National Cybersecurity Awareness Month: Tips for Improving Your Personal Pa55w0rd! Management
It's National Cybersecurity Awareness Month, which means it's a great time to chat about why you should consider a password manager to stay secure.…
Under the Hoodie 2018: Lessons from a Season of Penetration Testing
Today, I’m excited to announce the release of our 2018 edition of Under the Hoodie: Lessons from a Season of Penetration Testing by the Rapid7 Global Services team, along with me, Tod Beardsley and Kwan Lin.…
2018 National Exposure Index Research Report: Internet Security Posture by Country
Today, I’m happy to announce that Rapid7 has released our third annual National Exposure Index (NEI), a state of the internet report focusing on where in the world the most exposure is presented on the internet. I’m pretty pleased with how this year’…
CVE 100K: A Big, Round Number
There have been 100,000 CVEs published. That's a big, round number.…
Actually, Grindr is Fine: FUD and Security Reporting
On Wednesday, March 28, NBC reported Grindr security flaws expose users' location data, a story which ticks a couple hot-button topics for security professionals and security reporters alike. It’s centered around the salacious topic of online dating in the LGBT community, and hits a…
R7-2018-01 (CVE-2018-5551, CVE-2018-5552): DocuTrac Office Therapy Installer Hard-Coded Credentials and Cryptographic Salt
DocuTrac QuickDoc & Office Therapy ships with a number of static accounts which are not disclosed to the end user.…
R7-2017-28: Epson AirPrint XSS (CVE-2018-5550)
The Epson AirPrint web configuration page is vulnerable to a reflected cross-site scripting (XSS) issue in the INPUTT_GEOLOCATION parameter in the web administration console. This issue could be leveraged by an attacker with network access to the web UI to the printer to trick…
On Random Shell Generators
A couple days ago, AutoSploit.py was released by a person named Real__Vector. It’s safe to say that it’s made some waves in the security Twitterverse, and a few people have asked us here at Rapid7 what we think about it given…
Meltdown and Spectre: What you need to know (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
After waking up from a long winter’s nap, you may have heard the lamentations about the “Intel Kernel Leak” vulnerability, or the “Kernel Speculative Execution” vulnerability, or, now, the “Meltdown and Spectre” vulnerabilities. This is a quick post to let you know just how…
HaXmas: The True Meaning(s) of Metasploit
Rapid7 Research Director Tod Beardsley kicks off our storied "12 Days of HaXmas" series with a thrilling tale of browser 0day, exploit module development, and the true meaning(s) of Metasploit.…
On the Zero-eth Day of HaXmas...
I suppose it’s only fitting that this year, we introduce our storied 12 Days of HaXmas on the zero-eth day. Technically, Twelvetide doesn’t start until December 25th. This year, we’re focusing on the security events that grabbed our attention, metrics that piqued…
R7-2017-25: Cambium ePMP and cnPilot Multiple Vulnerabilities
Summary of Issues Multiple vulnerabilities in Cambium Networks’ ePMP and cnPilot product lines were discovered by independent researcher Karn Ganeshen, which have, in turn, been addressed by the vendor. The affected devices are in use all over the world to provide wireless network connectivity in…
Attention Humans: The ROBOT Attack
What’s the ROBOT Attack? On the afternoon of December 12, researchers Hanno Böck, Juraj Somorovskym and Craig Young published a paper, website, testing tool, and CTF at robotattack.org detailing a padding oracle attack that affects the way cryptography is handled on secure websites.…
CVE-2017-16943: Exim BDAT Use-After-Free
Exim BDAT Use-After-Free (CVE-2017-16943): What You Need To Know Turns out, the Exim Internet Mailer team was busy over the Thanksgiving holiday, after security researcher “meh” reported a pair of vulnerabilities in the wildly popular open source email server. The first, a critical remote execution…
5 Tips for a Cyber Holiday Season
Five tips on how to approach security this holiday season with family and friends…
