Security tool more harmful than helpful?
By Robert Lemos, CNET News.com, April 8, 2004
The common wisdom in the security world is that
easy-to-use scripts to circumvent security--called
"exploits"--are a threat to the Internet. The Metasploit
Project and its founder, HD Moore, hope to change that perception.
On Wednesday, the project released an updated design framework
to the Metasploit tool, which allows security experts to check
computers on their networks and identify those vulnerable to newly
released flaws. The updated framework, known as Metasploit
Framework 2.0, enables people to create standardized plug-ins for
the tool so that they can legally hack into computers by
manipulating the latest security holes. The tool already has 18
exploits and 27 different possible payloads. Overall, the tool
could help administrators find and patch systems vulnerable to a
new flaw, thereby blocking a would-be intruder from breaching a
company's network security, according to Moore.

"This is a good research tool," Moore said, noting that some 30
percent of Metasploit beta testers are security consultants who
seek to plug holes in their clients' networks. Other companies are
using the tool proactively to detect flaws in their applications.
"There is a large software company that has...rolled the
Metasploit stuff into their (quality assurance) testing," he said.

Such a tool, however, could also become an online attacker's
friend, automating the detection of vulnerable servers so that
even a person with little technical knowledge could break into a
computer, security researchers maintain. A recent report by market
research firm Forrester into software security threats found that
attacks "explode after unscrupulous hackers build scripted
versions."

Many critics agree, saying such exploit-testing scripts--which
turn a highly technical vulnerability into code that can be run
with a few commands--allow far too many people to become online
attackers. "There will be about 10 academics and serious
researchers who may find this interesting and about 10,000 kiddies
who will blow each other's virtual brains out, with enterprise
security folks caught in the middle," said Peter Lindstrom, the
director of research for security consultancy Spire Security.

However, Metasploit does allow savvy network administrators to
play on the same level as malevolent hackers, said Stephen
Northcutt, director of training and certification for The SANS
Institute, which teaches security and network administration. In
particular, the tool saves them from having to spend a lot of time
on coding. "There is a natural concern that the tool will be used
for malevolent purposes. But attackers are already developing
exploits by hand, so this doesn't actually change anything,"
Northcutt said. "It is an iterative step in the development of
shell code exploits, just as virus factory software was a step in
the development of that flavor of malware."

Even Moore agrees that the project's wares will make exploiting
vulnerabilities easier. However, he also maintains that the tool
will be invaluable to system administrators to demonstrate that
their networks are vulnerable and so gain the corporate resources
necessary to patch their systems. "The problem today is that many
organizations do not patch systems until a working exploit is
released," Moore said. "The bottom line is that exploits are not
only useful but are (also) required for many types of legitimate
work."

In fact, companies have created similar tools--and programs that
use similar technologies--to do just that. Two security companies,
Immunity and Core Security Technologies, have created their own
network attack program to aid consultants who find vulnerable
systems for a living. And in February, Hewlett-Packard announced
that it had developed an automated attack tool that would create
benign exploits to test a network's digital immune system.

To help defend against malicious use, Metasploit is putting
signatures into its software to help the makers of defensive
security products detect attacks generated via the tool. Moore
also points out that anyone can already buy such a product from a
handful of security companies.

However, he acknowledges that the widespread use of such software
may make some network administrators' jobs harder. "If (you are) a
system admin that only patches boxes, of course you aren't going
to want to see any new exploit code," Moore said. But that doesn't
mean the problem is going away, he added. "We can do anything we
want to curb exploit releases--make it illegal in America--but
they will still get released," he said.
Security Products

HIPAA Step by Step Training
April 20th and 22nd classes are closed out. Additional class May 20th.

PestPatrol is a powerful security and personal privacy tool that
detects and eliminates destructive pests like trojans, spyware,
adware and hacker tools. It complements your anti-virus and
firewall software, extending your protection against non-viral
malicious software that can evade your existing security and
invade your personal privacy. These pests often lurk silently on
your computer until something – or someone – sets them off. When
that happens, you could lose passwords, personal data, credit card
numbers, and – if you telecommute and connect to your office via
a VPN – open up a back door for the hacker into your entire
company network.
Intrusion Detection Systems
Vulnerability Scanners
Firewalls: Netscreen, Checkpoint
Management
Virus Control: Mail Marshall
Services: Security audit, Perimeter Vulnerability Scan,
Router/switch optimization for security, Firewall checking and
configuration, VPN Design and Implementation, Network design,
Network based application analysis, Network Baselining, Security
baselining
This mailing has been performed by Aavex Technology Corporation,
42w588 Still Meadows Lane, Elburn IL 60119 USA, 630-365-0025, in
compliance with the "CAN-SPAM Act of 2003", approved and signed by
the president of The United States of America on Dec. 16, 2003.
For this reason, this email cannot be considered SPAM. This
newsletter contains commercial advertisement.