
Information Security

10 Posts authored by: techeditor

Originally Posted by Didier Godart


Rapid7 is one of the 152 worldwide vendors approved by PCIco (the compliance body) to perform PCI scans of merchants and service providers’ external infrastructures.


To be considered an ASV (Approved Scanning Vendor), a company must pass an annual test consisting of a scan of specific vulnerable infrastructures (Lab) controlled by independent laboratories on behalf of PCIco.


As of mid-April 2011, in addition to the above annual testing PCIco requires that two of the ASV employees get qualified as QAE (Qualified ASV Employee).


This new certification consists of an online training of 7 modules (237 slides) about everything one could ever know about PCI. Candidates have 14 days to take the course and associated test (60 questions).


As usual, Rapid7 took the initiative and immediately registered two candidates.


Today we are proud to be the first of the 152 ASVs out there to have completed this process.


Having our employees qualified is the best way to serve our customers.


Didier Godart

Originally Posted by Didier Godart


What is PCI?

PCI stands for Payment Card Industry, denoting the debit, credit, pre-paid, e-purse, ATM and POS (Point of Sale) terminal and associated businesses.


But PCI specifically refers to the Payment Card Industry Security Standards Council, a council formed by:


  • MasterCard
  • Visa
  • American Express
  • Discover
  • JCB


The PCI Council develops and maintains (so far) 3 standards that work together to protect payment transactions and cardholder data.


  • PCI DSS: (My bible) It covers systems that store, process, or transmit cardholder data and is used by acquirers, issuers, merchants, service providers and us.
  • PCI PA-DSS: it covers payment applications and is used by application developers.
  • PCI PTS: It covers point-of-interaction devices (or POIs) used for PIN entry.


PCI DSS isn't a regulation but a contract


PCI DSS is a contract that starts at payment card brands and is propagated through merchant banks to merchants. It is not a regulation. This contract requires merchants to protect payment card data using security controls, but it also requires organizations to contract for external testing, contractually require service providers to adhere to PCI DSS standards, and conduct audits regularly. These activities all involve IT security, but are by no means the sole responsibility of the security team.



In the next newsletter we will have a look at the payment processing terminology and workflow. In the meantime, if you want to learn more, check out our PCI content on




Didier Godart


Risk Product Manager



Originally Posted by Didier Godart


Hi Everyone,


This is our second PCI 30 sec newsletter.


One cannot move through the PCI ecosystem without a basic understanding of the payment processing terminology and workflow. So let’s have a look behind the scenes.

The payment processing terminology


In a nutshell, the payment transaction could be depicted as follows:


We have cardholders that make payment card purchases from merchants, merchants that send payment transaction data to their acquirers, and acquirers that send payment transaction data through the payment brand network to the issuer.


  • The cardholder is the person that actually has the payment card and uses it to purchase goods or services.
  • The merchants are the organizations accepting payment.
  • The acquirer is the bank the merchant has a contractual relationship with.
  • The issuer is the organization that issued the card to the cardholder.
  • The payment brands are the credit card organizations (Visa, MasterCard, Amex, Discover, JCB).




Visa and MasterCard will never issue cards. Their cards are always issued through a bank (Issuer) or other organization. American Express, Discover, and JCB International issue cards directly. They also acquire those transactions.

The payment processing workflow


It encompasses the following operations:


  1. Authorization
  2. Clearing
  3. Settlement


Authorization: At the time of purchase, the merchant requests and receives authorization from the issuer to allow the purchase to be conducted, and an authorization code is provided.


The process includes:


  1. The cardholder swipes or dips card at the merchant location.
  2. The merchant’s bank (or acquirer) asks the processor to determine the cardholder’s bank (or issuer).
  3. The processing network determines the cardholder’s bank and requests approval for purchase.
  4. The cardholder’s bank approves the purchase.
  5. The processor sends approval to merchant’s bank.
  6. The merchant’s bank sends approval to the merchant.
  7. The cardholder completes the purchase and receives a receipt.


Clearing: In the Clearing process, the acquirer and issuer need to exchange purchase information to complete the transaction. The process includes:


  1. The merchant’s bank sends purchase information to the processor network.
  2. The processor sends purchase information to the cardholder’s bank, which prepares data for the cardholder’s statement.
  3. The processor provides complete reconciliation to the merchant’s bank.


Settlement: The merchant’s bank pays the merchant for the cardholder purchase and the cardholder’s bank bills the cardholder. This process includes:


  1. Cardholder’s bank (Issuer) sends payment to the processor.
  2. The processor’s settlement bank sends payment to the merchant’s bank (Acquirer).
  3. Merchant’s bank pays the merchant for cardholder’s purchase.
  4. Cardholder’s bank bills the cardholder.


That’s all for today folks.




