Cure Or Curse?
Ready or not, the Satan security tool is coming April 5
By Clinton Wilder and Jason Levitt
Issue date: April 3, 1995
Satan: Is it a powerful, easy-to-use security tool, or your worst security nightmare? It may be both, and it will be available free to anyone who wants to grab it off the Internet as of April 5. And it's stirring up as much fear as its namesake.
Satan--which is an acronym for Security Administrator Tool for Analyzing Networks--is software designed to report security weaknesses in networked computer sites. Satan gets into a site the same way an intruder would, from a host that is not part of the site's local area network.
The comprehensiveness of the product could prove a godsend to administrators who rarely have the time to monitor all the security and virus warnings that are periodically dispatched. By running this one application, an administrator could learn of myriad security holes and have an opportunity to repair them. And the fact that the software mimics an intruder provides a truer vision of how secure a system is from outside attack.
The Dark Side
But for that very same reason, Satan also makes it much easier to learn how to break into a system. It holds the promise of making systems more secure, but that presumes that a site's administrators run Satan--and act on its results--before an unauthorized hacker does. And the decision by the Satan developers to offer this product for free via the Internet is frightening many administrators and information technology executives.
"It would probably be a valuable tool, but it certainly concerns me that others could look in on our networks," says Scott Barrett, senior VP of information services and operations support at Blockbuster Entertainment Group in Fort Lauderdale, Fla. "With a free product, it's going to be the guys with extra time on their hands who will be out hacking and playing with it."
The program's designers say that the software does not damage systems that it probes, but merely checks to see if security holes exist and reports back its findings. But even if running Satan cannot damage a system, a skilled programmer could modify Satan to be intrusive, as the product will be distributed with complete source code. Built into Satan is knowledge of the best-known network security holes and the product can easily be modified to hunt for new security flaws when they become known.
Bigger Concerns
Satan co-developer Dan Farmer--who until recently served as the network security czar at Silicon Graphics Inc. (SGI) in Mountain View, Calif.--acknowledges the potential for nefarious applications, but insists that a tool that provides data on the vulnerability of a network to administrators is valuable and positive.
The potential for abuse "is a natural consequence of that information," says Farmer, who left Silicon Graphics by mutual agreement March 20.
SGI officials said Satan contributed to Farmer's departure. "We've invested heavily in network security in this company, and we didn't agree that a product of this sort should be distributed in an indiscriminate way," says Bill Kelly, Silicon Graphics VP of business development. "We think instead it should go to network administrators in a controlled fashion."
Satan is set to make its debut at a time when network security is among IT's top concerns. A recent InformationWeek survey of 100 large user sites showed that 71% considered network security one of their highest priorities. And of those users, 61% said they were using no automated security applications at all.
Easy Access
One of the reasons the software is raising strong concerns is its ease-of-use capabilities. The fear is that, while many security analysis products already exist, the Satan graphical user interface is so easy to use that less experienced hackers could use it.
"One of its insidious aspects is the very user-friendly Mosaic interface," says Donn Parker, of SRI International, a research firm in Menlo Park, Calif. "A lot of hackers who don't have technical skills will be able to use it."
Some security experts say the additional risks posed by Satan are minimal. "Any self-respecting hacker's tool kit already has all the tools that Satan has, without the nice graphical front end," says Marcus Ranum, an engineering manager at Internet firewall developer Trusted Information Systems Inc. in Glenwood, Md.
"For network and systems administrators, I think it will be useful," says Ranum. "The people who are scared of it are the people who've had their heads in the sand" about security risks that already exist, Ranum says.
Just how much hacker damage Satan might ultimately cause won't be known until after the product is released. But the program named for Lucifer has already rekindled the fiery clash between corporate security risks and free information in cyberspace, and those flames are certain to keep burning.