Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SATAN ATTACKS EVERYWHERE
From: cklaus () iss net (Christopher Klaus)
Date: Sun, 9 Apr 1995 20:13:48 +1494730 (PDT)




Hey, are we still here?? Looks like we survived the numerous attacks 
from hordes of hackers armed with SATAN with the only desire
to pillage and pilfer everyone's networks.  The Internet has survived
another mega hype negative story!  

For some reason, I really can't see tons of hackers using SATAN for several
reasons:

0. SATAN was never designed to be a tool to exploit security problems
   on other sites.

You missed my point and obviosuly missed all the news coverage that this tool
would be the new tool for hackers to abuse Internet.

I have never seen a "real" Unix system with 16 meg total memory (phys.
memory and swap space). I'm not talking about your poor PC running
linux or something like that...

Well, in the US, the fastest growing number of machines getting
on the Internet, would probalby be the typical PC machines, especially
with all the slip/ppp account ISPs.  If SATAN was going to be
the tool that every hacker would use, then I would think it would
atleast run on most of those machines.  Again, my point was that the mass
media was wrong.


2. It requires installing other packages like perl.  Most hackers aren't
able to run anything unless it's a no brainer script.  "Gee the bad thing
is we've been hacked and someone used SATAN, the good thing is that we
got perl5 and a web browser installed." 

Perhaps you are talking about wannbe-hackers that are trying to break
into other systems (crackers). Hackers (in the original term people
with deep knowledge about computers) won't have problems installing
perl... Every normal sys-admin is able to install perl - it's one
of the easiest to install packages that are available.


The basis for my statements was why i didnt think hackers (the mass media term for crackers or wanna-be crackers).  I 
would think most admins could install
perl.  I would hope so.


Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
to point out (contrary to News Media) that SATAN is not the tool that
will shut down the Internet.

Hmm. My very personal opinion is that you not tried to be objective
nor did you read the full documentation and understood the principles of
SATAN.

You obviously missed my whole point.  Im not slamming SATAN as a product. 
I recommend everyone use it.  I just don't think SATAN is as great a danger
to the Internet as the media portrays.  Obviously, a few sites are
going to get hit by SATAN, but I doubt it is anywhere as big as the media
has portrayed it.

On a side note,  I have released ISS 1.3 which is available on ftp.iss.net
/pub/iss/iss13.tar.gz which includes many more checks than what SATAN
has specified.  Also, it doesn't require installing any other 
outside packages, is in C, and doesn't require large amounts of ram 
nor disk space. 


Ok. Let's check.

1. Includes more checks?
   This is not a problem. The main goal of the current release of
   SATAN was to bring out the package right now so it can't be stopped,
   to get feedback for bug-fixes and (later) add more tests.

   It would be interesting to see new versions of ISS as soon as new
   checks are being shipped with SATAN. So why haven't you released
   this iss version with more tests before?

Because posting exploit code for new bugs is in my opinion not the best
situation for the Internet. I think it helps to make the code available
but under more controlled circumstances.  I think that is the biggest complaint
with SATAN, is that it was control-free. 


2. Doesn't require installing other packages?
   Oh - nice. How will it work on my Solaris 2.x machine (out of the box)
   that has no C-compiler?

Well, then you can't run very many publicly available packages, including
ISS or SATAN. Have a friend compile it for you, I guess.


SATAN also includes another very important part (missing in ISS):
the "web of trust". By using this you can "get the whole picture" instead
of highliting only single problems. This part isn't yet powerful enough
but the authors are still working especially on this topic.

The commercial version of ISS does all the trust hosts/users analysis.
I do not plan on releasing another free ISS version, unless another 
serious bug appears in the code which I am almost certian I have removed
all such bugs. If someone else wants to add their own code/checks to ISS,
I'll happily put it on ftp.iss.net along with the other ports. 

ISS 1.21 had a big bug that could cause it to scan unspecified networks,
and I felt it was worthwhile to make sure that I released a fixed version
for such a volatile and possibly liable-causing bug. 


Another point: You first said that satan is huge, requires additional
packages, etc. and than said that your product is better in this
categories. Also you said because of the disadvantages of SATAN in
this points crackers won't use it. Later on you are advertising your
tool... Who should use it? The crackers or the sysadmins?

Administrators obviously should use it.  Crackers have their own tools anyways.
Just wanted to point out that programs have been available on the Internet
that could be abused like SATAN, long before SATAN was released.  I did
not quite get the mass hysteria over SATAN (other than the neato name).


You completly ignored the very good documentation of SATAN! Also

Great.  Check out my Security FAQes I make available on http://iss.net/iss
They provide a very clear checklist of things for an admin to follow
to make sure their network is safe.  If you did follow that checklist,
ISS, SATAN, and any other scanner would be useless for your network.


Also I don't think that Dan and Wietse are those guys who are
thinking: first we release a small package for public use and than
(after getting feedback and imporving the product) don't give the
results of the feedback back to the community

All vulnerability checks and feedback I was given was placed in the freeware
version.  ISS 2.1 is a completely re-written product with very little
of the original code. 

Well, I was developing ISS in my spare time 4 years ago.  And I was using
it for my own personal use.  I talked with others, such as Alec Muffett
and convinced me to release it for Usenet.  No problem.  

After getting flooded with a lot of mail saying what a useful tool, etc,
there would be only one way to really turn it into a very powerful and useful
tool and make sure that it wasn't being abused each time I added a new
check, and that was to go go commercial.  That way, I do not have to worry
about a lawsuit  (Im sure you haven't missed the talks about SATAN and the
great possibility that Mr. Farmer will get sued.) and also, allow me to work
on the product full time.  So, going commercial for me was the right decision,
just wanted to point out, my releasing initial versions of ISS was not
some sneaky marketing strategy.  I look at it as the same way as TIS did
their firewall toolkit. 

I will be announcing ISS 3.0 soon and it has many dangerous checks in it.
And by having it commercial, I do not have to worry about it being abused
or being sued.  Nor have I heard of a single case where ISS 2.1 has been
found to be used by crackers, because I took special precautions
to limit ISS scans to particular networks and hosts.

Cheers,
Christopher

-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.         Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault