The “ethical hacker toolkits” recently posted for sale on eBay appear to point to a dangerous trend: selling these types of tools — used primarily for penetration testing of applications and servers — on mainstream auction sites increases everyone's security risks.

But not everyone is concerned. “I don't get the pitch,” says Mark Loveless, the senior security architect for Vernier Networks and a white-hat hacker known as “Simple Nomad.” He and other security experts point out that the capabilities hyped in online ads for the $40 toolkits already are widely available, many of them as free downloads.

“It seems ludicrous to sell what you can essentially get online for free,” Loveless says. “You can get powerful tools for penetration testing free online, so I'm surprised that people would be willing to pay to have it assembled into a kit for them.”

Both Loveless and Alfred Huger, Symantec's vice president of security response and security services, point to the better-known free application Metasploit as an example of a widely available “hacker” tool. Other free tools available include Nessus and the port scanner Nmap.

Metasploit, for instance, allows the user to break into other PCs by exploiting vulnerable applications in target computers, such as web browsers and web servers, explains Huger. Moreover, a range of what Huger calls “more polished” commercial penetration testing tools is also on the market.

These tools came out of quality assurance programs, with QA engineers building tools to help test software to find vulnerabilities and make software more secure, says Craig Schmugar, threat research manager, McAfee Avert Labs.

Regarding the ethics of selling these tools, Huger says, “You can break something down with the penetration software, including the hacker toolkits. It's just a tool dependent on the intent of the person using it.”

Still, McAfee's Schmugar believes that someone browsing eBay for material on hacking is probably less likely to do so for ethical or white-hat purposes.

Loveless adds, “Marketing these products as ethical hacker tools smacks of someone trying to cover his butt by making it sound like it's edgy. But it's not.”
— Jim Carr