"Just because you can do something etc"
Also, don't hire elvish contractors to evaluate whether your IT systems are secure, because they will say both yes and no.
Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets. You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to …
And then we'll have another teen fighting an extradition to Gitmo.
Yes, it must be quite disconcerting for those with Aspergers, and their families, to watch as yet another low skilled hacker retrospectively discovers they have the condition, which will suddenly clear up five minutes after the trial ends.
If I provided evidence that some medical condition, let's call it Smallus Equipmentus, inadvertently led me to speed whenever I went near a car, and there was no cure for Smallus Equipmentus, then either society forever runs the risks associated with my speeding, or it bans me from driving until cured (effectively then, for life).
If we changed extradition law such that the reliance on an incurable condition as part of your defence would automatically result in a permanent ban from using a computer, in the case of hacking charges, a lot of these wannabes would have to think twice before engaging in the hacking that will saddle our legal system with massive costs.
OTOH this is the open world.
If I were a Black hat I'd develop this for my personal toolkit to increase my "productivity." You'd not know I had it unless you got hold of my personal development environment. You'd only be aware of it by the number of hits on the .io database and (possibly) the activity of a metasploit run if I'd hosted it on a (compromised) cloud account.
Think of it as the Black hat equivalent of constructing your own light saber.
So my suspicion* would be top grade Black hats have tools like this but they are smart enough to fly below the radar by keeping them to themselves.
*Just a deduction. I don't know any Black hats. I don't know how to talk to any and I don't know how to find them.
"As with anything, it can be used for good or bad," the security researcher added. "The responsibility is with the person using it. I am not going to play gatekeeper to information. I believe information should be free and I am a fan of open source in general."
It is important to have an open mind, but not so open that your brains fall out.
Like with Intel waiting months after being told of vulnerabilities before admitting the fault but not stopping sales of the affected hardware, vendors often wait too long before fixing problems.
Once a vendor is told a problem exists then every victim who suffers after that point is down to the vendor and people should be able to sue for any losses.
If every known hole is closed then it will take time for any new exploits to filter down to someone who is going to make them public domain like this dev has. More than enough time for the vendors to plug the holes in their sinking ships.
As the saying goes "if we don't make giant mutant firebreathing camels first then someone else will and we will be caught with our pants down"
> Once a vendor is told a problem exists then every victim who suffers after that point is down to the
> vendor and people should be able to sue for any losses.
No. The vast majority of systems that get pwned are due to known exploits for which a vendor patch exists. The fault for these lies with the stupid moron user / IT dept that did not install that patch.
I've been in hardware and software design for over 30 years; I cut my teeth on an IBM 1130 and I haven't looked back since.
I am glad these tools come out - the tools that make fuzzing easier make me a better engineer. If an IT pro is worried about how this will impact his/her company then grow the fuck up.
You either pay your staff to make security their full time job, or your company's stock drops. It is so easy to let yourself in the back door or even the front door in today's infrastructure, automated sploits should be the least of your worries.
With state sponsored espionage the norm these days, that Fortune 500 companies continue to farm out work to the lowest bidder if at all, I am the person that you shouldn't detest, but be glad that I exist.
Your choice - talk to me now, or see me later.
Amen to all of that, YetAnotherJoeBlow.
Know what you are doing and why you are doing it far better than anyone/anything else, and you are priceless and that makes you a valuable asset to be garnered/milked/protected/bought and brought inside systems rather than be left outside to continue to decimate them.
"As with anything, it can be used for good or bad"
It's pretty hard to invent a "good" use for this, although perhaps I'm lacking imagination. You can make that argument for Shodan and Metasploit in isolation as they can be used by ethical pen testers in a focused way, but tying them together to allow indiscriminate pwnage by the completely unskilled is hard to justify.
Although as others have pointed out, it's not hard to do this kind of scripting and within reach of even marginally skilled bad guys. I imagine if you have an exploitable system indexed in Shodan, you're pretty much toast anyway.
or if they hadn't hoarded them all up because this really is just a major case of "what goes around, comes around" or "not everything that should stay in Vegas, will stay in Vegas ..." or "wouldn't it be grand if all software was formally proven to be bug-free ..."
Shodan has long been, if not created for the sole purpose of exploiting others.
#1 use of it, hacking web cams, #2 looking for exploitable PCs and servers, now maybe loading crypto miners.
I have had nasty conversations with Shodan from them port scanning us every day for a year. They denied it, and said they scan things at most once a month - Unless they are hired to scan - anyone can hire them to scan anyone - I hope they all get cancer and die slowly.
In Shodan's defence; one can either choose to blithely carry on, or one can use such services to identify and close holes.
The one thing you can depend upon is human fallibility when it comes to the design of complex systems. Mistakes will be made; particularly so where systems evolve. Checking back for them is just plain common sense.
The old advice to airgap systems has conclusively been proven as a non-starter. Shodan and Metasploit serve a useful service for those charged with defense. Eliminate the bloody obvious, and what's left will generally only be identified by the highly skilled and determined. Last I checked; the latter two categories are damn near impossible to block.
With minor tweaks the autosploit script is a useful, and in hindsight, bloody obvious tool in its own right.
And yes, it's a script kiddie's dream too. :-)
f**kwitted stupid s**t from happening.
And I'd suggest a lot of the time it is the f**kwitted s**t that happens.
And as the Internet_of_Trouble grows more of it will accumulate with more core builds by code monkeys despite best practice reference builds being available.
Let's be real. Patching is always going to be a thing. It's a process, not an event. Get used to it and plan to do it. The test environment and the automation you will need to acquire can (and should) pay for itself in the various other tests you can run on new hardware for security, usability and compatibility. This is Systems Administration for adults, not running round like a headless chicken.
Tell your PHBs "Either we look for the holes in our security now, or let the Black hats find them first and f**k us (and by "us" I mean your bosses) up at their convenience." Because that's about the situation.