[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]
You trust the security experts. Their books and articles about security are often the bibles of System Administrators. Their one paragraph biographies tell you of their ten to twenty years doing network security. They take on impressive titles of neat sounding companies they secure. Why is it these experts often give you the absolute worst advice that could cross your ears?
Time and time again, security ‘experts’ casually recommend that you use or deploy a package like the SATAN security scanner to test your network for vulnerabilities. While few references to SATAN will claim it is the end all solution to computer security, the mere fact people ever recommended the tool is absurd. More disturbing is that over four years after it is released, some continue to reference it in a serious manner.
Before I continue, I’d like to qualify and assure you this is not a rant against SATAN’s (or any other tool’s) authors. The attention and hype that propelled SATAN into the media spotlight is no fault of theirs. Rather, other security ‘experts’ and/or media outlets cried wolf before it was released and helped create the “demise of the internet” as it was once called. This article will focus on SATAN as an example, simply because of the label it received from so many. Please keep in mind that SATAN is a forefather to most of the commercial scanners you are familiar with. So time progresses and people realize the futility of recommending a utility never designed for intensive and thorough auditing, right? Of course not.
Instead of researching options more suitable for these books and articles, many security professionals dutifully recommend SATAN, COPS, Tiger and other out of date utilities. The question is why? Regardless of the answer, it isn’t a good enough reason. Security experts have an ethical obligation to recommend viable and solid solutions to their readers and customers. Each and every time they don’t, they further validate weak utilities as a method for securing your network. Days after auditing your network with these tools, their network falls victim to an intruder and they can’t figure out why.
SATAN was last released as version 1.1.1 on March 20, 1995. Obviously, network security concerns move at the speed of light. Any security audit tool not updated hours ago is already behind the times. So how can so many security professionals continue to recommend such an old and outdated tool? The only answer that comes to mind is the concept of being Politically Correct. The media told the masses this was a serious tool and should be regarded as a legitimate network auditing tool. Who would want to go against the grain and say otherwise? No one apparently.
Media and mainstream press put SATAN on a pedestal of unseen heights. As a result, several security professionals are still looking up and not seeing the scanner for what it is. Every day that passed with no qualified individuals speaking up, the more it lent to what the media had already said. Four years later, this is the first article to my knowledge that is doing that.
Who’s on the Bandwagon?
If you haven’t read many security articles, you may not have run across a reference to SATAN. In case you haven’t, lets look at a few of the many media outlets, security professionals and others who tell you to use it.
It started in 1995 with a wave of articles and press frenzy surrounding the tool’s release. To this day, articles still seem to latch onto the idea SATAN is a viable tool for network security. In 1995, an Oakland Tribune article said:
"It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one."
More recently SATAN has popped back up in more articles. James Glave quoted a Microsoft spokesperson on the use of SATAN in his article “Back Orifice a pain in the..?” (27). In April, Kevin Reichard wrote about the tool in his article “Network Security” (28).
Many popular and respected magazines have run articles suggesting the use of SATAN. Among them are Linux Journal (1), Info Security News (2), Security Advisor (3) and Information Security (An ICSA Publication) (4). Most disturbing is that most of the publicly available security magazines each push SATAN onto their readers at one point or another. These are the so-called experts, the people that should know the program does little for today’s networks. Yet as late as September 1998, three years since SATAN’s last release, they are still doing it.
Visit your local bookstore and you will be lucky to find more than five or ten security books. Over the past five years over one hundred books focusing on security have crossed these shelves. Interestingly enough, a healthy percentage each make the misplaced recommendation of SATAN as a valuable auditing tool. Worse, the idea of using such outdated and inferior tools has crossed beyond the realm of security books. A few of these books you may have seen are Practical Unix & Internet Security (5), UNIX System Administrator’s Companion (6), Halting the Hacker (7), and Internet Besieged (8). Recently, O’Reilly released an entire book devoted to using SATAN to protect your networks. (9) To a degree, this release gave the ultimate validation to the tool’s ability to protect your network. Are these books unworthy of attention? No. I would hazard they are being politically correct.
To keep on the bandwagon of overhype and undue attention, several security advisories have been released to prepare the net for this tool. One issue remains unresolved though. Why have few advisories followed the various SATAN advisories warning users of other utilities that are far more dangerous to their organization? In 1995 we were flooded with advisories from every response team or security group out there. CERT CA-95:06 (10), CIAC F-19 (11), CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14), CIAC F-24 (15), SMS 00130A (16), NASIRC (17), Assist 95-11 (18), Assist 95-19 (19), and Auscert AA-95.03 (20) are just a few of the security advisories warning us of the impact of SATAN.
