Posts by Jen Ellis

10 min Security Nation

Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year

With 2020 finally coming to a close, the Security Nation podcast team shares their top highlights from throughout the year.

4 min Security Strategy

Help Others Be "Cyber Aware" This Festive Season—And All Year Round!

Are you tired of being the cybersecurity help desk for everyone you know? This blog is for you!

6 min Public Policy

Internet of Things Cybersecurity Regulation and Rapid7

Over the past few years, the security of the Internet of Things (IoT) has been a consistent focus in policy circles around the world.

7 min Government

What's Happening With Markups for the IoT Cybersecurity Improvement Act of 2019?

In recent weeks, the House and Senate have drafted versions of the IoT Cybersecurity Improvement Act of 2019. Here are our thoughts.

2 min Podcast

(Re)Introducing Rapid7’s Podcast, Security Nation

This week, we are re-launching Rapid7’s podcast, Security Nation. The new, re-imagined podcast will focus on showcasing people and projects that are advancing security in their own ways.

8 min Public Policy

The IoT Cybersecurity Improvement Act of 2019

In this blog post, we will walk through the newly introduced IoT Cybersecurity Improvement Act of 2019 and describe Rapid7's position on it.

4 min Linux

Patching CVE-2017-7494 in Samba: It's the Circle of Life

With the scent of scorched internet still lingering in the air from the WannaCry Ransomworm [http://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained] , today we see a new scary-and-potentially-incendiary bug hitting the Twitter news. The vulnerability - CVE-2017-7494 [https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-7494] - affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto standard for providing Wind

1 min Public Policy

Rapid7's Position on the U.S. Executive Order on Immigration

On Friday, January 27th, 2017, the White House issued an Executive Order entitled, “Protecting The Nation from Foreign Terrorist Entry into The United States. [https://www.whitehouse.gov/the-press-office/2017/01/27/executive-order-protecting-nation-foreign-terrorist-entry-united-states] ” As has been well-publicized, the Order suspends some immigration from seven Muslim-majority countries — Syria, Yemen, Sudan, Somalia, Iraq, Iran and Libya — for 90 days, halts the refugee program for 120 days,

5 min Research

Research Report: Vulnerability Disclosure Survey Results

When cybersecurity researchers find a bug in product software, what's the best way for the researchers to disclose the bug to the maker of that software? How should the software vendor receive and respond to researchers' disclosure? Questions like these are becoming increasingly important as more software-enabled goods - and the cybersecurity vulnerabilities they carry - enter the marketplace. But more data is needed on how these issues are being dealt with in practice. Today we helped publish

6 min Government

Vulnerability Disclosure and Handling Surveys - Really, What's the Point?

Maybe I'm being cynical, but I feel like that may well be the thought that a lot of people have when they hear about two surveys posted online this week to investigate perspectives on vulnerability disclosure and handling. Yet despite my natural cynicism, I believe these surveys are a valuable and important step towards understanding the real status quo around vulnerability disclosure and handling so the actions taken to drive adoption of best practices will be more likely to have impact. Hopef

13 min Public Policy

12 Days of HaXmas: Political Pwnage in 2015

This post is the ninth in the series, "The 12 Days of HaXmas." 2015 was a big year for cybersecurity policy and legislation; thanks to the Sony breach at the end of 2014 year, we kicked the new year off with a renewed focus on cybersecurity in the US Government. The White House issued three legislative proposals, [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] held a cybersecurity summit, and signed a new Executive Order, all before the end of February. The OPM br

3 min Haxmas

12 Days of HaXmas: Rapid7 Gives to You... Free Professional Media Training (Pear Tree Not Included)

Ho ho ho, Merry HaXmas [/tag/haxmas/]! For those of you new to this series, every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year we're kicking the series off with something not altogether hackery, but it's a gift, see, so very appropriate for the season. For the past couple of years, I've provided free media training at various security conferences, often as part of an I Am The Cavalry [https://www.iamthecavalry.org/] track,

5 min Public Policy

New DMCA Exemption is a Positive Step for Security Researchers

Today the Library of Congress officially publishes its rule-making for the latest round of exemption requests for the Digital Millennium Copyright Act (DMCA).  The advance notice of its findings [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-27212.pdf] revealed some good news for security researchers as the rule-making includes a new exemption to the DMCA for security research: “(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or

9 min Public Policy

Why I Don't Dislike the Whitehouse/Graham Amendment 2713

[NOTE: No post about legislation is complete without a lot of acronyms representing lengthy and forgettable names of bills. There are three main ones that I talk about in this post: CISA – the Cybersecurity Information Sharing Act of 2015 – Senate bill that will likely go to a vote soon.  The bill aims to facilitate cybersecurity information sharing and create a framework for private and government participation. ICPA – the International Cybercrime Prevention Act of 2015 – proposed bill to extend law en

1 min Legal

Rapid7's Comments on the Wassenaar Arrangement Proposed Rule for Controlling Exports of Intrusion Software

For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. You can read about the proposal and Rapid7's initial thoughts here [/2015/06/13/response-to-the-us-proposal-for-implementing-the-wassenaar-arrangement-export-controls-for-intrusion-software] . The consultation window closed on Monday, July 20th

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement.  You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

7 min Metasploit

Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software

On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf] for implementing new export controls under the Wassenaar Arrangement. These controls would apply to: * systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; * software specially designed or modified for the development or production of suc

6 min Public Policy

Will the Data Security and Breach Notification Act Protect Consumers?

Last week, the House Energy and Commerce Committee published a discussion draft of a proposed breach notification bill – the Data Security and Breach Notification Act of 2015 [http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/analysis/20150312DataSecurityDraft.pdf] . I'm a big fan of the principles at play here: as a consumer, I expect that if a company I have entrusted with my personally identifiable information (PII) has reason to believe that information has be

3 min Linux

GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?

CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems using older versions of the GNU C Library (glibc versions less than 2.18). The bug was discovered by researchers at Qualys and named GHOST in reference to the gethostbyname() function (and possibly because it makes for some nice puns). To be clear, this is NOT the end of the Internet as we know it, nor is it further evidence (after Stormaggedon) that the end of the world is nigh. It's also not another Heartbleed. But it
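The excerpt above gives the one fact most admins reached for in January 2015: the upstream fix landed in glibc 2.18. The script below is an added example, not code from the original post; it parses the version banners that `getconf GNU_LIBC_VERSION` and `ldd --version` print, compares them numerically against 2.18, and classifies the result. The sample banners are constructed, and the function names (`glibc_version_from`, `version_cmp`, `ghost_status`, `ghost_status_local`) are the example's own. The important caveat is built into the labels: major distributions backported the fix into older glibc builds (for example the 2.12 and 2.17 lines), so "predates-fix" means "go and check the distribution advisory", not "exploitable".

```shell
#!/bin/sh
# Added example: classify a glibc version banner against the upstream GHOST fix.
# CVE-2015-0235 was fixed upstream in glibc 2.18, so an upstream release below
# 2.18 is affected *unless* the distribution backported the fix, which most did
# for their older branches. A version check therefore cannot prove a host safe;
# treat "predates-fix" as "consult the vendor advisory", not as "vulnerable".

# Extract "MAJOR.MINOR" from banners such as "ldd (GNU libc) 2.17",
# "glibc 2.31" (getconf GNU_LIBC_VERSION) or
# "ldd (Ubuntu EGLIBC 2.19-0ubuntu6) 2.19". Prints nothing if no version is found.
glibc_version_from() {
    printf '%s\n' "$1" | awk '{
        if (match($NF, /^[0-9]+\.[0-9]+/)) print substr($NF, RSTART, RLENGTH)
    }'
}

# Numeric comparison of two MAJOR.MINOR versions; prints -1, 0 or 1.
# (A plain string compare would rank 2.9 above 2.18, which is exactly the
# mistake to avoid when checking against a fix version.)
version_cmp() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -ne "$b_major" ]; then
        if [ "$a_major" -lt "$b_major" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
    elif [ "$a_minor" -ne "$b_minor" ]; then
        if [ "$a_minor" -lt "$b_minor" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
    else
        printf '%s\n' 0
    fi
}

# Classify one banner: "predates-fix" (< 2.18 upstream), "fixed-upstream" (>= 2.18),
# or "unknown" when the banner carries no parseable version.
ghost_status() {
    v=$(glibc_version_from "$1")
    [ -z "$v" ] && { echo unknown; return; }
    case $(version_cmp "$v" 2.18) in
        -1) echo predates-fix ;;
        *)  echo fixed-upstream ;;
    esac
}

# Classify the running host: prefer getconf, fall back to ldd's first line.
ghost_status_local() {
    banner=$(getconf GNU_LIBC_VERSION 2>/dev/null || ldd --version 2>/dev/null | head -n 1)
    ghost_status "$banner"
}

# Constructed sample banners (not captured from real hosts) to show the labels.
for banner in "ldd (GNU libc) 2.17" "glibc 2.31" \
              "ldd (Ubuntu EGLIBC 2.19-0ubuntu6) 2.19" "ldd (GNU libc) 2.12"; do
    printf '%-42s -> %s\n' "$banner" "$(ghost_status "$banner")"
done
printf '%-42s -> %s\n' "this host" "$(ghost_status_local)"
```

Run it as-is for the constructed samples, or call `ghost_status_local` from an inventory script; a host that reports "predates-fix" should be matched against the vendor's errata (or tested with the vendor's own check) before it is written down as vulnerable, and a host that reports "fixed-upstream" still needs the long-running services that loaded the old library restarted.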

8 min Public Policy

How Do We De-Criminalize Security Research? AKA What's Next for the CFAA?

Anyone who read my breakdown on the President's proposal for cybersecurity legislation [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] will know that I'm very concerned that both the current version of the Computer Fraud and Abuse Act (CFAA) [http://www.law.cornell.edu/topn/computer_fraud_and_abuse_act_of_1986], and the update recently proposed by the Administration [http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tool

10 min Public Policy

Will the President's Cybersecurity Proposal Make Us More Secure?

Last week, President Obama proposed a number of bills to protect consumers and the economy from the growing threat of cybercrime and cyberattacks. Unfortunately in their current form, it's not clear that they will make us more secure. In fact, they may have the potential to make us more INsecure due to the chilling effect on security research. To explain why, I've run through each proposed bill in turn below, with my usual disclaimer that I'm not a lawyer. Before we get into the details, I want

6 min Incident Detection

Cyber Security Awareness Month: Crisis Response and Communication

Throughout October, Rapid7 has run a series of blog posts designed to help you talk to the C-suite of your organization about security.  We've focused on why executives should pay attention [/2014/10/06/cyber-security-awareness-month-taking-it-to-the-c-level-and-beyond] , what they specifically need to focus on [/2014/10/17/cyber-security-awareness-month-data-custodianship], some ways to improve organizational security [/2014/10/28/cyber-security-awareness-month-why-your-organization-needs-secur

4 min

POODLE Unleashed: Understanding the SSL 3.0 Vulnerability

Three researchers from Google [http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html] have published findings about a vulnerability in SSL 3.0 [http://en.wikipedia.org/wiki/Transport_Layer_Security], a cryptographic protocol designed to provide secure communication over the internet. Although SSL 3.0 is nearly 20 years old, it's still used all over the place – browsers, VPNs, email clients, etc. In other words, this bug is pretty widespread. Successful ex

4 min Public Policy

Petition for Reform of the DMCA and CFAA - Why I Care, and Why I Think You Should Too.

Here's the TL;DR: Software now runs everything and all software has flaws, which means that we, as consumers, are at risk. This includes YOU, and can impact your safety or quality of life. Sign this petition to protect your right to information on how you are exposed to risk: https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD The petition Last weekend a petition [https://petitions.whitehouse.gov/petition/unlock-public

4 min

Cyber Security Awareness Month: Taking it to the C-level and Beyond

October is promoted as cyber security awareness month in the US [http://www.staysafeonline.org/ncsam/] and across the European Union [http://www.enisa.europa.eu/activities/stakeholder-relations/nis-brokerage-1/european-cyber-security-month-advocacy-campaign] . We're all for increasing awareness of security issues and threats, so we're in, but we know our average SecurityStreet reader likely works in information security and is already “aware.” Year round we try to provide content to help you ke

6 min Linux

Bash-ing Into Your Network & Investigating CVE-2014-6271

[UPDATE September 29, 2014: Since our last update on this blog post, four new CVEs that track ShellShock/bash bug-related issues have been announced. A new patch [http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html] was released on Saturday September 27 that addressed the more critical CVEs (CVE-2014-6277 and CVE-2014-6278). In sum: If you applied the ShellShock-related patches before Saturday September 27, you likely need to apply this new patch [http://lcamtuf.blogspo
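The update above makes a point that is easy to miss in a patch rush: the first ShellShock fix was not the last one, and a host that was "patched" on the 25th could still be exposed to the later CVEs. The script below is an added example, not code from the original post. It runs the widely published function-import probe for the original bug, CVE-2014-6271, against any bash binary you point it at, and reports the interpreter's version and patch level so you can see which of the successive fixes a host actually carries. The function names (`shellshock_6271_status`, `bash_patchlevel`) are the example's own. A "not-vulnerable" result covers only CVE-2014-6271; the follow-on CVEs named in the update had their own test cases and patches.

```shell
#!/bin/sh
# Added example: probe a bash binary for the original ShellShock bug and report
# its patch level. The probe is the standard diagnostic: export an environment
# variable whose value is a function definition followed by a trailing command.
# An unpatched bash executes the trailer while importing the function; a fixed
# bash imports (or ignores) the definition and never runs the trailer.

# Print "vulnerable", "not-vulnerable", or "no-bash" (binary not runnable).
# $1 is the interpreter to test; defaults to whatever "bash" resolves to.
shellshock_6271_status() {
    sh_bin=${1:-bash}
    command -v "$sh_bin" >/dev/null 2>&1 || { echo no-bash; return; }
    # Marker text is only ever printed if the trailer after the function body runs.
    out=$(env x='() { :;}; echo VULNERABLE_MARKER' "$sh_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *VULNERABLE_MARKER*) echo vulnerable ;;
        *)                   echo not-vulnerable ;;
    esac
}

# Print the interpreter's BASH_VERSION, e.g. "4.3.30(1)-release". The number after
# the second dot is the patch level: it is what separates a bash that received
# only the first ShellShock fix from one that also carries the later ones.
bash_patchlevel() {
    sh_bin=${1:-bash}
    command -v "$sh_bin" >/dev/null 2>&1 || { echo no-bash; return; }
    "$sh_bin" -c 'printf "%s\n" "${BASH_VERSION:-not-bash}"'
}

# Report on the default bash, if one is installed.
printf 'CVE-2014-6271 probe : %s\n' "$(shellshock_6271_status bash)"
printf 'BASH_VERSION        : %s\n' "$(bash_patchlevel bash)"
```

Point `shellshock_6271_status` at every bash on a host (`/bin/bash`, a vendored copy under an application tree, a statically linked one in a container image), not just the one in `PATH`; hosts that were patched early typically fixed the system binary and missed the copies.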

0 min

Security Incident Notification

This week, one of the service providers we work with informed us that it was compromised and the attackers targeted Rapid7 assets. Although we are still investigating the incident, we believe that no customer data was compromised. We take customer security very seriously and will continue to share pertinent information as it becomes available.

3 min NCSAM

National Cyber Security Awareness Month: The Value of Vigilance

Today is the last day of October 2013, and so sadly, this is our last NCSAM primer blog. We're hitting on a number of potential threats in this one to help drive the core point home – users need to be vigilant, not just with regard to their physical security, but also the security of their information and the systems used to access and store it. For those that are new to this series, a quick recap – every week this month we have created a short primer piece that could be copied and pasted into

4 min NCSAM

National Cyber Security Awareness Month: Avoiding Cloud Crisis

As you'll know if you've been following our National Cyber Security Awareness Month blog series, we're focusing on user awareness.  We believe that these days every user in your environment represents a point on your perimeter; any may be targeted by attackers and any could create a security issue in a variety of ways, from losing their phone to clicking on a malicious link. Each week through October we've provided a simple email primer on a topic affecting users' security. We hope these emails

4 min Authentication

National Cyber Security Awareness Month: Basic Password Hygiene

Throughout October, we're creating basic emails you can send to the users in your company to help educate them on information security issues that could affect them in the workplace. Each email provides some information on the issue itself, and some easy steps on how to protect themselves. Check out the first two posts, providing primers on phishing [/2013/10/02/national-cyber-security-awareness-month-foiling-phishing] and mobile security [/2013/10/07/national-cyber-security-awareness-month-keeping

4 min NCSAM

National Cyber Security Awareness Month: Foiling Phishing

For the past 10 years, the DHS has deemed October to be National Cyber Security Awareness Month [http://www.dhs.gov/national-cyber-security-awareness-month], and since we have a hunch that people who already work in security are aware that it is a big issue, we thought we'd help you focus on the awareness of your users instead. In fact, we'd like to change the name to National User Awareness Month, which also neatly sidesteps that whole “cyber” thing. Why address users though? Well increasin

1 min

Join Project Sonar and #ScanAllTheThings!

… Or if scanning is not your thing, take a look at the data provided by others and share your views on what it means and what we can do about it.  Apply your learnings to your own environment – how are you exposed? Can you help other people with the knowledge you've gained?  Can they help you? This is the point behind Project Sonar [/2013/09/26/welcome-to-project-sonar] – we believe that if we work together we can achieve great things and make the internet more secure.  Unfortunately though, at

3 min Events

When Life's a Breach, Don't be a Breach Bum!

Tripadvisor's summer survey on beach and pool etiquette [http://tripadvisor.wordpress.com/2012/07/12/tripadvisor-beach-and-pool-etiquette-survey-results-announced/] recently revealed which antisocial behaviors most annoy vacationers. Unsurprisingly, smoking, playing music too loudly and chair-hogging all came out as being deeply unpopular. Fascinating, but why am I writing about this on a security blog you may ask? Perhaps you think I'm just jonesing for a little vacation, but those that sto

1 min

Rapid7 Finalist in 2 SC Awards Categories!

I'm very happy to report that both our product groups have been recognized as finalists in the SC Magazine Awards. Nexpose Enterprise is a finalist in the Best Vulnerability Management category, and Metasploit Pro is a finalist in the Best SME Security Solution. If you're interested in trying either of these products, you can get a free trial at: * Nexpose Enterprise trial [http://www.rapid7.com/nexposefulltrial.jsp] * Metasploit Pro trial [http://www.rapid7.com/downloads/metasploit.jsp]

1 min Metasploit

Rapid7 Supports Open Source Projects with "Magnificent7" $100,000 Fund

We're very excited to announce that Rapid7 is dedicating $100,000 to support open source projects [http://www.rapid7.com/news-events/press-releases/2011/2011-magnificent7.jsp] in the security space in 2012 in a program we're calling the Magnificent7. Essentially we're looking for open source projects that bring value to the infosec ecosystem by taking an innovative approach to addressing security challenges, and will be supporting up to seven such projects with funding in 2012. Chosen project

1 min Microsoft

August Patch Tuesday

Yesterday was Microsoft Patch Tuesday, with 13 bulletins issued to address 22 vulnerabilities. Of these, only two are rated “critical”; the first of which – MS11-057 – is the latest Internet Explorer cumulative patch. Until this one is patched, we'd recommend limiting your use of Internet Explorer to only visiting trusted sites and remember that it's never a good idea to click on suspect or unknown links. If users are still concerned, they may want to consider using one of the alternate browser

1 min Events

A Key for a Key: Rapid7 Competition

In the security industry we try to pay attention to the means available to us for securing our environment, so those checking into Caesar's Palace for Black Hat this week may notice their room key comes with a Rapid7 card, which includes a link to free trials of all our solutions. [http://www.rapid7.com/BlackHatTryIt.jsp] We've also suggested some possible uses for the card, but we know how creative you sometimes have to be to get things done in the world of infosec, so we're sure you can come u

1 min

Wall Street Journal FASTech 50

As you may have already seen, the Wall Street Journal is currently putting together its FASTech 50; a list of the 50 most innovative tech startups around.  To create a bit of buzz for this, the publication has asked the Twitter community to nominate companies for the list by tweeting as follows: "I'm nominating Rapid7 for “The FASTech 50” list of most innovative companies! http://on.wsj.com/lc42MJ #FASTech50” We'd really love Rapid7 to be included in the list and we believe that our holist

1 min

Introducing Cocktails with Customers

The title of my post today may lead you to think we're promoting yet another of our famous parties. I'm sure it won't be long until that's the case (particularly with the likes of BlackHat and B-Sides just around the corner), but for today my focus is firmly on this blog. I wanted to take a couple of minutes to introduce a new series of posts from Jen Benson on Rapid7's customer engagement. Jen is titling this series Cocktails with Customers and if any of our customers are in the LA area near he

2 min Authentication

Hello Ripper!

Yes, that's a Buffy reference. And an awesome one at that. I make no apologies for my geekery. It's also a reference to the update to John the Ripper, released today.  As you may've heard by now, the Openwall guys announced an update to their popular password cracker, with a very impressive 17% improvement in gate count for the Data Encryption Standard (DES) algorithm. Congratulations to the Openwall team and all of the open source community members who contribute their time and expertise to fu

1 min Patch Tuesday

June Patch Tuesday

This month's Patch Tuesday was another biggie: 16 bulletins addressing 34 vulnerabilities across IE, Office and Windows... Top of the list of things to watch out for are two “critical” bulletins: MS11-050 and MS11-052. These are effectively an attacker's delight since they are browser-based, the most coveted class of exploit. They affect Internet Explorer 6, 7, and 8, and once these vulnerabilities are weaponized they will be a significant problem as many organizations give their users admi