Announcements

• We've moved our video site! Due to some problems with Blip, all of our videos can now be found on YouTube in Tenable Security's Video Channel (http://www.youtube.com/tenablesecurity).
• New video has been released that shows the new Nessus 4.2 client and web interface. You can view the video in high definition on our You Tube channel.
• Great post by Marcus Ranum on Logs - Logs Of Our Fathers
• We are looking for feedback on the new Nessus client version 4.2, so head on over to our Nessus discussion forums and let us know what you think!
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: Ron Gula - IANS Case Studies, Hacker Halted, and Nessus 4.2

• Ron you participated in two IANS case stuides about PCI and HIPPA compliance. What were these case studies and what did people learn about them?
• How was Hacker Halted and what did you speak on? We will use this talk also for Dojocon so we hope to see you there.
• Ron, tell us about Nessus 4.2 and future Security Center 4.0.

Stories

• Great article on how we need to authenticate the user AND the transaction
• What Star Trek Predicts About The Future of Information Security
• Reading Other People's Email
• Open Source Vulnerability Disclosure - FreeBSD NTP Remote Buffer Overflow
• Nessus Network Check For NTP
• Nessus Local Checks For All Major Distributions, including FreeBSD

Tenable Events

• Paul Asadoorian and others from Tenable Network Security will be attending Cyber Dawn Cyber Exercise on October 3-4, 2009
• Paul Asadoorian will be speaking at the Louisville Infosec conference on web application security on October 7, 2009

Announcements

We've moved our video site! Due to some problems with Blip, all of our videos can now be found on YouTube in Tenable Security's Video Channel (http://www.youtube.com/tenablesecurity).
• New whitepaper titled "Web Application Scanning with Nessus" has been released and covers some of the updated features added to Nessus in support of web application testing..
• Nessus 4.0.2 has been released, featuring support for Windows 7 and Snow Leopard.
• As always be sure to check out our blog at http://blog.tenablesecurity.com
• A new presentation has been posted to the Tenable Web Site. It is titled "Bob's Great Adventure: Attacking and Defending Web Applications" by Paul Asadoorian"

Interview: Ross Barrett: Technology smorgasbord

• What are some of the major features gained in SNMPv3?
• Why is it important to secure SNMP in your environment?
• What changes have you made in Nessus to better support SNMPv3?
• Tell me about some of the changes to Windows file monitoring added to Nessus configuration auditing.
• Along those lines, tell us about power managment auditing.
• What benefits do organizations gain by auditing power management?

Stories For This Week

• PC Infections Are Found To Be Long Term
• Malware Authors Moving To Open Source
• SANS Top Cyber Risks Published
• Great Post On Zues Bot - "The nasty thing about Zeus/Zbot is that it evolves. The latest generation bot uses rootkit techniques to hide its presence on a customer machine. The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds."

Tenable Events

• Ron Gula will be speaking at the Hacker Halted conference in Miami on September 23, 2009
• Paul Asadoorian and others from Tenable Network Security will be attending Cyber Dawn Cyber Exercise on October 3-4, 2009
• Paul Asadoorian will be speaking at the Louisville Infosec conference on web application security on October 7, 2009

Announcements

• New whitepaper on web application testing is being released next week.
• Correction on The Tenable appliance it does support Security Center, with future support for PVS and LCE Hardware appliance has been announced as well
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: Brian Martin: The Dos and Don'ts of Web Application Testing

• What makes web application testing so challenging?
• What are some common mistakes that people make when trying to test a web application?
• If you are an organization with over 50 different web applications, how should you approach testing for and remediating vulnerabilities?
• Which web application vulnerabilities are the most elusive and why?
• What are some of the real dangers with vulnerabilities like XSS and CSRF and why do you think people don't pay too much attention to them?
• If you are to tackle doing an security assessment on a web application, where is the best place to start and what tools/resources do your recommend?

