Ethical hacking has become a major trend in the IT world. But how easy it is for developers to perform penetration test? BackBox creator Raffaele Forte, in an exclusive conversation with Jagmeet Singh of OSFY, reveals the secrets of a pentrest distro and how it can be a helpful tool for the hacker community.
How did you get the idea to develop BackBox Linux distribution?
The idea came about six years ago. It emerged when all the penetration testing distributions were relatively stable such that the time one had to spend to configure and setup the tool was greater than the actual usage of the tool for pentest activity. I felt the necessity to create a penetration testing distribution with all its tools ready to be run for my own usage.
In the beginning, it was simply an ISO of my running OS, kind of backup that I constantly kept updated. One day I decided to share the first version of BackBox Linux online for those who had similar needs. Then something I would not have ever expected happened. More and more enthusiasts started using BackBox and began to participate in the project as a community. Shortly after that, thanks to our continuously growing community, BackBox became one of the most popular pentest distros worldwide.
What are the security issues that can be addressed through BackBox distro?
With the first release of BackBox Linux (May 2010), the idea was to build an OS to perform ideally common penetration testing and vulnerability assessment on web applications and networks. However, over the years, we extended our focus to cover new areas of interest brought up by the community. We started introducing in 2011 the “Forensic” category and thereafter, we continued our support for mobile analyses. We also kept on entering new categories by adding tools for malware analyses. Currently, we are working on IoT (Internet of Things) and automotive security and are proud to announce that BackBox Linux is used by world-renowned automotive makers IT security teams.
How can a Linux distribution be a solution to secure operations on both the IoT and automotive space?
Vehicle’s infotainment systems are merely computers running customised version of usual OSes, as for instance Linux or Windows. What changes is just the environment that entails using different tools and techniques for usual objectives, only in a different context. For this reason, one can make use of a distro like ours that spares the tester the time it takes to install and configure all the necessary tools to secure such systems.
BackBox is claimed to be designed with an aim to achieve maximum performance and minimum consumption of resources. Please elaborate how is this possible?
Honestly, what we have been doing does not seem something unbelievable to me. Whoever uses BackBox can experience its smoothness without giving up on stability and efficiency. Since the beginning, we have been working hard on choosing the most appropriate components, spacing from kernel to graphic ambient and from system configuration to pre-installed tools. Back then when almost everyone praised the beauty of GNOME or KDE, we praised the efficiency of XFCE which, indeed, eventually became Debian’s default windows manager. So we look for the optimal trade-off between user experience and smoothness, providing a mesmerising interface without wasting valuable resources.
How are you maintaining the community for BackBox Linux?
Our community is the essence of our project. As I often say, BackBox would not exist without its community. Our Team attempts to gather as many suggestions as possible from our users. We frequently meet on our communication channels and discuss ideas on our forum. Also, we have members taking care of public relations, who handle the repository and provide support to our users. The kernel of our team is well structured in the way to handle every request that we receive.
This year, we have additionally decided to register our no-profit organisation officially. So soon we will welcome official subscriptions for our new constituency organisation. Our ultimate aim is to promote the culture of IT Security exclusively using the free open source software. We are also planning to organise international conferences and different initiatives in the future.
Who are the prime users of BackBox Linux?
It is hard to say. But we are well aware that BackBox is being used by students and professionals, government agencies and hacktivists including white and black hat ones.
Penetration tests and security assessments are highly necessary for ethical hackers. How can BackBox Linux be the perfect pentest solution?
BackBox offers an all-in-one solution for ethical hacking activities at various levels. We aim to provide a stable OS while keeping it up to date with the latest security requirements. To this aim, we continuously search for the best of open source tools to include them into our repositories.
Furthermore, we have been working on BackBox Cloud that is our own cloud platform. This is mostly designed for professionals and enterprise solutions — those who want to have their hands on a cloud instance penetration testing Linux distribution. It provides all you need to access your instance of BackBox is an internet connection and whatever device you may have with you.
Once logged in, the remote machine is fully at your disposal for your usual needs as if it were physically with you. Besides, you can spawn, kill or upgrade your virtual machine whenever you may want to.
How is BackBox Linux different from Kali Linux?
BackBox and Kali are running under different umbrellas. While our project is entirely free and open-source, exclusively maintained by its own community, Kali has a different position in the same regard. Kali is a distribution supported by a company which treats cyber security primarily as a business.
BackBox and Kali are also different under their technical aspects. For us, the primary focus is to provide a system that includes all those essential tools which every security expert and pentester will certainly avail of. It does not make any sense to add hundreds of tools not even maintained anymore by their own developers, or have an almost identical scope. There is no point of creating a pentest distro and throw its random tools for that purpose there are repositories.
However, I would also like to clarify that the BackBox community never sees Kali (or any other pentest distro) as a competitor. This is not what we aim. We just want to offer something at its best rate, something owned by a community. On the contrary, diversity is the very essence and beauty of Linux distributions. The users can choose the project they feel closer to their needs or feels more familiar with.
Is open source the key to the success of penetration testing solutions in today’s world?
Without a doubt. Hackers Community creates brand new valid software every day that in a short time gain popularity and get improved by other enthusiasts and ultimately becoming essentials. It is no coincidence that even important commercial tools originate from open source projects.
As computers are no longer limited to desktops and notebooks, can we access the features of BackBox Linux on a Raspberry Pi or an Android smartphone?
We know that BackBox is compatible with ARM platform and some people are using it. But specifically, in relation to Raspberry Pi and Android, we do not think there is such demand or necessity from the public yet to embark over them. I admit that there are questions raised by the community itself about such developments. However, being BackBox a community-based project, we do not have sufficient resources to allocate yet. As soon as we notice that there are enough demand and necessity, I am sure we will have no troubles to build BackBox for Raspberry Pi and Android platforms.
Why should one opt for ethical hacking as a career today?
As for any job, one needs to figure whether cybersecurity is among his interests or not. Working as ethical hackers can be incredibly satisfying. The time is changing swiftly, and competent ethical hackers will be more and more required in a fully interconnected reality where everything can be hacked (or manipulated) from power plants to vehicles or even electro-domestic appliances. IoT is coming.
However, keep in mind that being an ethical hacker requires curiosity, passion and a lot of commitment; one cannot simply become an ethical hacker overnight.
What are your thoughts on the evolution of security testing and hacking in the recent past?
I think the real revolution in the information security area has yet to come. We have not witnessed yet the radical upheavals such as the complete review of the techniques used in the past. The penetration testing activities toward classic targets (web app, mobile devices and networks) always involve the usage of advanced tools. But with the advent and progression of cloud computing, the devices such as notebook or PC desktop are going to be outclassed and ultimately vanished. In the next coming years, I reckon we will assist hardware solutions (or appliances) built ad-hoc for new attacking topologies.