When Open Source Security Turns on You

If you're not careful, open can be a four-letter word for your network security.

Exploits that rely on or are generated by open source security tools are on the rise, security experts say, as more and more of these tools become readily available. But this isn't a new phenomenon -- it all started a few years ago when the notorious SATAN tool brought out the dark side of open-source security technology. Open source security tools today are getting more powerful, so they're not only more helpful to enterprises but also to potential attackers.

"Open source security is a double-edged sword: It's great because you can change and modify it to meet your needs, but it could also be used by bad guys," says Tony Howlett, president of Network Security Services and author of the book "Open Source Security Tools."

There are plenty of open source security tools that hackers can deploy, but security experts say among the ones with the most potential for damage are the Metasploit Project, nmap, nessus, Cain & Abel, Ettercap, and niktu.

Jeff Ballard, Unix systems manager for the University of Wisconsin-Madison's Computer-Aided Engineering Center, says he's seen evidence in his logs of Metasploit-based attack attempts on his network. Metasploit comes in an open-source platform for developing, testing, and using exploit code (it also comes with ready-made exploits).

"Metasploit automates a myriad of attacks, and it's in a more easily digestible format," says Ballard, who notes it's tough to tell if this and other such projects are helping or hurting security. "Unfortunately, they are strong tools for bad guys. But they would also be helpful to the good guys if they would use them."

The trouble with Metasploit is you may not know you're being attacked with it. "If you're using an automated penetration tester, Metasploit is automating a manual exploit on a certain vulnerability you have. All you sense is you've been hacked, and you have no ability to track if [something was] done through Metasploit," says Sean Kelly, business technology consultant for Consilium1. "If you're running an IDS, you might be able to identify what hack tool is being used against it."

HD Moore, lead developer for The Metasploit Project, says Metasploit can definitely be abused, but that's the nature of open source code. "Your average intruder uses any exploit that works, regardless of quality or content," he says. And Metasploit levels the playing field between attackers and defenders by providing "clean exploits" and payloads that systems admins can test on their own systems before someone else hits them, he says.

Nmap (a port scanner) is, meanwhile, harmless on its own but is commonly used by attackers to efficiently gather lots of information on what you're running, Kelly says. "It shows what's out there and what they can go after." So it can scan for personal firewalls or vulnerabilities, he says.

The University of Wisconsin's Ballard says he regularly refers to nmap to see what's on his network and what's listening to it. "I use it as a starting point -- why we are running this service, why this port is open," he says. "You can use nmap and these other freely available tools to help proactively tighten up your network."

Other security experts agree that the only way to protect yourself against an open source security tool gone bad is to run it regularly yourself so you stay one step ahead of an attack. "The best defense is to use these tools," says Howlett. "Run these tools against your network so you can see what others [could] see."

Nessus is a Unix vulnerability scanner that looks for operating system holes, and Cain & Abel is a password cracker that was recently upgraded with a faster table lookup technology that uses less processing to crack passwords and simplifies the process, says Network Security Services' Howlett. And tools like Ettercap, a sniffer that traverses switched LANs, can be used against you, too.

But are open source security tools any more dangerous than commercial ones? That depends. Dave Marcus, security research and communications manager for McAfee's Avert Labs, says open source security tools are easier to exploit because they are openly available and you can reconfigure them. "Security tools are easily used against any organization anyway," Marcus says. "You can use closed source tools for the same reasons."

Metasploit's Moore says it's the nature of the beast. "Open source tools are abused more often due to their availability and cost, but this is the price we pay for having free access to them in the first place."

Joseph Foran, IT manager for FSW, which runs a mostly open source shop, including open source security tools, says he's not worried about the tools he runs being used against him. "We live on open security tools -- nmap, Ethereal, and Snort, for instance," he says. "And I worry about those tools as much as closed-source tools being pirated and misused."

And times have changed: In the good old days of Internet resource-sharing, researchers would develop their security tool and if they wanted to make some money, they would typically then commercialize it. Today, black hat types are typically lured away by criminals who need their technology to launch identity theft, a much more lucrative venture, says Howlett.

Howlett says the bad guys more and more will likely go underground. "The more serious attack tools will go underground for identity-theft groups."

— Kelly Jackson Higgins, Senior Editor, Dark Reading