Rapid7 Blog

Social Engineering  

Federal Friday - 6.13.14 - New Group, Same Story

Happy Friday, Federal friends! It's another lovely Fall day here in Beantown, but I hope each of you is enjoying your early Summer weather. Some exciting news: Rapid7 was named one of the Top Places to Work by the Boston Business Journal (#11 Mid-size company)!

I'm going to keep it short and sweet today, considering this is a topic I've covered before. Given the news stemming from a new CrowdStrike report, there is yet another group out of the Far East that has successfully attacked government networks for years. How'd they do it? Well, they attacked your most vulnerable assets to gain access to the information they were looking for. No, they didn't use a 0-day, an XP vuln or any OpenSSL back-doors. So, what did they target then? To put it simply, they went after your employees, and they're continuing to do so. While this new group was identified, and their tactics might differ slightly, the theme is the same: focus on the people and they'll show you right in the open door.

This campaign, in particular, focused on closely-guarded satellite technology. The targets were government employees and contractors who were either attending or looking to attend industry conferences. They were duped with slick-looking attachments that looked like conference information, local tourist hot-spots and even yoga brochures. Once they clicked, they and your network were compromised.

So, what can you do?

Communicate, communicate, communicate. In fact, over-communicate. While it's a herculean task to change the mindset and work-flows of your employees at large, your focus should be a top-down approach. Your C-level and management folks, aside from sysadmins, tend to pose the most risk to your networks. That being said, highlighting the specific risk compromised credentials pose to your critical systems is a language decision makers should understand. The higher up the chain you can get, the more impact a conversation about risk has.

Once you can convince the higher-ups of the risk the network faces, it's up to them to disseminate the information down through the organization. While this is a difficult conversation to broach, it's your charge to secure your networks, and at the end of the day people are a big part of that.

Change is constant, threats are persistent. Stay vigilant.

Tom Hanks is keeping watch for new and unusual tactics.

Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast

In this week's webcast, Lital Asher-Dotan and ckirsch tackled the hot topic, “Live Bait: How to Prevent, Detect, and Respond to Phishing Emails”. Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations Report on the most common attack vectors. Phishing attacks are often successful because it only takes an error on the part of one user to compromise an entire organization. Read on to learn what security professionals should focus on to prevent, detect, and respond to phishing attacks effectively:

1. Phishing = Low Risk & Great ROI for attackers – Phishing is cheap & effective. Compared to Wi-Fi hacking, where attackers must be in close proximity to the target, phishing allows them to infiltrate an organization from anywhere in the world. Plus, phishing costs virtually nothing compared to using something like 0-day exploits. Assets are generally better protected than users, so users are a soft spot, and the success rate of these attacks is high. It only takes one mistake from one person to succeed.

2. Use every resource at your disposal to prevent phishing attacks (technology AND training) – Identify and remediate client-side vulnerabilities to figure out what controls you should have in place as a baseline, and simulate social engineering campaigns to measure user awareness of the issue. The goal of these campaigns should be to educate the user rather than punish them for falling for a simulated phishing attack. Emphasizing how susceptibility to these attacks will affect the security of personal data on top of company data always helps.

3. It's not a question of if you'll be attacked but when you'll be attacked – It is not possible to prevent all phishing campaigns. Even the best-educated users will have a slip-up, especially since spear phishing attempts are extremely sophisticated and targeted. Compromising one user account through phishing is just the first foothold for an attacker to infiltrate an entire network.

4. Detection & Investigation must be a constant, pro-active process – Security teams should know where to look to detect a breach. You must be able to reduce distracting false positives and shorten time to containment as much as possible. Monitor for abnormal user activity (administrator and executive accounts are common targets) such as escalation of privileges, data exfiltration, and logging in from remote or multiple locations at once.

To learn more about the techniques and technologies that will help you every step of the way during prevention, detection, and investigation of inevitable phishing attacks on your organization, view the webcast now.
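The fourth takeaway names three signals worth watching for a phished account: privilege escalation, logins from multiple locations at once, and unusual logins by watched (admin or executive) accounts. The following is an added example, not from the webcast or any Rapid7 product, that runs those three checks over constructed key=value log lines; the log format, the watch list and the sensitive-group names are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (ISO timestamp followed by key=value pairs); not real data.
SAMPLE_LOGS = """\
2014-06-10T08:02:11Z event=login user=jdoe src=203.0.113.10 geo=US-MA result=success
2014-06-10T08:05:40Z event=login user=jdoe src=198.51.100.7 geo=DE-BE result=success
2014-06-10T08:10:02Z event=privilege user=jdoe action=added_to_group group="Domain Admins"
2014-06-10T09:00:00Z event=login user=asmith src=203.0.113.11 geo=US-MA result=success
2014-06-10T17:30:00Z event=login user=asmith src=203.0.113.11 geo=US-MA result=success
2014-06-10T18:00:00Z event=login user=ceo src=192.0.2.50 geo=US-MA result=success
2014-06-11T02:30:00Z event=login user=ceo src=192.0.2.51 geo=CN-SH result=failure
2014-06-11T02:31:10Z event=login user=ceo src=192.0.2.51 geo=CN-SH result=success
"""

# Assumed watch list (executive and admin accounts) and assumed sensitive groups.
WATCHLIST = {"ceo", "administrator"}
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    time: datetime
    fields: dict


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV_RE.finditer(rest)}
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields))
    return sorted(events, key=lambda e: e.time)


def _successful_logins(events):
    for e in events:
        f = e.fields
        if f.get("event") == "login" and f.get("result") == "success":
            yield e.time, f.get("user", "?"), f.get("geo", "?")


def multi_location_logins(events, window_minutes=60):
    """One account logged in from two different locations within the window."""
    alerts, last = [], {}  # last successful (time, geo) per user
    for when, user, geo in _successful_logins(events):
        prev = last.get(user)
        if prev and prev[1] != geo and when - prev[0] <= timedelta(minutes=window_minutes):
            gap = int((when - prev[0]).total_seconds() // 60)
            alerts.append(Alert("multi_location_login", user,
                                f"{prev[1]} then {geo} within {gap} min"))
        last[user] = (when, geo)
    return alerts


def privilege_escalations(events, sensitive=SENSITIVE_GROUPS):
    """An account was added to a sensitive group."""
    return [Alert("privilege_escalation", e.fields.get("user", "?"),
                  f"added to {e.fields.get('group')}")
            for e in events
            if e.fields.get("event") == "privilege"
            and e.fields.get("action") == "added_to_group"
            and e.fields.get("group") in sensitive]


def new_location_for_watched(events, watchlist=WATCHLIST):
    """A watched account logged in from a location not seen before for it.
    The first login of each account seeds its baseline and raises no alert."""
    alerts, seen = [], {}
    for _, user, geo in _successful_logins(events):
        if user not in watchlist:
            continue
        known = seen.setdefault(user, set())
        if known and geo not in known:
            alerts.append(Alert("new_location_watched_account", user,
                                f"first login from {geo}; known locations {sorted(known)}"))
        known.add(geo)
    return alerts


def triage(text, window_minutes=60):
    """Run all three checks over raw log text and return the alerts in rule order."""
    events = parse_log(text)
    return (multi_location_logins(events, window_minutes)
            + privilege_escalations(events)
            + new_location_for_watched(events))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

The sample produces three alerts: jdoe logging in from two countries three minutes apart, jdoe being added to Domain Admins, and the watched ceo account's first login from a new location (its failed attempt is ignored, and its two logins are too far apart for the concurrent-login rule).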

Federal Friday - 5.30.14 - Social Engineering from the Middle East

Happy Friday, Federal friends. You can tell it's almost Summah up here because it's been 50 and raining this week.

So, an interesting piece of news from an article on DarkReading this week regarding an ongoing campaign targeting government officials and contractors of both the US and Israel. This is a mash-up of social engineering techniques, from phishing to social network spoofing. The campaign, titled Newscaster, had the threat actors posing as legitimate members of the media who created fake LinkedIn, Facebook, Twitter, and YouTube accounts to validate their ruse. The malware used was rather basic, but the deceptive nature of creating these fake profiles and corresponding websites increased the sophistication level of the attack. This is something to take note of: Ajax spent most of their time creating slick social engineering tools, and less time on malware. They also got creative in how they attacked their targets by focusing on their friends and family within the social networks they were using for the campaign. While the technology behind the attacks was basic, these tools and tactics were creative enough to ensnare 2,000 people in their trap.

There is some silver lining out there, and it comes in the form of a penetration test. GCN had a nice piece this week from the Director of the Cyber Attack Prevention Division at Knowledge Consulting Group (KCG). He points out 6 vulnerabilities, both electronic and human, that a penetration test can highlight within your network. While the 6 steps listed below won't stop every attack, discovering them in your network and addressing your defined gaps is a tremendous way to immediately improve your security posture.

1. Pass-the-hash
2. Password reuse
3. Patch management
4. Unsupported legacy software
5. Insecure in-house developed applications
6. User awareness

Stay vigilant.

Michael Dudikoff is ready, are you?

Top 3 Takeaways from "7 Ways to Make Your Penetration Tests More Productive" Webcast

Earlier this week we heard from ckirsch, Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!) With the increase in high-profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about "7 Ways to Make Your Penetration Tests More Productive":

1. Pen testers are in higher demand than ever – Pen testers are extremely highly skilled professionals: hard to train, harder to find. With the latest developments to PCI enforcing stricter rules around penetration testing methodologies, remediation, and re-testing, pen test costs will be high and the tester's time will be extremely valuable, since schedules will book up quickly as organizations scramble to prepare for their audits. This means that security professionals must increase productivity and do more with the same resources, or use expertise in more meaningful ways to get the job done. Increased productivity will allow them to complete more assessments, reduce backlog, enable businesses more quickly, and increase their own market value.

2. Automation Scalability = Time Savings – With Metasploit Pro, pen testers can save 45% of their time through many simplified and expedited processes that don't sacrifice quality or thoroughness. You can even set up your own custom workflows to automate additional processes. In particular, the tool allows for automated:
   - Tracking of all data (large sets gathered by both Metasploit and outside sources included!)
   - Baseline pen tests
   - Web app tests
   - Vulnerability validation
   - Post-exploitation modules
   - Social engineering

3. Reporting is king – Reporting can be the biggest headache when it comes time to pen test your network. Metasploit Pro tracks every action of a pen test for easy audit trails. Some popular reports include compromised hosts, credentials, web app testing, PCI DSS, and FISMA. Features like this allow security professionals to be more efficient and focused fully on their assessment.

To learn how your organization can be more secure by making penetration test processes more productive, efficient, scalable, and automated, and to see a demonstration of how each of the 7 tips can be accomplished in Metasploit Pro, view the webcast on-demand now.

Rapid7: Coming to a city near you

We're taking this show on the road. Literally. This week our multi-city Rapid7 roadshow event, “Security at the Crossroads,” kicked off in New York and Minneapolis. Industry experts and fellow practitioners – including speakers from Forrester, Cardinal Innovations Healthcare Solutions, Vertex Pharmaceuticals, Porter Airlines, and TriNet – gathered to share security stories, strategies, and best practices. There isn't enough room to share all the takeaways from these two events, but here are some speaker sound bites (and stay tuned for pictures):

On why you can't just build a higher wall: “There's been an increase in deception-based attacks – attackers nowadays aren't just going to try to get over the wall, they're going to follow someone in the front door hoping nobody notices them.”

On being strategic when reporting threats and vulnerabilities to upper management: “Don't just drop information in their laps. Include evidence as to what you think is happening.”

On why users are the weakest link: “Productivity always wins. At the end of the day, employees [using cloud services] are just trying to get the job done.”

On social engineering threats: “Attackers will ask, ‘How do I attack someone without creating a lot of noise?' It's always easier to call and ask for a password versus trying to crack it.”

On knowing your organization's weaknesses: “Nobody will try breaking in through a window if your front door is open.”

If any of this sparks your interest, there's still time to register for Santa Monica, Washington DC, or Phoenix. Did we mention attendance is free? Oh, and also you get 6 CPE credits. Hope to see you there!

Social Engineering: Would You Fall For This Phone Call?

Cyber criminals don't always need a keyboard to hack into your bank account or company network. In fact, a lot of attacks start with a simple phone call. Typically, the attackers are either trying to get information out of you or to make you do something. This is a technique they call social engineering.

I've read a lot about social engineering over the years, since it's a personal area of interest. It can be used by a bunch of different occupations, such as FBI interrogators, con artists, sales reps, performers and - yes - marketers such as myself. (I hope this won't stop you believing me!)

I've used and spotted social engineering techniques here and there over the years, but it never truly hit home how vulnerable we all are until I sat in on a few calls in the Social Engineering Village at DefCon, organized by Chris Hadnagy over at social-engineer.org. I watched three volunteers phone into Fortune 500 companies - a large computer manufacturer and a giant selling household appliances. The volunteers had to elicit 40 pieces of information (called flags) from the targets in 20 minutes, using only publicly available information to start with. Flags included seemingly inconspicuous things like their browser and version, their physical security company, where they typically go for lunch, and getting them to surf to a specific website. I was floored when one smart lady did it not once, but twice in 20 minutes - simply wrapped in pleasant conversation. Once a malicious attacker is armed with this information, it won't take long for them to breach the network.

So how can you avoid getting social-engineered? Here are some tips for you:

Don't divulge non-public information: Especially if you don't know the caller and it's an incoming call, don't disclose any information on the phone that the caller couldn't also get from a public record such as your website. If they ask something you're not comfortable sharing, stay courteous and ask them why this piece of information is important to them. If in doubt, check with your manager or your security officer.

Don't trust referrals given by the caller: Often, social engineers will call around a company and ask who's the best person to speak to about a certain topic. Your colleagues may point them in your direction. When they call you, they'll say "Linda said you'll be able to help me with this." Don't assume that Linda knows the caller or that she has vetted him. Call her and ask her how well she knows the caller.

Get third-party confirmation: If someone calls you, ask them about the company they're calling from, google the company and call them back. Don't take the number they give you as proof - do your own third-party research.

Don't trust Caller ID: Caller ID is great to let you know who's calling, but it's really easy to spoof a number. It's easy and cheap. Don't believe me? Try it out for free in 5 minutes on http://www.spoofcard.com/

Don't make exceptions just because you like them: Social engineers know what it takes to make you like them. For example, they will claim to have things in common with you. "Oh, I also went to Cornell. I had such a great time there!" They may even research some of your background on Facebook, Twitter, and LinkedIn to claim these commonalities before you even mention them. Another great way to build the relationship quickly is if they do you a favor and you feel you have to reciprocate. You may feel like a jerk doing it, but you can politely decline to return the favor and feel better - and safer - afterwards.

Don't blindly follow their instructions: At DefCon, I also watched Kevin Mitnick, a well-known social engineering expert, do a live call on stage. He had permission from the company to call 5 of their employees. The first three calls went to voicemail; the fourth one picked up. Pretending to be a colleague from the HR department, he said that the employee had to approve the new health & benefits small print. Kevin got the user to type in a URL in his browser and to accept a Java applet to run on the machine. At that moment, the audience saw the user's computer connecting to the presenter's computer, giving the presenter full control over the user's machine - unknown to the user. Remember this story next time someone asks you to type a URL into your browser or type something in the command line.

Urgency and bad things: The previous example also serves as another great lesson: social engineers often tell you to do something to avoid a negative outcome. "Enter the link or you won't get this week's paycheck. You have to do it now, because our cut-off is in the next 90 minutes."

Social engineers don't restrict themselves to the phone but also use faxes, letters, email, or show up in person at one of your offices, so be on your guard!

Social-Engineer CTF Report Released

For the last five years, the team at Social-Engineer have been bringing one of the most exciting events to DEF CON: the Social Engineering Capture the Flag. The contest was designed to help bring awareness to the world about how dangerous social engineering can be. In our 5th year, the competition was fierce and the report is the best we have ever released.

This year a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric.

In the first segment of the competition, contestants were given two weeks to gather as much intelligence about their target as possible, using information obtained only through Google, LinkedIn, Flickr, Facebook, Twitter, the corporate websites and other internet sites. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible, but could not contact the company or its employees.

Contestants then performed a live call portion of the event during DEF CON 21. In this segment of the competition, social engineers used pretexts established in the information-gathering phase to call employees of the company to further elicit information.

Our Findings

Even though social engineering has received major press, as well as been the topic for discussions amongst the security community and corporate America, it still proves to be a major threat and the easiest way into most companies. For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company's employee-only online portal. It's disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.

Below are some of the statistics from the report.

Top flags gathered in the 2013 SECTF competition

1. Specific Internet browser
2. Operating system information
3. Information on corporate wireless access
4. Confirmation of a corporate Virtual Private Network (VPN)
5. Presence of an onsite cafeteria

These flags can be used by attackers to build solid pretexting, phishing emails and phone scripts that could lead to a breach of the company.

Conclusions

Social engineering is a risk for every company and every person. It is the easiest vector for attack, as humans want to trust other humans. Malicious social engineers utilize inherent human traits to trick unsuspecting targets into taking an action that is NOT in their best interest. Our goal always has been, and continues to be, ‘Security through Education.’

On Tuesday, Nov. 5, 2013 at 1:00 p.m. ET, the Social-Engineer Team will be holding a free webinar to discuss the results as well as steps to mitigate against social engineering attacks. To register for the webcast, visit https://attendee.gotowebinar.com/register/6320784838786225410.

To download a copy of the 2013 DEF CON SECTF report, please visit: http://www.social-engineer.org/defcon-21-sectf-report-download/

About Social-Engineer, Inc. – Security through Education

Social-Engineer, Inc. is the leading authority in the art and science of social engineering. Social-Engineer, Inc. is comprised of two segments. Social-Engineer.Org is an educational organization notable for developing the world's first social engineering framework and offering the latest social engineering news through our blog and monthly podcast. While maintaining this educational portion of our organization, we offer professional training and services supporting customers in government and private industry through Social-Engineer.Com.

Follow Social-Engineer, Inc. (@SocEngineerInc) on Twitter at https://twitter.com/SocEngineerInc or https://twitter.com/HumanHacker

We want to express our gratitude to companies like Rapid7 that help us spread this message and raise awareness.

The Threat Within: RiskRater User Risk Report

Last week, we released the third of three reports from our RiskRater research. The first two reports focused on mobile devices and endpoint devices. The latest report is centered around the risks posed by the one thing that no organization can operate without: users.

With the amount of protections in place at the perimeter, attackers have shifted much of their efforts toward social engineering in recent years. Unfortunately, two findings in our survey indicate that many organizations are ill-prepared for this change in attacker methodology:

- Only 2 out of 3 respondents conduct security awareness training in their organizations.
- Only 1 out of 3 organizations actively test the security awareness of their employees with simulated phishing campaigns.

It was encouraging to see that 9 out of 10 respondents have a password policy in place in their organizations, but our finding that only 56% of these same people audit password policy across all services is troublesome when you consider that attackers often only need one set of credentials to get in.

The full report is located here; please take a look.

You can see how your organization rates against our benchmarks with our free RiskRater tool, located here.

Social Media: Vector for the New Economic Attack?

The big news in security this week has been the hijacking of the Associated Press' Twitter account. The attackers leveraged the "bad news" atmosphere created by the events in Boston last week to gain some measure of credibility for a tweet about bombs exploding at the White House. This is not a particularly new approach: in 2007, the Storm Worm used bad news in an email subject to get people's attention (“230 dead as storm batters Europe”) and install malware on their machines.

The difference here is that the AP Twitter hack resulted in 4,000 retweets within 15 minutes, and the DOW dropped 143 points. It's not clear whether the latter was the motivation for the attack, but it does raise the question of whether we might see more social media attacks aimed at impacting the stock market in the future. The impact on the stock exchange may have only been momentary, but it was significant. This seems to me like it could potentially spawn a new attack trend with some pretty significant economic implications.

We have seen a number of high-profile brands targeted through their social media profiles. For instance, in February, Burger King's Twitter account was hacked and its photo was set to the McDonald's logo with a message stating that Burger King was sold to McDonald's. Fortunately, in addition to the merger tweet, the hacker tweeted other inappropriate things, so it was fairly obvious the account was hacked. And it is safe to say that the fast-food company's stock did not fluctuate wildly.

So the four things I would challenge individuals and organizations to consider are:

1. The power of social media tools and the impact they can have on your reputation, personally or at an organizational level. Organizations might want to consider developing a security/risk management strategy around these systems.

2. The criticality of good passwords on every account, not just those holding sensitive financial or company data. Use longer passwords (8-12 characters), don't reuse passwords across multiple sites, and use special characters. Also, don't use words obviously associated with you, your organization, or the site in question. For example, "Rapid7_Twitter_password" might be long and use special characters, but it's probably not the best bet for us!

3. The entry point for the attack was a spear-phishing email. These can be really hard to spot these days, so be wary in general of emails encouraging you to click on something or open something. Always check whether the "from" address looks right, and don't click on the link itself - open a browser and type in what you think the link should be based on logic. Bottom line: if in doubt, forward the email to your colleagues in security or IT, or else just ignore it.

4. Lastly, consider testing your users to measure their susceptibility to these kinds of attacks. For example, automated social engineering testing can help you identify training and education needs.
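The password advice in point 2 (length, special characters, no reuse across sites, no words tied to you, your organization or the site) can be turned into a simple audit check. This is an added example, not code from the post or from Rapid7: the substitution table, the `password`/`passwd` ban and the use of a SHA-256 digest to compare against passwords already used elsewhere are my assumptions, and the page's own "Rapid7_Twitter_password" is used as the failing input.

```python
import hashlib
import re

# Common digit/symbol substitutions undone before matching, so "R4p1d7" still
# matches "Rapid7" (both normalize to "rapidt"). Assumed table, not from the post.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Words that are "obviously associated" with any password, whatever the site.
ALWAYS_BANNED = ("password", "passwd")


def normalize(text):
    """Lowercase, undo substitutions, drop separators: 'Rapid7_Twitter' -> 'rapidttwitter'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def password_digest(password):
    """SHA-256 hex digest used only to compare a candidate against passwords already
    used on other sites, so the audit store never holds the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_password(password, context_words=(), known_digests=frozenset(), min_length=8):
    """Return the list of violations of the post's advice (empty list = passes).

    context_words: names tied to you, your organization or the site (e.g. 'Rapid7',
    'Twitter'); known_digests: digests of passwords you already use elsewhere."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    norm = normalize(password)
    for word in tuple(context_words) + ALWAYS_BANNED:
        # Skip very short context words; they would match almost anything.
        if len(word) >= 3 and normalize(word) in norm:
            problems.append(f"contains associated word {word!r}")
    if password_digest(password) in known_digests:
        problems.append("reused from another site")
    return problems


if __name__ == "__main__":
    for candidate in ("Rapid7_Twitter_password", "R4p1d7!Tw1tter", "correct horse battery staple!"):
        print(candidate, "->", audit_password(candidate, ["Rapid7", "Twitter"]) or "OK")
```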

New Metasploit 4.5: Manage Your Organization's Phishing Exposure

You can now get a better handle on your organization's exposure to phishing attacks: Metasploit Pro now gives you quick insight into risks and advice on how to reduce them. With today's new release, version 4.5, Metasploit Pro's social engineering features are no longer just for penetration testers but add a lot of value for more generalist security professionals. A handful of our customers already tested these new capabilities in a technical preview and were very excited about the experience, all rating it between 8 and 9 out of 10 points.

With Metasploit 4.5, you can control your organization's phishing exposure in three easy steps:

1. Go Phish: Simulate a phishing attack to get a fast overview of your risk exposure.
2. Identify weaknesses: Spot where your organization is the most vulnerable.
3. Control risks: Provide targeted security awareness training and tweak technical controls.

Phishing is often the initial attack vector of a data breach, for example in the recent South Carolina Department of Revenue data breach. You may already be conducting end-user trainings and implementing technical security controls to protect your data. However, do you know how widely your organization is exposed to phishing and which countermeasures actually reduce risk?

With Metasploit Pro, you can now measure the effectiveness of both security awareness trainings and technical security controls, and it provides metrics and recommendations on each step in the chain of compromise. For example, a click-through on an email points to a lack of security awareness, whereas an exploited browser indicates a technical problem. Reports contain both overview statistics and details about the risk level of each user and host.

You can direct users who fell for the simulated phishing email to an online training, where they can learn to spot and correctly handle phishing emails in the future. Alternatively, administrators can consult the Metasploit social engineering report to follow up with individuals by email or in person.

Attackers often set up fake websites for phishing. With Metasploit Pro, you can easily clone a website: just enter the URL. Metasploit automatically changes forms to capture user input, and adds client-side exploits if desired. You can also test end-user security awareness by creating malicious files on USB flash drives that can be left in the company parking lot or restrooms as bait. Metasploit's social engineering functionality can also be used for penetration testing engagements to compromise one or more computers as a starting point for a more comprehensive security assessment. If you are a penetration tester familiar with Metasploit's social engineering campaigns, you will be very happy about the usability improvements we've added in this release.

Unlike alternative penetration testing solutions, Metasploit Pro's social engineering reports provide conversion rates at each step in the campaign funnel, such as how many people clicked through a phishing email, how many entered a username and password on a fake website, and how many systems were compromised. Only Metasploit provides advice on how to address risk at each step in the social engineering funnel.

While some phishing simulation services can only measure user awareness, Metasploit Pro can also measure the effectiveness of technical controls. If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.

Here's what Shane Clancy, Principal at Crosslin Technology, said about the new release after they tested it as part of the tech preview:

“Within the world of information security, it is well understood that prevention is less expensive than recovery from a compromise. What doesn't appear to be as clearly understood is the return on an investment for something like Metasploit. Instead of spending money and valuable time on an array of tools that will indicate that vulnerabilities might exist within an environment, it is possible to actually validate which weaknesses truly exist and begin the remediation process with a single software package. As an example, phishing messages are often attack vectors used by attackers and are frequently the subject of annual information security training – yet they still continue to prove effective for the attackers. Metasploit allows Crosslin Technologies to provide our customers with real-world examples of how attacks, including phishing, are executed against their environments and moves the remediation approach from an academic subject in an annual training presentation to tangible lessons learned.

“When information security is viewed as a means to manage an organization's risk, as opposed to simply meeting minimum compliance standards, the value presented by Metasploit and its ability to enable measurable change in the security posture of an organization is unmistakable.”

Want to measure how vulnerable your organization is to phishing attacks? Download the fully featured Metasploit Pro trial and run a phishing campaign today - you'll get the results within a couple of hours of sending out the emails!

Today's Metasploit 4.5.0 release also includes 95 new exploits, 72 new auxiliary modules, and 13 new post modules over the 4.4.0 release, for a grand total of 180 new modules, all of which are available in all Metasploit editions and detailed in the release notes.

Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit


Thanks to the many CISOs and security engineers who attended our recent webcast, in which I presented some practical advice on how to leverage Metasploit to conduct regular security reviews that address current attack vectors. While Metasploit is often used for penetration testing projects, this presentation focuses on leveraging Metasploit for ongoing security assessments that can be carried out by a small security team to reduce the risk of a data breach.

This webcast is now available for on-demand viewing.

What you'll learn in this webcast:
- Recent attack trends and how they matter to your business
- Automating penetration tests to prevent untargeted, automated attacks
- Quick and easy ways to verify vulnerabilities reported by your vulnerability assessment program so you can focus your limited resources where they have the most impact
- Conducting regular password audits that require minimal effort to set up and maintain
- Running social engineering campaigns to measure security awareness in an enterprise
- Audience questions answered in this webcast

View the Security Programs with Metasploit Webcast Now

Man on the SecurityStreet - Day 2 Continued.


It's your favorite reporter in the field, Patrick Hellen, reporting back with some more updates from our speaking tracks at the UNITED Summit.

Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation called Going on the Offensive - Proactive Measures in Security your Company. Just like HD's earlier presentation, we had our staff artist plot out the entire speech, which you can see attached below.

When I say entertaining: the previous talk track was a debate session that Dave also participated in, and if the audience did not agree with your point, you had to drink scotch. Dave, if you read this, I'm impressed at your ability to stay focused, on track, and to keep the room engaged.

The topic itself, a proactive approach to infosec problems, is not new of course, but Dave's point is that neither is our approach to security. We generally find our security teams in a bind, in that they're stuck trying to secure problems from two years ago, with no downside for the hackers themselves. In today's world, it's apparently far more profitable to be a hacker than it is to be a drug dealer. He presented a stat that in 2011, the profits that drug trafficking took in were 372 billion, with all the risks of death and jail time. Also in 2011, hacking uncovered 678 billion in stolen money/information, with almost zero chance of being killed, and far less severe criminal sentencing.

He also made the point that we see more and more breaches occurring, and more and more money being spent on security, and yet still more breaches occurring and yet still more money being spent on security. In his case, the attack vector he's going to take to get into and take over a system? The users, of course.

Social Engineering = something you can train against, but not something you can really purchase your way out of.

He did touch on several more subjects, including the risk of Cloud computing and his very frank opinions on APT, and how security professionals should keep things simple, all of which you can take a look at when we post the slides and information from all of our talk tracks here on SecurityStreet in the near future.

Next up, beer tasting. I want to make sure I'm on time for that event.

Best,
-P.

Man on the SecurityStreet - UNITED Day 1.


Hello from San Francisco, home of the 2012 UNITED Summit.

It's been an incredibly full day. I'm writing this quick update from an excellent presentation that nex of Cuckoo Sandbox fame is giving about threat modelling. According to Claudio's research, only 103 of the almost 50,000 odd vulnerabilities in NVD's vulnerability database are actually being exploited in crimeware kits like BlackHole.

Claudio identified MS Office as the most exploited piece of software for targeted attacks, while Java is by far and away the most targeted for mass-malware or "drive-by" attacks. Flash and Java are getting more and more popular due to their cross-platform nature, meaning attackers can achieve broader reach. Still, the takeaway is that the thousands of vulnerabilities that are out there come down to three vendors: Adobe, Oracle, and Microsoft. This can help you to prioritize patching by vendor and product.

My personal (and concerning) takeaway? That attackers are using far more basic and unsophisticated malware options, i.e. no exploits, that are not detected by our current technologies. While it's less common currently, we're going to see social engineering continue to gain ground.

Claudio is doing an excellent job of engaging his audience, as people are adding their opinions and asking questions at every point he makes to further this conversation. He wants us to look at security in a new way: what could possibly happen vs. what is actually likely to happen, and to use that data to make intelligent decisions about how to best secure our networks.

If you're here, and you're following along with these talk tracks, use our hashtag #Unitedsummit to get us your feedback and questions, and to start making those connections that are valuable to us all.

Also, if you're walking around, stop me and say hi. I'd love to get the chance to speak with you in person.

More updates coming soon - so stay tuned here!

-P.

SOC Monkey - Week in Review - 8.20.12


Monkeynauts,

Welcome back to your weekly round up of the best bits from my App that you should be downloading from the Apple App Store.

This week, let's dive right into the most clicked story from last week with an update on how Mat Honan is dealing with life post hack: How I Got My Digital Life Back Again After An Epic Hacking. Honan once again deconstructs the events that led to his digital disaster. The thing I liked best about this article is that Mat is almost apologetic about how fast he was able to resurrect his digital life, due to the fact that he's a technology writer and has contacts deep in the organizations that would have to help him restore his data. If the same thing were to happen to you or me, we'd be looking at a much longer, and potentially more expensive, process. He also goes in-depth about pulling his data off the Macbook Air he was using, and the difficulties and cost of restoring from an SSD drive. Overall, an excellent article that pulls no punches about how intense even a private network's hacking can be.

Next, let's dip into the political realm a bit, and discuss Iran's ongoing discussions about disconnecting from the Internet entirely: Iran threatens to disconnect from the Internet. This brings us back to the story about AC/DC blasting out of speakers in various nuclear facilities, and even mentions Metasploit by name. I can say with assurance that we do not have a "thunderstruck at full volume" exploit written into the product...yet. Still, these attacks, and malware like Flame and Stuxnet, have seemingly pissed off the Iranians enough that they're taking their Internet and going home. The article discusses the political, economic and social costs of cutting the cord to the rest of the world. What do you think? Can a country just pull the plug from the Internet and maintain one of the most well educated populaces in their section of the world? This should be interesting as it continues to escalate.

Speaking of malware, let's look at the top malware story from last week: Mystery malware wreaks havoc on energy sector computers. This lovely piece of work, named Shamoon, is being discussed as a copycat worm in the style of Wiper, but the real concern is the extent of the fallout from the attack itself. Shamoon goes above and beyond to destroy data, and makes sure it can't be recovered, while simultaneously wiping out the system files so the machine can't be turned back on. So far, fewer than 50 systems show this infection - but for those of you out there watching the malware world with a keen eye, this one is one to watch.

Going right back to Ars Technica, a site the Monkeynauts very much love, this article once again circles back to the new "attack the attackers" mentality that's gaining ground in the industry: White hats publish DDoS hijacking manual, turn tables on attackers. Is anyone else stressing out about an attacker with a grudge suddenly rooting around in someone's networks? Look at the high profile hacktivism events of the last year and you can see what a dedicated mind with a cause can do. Imagine that cause is revenge? I'm willing to be wrong on this one, but I don't think offense is the key to a strong defense.

Some other hits of the week:
- Resilient SMSZombie Infects 500,000 Android Users in China | SecurityWeek.Com
- HP Communities - The inevitability of a data breach - The mental hurdle Security Executives must get over.

In my final spot, this article pretty much blew my mind: Harvard cracks DNA storage, crams 700 terabytes of data into a single gram | ExtremeTech. It's officially the future, folks. A one gram, biological, 700TB storage device is unreal to me. It feels like we're living in a William Gibson novel pretty much at all times, doesn't it?

Thanks for stopping by this week, and we'll be putting up the usual hit list at the same time next week.

-SM

SOC Monkey - Week in Review - 8.13.12


Welcome back Monkeynauts,

It's Monday, so that means I'm going to tell you to download my App, from the Apple App Store, before launching into the top stories the Pips found interesting last week. Let's take a look, shall we?

Let's start this week with something that might hit close to home for several of you, including your favorite Monkey twitter aggregate: Blizzard's Battle.net Hacked - Recommends All Users Change Passwords. This was the most retweeted article I saw on Friday, followed directly by Ars Technica's more in depth breakdown: Hackers collect significant account details from Blizzard servers. The fact that the hack exposed not only the passwords, but the personal security questions and answers, is the bit that I'm paying close attention to. Now, for those of you who haven't logged in to your Night Elf Mohawk in the past year, this might not be that dramatic of a breach for you. In any case, Blizzard is recommending that everyone with an account on Battle.net log in and change their passwords. Unlike a great deal of other high profile breaches of late, Blizzard was quick to respond and got information out to the public in a very timely manner, so lots of credit there.

If I wasn't already paranoid enough about my various passwords and security questions, I absolutely was after reading the full aftermath of Mat Honan's epic hack: How Apple and Amazon Security Flaws Led to My Epic Hacking. In a beautifully efficient and brutal attack, Mat's attackers took over his google accounts, deleted all of his gmail, wiped the data on his iPhone, iPad, and Macbook, and then took over his Gizmodo twitter. Granted, my monkey accounts are not nearly as valued as a Wired and Gizmodo writer's, but the moment I finished reading this article I made sure to turn on Google's Two Step Verification. The main take away from this very detailed and startling moment by moment account of a hack? Better passwords wouldn't have helped Mat at all. In fact, the attacker actually gained access into the first account by knowing only two pieces of information - Mat's billing address, and the last four digits of one of his credit card numbers. With this data, Mat's attackers bluffed their way into Apple and Amazon's services, and then were able to get access to every piece of digital data he owned. If you're like me, you'll find yourself setting up backups and security questions this week to avoid the catastrophe following the rare chance that you're next on this list.

Using Amazon as the pivot point, apparently some shipping labels got mixed up in the last few weeks: Man Orders TV Through Amazon, Gets Assault Rifle. Now, really anywhere you fall on the gun rights debate, I think we can all agree that watching the latest season of Game of Thrones on a Sig Sauer rifle instead of the 39" flat screen you ordered is a bit difficult. The article is pretty hilarious, but as shocking as it must be to open a package expecting a television and seeing a gun, opening a package expecting a gun and finding anything other than a gun must involve a cold sweat moment like nothing else. Also, I know Amazon really does have everything, but semi-automatic assault rifles? I think the last thing I bought from them was a thumb drive and a sci-fi novel, so maybe I'm not their target audience.

Back to Wired again for a moment, the always excellent Kim Zetter has a follow up article on the new evolution of the Flame and Stuxnet malware: Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload. Generally, I could just put a link to Wired's excellent Threat Level page and be done with it, as they do a fantastic job week after week, but this requires special mention. This article, about newly uncovered spyware named Gauss, looks to be targeting banks in and around the Middle East. The mystery here is that the payload of the malware is encrypted, and as of yet remains uncracked. We'll be hearing more on this one once the encryption is broken and as more evidence of its appearance starts to show up.

Last two links this week:
- How to Hack NASA's Curiosity Mars Rover | News & Opinion | PCMag.com
- WikiLeaks.org is crippled under a massive DDoS. Is the TrapWire leak to blame? | Naked Security

Usually I end with something lighthearted and funny, but I really can't beat getting an assault rifle in the mail from Amazon, so we'll call it a day here. Have you found an interesting, funny, or thought provoking article that you'd like to share? Send it my way, and we'll see if anyone is making mention of it on my App as well.

Thanks,
-SM
