Hacking tool kits, available free online, fuel growing cyberspace arms race

Ryan Linn’s hacks into corporate networks have become almost a matter of routine. On one recent morning, he woke up at his home near the Research Triangle in eastern North Carolina and walked down to an extra bedroom that he uses as an office. ¶ He sat at a workbench laden with computers, signed on to one of them and loaded a program called Metasploit. Sipping a Diet Coke, Linn typed out a few commands and casually launched an attack on a network thousands of miles away. A few seconds later, a report came back: The network had been penetrated. How would he like to proceed? ¶ Chalk up another one for Meta­sploit, an automated tool kit that makes breaking into networks almost as easy for experienced hackers as ordering food off an online menu.

Metasploit and a host of similar tools are becoming as commonplace for many hackers as Firefox and Microsoft Office are for regular computer users.

They are part of an escalating arms race in cyberspace, where millions of attacks and intrusions occur every day. By prepackaging the myriad computer commands that penetrate and exploit target networks, hackers have dramatically eased the process.

Security researchers and consultants, including Linn, use such hacking tools to identify vulnerabilities and help organizations patch them. Bad-guy hackers, known as black hats, and cyberwarriors use similar illicit kits to spy on, steal from and wreak havoc in corporate and government computers.

Metasploit and many other hacker tool kits are available free to anyone who has an Internet connection.

Linn acknowledges the irony. But he likened Metasploit and other tool kits to a “Swiss army knife” and said the positive features “far outweigh the negatives.”

“Metasploit is a tool designed for researchers and security professionals, but just like many tools there are uses for it that are illegal,” said Linn, a security consultant at Trustwave’s Spider­Labs. “We don’t outlaw screwdrivers and hammers because someone might use them for murder, though. We prosecute those people who use them illegally.”

A researcher named H.D. Moore began working on Metasploit in 2002. Moore, now 31, is the chief security officer with Rapid7, a security firm that sells a commercial version of Metasploit and helps offset the cost of maintaining the free system. A computer researcher and hacker based in Austin, Moore wanted to simplify the development of computer hacks known as exploits. To keep pace with growing numbers of criminal cyberattacks, he wanted to make security hacking, or “penetration testing,” more systematic.

Metasploit works by creating ready-made packages of computer code, known as “modules,” that can be downloaded from metasploit.com. Once they are launched, the tools can find network vulnerabilities and take control of the systems.

Metasploit also serves as something of a global clearinghouse of hacker knowledge, tools and practices. Because it is an “open source” system, it relies on contributions from experienced hackers. Its popularity has soared during the past several years. Starting with 11 exploits in 2003, Metasploit now has close to 1,000.