3 min
Metasploit
Metasploit Wrapup: Dec. 22, 2017
Even with the year winding down to a close, activity around Metasploit has been
decidedly “hustle and bustle”. Some cool new things to talk about this week, so
sit back and dig in!
For Your iOS Only
If you’ve been wanting to run Meterpreter under iOS, then this bit is for you!
While Mettle has technically worked on iOS since February, @timwr has added
official Metasploit Framework support
2 min
Protecting Your Web Site from the Doubleclick XSS Vulnerability
Advertising largely supports free content on the Internet, and many significant
sites rely on DoubleClick for Publishers (DFP), Google’s advertising platform
for publishers to monetize their traffic. Unfortunately for the AdOps world, DFP
has been hosting cross-site scripting (XSS)-vulnerable ads since 2015! Ouch.
You’re writing compelling content for your readers and using Google ads to pay
the bills. Google has tools for you, and you’ve just found out that these tools
could compromise your
4 min
Detection and Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 4)
This is not a drill. In this final installment, read our recommendations for handling a real incident. Whether opportunistic or targeted, here's what you should be thinking about.
3 min
Public Policy
NIST Cyber Framework Updated With Coordinated Vuln Disclosure Processes
A key guideline for cybersecurity risk management now includes coordinated vulnerability disclosure and handling processes. This revision will help boost adoption of processes for receiving and analyzing vulnerabilities disclosed from external sources, such as researchers.
18 min
Vulnerability Disclosure
R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities
Summary of Issues
Multiple vulnerabilities in Cambium Networks’ ePMP and cnPilot product lines
were discovered by independent researcher Karn Ganeshen, which have, in turn,
been addressed by the vendor. The affected devices are in use all over the
world to provide wireless network connectivity in a variety of contexts,
including schools, hotels, municipalities, and industrial sites, according to
the vendor.
These issue
3 min
GDPR
MDR and GDPR: More than a lot of letters
With 2018 now well in our sights, the countdown to the General Data Protection
Regulation (GDPR) is most definitely on. Articles 33 and 34 of the GDPR require
organizations to communicate personal data breaches when there is a high risk
of impact to the people to whom the data pertains. GDPR security requirements
and breach notification go hand-in-hand, for obvious reasons. In the words of
the European Commission Working Party 29 (the group who are ta
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Dec. 15, 2017
I Read the News Today, Oh Boy
As we near the end of the year we must express appreciation for the Metasploit
community as a whole. Each contribution is valuable, be it an exploit for the
latest vulnerability, documentation, spelling corrections, or anything in
between. Together we shape the future of Metasploit. The Metasploit community
really surprised us this time around, as the latest release brings five new
exploit and two new auxiliary modules.
Hey! You! Get Off of My Cloud
Zenofex
3 min
Incident Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 3)
Now, it’s time for the fun stuff. While an incident response plan review may feel like practicing moves on a wooden dummy, stress testing should feel more like Donnie Yen fighting ten people for bags of rice in Ip Man
2 min
Public Policy
FCC Repeals Net Neutrality: What Now?
[Update 05/16/18: The US Senate passed a resolution, led by Sen. Ed Markey, to
reject the FCC rule that repealed net neutrality. Rapid7 supports the
resolution and other efforts to effectively reinstate net neutrality
safeguards.]
This week, Rapid7 hosted an event with Massachusetts’ Edward J. Markey and a
number of Boston’s technology and business leaders to protest the likely repeal
of net neutrality. Our CEO, Corey T
4 min
Rapid7 Perspective
Attention Humans: The ROBOT Attack
What’s the ROBOT Attack?
On the afternoon of December 12, researchers Hanno Böck, Juraj Somorovsky and
Craig Young published a paper, website, testing tool, and CTF at robotattack.org
detailing a padding oracle attack that affects the way
cryptography is handled on secure websites. ROBOT, which stands for Return Of
Bleichenbacher's Oracle Threat, details a weakness in the RSA encryption
standard known as PKCS#1v1.5 that can ultimately allow an attacker to learn a
secur
4 min
GDPR
Creating a Risk-Based Vulnerability Management Program for GDPR with InsightVM
The General Data Protection Regulation’s (GDPR) deadline in 2018 is rapidly
approaching, and as companies prepare for GDPR compliance, they’re facing a
struggle that’s plagued every security program for years: how to quantify that
nebulous, scary thing called “risk.” GDPR compliance specifically talks about
“risk” several times in its guidelines, particularly in
Arti
5 min
IT Ops
6 Best Practices for Effective IT Troubleshooting
System monitoring and troubleshooting can be a time-consuming and frustrating
activity. It’s not unusual for IT folks to spend hours finding and fixing a
problem that could have been resolved in 10 minutes had better troubleshooting
tools and processes been in place.
Improving IT troubleshooting and monitoring doesn’t need to be an expensive
undertaking. Many times it’s just a matter of implementing a few company-wide
2 min
Patch Tuesday
Patch Tuesday - December 2017
No big surprises from Microsoft this month, with 70% of the 34 vulnerabilities
addressed being web browser defects. Most of these are Critical Remote Code
Execution (RCE) vulnerabilities, so administrators should prioritize patching
client workstations. It doesn't take sophisticated social engineering tactics
to convince most users to visit a malicious web page, or a legitimate but
2 min
Application Security
The Magic Behind Managed Application Security Services
When I was younger, one of my favorite gifts was a magic kit. My dad did magic
tricks with cards and rope, and whenever I asked how he did it, he’d say, “A
magician never tells his secrets.” Part of why I loved that gift so much is I
got to be the magician—and I got a glimpse of the secrets.
Whenever I spend time with the Managed Application Security team at Rapid7, I
feel like I did when I was younger: excited to learn about how the magic works.
Here are some of the secrets I’ve learned.
Appl
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Dec. 8, 2017
Have you ever been on a conference call where you really wished you could take
command of the situation? With Metasploit Framework and the new Polycom HDX
exploit, you can (if given permission by the owner of the device, that is)! If
teleconferencing isn't your target's style, you can also pwn correspondence the
old-fashioned way: through a Microsoft Office exploit. Be it written or video,
we here at Rapid7 know you value other people's communication!
After another Python module and the Mac r