
Satan's Survey

Is Satan a Good Guy?

Okay, so I'm not talking about that Satan, I'm talking about the program called Security Administrator Tool for Analyzing Networks, or SATAN for short. This program was co-authored by Dan Farmer, who some consider a top notch security research expert riding a white horse and wearing a white hat. Others consider him - well, Satan on the Internet.

Dan Farmer released Satan in April 1995. It was at once hailed by some as an important tool and reviled by others as a demonic hacker's aid. According to Farmer, the program is designed to help network administrators find and close security vulnerabilities before the hackers could exploit them. Conversely, however, SATAN is also considered an ideal tool for would-be hackers with only basic skills for infiltrating computer systems.

There are many issues associated with the program and its manner of distribution. There are also many good arguments on both sides of all the issues. This article will not explore those issues. Rather, we will look at a recent survey of Web Sites conducted by Dan Farmer using Satan. The results are alarming: Dan Farmer claims that nearly one-third of the Internet's most commonly used sites are highly vulnerable to attack, and that some of these sites contain highly confidential financial and other data.

The Survey

Farmer used Satan to scan approximately 2200 web sites, including those of banks, credit unions, government agencies and newspapers. Says Farmer, "I chose high profile and commerce-oriented World Wide Web (WWW) sites as survey participants, along with a scattering of randomly selected Internet systems to have something to compare my results with." Farmer continues, "What I found was remarkable … I determined that nearly two-thirds of these interesting hosts had serious potential security vulnerabilities - a rate about twice that of the randomly selected hosts!"

Farmer admits that this was not a scientific, statistical study, but one intended to delve into the nature of Internet security. Apparently he was quite successful at bringing startling results to the fore. The Web Sites scanned using Satan included 50 federal government sites, 660 banks, 274 credit unions, 312 North American newspapers, 451 sex sites, and 469 "random" hosts.

The Results

Farmer found that "…nearly two thirds of the surveyed hosts have significant security problems. About a third of them can be broken into with almost no effort at all." Moreover, less than 1% of these scanned (or attacked) hosts responded to the attacker. Presumably more of them knew of the attack, but such a small response rate indicates that few of the attacked hosts likely realized they had been scanned or attacked.

Farmer categorized host vulnerabilities as red or yellow. He defined red vulnerabilities to be those that make the site essentially wide open to any potential attacker due to known security problems that can be easily exploited. Yellow vulnerabilities are less severe, but still of great concern. According to his results, 68% of banks were found with red or yellow vulnerabilities. This was slightly higher than the score for all the sites, in which 65% were red or yellow. The bottom line according to Farmer: "I estimate that approximately 3/4 of all surveyed sites could be broken into if significant force and effort were applied."

Conclusions

Whether you are a Farmer fan or detractor, it is undeniable that this survey presents important information regarding the state of Internet security. It reminds us that, as users, we must beware of what we type into our browsers and what we send across the Internet. Type at your peril, but keep an eye on the lock or key icon and do not send anything sensitive to sites that do not support secure transmission protocols. Sending information across an open link means that your message may travel through multiple hosts with red vulnerabilities, and can be read or modified anywhere along the line.

It should also remind organizations with Internet connectivity that they must beware of their own vulnerabilities. For every Dan Farmer who only identified problems, there are many who would exploit those vulnerabilities for their own nefarious purposes.

Copyright © 2002-2007 Michael Miora