Didier Godart
Risk Product Manager
Moderator PCI ASV voice on LinkedIn


May Patch Tuesday

Posted by techeditor May 12, 2011

Originally Posted by Jen Ellis



So yesterday was Patch Tuesday, and following a mammoth April, it was a pretty quiet one, with only 2 vulnerabilities reported, and only one of those given the most severe rating of “critical”. That said, of course any vulnerability reported should be investigated and understood, and particularly those rated critical.


This month the critical vulnerability is MS11-035, which states that a “vulnerability in WINS could allow remote code execution”. Microsoft is reassuring customers that “By default, WINS is not installed on any affected operating system.” Fair enough, good to know, but you shouldn’t overlook the fact that many third-party applications use WINS, especially legacy applications. And yes, it’s true that since Windows Server 2003, WINS has been optional, but in fact many people find that it breaks other things when disabled. As a result, WINS is widely deployed in both government and commercial networks. If this is you, the bottom line is that you need to test and deploy this update as soon as possible.

That’s all from us for this Patch Tuesday, but as usual, if you have questions or stories to share, please post them in the comments sections.

Originally Posted by Didier Godart


Hello everyone from Belgium (the chip, beer and chocolate place, but also the place without a government for a year now).


I thought it could be useful if I distributed this newsletter on a regular basis. I called it “The PCI 30 sec newsletter” because it should not take you more than 30 sec to digest.


Didier Godart

Originally Posted by Jen Ellis



Recently we’ve really been feeling the love from the good people at the Boston Business Journal (BBJ), and I wanted to take a moment to share this love and say a big thank you.


It started a couple of weeks ago when the BBJ published this article on its Pacesetters for 2011, positioning Rapid7 as the 5th fastest growing private company in the region overall, and fastest growing in the software category. We’re pretty proud of our growth and recently announced that we’ve had eight consecutive quarters of record revenue. Whoop whoop! We’re very happy to see our hard work paying off and it’s lovely that the BBJ has recognized that!


Our current success is not just down to hard work though: we have great leadership in the form of our CEO Mike Tuchen, who recently reached the semi-finals of the Ernst & Young Entrepreneur of the Year New England Program. Fingers crossed for Mike when the finalists are announced later this year.


Under the leadership of Mike and his team, not only has Rapid7 gone from strength to strength financially, it’s also a great place to work: very high energy and fun.  The old “work hard, play hard” adage is liberally applied at Rapid7 and it seems to work for us as we’ve just had more love from the BBJ, this time as one of the best places to work in Massachusetts.

The list recognizes the top 75 places to work in the region, split into 3 equal categories of small, medium and large businesses and evaluated through employee satisfaction surveys. Rapid7 was recognized in the “small company” category. This is probably partly because we regularly get our people out having fun together and make sure we always celebrate each other’s successes together as a family. Our kickball and softball teams, Thursday Night Out gatherings and our famous company-wide annual boat cruise are all part of the Rapid7 DNA. We also feel strongly about giving back, with many of the Rapid7 employees involved in company-sponsored charity events.


We’d also really like to congratulate all our neighbor, partner and customer companies also featured in the lists.  It’s very heartening that there are so many great places to work and so many satisfied employees in and around Boston!  If you think your company is a great place to work, why not tell us all about it in the comments section.


If you’re interested in becoming one of those “satisfied” employees, I have great news for you… Rapid7 is hiring! If you think you reflect our core values of trust, respect, integrity, honesty and innovation with a constant desire to help our clients meet their daily challenges, visit for information on all the positions currently open.

Originally Posted by HD Moore


Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express!


Existing customers can apply the latest software update to automatically upgrade to version 3.7 or download the latest installer from For information about the Open Source Metasploit Framework, please see this blog post.


Metasploit Pro and Metasploit Express users will notice an immediate improvement in product response time. Customers with large enterprise networks will be happy to note that the commercial product can easily scale to thousands of hosts within a single project. The Data Import backend has undergone a rewrite, speeding up most import tasks by a factor of four. Metasploit Pro users will note that shell sessions can now be accessed by multiple users at a time. This allows an entire team to collaborate on the post-exploitation process and can be used as a training aid for junior analysts.


In addition to the scalability and performance improvements in this release, the Metasploit team (Rapid7 and Community) added 67 new modules, consisting of 35 exploits, 17 post-exploitation modules, and 15 auxiliary modules. This release adds full support for SMB Signing (courtesy Alexandre Maloteaux), which allows for exploitation of Windows systems that enforce a mandatory-signing policy (2008 Server). The MySQL and PostgreSQL databases will now yield sessions when a password is successfully cracked or replayed with Bruteforce. The Microsoft SQL Server modules now support NTLM authentication. Please see the Release Notes for a complete list of changes.


The screen shots below showcase some of the improvements in this release.




Advice for Sony PSN users

Posted by techeditor Apr 28, 2011

Originally Posted by Jen Ellis


Unless you’ve been living in a cave during the past week, you will likely have heard that Sony’s PlayStation Network (PSN) was breached last week. The much-reported immediate impact for PSN users has been that the network has been unavailable for use since April 21st 2011.


