Posts tagged Government

4 min Authentication

Brute Force Attacks Using US Census Bureau Data

Currently one of the most successful methods for compromising an organization is via password-guessing attacks. To gain access to an organization using brute force attack methods, there are a minimum of three things a malicious actor needs: A username, a password, and a target. Often the targets are easy to discover, and typically turn out to be email systems such as Outlook Web Access (OWA) or VPN solutions that are exposed to the Internet. Once a malicious actor has a target, they next need a

7 min Public Policy

Wassenaar Arrangement - Recommendations for cybersecurity export controls

The U.S. Departments of Commerce and State will renegotiate [https://www.bis.doc.gov/index.php/forms-documents/doc_download/1434-letter-from-secretary-pritzker-to-several-associations-on-the-implementation-of-the-wassenaar-arrang] an international agreement – called the Wassenaar Arrangement [http://www.wassenaar.org/about-us/] – that would place broad new export controls on cybersecurity-related software. An immediate question is how the Arrangement should be revised. Rapid7 drafted some initi

4 min Public Policy

Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201

On Mar. 3rd, Rapid7, Bugcrowd [https://bugcrowd.com/], and HackerOne [https://hackerone.com/] submitted joint comments to the Copyright Office urging them to provide additional protections for security researchers. The Copyright Office requested public input [http://copyright.gov/fedreg/2015/80fr81369.pdf] as part of a study on Section 1201 [https://www.law.cornell.edu/uscode/text/17/1201] of the Digital Millennium Copyright Act (DMCA). Our comments to the Copyright Office focused on reforming

2 min Public Policy

I've joined Rapid7!

Hello! My name is Harley Geiger and I joined Rapid7 as director of public policy, based out of our Washington, DC-area office. I actually joined a little more than a month ago, but there's been a lot going on! I'm excited to be a part of a team dedicated to making our interconnected world a safer place. Rapid7 has demonstrated a commitment to helping promote legal protections for the security research community. I am a lawyer, not a technologist, and part of the value I hope to add is as a repr

13 min Public Policy

12 Days of HaXmas: Political Pwnage in 2015

This post is the ninth in the series, "The 12 Days of HaXmas." 2015 was a big year for cybersecurity policy and legislation; thanks to the Sony breach at the end of 2014, we kicked the new year off with a renewed focus on cybersecurity in the US Government. The White House issued three legislative proposals [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure], held a cybersecurity summit, and signed a new Executive Order, all before the end of February. The OPM br

4 min Government

Obama: Data Custodians are Accountable

Yesterday, President Obama announced he's proposing new legislation to boost data privacy and custodianship on a national level. [http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families] As there's a lot to tackle here, I'm breaking my thoughts into a handful of areas. The need for a Federal mandate on breach notifications and data privacy Currently, data privacy is a bit of a patchwork that varies a great deal from state to state. Today, 47 s

1 min Metasploit

Federal Friday - 11.7.14 - Up in the Clouds...

Happy Friday, Federal friends! I hope everyone had a festive Halloween! According to the commercials I've been seeing starting on 11/1, I guess we're skipping Thanksgiving this year and jumping right into the Holiday Season [http://www.idigitaltimes.com/black-friday-sales-2014-store-hours-and-start-time-target-walmart-best-buy-kmart-393775] ... So the time has finally come, Fed is starting to embrace the cloud (slowly). Within the last week we've seen NIST push out a road map for Cloud Infra

3 min Metasploit

Federal Friday - 10.24.14 - NCSAM Week 4

Happy Friday, Federal friends! Can anyone else believe next week is Halloween? Feels like only yesterday I was talking about the start of the MLB season and now we're through 2 games of the World Series... So this week is the 4th week of National Cybersecurity Awareness Month [http://www.dhs.gov/national-cyber-security-awareness-month-2014-week-four]. To me this is one of the more important weeks, as the campaign centers around Cybersecurity for Small/Medium-sized businesses and Entrepreneurs. T

2 min Metasploit

Federal Friday - 10.17.14 - Cybersecurity Awareness Month

Happy Friday, Federal friends. I hope the 2nd full week of FY15 is going well for you. Feels like we have the last 2 warm days of the year coming up this weekend, thanks in part to this little graphic from NOAA. October, one of the nicer months of the year, is also known as Cybersecurity Awareness Month. We talked about it earlier this month in another blog post [/2014/10/06/cyber-security-awareness-month-taking-it-to-the-c-level-and-beyond], but I wanted to highlight it here as well. While

1 min Metasploit

Federal Friday - 10.3.14 - Happy (Fiscal) New Year

Happy Friday, Federal Friends! Something seems a little different this year than last year, can't quite put my finger on it though... [/2013/10/04/federal-friday--10413--shutdown-edition] So, being that we all just made it through another roller coaster of a FY, I wanted to keep today fairly light. Just as we've seen the frequency of attacks increase, we have also seen a dramatic rise in cyber-related plot lines and references in mainstream media. The latest being a CBS show called Scorpion, ahem

1 min Metasploit

Federal Friday - 9.26.14 - Shell Shocked and Bashed

Happy Friday, Federal Friends! Having a relatively quiet week? Just looking forward to a quiet end to FY14? Riiiiiiiiight, same here.... Most of you probably had an interesting 2nd half of the week, just as we did. Like a judge at the Olympics, DHS [http://www.huffingtonpost.com/2014/09/24/new-bash-software-bug-m_n_5878398.html?ir=Technology] has scored this little ditty a 10 out of 10 both in impact and in how easy it is to use this vuln to run an exploit. While this doesn't have the "world-is-end

2 min Metasploit

Federal Friday - 9.19.14 - Talk Like A Pirate Day Edition

Arrrrrg! Happy Friday, Federal Mateys! Th' air be crisp 'n th' leaves be turnin' in New England, which means 'tis almost the hour to strap on me skis! Another week has gone by 'n another breach be bein' reported by FireEye [http://www.fireeye.com/blog/technical/2014/09/putting-transcom-in-perspective.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityBloggersNetwork+%28Security+Bloggers+Network%29]. Arrrgh mateys, 'tis one involves a foreign government penetratin' th' net

2 min Metasploit

Federal Friday - 9.5.14 - Keeping 3rd Parties Honest

Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day weekend, and the short week to follow. I happily took last week off as well, maximizing the effect of the "long" weekend. Additionally, a group of 25 Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm happy to say all of the "Dirty Moose" made it through the mud and obstacles, for the 2nd year in a row, and we helped generate funds for the Wounded Warrior Project [http://www.wound

1 min Metasploit

Federal Friday - 8.22.14 - A Sensitive Cloud and Some Additional Strategy

Happy Friday, Federal Friends! Do you hear that? That sound you're hearing is the collective high-five every adult with children just gave each other in celebration of "Back to School [http://giphy.com/gifs/WKdPOVCG5LPaM]." For those of you whose summah is coming to a close, I hope it has been a great couple of months. For those of you that don't have to worry about that, I'll see ya at the empty beach in September. I read a great article this week about another take on cyber strategy. Piggy--b

2 min Metasploit

Federal Friday - 8.8.14 - Military Strategy in Cybersecurity

Happy Friday, Federal friends! I hope that you folks out in the desert are having a blast at BlackHat, B-Sides and DEFCON. It sounds like it's been a great week out there, mostly because it's been so quiet back here in HQ. Speaking of BlackHat, there was a session this week being hosted by Tom Cross, director of security research at Lancope. He, and two other industry experts, were going to be discussing utilizing a variety of militaristic approaches to cybersecurity. In particular, having orga