web
counter


The Duality Of Security Tools

Security tools, be them software and even hardware, can be used positively and negatively. Encryption is a fine example of the dual nature in security tools, it keeps the unauthorized, or it tries to, from viewing your data. This is good when you do it, but what if the bad guy does it to you? Recently the Crypto-Locker worm has been making it's way around. This worm encrypts all documents it can find and doesn't give you the decryption key until you pay for it. Paying the ransom seems to work, and the encryption so far seems to be good enough that it can't be cracked. Other tools that an administrator uses everyday can also have dual purposes, an inventory system is a valuable asset to the company, but it's equally valuable to an attacker. Often administration services/programs have the highest rights on every computer, so attacking through such a service or portal would be ideal for an attacker. The application is trusted, and it makes IT's job easier to push out changes to large groups or the entire organization. So too could an attacker, push out an unwelcome change to entire organization.

Knowledge and Stigmas:

Like anything in life and the security field itself, a truism is "If they want it bad enough, they are going to get it". The many tools that can be useful to an administrator can also be useful an attacker.

Tools get stigmas, bad reputations only because they are abused. Some seem more likely to be in this category, like Password Auditing Software. While it's true they can be used to gain access or crack passwords, that doesn't mean they will be by responsible persons. The tools themselves are often created in good faith, and while it's altruistic to think everyone using them is also doing so in good faith, the benefit of the doubt has to be given. Again this is the internet, it's the wild-wild-west when it comes to true motivations.

Helping someone roll out encryption software to their network may look like a legitimate claim, and we here at Xinn.org often advise folks on how to do that task. That same encryption software could secure against physical theft, or it could "brick" every laptop in the company with a demand to pay a ransom. The password auditing software could be used to gain financial data from HR Office files, or it could be used as intended to find weak passwords and be used to strengthen the posture of users passwords. It could recover a password for many other legitimate reasons as well.

How do you know who to trust?

You don't and probably never will when it comes to the internet. Some tools are so good at what they do, that it's only natural an attacker use them too. BackOrifice is a perfect example of this. BO was a wonderful administration tool, it allowed you do anything you could image to a PC from a remote terminal. Virus writers took the source code and re-purposed it for their needs. This caused AV vendors to black flag BO itself because all it's same source code was inside that virus. The tool was still a legitimate and altruistic administration tool, but got a very bad reputation as being a hacking tool when it wasn't (intended to be). Other tools get treated this way too, but I use them all day everyday, making my job as a security professional much more effective. Don't be scared to use the right tool for the job, but use that tool responsibly. Frankly most tools we use to administer, and we advise people in real life to use everyday, could wreak havoc in the wrong hands.

My last example is PowerShell. PowerShell commandlets can be abused as documented and applied in the PowerSploit project. The author created the tool to highlight the insecurities in PowerShell, and asked Microsoft to tighten up PowerShell's abilities future versions of PowerShell. Another abuse of PowerShell was even posted by a Guest Blogger on Microsoft's Technet.com. This script involved the copying of the Active Directory database without needing any 3rd party or exploit tools. The script uses Microsoft's own API's and functions to copy the data off the server an into the attackers hands. All tools have a dual purpose, and just because it's a tool that is revered or thought highly or labeled "good" by an AV vendor, does not mean it can't be abused. This goes double for tools that are already have some "hacking/exploit" label placed on them. Those tools can save an organization if used for the betterment of the security posture.