4 min
Rapid7 Perspective
Attention Humans: The ROBOT Attack
What’s the ROBOT Attack?
On the afternoon of December 12, researchers Hanno Böck, Juraj Somorovsky and
Craig Young published a paper, website, testing tool, and CTF at robotattack.org
detailing a padding oracle attack that affects the way cryptography is handled
on secure websites. ROBOT, which stands for Return Of Bleichenbacher's Oracle
Threat, details a weakness in the RSA encryption standard known as PKCS#1v1.5
that can ultimately allow an attacker to learn a secur
4 min
GDPR
Creating a Risk-Based Vulnerability Management Program for GDPR with InsightVM
The General Data Protection Regulation’s (GDPR) deadline in 2018 is rapidly
approaching, and as companies prepare for GDPR compliance, they’re facing a
struggle that’s plagued every security program for years: how to quantify that
nebulous, scary thing called “risk.” GDPR compliance specifically talks about
“risk” several times in its guidelines, particularly in Arti
5 min
IT Ops
6 Best Practices for Effective IT Troubleshooting
System monitoring and troubleshooting can be a time-consuming and frustrating
activity. It’s not unusual for IT folks to spend hours finding and fixing a
problem that could have been resolved in 10 minutes had better troubleshooting
tools and processes been in place.
Improving IT troubleshooting and monitoring doesn’t need to be an expensive
undertaking. Many times it’s just a matter of implementing a few company-wide
2 min
Patch Tuesday
Patch Tuesday - December 2017
No big surprises from Microsoft this month, with 70% of the 34 vulnerabilities
addressed being web browser defects. Most of these are Critical Remote Code
Execution (RCE) vulnerabilities, so administrators should prioritize patching
client workstations. It doesn't take sophisticated social engineering tactics
to convince most users to visit a malicious web page, or a legitimate but
2 min
Application Security
The Magic Behind Managed Application Security Services
When I was younger, one of my favorite gifts was a magic kit. My dad did magic
tricks with cards and rope, and whenever I asked how he did it, he’d say, “A
magician never tells his secrets.” Part of why I loved that gift so much is I
got to be the magician—and I got a glimpse of the secrets.
Whenever I spend time with the Managed Application Security team at Rapid7, I
feel like I did when I was younger: excited to learn about how the magic works.
Here are some of the secrets I’ve learned.
Appl
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Dec. 8, 2017
Have you ever been on a conference call where you really wished you could take
command of the situation? With Metasploit Framework and the new Polycom HDX
exploit, you can (if given permission by the owner of the device, that is)! If
teleconferencing isn't your target's style, you can also pwn correspondence the
old-fashioned way: through a Microsoft Office exploit. Be it written or video,
we here at Rapid7 know you value other people's communication!
After another Python module and the Mac r
3 min
Detection and Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 2)
In Part 1, we covered key considerations when drafting an incident response plan. Here, we'll cover the best way to get buy-in from key company stakeholders...
2 min
Rapid7 Perspective
Standing with Massachusetts technology leaders in support of net neutrality
On Monday, Rapid7 will host Senator Edward J. Markey and a group of technology
and business leaders from across Massachusetts as we stand in support of net
neutrality. Together, we’ll affirm our commitment to a free and open internet
that promotes growth and innovation and gives all users broad access to internet
content.
At the heart of net neutrality is the principle that internet service providers
must treat all content transmitted across the internet equally. In practice,
this means that IS
2 min
InsightIDR
2017 Gartner Magic Quadrant for SIEM: Rapid7 Named a Visionary
If you’re currently tackling an active SIEM project, it’s not easy to dig
through libraries of product briefs and outlandish marketing claims. You can
turn to trusted peers, but that’s challenging in a world where most leaders
aren’t satisfied with their SIEM, even after generous amounts of professional
services and third-party management. Luckily, Gartner is no stranger to putting
vendors to the test, especially for SIEM, where since 2005 they’ve rele
1 min
Vulnerability Management
CVE-2017-10151: What You Need to Know About the Oracle Identity Manager Vulnerability
I have Oracle Identity Manager running in my environment. What's going on? Am I
vulnerable?
Recently, we’ve been getting more than a few questions about the Oracle Identity
Manager vulnerability (CVE-2017-10151), which was rated by Oracle with the most
critical CVSS score of 10. This is the highest possible CVSS score, which
represents a vulnerability with a low complexity for
4 min
GDPR
GDPR Compliance Checklist: December – Assess & Review
With under six months to go until the General Data Protection Regulation (GDPR)
comes into force, organizations that handle the personal data of EU citizens are
preparing for this new compliance regulation. In order to help you through this
new regulation, we’re creating a series of helpful blog posts to see you all the
way to May 25th 2018. This GDPR-focused infographic covers the month-by-month
high-level topics. If you missed our November bl
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Dec. 1, 2017
Here in the U.S., we just celebrated Thanksgiving, which involves being thankful,
seeing friends and family, and eating entirely too much (I know that last one is
not uncommon here). After a large meal and vacation, we figured that it would be
a nice, slow week for security research in the States. Then we opened Twitter
and were suddenly happy we had procrastinated and most of us had put off
upgrading to High Sierra.
Community CTF
In case you missed yesterd
3 min
Detection and Response
Prepare for Battle: Let’s Build an Incident Response Plan (Part 1)
Creating and testing an IR plan mitigates risk—help your organization perform at its best by preparing it for the worst. Join us for Part 1: drafting the plan.
2 min
Metasploit
Announcing the Metasploitable3 Community CTF
Been waiting for the Linux version of Metasploitable3 to drop? We’ll do you one
better: Metasploit is giving the community a week to rain shells on a
penguin-shaped Metasploitable3 instance—and to win prizes at the end of it. Play
starts December 4; see below for full competition details.
TL;DR: Sign up, drop shells, win stuff.
Not into capturing flags but jonesing for a look at the code? We’ll release the
Linux Metasploitable3 source code to the community soon after the competition
ends. Happ
3 min
InsightAppSec
InsightAppSec Feature Highlights: On-Premise Engines, JIRA Integration, and More
Powerful Yet Simple DAST Scanning Gets Even Better
InsightAppSec, Rapid7’s cloud-powered web application security testing
solution, has added three powerful new features:
* On-premise scan engines
* JIRA integration
* Scan Activity view
Test Your Internal Applications and Reduce Your Risk
Web application security testing