• July 28th, 2010

Better is not good enough

In July 2009 I posted to the Rapid7 blog that the future is friendly.  In that post, I talked about how we, as vendors and service providers, have not fulfilled our promises to protect our customers, feed the community, and catalyze change.  I admitted that we need to be better, committed that we will be better, and announced to you that it starts now.  Now that we’ve reached the end of July 2010, it seems like an appropriate time to reflect on that optimism, reflect on our commitment, and reflect on the state of our industry.

Life’s been busy at Rapid7 over the last year, and we’ve been laser-focused on fulfilling these promises.

Within our own products and services, we’ve started to move the ball forward.  We’ve greatly expanded our detection coverage, speed, and accuracy in NeXpose.  We’ve expanded the scope and maturity of our Professional Services team, broadening the penetration testing, technical assessment, and engagement practices of our folks out there on the road every day.  We acquired the Metasploit project and provided dedicated resources to the community-based framework, released the first commercial version with Metasploit Express, and brought critical intelligence from the penetration testing discipline into NeXpose with Exploit Exposure.  We delivered a free version of NeXpose to the community with NeXpose Community Edition.  All of this has been done to deliver more capability and to make security more accessible to more people by making it easier to use and affordable.  These are important first steps, and while we are extremely proud of the work that our people have done in delivering this value, they are just that: first steps.

On a personal level, my responsibilities have expanded from Security Strategy to include Strategic Alliances.  This has not only proven to be a personally enriching experience; it has been an important move for Rapid7 to keep our partner strategy focused on collaborations that add value beyond revenue growth for the company.  Our strategic alliances are driven from the core values that I communicated on the blog just over a year ago: to better protect our customers, to better feed the community, and to catalyze change.  We’ve engaged in some important partnerships and collaborations as a result, and we’ve declined a number of opportunities that were not focused on these core values.  We are not trying to become a malware detection company.  We are not trying to become a narrow-focused MSSP.  We are not trying to become a SIEM vendor.  We will continue to be the fastest growing, most innovative Vulnerability Management and Penetration Testing company in our industry because that is the value that customers look for us to provide. 

This focus and relentless execution have brought business benefit to the company, with much more awareness about Rapid7 in the market, 117% growth in Sales in the first half of 2010 over the same period last year, top tier ranking in the latest Gartner Market Scope, recognition as a leader in the latest Forrester Wave, and increased adoption of our open source and community offerings that have far exceeded our expectations.  When you do the right things at the right time for the right reasons with the right collaborations, you achieve success.  This is the basis of our success to date, and this is the basis of our strategy moving forward.

We’ve seen change happening on many fronts, and community-based collaboration has never been so vibrant.  The launch, community participation, and viral growth of the Security B-Sides conference series is a perfect example of how the community can come together to provide immediate value.  Within a single year, B-Sides has established itself as an important forum for information exchange and personal connection alongside recognized conferences like BlackHat, DEFCON, RSA, SecTor, and others.

We’ve seen some changes from our competitors as well.  There is revitalization in the penetration testing technology space that is exciting to see.  People have acknowledged that Vulnerability Management and Penetration Testing solutions must converge for the value of proactive security to grow.  We’d like to think that our activities are a small part of why the competition is re-investing in their value proposition, although they have a long way to go in making penetration testing solutions affordable.  The truth is, they now have no choice – there is an affordable, best-in-class solution available and competition in this sense brings benefits to customers and community. 

The competitive response in the Vulnerability Management space has not been as encouraging.  We’ve seen some vendors ignore these important steps forward, while others continue to release check-the-box features in response.  When we released Exploit Exposure, one vendor posted a web page with 12-month top-10 patch rankings, another is working to emulate the feature, and the rest of the pack released crickets back into the wild along with updated press releases about integrations that have existed, and have been virtually neglected, for years.  We’ve seen one vendor release a limited iteration of our remediation report, with no apparent effort to raise the quality and precision of the underlying detection that makes remediation-based reporting so valuable.  The others are still without this capability, seemingly missing the point that making security affordable means reducing vendor costs AND cost of operation.  We’ve expanded the value of our mobile solution for consultant laptops, with no notable updates to competitors’ mobile solutions and one competitor still unable to deliver a mobile form factor.  We firmly believe that we are still not doing a good enough job at Rapid7, and this lack of a compelling competitive response is unacceptable to us as members of our industry and community.  We are continuing to press forward, and we genuinely hope that competitors will step up as the bar continues to be raised.

One of the most significant areas of investment for us is in web application security.  We have always been significantly ahead of our Vulnerability Management competitors in this regard, with highly scalable web application scanning capabilities delivered from the NeXpose core application and support for AJAX and Web 2.0 technologies.  Despite this market leadership, we are not satisfied with using this group as our yardstick.  Today, I am pleased to announce that Rapid7 has officially launched our global Center of Excellence for Web Security with the addition of Andres Riancho as Director of Web Security, along with collaboration on and Rapid7 sponsorship of the w3af open source project.  As you may know, Andres is the founder of the open-source w3af project, an extensible Web Application Attack and Audit Framework that finds and exploits web application vulnerabilities.

