4 min
Haxmas
An Evaluation of the North Pole’s Password Security Posture
Co-written by Jonathan Stines and Tommy Dew. See all of this year's HaXmas content here.
He sees your password choices;
He knows when they’re not great.
So don’t reuse those passwords, please,
And make them all longer than eight.
Now that Christmas has passed and all of the chaos from the holidays is winding
down, Santa and the elves are finally able to sit back and recover from the
strenuous Holiday commotion. H
6 min
Haxmas
Regifting Python in Metasploit
Metasploit has been taking random Python scripts off the internet and passing them off as modules! Well, not exactly. Read on to see how we're extending the module system's scalability and what Python has to do with that.
4 min
Haxmas
Forget The Presents: HaXmas Is All About The [Gift] Certificates
2017 is nearly at an end, and most of the cybersecurity world is glad to see it
go. We've been plagued with a myriad of vulnerabilities, misconfigurations and
attacks that have kept many of us working harder than Santa's elves on December
23rd to ensure our systems and networks were not in harm's way.
The attacks may be over, but 2017 is not done "giving" just yet.
Earlier this year, the Google Chrome team announced their intent to deprecate
and remove trust in Symantec-issued certificates due
5 min
Haxmas
Uses For Tech of HaXmas Past
Before you throw technology from HaXmas gifts past on the shelf of misfit toys, consider this story about how one security researcher found new uses for an old gizmo. Your old tech is crying out to be reused!
3 min
Haxmas
HaXmas: The True Meaning(s) of Metasploit
Rapid7 Research Director Tod Beardsley kicks off our storied "12 Days of HaXmas" series with a thrilling tale of browser 0day, exploit module development, and the true meaning(s) of Metasploit.
1 min
Haxmas
On the Zero-eth Day of HaXmas...
I suppose it’s only fitting that this year, we introduce our storied 12 Days of
HaXmas on the zero-eth day. Technically, Twelvetide doesn't start until
December 25th. This year, we’re focusing on the security events that grabbed our
attention, metrics that piqued our interest, and projects we pursued outside the
blog and research spheres. We wanted to take a moment here at the end of the
year to make sure that they didn’t just get lost lik
3 min
Metasploit
Metasploit Wrapup: Dec. 22, 2017
Even with the year winding down to a close, activity around Metasploit has been
decidedly “hustle and bustle”. Some cool new things to talk about this week, so
sit back and dig in!
For Your iOS Only
If you’ve been wanting to run Meterpreter under iOS, then this bit is for you!
While Mettle has technically worked on iOS since February, @timwr has added
official Metasploit Framework support
2 min
Protecting Your Web Site from the Doubleclick XSS Vulnerability
Advertising largely supports free content on the Internet, and many significant
sites rely on DoubleClick for Publishers (DFP), Google’s advertising platform
for publishers to monetize their traffic. Unfortunately for the AdOps world, DFP
has been hosting cross-site scripting (XSS)-vulnerable ads since 2015! Ouch.
You’re writing compelling content for your readers and using Google ads to pay
the bills. Google has tools for you, and you’ve just found out that these tools
could compromise your
4 min
Detection and Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 4)
This is not a drill. In this final installment, read our recommendations for handling a real incident. Whether opportunistic or targeted, here's what you should be thinking about.
3 min
Public Policy
NIST Cyber Framework Updated With Coordinated Vuln Disclosure Processes
A key guideline for cybersecurity risk management now includes coordinated vulnerability disclosure and handling processes. This revision will help boost adoption of processes for receiving and analyzing vulnerabilities disclosed from external sources, such as researchers.
18 min
Vulnerability Disclosure
R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities
Summary of Issues
Multiple vulnerabilities in Cambium Networks’ ePMP and cnPilot product lines
were discovered by independent researcher Karn Ganeshen, which have, in turn,
been addressed by the vendor. The affected devices are in use all over the world
to provide wireless network connectivity in a variety of contexts, including
schools, hotels, municipalities, and industrial sites, according to the vendor.
These issue
3 min
GDPR
MDR and GDPR: More than a lot of letters
With 2018 now well in our sights, the countdown to the General Data Protection
Regulation (GDPR) is most definitely on. Articles 33 and 34 of the GDPR
require organizations to communicate
personal data breaches when there is a high risk of impact to the people to whom
the data pertains. GDPR security requirements and breach notification go
hand-in-hand, for obvious reasons. In the words of the European Commission
Working Party 29 (the group who are ta
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Dec. 15, 2017
I Read the News Today, Oh Boy
As we near the end of the year we must express appreciation for the Metasploit
community as a whole. Each contribution is valuable, be it an exploit for the
latest vulnerability, documentation, spelling corrections, or anything in
between. Together we shape the future of Metasploit. The Metasploit community
really surprised us this time around, as the latest release brings five new
exploit and two new auxiliary modules.
Hey! You! Get Off of My Cloud
Zenofex
3 min
Incident Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 3)
Now, it’s time for the fun stuff. While an incident response plan review may feel like practicing moves on a wooden dummy, stress testing should feel more like Donnie Yen fighting ten people for bags of rice in Ip Man.
2 min
Public Policy
FCC Repeals Net Neutrality: What Now?
[Update 05/16/18: The US Senate passed a resolution, led by Sen. Ed Markey, to
reject the FCC rule that repealed net neutrality. Rapid7 supports the resolution
and other efforts to effectively reinstate net neutrality safeguards.]
This week, Rapid7 hosted an event with Massachusetts’ Edward J. Markey and a
number of Boston’s technology and business leaders to protest the likely repeal
of net neutrality. Our CEO, Corey T