Related Links

Top 5 Stories


SP Toolkit illustrates the dangers inherent in many security audit tools

19 January 2012

The purpose of a security audit is to check security defenses. A primary method of achieving this is to use ethical hackers to try to break the security and locate the weaknesses.

There is an inherent problem with this: the very same tools used by white hat hackers to test security can be used by black hat hackers to break security. Audit tools are often dual-purpose weapons. Now a new and different tool has emerged: the SP Toolkit.

SP Toolkit doesn’t audit traditional data security defenses. It doesn’t attempt to test the strength of passwords or firewalls. Instead it is designed to test and improve users’ resilience to phishing attacks. Many security experts believe that few people will avoid falling for concerted and determined spear-phishing, and since this is emerging as the method of choice for the launch of advanced persistent threat (APT) attacks, it is a serious issue for all companies.

Carl Leonard from Websense Security Labs noted today that 11,000 email addresses were publicly shared across Twitter in just 24 hours. “By publicly tweeting your email, you’re connecting it with your name, location and information on your social graph. Criminals can exploit this wealth of information by directing waves of highly targeted phishing attacks at individuals or businesses, masquerading as users’ friends or associates to encourage them to click on malicious links.”

It is this easy attitude to personal data and trust that SP Toolkit seeks to address. The basic idea here is similar to other audit tools: users’ resilience is tested by trying to defeat it. The result, SP Toolkit, is what it says: a simple phishing toolkit. Security admins use the toolkit to quickly and easily develop phishing attacks against their own staff. Those who succumb clearly need additional security awareness training.

The morality of developing a tool that can be used to break security is debatable. However, the fact remains that phishing is a serious weak spot that cannot be defended by traditional security means; and this tool exists. The result is that security admins will need to take more concern over the awareness of their users because of SP Toolkit, but could choose to do so with the help of SP Toolkit.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×