Better The Devil You Know?

"If someone were to take advantage of the vulnerability in your system, they could literally shut down your business, either taking information and giving it to a competitor or altering information or just erasing it."

A program which some say has the potential of wreaking havoc with computer systems worldwide, dubbed "Satan" (Security Administrator Tool For Analysing Networks), is being made available free of charge to the public.

You can find information on this Unix program (and the code itself) at this Internet address: ftp.win.tue.nl in /pub/security/satan.tar.z.

The program was designed by San Francisco security expert Dan Farmer and a security programmer at the Netherlands University of Eindhoven, Wietse Venema.

Billed by its creators as a tool "to help system administrators," Satan is designed to locate security flaws in a computer system and report them back to a user. Farmer and Venema say the program recognises several common networking-security problems and reports them without actually exploiting them.

"For each type of problem found, Satan offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable service," say the authors.

But according to its critics, the Satan program, by seeking out sites with improperly configured or non-existent "firewalls" (security systems that prevent unauthorised access), could put information into the hands of anyone seeking to break into them.

Silicon Graphics was reportedly so concerned on hearing that Farmer intended to release the program to the public that it terminated his position there (San Francisco Examiner).

The release of Satan has caused some concern in security circles. Harry Bruestle, Deputy Program Manager for the Computer Security Technology Center, part of the US Energy Department at Lawrence Livermore Lab in Livermore, California, told the San Francisco Chronicle, "If someone were to take advantage of the vulnerability in your system, they could literally shut down your business, either taking information and giving it to a competitor or altering information or just erasing it."

However, Peter Sommer, Security Analyst at the London School of Economics, told infoHIGHWAY that the programmers are "making all sorts of claims that it (Satan) can identify security holes. Unfortunately the computer security industry is full of hype products."

Said Sommer, "There has obviously been a lot of debate on the Internet that this is a device that will get immediately abused by hackers. But I think one has to point out that all a hacker has to do is to collect all the CERTs (Computer Emergency Response Team lists), downloadable from CERT.ORG and there is a full and complete list of holes in various operating system platforms, every conceivable flavour of Unix that one has ever heard of. Unix hackers look up CERT advisories anyway, so this product is probably trying to create these in a useful fashion."

Anyone can download Satan now, without registering a name, free of charge. The program was released on 5th April, 1995.

In anticipating the release of Satan, Livermore Labs created a counter-Satan program called Courtney, which warns that Satan is trying to analyse a system's security. This is also available on the Internet.

Livermore Labs home page is at http://www.sccsi.com/lsli/lsli.homepage.html, where you will also find a lot more useful pointers to security sources around the Internet.