HD Moore has a matter-of-fact way of talking that belies his uncanny ability to draw the public eye. In just the past month, the 25-year-old Texan, who started the open source Metasploit Project in 2003, made headlines for promising to release a new bug for the Internet Explorer Web browser each day in July. By the end of July, he was in the news again: releasing a Web-based tool that uses the Google search engine to locate malicious programs.
InfoWorld Senior Editor Paul Roberts caught up with Moore, who is also director of security research at BreakingPoint Systems, to talk about Metasploit, project management, and full disclosure.
Why did you launch Metasploit in the first place?
In 2003 there was ... a doldrum in the security area. A lot of the people who were active publishers of information got jobs or decided to do something else. At the same time, private companies started to hoard security information, so people started saying, "Why should I give this information away when I can sell it to iDefense?" Metasploit was about creating a toolkit and a framework for developing new exploits quickly, allowing people to cut through the boilerplate stuff and develop something new.
How did you grow the project to where it is now?
Knowledge spread mostly by word of mouth. People would say, "That's cool." [Metasploit lead developer] Spoonm ... e-mailed us and said, "Your software sucks." And I was like, "OK, why don't you rewrite it?" So he did. In the exploit community, you've got to appeal to ego. Make it a challenge. That's what they live for. As a project manager, it's my job to say, "OK. How can we do better?" One reason that Metasploit has done so well is that there's no holier-than-thou attitude.
What should enterprise IT staff know about Metasploit?
I'm always wary of recommending Metasploit for use in a company, because your employer may have rules that forbid the use of programs like this. I think it can be a nice way to follow up after a third-party vulnerability assessment. The company you hire should be able to prove that the vulnerabilities they've discovered are real. Not just say, "Oh, I found 20 bugs -- fix them." Tools like Metasploit can verify that, by running an exploit and seeing if it works. Unlike public exploits, you can also be sure that [Metasploit] isn't installing back doors.
You caught heat for releasing a new IE vulnerability every day in July, as if you were aiding and abetting the enemy.
That comes with the territory. Any time you supply information to anybody, you've got to supply it to everybody. We saw this a couple years back, where CERT was allowing some customers to purchase vulnerability information in advance, then someone took that information and generated an exploit from it. Partial disclosure never works. You just end up catering to special groups that you deem trustworthy enough to have access. If I make something public, it's not just to a group that I consider trustworthy.
You recently unveiled a Google-based malicious code locator, akin to the one security firm Websense said it developed. What was behind that?
Websense made [searchable malicious code] sound like a massive risk, but every example we found using Google, you could get anywhere else. Some of these were really old archives that were posted on public mailing lists. But there were some interesting examples. We did a search for any executable and downloaded around 400GB of binaries. There were around 2,300 samples and 125 matched a known [malware] signature. Around 50 or 100 were malware that was not detected by anti-virus software.
In recent months, we've seen a number of undiscovered (zero day) exploits for Word, Excel, and PowerPoint. What are your thoughts on that trend?
There's definitely a trend toward releasing zero-days. I know of five or six zero-day exploits that are being privately traded right now. These are cases where the vendor is not being told on purpose. You've probably heard of TippingPoint's Zero Day Initiative and the iDefense [now VeriSign] program to buy exploits. Well, there's also a massive group of buyers in back of them that will pay 10 to 15 times as much. We don't know who they are, but the rumor is they're funded by "three letter [acronym]" agencies in the United States.