Posts tagged Authentication

1 min Metasploit

Top 2 Takeaways from the "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests" Webcast

This week, Christian Kirsch enlightened us about the latest trend in attacker methodologies: credentials. In the webcast "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests", we learned why credential abuse is in vogue, and what penetration testers can do to tackle this head on with as much efficiency and proficiency as poss

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet. Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community. Preparation and Logistics: I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero compla

4 min Metasploit

Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi. I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I oftentimes find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelling

2 min Metasploit

Metasploit Pro's New Credentials Features Save Us Time in Workflows

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial. Recently I was invited to participate in Metasploit Pro's Tech Preview Program, where customers are given early access to new product releases. I've taken part in this program before and I have always loved the experience. For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview o

5 min Authentication

Why hesitation hurts - act now to prevent costly problems later

The growing value of information and systems coupled with the shifting nature of attackers puts a lot of pressure on security professionals to demonstrate results. Adding to the challenge of balancing competing interests, resource constraints and budgets is the need to figure out how to improve. The increasing interest in compromised credentials from attackers demands our attention. Focusing on accounts and looking for compromised credentials requires action. The challenge is taking the right

5 min Authentication

Why you need to let go in security to get what you want

The second part of the Party Crashers series focused on the need for us to embrace change in order to combat the shifting nature of attackers and their penchant for compromised credentials. Guided by the preparation (/2014/07/29/embrace-the-change-we-need-in-security-to-reap-the-benefits), our conversation is global. The advantage to the series is the opportunity to maintain a dialogue. We shared a lot of comments, insights, and thoughtful questions. The series suggests a growing number of

3 min Events

Weekly Metasploit Update: Countdown to DEFCON

Don't Be (too) Naked in Vegas. Wow, it's exactly two more weeks today until DEFCON. While Rapid7 has had a vendor presence at Black Hat for many years (at booth #541), this year is, I believe, the first time that we'll have a vendor table at DEFCON. I'm super stoked about both gigs, since the Black Hat booth will give us an opportunity to give away a fresh new batch of Metasploit T-Shirt Design contest

4 min Authentication

Why we can be optimistic in security even in the rise of compromised credentials

While use of compromised credentials in attacks isn't new, the growing trend is cause for consideration. Adapting our mindsets and actions to the changing nature of attackers is essential to achieving success in our efforts. The kick-off conversation of our Party Crashers Summer Series held a few “aha moments” and revelations. More than just looking at the changing mindset and methods of

2 min Authentication

I've got Sunshine

Sometimes sunshine can bring a smile on a cloudy day—encouraging thoughts come from entirely unexpected places. One of our favorite Internet darlings is having a rough go. Someone posted an alleged sample of the data, which was (pretty quickly) refuted by the online marketplace. The ever-vigilant and curious Rapid7 Labs team tore into the sample data. A diamond in the rough is what I wish to share with you. We all know that passwords should be hashed. (There is no real reason anyone should ev

2 min Authentication

Top 3 Takeaways from "9 Top Takeaways from the Verizon Data Breach Investigations Report"

Hi, I'm Kelly Garofalo – you may know me as the voice of the moderator in most of our security webcasts. (You know, the one that tells you about how you can snag CPE credits for joining us and sends you a nice follow-up so that you can access more wonderful webcasts and content.) I'm excited to bring you the top takeaways from our recent webcast, “9 Top Takeaways from the Verizon Data Breach Investigations Report” (Essentia

4 min Authentication

ControlsInsight: A step-by-step approach to troubleshoot missing assets

ControlsInsight retrieves data from Nexpose, so it is important to make sure that the site is properly configured. In this blog post, we will go through a step-by-step procedure of setting up a site configuration that will enable ControlsInsight to report on all Windows assets. We will also go through a scenario to troubleshoot why an asset did not make it into ControlsInsight. Step 1: Things we need * The list of assets to be scanned either by IP range or hostnames * ControlsInsight c

2 min Phishing

Stolen passwords - the no. 1 attack vector

The latest Verizon DBIR 2014 report, published last week, clearly shows that the use of stolen credentials became the most common attack vector in 2013. In our upcoming webcast, Matt Hathaway and I will discuss how user-based attacks are becoming the no. 1 "threat action" (in Verizon's words) and how organizations can detect

2 min Authentication

Are Your Users Heartbleeding?

As we figure out the implications of the OpenSSL Heartbleed Vulnerability (CVE-2014-0160), we are beginning to realize that due to the vast reach of the vulnerability, one of the largest impacts will be on your networked users. We suggest you read about ways to protect yourself against Heartbleed here. User accounts over web and cloud services may have been compromised and there is no way to have full visibility of thes

10 min Authentication

Heartbleed War Room - FAQ

Yesterday we did an impromptu (completely unrehearsed) live Q&A titled ‘The Heartbleed War Room Webcast’ which you can go listen to here. On this webcast we had * Trey Ford, Rapid7's Global Security Strategist (@treyford) * Mark Schloesser, Security Researcher at Rapid7 (@epmovsb), and * Josh Feinblum, Rapid7's VP of Information Security (@TheCustos). For more information, please visit our resource page: * Heartbleed Vulnerability R

2 min Authentication

Cyber security around the world - 17/2/14 - UK & Singapore

With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, the Middle East, Africa and Asia Pacific. This week, we're in the United Kingdom and Singapore… United Kingdom: A few weeks ago, Tony Neate, CEO of the UK Government's Get Safe Online initiative, stated that any password is better than no password at all, even if it's as simple as “abc123”