All Posts

5 min Vulnerability Disclosure

Seven FOSS Tricks and Treats (Part One)

Adventures in FOSS Exploitation, Part One: Vulnerability Discovery. This is the first of a pair of blog posts covering the disclosure of seven new Metasploit modules exploiting seven popular free, open source software (FOSS) projects. Back over DEFCON, Metasploit contributor Brandon Perry decided to peek in on SourceForge, that grand-daddy of open source software distribution sites, to see what vulnerabilities and exposures he could shake loose from an assortment of popular open source enterpri

3 min Project Sonar

Legal Considerations for Widespread Scanning

Last month Rapid7 Labs launched Project Sonar, a community effort to improve internet security through widespread scanning and analysis of public-facing computer systems. Through this project, Rapid7 is actively running large-scale scans to create datasets, sharing that information with others in the security community, and offering tools to help them create datasets, too. Others in the security field are doing similar work. This fall, a research team at the

2 min Events

Social-Engineer CTF Report Released

For the last five years, the team at Social-Engineer have been bringing one of the most exciting events to DEF CON - the Social Engineering Capture the Flag.  The contest was designed to help bring awareness to the world about how dangerous social engineering can be.  In our 5th year, the competition was fierce and the report is the best we have ever released. This year a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities again

4 min Cybersecurity

National Cyber Security Awareness Month: Avoiding Cloud Crisis

As you'll know if you've been following our National Cyber Security Awareness Month blog series, we're focusing on user awareness. We believe that these days every user in your environment represents a point on your perimeter; any may be targeted by attackers and any could create a security issue in a variety of ways, from losing their phone to clicking on a malicious link. Each week through October we've provided a simple email primer on a topic affecting users' security. We hope these emails

3 min IT Ops

How to Easily Get All Your Logs from AWS EC2

Let’s say that you, like many of your colleagues, are hosting your application on AWS’s EC2 cloud infrastructure. You’re chugging along at a steady rate of growth when BAM! One day you get a spike of traffic and have to scale up quickly. “Good job,” you think as you pat yourself on the back in your mind, “this choice to host in the cloud means we can easily handle this load spike without a problem. We’ve set it to auto-scale, so we’ll have all the instances we need.” But is everything all good?

4 min

Weekly Update: vBulletin's and D-Link's Backdoors, and MS13-080 revisited

Simulating the Adversary: A big part of what we do here at Metasploit is "simulating bad guys." On a good week, we can focus on taking real exploits that are being actively used on the Internet, clean them up to our standards for publishing, make sure they actually work as reported, and publish a Metasploit module. This last week has been very good indeed, at least from our point of view, since there's been loads of exploitation going on lately that's come into public view. vBulletin's accidenta

1 min

Audit the security configuration on your Cisco devices with Nexpose 5.7.14

Nexpose 5.7.14 brings you the ability to audit the configurations on your Cisco network devices for security in accordance with best practices in the industry. What is a configuration benchmark? A configuration benchmark is a scoring system which evaluates an asset's compliance against a set of security policy rules. The benchmarks are derived from industry best practices and consensus from domain knowledge experts to help organizations evaluate the security of the systems and devices on their n

3 min Authentication

National Cyber Security Awareness Month: Basic Password Hygiene

Throughout October, we're creating basic emails you send to the users in your company to help educate them on information security issues that could affect them in the workplace. Each email provides some information on the issue itself, and some easy steps on how to protect themselves. Check out the first two posts, providing primers on phishing and mobile security

4 min IT Ops

How To Track Peak Load and Memory Usage vs Response Time on Heroku

A few months back Heroku introduced log-runtime-metrics, which you can enable from the command line to insert CPU load and memory usage metrics into your log events at 20 second intervals. Like all log data in its raw format it’s not massively useful to see metrics getting dumped into your logs every 20 seconds. That’s not exactly what Heroku had in mind, however. At the same time they introduced log-runtime-metrics, Heroku al

5 min IT Ops

How To Receive Log Alerts Via Flashing Lights In Your Office or Home

This is a guest blog post by Jason Ruane, the technical director at Moposa, a place for brides and grooms to plan and manage their wedding. In this post Jason describes how he used a Wi-Fi enabled light and Logentries alerts to receive Logentries alerts via flashing lights in his house. Jason and his team are long time users of Logentries, analyzing all their logs from multiple servers in one centralized, cloud location. How I receive my Logentries alerts via home lighti

2 min Metasploit

Staying Stealthy: Passive Network Discovery with Metasploit

One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily monitors broadcast traffic to identify the IP addresses of hosts on the network. By initially running a passive scan, you c

4 min Android

National Cyber Security Awareness Month: Keeping Mobile Devices Safe

To mark National Cyber Security Awareness Month, we're trying to help you educate your users on security risks and how to protect themselves, and by extension your organization. Every week in October we'll provide a short primer email on a different topic relating to user risk. The idea is that you can copy and paste it into an email and send it around your organization to promote better security awareness among your users.  The first post was on phishing

2 min Government

GestioIP Authenticated Remote Command Execution module

GestioIP is an open-source IPAM (IP Address Management) solution available on Sourceforge, written in Perl. There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6 hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to perform the ping and return the results to the user. However, this library doesn't seem to support IPv6 hosts, so the developer uses the ping6 utility to perform the ping of an IPv6 machine. The developer did perform some validat

3 min

It's the Great Pumpkin Patching Contest, Charlie Brown!

It's October! You all know what that means! That's right! It's National Cyber Security Awareness Month! Oh...some of you thought Halloween...right. Well let's see if we can shoe-horn those two together. Browsing the internet can be a little scary at times. Kind of like trick or treating, there are houses you know to avoid because the lights are out, but how do you avoid the house where they've gone on a health kick and are

3 min

Metasploit Releases CVE-2013-3893 (IE SetMouseCapture Use-After-Free)

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here. The nitt