Posts tagged Authentication

3 min InsightIDR

InsightIDR Now Supports Multi-Factor Auth and Data Archiving

InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.

8 min Vulnerability Disclosure

Multiple vulnerabilities in Wink and Insteon smart home systems

Today we are announcing four issues affecting two popular home automation solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive credentials securely on their associated Android apps. In addition, the Wink cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks. As most of these issues have not yet been addres

5 min Authentication

R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)

This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities: * R7-2017-07.1, CWE-284 (Improper Access Control) [https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote attacker can enumerate through MAC addr

2 min Authentication

Better Credential Management for Better Vulnerability Results

Often the first time the security team knows that credentials have expired is when their scans start to return dramatically fewer vulnerabilities. We all know getting credentialed access yields the best results for visibility. Yet, maintaining access can be difficult. Asset owners change credentials. Different assets have different frequencies for credential updates. Security teams are often left out of the loop. Between the original scan run time, the time it takes the security team to pinpoi

2 min Metasploit

Metasploit Framework Valentines Update

Valentines day is just around the corner! What could be a nicer gift for your sweetie than a bundle of new Metasploit Framework updates? The community has been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and interesting new features. Everyone Deserves a Second Chance Meterpreter Scripts have been deprecated for years [https://github.com/rapid7/metasploit-framework/pull/3812] in favor of Post Exploitation modules, which are much more flexible and easy to debug. Unfortuna

3 min Authentication

Under the Hoodie: Actionable Research from Penetration Testing Engagements

Today, we're excited to release Rapid7's latest research paper, Under the Hoodie: Actionable Research from Penetration Testing Engagements [https://www.rapid7.com/info/under-the-hoodie], by Bob Rudis [https://twitter.com/hrbrmstr], Andrew Whitaker [https://www.linkedin.com/in/drewwhitaker/], Tod Beardsley [https://twitter.com/todb], with loads of input and help from the entire Rapid7 pentesting team. This paper covers the often occult art of penetration testing, and seeks to demystify the proce

7 min Haxmas

The Twelve Pains of Infosec

One of my favorite Christmas carols is the 12 Days of Christmas [https://www.youtube.com/watch?v=oyEyMjdD2uk]. Back in the 90's, a satire of the song came out in the form of the 12 Pains of Christmas [https://www.youtube.com/watch?v=h4NlR5KQLQ8], which had me rolling on the floor in laughter, and still does. Now that I am in information security, I decided it is time for a new satire, maybe this will start a new tradition, and so I am presenting, the 12 Pains of Infosec. ----------------------

3 min Authentication

Avoiding Default Fail

As the Internet of Things (IoT) quickly floods into the marketplace, into our homes and into our places of employment, my years of pen testing experience and every research project I spin up remind me that IoT has weak defaults -- especially default passwords, which will be the undoing of all of us. You would think that after years of pointing out the issues with default passwords, most of us would have learned to change those passwords before deployment. Unfortunately that's not the case. I think we

6 min Breach Response News

NCSAM: You Should Use a Password Manager

October is National Cyber Security Awareness month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA [/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers] and the 30th anniversary of the CFAA - a problematic law that hinders beneficial security research. Throughout the month, we will be sharing content that enhances understanding of what independent security research

4 min Nexpose

InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility

Rapid7's Incident Detection and Response [https://www.rapid7.com/solutions/incident-detection/] and Vulnerability Management [https://www.rapid7.com/solutions/vulnerability-management.jsp] solutions, InsightIDR [https://www.rapid7.com/products/insightidr/] and Nexpose [https://www.rapid7.com/products/nexpose/], now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigation

2 min Authentication

800 Million Compromised Credentials Were Exposed This Month. Were You Notified?

In our previous post on third party breaches [/2016/06/01/if-employee-passwords-get-compromised-by-third-party-breach-does-your-system-make-a-sound] , we talked about the risk of public compromised credential leaks providing attackers with another ingress vector. This August, InsightIDR [https://www.rapid7.com/products/insightidr/?CS=blog], armed with knowledge from a partner, identified a “Very Large Credentials Dump”. Very large? Over 800 million compromised credentials [https://www.rapid7.com

2 min Authentication

Credential Status in Reporting Data Model

The new version of the Reporting Data Model (1.3.1) allows Nexpose [https://www.rapid7.com/products/nexpose/] users to create CSV reports with the credential status of their assets, i.e. whether the credentials provided by the user (global or site-specific) allowed a successful login to the asset during a specific scan. Credential Status Per Service: the new Reporting Data Model version extends fact_asset_scan_service with a new column containing the information about creden
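The two credential posts above describe the same problem from two sides: the "Better Credential Management" teaser notes that the first sign of expired scan credentials is usually a sudden drop in reported vulnerabilities, and the Reporting Data Model teaser describes a per-scan credential status that can be exported to CSV. The script below is an added example, not Rapid7 code, that turns those two signals into a check: it reads a credential-status export and flags assets whose credentialed login worked in the previous scan but not in the latest one, and corroborates that with the collapse in finding counts. The CSV columns, the status strings and the sample rows are all constructed for this example and are not the real Nexpose report layout.

```python
"""Flag assets whose credentialed scan access has lapsed between two scans.

Added example, not Rapid7 code. The CSV layout (asset, scan_id, scan_started,
credential_status, vuln_count) and the status strings are assumed for this
example; a real Nexpose credential-status export may use different names.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: two scans per asset, oldest first.
SAMPLE_CSV = """asset,scan_id,scan_started,credential_status,vuln_count
10.0.0.5,101,2016-07-01T02:00:00Z,login successful,184
10.0.0.5,102,2016-07-08T02:00:00Z,login failed,9
10.0.0.6,101,2016-07-01T02:00:00Z,login successful,97
10.0.0.6,102,2016-07-08T02:00:00Z,login successful,95
10.0.0.7,101,2016-07-01T02:00:00Z,no credentials supplied,12
10.0.0.7,102,2016-07-08T02:00:00Z,no credentials supplied,11
"""

# Assumed status value meaning "the supplied credentials logged in".
SUCCESS = "login successful"


def load_rows(text):
    """Parse the CSV export into a list of dicts, one per asset/scan pair."""
    return list(csv.DictReader(io.StringIO(text)))


def latest_two_scans(rows):
    """Return {asset: (previous_row, latest_row)} using scan start time for order.

    Assets seen in only one scan are skipped: there is nothing to compare.
    """
    by_asset = defaultdict(list)
    for row in rows:
        by_asset[row["asset"]].append(row)
    pairs = {}
    for asset, scans in by_asset.items():
        scans.sort(key=lambda r: r["scan_started"])
        if len(scans) >= 2:
            pairs[asset] = (scans[-2], scans[-1])
    return pairs


def lapsed_credentials(rows, drop_ratio=0.5):
    """List assets whose credentialed access was lost between the last two scans.

    An asset is flagged when the previous scan logged in successfully and the
    latest one did not. The finding count drop (latest < drop_ratio * previous)
    is recorded alongside, since that is the symptom a team usually notices
    first, and a status row that still says success but shows a collapse is
    worth a look too (flagged with a separate reason).
    """
    findings = []
    for asset, (prev, cur) in latest_two_scans(rows).items():
        prev_ok = prev["credential_status"] == SUCCESS
        cur_ok = cur["credential_status"] == SUCCESS
        prev_n, cur_n = int(prev["vuln_count"]), int(cur["vuln_count"])
        dropped = prev_n > 0 and cur_n < prev_n * drop_ratio
        if prev_ok and not cur_ok:
            reason = "lost_credentialed_access"
        elif prev_ok and cur_ok and dropped:
            reason = "finding_count_collapse"
        else:
            continue
        findings.append({
            "asset": asset,
            "reason": reason,
            "previous_status": prev["credential_status"],
            "current_status": cur["credential_status"],
            "previous_vulns": prev_n,
            "current_vulns": cur_n,
            "vuln_count_drop": dropped,
        })
    return findings


if __name__ == "__main__":
    for f in lapsed_credentials(load_rows(SAMPLE_CSV)):
        print(f"{f['asset']}: {f['reason']} "
              f"({f['previous_status']} -> {f['current_status']}, "
              f"{f['previous_vulns']} -> {f['current_vulns']} findings)")
```

Run against the sample data, only 10.0.0.5 is reported: its login went from successful to failed and its finding count fell from 184 to 9. 10.0.0.7 never had working credentials, so there is nothing to lose, and 10.0.0.6 is unchanged. In practice the status comparison is the reliable signal; the count drop is kept as a fallback because a big drop on a host that still reports success usually means a partial login (for example, elevated access was lost) and deserves the same ticket.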

6 min Metasploit

Pentesting in the Real World: Group Policy Pwnage

This is the third in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] Bac

3 min Metasploit

Pentesting in the Real World: Capturing Credentials on an Internal Network

This is the second in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] As

2 min Authentication

Passwords and the Devolution of Computer Users

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver]. You can read all of his previous guest posts here [/author/kevinbeaver]. Recently, I wrote about my thoughts on why we feel like we have to force short-term password changes in the name of “security.” [/2016/04/28/why-do-we-keep-forcing-short-term-password-changes] Since that time, Microsoft made an announcement to step in and help set its users (and itself) up for success [https://blogs.technet.microsoft.com