It seems likely though that there will be a greater impact for some users as Sony has confirmed that hackers have stolen user data. Although Sony maintains that payment card information was encrypted and kept safe, rumors have been spreading on the Internet that some PSN users have coincidentally been the victim of credit card fraud.


Whether this is due to the breach or just a trick of timing, it does seem certain the PSN attackers will try to use the stolen information in ways that will further harm the victims. As such, we recommend that users take the following steps to protect their identity:


  1. Think hard about where you’ve used the same usernames, email addresses, and passwords that you’ve used for your PSN accounts, then change all passwords. The obvious password re-use cases will be email, PayPal, Facebook, and Twitter accounts. Having your email compromised could lead to more information leakage and allow the attackers to reset other website passwords. If possible, don’t give your new information to PSN anytime soon. The breach was relatively recent and it may take a while to fix the root cause of the breach.
  2. Companies should be cautious and warn employees against password re-use, because some people use corporate email accounts with the same passwords everywhere. Encourage users that may have made this mistake to change their passwords immediately.
  3. If you are worried about the rumors that payment card information was revealed, it would be wise to cancel any payment cards that were stored to PSN accounts and get new cards issued.

Originally Posted by Jen Ellis


LOTS of patches from Microsoft this week...

This week’s Patch Tuesday was pretty significant, with a record-tying 17 bulletins that patch a record 64 vulnerabilities, 15 more than the previous largest-ever set in October 2010. As usual, the Rapid7 team was all over it, monitoring the threat and trying to help out where possible.


This month’s bulletin addresses vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI+. There are several critical security flaws, so prioritizing remediation efforts will be very important for all system administrators this month.


MS11-020 looks like the most severe flaw, with an exploit scenario similar to MS08-067 (server service, pre-authentication). It should be at the top of most organizations’ list for remediation since it is based on a common server (SMB), is rated “exploit-likely” by Microsoft, and does not require user authentication. This bulletin includes one transaction parsing vulnerability. This requires an attacker to send a maliciously crafted SMB packet to a vulnerable system, including Windows XP SP3 through Windows 7.


MS11-018 should be a high priority for most organizations as there are currently two vulnerabilities associated with this bulletin being exploited in the wild. Both of these are memory corruption vulnerabilities requiring client interaction, which does raise the bar on the attacks as they will need to set up a malicious website and perform a drive-by malware-based attack.


MS11-030 uses UDP/TCP port 5355, a service that many folks don’t specifically firewall today. This may be trivially exploitable, but more work still needs to be done to verify this. Another interesting thing to note for MS11-030 (Vulnerability in DNS Resolution) is that it would only allow elevation of privileges on Windows XP SP3 and 2003, but would allow remote code execution on Windows Vista, 2008 and 7. This means that anyone that has deployed newer versions of Windows should make sure they carefully review this bulletin.


Our advice on this was picked up by a number of people covering Patch Tuesday and you can see more on their take at the following links:






If you have a Patch Tuesday story or some tips to share, post it in our comments section…

Originally Posted by Chris Kirsch


Today, we relaunched the site. We hope you’ll find it as awesome as we do. The new site not only has updated looks, we’ve also rewritten much of its content and put it on a shiny new server to make it faster.


We mainly focused on three aspects: learn, download & contribute:


Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would find it easy to learn about penetration testing and take their first steps with the Metasploit Framework. Since the Metasploit Framework is supported by the community, the website often points users to valuable resources on the Web – created by you! We also provided better information on how to get support for the Metasploit Framework. We’ll do more in the coming weeks to provide even more help – stay tuned.


Download – Not surprisingly, most people come to the Metasploit website to download the Metasploit Framework – that’s over a million downloads each year. We made sure the downloads are now even easier to find and that you won’t have any trouble understanding the different types of installers available to you. We also listed other related software on the site, such as the free vulnerability scanner NeXpose Community Edition and the free web application scanner w3af, as well as the commercial Metasploit Editions.


Contribute – The Metasploit Project has a huge following. We reorganized the site to make things easier to find, so you may now find resources you didn’t know existed. We took a hard look at the old site and think that we’ve ported every important piece of information. In case we missed something, or if you would like us to add something to the page, please let us know by sending an email to


We have also given Metasploit a new logo. It brings together the offensive and defensive nature of the Metasploit Project. If you look closely, you’ll not only see the blue shield but also the M-shaped helmet inside the shield; the blade-like look of the shield and the aggressive face-like features of the “M” represent a natural evolution of the “hacker face” that has been such a visual centerpiece of Metasploit over the years.


Let us know how you like the new site on Twitter, using the hash tag #metasploit or directing your feedback at @metasploit or @rapid7 – check out the new Metasploit website now!
