Re: SATAN ATTACKS EVERYWHERE

[cklaus () iss net (Christopher Klaus)]

> > Hey, are we still here?? Looks like we survived the numerous attacks 
> > from hordes of hackers armed with SATAN with the only desire
> > to pillage and pilfer everyone's networks.  The Internet has survived
> > another mega hype negative story!  
> >
> > For some reason, I really can't see tons of hackers using SATAN for several
> > reasons:
>
> 0. SATAN was never designed to be a tool to exploit security problems
>    on other sites.

You missed my point and obviosuly missed all the news coverage that this tool
would be the new tool for hackers to abuse Internet.

> I have never seen a "real" Unix system with 16 meg total memory (phys.
> memory and swap space). I'm not talking about your poor PC running
> linux or something like that...

Well, in the US, the fastest growing number of machines getting
on the Internet, would probalby be the typical PC machines, especially
with all the slip/ppp account ISPs.  If SATAN was going to be
the tool that every hacker would use, then I would think it would
atleast run on most of those machines.  Again, my point was that the mass
media was wrong.


> > 2. It requires installing other packages like perl.  Most hackers aren't
> > able to run anything unless it's a no brainer script.  "Gee the bad thing
> > is we've been hacked and someone used SATAN, the good thing is that we
> > got perl5 and a web browser installed." 
>
> Perhaps you are talking about wannbe-hackers that are trying to break
> into other systems (crackers). Hackers (in the original term people
> with deep knowledge about computers) won't have problems installing
> perl... Every normal sys-admin is able to install perl - it's one
> of the easiest to install packages that are available.


The basis for my statements was why i didnt think hackers (the mass media term for crackers or wanna-be crackers).  I 
would think most admins could install
perl.  I would hope so.

> > Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted
> > to point out (contrary to News Media) that SATAN is not the tool that
> > will shut down the Internet.
>
> Hmm. My very personal opinion is that you not tried to be objective
> nor did you read the full documentation and understood the principles of
> SATAN.

You obviously missed my whole point.  Im not slamming SATAN as a product. 
I recommend everyone use it.  I just don't think SATAN is as great a danger
to the Internet as the media portrays.  Obviously, a few sites are
going to get hit by SATAN, but I doubt it is anywhere as big as the media
has portrayed it.

> > On a side note,  I have released ISS 1.3 which is available on ftp.iss.net
> > /pub/iss/iss13.tar.gz which includes many more checks than what SATAN
> > has specified.  Also, it doesn't require installing any other 
> > outside packages, is in C, and doesn't require large amounts of ram 
> > nor disk space. 
>
> Ok. Let's check.
>
> 1. Includes more checks?
>    This is not a problem. The main goal of the current release of
>    SATAN was to bring out the package right now so it can't be stopped,
>    to get feedback for bug-fixes and (later) add more tests.
>
>    It would be interesting to see new versions of ISS as soon as new
>    checks are being shipped with SATAN. So why haven't you released
>    this iss version with more tests before?

Because posting exploit code for new bugs is in my opinion not the best
situation for the Internet. I think it helps to make the code available
but under more controlled circumstances.  I think that is the biggest complaint
with SATAN, is that it was control-free. 

> 2. Doesn't require installing other packages?
>    Oh - nice. How will it work on my Solaris 2.x machine (out of the box)
>    that has no C-compiler?

Well, then you can't run very many publicly available packages, including
ISS or SATAN. Have a friend compile it for you, I guess.

> SATAN also includes another very important part (missing in ISS):
> the "web of trust". By using this you can "get the whole picture" instead
> of highliting only single problems. This part isn't yet powerful enough
> but the authors are still working especially on this topic.

The commercial version of ISS does all the trust hosts/users analysis.
I do not plan on releasing another free ISS version, unless another 
serious bug appears in the code which I am almost certian I have removed
all such bugs. If someone else wants to add their own code/checks to ISS,
I'll happily put it on ftp.iss.net along with the other ports. 

ISS 1.21 had a big bug that could cause it to scan unspecified networks,
and I felt it was worthwhile to make sure that I released a fixed version
for such a volatile and possibly liable-causing bug. 

> Another point: You first said that satan is huge, requires additional
> packages, etc. and than said that your product is better in this
> categories. Also you said because of the disadvantages of SATAN in
> this points crackers won't use it. Later on you are advertising your
> tool... Who should use it? The crackers or the sysadmins?

Administrators obviously should use it.  Crackers have their own tools anyways.
Just wanted to point out that programs have been available on the Internet
that could be abused like SATAN, long before SATAN was released.  I did
not quite get the mass hysteria over SATAN (other than the neato name).

> You completly ignored the very good documentation of SATAN! Also

Great.  Check out my Security FAQes I make available on http://iss.net/iss
They provide a very clear checklist of things for an admin to follow
to make sure their network is safe.  If you did follow that checklist,
ISS, SATAN, and any other scanner would be useless for your network.

> Also I don't think that Dan and Wietse are those guys who are
> thinking: first we release a small package for public use and than
> (after getting feedback and imporving the product) don't give the
> results of the feedback back to the community

All vulnerability checks and feedback I was given was placed in the freeware
version.  ISS 2.1 is a completely re-written product with very little
of the original code. 

Well, I was developing ISS in my spare time 4 years ago.  And I was using
it for my own personal use.  I talked with others, such as Alec Muffett
and convinced me to release it for Usenet.  No problem.  

After getting flooded with a lot of mail saying what a useful tool, etc,
there would be only one way to really turn it into a very powerful and useful
tool and make sure that it wasn't being abused each time I added a new
check, and that was to go go commercial.  That way, I do not have to worry
about a lawsuit  (Im sure you haven't missed the talks about SATAN and the
great possibility that Mr. Farmer will get sued.) and also, allow me to work
on the product full time.  So, going commercial for me was the right decision,
just wanted to point out, my releasing initial versions of ISS was not
some sneaky marketing strategy.  I look at it as the same way as TIS did
their firewall toolkit. 

I will be announcing ISS 3.0 soon and it has many dangerous checks in it.
And by having it commercial, I do not have to worry about it being abused
or being sued.  Nor have I heard of a single case where ISS 2.1 has been
found to be used by crackers, because I took special precautions
to limit ISS scans to particular networks and hosts.

Cheers,
Christopher

-- 
Christopher William Klaus       Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.         Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
========================< http://iss.net/~iss >=========================