“Chishiki” is Japanese for “knowledge.” e-chishiki.com aims to bring software developers, information security professionals, IT executives and other IT pros a rich body of knowledge in the form of articles, interviews, tutorials and technical discussions. Our contributors are among the biggest names in the Indian IT industry and include noted authors, educators and practitioners.
Weekly Column - Web Application Attacks
Should Tools Like Metasploit and ‘Cain and Abel’ Be Banned?
Vijay Mukhi
The free software and open source movement has brought about a new revolution on the Internet where users do not have to pay for software anymore. Products like the Firefox browser, the Apache Web Server, and StarOffice can be easily downloaded free of cost off the net. The Netcraft Web Server Survey for January 2008 shows Apache ranking topmost on the web server list with more than 50% market share. Similarly, users prefer using the plain and simple Firefox browser over the highly complicated Internet Explorer. The Internet has no doubt given birth to large-scale development of software tools that perform various tasks, and the open source movement has made sure that the source code is available in the public domain.
Similar to the above, there is a password recovery tool called Cain and Abel, which is freely available for the Windows operating system. Though there are a zillion open source tools for password recovery, this tool is a masterpiece. The latest version at the time of writing this column is v4.9.10, and it has many more features than simply cracking passwords. All that is required is a download and an easy installation. A tool like Cain and Abel can display all passwords and user credentials in plain text regardless of any encryption employed. It has proved to be a very useful tool for any system administrator.
As every coin has two sides to it, the use of this tool has been counterproductive. Hackers use it to steal passwords and gain entry into our secured zone. However, what is more astonishing is that Microsoft has made no great attempts to ban such tools. That’s because, if Microsoft tries to harden its operating system against such tools, most of its own programs will stop working. Hackers steal a large number of passwords today because of the easy availability of programs like this.
So, is it wise to ban such tools?
Another family of tools is exemplified by the open source project known as “The Metasploit Framework”, which is in its second avatar today. The first one was written in Perl, and the second avatar is in Ruby, which is far more customizable. The official definition describes it as a development platform for writing security tools and security attacks. However, it is largely used for conducting a series of attacks on the net. What’s more, the framework comes with a GUI and a web interface for running the exploits that are bundled with it. The framework loyalists have created a new industry that does nothing more than create more and more exploits to attack websites. If that’s not enough, they provide you with the source code of the exploits so that it can be easily customized.
Though many may want to ban such projects, there is a positive side to them as well. System administrators have outnumbered hackers in the use of this framework, as it helps them detect the vulnerabilities in their networks. Accordingly, attacks carried out by the framework can be avoided by fixing security loopholes and vulnerabilities in a timely manner. Also, a system administrator can build customizable tools with which he can stress test his network. The only way to test a network is to use the same tools the attackers use. So, if Metasploit can break into one’s network, rest assured that someone else will break in some day.
Then there are tools that monitor and log all computer and network activity, for example, keystroke loggers. Companies insist on installing these tools to monitor all activity for legal purposes, whereas hackers install them on computers to compromise user credentials.
Let’s draw some conclusions. Nothing can be banned on the Internet. What is banned and illegal in one country is admissible in another country. With servers spread over all geographic locations, a ban on any tool or any server will fail completely.
Therefore, what is required is a global mechanism to come down on cyber crime. Today there is very little deterrent, and hence people make breaking into computers a sport. A technically illiterate person calls himself a hacker by using the hacking tools on the net. These naïve hackers, called “script kiddies”, like to break into computers for fun. With the availability of these tools freely on the net, we are empowering an entire generation of people to break into computers. It will not be long before a situation arises similar to that of the automatic virus-generating programs that wrote viruses with different signatures and infected computers.
However, if there were a worldwide judgment which called for 10 years in jail for breaking into a computer, these pranks would largely stop. Furthermore, credit card theft and phishing should be considered major crimes globally, and there must be severe punishment for them. There is no way one can prevent programmers from writing these tools due to their legitimate uses; what we can stop is the criminal misuse of them.
The last and the most important task is to write software that cannot be broken into. Unfortunately, it is extremely difficult to get programmers to write software that can defend itself and laugh these tools off.



