In: Root » Computers and technology » Data security
Turn back the calendar to the early 1990s. The Internet is off the ground and running rampant in universities. CERT is up and operational. The World Wide Web is more-or-less an experiment that is creeping into Gopher's territory. Vendors are vehemently denying most security bugs, and UNIX administrators are just beginning to feel the wrath of the clever attackers. Internet security practices as we know them today are in their infancy, but the blueprints for modern day tool sets are actively being drawn up. In 1992, a computer science student named Chris Klaus was experimenting with Internet security concepts. He created a scanning tool, Internet Security Scanner (ISS), that could be used to remotely probe UNIX systems for a set of common vulnerabilities. In Chris'words: ISS is a project that I started as I became interested in security. As I heard about crackers and hackers breaking into NASA and universities around the world, I wanted to find out the deep secrets of security and how these people were able to gain access to expensive machines that I would think were secure. I searched [the] Internet for relative information, such as Phrack and CERT advisories. Most information was vague and did not explain how intruders were able to gain access to most systems. At most the information told administrators to make password security tighter and to apply the vendor's security patches. They lacked real information on how an intruder would look at a site to try to gain access. Having talked with security experts and reading CERT advisories, I started trying to look for various security holes within my domain. To my surprise, I noticed that many of machines were adequately secured, but within a domain there remained enough machines with obvious holes that anyone wanted into any machine could attack the weak 'trusted'machine and from there could gain access to the rest of the domain. Although the cynic in me is inclined to ask what has changed since then (many of Chris'observations still ring true today), ISS was one of the early, if not the first, remote vulnerability assessment scanners to be deployed en masse on the Internet. ISS looked for a few dozen common security holes and flagged them as issues to be resolved. Although a few people were nervous about the tool's obvious power in the wrong hands, most administrators welcomed it with open arms. A few years later, Dan Farmer (of COPS fame) and Wietse Venema (of TCP_Wrapper fame) authored a similar tool called SATAN (Security Administrator Tool for Analyzing Networks). SATAN essentially did the same thing as ISS, but had some advancements: a more mature scanning engine, a Web-based interface, and a wider assortment of checks. Unlike ISS, however, the pending release of SATAN became a media-crazed event. So hyped was its release that in April 1995 (the month it was officially released), TIME magazine wrote an article on it and Dan Farmer. CERT even issued an advisory on its abilities (CA-1995-06). Many people feared that the release of SATAN would bring about total chaos on the Internet. Obviously this was not the case, as SATAN's release did little more then cause traffic for a few days while people downloaded it. Since then, the vulnerability assessment scene has continued to grow and mature. Today, there are more than a dozen scanners in circulation, each with its own set of strengths and weaknesses. The fundamental concepts, however, have not changed much since the early days of ISS and SATAN.
|
|||||||||||||
Disclaimer
1) E-articles is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringement, please read the terms of service and contact us or use the "Report this article" button on this page to investigate the problem.
2) E-articles is not responsible for inaccuracies, falsehoods, or any other types of misinformation this article may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. |
|||||||||||||
