There is an inherent problem with this: the very same tools used by white hat hackers to test security can be used by black hat hackers to break security. Audit tools are often dual-purpose weapons. Now a new and different tool has emerged: the SP Toolkit.
SP Toolkit doesn’t audit traditional data security defenses. It doesn’t attempt to test the strength of passwords or firewalls. Instead it is designed to test and improve users’ resilience to phishing attacks. Many security experts believe that few people will avoid falling for concerted and determined spear-phishing, and since this is emerging as the method of choice for the launch of advanced persistent threat (APT) attacks, it is a serious issue for all companies.
Carl Leonard from Websense Security Labs noted today that 11,000 email addresses were publicly shared across Twitter in just 24 hours. “By publicly tweeting your email, you’re connecting it with your name, location and information on your social graph. Criminals can exploit this wealth of information by directing waves of highly targeted phishing attacks at individuals or businesses, masquerading as users’ friends or associates to encourage them to click on malicious links.”
It is this easy attitude to personal data and trust that SP Toolkit seeks to address. The basic idea here is similar to other audit tools: users’ resilience is tested by trying to defeat it. The result, SP Toolkit, is what it says: a simple phishing toolkit. Security admins use the toolkit to quickly and easily develop phishing attacks against their own staff. Those who succumb clearly need additional security awareness training.
The morality of developing a tool that can be used to break security is debatable. However, the fact remains that phishing is a serious weak spot that cannot be defended by traditional security means; and this tool exists. The result is that security admins will need to take more concern over the awareness of their users because of SP Toolkit, but could choose to do so with the help of SP Toolkit.