I’m excited about what this means for our company, for our technical solutions, for w3af, and for the value that we can create for customers and the community from this partnership.  Andres and w3af are a perfect fit for Rapid7, expanding the capabilities of NeXpose and our research discipline, supporting the convergence of Vulnerability Management and Penetration Testing/Exploit frameworks, expanding the dynamic nature of solving a dynamic security problem, and providing another important proof point that collaboration between commercial vendors and open source community is the only way to drive meaningful and lasting change. 

As has been the case over the last year, you will see various responses from our competitors.  Many will ignore it and hope it goes away.  It will not.  Others will renew marketing efforts on their existing solutions to divert attention from their lack of R&D investment.  One competitor has responded with a legacy Network VA approach to the web application problem, providing an inventory of the technologies within web applications.  None of these responses adds value to solving the dynamic security problem, and they will need to do better just as we need to do better.

If you haven’t worked with w3af, I encourage you to visit http://w3af.sourceforge.net/ to see the great work that Andres and the contributing community have done to date.  Andres will remain the project owner of w3af, accelerating the expansion of its capabilities and maintaining the project as open source.

I’d like to thank Andres for his contributions to our industry and community, and for agreeing to join the Rapid7 family.  I’d like to thank customers for continued support of Rapid7 and for your valuable feedback on how we can make our products and services better for you.  Finally, I’d like to thank the community for your cautious optimism following the Metasploit acquisition, your support in adopting our free and open source solutions, and for your tireless efforts in moving the state of security forward.

I firmly believe that we collectively have started to drive change.  We are on the right path and we have a lot of work ahead of us.  I believe that we will be even better one year from now, and I’m just as certain that it still won’t be good enough.  That’s the journey that drives our passion for everything we do and we couldn’t do it without you.  We hope you feel the same way.


  • July 22nd, 2010

Cheer and Pwning in Las Vegas

Rapid7 and the entire core Metasploit team are headed to Las Vegas next week for Black Hat USA, Security B-Sides, and Defcon 18. The full schedule of events is listed below; make sure you drop by Booth #64 at Black Hat to take a shot at the Race to Root contest, where the winners will receive hacker lust-worthy prizes.

July 26th-27th, 2010 — HD Moore will be hosting the training session, “Tactical Exploitation”, at Black Hat USA. This course is taught in conjunction with Attack Research and walks through the process of compromising a “secure” network by combining information leaks with design weaknesses.

July 27th, 2010 — Joshua “Jabra” Abraham will be hosting the training session, “Pentesting with Perl”, at Black Hat USA, which will focus on streamlining tasks during a penetration testing assessment and demonstrating how to improve existing tools as well as create new tools.

July 28th, 2010 — Join Rapid7 at Booth #64 of the exposition area of Black Hat USA for the Race to Root contest, where contestants race against the clock to discover and gain access to a target network. This is a timed event where the winners will receive hacker lust-worthy prizes. Contestants will have a chance to try Rapid7’s commercial products, including Metasploit Express and NeXpose Enterprise.

July 28th, 2010 — Starting at 1:30pm, Jonathan Cran will be hosting a series of demos entitled “Automating Metasploit and AutoLab” in the Black Hat Arsenal area of the Black Hat conference. These demos will focus on the myriad ways to automate Metasploit and how to quickly extend it to assist with common penetration testing tasks. At Security B-Sides, Joshua “jabra” Abraham will present on “Fierce v2”, the latest version of his DNS assessment tool, at 5pm.

July 28th, 2010 — Rapid7 will be hosting a mega-party at the Palms hotel. This will run from 9:00pm to at least 2:00am and, in the words of Michael Burns, “This is gonna make our RSA bash look like a day at church”. This party is invite only and has already reached capacity.

July 29th, 2010 — Head to Security B-Sides at 10:00am to catch HD Moore, along with Jack Daniel, Dennis Fisher, and Josh Corman, for the “InfoSec Speed Debates”. This is immediately followed by James “egypt” Lee’s talk on “Beyond R57”, which focuses on his recent research around PHP post-exploitation. After James speaks, HD Moore will present on “Fun with VxWorks”, a deep-dive into the vulnerability landscape of the VxWorks platform followed by a live demonstration of exploiting a widely-deployed commercial product. Following HD’s demo, Tod Beardsley will commandeer the B-Sides Lightning Talk space to release the next version of PacketFu, the network packet crafting library for Ruby.

July 29th, 2010 — Rapid7 will announce the winners of the “Race to Root” contest at Booth #64 in the exposition area of the Black Hat conference. Winners will receive seriously awesome prizes.

July 30th, 2010 — The Metasploit team will head to Defcon 18 to catch some talks. Check Twitter and IRC for an impromptu Metasploit community meetup sometime during the day.

July 31st, 2010 — At 2:00pm, HD Moore will present on “Fun with VxWorks” during the Skytalks at Defcon 18. This talk will focus on exploiting the VxWorks platform and include some theory crafting on possible ways to compromise the Mars Rovers (VxWorks-based robots with a 20-minute ping time).