With all of the news articles, books, security advisories and other miscellaneous hype, how could anyone go against the grain and jump off the bandwagon?
Satan is as Satan Does
Giving these various doomsday media outlets the benefit of the doubt, we could at least expect them to talk to knowledgeable professionals. That leads to two more questions. First, why didn’t they do just that? Second, why are some security professionals writing articles recommending it? Some might argue that since it has a point and click graphical user interface, it is easy for the novice admin. I certainly don’t buy that. Considering it takes a UNIX host, Perl, x-windows and other resources that are not the easiest to setup, expecting novice admins to use it is not logical.
Martin Freiss (author of ‘Protecting Networks with SATAN’) writes in his introduction about the extent of SATAN protecting your network:
"Naturally, SATAN cannot detect every security vulnerability. In particular, there are security problems in the transfer protocols of the Internet and intranets.. True security can be achieved only if all dangers are known, including those that SATAN cannot detect.."
Based on these words, I think it fair to say that those people familiar with the tool realizes its limits. Most security professionals when asked if there is an end all be all solution to network security, will answer no such beast exists. On the other hand, they will also tell you that no one tool will be the ‘demise of the internet’ like some claimed.
Technically speaking, why shouldn’t these organizations and people be recommending SATAN? Let’s examine what the program does in the way of vulnerability checking on a remote host. The following list is taken from the documentation.
- NFS file systems exported to arbitrary hosts
- NFS file systems exported to unprivileged programs
- NFS file systems exported via the portmapper
- NIS password file access from arbitrary hosts
- Old (i.e. before 8.6.10) sendmail versions
- REXD access from arbitrary hosts
- X server access control disabled
- arbitrary files accessible via TFTP
- remote shell access from arbitrary hosts
- writable anonymous FTP home directory
First thing we notice is that it scans for ten whole vulnerabilities. Thinking back to the start of this year alone, you should be aware that over one hundred vulnerabilities have been brought to light on the Internet. So the sheer percentage of vulnerabilities doesn’t quite cut it. Commercial competitors of SATAN like ISS and Cybercop pride themselves and attempt to gain market share based on the high number of vulnerabilities they scan for (over 500).
Since numbers are often misleading, lets look at some real world examples of why SATAN is not a good recommendation. If you are tasked to deal with network security and you run any flavor of UNIX, you are probably aware of the hundred or so vendor based security advisories for your platform of choice. Some of the more recently exploited vulnerabilities:
- ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23)
- Statd (rpc.statd): Detailed in SMS Advisory #186 (24)
- Calender Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25)
- Cold Fusion (WinNT): Several problems covered in many advisories (26)
- wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and more.
Comparing the list of vulnerabilities being widely exploited on the Internet today with the list of vulnerabilities SATAN checks for, we can see it does one thing quite well. It falls short. For you NT administrators, seek help elsewhere.
Insult to Injury
Yes, it gets worse. Not only does the program fall short in assisting with network security analysis, it poses a serious threat to your network security in ways that didn’t previously exist.
As outlined in CERT CA-95:07 (21), there is a “Password Disclosure” issue with SATAN 1.0, fixed in version 1.1. CIAC F-22 (22) covers another vulnerability that allows unauthorized users to execute commands and gain root access through SATAN. Marc Heuse later posted to Bugtraq regarding SATAN and other widely used security tools having /tmp race conditions allowing unauthorized users to create or overwrite any file on the system. This last vulnerability was found in SATAN 1.1.1, the last version released. No further revisions have been forthcoming so the issue has not been fixed.
So What’s the Solution?
So if tools like SATAN are antiquated, what is a viable freeware solution? Like most tools, there are always alternatives. In the past few years, a more current tool based on SATAN’s foundation has arisen, called SAINT (30). As of August 19, 1999, SAINT version 1.4 was released adding more features and security checks that address current security concerns. Among these are checks for well known NT security holes, Operating System fingerprinting, as well as several new Unix vulnerabilities. The continued development and community effort to support this product has turned it into a much better foundation for testing network security than many other tools like it. Due to its active development and continued support for detecting new vulnerabilities, this seems like a great alternative to recommending outdated tools. When possible, don’t rely on canned tools at all. They will never come close to the ability and instinct of a qualified security consultant.
A few dozen clichés come to mind as a way to wrap up this article. I think I have sufficiently shown that everyone from the media to security experts continue to quote SATAN as a way to defend your network. Because the tool has not been updated in several years, it is far behind the times in addressing network security issues. On top of it not being adequate by any stretch of the imagination, it poses further risk to your machines. Despite all this, the recommendation to use inferior technology still comes pouring in.