Black Hat: Security expert's verdict on Oracle hacking tools

Black Hat, Las Vegas: Controversy greeted news that Metasploit would release a raft ofmodules to speed up hacksof Oracle's database management system, but some security experts believe Metasploit is offering nothing new.

Chris Anley, director of UK penetration testing firm NGS and co-author of the Database Hackers' Handbook, said Metasploit's free hacking tools had been available for years, but this was the first time so many modules had come out at once to automate the hacking process.

Anley said Oracle's database was known to be vulnerable, but Oracle had done much in recent years to close the loopholes.

Oracle users should follow the supplier's advice on how to configure the database and set up the securities, and then install the patches when Oracle released them. "The aim should be to prevent, not to cure," he said.

Anley has used Metasploit's tools to discover gaps in Oracle's defences. "It's good," he said.

He had mixed feelings about Metasploit's effectiveness. On one hand it was a good tool for system administrators and penetration testers to use to find vulnerabilities in corporate database systems. On the other, Metasploit exploited the vulnerabilities, opening the way for bad people to do massive damage.

"It is a weapon, but it is not a master key," Anley said. "If the database is properly configured and patched, firms should have nothing to worry about."

Research released at the Black Hat Conference by Microsoft showed that more than 90% of malware tries to exploit vulnerabilities for which patches have existed for two years or more. This made it imperative for firms to evaluate, test and install patches when they came out to preserve their systems' integrity.

Anley said many systems administrators were using Metasploit to bolser their requests for the money they need to keep systems up-to-date.

"Many sysadmins who ask the board for patch budget find it easier to get when they can prove their vulnerability," he said.

Anley said Metasploit also helped to level the playing field between large and small firms. Large firms had the resources and staff to throw at securing their systems, but Metasploit allowed smaller firms to find them quickly and easily with fewer skills and cost.