4 min
Research
This One Time on a Pen Test, Part 5: From Physical Security Weakness to Strength
During a physical social engineering penetration test, I easily got into the office with the help of a copied badge and polite employees. But would the company learn its lesson?
4 min
Research
Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?
On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement?
2 min
Penetration Testing
This One Time on a Pen Test, Part 4: From Zero to Web Application Admin through Open-Source Intelligence Gathering
Open source intelligence gathering (OSINT) can sometimes take a backseat to more glamorous parts of pen tests—but in this case, it saved us.
3 min
IoT
Enhancing IoT Security Through Research Partnerships
Securing IoT devices requires a proactive security approach to test both devices and the IoT product ecosystem. To accomplish this, consider setting up a research partnership.
5 min
IoT
Security Impact of Easily Accessible UART on IoT Technology
When it comes to securing IoT devices, it’s important to know that Universal
Asynchronous Receiver Transmitter (UART) ports are often the keys to the kingdom
for device analysis when you have physical access. For example, as part of
ongoing security research and testing projects on embedded technology we own, I
have opened up a number of devices and discovered a majority of them having UART
enabled. Those with UART enabled have—in every case—provided a path to full root
access and allowed me to
3 min
Penetration Testing
Password Tips From a Pen Tester: Common Patterns Exposed
When my colleagues and I are out on penetration tests, we have a fixed amount of
time to complete the test. Efficiency is important. Analyzing password data like
we’re doing here helps pen testers better understand the likelihood of password
patterns and choices, and we use that knowledge to our advantage when we perform
penetration testing [https://www.rapid7.com/fundamentals/penetration-testing/]
service engagements at Rapid7.
In my experience, most password complexity policies require at l
2 min
InsightIDR
Rapid7 Quarterly Threat Report: 2018 Q1
Spring is here, and along with the flowers and the birds, the pollen and the
never-ending allergies, we bring you 2018’s first Quarterly Threat Report
[https://www.rapid7.com/info/threat-report/2018-q1-threat-report/]! For the
year’s inaugural report, we pulled an additional data set: significant events.
While we like to look at trends in alerts over time, there is almost never a
one-alert-per-incident correlation. Adversary actions involve multiple steps,
which generate multiple alerts, and aft
11 min
Research
Building a Backpack Hypervisor
Researcher, engineer, and Metasploit contributor Brendan Watters shares his experience building a backpack-size hypervisor.
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation
solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive
credentials securely on their associated Android apps. In addition, the Wink
cloud-based management API does not properly expire and revoke authentication
tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for
potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
7 min
Research
Cisco Smart Install Exposure
Cisco Smart Install (SMI) provides configuration and image management
capabilities for Cisco switches. Cisco’s SMI documentation
[http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html]
goes into more detail than we’ll be touching on in this post, but the short
version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP
protocol to allow organizations to deploy and manage Cisco switches. Using SMI
yields a number of be
5 min
Authentication
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls
and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze
fixed all three issues by May 6, 2017, and user action is not required to
remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these
vulnerabilities:
* R7-2017-07.1, CWE-284 (Improper Access Control)
[https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote
attacker can enumerate through MAC addr
7 min
Research
Remote Desktop Protocol (RDP) Exposure
The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary
protocol developed by Microsoft that is used to provide a graphical means of
connecting to a network-connected computer. RDP client and server support has
been present in varying capacities in nearly every Windows version since NT
[https://en.wikipedia.org/wiki/Windows_NT]. Outside of Microsoft's offerings,
there are RDP clients available for most other operating systems. If the nitty
gritty of protocols is your thing, Wiki
5 min
Public Policy
Copyright Office Calls For New Cybersecurity Researcher Protections
On Jun. 22, the US Copyright Office released
[https://www.copyright.gov/policy/1201/section-1201-full-report.pdf] its
long-awaited study on Sec. 1201 of the Digital Millennium Copyright Act (DMCA),
and it has important implications for independent cybersecurity researchers.
Mostly the news is very positive. Rapid7 advocated extensively for researcher
protections to be built into this report, submitting two sets of detailed
comments—see here
[/2016/03/15/rapid7-bugcrowd-and-hackerone-file-pro-res
4 min
Public Policy
Rapid7 issues comments on NAFTA renegotiation
In April 2017, President Trump issued an executive order directing a review of
all trade agreements. This process is now underway: the United States Trade
Representative (USTR), the nation's lead trade agreement negotiator, formally
requested [https://www.regulations.gov/docket/USTR-2017-0006] public input on
objectives for the renegotiation of the North American Free Trade Agreement
(NAFTA). NAFTA is a trade agreement between the US, Canada, and Mexico that
covers a huge range of topics, fr
3 min
Project Sonar
Signal to Noise in Internet Scanning Research
We live in an interesting time for research related to Internet scanning.
There is a wealth of data and services to aid in research. Scanning-related
initiatives like Rapid7's Project Sonar [https://sonar.labs.rapid7.com/], Censys
[https://censys.io/], Shodan [https://www.shodan.io/], Shadowserver
[https://www.shadowserver.org/] or any number of other public/semi-public
projects have been around for years, collecting massive troves of data. The
data and services built around it have been used f