1 min
Metasploit
Top 2 Takeaways from the "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests" Webcast
This week, Christian Kirsch [https://community.rapid7.com/people/ckirsch]
enlightened us about the latest trend in attacker methodologies: Credentials. In
the webcast, "Credentials are the New Exploits: How to Effectively Use
Credentials in Penetration Tests
[https://information.rapid7.com/creds-are-the-new-exploits-registration.html?CS=blog]
", we learned why credential abuse is in vogue, and what penetration testers can
do to tackle this head on with as much efficiency and proficiency as poss
2 min
Metasploit
Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10
By guest blogger Sean Duffy, IS Team Lead, TriNet
Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a
process they call Tech Preview. They asked me to openly share my thoughts with
the community.
Preparation and Logistics
I always enjoy working with Rapid7. Preparatory meetings and documentation made
the installation and testing process a breeze. Rapid7 was also kind enough to
extend my testing and feedback sessions when work so rudely intruded on the fun.
Zero compla
4 min
Metasploit
Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line
By guest blogger Robert Jones, Information Security Manager, City of Corpus
Christi
I had the opportunity to participate in a tech preview of Metasploit Pro's new
credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight
and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority
of my time pentesting, but instead I often find myself using Metasploit
to educate users by showing them how I can compromise their machines. It is
incredibly compelling
2 min
Metasploit
Metasploit Pro's New Credentials Features Save Us Time in Workflows
By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial
Recently I was invited to participate in Metasploit Pro's Tech Preview Program,
where customers are given early access to new product releases. I've taken part
in this program before and I have always loved the experience.
For those of you who haven't been involved in a Rapid7 Tech Preview program: It
starts out with a call with the customer engagement manager and the product
management team, who gave me an overview o
5 min
Authentication
Why hesitation hurts - act now to prevent costly problems later
The growing value of information and systems coupled with the shifting nature of
attackers puts a lot of pressure on security professionals to demonstrate
results. Adding to the challenge of balancing competing interests, resource
constraints and budgets is the need to figure out how to improve.
The increasing interest in compromised credentials from attackers demands our
attention. Focusing on accounts and looking for compromised credentials requires
action. The challenge is taking the right
5 min
Authentication
Why you need to let go in security to get what you want
The second part of the Party Crashers series focused on the need for us to
embrace change in order to combat the shifting nature of attackers and their
penchant for compromised credentials.
Guided by the preparation
(/2014/07/29/embrace-the-change-we-need-in-security-to-reap-the-benefits), our conversation is global. The
advantage to the series is the opportunity to maintain a dialogue. We shared a
lot of comments, insights, and thoughtful questions.
The series suggests a growing number of
3 min
Events
Weekly Metasploit Update: Countdown to DEFCON
Don't Be (too) Naked in Vegas
Wow, it's exactly two more weeks today until DEFCON. While Rapid7 has had a
vendor presence at Black Hat for many years (at booth #541), this year is, I
believe, the first time that we'll have a vendor table at DEFCON. I'm super
stoked about both gigs, since the Black Hat booth will give us an opportunity to
give away a fresh new batch of Metasploit T-Shirt Design contest
[http://99designs.com/t-shirt-design/contests/metasploit-design-contest-375195/brief]
4 min
Authentication
Why we can be optimistic in security even in the rise of compromised credentials
While use of compromised credentials in attacks isn't new, the growing trend is
cause for consideration. Adapting our mindsets and actions to the changing
nature of attackers is essential to achieving success in our efforts.
The kick-off conversation of our Party Crashers Summer Series
[https://information.rapid7.com/party-crashers.html] held a few "aha moments"
and revelations. More than just looking at the changing mindset and methods of
2 min
Authentication
I've got Sunshine
Sometimes sunshine can bring a smile on a cloudy day—encouraging thoughts come
from entirely unexpected places.
One of our favorite Internet darlings is having a rough go. Someone posted an
alleged sample of the data, which was (pretty quickly) refuted by the online
marketplace.
The ever-vigilant and curious Rapid7 Labs team tore into the sample data. A
diamond in the rough is what I wish to share with you.
We all know that passwords should be hashed. (There is no real reason anyone
should ev
2 min
Authentication
Top 3 Takeaways from "9 Top Takeaways from the Verizon Data Breach Investigations Report"
Hi, I'm Kelly Garofalo – you may know me as the voice of the moderator in most
of our security webcasts. (You know, the one that tells you about how you can
snag CPE credits for joining us and sends you a nice follow-up so that you can
access more wonderful webcasts and content.) I'm excited to bring you the top
takeaways from our recent webcast, “9 Top Takeaways from the Verizon Data
Breach
Investigations Report
[http://information.rapid7.com/9-takeaways-to-verizon-dbir.html?CS=blog]”
(Essentia
4 min
Authentication
ControlsInsight: A step-by-step approach to troubleshoot missing assets
ControlsInsight retrieves data from Nexpose, so it is important to make sure
that the site is properly configured. In this blog post, we will go through a
step-by-step procedure of setting up a site configuration that will enable
ControlsInsight to report on all Windows assets. We will also go through a
scenario to troubleshoot why an asset did not make it into ControlsInsight.
Step 1: Things we need
* The list of assets to be scanned, either by IP range or by hostnames
* ControlsInsight c
2 min
Phishing
Stolen passwords - the no. 1 attack vector
The latest Verizon DBIR 2014 report
[http://www.verizonenterprise.com/DBIR/2014/], published last week, clearly
shows that the use of stolen credentials became the most common attack vector
in 2013. In our upcoming webcast
[http://information.rapid7.com/catch-me-if-you-can-webcast-registration.html],
Matt Hathaway [https://community.rapid7.com/people/mhathawa] and I will discuss
how user-based attacks are becoming the no. 1 "threat action" (in Verizon's
words) and how organizations can detect
2 min
Authentication
Are Your Users Heartbleeding?
As we figure out the implications of the OpenSSL Heartbleed Vulnerability
(CVE-2014-0160), we are beginning to realize that due to the vast reach of the
vulnerability, one of the largest impacts will be on your networked users. We
suggest you read about ways to protect yourself against Heartbleed here
[http://information.rapid7.com/heartbleed-vulnerability-resources.html].
User accounts over web and cloud services may have been compromised and there is
no way to have full visibility of thes
10 min
Authentication
Heartbleed War Room - FAQ
Yesterday we did an impromptu (completely unrehearsed) live Q&A titled "The
Heartbleed War Room Webcast", which you can go listen to here:
http://information.rapid7.com/heartbleed-war-room.html
On this webcast we had
* Trey Ford, Rapid7's Global Security Strategist (@treyford)
* Mark Schloesser, Security Researcher at Rapid7 (@epmovsb), and
* Josh Feinblum, Rapid7's VP of Information Security (@TheCustos)
For more information, please visit our resource page:
* Heartbleed Vulnerability R
2 min
Authentication
Cyber security around the world - 17/2/14 - UK & Singapore
With so much happening in cyber security around the world lately, we're
highlighting some of the interesting stories each week from across Europe, the
Middle East, Africa and Asia Pacific. This week, we're in the United Kingdom and
Singapore…
United Kingdom
A few weeks ago, Tony Neate, CEO of the UK Government's Get Safe Online
initiative, stated that any password is better than no password at all, even if
it's as simple as "abc123"
[http://www.theguardian.com/technology/2014/jan/20/uk-cyber-security-