QUESTION & ANSWER

H.D. Moore speaks about Metasploit Project deal, Release 3.3

By Neil Roiter, Senior Technology Editor, Information Security magazine
17 Nov 2009 | SearchSecurity.com

The sale of the Metasploit Project and its highly respected pen-testing platform to vulnerability management vendor Rapid7 in October marks the move of yet another major open-source project to a commercial company. In a wide-ranging interview, Metasploit founder H.D. Moore speaks about the evolution of the Metasploit Project, the threat environment it has grown in and what the acquisition means for the future of the project. Moore also talks about the latest Metasploit framework release (version 3.3), the project's open source exploit development and penetration-testing platform.

What kind of reaction has the Metasploit community had to the Rapid7 deal? What are your fans saying?

H.D. Moore: For the most part, people who use the framework are happy about it. The key things are that the license doesn't change and that our development methodology doesn't change. We had a couple folks bring in some hard questions on the internal core development group, asking, 'Why would I work to enrich Rapid7's pockets?' The result of all the discussion was, well, it really wasn't that much of a community project either. Going back to 2006, Metasploit was being run as an LLC. We had commercial training; we paid for a lot of our costs that way. And there really were only a few core folks involved in the main development process.

You've just released Metasploit Framework 3.3, a full year after 3.2. What's new and improved?

Moore: Nearly everything. We've added something like 120 new exploits, 100 new auxiliary modules, and almost every payload has been rewritten. The executable generator can now actually inject itself into existing binaries, so nearly all the antivirus signatures that previously blocked things like Metasploit-generated binaries no longer work. We now support Windows 7, Vista 64-bit, and 64-bit in general as both a target platform and as an attacking platform. We fixed tons and tons of bugs to make things more stable. We added a lot of new ways to embed payloads into a lot of different things. You can now put a payload into a Word document, into a Visual Basic script to make it persistent. Basically, we're going after a lot of scenarios all at the same time.

Talk about the evolution of Metasploit since the project was founded in 2003. How has the threat environment changed and how has Metasploit changed with it?

Moore: If you look at the exploit coverage of Metasploit from 2003 moving forward, you'll see a shift towards client-side exploits and, even more recently, going from client-side exploits to third-party, lesser known software packages. So, as Windows becomes slightly more secure, as Linux distributions are making defaults more secure, disabling services, folks have really had to stretch to find other ways in. And that means going after things like antivirus products, third-party backup services, things that would be overlooked in a pen test.

The Rapid7 acquisition presents an opportunity to marry vulnerability assessment and pen testing. What's the value of integrating these technologies?

Moore: It depends on your audience. A lot of folks in enterprise IT want to do vulnerability assessment and that's it. They don't want to do exploits. A lot of folks on the pen-testing side don't want to run a vulnerability scanner because it's too noisy and they're trying to come in quiet, stealthy when they're doing a test. There is a middle ground. There are folks who want to do a full-blown vulnerability test, and then verify what's exploitable. These are the folks who want to figure out which one of the vulnerability reports they're looking at to work on first. So for vulnerability prioritization, I really see the combination of vulnerability assessment technology and pen-test tools as being the gold standard.

What can we expect to see as a result of the acquisition a year from now?

Moore: At some point we'll try to do more integration between the vulnerability assessment and pen-testing products. In terms of whether there will be a commercial version of Metasploit, we're still tossing that around. We're pretty sure there will be some sort of commercial support soon. In terms of commercial products, we haven't set anything in stone. The idea now is to keep everything we're working on now free, keep under the BSD license, and that precludes a lot of commercial options. We're really focused on where we can add value, where can we improve everything we have today.