Endpoint
7/6/2009 04:52 PM

New Tool And Managed Service 'Penetration-Test' End Users

New User Attack Framework (UAF) could eventually work with Metasploit's hacking tool, researchers say



A security researcher next month plans to release a Metasploit-style hacking tool and a managed service that lets organizations wage realistic and complex email-borne phishing attacks on their end users to gauge their risk of multilayered client attacks.

The User Attack Framework (UAF) includes metrics that track what a victim does after taking the phishing bait, and it can exploit the victim's browser, harvest the victim's credentials, and even attack the victim's operating system.

"There has been pen-testing of networks and applications. This is pen-testing users," says Joshua Perrymon, CEO of PacketFocus and author of the tool behind UAF. UAF, which is written in Ruby, is based on a tool Perrymon initially built for phishing users called Lunker.

Perrymon had planned to release Lunker as an open-source tool in September at the Open Web Application Security Project (OWASP) conference in New York, but held back at the last minute after seeing how easily it duped users in beta tests with several banks and government agencies: he worried that the tool in its raw form could be abused by attackers. Around 80 percent of users in the beta tests visited the phishing Websites after receiving the malicious URLs via email, and 60 percent of those were then duped into giving up their credentials, he says.

So Perrymon decided not to release Lunker itself and instead expanded it into a broader end-user attack framework: a commercial tool and a managed-service option, plus a bare-bones open-source version that is not as dangerous in the wrong hands, he says. "I didn't feel comfortable releasing Lunker publicly because of how powerful it was. I didn't want to release it...in turnkey form with the 80 to 90 percent success rate it had," he says. "I decided to release a tool that was a commercial version and not let the tool run wild."

UAF isn't the first such service -- Intrepidus Group offers PhishMe, a Web-based service for helping companies find the weakest links in their targeted phishing defense. The service, which was announced a year ago, lets companies spear-phish their employees both for risk assessment purposes and also to educate users. The "victimized" users get instant feedback: They are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information.

Perrymon says UAF differs in that it is a managed security service in which security experts run the mock phishing attacks, and it provides metrics and reporting. "This is a user attack framework instead of a phishing attack framework," which is what Lunker was, he says. "And even though it uses email as the attack vector, there are a lot of different ways it can attack the user."

UAF could be integrated with Metasploit at some point, says HD Moore, creator of Metasploit. "A few people have been working on similar projects over the years, and I'm excited that someone is going to finally release one," Moore says. "There's a good chance we can share code and do integration on the Metasploit side as well."

UAF tracks specific details of a multilayer phishing attack, such as when a phishing email was sent; if the user clicked on it and, if so, at what time; whether the user provided his credentials; and a count of how many payloads were successful. "We don't want to make this a canned Outlook attack," he says.

The metrics data can help an organization determine how effective it was at stopping an attack, for instance, or which tricks users fell for, Perrymon says. "This is not a tool where we spoof and see if someone gives information. We want to track the whole process to help an organization apply security awareness to the problem," he says. "At the end of the day, that's what's going to protect them against these [user] attacks. Technology can't."
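An added illustration, not code from UAF or PacketFocus: the kind of per-recipient tracking and metrics described above, sketched in Ruby, the language UAF is written in. Every recipient gets an unguessable token in the lure URL, each sent, click, credential and payload event is logged against that token with a timestamp, and the campaign is summarized as click and credential-submission rates over distinct recipients. The class and method names, the example.test host and the five-recipient scenario are all assumptions made for the illustration.

```ruby
require 'securerandom'
require 'time'

# Added example, not UAF's own code: a minimal per-recipient tracking model
# for an authorized phishing assessment. Each recipient gets an unguessable
# token embedded in the lure URL so a click, a credential submission or a
# payload result can be tied back to exactly one person, and the campaign
# can be summarized as the kind of metrics the article lists. The host
# example.test and all class/method names are hypothetical.
class PhishCampaign
  Event = Struct.new(:token, :kind, :at)
  KINDS = %i[sent clicked credentials payload_ok].freeze

  def initialize
    @targets = {} # token => recipient address
    @events  = []
  end

  # Register a recipient and return the token that identifies them.
  def add_target(address)
    token = SecureRandom.hex(8) # 16 hex chars, 64 bits of entropy
    @targets[token] = address
    token
  end

  def tokens
    @targets.keys
  end

  # The URL placed in the email; only the token differs per recipient.
  def lure_url(token, base = 'https://example.test/login')
    "#{base}?t=#{token}"
  end

  # Record one event for a recipient, with an explicit timestamp so the
  # report can show when the mail went out and when the click followed.
  def record(token, kind, at)
    raise ArgumentError, "unknown token #{token}" unless @targets.key?(token)
    raise ArgumentError, "unknown event #{kind}" unless KINDS.include?(kind)
    @events << Event.new(token, kind, at)
  end

  # Recover the token from a web-server request line such as
  # 'GET /login?t=0123456789abcdef HTTP/1.1'; nil if missing or malformed.
  def self.token_from_request(request_line)
    m = request_line.match(/[?&]t=([0-9a-f]{16})\b/)
    m && m[1]
  end

  # Number of distinct recipients with at least one event of this kind;
  # a user who clicks twice is still one clicker.
  def count(kind)
    @events.select { |e| e.kind == kind }.map(&:token).uniq.size
  end

  def metrics
    sent, clicked, creds = count(:sent), count(:clicked), count(:credentials)
    {
      sent: sent,
      clicked: clicked,
      credentials: creds,
      payloads_ok: @events.count { |e| e.kind == :payload_ok },
      click_rate: sent.zero? ? 0.0 : (clicked.to_f / sent).round(2),
      cred_rate: clicked.zero? ? 0.0 : (creds.to_f / clicked).round(2)
    }
  end

  # Ordered event list for one recipient, for the per-user report.
  def timeline(token)
    @events.select { |e| e.token == token }
           .sort_by(&:at)
           .map { |e| [e.kind, e.at.utc.iso8601] }
  end

  # Constructed scenario: five recipients mailed at once, four click,
  # three of those enter credentials, one browser payload succeeds.
  def self.demo
    c = new
    names = %w[alice bob carol dave erin]
    toks = names.map { |n| c.add_target("#{n}@example.test") }
    t0 = Time.utc(2009, 7, 6, 16, 0, 0)
    toks.each { |t| c.record(t, :sent, t0) }
    toks[0, 4].each_with_index { |t, i| c.record(t, :clicked, t0 + 60 * (i + 1)) }
    toks[0, 3].each_with_index { |t, i| c.record(t, :credentials, t0 + 60 * (i + 1) + 30) }
    c.record(toks[0], :payload_ok, t0 + 120)
    c
  end
end

if $PROGRAM_NAME == __FILE__
  campaign = PhishCampaign.demo
  p campaign.metrics
  p campaign.timeline(campaign.tokens.first)
end
```

The rates are computed over distinct recipients rather than raw hits, so a user who opens the lure three times does not inflate the click rate, and the credential rate is taken relative to clickers, matching the article's "once they got there" framing.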

UAF can run on Linux and Windows, he says. The free, open-source version of UAF software is aimed at penetration testers, and doesn't contain all of the functionality of the commercial tool or managed service. "You have to use your own mail server, so we're not going to provide a way to send anonymous attacks. This gives companies that may not want to purchase it a way to test their organization in a safe manner," he says.

The commercial tool, meanwhile, will be priced at around $5,000, and the managed service at $2,500 to $10,000 per year. PacketFocus is also looking for beta testers for both the product and the service ([email protected]).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
