All Posts

2 min IT Ops

Using Logs for Security & Compliance: Part 1

This 3-part series explores the critical role logs play in maintaining regulatory compliance and provides specific examples of known events to look for and how to evaluate different compliance tools. To download the free 24-page white paper, click here. For organizations that need to remain compliant with specific regulatory standards, requ

2 min Windows

Nexpose Remote Registry Activation for Windows

The Windows Registry is a database which stores all settings for a Windows system, e.g. hardware, software installed, Windows updates installed and preferences for users and their applications. During normal day-to-day use a standard user will inadvertently push changes into this database when they update the system, add/remove applications and so on. Remote Registry is a Windows service which allows a non-local user to read or make changes to the registry on your Windows system when they are

1 min Metasploit

Six Wonderful Years

Rapid7 has been my home for the last six years, growing from 98 people when I joined to over 700 today. Keeping up with the growth has been both exhilarating and terrifying. I am really proud of our Austin team, the Metasploit ecosystem, and our leadership in security research. We care about our customers, our employees, and our impact in the industry. Working at Rapid7 has simply been the best job I have ever had. We have surpassed every goal that I set when I joined in 2009. Metasploit is thr

2 min Vulnerability Disclosure

R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)

While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01 advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory. This issue was discovered and disclosed as part of research resulting in Rapid7's dis

2 min IT Ops

Analyzing ELB Log Data

Thanks to some slick work from our engineering team, we have recently released a lightweight Python script that will allow you to pull your Elastic Load Balancer logs from S3 into Logentries. In this implementation, we use AWS Lambda and leverage the S3 trigger, so the script only runs when needed. The full documentation is available here: https://logentries.com/doc/s3-ingestion-with-lambda/

1 min IT Ops

Introducing a Buildbot status plugin for pushing status updates to Logentries

Buildbot is a framework for building continuous deployment and integration systems. It is highly flexible and is written in Python. It is also a mature system which a number of large projects use, e.g. Mozilla, Chromium, Python – see trac.buildbot.net/wiki/SuccessStories. To send build status information (specifically Start, Success and Failure states) from Buildbot to Logentries, start by generating a log token from Logentries.

4 min Metasploit

12 Days of HaXmas: Metasploit End of Year Wrapup

This is the seventh post in the series, "The 12 Days of HaXmas." It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around. While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive

4 min Metasploit

12 Days of HaXmas: Metasploit's IoT WebApp Login Support

This is the sixth post in the series, "The Twelve Days of HaXmas." Well, the year is coming to a close, and it's just about time for the annual breakdown of Metasploit commit action. But before we get to that, I wanted to take a moment to highlight the excellent work we landed in 2015 in adding new web application login support to Metasploit. After all, who needs exploits when your password is "public" or "admin" or "password" or any other of the very few well-known default passwords? Maybe i

3 min Haxmas

12 Days of HaXmas: Santa makes a list and checks it twice, do you?

This post is the fifth in the series, "The Twelve Days of HaXmas." This is the time of the year where kids and adults alike think back over the past year, wondering which of Santa's two lists they will be on. The nice list is reserved for those who say "please" and "thank you", brush their teeth, and of course, those who regularly update and practice their incident response plans. Santa gives presents to the children on the nice list and coal to the ones on the naughty. When the list gets chec

7 min Haxmas

12 Days of HaXmas: What Home Alone Can Teach About Active Defense

This post is the fourth in the series, "The 12 Days of HaXmas." As you venture from the world of defense, including protecting and monitoring systems, into the realm of active defense, who can be your mentor? Who can make you as cool as Frosty? Does anyone know enough about active defense to make a movie out of it? OF COURSE! Macaulay Culkin is the mentor you are looking for. More precisely, Kevin McCallister, from the Home Alone fra

4 min Threat Intel

12 Days of HaXmas: Charlie Brown Threat Intelligence

This post is the third in the series, "The 12 Days of HaXmas." “Get the biggest aluminum threat feed you can find, Charlie Brown, maybe painted pink.” It has been a few years now since the term “cyber threat intelligence” entered mainstream, and since then it has exploded into a variety of products, all claiming to have the biggest, the best, the shiniest, most aluminum-est threat feed, report, or platform. Much of the advertising and media surrounding threat intelligence capitalizes on fear

10 min Haxmas

12 Days of HaXmas: Advanced Persistent Printer

This post is the second in the series, "The 12 Days of HaXmas." By Deral Heiland, Principal Consultant, and Nate Power, Senior Consultant, of Rapid7 Global Services. Year after year we have been discussing the risk of Multi-Function Printers (MFP) in the corporate environment and how a malicious actor can easily leverage these devices to carry out attacks, including extraction of Windows Active Directory credentials via LDAP and abusing the "Scan to File" and "Scan to E-mail" features. To take

3 min Haxmas

12 Days of HaXmas: Rapid7 Gives to You... Free Professional Media Training (Pear Tree Not Included)

Ho ho ho, Merry HaXmas! For those of you new to this series, every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year we're kicking the series off with something not altogether hackery, but it's a gift, see, so very appropriate for the season. For the past couple of years, I've provided free media training at various security conferences, often as part of an I Am The Cavalry track,

8 min Vulnerability Management

ScanNow DLL Search Order Hijacking Vulnerability and Deprecation

Overview: On November 27, 2015, Stefan Kanthak contacted Rapid7 to report a vulnerability in Rapid7's ScanNow tool. Rapid7 takes security issues seriously and this was no exception. In combination with a preexisting compromise or other vulnerabilities, and in the absence of sufficient mitigating measures, a system with ScanNow can allow a malicious party to execute code of their choosing leading to varying levels of additional compromise. In order to protect the small community of users who ma

2 min IT Ops

How to Log Messages from Slack

We recently added support for unedited HTTP logging in Logentries. This means you can send us log data via HTTPS drain (from Heroku), or via any webhook you want. One webhook that we’ve been looking to log for a while is Slack. People are always chatting away on Slack, and this data might be useful some day. You can send the data into Logentries however you want, and then worry about what to do with it when you actually need it! First, you’ll need to