Posts tagged Labs

3 min Project Sonar

107,000 web sites no longer trusted by Mozilla

Mozilla's Firefox and Thunderbird recently removed 1024-bit certificate authority (CA) certificates from their trusted store. This change was announced to the various certificate authorities in May of this year and shipped with Firefox 32 on September 2nd. This change was a long time coming, as the National Institute of Standards and Technology (NIST) recommended [http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf] that 1024-bit RSA keys be deprecated in 2010 and disallowed after

3 min Project Sonar

Gaping SSL? My Heartbleeds

As you may already know, last night a vulnerability affecting OpenSSL was reported and it most likely affects your organization. The "Heartbleed" SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web-, email-, database- and chat-servers. How does it work? This vulnerability allows an attacker to read a portion of memory from the remote system without the need for any known credentials or other authentication forms.

4 min Project Sonar

Legal Considerations for Widespread Scanning

Last month Rapid7 Labs launched Project Sonar [/2013/09/26/welcome-to-project-sonar], a community effort to improve internet security through widespread scanning and analysis of public-facing computer systems. Through this project, Rapid7 is actively running large-scale scans to create datasets, sharing that information with others in the security community, and offering tools to help them create datasets, too. Others in the security field are doing similar work. This fall, a research team at the

3 min Exploits

Estimating ReadyNAS Exposure with Internet Scans

I wanted to share a brief example of using a full scan of IPv4 to estimate the exposure level of a vulnerability. Last week, Craig Young [https://twitter.com/craigtweets], a security researcher at Tripwire, wrote a blog post [http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/] about a vulnerability in the ReadyNAS network storage appliance. In an interview with Threatpost [http://threatpost.com/netgear-readynas-storag

4 min Project Sonar

The Security Space Age

I was fortunate enough to present as the keynote speaker for HouSecCon 4 [http://houstonseccon.com/]. The first part of my presentation focused on the parallels between information security today and the dawn of the space age in the late 1950s. The second section dove into internet-wide measurement and details about Project Sonar. Since it may be a while before the video of the presentation is online, I wanted to share the content for those who may be interested and could not attend the event. A