3 min
Penetration Testing
7 Funny and Punny Halloween Costume Ideas for Tech and Cybersecurity Pros
Stuck on what to be this year? Here are some of our favorite Halloween costume ideas for tech and cybersecurity professionals.
Read Full Post
4 min
Penetration Testing
Putting Pen (Tests) to Paper: Lessons and Learnings from Rapid7’s Annual Mega-Hackathon
Rapid7's Mega-Hackathon offers a unique chance to go beyond the data and get a feel for what pen testers are like in their natural habitat.
Read Full Post
5 min
Breach Preparedness
Phishing Attacks Duping Your Users? Here’s a Better Anti-Phishing Strategy.
You’ve hired the best of the best and put up the right defenses, but one thing
keeps slipping in the door: phishing emails. Part of doing business today,
unfortunately, is dealing with phishing attacks
[https://www.rapid7.com/fundamentals/phishing-attacks/]. Few organizations are
immune to phishing anymore; it’s on every security team’s mind and has become
the number one threat to organizations
[https://www.sans.org/reading-room/whitepapers/analyst/2017-threat-landscape-survey-users-front-line-3
Read Full Post
1 min
Whiteboard Wednesday
Whiteboard Wednesday: How to Implement A Phishing Awareness Training Plan in 5 Steps
There’s no silver bullet for protecting your organization from phishing
attacks [https://www.rapid7.com/solutions/phishing-protection/] today. The only
comprehensive approach leverages a combination of methods, many of which we’ve
covered in parts 1 [https://www.rapid7.com/resources/wbw-anti-phishing/] and 2
[https://www.rapid7.com/resources/wbw-phishing-protection/] of our three-part
phishing Whiteboard Wednesday series.
Phishing is a human problem, and part of the solution is to prop
Read Full Post
3 min
InsightPhishing
Rapid7 InsightPhishing (Beta): Unified phishing simulation, investigation, and analysis
Starting March 1, 2019, Rapid7 will no longer offer or support InsightPhishing,
and the beta program will end. Click here
[https://kb.help.rapid7.com/docs/insightphishing-end-of-program-announcement]
for more information.
Phishing attacks remain one of the top challenges for SecOps teams. Yes, we all
nod when we see the stats that get thrown around, like the ones below. But we
also know this because we’ve heard it directly from our customers. Rapid7 has a
long tradition of creating products an
Read Full Post
2 min
Metasploit
Federal Friday - 6.13.14 - New Group, Same Story
Happy Friday, Federal friends! It's another lovely Fall day here in Beantown but
I hope each of you is enjoying your early Summer weather. Some exciting news as
Rapid7 was named one of the Top Places to Work by the Boston Business Journal
(#11 Mid-size company)!
I'm going to keep it short and sweet today considering this is a topic I've
covered before. Given the news stemming from a new CrowdStrike
[http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_T
Read Full Post
2 min
Metasploit
Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast
In this week's webcast, Lital Asher-Dotan
[https://community.rapid7.com/people/lasherdotan] and ckirsch
[https://community.rapid7.com/people/ckirsch] tackled the hot topic, “Live
Bait:
How to Prevent, Detect, and Respond to Phishing Emails
[https://information.rapid7.com/prevent-detect-and-respond-to-phishing-emails.html?CS=blog]
”. Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations
Report on the most common attack vectors. Phishing attacks are often successful
because i
Read Full Post
1 min
Metasploit
Federal Friday - 5.30.14 - Social Engineering from the Middle East
Happy Friday, Federal friends. You can tell it's almost Summah up here because
it's been 50 and raining this week.
So an interesting piece of news from an article on DarkReading
[http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-ensnare-their-targets/d/d-id/1269270]
this week regarding an ongoing campaign targeting government officials and
contractors of both the US and Israel. This is a mash-up of social engineering
techniques from phishing to social
Read Full Post
2 min
Metasploit
Top 3 Takeaways from "7 Ways to Make Your Penetration Tests More Productive" Webcast
Earlier this week we heard from ckirsch
[https://community.rapid7.com/people/ckirsch], Senior Product Marketing Manager
for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint:
it's a lot!). With the increase in high profile breaches and their costs, more
and more emphasis is being put on the pen tester and security in general. Read
on if you'd like to get the top takeaways from this week's webcast so that you
aren't left in the dark about, "7 Ways to Make Your Penetratio
Read Full Post
1 min
Hacking
Rapid7: Coming to a city near you
We're taking this show on the road. Literally.
This week our multi-city Rapid7 roadshow event, “Security at the Crossroads,”
kicked off in New York and Minneapolis. Industry experts and fellow
practitioners – including speakers from Forrester, Cardinal Innovations
Healthcare Solutions, Vertex Pharmaceuticals, Porter Airlines, and TriNet –
gathered to share security stories, strategies, and best practices.
There isn't enough room to share all the takeaways from these two events, but
here are
Read Full Post
4 min
Social Engineering
Social Engineering: Would You Fall For This Phone Call?
Cyber criminals don't always need a keyboard to hack into your bank account or
company network. In fact, a lot of attacks start with a simple phone call.
Typically, the attackers are either trying to get information out of you or to
make you do something. This is a technique they call social engineering.
I've read a lot about social engineering over the years, since it's a personal
area of interest. It can be used by a bunch of different occupations, such as
FBI interrogators, con artists, sal
Read Full Post
2 min
Events
Social-Engineer CTF Report Released
For the last five years, the team at Social-Engineer have been bringing one of
the most exciting events to DEF CON - the Social Engineering Capture the Flag.
The contest was designed to help bring awareness to the world about how
dangerous social engineering can be. In our 5th year, the competition was
fierce and the report is the best we have ever released.
This year a pool of 10 men and 10 women, from diverse backgrounds and experience
levels, tested their social engineering abilities again
Read Full Post
1 min
Social Engineering
The Threat Within: RiskRater User Risk Report
Last week, we released the third of three reports from our RiskRater
[https://riskrater.rapid7.com/] research.
The first two reports focused on mobile devices
[http://www.rapid7.com/docs/mobile_aug_2013.pdf] and endpoint devices
[http://www.rapid7.com/docs/RiskRaterEndpointReport.pdf]. The latest report is
centered around the risks posed by the one thing that no organization can
operate without: Users.
With the amount of protections in place at the perimeter, attackers have shifted
much of the
Read Full Post
2 min
Social Engineering
Social Media: Vector for the New Economic Attack?
The big news in security this week has been the hijacking of the Associated
Press' Twitter account
[http://www.nbcnews.com/technology/technolog/ap-twitter-account-hacked-posts-false-white-house-scare-6C9560165]
. The attackers leveraged the "bad news" atmosphere created by the events in
Boston last week to gain some measure of credibility for a tweet about bombs
exploding at the White House. This is not a particularly new approach: in 2007,
the Storm Worm [http://en.wikipedia.org/wiki/Storm_Worm
Read Full Post
4 min
Metasploit
New Metasploit 4.5: Manage Your Organization's Phishing Exposure
You can now get a better handle on your organization's exposure to phishing
attacks [http://www.rapid7.com/solutions/need/manage-phishing-exposure.jsp]:
Metasploit Pro now gives you quick insight on risks and advice on how to reduce
them. With today's new release version 4.5, Metasploit Pro's social engineering
features are no longer just for penetration testers but add a lot of value for
more generalist security professionals. A handful of our customers already
tested these new capabilities i
Read Full Post
1 min
Metasploit
Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit
Thanks to the many CISOs and security engineers who attended our recent
webcast, in which I presented some practical advice on how to leverage
Metasploit to conduct regular security reviews that address current attack
vectors. While Metasploit is often used for penetration testing projects, this
presentation focuses on leveraging Metasploit for ongoing security assessments
that can be achieved with a small security team to reduce the risk of a data
breach.
This webcast is now available for on-
Read Full Post
2 min
Metasploit
Man on the SecurityStreet - Day 2 Continued.
It's your favorite reporter in the field, Patrick Hellen, reporting back with
some more updates from our speaking tracks at the UNITED Summit.
Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation
called Going on the Offensive - Proactive Measures in Securing your Company.
Just like HD's earlier presentation, we had our staff artist plot out the entire
speech, which you can see attached below.
When I say entertaining, the previous talk track was a debate session that Dave
Read Full Post
1 min
Exploits
Man on the SecurityStreet - UNITED Day 1.
Hello from San Francisco, home of the 2012 UNITED Summit.
It's been an incredibly full day. I'm writing this quick update from an
excellent presentation that nex [https://community.rapid7.com/people/nex] of
Cuckoo Sandbox fame is giving about threat modelling. According to Claudio's
research, only 103 of the almost 50,000 vulnerabilities in NVD's
vulnerability database are actually being exploited in crimeware kits like
BlackHole.
Claudio identified MS Office as the most exploited piece of
Read Full Post
3 min
Metasploit
SOC Monkey - Week in Review - 8.20.12
Monkeynauts,
Welcome back to your weekly round up of the best bits from my App
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be
downloading from the Apple App Store
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8].
This week, let's dive right into the most clicked story from last week with an
update on how Mat Honan is dealing with life post hack: How I Got My Digital
Life Back Again After An Epic Hacking.
[http://www.wired.com/gadgetlab/2012/08/mat-h
Read Full Post
4 min
Networking
SOC Monkey - Week in Review - 8.13.12
Welcome back Monkeynauts,
It's Monday, so that means I'm going to tell you to download my App
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], from the Apple
App
Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], before
launching into the top stories the Pips found interesting last week. Let's take
a look, shall we?
Let's start this week with something that might hit close to home for several of
you, including your favorite Monkey twitter aggregate: Blizzard's B
Read Full Post
4 min
Networking
SOC Monkey - Week in Review - 8.6.12
Monkeynauts,
It's good to have you back. If this is your first time here, feel free to check
out where I'm getting all my stories by downloading my App
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] from the Apple App
Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8].
Let's take a quick trip back to some of the big news from earlier this summer,
and discuss LinkedIn again: LinkedIn: Breach Cost Up to $1M, Says $2-3 Million
in Security Upgrades Coming.
[http://w
Read Full Post
3 min
Compliance
SOC Monkey Week In Review - 7.23.12
Hello my Monkeyreaders - and welcome back to another edition of the ongoing
misadventures of the InfoSec world, as told through my Free App
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available as
always in the Apple App Store
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8].
I figured I'd start off the week with a story that reminds me of all the Breach
stories from my last Review: Eight Million Email Addresses And Passwords
Spilled
From Gaming Site Gamigo Months A
Read Full Post
2 min
Penetration Testing
SOC Monkey Week in Review - 6.1.12
Dearest Monkeynauts,
As always, I'm back on Friday to give you the biggest news items the Pips have
sent out this week via my free app
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available in the
Apple App store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8].
Download now!
I'm sure none of you are surprised to see that our biggest topic is currently
Flame [http://www.wired.com/threatlevel/2012/05/flame/]. My feeds started to
explode earlier this week when Wire
Read Full Post
2 min
Compliance
SOC Monkey - Week in Review 5.25.12
It's SOC Monkey, coming to you on May 25th, otherwise known as Geek Pride Day
[http://en.wikipedia.org/wiki/Geek_Pride_Day]. Unrelated, sure, but not
something my Monkeynauts should be unaware of. Also, they should be aware of my
iPhone App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], still
free to download from the Apple App Store
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8].
First, let's start with a big company from the beginning of the Internet: Yahoo
Axis
Read Full Post
3 min
Networking
SOC Monkey Week In Review 5.11.12
Monkeynauts!
I have returned, and I bring free gifts from the Apple App Store
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] - my SOC Monkey App
[http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be
downloading as I type.
First up, I've got a great story from the always wonderful Wired
[http://www.wired.com/], about just how ubiquitous being attacked really is
these days: Everyone Has Been Hacked. Now What?
[http://www.wired.com/threatlevel/2012/05/every
Read Full Post
2 min
Patch Tuesday
Microsoft Security Bulletin Summary for February 2012
In the Microsoft Security Bulletin Summary for February 2012, Microsoft released
nine bulletins to address 20 vulnerabilities. Instead of love on Valentine's
day, organizations may have fear pumping through their hearts when you couple
the recent news of several high profile breaches with Patch Tuesday.
There are four bulletins rated “critical” and they will likely affect all
organizations. The critical bulletins are MS12-008, MS12-010, MS12-013, and
MS12-016 which are all related to browsers a
Read Full Post
3 min
Metasploit
How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features
When conducting a penetration testing assignment, one objective may be to get
into the network without tripping any of the alarms, such as IDS/IPS or
anti-virus. Enterprises typically add this to the requirements to test if their
defenses are good enough to detect an advanced attacker. Here's how you can make
sure you can sneak in and out without "getting caught".
Scan speed
First of all, bear in mind that you'll want to slow down your initial network
scan so you don't raise suspicion by crea
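The throttling point above is easy to make concrete with a small simulation. The code below is an added example, not code from the original post or from Metasploit (in nmap terms the knob being simulated is the slow -T0/-T1 timing templates). It builds a randomized, jittered probe schedule and runs it against a simulated threshold-style IDS rule: alert when one source sends more than N probes inside a sliding window. The hosts, ports, probe rates, window and threshold are all assumed values; real sensors use different windows and counts, so the numbers illustrate the mechanism rather than promise evasion.

```python
import random
from itertools import product

# Constructed targets for the simulation (not real hosts or a real scope).
HOSTS = ["10.0.0.%d" % i for i in range(1, 5)]
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
         443, 445, 993, 995, 1433, 1723, 3306, 3389, 5900, 8080,
         8443, 8888, 9000, 9090, 10000]


def build_scan_schedule(hosts, ports, probes_per_minute, jitter=0.5, seed=1):
    """Return a list of (t_seconds, host, port) probes.

    Targets are shuffled so the scan does not sweep one host port-by-port
    (a pattern sensors key on), and the gap between probes is the nominal
    gap +/- `jitter` so the cadence is not perfectly regular either.
    """
    rng = random.Random(seed)
    targets = list(product(hosts, ports))
    rng.shuffle(targets)
    nominal_gap = 60.0 / probes_per_minute
    schedule, t = [], 0.0
    for host, port in targets:
        schedule.append((round(t, 3), host, port))
        t += nominal_gap * (1.0 + rng.uniform(-jitter, jitter))
    return schedule


def peak_probes_in_window(schedule, window_seconds=60.0):
    """Largest number of probes that fall inside any sliding window."""
    times = sorted(t for t, _, _ in schedule)
    peak, start = 0, 0
    for i, t in enumerate(times):
        while times[start] < t - window_seconds:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def threshold_rule_alerts(schedule, window_seconds=60.0, max_probes=20):
    """Simulated IDS rule (assumed values): alert if one source exceeds
    `max_probes` probes within `window_seconds`."""
    return peak_probes_in_window(schedule, window_seconds) > max_probes


def scan_duration(schedule):
    """Seconds from the first probe to the last one."""
    return schedule[-1][0] if schedule else 0.0


if __name__ == "__main__":
    fast = build_scan_schedule(HOSTS, PORTS, probes_per_minute=6000)
    slow = build_scan_schedule(HOSTS, PORTS, probes_per_minute=6)
    for name, sched in (("fast", fast), ("slow", slow)):
        print(f"{name}: {len(sched)} probes over {scan_duration(sched):.0f}s, "
              f"peak per 60s window={peak_probes_in_window(sched)}, "
              f"alert={threshold_rule_alerts(sched)}")
```

The trade-off is visible in the output: the same 100 probes that trip the rule in about a second stay well under it when spread over a quarter of an hour. The defender's counter is the same arithmetic in reverse: lengthen the window (hours, not a minute) and count distinct destination ports per source, which a slow scan cannot hide from without taking days.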
Read Full Post
1 min
Metasploit
Bait the hook: How to write good phishing emails for social engineering
What are the baits that make people click on a link or attachment in a social
engineering email? I've looked at some common examples and tried to categorize
them. Maybe this list will trigger some ideas next time you're writing social
engineering emails.
Habits: Think of this as exploiting the brain's auto-pilot: a standard email
triggers the standard response of opening the attachment or clicking the link:
* LinkedIn connection requests
* GoToMeeting invitations
* Daily reports from a CRM/ERP sys
Read Full Post
1 min
Penetration Testing
Using the <base> tag to clone a web page for social engineering attacks
Social engineering campaigns can be a lot more effective if you can impersonate
a well-known website that users trust. However, when you simply clone a website
by cutting and pasting the page source and putting it on your own server, every
relative link, image and script reference breaks, because the browser now
resolves them against your server. Rewriting every link and image URL to point
at the original site can be cumbersome, but there's an alternative: the HTML
<base> tag. Placed inside the head element, it sets the URL (and optionally the
default target) against which the browser resolves every relative URL on the
page, so the copied page keeps pulling its images, stylesheets and links from
the real site.
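As an added example (not code from the original post), here is the trick end to end, plus the check a defender can run against it. The cloned page is a constructed sample and the hostnames are assumed: `inject_base` adds the tag at the top of the head, `resolve_links` shows what a browser would make of each relative href, src and action with that base in place, and `foreign_base` is the check a mail gateway or proxy could apply, flagging a page whose <base> points at a different host than the page was served from. Note the caveat in the resolved list: the login form's action resolves to the real site too, so a pentester who wants to capture credentials has to rewrite the form action to an absolute URL on the landing server, and that rewritten line is exactly what an analyst inspecting the page should read first.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample of a cut-and-paste clone: every URL is relative, so
# served from another host they would all break without a <base> tag.
CLONED_PAGE = """<html><head><title>Sign in</title></head>
<body>
<img src="/static/logo.png">
<a href="help/faq.html">Help</a>
<form action="/session" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""

URL_ATTR = re.compile(r'\b(?:href|src|action)="([^"]*)"', re.I)


def inject_base(html, base_href):
    """Put <base href=...> at the top of <head>; replace an existing <base> if present."""
    tag = f'<base href="{base_href}">'
    if re.search(r'<base\b', html, re.I):
        return re.sub(r'<base\b[^>]*>', lambda m: tag, html, count=1, flags=re.I)
    return re.sub(r'<head\b[^>]*>', lambda m: m.group(0) + tag,
                  html, count=1, flags=re.I)


def resolve_links(html, base_href):
    """Resolve every href/src/action the way a browser would with that <base>.
    Absolute URLs are left alone; relative ones are joined to base_href."""
    return [urljoin(base_href, u) for u in URL_ATTR.findall(html)]


def foreign_base(html, page_url):
    """Defender check: hostname of the <base> if it differs from the host the
    page was served from, else None. A relative base (e.g. "/") is same-host."""
    m = re.search(r'<base\b[^>]*\bhref="([^"]*)"', html, re.I)
    if not m:
        return None
    base_host = urlsplit(urljoin(page_url, m.group(1))).hostname
    page_host = urlsplit(page_url).hostname
    return base_host if base_host != page_host else None


if __name__ == "__main__":
    clone = inject_base(CLONED_PAGE, "https://login.example.com/")
    for u in resolve_links(CLONED_PAGE, "https://login.example.com/"):
        print("resolves to:", u)
    # Served from the assumed phishing host, the page's <base> gives it away.
    print("foreign base:", foreign_base(clone, "http://phish.example.net/login.html"))
```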
Let's say you've
Read Full Post
2 min
Networking
Is Cyber Espionage Cheating?
There is a great quote attributed many times to baseball legend Mark Grace: "If
you aren't cheating, then you aren't trying hard enough."
This resonates well with me in the current global market where everyone is
playing by new rules. It seems like even though many Americans value concepts
such as intellectual property, trade secrets, and competitive advantages, they
don't consider the value other countries place on them too, and they don't take
the necessary steps to protect their valuable
Read Full Post
2 min
Microsoft
Microsoft Patch Tuesday - November 2011
November's Microsoft Patch Tuesday contains four bulletins: one “critical”, two
“important”, and one “moderate”. The majority of these bulletins relate to
Microsoft's later versions of the OS, implying that the flaws they address were
possibly introduced with Windows Vista. Generally more vulnerabilities are found
in earlier versions of the OS, so this month is unusual.
The critical bulletin – MS11-083 – is a vulnerability in the Windows TCP/IP
stack's handling of UDP traffic which affects Vista, Windows 7, Server
Read Full Post
2 min
Microsoft
Zero-Day Attacks: Don't Believe the Hype
Microsoft Security Intelligence Report Volume 11
[http://www.microsoft.com/security/sir/default.aspx] for the first half of 2011
offers solid evidence to support what security researchers have been shouting
feverishly for the last year. This is just more data to confirm that zero-day
attacks – while they can certainly cause damage – aren't needed for over 99% of
actual attacks. The numbers also show that the top two attacks are user related.
The top attack vector was attacks requiring user in
Read Full Post
2 min
Networking
A Security Lesson from Benjamin Franklin
"Believe none of what you hear and half of what you see." is my favorite
Benjamin Franklin quote. Being an information security practitioner for over
half of my 36 years has taught me that this saying is true time and time again.
I dropped my wife and daughter off at a store this past weekend, while I stayed
in the car trying to keep up with the football scores on a Sunday afternoon. I
watched as a man walked out of the store and was interrupted by a male driver in
a frantic state who was stopp
Read Full Post
2 min
Networking
Chinese agencies double cyber attacks on Germany
"Prost Neujahr!" That's what we say for "Happy New Year" in Germany, where I
just spent a few days with my family to relax and get away from work. A futile
attempt, since the Bundesamt für Verfassungsschutz (Federal Office for the
Protection of the Constitution, or BfV for short) decided to publish new
statistics about cyber attacks. (And, yes, Germans love long words.)
According to the BfV's department for counter-espionage
[http://www.verfassungsschutz.de/de/arbeitsfelder/af_spionageabwehr_
Read Full Post
1 min
Metasploit
Rapid7 scam busters: Using social engineering to train your users about phishing attacks
With the holidays approaching, many people are looking for gift ideas and deals.
Holiday season is also hunting season for malicious hackers, who send out
phishing emails dressed up as gift ideas and deals.
How do you protect your employees from divulging their personal and even
corporate passwords to an attacker? It's hard to combat phishing with
technology. Training employees to spot phishing scams is the most effective
defense, but training is time-intensive and may impact productivity.
What if you could find a w
Read Full Post
2 min
Exploits
Sesame open: Auditing password security with Metasploit 3.5.1
Secret passwords don't only get you into Aladdin's cave or the tree house, but
also into corporate networks and bank accounts. Yet, they are one of the weakest
ways to protect access. Sure, there are better ways to secure access, such as
smart cards or one-time password tokens, but these are still far from being
deployed everywhere although the technology has matured considerably over the
past years. Passwords are still the easiest way into a network.
The new Metasploit version 3.5.1 adds a l
Read Full Post