5 min
Public Policy
Prioritizing the Fundamentals of Coordinated Vulnerability Disclosure
In this post, we aim to distinguish between three broad flavors of CVD processes based on authorization, incentives, and resources required. We also urge wider adoption of foundational processes before moving to more advanced and resource-intensive processes.
3 min
Public Policy
Georgia should not authorize "hack back"
Update 05/09/18: Georgia Governor Deal vetoed SB 315. In a thoughtful veto
statement, the Governor noted that the legislation raised "concerns regarding
national security implications and other potential ramifications," and that "SB
315 may inadvertently hinder the ability of government and private industries"
to protect against breaches. The statement expressed interest in working with
the cybersecurity and law enforcement communities on a new policy.
The Georgia state legislature recently pas
2 min
Public Policy
Welcome transparency on US government's process for disclosing vulnerabilities
The White House recently released details on the US government's process for disclosing - or retaining - zero-day vulnerabilities. The new VEP charter provides answers to several key questions, but it remains to be seen how it will operate in practice.
4 min
Government
Cybersecurity for NAFTA
When the North American Free Trade Agreement (NAFTA) was originally negotiated,
cybersecurity was not a central focus. NAFTA came into force – removing
obstacles to commercial trade activity between the US, Canada, and Mexico – in
1994, well before most digital services existed. Today, cybersecurity is a major
economic force – itself a large industry and important source of jobs, as well
as an enabler of broader economic health by reducing risk and uncertainty for
businesses. Going forward, cybe
5 min
Public Policy
Copyright Office Calls For New Cybersecurity Researcher Protections
On Jun. 22, the US Copyright Office released
[https://www.copyright.gov/policy/1201/section-1201-full-report.pdf] its
long-awaited study on Sec. 1201 of the Digital Millennium Copyright Act (DMCA),
and it has important implications for independent cybersecurity researchers.
Mostly the news is very positive. Rapid7 advocated extensively for researcher
protections to be built into this report, submitting two sets of detailed
comments—see here
[/2016/03/15/rapid7-bugcrowd-and-hackerone-file-pro-res
2 min
Public Policy
Legislation to Strengthen IoT Marketplace Transparency
Senator Ed Markey (D-MA) is poised to introduce legislation to develop a
voluntary cybersecurity standards program for the Internet of Things (IoT). The
legislation, called the Cyber Shield Act, would enable IoT products that comply
with the standards to display a label indicating a strong level of security to
consumers – like an Energy Star rating for IoT. Rapid7 supports this legislation
and believes greater transparency in the marketplace will enhance cybersecurity
and protect consumers.
The
4 min
Public Policy
Rapid7 issues comments on NAFTA renegotiation
In April 2017, President Trump issued an executive order directing a review of
all trade agreements. This process is now underway: The United States Trade
Representative (USTR) – the nation's lead trade agreement negotiator – formally
requested [https://www.regulations.gov/docket/USTR-2017-0006] public input on
objectives for the renegotiation of the North American Free Trade Agreement
(NAFTA). NAFTA is a trade agreement between the US, Canada, and Mexico, that
covers a huge range of topics, fr
4 min
Public Policy
White House Cybersecurity Executive Order Summary
Yesterday President Trump issued an Executive Order on cybersecurity:
“Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure.”
[https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure]
The Executive Order (EO) appears broadly positive and well thought out, though
it is just the beginning of a long process and not a sea change in itself. The
EO directs agencies to come up with plans
4 min
Public Policy
Rapid7 urges NIST and NTIA to promote coordinated disclosure processes
Rapid7 has long been a champion of coordinated vulnerability disclosure and
handling processes as they play a critical role in both strengthening risk
management practices and protecting security researchers. We not only use
coordinated disclosure processes in our own vulnerability disclosure
[https://www.rapid7.com/security/disclosure/] and receiving activities, but also
advocate for broader adoption in industry and in government policies.
Building on this, we recently joined forces with other
3 min
Nexpose
Publishing Nexpose Asset Risk Scores to ePO
Security professionals today face great challenges protecting their assets from
breaches by hackers and malware. A good vulnerability management solution
[https://www.rapid7.com/solutions/vulnerability-management/] could help mitigate
these challenges, but vulnerability management solutions often produce huge
volumes of data from scanning and require lots of time spent in differentiating
between information and noise.
Rapid7 Nexpose [https://www.rapid7.com/products/nexpose/] helps professionals
6 min
Government
Vulnerability Disclosure and Handling Surveys - Really, What's the Point?
Maybe I'm being cynical, but I feel like that may well be the thought that a lot
of people have when they hear about two surveys posted online this week to
investigate perspectives on vulnerability disclosure and handling. Yet despite
my natural cynicism, I believe these surveys are a valuable and important step
towards understanding the real status quo around vulnerability disclosure and
handling so the actions taken to drive adoption of best practices will be more
likely to have impact.
Hopef
4 min
Authentication
Brute Force Attacks Using US Census Bureau Data
Currently one of the most successful methods for compromising an organization is
via password-guessing attacks. To gain access to an organization using brute
force attack
[https://www.rapid7.com/fundamentals/brute-force-and-dictionary-attacks/]
methods, there are a minimum of three things a malicious actor needs: A
username, a password, and a target. Often the targets are easy to discover, and
typically turn out to be email systems such as Outlook Web Access (OWA) or VPN
solutions that are expo
2 min
Public Policy
I've joined Rapid7!
Hello! My name is Harley Geiger and I joined Rapid7 as director of public
policy, based out of our Washington, DC-area office. I actually joined a little
more than a month ago, but there's been a lot going on! I'm excited to be a part
of a team dedicated to making our interconnected world a safer place.
Rapid7 has demonstrated a commitment to helping promote legal protections for
the security research community. I am a lawyer, not a technologist, and part of
the value I hope to add is as a repr
2 min
Metasploit
Federal Friday - 4.25.14 - A Whole Lot of Oops
Happy Friday, Federal friends! I hope all of you enjoyed some nice family time
over the respective holidays last week. After a successful Marathon Monday here
in Boston we're blessed with chirping birds and blooming flowers (finally)!
As you all probably know by now, Verizon released their latest DBIR
[http://www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf]
report earlier this week. While this report covered a wide range of topics in
regards to breaches, I
2 min
Government
GestioIP Authenticated Remote Command Execution module
GestioIP is an open-source IPAM (IP Address Management) solution available on
Sourceforge, written in Perl.
There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6
hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to
perform the ping and return the results to the user.
However, this library doesn't seem to support IPv6 hosts, so the developer uses
the ping6 utility to perform the ping of an IPv6 machine. The developer did
perform some validat