2 min
Metasploit Weekly Wrapup
Metasploit Wrapup 4/13/18
What's Your Favorite Security Site?
When you are browsing sites on the Internet, you may notice some sites
will include your public IP address on their pages.
But what if you came across a site that also showed your IP address from your
private network range? This might be a little worrying, but
before you run off you check to make sure the coast is cle
3 min
Threat Intel
Threat Intel Book Club: The Cuckoo's Egg wrap-up
Last week, Rebekah Brown and I wrapped up The Cuckoo’s Egg with book club
readers around the world. Dig through some blog archives to get a sense of how
this book club got started and what we’ve discussed so far. Below is a recap of
4 min
DevOps
How DevOps Can Use Quality Gates for Security Checks
Your team has been working at all hours to put the final touches on code for a
new big feature release. All the specs are in, the feature works as expected,
and the code is pushed to production. A few hours later, the daily security scan
runs and the alerts start piling in. What went wrong? And what do you do now?
Typically when this happens, it means rolling back the entire deployment,
retroactively fixing the bugs and vulnerabilities in the code, and a week or two
later, re-deploying. If you’
3 min
Patch Tuesday
Patch Tuesday - April 2018
Over 70 vulnerabilities have been fixed this month, including 6 in Adobe Flash
(APSB18-08).
At a high level, there's nothing too out of the ordinary. Unfortunately, that
means the majority of the patched vulnerabilities are once ag
7 min
Vulnerability Disclosure
Shoring Up the Defenses Together: 2018Q1 Wrap-Up
Today (April 10, 2018) we are sharing six vulnerabilities that have been fixed
in Rapid7 products and supporting services. You won’t need to take any actions:
all of the issues have been addressed. We are disclosing these vulnerabilities
in order to be transparent, to thank those that take the time to report security
issues responsibly, and to provide a few reminders of security concerns that you
should audit for in your own organization.
Dynamically-generated web server access policies
Generat
3 min
CIS Controls
CIS Critical Security Control 13: Data Protection Explained
This is a continuation of our CIS critical security controls blog series.
Data protection is one of the cornerstones of a solid security program, and it
is a critical function of the CIA Triad of Confidentiality, Integrity, and
Availability. Data protection, as characterized by Critical Control 13, is
essentially secure data management. What do we mean by that?
What is CIS Critical Security Control 13?
Secure data management encompasses c
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup 4/7/18
Mobile Moose
This week marked the beginning of our time in the new office. Everything got
packed up and moved: computers, chairs, Rudy’s cups, and odd soy sauce packets
in the back of the drawers. One consequence of moving to downtown Austin is that
the lunch debates take longer, with flame wars about both the best tacos and the
best barbecue.
Metasploit: Now With More Snakes!
@shellfail doubled down this wrapup; way back in
March, he wrote a guide to writing P
4 min
Metasploit Weekly Wrapup
Metasploit Wrapup 4/2/18
Spring has come again to Austin, TX, home of the Rapid7 Metasploit team. While
the season here brings pollen and allergies, it also brings fields full of
bluebonnets and folks taking pictures before they all disappear. Let's celebrate
by looking at what's popped up in Metasploit this week.
New Data Model
Last week, we landed the beginning of a new backend service for Metasploit,
dubbed 'Goliath', which creates a new abstraction between Metasploit Framework
and how it interacts with the databa
4 min
CIS Controls
CIS Critical Control 12: Boundary Defense Explained
This blog is a continuation of our blog series on the CIS Critical Controls.
Key Principle: Detect/prevent/correct the flow of information transferring
networks of different trust levels with a focus on security-damaging data.
What Is It?
Boundary defense is control 12 of the CIS Critical Controls and is part of the ne
5 min
Rapid7 Perspective
Actually, Grindr is Fine: FUD and Security Reporting
On Wednesday, March 28, NBC reported Grindr security flaws expose users'
location data, a story which ticks a couple hot-button topics for security
professionals and security reporters alike. It’s centered around the salacious topic of online
security reporters alike. It’s centered around the salacious topic of online
dating in the LGBT community, and hits a personal safety concern for people
using the app everywhere, not to mention the possibility of outing
3 min
Vulnerability Management
Cisco Smart Install (SMI) Remote Code Execution
What You Need To Know
Researchers from Embedi discovered (and responsibly disclosed) a stack-based
buffer overflow weakness in Cisco Smart Install Client code which causes the
devices to be susceptible to arbitrary remote code execution without
authentication.
Cisco Smart Install (SMI) is a “plug-and-play” confi
4 min
InsightIDR
How to detect weak SSL/TLS encryption on your network
In this blog, we break down how to detect SSL/TLS encryption on your network.
4 min
Application Security
3 Ways to Accelerate Web App Security Testing
It used to be that web application security testing was the job of just the
security team. Today, it is becoming a much more integrative function,
especially for organizations who have adopted DevOps. Development cycles have
become shorter and features are released more frequently for companies to stay
competitive. Trouble is, with shorter development cycles, security needs a way
to keep up. After all, there’s little value in running fast
6 min
CIS Controls
CIS Critical Control 11: Secure Configurations for Network Devices
This blog is a continuation of our blog series on the CIS Critical Controls.
We’ve now passed the halfway point in the CIS Critical Security Controls. The
11th deals with Secure Configurations for Network Devices. When we say network
devices, we’re referring to firewalls, routers, switches, and network IDS
setup
3 min
Metasploit Weekly Wrapup
Metasploit Wrapup 3/23/18
Adding some named pipes to everyone's favorite series of tubes
UserExistsError already added 64-bit named pipe payloads, and this week, we got
an extra-special upgrade: now Metasploit has 32-bit named pipe payloads! It may
feel wrong not setting a port, but connecting to existing network resources
feels so right!
It is the Final Countdown for GSoC!
The final deadline for Google Summer of Code applicants is March 27th, so get
your applications in now! We are honored to be a part of the progra