Rapid7 Blog

Recent Posts

UNITED Spotlight: Industry Roundtables


Rapid7’s annual UNITED Summit is fast approaching, on September 13th and 14th in Boston. As a past attendee (both as a customer and as a Moose), I can assure you that UNITED is a great opportunity to learn about emerging and ongoing cybersecurity and IT topics—from the Rapid7 team and from experts across many different industries. My favorite example of this is the Industry Roundtables, scheduled on Wednesday, September 13th. These roundtables will focus on the Retail, Finance, Software Technology & Communications, Government, Healthcare, Manufacturing, and Higher Education industries, so we hope there is something for everyone in attendance. The best part about these roundtables is that it’s an opportunity for you to connect with other people in your industry that likely share similar priorities and concerns. It’s a chance for you to share your experiences with your peers, get feedback from others on current or future initiatives, and make new connections within your industry. To ensure that we’ve created the right atmosphere for these roundtables, no media, industry analysts, or sales professionals are permitted to attend these sessions. Read more about the rules of engagement here. Last year’s roundtables covered topics such as budgetary constraints and how to work around them, industry specific regulations, the challenge of obtaining buy-in and support for security initiatives, and even interoffice politics. Some of the groups even stayed in touch after UNITED to keep the discussion going. Given that each industry has a unique set of cyber and IT challenges, these roundtables will offer you the opportunity to network with others who have similar environments. If you haven’t already done so, register for UNITED, and be sure to join the industry round tables while you’re there. Look for me in all of the Assess & Remediate track sessions. I look forward to seeing you soon in Boston!

Cybersecurity for NAFTA


When the North American Free Trade Agreement (NAFTA) was originally negotiated, cybersecurity was not a central focus. NAFTA came into force – removing obstacles to commercial trade activity between the US, Canada, and Mexico – in 1994, well before most digital services existed. Today, cybersecurity is a major economic force – itself a large industry and important source of jobs, as well as an enabler of broader economic health by reducing risk and uncertainty for businesses. Going forward, cybersecurity should be an established component of modernized trade agreements and global trade policy.

The Trump Administration is now modernizing NAFTA, with the first renegotiation round concluding recently. There are several key ways the US, Mexican, and Canadian governments can use this opportunity to advance cybersecurity. In this blog post, we briefly describe two of them: 1) aligning cybersecurity frameworks, and 2) protecting strong encryption. For more about Rapid7's recommendations on cybersecurity and trade, check out our comments on NAFTA to the US Trade Representative (USTR), or check out my upcoming presentation on this very subject at Rapid7's UNITED conference!

Align cybersecurity frameworks

Trade agreements should broadly align approaches to cybersecurity planning by requiring the parties to encourage voluntary use of a comprehensive, standards-based cybersecurity risk management framework. The National Institute of Standards and Technology's (NIST) Cybersecurity Framework for Critical Infrastructure ("NIST Cybersecurity Framework") is a model of this type of framework, and is already experiencing strong adoption in the U.S. and elsewhere. In addition to our individual comments to USTR, Rapid7 joined comments from the Coalition for Cybersecurity Policy and Law, and also organized a joint letter with ten other cybersecurity companies, urging USTR to incorporate this recommendation into NAFTA.

International alignment of risk management frameworks would promote trade and cybersecurity by:

- Streamlining trade of cybersecurity products and services. To oversimplify, think of a cybersecurity framework like a list of goals and activities – it is easier to find the right products and services if everyone is referencing a similar list. Alignment on a comprehensive framework would enable cybersecurity companies to map their products and services to the framework more consistently. Alignment can also help less mature markets know what specific cybersecurity goals to work toward, which will clarify the types of products they need to achieve these goals, leading to more informed investment decisions that hold service providers to consistent benchmarks.

- Enabling many business sectors by strengthening cybersecurity. Manufacturing, agriculture, healthcare, and virtually all other industries are going digital, making computer security crucial for their daily operations and future success. Broader use of a comprehensive risk management framework can raise the baseline cybersecurity level of trading partners in all sectors, mitigating cyber threats that hinder commercial activity, fostering greater trust in services that depend upon secure infrastructure, and strengthening the system of international trade.

- Helping address trade barriers and market access issues. Country-specific approaches to cyber regulation – such as data localization or requiring use of specific technologies – can raise market access issues or force ICT companies to make multiple versions of the same product. International alignment on interoperable, standards-based cybersecurity principles and processes would reduce unnecessary variation in regulatory approaches and help provide clear alternatives to cybersecurity policies that inhibit free trade.

To keep pace with innovation and evolving threats, prevent standards from reducing market access, and incorporate the input of private sector experts, the risk management framework should be voluntary, flexible, and developed in an industry-led and transparent process. For example, the NIST Cybersecurity Framework is voluntary and was developed through an open process in which anyone can participate. The final trade agreement text need not dictate the framework content beyond basic principles, but should instead encourage the development, alignment, and use of functionally similar cybersecurity frameworks.

Prohibit requirements to weaken encryption

Critical infrastructure, commerce, and individuals depend on encryption as a fundamental means of protecting data from unauthorized access and use. Market access rules requiring weakened encryption would create technical barriers to trade and put products with weakened encryption at a competitive advantage with uncompromised products. Requirements to weaken encryption can impose significant security risks on companies by creating diverse new attack surfaces for bad actors, including cybercriminals and unfriendly international governments – ultimately undermining the security of the end-users, businesses, and governments.

NAFTA should include provisions forbidding parties from conditioning market access for cryptography used for commercial applications on the transfer of private keys, algorithm specification, or other design details. The final draft text of the Trans-Pacific Partnership (TPP) contained a similar provision – though Congress never ratified TPP, so it never came into force. Although this provision would be helpful to protect strong encryption, it would only apply to commercial activities. The current version of NAFTA contains exceptions for regulations undertaken for national security (as did TPP, in addition to clarifications that a nation's law enforcement agencies could still demand information pursuant to their legal processes). This may limit the overall protectiveness of the provision, but should also moderate concerns a nation might have about including encryption protection in the trade agreement.

This is beginning

The NAFTA parties have set an aggressive pace for negotiations, with the goal of agreeing on a final draft by the end of the year. However, the original agreement took years to finalize, and NAFTA covers many subjects that can attract political controversy. So NAFTA's timeline, and openness to incorporating new cybersecurity provisions, are not entirely clear. Nonetheless, the Trump Administration has indicated that both international trade and cybersecurity are priorities. Even as the NAFTA negotiations roll on, the Administration has begun examining the Korea-US trade agreement, and both new agreements and modernization of previous agreements are likely future opportunities. Trade agreements can last decades, so considering how best to embed cybersecurity priorities should not be taken lightly. Rapid7 will continue to work with private and public sector partners to strengthen cybersecurity and industry growth through trade agreements.

Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns


To many, emails are boring. It’s been a long time since they were ‘cool,’ and they’re probably the slowest form of communication in an evolving fast-paced digital world. Nevertheless, there were 215 billion emails exchanged per day in 2016, and that number is growing at 3% annually. It's clear that emails aren’t going away anytime soon—and neither are their implications for security. According to the 2017 Verizon data breach investigations report (DBIR): “43% of all data breaches happened through social attacks or through social engineering. And of those social engineering attacks, phishing constitutes 93%.” Furthermore, nobody is immune to phishing—not even security companies. At this year’s UNITED Summit, I and several others on Rapid7’s IT and engineering teams will take our audience on a journey to explore the intricacies of conducting an internal phishing campaign. We’ll present a case study directly from the people who run internal phishing simulations at Rapid7, and we’ll talk about practical challenges and solutions when building an effective campaign. Among the questions we’ll address: How can we avoid spam filters in top email service providers like GSuite and Office365? How important is the reputation of your email to ensuring deliverability? What results did Rapid7’s security engineers see when they conducted internal phishing campaigns, and how did they change over time? And perhaps most important of all—how can you use this knowledge to improve security across your own organization? Email might be boring, but working on ways to better understand and combat phishing is endlessly interesting. Come hear about how Rapid7 solves security challenges both inside and outside its own walls—and if you haven’t yet signed up to join us at UNITED this year, register here. Want to know what other Rapid7 talks will headline at UNITED? Check out these teasers from threat intelligence lead Rebekah Brown, Metasploit's Brent Cook, and Research Director Tod Beardsley.

The Next Generation of the Rapid7 Community


Welcome to the new and improved place for Rapid7 blogs! Rapid7’s blogs aim to provide readers with pragmatic, down-to-earth information and advice to help you navigate the complexity and noise of the security landscape. We rely on, and greatly appreciate, the feedback and input of our community to help us identify what kinds of content and topics are most valuable. Thank you!

We’re constantly looking for ways we can improve the quality of our content and the experience for our users. To that end, in August 2017 we launched two new resources to provide a richer, more seamless experience across Rapid7’s web assets and information sources:

- blog.rapid7.com is our platform for news, issues response and commentary, and research
- help.rapid7.com offers a rich and constantly-updated knowledgebase, and a forum where you can ask questions

How can you get involved?

We value community perspectives, so we hope you’ll continue to offer frank, insightful comments in response to our blog posts. We use Disqus to facilitate commenting and discussion on blog.rapid7.com articles. You won’t need your old community login to share your opinion: Disqus allows users to log in using email or major social platforms. Please note: logins for the old Rapid7 Community site (pre-August 31st 2017) are no longer valid.

From deep-dive research to ad-hoc feedback, the community is our lifeblood. The entire Rapid7 team is excited (one might even say “pumped”) to share this next generation of community resources with you! If you have any questions or concerns about the future of our blog and help site, please contact community [at] Rapid7 [dot] com.

Vulnerability Management Market Disruptors


Gartner’s recent vulnerability management report provides a wealth of insight into vulnerability management (VM) tools and advice for how to build effective VM programs. Although VM tools and capabilities have changed since the report’s last iteration in 2015, interestingly one thing hasn’t: Gartner’s analysis of potential disruptors to VM tools and practices. Great minds think alike, as we’ve been heavily investing in these areas to help our customers overcome these persistent challenges. We’ve made numerous enhancements to our vulnerability management solutions (InsightVM and Nexpose) since that 2015 report to address both current and emerging vulnerability management challenges.

New Asset Types

Gone are the days when you could just count the number of servers and desktops in your network and be confident that any changes in between quarterly scans would be minimal. Now, networks are constantly changing thanks to virtual machines, IoT, and containers. Nexpose was always a leader in technology integrations, and InsightVM is even more closely integrated into modern infrastructure. InsightVM is the only vulnerability management tool that has direct integration with VMware to automatically discover and assess these devices as they’re spun up; the Insight Agent is also easily clonable so you can integrate an agent into any gold image for automatic deployment. This means that even if your network is constantly changing as VMs are spun up and down, we’ve automatically got you covered. IoT devices are a trickier beast, and Rapid7 is one of the leaders in IoT security research—our recently-released hardware bridge brings the power of Metasploit to IoT penetration testing, enabling research and security testing of a wide range of IoT devices. Finally, InsightVM currently lets you discover containers in your environment, and we’re working on the ability to actively assess containers and container images, providing visibility to another area that many security teams struggle with.

Bring Your Own Devices

BYOD has been the buzzword of buzzwords for a number of years now, but as consumer and corporate adoption continues to rise (powered by mobile productivity apps like messaging tools, mobile CRM apps, etc.), the combined attack surface increases, and the line between what’s personal and what’s corporate blurs. Gartner has released several reports on the topic and recognizes that this is a continuing challenge for vulnerability management. InsightVM makes it easy to get visibility into that attack surface and assess employee devices. We can discover mobile devices that connect to ActiveSync, providing visibility into corporate device ownership so security teams can see where their risk is. Rapid7 Insight Agents can be deployed to any remote laptop, providing continuous monitoring for any device, even if it never connects to the corporate network. Agents can be installed as part of your gold laptop images so that they’re automatically deployed to new employees. With InsightVM, you don’t have to worry about losing track of people working from home or replacement laptops becoming security holes that are never scanned.

Cloud Computing

Gartner lists cloud computing as an issue related to the loss of control of infrastructure and even of the devices to be scanned. We find the biggest challenge with cloud services is visibility; cloud instances are often spun up and down rapidly, and the details don’t always make their way to security, giving them only a small inkling of the true footprint and attack surface of their AWS or Azure environments. Similar to our integration with VMware, InsightVM integrates with AWS and Azure to automatically detect new devices as they’re spun up or down. InsightVM also makes it easy to deploy agents to new cloud devices by embedding them into a gold image. To aid in visibility, you can import tags from Azure into InsightVM, so security teams can report on the same groupings that their IT and development teams use. Thus security teams can be confident in understanding their changing attack surface as rapidly as new devices are deployed.

Large Volumes of Data

With all of the above factors drastically increasing the scope of vulnerability management, data management and analysis becomes more important. Even if a tool can gather vulnerability data from every part of your network, you’re never going to have time to fix everything; how do you prioritize what to fix first, and how do you get a holistic view of your security program’s progress? This challenge is why we launched InsightVM and the Insight platform in general; by leveraging the cloud for data analysis, we can provide features like live customizable dashboards and remediation tracking without weighing down customer networks. It also lets us more rapidly deploy new features, like dashboard cards and built-in ticketing integrations with ServiceNow and JIRA.

Vulnerability Prioritization

According to Gartner, “A periodic scan of a 100,000-node network often yields from 1 million to as many as 10 million findings (some legitimate and some false or irrelevant).” Given the limited resources that virtually every security team faces, it’s increasingly difficult to figure out what to spend time on, especially given that some systems are more important from a business context than others. Understanding how attackers think and behave has always been one of Rapid7’s strengths, and we pass this on to our customers with InsightVM. Our risk scoring leverages CVSS and amplifies it by factoring in exploit exposure, malware exposure, and vulnerability age to provide a much more granular risk score of 1-1000, enabling customers to focus on the vulnerabilities that make it easiest for an attacker to break in. Combined with the ability to tag certain assets as critical to automatically prioritize them in remediation, we automate the often-manual process of trying to figure out what to fix first.

InsightVM has been built to tackle the future of vulnerability management head-on, so that customers never have to worry about falling behind the curve and opening gaps in their security posture. For more information, Gartner customers can download the report, and try out InsightVM today!

R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)


This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities:

- R7-2017-07.1, CWE-284 (Improper Access Control): An unauthenticated remote attacker can enumerate through MAC addresses associated with registered handsets of Fuze users. This allows them to craft a URL that reveals details about the user, including their Fuze phone number, email address, parent account name/location, and a link to an administration interface. This information is returned over HTTP and does not require authentication.
- R7-2017-07.2, CWE-319 (Cleartext Transmission of Sensitive Information): The administration interface URL revealed from the URLs enumerated in R7-2017-07.1 will prompt for a password over an unencrypted HTTP connection. An attacker with a privileged position on the network can capture this traffic.
- R7-2017-07.3, CWE-307 (Improper Restriction of Excessive Authentication Attempts): Authentication requests to the administration portal do not appear to be rate-limited, thus allowing attackers to potentially find successful credentials through brute-force attempts.

Product Description

Fuze is an enterprise, multi-platform voice, messaging, and collaboration service created by Fuze, Inc. It is described fully at the vendor's website. While much of the Fuze suite of applications is delivered as web-based SaaS components, there are endpoint client applications for a variety of desktop and mobile platforms.

Credit

These issues were discovered by a Rapid7 user, and they are being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

R7-2017-07.1

Any unauthenticated user can browse to http://mb.thinkingphones.com/tpn-portlet/mb/MACADDRESS and, if a valid MAC address is provided in place of MACADDRESS, receive a response that includes the following data about a Fuze handset user:

- Owner email address
- Account (including location information)
- Primary phone number
- Administration portal link

Here is a (redacted) example of retrieving the above information using Fuze's TPN Portlet:

While the total possible MAC address space is large (48 bits), the practical space in this case is significantly less. An attacker would only need to enumerate options starting with related published OUIs to target the subset of MAC addresses for Polycom and Yealink phones, which are the officially supported phone brands that Fuze offers as outlined here. For example, Polycom's OUIs are 00:04:F2 and 64:16:7F. An attacker can use this information to enumerate all Fuze customers/users with hard phones and collect their email addresses and their phone numbers, and also access the Fuze device admin login page (shown below) and potentially make configuration changes.

While it is common for handsets to request configuration from a remote server during boot, and indeed for those requests to not be authenticated, the fact that the configuration server is located in the cloud versus on-prem, and the fact that the specific URLs are crafted using a known pattern of MAC addresses, adds an unexpected surface for undesired information disclosure.

R7-2017-07.2

Network traffic between a handset and the TPN Portal (http://mb.thinkingphones.com/tpn-portlet/mb/MACADDRESS/admin.jsp) is sent over HTTP. Thus if an attacker is able to capture/intercept network traffic while the handset boots up, they would be able to view the content of requests made to the Portal, including the admin code, as shown below:

R7-2017-07.3

If an attacker was not listening to network traffic during handset boot, they could still determine the administration portal URL by MAC enumeration as mentioned in R7-2017-07.1. Given that URL, the attacker could try various admin codes until they are successfully logged in, as it does not appear that authentication attempts are limited.

Remediation

Fuze addressed R7-2017-07.1 on April 29, 2017 by requiring password authentication to access the TPN portal (http://mb.thinkingphones.com/tpn-portlet/mb/MACADDRESS), and R7-2017-07.2 on May 6, 2017 by encrypting traffic to the TPN portal. No user action is required to remediate these two issues. Hashed passwords were pushed out by Fuze to customer handsets during a daily required update check. Handsets were also configured to use TLS for future communication with the portal at that time. After this update was pushed, Fuze's servers were configured to deny unauthenticated requests, as well as requests made over HTTP.

If any handsets did not receive these updates, users would not be able to perform some actions from the handset directly, such as re-assigning to a new user. This may impact a small number of users, who should work with Fuze support to resolve. Phone re-assignment and other configuration changes can still be made and pushed from the Fuze server side. More importantly, if a handset did happen to be offline during the initial update push, once back online it would still be able to download firmware updates and essential configuration updates, including those related to SIP and TLS requirements.

Fuze addressed R7-2017-07.3 on May 6, 2017 by rate limiting authentication attempts to the administration portal. In addition, MAC enumeration to find URLs providing the administration portal URLs is no longer possible given the authentication requirement. No user action is required to remediate this issue, as the change was made to Fuze's servers.

Vendor Statement

Rapid7 is a Fuze customer and a highly valued voice in ensuring that Fuze is continuously improving the security of its voice, video, and messaging service. As users of the entire Fuze platform, Rapid7’s team identified security weaknesses and responsibly disclosed them to the Fuze security team. In this case, while the exposure was a limited set of customer data, Fuze took immediate action upon receiving notification by Rapid7, and remediated the vulnerabilities with its handset provisioning service, in full, within two weeks. Fuze has no evidence of any bad actors exploiting this vulnerability to compromise customer data. Fuze is grateful to Rapid7 for its continued partnership in responsibly sharing security information, and believes in its larger mission to normalize the vulnerability disclosure process across the entire software industry.

-- Chris Conry, CIO of Fuze

Disclosure Timeline

- Wed, Apr 12, 2017: Issues discovered by Rapid7
- Tue, Apr 25, 2017: Details disclosed to Fuze
- Sat, Apr 29, 2017: R7-2017-07.1 fixed by Fuze
- Sat, May 6, 2017: R7-2017-07.2 and R7-2017-07.3 fixed by Fuze
- Tue, May 23, 2017: Disclosed to CERT/CC
- Fri, May 26, 2017: CERT/CC and Rapid7 decided no CVEs are warranted since these issues exist on the vendor's side, and customers do not need to take action.
- Tue, Aug 22, 2017: Public disclosure
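As an added illustration, not Fuze's code and not part of the original advisory, the following Python sketch models the three server-side controls the remediation section describes for a handset-provisioning endpoint: refusing cleartext requests, requiring authentication before any handset details are returned, and rate-limiting failed authentication attempts. The request shape, the handset registry, the salt, and the attempt thresholds are all constructed assumptions for the example.

```python
"""
Added example (not Fuze's code): a minimal model of the controls that closed
R7-2017-07 -- require TLS (07.2), require authentication before returning
handset details (07.1), and rate-limit authentication attempts (07.3).
The request dict, the registry and the thresholds are assumptions.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data: a hypothetical handset MAC -> owner and salted code hash.
SALT = b"example-salt"  # assumption; a real deployment uses a per-record random salt


def _hash(code: str) -> str:
    return hashlib.sha256(SALT + code.encode()).hexdigest()


REGISTRY = {
    "00:04:f2:aa:bb:cc": {"owner": "user@example.com", "code": _hash("s3cret-code")},
}

MAX_ATTEMPTS = 5        # failed attempts tolerated per window (assumed policy)
WINDOW_SECONDS = 60.0   # sliding window length (assumed policy)


class Portal:
    """Handles provisioning requests; the clock is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        # key -> timestamps of recent failed attempts (CWE-307 mitigation state)
        self.failures = defaultdict(deque)

    def _throttled(self, key: str) -> bool:
        now = self.clock()
        recent = self.failures[key]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()            # drop failures outside the window
        return len(recent) >= MAX_ATTEMPTS

    def handle(self, request: dict):
        """request keys: scheme, mac, code, client. Returns (status, body)."""
        # R7-2017-07.2: cleartext requests are refused outright.
        if request.get("scheme") != "https":
            return 403, "TLS required"

        mac = request.get("mac", "").lower()
        key = f"{request.get('client')}:{mac}"

        # R7-2017-07.3: throttle before doing any credential work.
        if self._throttled(key):
            return 429, "too many attempts"

        # R7-2017-07.1: nothing about the handset is returned without a valid code.
        entry = REGISTRY.get(mac)
        supplied = _hash(request.get("code", ""))
        # Compare against a dummy hash for unknown MACs so response timing does
        # not reveal whether a MAC is registered; the final check rejects them.
        expected = entry["code"] if entry else _hash("")
        ok = hmac.compare_digest(supplied, expected) and entry is not None
        if not ok:
            self.failures[key].append(self.clock())
            return 401, "authentication required"

        return 200, {"owner": entry["owner"]}


if __name__ == "__main__":
    portal = Portal()
    print(portal.handle({"scheme": "http", "mac": "00:04:f2:aa:bb:cc",
                         "code": "s3cret-code", "client": "10.0.0.1"}))
    print(portal.handle({"scheme": "https", "mac": "00:04:f2:aa:bb:cc",
                         "code": "s3cret-code", "client": "10.0.0.1"}))
```

The throttle key combines client and MAC, so a single source cannot spread attempts across many handsets without tripping the limit for each; the HTTPS check stands in for the server configuration change the advisory describes, where the scheme would normally be enforced by the front-end proxy rather than application code.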

Survival of the fastest: evolving defenders with broad security automation


If you’ve read the news at all lately, you know that we're having some struggles with information security. Everything from elections to hospitals to Westeros is considered a target, and adversaries continue to learn and innovate—often faster than the defense can respond. It’s not that they have better tools or work harder than the defense, so what gives? If you're struggling with these issues and happen to be coming to Rapid7's annual UNITED Summit, swing by the Detection and Response track on Wednesday, September 13 and hear Justin Pagano and me talk about how we are working on solving these problems!

Turns out, the status quo is kind of the worst. Defenders are trying to work against the clock, to go back in time to deal with issues we thought were resolved decades ago...and on top of that, there aren’t nearly enough defenders out there (yet!). So what can we do against these types of odds? The key is automation—but not just any old kind of automation. Limited, siloed approaches to automation have helped put us where we are now. To move forward, we need broad security automation based on our understanding of the adversaries: how they operate, how they've targeted us in the past, and how they're likely to target us in the future. And that brings us to why I'm involved in this talk in the first place—the combination of broad security automation and threat intelligence!

We need to automate what we should, not just what we can. This won’t look the same for every organization, because organizations are protecting different types of information, defending against different types of adversaries, and have different resources and constraints. What our talk will offer isn't a magical, one-size-fits-all solution, but instead a new approach to security automation. We will cover broad automation’s dependencies (e.g., scripting/programming skills, APIs, time, money, motivation, and prioritization), as well as what it takes to have worthwhile threat intelligence (sources, timely analysis, and expertise). We'll wrap it up with how to combine the two and develop a program that focuses on real threats, helps prioritize non-automated responses, and frees up the time needed to innovate and learn as defenders. We hope to see you there! If you haven't registered yet, do so here.

Metasploit: The New Shiny


It's been a while since I've written a blog post about new stuff in Metasploit (and I'm not sure if the editors will let me top the innuendo of the last one). But I'm privileged to announce that I'm speaking about Metasploit twice next month: once at the FSec 17 Conference in Varaždin, Croatia, September 7-8, and a second time at UNITED 2017, Rapid7's annual security conference in Boston, September 11-14. The talk should be a wild ride through some of the interesting new features that Metasploit has gained over the past year, as well as amazing stuff we have underway for the next major version of Metasploit.

With a project so large and varied, it can be challenging to keep it fresh and relevant. Amazing new open-source security projects pop up almost as fast as CVE allocations. Metasploit is definitely seeing a generational shift, with new developers coming in and older ones moving to new projects. As a result, we have done a lot of work this year moving Metasploit Framework to the next level, while preserving the things people love about it the most. Our 2017 Roadmap was just the beginning—we have a lot of interesting work on the horizon that will change how you think about Metasploit.

I'm also helping with the Metasploitable3 CTF at the UNITED conference and helping run some Metasploit training. So if you have any questions about Metasploit, past, present, or future, this is your chance to get expert advice, either from me or from the five other Metasploit developers who will also be attending. It should be fun and educational, if not a little exhausting! Hope to see you there! Haven't yet signed up to join us at UNITED this year? Register here, or read more about some of the talks and features of this year's summit.

An open letter concerning my resignation from the Digital Economy Board of Advisors

Yesterday I resigned from my position as a member of the Department of Commerce’s Digital Economy Board of Advisors. It has been an honor to serve on the Board; however, I believe it is the responsibility of leaders to unequivocally denounce bigotry, racism, hate, and violence, and to respect diversity and uphold the values of an inclusive America. I am incredibly thankful to both my colleagues on the Board, as well as the team in the Department of Commerce, and have greatly valued the insights and engagement they have shared. Rapid7 - and myself in particular - will continue to work proactively with various parts of the U.S. Government to support and create better cybersecurity and digital economy outcomes. We applaud the continued efforts of the vast majority of civil servants who work tirelessly on behalf of the American people. Finally, I believe that the US has been, and continues to be, a story of progress as we pursue the goals of a just and fair society with a thriving economy for all Americans. And while our economy faces challenges impacting many, we must move forward and not backward. I firmly believe that we can create an economy that lifts up all Americans and provides our children with better opportunities than we have today.

Sincerely,
Corey Thomas
CEO, Rapid7

More Answers, Less Query Language: Bringing Visual Search to InsightIDR

Sitting down with your data lake and asking it questions has never been easy. In the infosec world, there are additional layers of complexity. Users are bouncing between assets, services, and geographical locations, with each monitoring silo producing its own log files and slivers of the complete picture. From a human perspective, distilling this data requires two unique skillsets:

Incident Response: Is this anomalous activity a false positive, a misconfiguration, or true malicious behavior?

Data Manipulation: What search query should I construct to get what I need? Do I need to build a custom rule for this, or report on this statistic?

We’ve built InsightIDR with the goal of reducing friction and complexity on both of these fronts. On the incident response side, you’re armed with a dossier of user behavior analytics across network, endpoint, and cloud services to make faster, informed decisions. You can now enjoy Visual Search, which aims to lower the level of complexity associated with writing queries and making sense of your wealth of log data. Visual Search was first released in InsightOps, our solution for IT infrastructure monitoring and troubleshooting. It’s had a great reception, and we’re proud that it’s now a shared service also available in InsightIDR. Visual Search identifies anomalies, allows for flexible drill-downs, and helps you build queries without using the Log Entries Query Language (LEQL).

Your First Visual Search

In InsightIDR, start by heading to Log Search. You’ll notice that we’ve refreshed the look and feel—we’re continuously improving the speed and responsiveness of the search technology. A breakdown of the updated interface:

Activate Visual Search by selecting it under the Mode dropdown. At this point, three cards will auto-populate, proactively identifying anomalies from your data. For each data set, we brainstormed with security teams, including our own, to map out interesting starter queries.

You can click on the gear to edit, copy, or remove the card. This is the same architecture as the cards in Dashboards, so the suggested queries can improve your LEQL skills and help you see your data differently. From here, you can click into any of the bars or data points on the card to drill further. For example, for the “Group by destination_port” card, we can click on the 5666 bar. It automatically performs the search query, where(destination_port=5666).

Visual Search is a great first step in highlighting “where to look”. As each data set is enriched with user and location data, this feature really highlights the user behavior analytics core in InsightIDR. These cards wouldn’t be possible to populate from the raw log data alone. By proactively identifying anomalies tailored to each data set, and guiding you towards LEQL search strings, you can find answers while gaining skill along the way. If you don’t have InsightIDR, but would like to know how customers are using the combined UBA+SIEM+EDR capabilities, head over to our interactive product tour to explore top use-cases.

You've Got 0-Day!

Hey all, it feels like it's been forever since I wrote a blog post that wasn't about some specific disaster currently consuming the Internet, so I just wanted to drop a note here about how I'll be speaking at UNITED 2017, Rapid7's annual security summit in Boston September 11-14. Specifically, I'll be closing out the Research and Collaborate track at UNITED on a topic near and dear to my heart: the vagaries of vulnerability disclosure. Vuln disclosure is a funny business; when you're on the receiving side, it's at best some unwelcome news about some bug in your product that's putting your customers at risk. If you're on the giving side, it's pretty much an invitation for angry letters from CTOs and their attorneys. So why bother? Turns out, despite all the emotional pain associated with it, reasonable vulnerability disclosure is pretty much the most effective tool we have to make the internet-connected products and services we produce and use that much stronger in the face of an increasingly hostile public network. We need vuln disclosure conversations in order to get better at what we do, since it's literally impossible to write, assemble, package, and deliver software of any complexity completely vulnerability-free on the first try. So, the goal of this talk is to share some stories about my experiences in vuln handling from both sides. As director of research here at Rapid7, I'm often the first point of contact for software and technology vendors when one of our researchers uncovers a vulnerability. On the flip side, I also get notifications about Rapid7 product bugs from security@rapid7.com, so I spend a fraction of my work life helping to get those bits of nastiness resolved. If you're looking for tips and advice on how to handle vulnerability disclosures—either as a discoverer, or as someone responsible for patching shipping software—then I hope my experiences will give you some insight into how this surprisingly emotion-driven business of disclosure works. 
Haven't yet signed up to join us at UNITED this year? Register here.

Top Reasons for Graduate Students to Attend UNITED

The countdown is on to Rapid7's annual UNITED Summit in Boston on September 13-14. Rapid7 has partnered with top universities all over the globe to provide students with industry-leading security solutions as part of their coursework, equipping them with hands-on knowledge as they head into the workforce. This year, for the first time, Rapid7 is expanding its Higher Education Program and providing scholarships to allow select graduate students in cybersecurity Master's and PhD programs to attend UNITED. Read on for what students stand to gain from joining us at UNITED (or just skip down to the bottom and apply now!).

Top Reasons for Students to Attend UNITED

We can think of a lot more reasons to attend UNITED's inaugural year of student programming, but for the sake of time, we've narrowed this list down to the top three:

1. UNITED is a great place to network with other students, cybersecurity practitioners, and thought leaders. We'll have pen testers, incident responders, and other practitioners eager to share their knowledge (not to mention Metasploit developers!). Whether you're looking for a job or just aiming to hone your skills, networking and learning opportunities abound at UNITED. Local to Boston? We're always looking for great talent.

2. Rapid7 is fueled by research. Whether it's through our Heisenberg project, threat intelligence, Project Sonar, or one of the many other research and open source projects we support, we're constantly thinking about how we can inform and advance the community. At UNITED, you'll be able to attend workshops that explore the data and philosophies behind these projects. Brainstorm with our researchers or have a deep-dive discussion with our data scientists—there will be plenty of time to seek out people who are leading their fields in security research and beyond.

3. Want to meet and learn from the Metasploit team? UNITED is your perfect chance: In addition to talking shop with the people who make the world's de facto framework for penetration testing, Metasploit is hosting an exclusive CTF (Capture the Flag) competition at UNITED. Learn how to hack with the best, and win prizes doing it.

I want to attend! How do I get in on this?

For more information and to confirm eligibility, contact us here with your name, school, the degree program in which you're enrolled, and what you're hoping to gain from attending.

Want to learn more about our Higher Education Program?

We are committed to solving the information security talent gap and training the next generation of cybersecurity professionals. Learn more here.

Not a student but still want to attend UNITED? See the full agenda and register here!

Metasploit Wrapup

Slowloris: SMB edition

Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an exploit module for fulfilling your SMBLoris needs.

The Adventure of LNK

Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.

Would you like RCE with your PDF (reader)?

If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE.

Jenkins, tell me your secrets...

If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try.

And more!

We've also:

- enabled ed25519 support with net-ssh
- added better error handling for the EternalBlue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!)

New Modules

Exploit modules (2 new)

- LNK Code Execution Vulnerability by Uncredited and Yorick Koster exploits CVE-2017-8464
- Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442

Auxiliary and post modules (2 new)

- SMBLoris NBSS Denial of Service by thelightcosine
- Jenkins Credential Collector by thesubtlety

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

- Pull Requests 4.15.4...4.15.6
- Full diff 4.15.4...4.15.6

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Hack with Metasploit: Announcing the UNITED 2017 CTF

Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit, we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven't already done so, register for UNITED!

Our UNITED competition isn't your average CTF. Why? Because this CTF is designed and hosted by the Metasploit team. That means two things: First, if you need a hand learning the ropes or help reverse-engineering an exceptionally tricky flag, you'll have access to the foremost experts in the offensive security field. Second, you'll be the first members of the public to test out the brand new Metasploitable3 Linux vulnerable machine. The Metasploit team has been waiting to debut a Linux version of Metasploitable, and we can't think of a better opportunity than UNITED to do it.

Details

The competition will kick off September 13, 2017 at 1:15 PM EDT at the inaugural workshop in UNITED's Phish, Pwn, and Pivot track: A Hands-on Introduction to Capture the Flag (CTF) Competitions Using Metasploitable (aptly named). Flag-capturing will end at 2:15 PM September 14, when we'll present awards and host discussion on advanced tactics for all the future CTFs you'll be able to dominate. New to CTF competitions? Be sure to attend the hands-on introduction. Already captured, like, a million flags in your career? You don't need to attend sessions to participate—just connect to the competition infrastructure and get to work! Metasploit experts will be available to all participants during the conference, both in and outside of the sessions.

OK, what can I win?

Prizes will be awarded to the top three competitors.

Top prize: Two complimentary passes to UNITED 2018, a HAK5 ESSENTIALS FIELD KIT, and a T-shirt.

Second place: A HAK5 WIFI PINEAPPLE (NANO Basic) and a T-shirt.

Third place: A HAK5 USB RUBBER DUCKY and a T-shirt.

What do I need to participate?

A desire to learn, perseverance, and a laptop with WiFi capabilities. You will need to generate an SSH key pair and connect to the competition infrastructure via SSH. To generate your keys, follow these tutorials:

Windows: https://www.ssh.com/ssh/putty/windows/puttygen

Ubuntu and OS X: https://www.ssh.com/ssh/keygen/

Never generated an SSH key pair before? We can help you when you arrive! If you are using Windows please download PuTTY and PuTTYgen in advance.

We look forward to seeing you at UNITED 2017 for what's basically guaranteed to be the coolest CTF in the history of flags and competitions. Haven't yet registered for UNITED? Fix that here—or contact your Rapid7 Account Executive or Customer Success Manager. You can explore more of UNITED 2017's lineup of speakers, trainings, and track sessions here.

Remote Desktop Protocol (RDP) Exposure

The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer. RDP client and server support has been present in varying capacities in most every Windows version since NT. Outside of Microsoft's offerings, there are RDP clients available for most other operating systems. If the nitty gritty of protocols is your thing, Wikipedia's Remote Desktop Protocol article is a good start on your way to a trove of TechNet articles. RDP is essentially a protocol for dangling your keyboard, mouse and a display for others to use. As you might expect, a juicy protocol like this has a variety of knobs used to control its security capabilities, including controlling user authentication, what encryption is used, and more. The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default. If you are interested in reading more about securing RDP, UC Berkeley has put together a helpful guide, and Tom Sellers, prior to joining Rapid7, wrote about specific risks related to RDP and how to address them. RDP's history from a security perspective is varied. 
Since at least 2002 there have been 20 Microsoft security updates specifically related to RDP and at least 24 separate CVEs:

- MS99-028: Terminal Server Connection Request Flooding Vulnerability
- MS00-087: Terminal Server Login Buffer Overflow Vulnerability
- MS01-052: Invalid RDP Data Can Cause Terminal Service Failure
- MS02-051: Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure
- MS05-041: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
- MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution
- MS11-017: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
- MS11-061: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege
- MS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution
- MS12-036: Vulnerability in Remote Desktop Could Allow Remote Code Execution
- MS12-053: Vulnerability in Remote Desktop Could Allow Remote Code Execution
- MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
- MS14-030: Vulnerability in Remote Desktop Could Allow Tampering
- MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass
- MS15-030: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
- MS15-067: Vulnerability in RDP Could Allow Remote Code Execution
- MS15-082: Vulnerabilities in RDP Could Allow Remote Code Execution
- MS16-017: Security Update for Remote Desktop Display Driver to Address Elevation of Privilege
- MS16-067: Security Update for Volume Manager Driver

In more recent times, the Esteemaudit exploit was found as part of the ShadowBrokers leak targeting RDP on Windows 2003 and XP systems, and was perhaps the reason for the most recent RDP vulnerability addressed in CVE-2017-0176.
RDP is disabled by default for all versions of Windows but is very commonly exposed in internal networks for ease of use in a variety of duties like administration and support. I can't think of a place where I've worked where it wasn't used in some capacity. There is no denying the convenience it provides. RDP also finds itself exposed on the public internet more often than you might think. Depending on how RDP is configured, exposing it on the public internet ranges from suicidal on the weak end to not-too-unreasonable on the other. It is easy to simply suggest that proper firewall rules or ACLs restricting RDP access to all but trusted IPs is sufficient protection, but all that extra security only gets in the way when Bob-from-Accounting's IP address changes weekly. Sure, a VPN might be something that RDP could hide behind and be considerably more secure, but you could also argue that a highly secured RDP endpoint on the public internet is comparable security-wise to a VPN. And when your security-unsavvy family members or friends need help from afar, enabling RDP is definitely an option that is frequently chosen. There have also been reports that scammers have been using RDP as part of their attacks, often convincing unwary users to enable RDP so that “remote support” can be provided. As you can see and imagine, there are all manner of ways that RDP could end up exposed on the public internet, deliberately or otherwise. It should come as no surprise, then, to learn that we've been doing some poking at the global exposure of RDP on the public IPv4 internet as part of Rapid7 Labs' Project Sonar. Labs first looked at the abuse of RDP from a honeypot's perspective as part of the Attackers Dictionary research published last year. Around the same time, in early 2016, Sonar observed 10.8 million supposedly open RDP endpoints.
As part of the research for Rapid7's 2016 National Exposure Index, we observed 9 million and 9.4 million supposedly open RDP endpoints in our two measurements in the second quarter of 2016. More recently, as part of the 2017 National Exposure Index, in the first quarter of 2017, Sonar observed 7.2 million supposedly open RDP endpoints. Exposing an endpoint is one thing, but actually exposing the protocol in question is where the bulk of the risk comes from. As part of running Sonar, we frequently see a variety of honeypots, tarpits, IPs or other security devices that will make it appear as if an endpoint is open when it really isn't—or when it really isn't speaking the protocol you are expecting. As such, I'm always skeptical of these initial numbers. Surely there aren't really 7-10 million systems exposing RDP on the public internet. Right? Recently, we launched a Sonar study in order to shed more light on the number of systems actually exposing RDP on the public internet. We built on the previous RDP studies, which were simple zmap SYN scans, by following up with a full connection to each IP that responded positively and attempting the first in a series of protocol exchanges that occur when an RDP client first contacts an RDP server. This simple, preliminary protocol negotiation mimics what modern RDP clients perform and is similar to what Nmap uses to identify RDP. This 19-byte RDP negotiation request should elicit a response from almost every valid RDP configuration it encounters, from the default (less secure) settings of older RDP versions to the NLA and SSL/TLS requirements of newer defaults: We analyzed the responses, tallying any that appeared to be from RDP-speaking endpoints, counting both error messages indicating possible client- or server-side configuration issues as well as success messages. The result: 11 million open 3389/TCP endpoints, and 4.1 million of them responded in such a way that they were speaking RDP in some manner or another.
This number is shockingly high when you remember that this protocol is effectively a way to expose keyboard, mouse and ultimately a Windows desktop over the network. Furthermore, any RDP-speaking endpoints discovered by this Sonar study are not applying basic firewall rules or ACLs to protect this service, which brings into question whether or not any of the other basic security practices have been applied to these endpoints. Given the myriad ways that RDP could end up exposed on the public Internet as observed in this recent Sonar study, it is hard to say why any one country would have more RDP exposed than another at first glance, but clearly the United States and China have something different going on than everyone else: Looked at from a different angle, by examining the organizations that own the IPs with exposed RDP endpoints, things start to become much clearer: The vast majority of these providers are known to be cloud, virtual, or physical hosting providers where remote access to a Windows machine is a frequent necessity; it's no surprise, therefore, that they dominate exposure. We can draw further conclusions by examining the RDP responses we received. Amazingly, over 83% of the RDP endpoints we identified indicated that they were willing to proceed with CredSSP as the security protocol, implying that the endpoint is willing to use one of the more secure protocols to authenticate and protect the RDP session. A small handful in the few thousand range selected SSL/TLS. Just over 15% indicated that they didn't support SSL/TLS (despite our also proposing CredSSP…) or that they only supported the legacy “Standard RDP Security”, which is susceptible to man-in-the-middle attacks. Over 80% of exposed endpoints supporting common means for securing RDP sessions is rather impressive. Is this a glimmer of hope for the arguably high number of exposed RDP endpoints?
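To make the negotiation step and the response tallying above concrete, here is an added Python example; it is not Rapid7's Sonar code or the post's own, and the sample replies are constructed rather than captured from real hosts. It builds the 19-byte X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS or CredSSP (the same shape Nmap's RDP probe sends), then classifies a server's reply the way the study tallies them: CredSSP selected, TLS selected, a negotiation failure such as "TLS not allowed", a legacy server that only speaks Standard RDP Security (it answers with a bare Connection Confirm and no negotiation block), or something that is not RDP at all. Field layouts and constants follow MS-RDPBCGR; the `probe()` helper is for checking an endpoint you are responsible for and is not exercised by the offline sample data.

```python
"""Build an RDP negotiation request and classify the server's reply.

Added example (not Sonar's or the post's code). Layouts per MS-RDPBCGR:
TPKT (RFC 1006) + X.224 Connection Request/Confirm + RDP_NEG_REQ/RSP/FAILURE.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flag values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # Standard RDP Security (legacy, MitM-prone)
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard_rdp_security",
    PROTOCOL_SSL: "tls",
    PROTOCOL_HYBRID: "credssp",
    PROTOCOL_HYBRID_EX: "credssp_ex",
}


def build_negotiation_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT(4) + X.224 CR(7) + RDP_NEG_REQ(8) = the 19-byte probe."""
    # RDP_NEG_REQ: type, flags, length (little-endian), requestedProtocols
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    # X.224 CR: LI=14 (6 header bytes + 8 bytes of negotiation data),
    # code 0xE0 (Connection Request), DST-REF, SRC-REF, class 0
    x224_cr = bytes([0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00])
    body = x224_cr + neg_req
    tpkt = struct.pack(">BBH", 0x03, 0x00, 4 + len(body))  # version 3, reserved, length
    return tpkt + body


def classify_negotiation_response(data: bytes) -> dict:
    """Classify a reply to the request above (a parsed dict, see label())."""
    if len(data) < 11 or data[0] != 0x03:
        return {"rdp": False, "result": "not_rdp"}
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:  # X.224 Connection Confirm TPDU code
        return {"rdp": False, "result": "not_rdp"}
    if tpkt_len == 11 and li == 6:
        # Bare Connection Confirm with no RDP_NEG_RSP: the server predates
        # protocol negotiation and only does Standard RDP Security.
        return {"rdp": True, "result": "standard_rdp_security_only"}
    if tpkt_len < 19 or len(data) < 19:
        return {"rdp": True, "result": "truncated"}
    typ, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if typ == TYPE_RDP_NEG_RSP:
        name = PROTOCOL_NAMES.get(value, "unknown(0x%x)" % value)
        return {"rdp": True, "result": "selected", "protocol": name}
    if typ == TYPE_RDP_NEG_FAILURE:
        code_name = FAILURE_CODES.get(value, "unknown(%d)" % value)
        return {"rdp": True, "result": "failure", "code": code_name}
    return {"rdp": True, "result": "unexpected_type(%d)" % typ}


def label(data: bytes) -> str:
    """Flatten the classification into one tally bucket."""
    c = classify_negotiation_response(data)
    if c["result"] == "selected":
        return c["protocol"]
    if c["result"] == "failure":
        return "failure:" + c["code"]
    return c["result"]


def tally(replies) -> dict:
    """Count replies per bucket, as the study did across its responders."""
    counts = {}
    for reply in replies:
        key = label(reply)
        counts[key] = counts.get(key, 0) + 1
    return counts


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Send the request to one endpoint you own and label its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiation_request())
        return label(s.recv(64))


# Constructed sample replies (not captured from real hosts)
SAMPLE_CREDSSP = bytes.fromhex("030000130ed000001234000200080002000000")
SAMPLE_TLS_NOT_ALLOWED = bytes.fromhex("030000130ed000001234000300080002000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
SAMPLE_NOT_RDP = b"SSH-2.0-OpenSSH_7.4\r\n"

if __name__ == "__main__":
    print(build_negotiation_request().hex())
    print(tally([SAMPLE_CREDSSP, SAMPLE_CREDSSP, SAMPLE_TLS_NOT_ALLOWED,
                 SAMPLE_LEGACY, SAMPLE_NOT_RDP]))
```

The "standard_rdp_security_only" and "failure:SSL_NOT_ALLOWED_BY_SERVER" buckets correspond to the 15% the post describes as lacking TLS or stuck on legacy security; an endpoint landing there is the one to prioritise for NLA enforcement or removal from the public edge. As the post notes, a CredSSP selection only shows what the server prefers when the client offers it, not that weaker options are disabled.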
Areas for potential future research could include:

- Security protocols and supported encryption levels. Nmap has an NSE script that will enumerate the security protocols and encryption levels available for RDP. While 83% of the RDP-speaking endpoints support CredSSP, this does not mean that they don't also support less secure options; it just means that if a client is willing, they can take the more secure route.
- When TLS/SSL or CredSSP are involved, are organizations following best practices with regard to certificates, including self-signed certificates (perhaps leading to MiTM?), expiration, and weak algorithms?
- Exploring the functionality of RDP in non-Microsoft client and server implementations

Rapid7's InsightVM and Metasploit have fingerprinting coverage to identify RDP, and InsightVM has vulnerability coverage for all of the above mentioned RDP vulnerabilities. Interested in this RDP research? Have ideas for more? Want to collaborate? We'd love to hear from you, either in the comments below or at research@rapid7.com.
