Posts tagged Hacking

2 min Hacking

All About the Very First Rapid7 Hacker Games

We just completed our first successful run of the first-ever Rapid7 Hacker Games competition, so I thought it'd be appropriate to do a little write-up on all the fun activities. So, what exactly is the Rapid7 Hacker Games competition? Well, a hacking competition! Specifically, a hacking competition for teams of university students set up via a virtual lab, so all participants could compete simultaneously from a remote location of their choosing. Each university fielded a team of up to 5 studen

2 min Cloud Infrastructure

#IoTSec and the Business Impact of Hacked Baby Monitors

By now, you've probably caught wind of Mark Stanislav's ten newly disclosed vulnerabilities last week, or seen our whitepaper on baby monitor security. You may also have noticed that Rapid7 isn't really a Consumer Reports-style testing house for consumer gear. We're much more of an enterprise security services and products company, so what's the deal with the baby monitors? Why spend time and effort on this? The Decline of Human Dominance Well, this whole “Internet of Things” is in the midst o

1 min Vulnerability Disclosure

#IoTsec AMA on Reddit: Sept. 9 @ 3:30pm EST with Mark Stanislav & Tod Beardsley

[update 3pm EST Sept 9] This AMA is now live! The direct link is here: https://www.reddit.com/r/IAmA/comments/3ka38q/we_are_professional_iot_hackers_and_researchers/ Join us and ask your questions! Following up on their research on IoT baby monitor vulns [https://www.rapid7.com/iotsec], Mark Stanislav [http://twitter.com/markstanislav] & Tod Beardsley [http://twitter.com/todb] will be doing an Ask Me Anything (AMA) on Reddit in r/IAMA this Wednesday, September 9, at 3:30pm EST. They'll be a

12 min Vulnerability Disclosure

#IoTsec Disclosure: 10 New Vulnerabilities for Several Video Baby Monitors

Usually, these disclosure notices contain one, maybe two vulnerabilities on one product. Not so for this one; we've got ten new vulnerabilities to disclose today. If you were out at DEF CON 23, you may have caught Mark Stanislav's workshop, “The Hand that Rocks the Cradle: Hacking IoT Baby Monitors.” You may have also noticed some light redaction in the slides, since during the course of that research, Mark uncovered a number of new vulnerabilities across several video baby monitors. Vendors w

5 min Exploits

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended stop one of the Window kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

2 min Hacking

Making Your Voice Heard for the Future of Automotive Safety

TL;DR: Show Your Support to Secure the Future of Automotive [https://www.change.org/p/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries] Safety [https://www.change.org/p/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries] About a year and a half ago, Josh Corman [http://twitter.com/joshcorman] and I began having a discus

1 min Authentication

Can 800,000 individuals compromised at the French Orange breach put you at risk?

We just read about an attack on Orange France [http://www.zdnet.com/hackers-access-800000-orange-customers-data-7000025880/], where 800,000 people have potentially had their information compromised. The data that was accessed included names, mailing addresses, phone numbers, email addresses, customer accounts, and IDs. This could potentially trigger a domino effect of other companies being breached due to the personal data that the attackers acquired. There is a huge marketplace for selling p

1 min Hacking

40% of the COUNTRY hacked!

With the US retail market reeling from a tough end to the holiday season due to security breaches a little news from overseas [http://money.cnn.com/2014/01/21/technology/korea-data-hack/] shows this problem has no borders and is continuing to grow.  Headlines are designed to be the hook to the article and occasionally get trumped up, but in this case the numbers tell the story without need to exaggerate, 40% of the population of South Korea, ~20 million people, had their personal data stolen or

1 min Nexpose

Hacking as One Moose

Twelve hours into Rapid7's Annual Global Domination Hackathon and we are still going strong. Pulling together all the members of our global team for a multi-day kickoff in Boston gave us a fantastic opportunity to collect the wealth of talent and share in an epic hackathon event. Our cross-functional teams are getting their creative juices flowing, chugging Red Bulls and 5-hour energies, building robotic versions of our CTOs, destroying watermelons, driving million dollar virtual cars... and of

1 min Metasploit

Putting the Fax Straight: Rapid7.com and Metasploit.com Website Defacement

We want to share a short update regarding the defacement of Rapid7.com and Metasploit.com last week. A malicious 3rd party, claiming to be KDMS, changed the DNS settings with our domain registrar, Register.com. We have heard from Register.com that the attacker did NOT use a spoofed change request fax as originally and unintentionally communicated by Register.com. It's more likely the attackers used other social engineering techniques, resulting in compromised credentials of a Register.com emplo

1 min Metasploit

HackMiami Web Application PwnOff - Nexpose w/Metasploit Dominated

During the HackMiami 2013 Hacker Conference [http://hackmiami.org/]held in Miami Beach, a live Web Application Scanner PwnOff contest pitted common web scanning suites against each other. Participates included Acunetix, IBM Rational AppScan, NT OBJECTives NTOSpider, Portswigger Burp, and Rapid7 Nexpose [http://www.rapid7.com/products/nexpose/] with Metasploit [http://www.rapid7.com/products/metasploit/]. In a head-to-head battle each of the automated web application scanning suites went up agai

4 min Exploits

Ray Sharp CCTV DVR Password Retrieval & Remote Root

On January 22, 2013, a researcher going by the name someLuser [http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html] detailed a number of security flaws in the Ray Sharp DVR platform [http://www.raysharp.cn/en/prodNetWork.aspx?Id=62]. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann [http://www.swann.com/s/products/swannview], Lorex, URMET, KGuard, Def

1 min Exploits

White House Spear Phished

Yesterday news broke that an unclassified system at the White House Military Office was breached via a spear phish attack. The news of this attack is not surprising at all. Our government networks are under non-stop targeted attacks and some of these attacks will eventually compromise the intended victim. The reports that we've seen indicate that it was an unclassified network that was compromised. These types of systems are connected directly to the Internet, and wouldn't be considered mission

4 min Networking

SOC Monkey - Week in Review - 8.6.12

Monkeynauts, It's good to have you back. If this is your first time here, feel free to check out where I'm getting all my stories by downloading my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Let's take a quick trip back to some of the big news from earlier this summer, and discuss LinkedIn again: LinkedIn: Breach Cost Up to $1M, Says $2-3 Million in Security Upgrades Coming. [http://w

3 min Networking

SOC Monkey's Week in Review - 3.23.12

Hello all, Every Friday I'm going to round up the week with a few of my favorite stories that we've seen during the week on my app (SOC Monkey, available now, free in the Apple App Store). Let's dive right in, shall we? One of the biggest items of the week was the latest word from Facebook on employers asking job applicants to reveal their passwords. Ars Technica's article saw a lot of interest: Facebook says it may sue employers who demand job applicants' passwords [http://arstechnica.com