All Posts

R7-2016-08: Seeking Alpha Mobile App Unencrypted Sensitive Information Disclosure

Due to a lack of encryption in communication with the associated web services, the Seeking Alpha mobile application for Android and iPhone leaks personally identifiable and confidential information, including the username and password to the associated account, lists of user-selected stock ticker symbols and associated positions, and HTTP cookies. Credit Discovered by Derek Abdine (@dabdine ) of Rapid7, Inc., and disclosed in accordance wit

2 min Nexpose

Patch Tuesday, July 2016

July continues an on-going trend with Microsoft's products where the majority of bulletins (6) address remote code execution (RCE) followed by information disclosure (2), security feature bypass (2) and elevation of privilege (1). All of this month's 'critical' bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services

4 min Komand

A Guide to Defending Pokemon Go Gyms: Lessons from Cybersecurity

You’ve probably heard of this Pokemon Go thing. We recently featured the game in our latest newsletter, and have since been running around like PokeManiacs trying to catch ‘em all. While discussing our Komand group strategy (Yes, we’re playing as a team 😅), we couldn’t help but notice parallels between Pokemon Go and cybersecurity. In particular, we see strong correlations between gym defense and cyberdefense. For those that aren’t privvy, the goal of Pokemon Go is to collect and train as many

5 min IT Ops

Keep Your Code Clean while Logging

In my consultancy practice, one of the things that I do most frequently is help teams write so-called “clean code.” Usually, this orients around test-driven development (TDD) and writing code that is easily maintained via regression tests and risk-free refactoring. Teams want to understand how to do this, and how to do it in their production code (as opposed to in some kind of toy “let’s build a calculator” exercise). One of the most prominent, early sticking points that rears its head tend

9 min Komand

Local Cybersecurity Meetups Near You

Here at Komand, we understand the importance of being part of a community . Not everyone can can afford the cost or time commitment necessary to attend large conferences. But that shouldn’t stop you from staying current, connected and active with the security community. Think local meetups: easy access, inexpensive, and in a relaxing environment with familiar faces. Recently, we featured US Cybersecurity Conferences

7 min DevOps

Honing Your Application Security Chops on DevSecOps

Integrating Application Security with Rapid Delivery Any development shop worth its salt has been honing their chops on DevOps tools and technologies lately, either sharpening an already practiced skill set or brushing up on new tips, tricks, and best practices. In this blog, we'll examine how the rise of DevOps and DevSecOps have helped to speed application development while simultaneously enabling teams to embed application security earlier into

1 min Metasploit

Announcement: End-of-Life Metasploit 32-Bit Versions

UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit 32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community) no longer receive future product or content updates. These platforms are now obsolete and are no longer supported. Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both Windows and Linux operating systems on July 5th, 2017. This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploi

9 min IT Ops

Self-describing Logging Using Log4J

UPDATE POSTED 12.12.21: If you are using Log4j, please be aware that on December 10, 2021, Apache released version 2.15.0 of their Log4j framework, which included a fix for CVE-2021-44228 , a critical (CVSSv3 10) remote code execution (RCE) vulnerability affecting Apache Log4j 2.14.1 and earlier versions. This is a critical vulnerability, and we strongly urge you t

9 min Automation and Orchestration

The Best Strategies for a Successful Security Operations Center Explained by 4 Security Experts

The threats we all hear about today aren’t new. They also aren’t going away, but they are evolving. Hackers have existed for many years, and so too have our defenders. What has and is changing is the tactics used to defend against increasingly complex threats. And it’s on our security operations centers (SOCs) to batten down the hatches and sound the alarms, but are they enabled and prepared to do so? While we have many ideas on

4 min IT Ops

How Audit Logs Help Confirm and Correct Security Policy

There are many possible definitions for the term “security policy,” but all of them share certain elements in common. A security policy should lay out what assets, both physical and digital, an organization wishes to protect. It should explain what it means to be secure and to behave securely. In short, a security policy identifies what assets are to be protected, what kinds of risks such protection is meant to defeat or mitigate, and how security can be established, measured, and monitored. A

6 min IT Ops

Signal AND Noise The Best of All Worlds for Logging

One of the absolute, classic pieces of advice that you’ll hear when it comes to logging is what I think of as the iconic Goldilocks logging advice. It goes something like this. When it comes to logging, you don’t want to miss anything important because logging helps you understand your application’s behavior. But youalsodon’t want to log too much. If you log too much, the log becomes useless. You want to log just the right amount. Sage advice, to be sure. Right? Or, maybe, when you sto

6 min Project Sonar

Digging for Clam[AV]s with Project Sonar

A little over a week ago some keen-eyed folks discovered a feature/configuration weakness in the popular ClamAV malware scanner that makes it possible to issue administrative commands such as SCAN or SHUTDOWN remotely—and without authentication—if the daemon happens to be running on an accessible TCP port. Shortly thereafter, Robert Graham unholstered his masscan tool and did a s ummary blog post

5 min Automation and Orchestration

AWS Series: Creating a Privoxy, Tor Instance

Synopsis: If you want to increase your privacy or perform security research with Tor , Privoxy , etc. a virtual server is an excellent choice. I’m using Amazon EC2 which provides a years worth of a VM with limited resources for free. A few benefits are listed below 1. Low cost 2. Access from just about anywhere 3. Low resource allocation 4. Easy to spin up Creating the Cloud Instance: After logging into your Amazon cloud account select

6 min Automation and Orchestration

AWS Series: OpenSWAN L2TP over IPSEC VPN Configuration

Synopsis: We will look at how to configure an L2TP over IPSEC VPN using OpenSWAN and how to connect to it using Mac OSX. This guide is written for running the VPN software on a CentOS 7 x86_64 EC2 instance (ami-6d1c2007) provided by Amazon Web Services. The VPN will be configured to use local authentication and a pre-shared key. This is a great way to allow access into your AWS VPC. Procedure: The procedure is broken into 3 parts: * AWS – Create an EC2 instance *