Stories

• RBS WordPay hacked, full database access
• Microsoft warns of SMB vulnerability in Windows Server 2008 and Vista
• Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Vulnerability (uncredentialed check)
• Wordpress Worm Being Used to Profit

Tenable Events

• Ron Gula will be speaking at the Hacker Halted conference in Miami on September 23, 2009
• Paul Asadoorian and others from Tenable Network Security will be attending Cyber Dawn Cyber Exercise on October 3-4, 2009
• Paul Asadoorian will be speaking at the Louisville Infosec conference on web application security on October 7, 2009

Announcements

• New videos on finding Rogue access points and discovering the latest IIS 5 FTP vulnerability uploaded http://tenablesecurity.blip.tv
• The Tenable appliance was announced, featuring immediate support for Nessus & Security Center, and future support for PVS and LCE
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: Marcus Ranum on Zero Day Exploits: Defending Your Network

• If you are speaking to the security professionals responsible for network security, what can you tell them about "0day" exploits that is helpful?
• Does the media over-hype so-called "0Day" exploits?
• Why is that remote exploits garner so much attention, I mean XSS vulnerabilities are found everyday and no one seems to notice, yet find a juicy exploit in a commonly exposed network service and everyone goes bonkers?
• Many people are asking, "Who still uses FTP?". This is a common theme that I see even today, large organizations with mature security architecture using clear-text protocols such as Telnet, FTP, and TFTP, why? What can they do to expedite the usage of secure protocols, or does this even matter?
• What is missing from most organization's security architecture, in your opinion, that would work to thwart "0day" or even the most common exploits?
• How do economics work against us when it comes to 0day exploits? For example, there are companies that will hold on to, and sell, "0day" exploits, and there are others that will buy "0day" exploits and work with the vendors to fix them.

We also interview Dan Philpott from FISMApedia!

Stories

• New Version of the popular Subseven trojan released
• Microsoft Warns Of IIS FTp Flaw - Offers workarounds and cookies (okay, just workarounds)
• Upgraded to Snow Leopard? Time to upgrade Adobe Flash too!

Tenable Events

• Ron Gula will be speaking at the Hacker Halted conference in Miami on September 23, 2009
• Marcus Ranum is speaking at Forrester's Security Forum on September 10, 2009
• Paul Asadoorian and others from Tenable Network Security will be attending Cyber Dawn Cyber Exercise on October 3-4, 2009

Announcements

• New video site! http://tenablesecurity.blip.tv
• The academy pro posted a new video on load balancing multiple Nessus servers
• Be sure to check out our blog at http://blog.tenablesecurity.com

Interview: Ron Gula on PCI DSS compliance

• Who needs to be concerned with PCI compliance?
• What is the value of the PCI compliance standards? Does PCI compliance mean you are "secure"?
• What are your thoughts on the new information supplement Skimming Prevention: Best Practices for Merchants?
• The PCI council also recently released the Wireless Guidelines document. What threat does wireless pose and how can Tenable products help?
• Does adhering to the compliance standards really improve security? Are there statistics available to support this?
• Who should be in charge of compliance in the organization? Internal Audit? Security? IT?
• How can Tenable products further assist with PCI compliance?

Stories

• Infiltrating a Botnet
• Botnet Found Using Twitter As C&C
• Cloud Security Debate Continues - "Virtual Private Cloud"
• VMware ESX Local Security Checks

Tenable Events

• Ron Gula will be speaking at the Hacker Halted conference in Miami on September 23, 2009
• Marcus Ranum is speaking at Forrester's Security Forum on September 10, 2009
• Paul Asadoorian and others from Tenable Network Security will be attending Cyber Dawn Cyber Exercise on October 3-4, 2009

Announcements

• New blog post going up today on the experiences at Cyberdawn, a cyber exercise that puts hackers against defenders in a realistic environment.
• Attention Security Center customers! A new version is due to be released soon, 3.4.5 will include improvements such as web application scanning support.
• We are looking for feedback on the new Nessus client version 4.2, so head on over to our Nessus discussion forums and let us know what you think!
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: John Lampe - Passive Vulnerability Scanning

• What is your background and how did you get starting in information security ?
• What is the primary product you work on here at Tenable?
• What does PVS do? Can you also give us some of the history behind it?
• How are the plugins structured? Are the easy to write? Can the end user look at the code? How are they updated?
• What is coming down the road for PVS?
• How does PVS differ from Snort?
• What kinds of client side vulnerabilities can be detected?
• How does PVS handle high speed networks?
• Can PVS detect vulnerabilities in web applications?
• What are some of the more interesting vulnerabilities that PVS can detect?

