DefCon Day 2: Patching Your Hacker Toolkit

LAS VEGAS, July 30 -- New research released at the DefCon conference suggests that not only is it important to apply patches to fix security flaws in commonly used computer software, but that patch installation is important for the very tools hackers and security professionals frequently use to break into (or test the security of) computer networks.

According to new findings by the venerable hacker ninjas known as the Shmoo Group, some of the most popular tools used by hackers and security professionals to infiltrate and test the security of targeted networks contain serious flaws that defenders could use to turn the tables on hackers.

Metasploit, a sort of Swiss Army knife of free attack software that automates the search for systems vulnerable to dozens of known software flaws, contains a critical vulnerability that could allow a person defending a network being probed by the Metasploit toolkit to seize control over the machine doing the actual probing. Same goes for "Canvas," another tool widely used by penetration testers and Black Hat hackers alike. (Canvas is a product sold by the folks at ImmunitySec, one of several companies I wrote about recently that pays hackers who find security flaws in commercial software.)

The Shmoo guys also found major flaws in Kismet, one of the most widely used tools for finding unsecured wireless computer networks. "It's time to download the latest patches for your 'sploits folks," Shmoo Group member Brian Caswell said yesterday at a Defcon briefing. "If you are thinking about using Kismet here at DefCon folks, don't, because you will get owned."

In my wanderings in and out of the various DefCon briefings yesterday, I saw dozens of people using Kismet to compete in the conference's war driving and capture the flag competitions, and plenty of those folks were still using the software after the Shmoo Group's talk was finished. I'm guessing quite a few of those guys are now wishing they'd attended that talk.

By Brian Krebs  |  July 30, 2005; 5:17 PM ET


Yeah, and they are dragging their feet on working with the authors so that patches can be made. Real nice, guys. At least Mike Lynn was trying (albeit in vain) to get Cisco to cooperate before spilling his guts. These guys dropped bombshells on the authors and so far haven't much bothered to help clean up the mess. I've lost a lot of the great respect I had for the Shmoo.

Posted by: ShmooFooey | August 3, 2005 1:22 PM

Oh please. A little early to start sniping, isn't it? Shmoo is an east-coast based group, and I know I'm just getting over the jetlag from the trip myself. (And they may not have left Vegas on the Monday after the con like I did.)

Besides, the vulns aren't hard to find (at least, two of the Kismet ones aren't, I haven't looked that hard for the rest of 'em.) They did a pretty good job of hinting where they were. I'm sure they'll send the relevant info to the authors as soon as they get their bearings back.

We're the _hacker_ community. Are we really going to start crying foul when someone points out _our_ security weaknesses? Are we going to start demanding "fair disclosure" or early warning about our own oversights? It's time to eat our own dog food, folks. Day-zero applies to us more than it should ever apply to Microsoft or Cisco.

Posted by: infosuck | August 4, 2005 9:40 AM

So because they are on the East Coast, they couldn't be bothered to send an email to the authors before they left? Did they write their presentation on the plane?

There's no excuse for it and you know it. They didn't release this info after trying in vain to get patches written, they decided to be cowboys and strut their stuff - and stunts like this are the whole reason why there is such a debate over how and when it is acceptable to release vulnerability info.

Posted by: ShmooFooey | August 4, 2005 2:21 PM

Bigg up to Shmoo for showing that authors of hacking tools do not practice what they preach.

It is embarrassing that hacking tool authors cannot even write secure code themselves ...

Hallelujah Brother!

Posted by: P | August 4, 2005 4:14 PM

"These guys dropped bombshells on the authors and so far haven't much bothered to help clean up the mess. I've lost a lot of the great respect I had for the Shmoo."

Um... no they didn't. They actually said they had informed all the software authors, however not all of them had a chance to fix the issues at the time of the conference. So before you go and accuse them of something maybe you should get your facts straight. Also, it's important to note that they did not release the exploit for the vulnerabilities yet.

Posted by: Anonymous | August 4, 2005 5:20 PM

Not according to the author I spoke with, they didn't. He's pretty pissed, as a matter of fact. He's even sent them emails and hasn't gotten much back. I didn't mention it because I did not (and have not) secured an OK from him to discuss it. But trust me, Shmoo is not being responsible about this, at least in this case.

Posted by: ShmooFooey | August 5, 2005 12:59 PM

Hmm. Brian does claim to have mailed us a patch, but I didn't get it. Regardless, whatever. They turn out not to be bugs. So big molehill over nothing.

Posted by: email | August 11, 2005 12:00 AM

The comments to this entry are closed.

© 2010 The Washington Post Company