Linux
GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?
CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems
using older versions of the GNU C Library (glibc versions less than 2.18). The
bug was discovered by researchers at Qualys and named GHOST in reference to the
gethostbyname function (and possibly because it makes for some nice puns).
To be clear, this is NOT the end of the Internet as we know it, nor is it further
evidence (after Stormaggedon) that the end of the world is nigh. It's also not
another Heartbleed. But it
POODLE Unleashed: Understanding the SSL 3.0 Vulnerability
Three researchers from Google
[http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html]
have published findings about a vulnerability in SSL 3.0
[http://en.wikipedia.org/wiki/Transport_Layer_Security], a cryptographic
protocol designed to provide secure communication over the internet. Although
SSL 3.0 is nearly 15 years old, it's still used all over the place – browsers,
VPNs, email clients, etc. In other words, this bug is pretty widespread.
Successful ex
Public Policy
Petition for Reform of the DMCA and CFAA
Here's the TL;DR:
Software now runs everything and all software has flaws, which means that we, as
consumers, are at risk. This includes YOU, and can impact your safety or quality
of life. Sign this petition to protect your right to information on how you are
exposed to risk:
https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD
The petition
Last weekend a petition
[https://petitions.whitehouse.gov/petition/unlock-public
Cybersecurity
National Cyber Security Awareness Month: The Value of Vigilance
Today is the last day of October 2013, and so sadly, this is our last NCSAM
primer blog. We're hitting on a number of potential threats in this one to help
drive the core point home – users need to be vigilant, not just with regards to
their physical security, but also the security of their information and the
systems used to access and store it.
For those that are new to this series, a quick recap – every week this month we
have created a short primer piece that could be copied and pasted into
Cybersecurity
National Cyber Security Awareness Month: Avoiding Cloud Crisis
As you'll know if you've been following our National Cyber Security Awareness
Month blog series, we're focusing on user awareness. We believe that these days
every user in your environment represents a point on your perimeter; any may be
targeted by attackers and any could create a security issue in a variety of
ways, from losing their phone to clicking on a malicious link.
Each week through October we've provided a simple email primer on a topic
affecting users' security. We hope these emails
Authentication
National Cyber Security Awareness Month: Basic Password Hygiene
Throughout October, we're creating basic emails you send to the users in your
company to help educate them on information security issues that could affect
them in the workplace. Each email provides some information on the issue itself,
and some easy steps on how to protect themselves. Check out the first two posts,
providing primers on phishing
[/2013/10/02/national-cyber-security-awareness-month-foiling-phishing] and
mobile security
[/2013/10/07/national-cyber-security-awareness-month-keeping
Microsoft
August Patch Tuesday
Yesterday was Microsoft Patch Tuesday, with 13 bulletins issued to address 22
vulnerabilities. Of these, only two are rated “critical”; the first of which –
MS11-057 – is the latest Internet Explorer cumulative patch. Until this one is
patched, we'd recommend limiting your use of Internet Explorer to only visiting
trusted sites and remember that it's never a good idea to click on suspect or
unknown links. If users are still concerned, they may want to consider using one
of the alternate browser
Introducing Cocktails with Customers
The title of my post today may lead you to think we're promoting yet another of
our famous parties. I'm sure it won't be long until that's the case
(particularly with the likes of BlackHat and B-Sides just around the corner),
but for today my focus is firmly on this blog. I wanted to take a couple of
minutes to introduce a new series of posts from Jen Benson on Rapid7's customer
engagement. Jen is titling this series Cocktails with Customers and if any of
our customers are in the LA area near he
Patch Tuesday
June Patch Tuesday
This month's Patch Tuesday was another biggie: 16 bulletins addressing 34
vulnerabilities across IE, Office and Windows...
Top of the list of things to watch out for are two “critical” bulletins:
MS11-050 and MS11-52. These are effectively an attacker's delight, since they
are browser based, which are the most coveted exploits. They affect Internet
Explorer 6, 7, and 8; and once these vulnerabilities are weaponized they will be
a significant problem as many organizations give their users admi