Cyber criminals are scum, hacking into systems large and small to steal money and information or sometimes just to prove that they can. But luckily, among the slews of thieves trying to worm their way into supposedly secure systems, there is at least one good guy, one “white hat hacker.”
In 2013, 7 percent of U.S. organizations lost at least $1 million dollars to cyber crime, with 19 percent losing between $500,000 and $1 million, according to a survey by Pricewaterhouse Coopers. In addition to causing financial losses, cyber attacks can lead to costly lawsuits for businesses if customers’ personal information is lost. Protecting businesses and consumers from cyber crime is the primary goal of Metasploit, an exploit-finding and fixing tool created by H.D. Moore, Chief Research Officer at Rapid 7 in Austin.
Moore created Metasploit in 2004 when he was 23 years old. He describes Metasploit as an adaptable vulnerability-finding tool for anyone working with IT. Essentially, Metasploit serves as a reference to fix known security breaches in thousands of pieces of software and hardware. This compilation of bugs and their patches allows users to know potential dangers in certain programs and devices in advance. Once a patch for an issue has been released, Metasploit tests the fix and then updates its logs. The company also works with manufacturers to help test their products and create fixes before the items even ship.
Over the last 11 years, Moore has watched his project become the go-to method for finding and squashing vulnerabilities. Currently, developers across the globe use Metasploit, from government agencies and researchers, to IT workers and students.
“Metasploit is an open-source Lego kit for security testing,” Moore says. “We look at it as being the ‘proof in the pudding’ on whether or not you actually fixed a security issue.”
While typical cyber security tools are built for single purposes, finding and fixing one issue at a time, Metasploit’s open-source nature makes it an invaluable tool for companies that use numerous different technologies. Metasploit lists vulnerabilities on a large number of platforms, from mobile devices to AIX and big iron servers – something Moore feels is possible only due to the open-source environment. Currently, Metasploit contains more than 2,000 fixes and has received input from 480 collaborators.
“You have to have such deep expertise to test so many different systems,” Moore says. “It can’t just be one person, so it makes much more sense to make it collaborative.”
In fact, most of the modules on Metasploit have come from outside the company, although Moore still works on the project every day. Frequently, IT workers submit bugs to Metasploit, and Moore’s team then works with the bugged product’s vendor to fix the breach.
To keep open source Metasploit operating in the early days, Moore generated income by teaching security classes at $2,000 per student, per day. Then in 2009, Rapid 7 bought Metasploit. Today, Moore is the Chief Research Officer for Rapid 7.
In his role as CRO, one large bug Moore recently found involved Texas’ natural gas pipelines. Through Metasploit, Moore found that gas pipelines are completely vulnerable to cyber attack. Because the devices that show the pipeline flow rates are connected via modems, a cyber criminal could give the pipelines a “purge” command from a cell phone at any time, causing the line to ignite. Moore contacted the Texas Railroad Commission, which sent alerts to pipeline operators in Texas to warn them of the issue. That’s pure white hat hacking.
Finding Potential Threats
When asked where the biggest areas of concern for cyber security are, Moore is quick to discuss universal plug and play devices. By connecting multiple devices and requiring a way through firewalls, many UP&P devices were created with glitches that leave users vulnerable.
Moore says there are three UP&P libraries in use, and none of them have been audited.
“It turns out some of the code was written in the early 90s, and it hasn’t been updated,” Moore says. “There are more than 16 million exploitable devices out there.”
He is currently testing these libraries and has found numerous vulnerabilities, including an entire large country where all cable users are running the same, exposed cable box.
Moore’s suggestion to make devices as secure as possible is to stop ignoring software updates. He says people often neglect to update devices that are used less often or aren’t as persistent with update reminders, such as printers and gaming systems.
While desktop systems used to be incredibly vulnerable, large software vendors have responded swiftly, making these devices more difficult to penetrate. But with this evolution, other new technology has opened up even more pathways for exploitation, such as cloud storage, mobile devices and Flash and Java programs.
Businesses that offer Bring Your Own Device (BYOD) policies are also putting themselves at risk of cyber attack, Moore says. Any device that can be jailbroken can be exploited, and that includes all iPhones and Android devices. Jailbreaking a phone involves opening up locked file systems to modification, and this allows easy access for hackers by disabling the phone’s security software.
Moore warns that webcams and video conference systems can often be manipulated by hackers once they are linked to another office, allowing someone to look at anything in an office equipped with a camera.
“Consumers are becoming increasingly paranoid for good reason, and the vendors just don’t care enough,” Moore said.
The Future of Cyber Security
Moore has two pieces of advice for avoiding cyber attacks: First, don’t ever trust antivirus software. It simply doesn’t work.
Second, and most important to businesses, is to enact an application whitelisting plan if possible. This allows a company to whitelist every application used within the organization. It’s not an easy process, but it prevents employees from accidentally downloading malware. Programs and applications on the whitelist are allowed to run and if it’s not on the list, it’s blocked.
Rapid7 offers a product that monitors a company’s logs to flag any software that is new or unusual, which is a tool Moore sees more companies using in the future. Moore’s business offers products for free to public institutions based in small counties or cities that lack the funding for proper system maintenance. The company also provides products that monitor phone connections to track patterns and notice unusual behavior that may signal when a device has been manipulated.
“Right now, Rapid 7 is targeting not only prevention and detection, but also incident response and helping organizations with small staffs to get initial triage done and see if you need to call in the big guns,” Moore said. “We are working to get solutions to everyone from small to big.”
Moore says that most companies don’t even have a cyber security person on staff, which is one of Rapid 7’s goals – providing security services to companies in need.
Students coming out of universities with programming degrees have basically spent their academic careers focused on learning whatever programming language is most in demand, Moore says. To encourage better cyber security, he’d like to see universities develop stronger programs that cover the practical side of vulnerability and students learn the more challenging C programming versus the easier Java.
At Rapid 7, Moore plans on following wherever the risks are headed, which could be further into the mobile space or cloud providers.
Becoming a White Hat Hacker
Completely self taught, Moore bounced around between every high school in Austin, getting kicked out of all of them before finally graduating from Gonzalo Garza
Independence High School. He says he was a terrible student, but he was inspired to build his own computer and teach himself programming in his free time. In his teen days, Moore rejoiced in hacking and manipulating systems, such as radio towers around Austin, or the lights inside of various stores. But after seeing his friends fall into trouble with the law, he decided to use his talents to help people by creating Metasploit.
His determination paid off in 2009 when Rapid 7 acquired Metasploit and brought Moore on board. Moore’s offices expanded from 2,000 to 50,000 square feet, and his staff has increased from 23 employees to more than 50, allowing Moore to continue to provide security services to companies while still maintaining his original open-source vision, working to keep consumers safe and tech providers honest.
“Every time a new vulnerability came out, companies were trying to get me fired,” Moore says. “There were vendors who didn’t like what I was doing, exposing their vulnerabilities, which is exactly why I was doing it.”