
AuthorITies: Internet Zone

February 5, 2001

Ethical Hacking Made Simple: Satan's Legacy

By Jason Levitt

It was both a scary and revolutionary concept when it hit the cover of InformationWeek in April 1995. Now, six years later, it's easy to see that the release of Satan (Security Analysis Tool for Auditing Networks), a free software package that allowed anyone the opportunity to test a network's security using the same techniques hackers were using, was really the birth of an era in network security awareness. Satan was scary, both because it revealed the processes that hackers were using to probe networks for weaknesses, and because it revealed, in practice, that many Internet sites were vulnerable to attack.

Satan was the first example of a network security scanner, an application that's now a standard part of any security analyst's toolkit. Using a security scanner to test a network in the same manner that a villainous hacker would--in an attempt to pinpoint weaknesses--is a practice commonly referred to as "ethical hacking." In the six years since the release of Satan to the public, ethical hacking has become standard practice among security administrators and a brisk business for security software vendors, but when Satan was released, it wasn't so obvious that this would be the outcome.

Since its authors, Dan Farmer and Wietse Venema, distributed Satan as source code, all of the hacker techniques were provided to the public in a form that could be easily redeployed in other applications. Distributing Satan was, in effect, handing over to the villainous rabble of the hacker underground the beginnings of a well-designed tool for finding, and possibly exploiting, weaknesses in networks. There were strong arguments against distributing Satan for exactly those reasons, but in the rapidly growing distributed computing world of the Internet, with TCP/IP everywhere, it was pretty clear that in the long run security holes weren't going to get fixed unless everyone knew about them. In any case, it was obvious to security professionals at some larger sites that villainous hackers already knew these exploits, and that many sites were vulnerable.

Today, it's hard to imagine not having tools for ethical hacking. Network security scanners, such as those reviewed in the Jan. 8 issue of InformationWeek's sister publication, Network Computing (http://www.networkcomputing.com/1201/1201f1b1.html), are the modern commercial offspring of Satan. For the most part, they're powerful, easy to use, and have in-depth reporting facilities. (Interestingly, an open-source security scanner, the Nessus Security Scanner, got the top nod in the review, besting several closed-source commercial contenders.) The flip side of ethical hacking is that villainous hackers have improved their tools as well. It's pretty easy to find a convenient Windows application for any well-known security exploit, as well as helpful utilities for port scanning and packet flooding.

As the recent rash of high-profile Web-site defacements illustrates, sites are as vulnerable as ever to break-ins. Ethical hacking is a prime defensive maneuver that every site should consider undertaking to evaluate the quality of network security. Thanks to Farmer and Venema, it's pretty easy to do these days.

Note: I consider Farmer and Venema's 1993 paper, "Improving the Security of Your Site by Breaking Into It", to be the introduction to ethical hacking.


