tool that would create benign exploits
to test a network's digital immune system.

To help defend against malicious use, Metasploit is putting signatures
into its software to help the makers of defensive security products
detect attacks generated via the tool.

Moore also points out that anyone can already buy such a product from
a handful of security companies. However, he acknowledges that the
widespread use of such software may make some network administrators'
jobs harder.

"If (you are) a system admin that only patches boxes, of course you
aren't going to want to see any new exploit code," Moore said. But
that doesn't mean the problem is going away, he added. "We can do
anything we want to curb exploit releases--make it illegal in
America--but they will still get released," he said.