Showing posts with label Backdoor. Show all posts

Wednesday, 14 December 2011

When Does A "Tool" Become A "Weapon"?

As with so many tools, security vulnerability detectors can be misused to exploit rather than defend. The Metasploit Project is an extremely valuable tool and many of us in cyber security use it to research and probe for potential problems. However, a recent development revealed by Security Labs in India demonstrates just how easily the Metasploit Framework can be used to develop malicious payloads that avoid detection by the usual Anti-Virus and Firewall software.

By installing a few extras with BackTrack 5 (another tool-set that penetration testers know well) it is possible to run a script based upon Metasploit that generates a "reverse TCP payload". In essence, all of your Internet data is carried using a protocol called TCP/IP, where the IP part gives the "addresses" of the sender and receiver, and the TCP part ensures that the data, which is chopped up into small "packets" for transmission across the Internet, is reconstructed correctly once received. The "reverse" part means the connection is made from the inside out: the compromised machine opens the connection to the attacker, so you receive the unwanted data without realising it. Hence, it bypasses the types of traps that are usually employed to capture unwanted code, which watch for connections coming in rather than going out.

What could you do with this? Well, imagine you could use the technique to deliver a "backdoor" to a machine. Actually, you don't need to imagine, as that is exactly what was done. All of a sudden you have the means to take over a machine remotely without the user knowing, and in such a way that most users would stand very little chance of detecting the attack: certainly not using routine Anti-Virus and Firewall software.
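Since the payload described above opens its connection outwards, the place to look for it is the egress log rather than the inbound firewall rules. The script below is an added example (it is not code from the original post, from Security Labs or from the Metasploit project) that reads a constructed per-host connection log and flags outbound TCP sessions started by a shell or script interpreter to an external address on an unusual port, or kept open for an unusually long time. The log format, the process names, the port list, the thresholds and every IP address and timestamp are assumptions made up for illustration.

```python
"""Flag outbound connections that look like a reverse TCP payload calling home.

Added example, not code from the original post. The log format, field names,
process names, thresholds and all sample records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample egress log, one connection per line:
# epoch,direction,proto,process,dst_ip,dst_port,duration_seconds
SAMPLE_LOG = """\
1323856800,out,tcp,firefox.exe,93.184.216.34,443,12
1323856810,out,tcp,outlook.exe,10.0.0.25,993,300
1323856820,out,tcp,cmd.exe,203.0.113.7,4444,1800
1323856830,in,tcp,svchost.exe,10.0.0.9,445,5
1323856840,out,tcp,powershell.exe,198.51.100.12,443,2400
1323856850,out,tcp,chrome.exe,93.184.216.34,80,3
1323856860,out,tcp,powershell.exe,10.0.0.5,5985,900
"""

# Shells and interpreters that rarely need their own long-lived outbound socket (assumed list)
SHELL_LIKE = {"cmd.exe", "powershell.exe", "sh", "bash", "python.exe"}
# Ports a workstation legitimately talks to all day (assumed list)
EXPECTED_PORTS = {25, 53, 80, 443, 587, 993, 995}
# Sessions longer than this are unusual for an interactive shell process (assumed threshold)
LONG_LIVED_S = 600
# Internal address space; connections staying inside it are left to other controls
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    ts: int
    direction: str
    proto: str
    process: str
    dst_ip: str
    dst_port: int
    duration_s: int


def parse_log(log: str) -> List[Conn]:
    """Parse the comma-separated log into Conn records, skipping blank and comment lines."""
    conns = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, proto, proc, ip, port, dur = line.split(",")
        conns.append(Conn(int(ts), direction, proto, proc, ip, int(port), int(dur)))
    return conns


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reasons_for(c: Conn) -> List[str]:
    """Return the reasons a connection looks like a reverse shell (empty list if it does not)."""
    reasons: List[str] = []
    if c.direction != "out" or c.proto != "tcp":
        return reasons                      # only outbound TCP is of interest here
    if c.process.lower() not in SHELL_LIKE:
        return reasons                      # browsers, mail clients etc. are expected to talk out
    if is_internal(c.dst_ip):
        return reasons                      # stays inside the network
    if c.dst_port not in EXPECTED_PORTS:
        reasons.append(f"shell process to unusual port {c.dst_port}")
    if c.duration_s >= LONG_LIVED_S:
        # A common port alone does not clear it: an operator session stays open a long time
        reasons.append(f"long-lived session ({c.duration_s}s)")
    return reasons


def find_reverse_shell_candidates(log: str) -> List[Tuple[Conn, List[str]]]:
    """Run the heuristics over every record and return the flagged ones with their reasons."""
    return [(c, r) for c in parse_log(log) if (r := reasons_for(c))]


if __name__ == "__main__":
    for conn, why in find_reverse_shell_candidates(SAMPLE_LOG):
        print(f"{conn.ts} {conn.process} -> {conn.dst_ip}:{conn.dst_port}: {'; '.join(why)}")
```

On the constructed log the two flagged records are the cmd.exe session to port 4444 and the powershell.exe session that used port 443 but stayed open for forty minutes; the internal WinRM session on port 5985 is deliberately left alone. The thresholds are starting points to be tuned against a real baseline, and the point of the second hit is that checking ports alone is not enough when the connection direction is the attacker's choice.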

It's such a shame that these tools are used in this way. Or is it? Perhaps that's the very reason they exist. After all, this has shown a vulnerability and a form of attack vector that may not have been thought about by the AV and Firewall vendors.

Saturday, 26 November 2011

Beware Free Software: You Might Get More Than You Bargained For

I've been preparing a lab for our Level 3 students studying Computer & Network Security. To make the whole exercise more interesting I've been looking for a free packet sniffer that we can use to demonstrate how easy it is to capture network traffic and analyse what unwitting users are telling you about themselves. I was interested, therefore, to see in a well known security newsletter that there was a completely free packet capture and analysis tool. Worth a look, I thought. After all, free software is just what we need as an impoverished University.

My suspicions were aroused by the fact that the URL given was a "ru" domain, but surely I could be sure that this software was safe as it had been listed by a journal known by those in cyber security as quite reputable. Well, being an old cynic I just had to double check. Sure enough, I popped the URL into McAfee Site Advisor (http://www.siteadvisor.com/) and a flurry of red crosses resulted. The network sniffer contained a trojan (BackDoor-AZN trojan, Artemis). So maybe being an old cynic isn't so bad after all.

This set me thinking. This is actually one of the oldest tricks in the book. However, this time it looks like it might be an attempt by hackers to use the very people attempting to thwart them to introduce malware to the networks they are meant to be protecting. Maybe you really do get what you pay for.

So, as I say in my lectures, old cynic that I am, you should always practice your ABC:

A - Assume nothing
B - Believe no one
C - Check everything

If you are looking for a good packet analyser, I suggest Colasoft's Capsa 7 or Capsa WiFi. One is free, but cut down from the full version, and the second is time limited. And yes, I did check these before downloading, even though it was a proper commercial site, and all I saw were green ticks. Better safe than sorry.