July 31st, 2010 — The Metasploit team can be found wandering around the last day of Defcon 18. The CTF winners will be announced and we are all rooting (hah) for our own Joshua “jduck” Drake and James “egypt” Lee.


  • July 19th, 2010

Metasploit Express v3.4.1 Released!

Metasploit Express 3.4.1 was released on July 15th, 2010. This release adds 16 new exploits, an overhauled module browser, island-hopping support, brute force support for FTP and HTTPS, enhanced import and export functionality, and improvements to the online update system, including support for HTTP proxies. This release fixes over 100 bugs. Full details of this release can be found in the online release notes. Existing customers can download the new release from the Rapid7 Customer Center. We also offer free trial evaluations.

The screenshot below highlights the new session option for island-hopping:


  • July 19th, 2010

July Patch Tuesday Roundup

The highlight of Microsoft’s security bulletins is the fix for Microsoft’s online help vulnerability (MS10-042), identified by Google security researcher Tavis Ormandy, which could allow an attacker to take control of a computer by luring a computer user to a malicious Web site.

As Microsoft’s July security bulletins also address vulnerabilities in Windows XP, Josh Abraham, Rapid7 Security Researcher, recommends that “customers should keep in mind that Windows XP SP2 is now end-of-life. Therefore, organizations should be verifying (if they have not done so already) that all of their systems have already been migrated to SP3. One area to double check is third-party vendor devices which may need to be replaced and/or upgraded by the vendor.”

Here’s a quick take on Microsoft’s four security bulletins addressing five vulnerabilities in Office and Windows:

MS10-042 (1 vulnerability)
Help Center URL Validation Vulnerability
Rated: Critical
CVE-2010-1885
Exploit already in the wild. (Note: There is a Metasploit module for this vulnerability.)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-044 (2 vulnerabilities)
Rated: Critical

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or views a Web page that instantiates Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Access ActiveX control vulnerability
CVE-2010-0814
Exploit – 1 (exploit code likely)

A remote code execution vulnerability exists in Access ActiveX controls due to the way that multiple ActiveX controls are loaded by Internet Explorer.  An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

ACCWIZ.dll Uninitialized Variable vulnerability
CVE-2010-1881
Exploit – 1 (exploit code likely)

A remote code execution vulnerability exists in the way that the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer.  An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS10-043 (1 vulnerability)
Rated: Critical
Canonical Display Driver Integer Overflow
CVE-2009-3678
Exploit – 2 (Inconsistent exploit code likely)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll).  Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-045 (1 vulnerability)
Rated: Important
Microsoft Outlook SMB Attachment Vulnerability
CVE-2010-0266
Exploit – 1 (exploit code likely)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook.  An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


  • July 05th, 2010

NeXpose Runs on WinXP – alpha

One of the most frequent feature requests we’ve received here at Rapid7 from our community is a wider array of supported Windows platforms.  Thus far, our supported Windows platforms have been restricted to Windows Server, which clearly limits the relevance of NeXpose to many of our non-enterprise users.  On these server platforms, we use the standard Windows network stack for scanning.  However, with Windows XP, Windows Vista and Windows 7, Microsoft incorporated restrictions on accessing raw sockets (see http://msdn.microsoft.com/en-us/library/ms740548(VS.85).aspx).  This placed significant limitations on performance and made scanning from these OSes unacceptably slow.

We’ve invested significant effort to retool the innards of NeXpose to overcome these restrictions and we’re very excited to announce the first fruit of this labor.  Earlier this week, we released to our NeXpose community members an alpha version of NeXpose Community Edition that will completely function on 32-bit (and 64-bit) Windows XP Professional.  We focused on this particular platform because it covers the broadest install base within the constituency of our community users.  This work, however, paves most of the way to functioning versions of NeXpose on Windows Vista and Windows 7.   So, anticipate hearing about movement on these platforms in the near future.

Response thus far has been very positive and we look forward to receiving continued feedback.  Of course, we extensively tested the product here in our labs; but community users running Windows XP represent a completely different set of use cases than enterprise users running Windows Server 2003.  The vast array of environments, protocols, and scan scenarios compelled us to rely on our partners in the NeXpose community to help us validate that the product performs as robustly as our internal testing has indicated it does.

If you’re interested in taking this alpha version of NeXpose out for a spin, or you just want to know how things are going, please take a look at our Community Wiki page dedicated to the alpha:

http://community.rapid7.com/redmine/projects/1/wiki/Windows_XP_Alpha

If you’re not already a community member and on our community mailing list, we encourage you to join and participate in the ongoing evolution of NeXpose.  Interaction with our customers and with the security community as a whole is a key factor in the continual improvement of how NeXpose assesses the real, measurable threats to which your technology assets are exposed.  This Windows XP alpha test is one example of where our continuing dialogue takes us.  Please keep letting us know how we’re doing; we look forward to the conversation.

Tom Hudson

Technical Product Manager