Interview: Tim Rosenburg - White Wolf Security

Tim joins us to talk about cyber exercises, what they are, how they are structured, and what the participants learn in these events.

Tenable Events

• Paul Asadoorian will be speaking at the Louisville Infosec conference on web application security on October 7, 2009
• Oct 15 - Ron Gula will be participating at the 2009 San Francisco CISO Executive Summit
• October 26-27 - Tenable will be at the Techno Forensics conference in githersburg, MD
• October 26-30 - 5th Annual IT Security Automation Conference in Baltimore, MD
• November 6-7 Dojocon

Announcements

• New blog post going up today on the experiences at Cyberdawn, a cyber exercise that puts hackers against defenders in a realistic environment.
• Attention Security Center customers! A new version of Security Center, 3.4.5, has been released and is available for download in the customer support portal (Security Center customers can find the release notes the discussion portal). It includes such improvements as web application scanning support.
• Paul Asadoorian was interviewed on Securabit Episode 40 and discusses all things Nessus and some of the features in our enterprise products such as Security Center and the Passive Vulnerability Scanner (PVS)
• Paul Asadoorian spoke at the Louisville Infosec conference on web application security on October 7, 2009
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: John Bos - Cybrex, LLC

John Bos joins us to talk about his 10 years of experience with the Defcon CTF and his team "sk3wl0fr00t".

Stories

• Critical Flaw In Adobe Reader (0Day) - Adobe continues to present exploitable vulnerabilities on the client.
• The Importance Of Vulnerability Management - This article references a whitepaper from Dark Reading Room on vulnerability management. It should be clear that Tenable's Nessus vulnerability scanner contains more functionality than remotely assessing vulnerabilities and "exploiting" them. You can also use Nessus to perform patch and configuration audits, as outlined in the blog post "Top 3 Things You Should Know About Nessus"
• Lessons Learned: Vulnerability and Expectations Management - This is a great story, okay maybe not great if you are using a certain Anti-Virus vendors products, on how Nessus helped someone determine that patched systems were indeed still vulnerable.
• Updated FDCC Policies Available - If you are using Nessus, or working to ensure FDCC compliance in your organization, please note there are new policies available based on recent changes to the FDCC standards.

Tenable Events

• Oct 15 - Ron Gula will be participating at the 2009 San Francisco CISO Executive Summit
• October 26-27 - Tenable will be at the Techno Forensics conference in githersburg, MD
• October 26-30 - 5th Annual IT Security Automation Conference in Baltimore, MD
• November 6-7 Dojocon

Download Tenable Network Security Podcast Episode7

Announcements

• New blog post Microsoft "Patch Tuesday" - The Aftermath
• Tenable Appliance 1.0.3 is the latest appliance release. It supports VMware ESX versions 3.5 and older, vSphere/etc. 4.0 versions, and VMware Player, Server, Workstation and Fusion.
• An article on our blog went up about Louisville Infosec conference

Interview: Casey W. O'Brien - Community College of Baltimore County

Casey O'Brien, Co-Director of the Cyberwatch Center

Casey O-Brien is an Associate Professor in the Network Technology Department at the Community College of Baltimore County (CCBC). I am also a Co-Director of the CyberWATCH Center, a consortium of colleges/universities, government agencies, and businesses committed to improving the quantity and quality of the information security workforce in the Baltimore/Washington D.C. metropolitan area.

Stories

• Mozilla Blocks Microsoft Add-Ons to thwart security risks
• Oracle Releases 38 Patches - On top of the Microsoft and Adobe patches released last week, Oracle released another round. Interestingly enough, attackers are working on developing better tools to assess the security of databases. Metasploit contributors are releasing code for Oracle and MSSQL.
• SecTor Presentations Posted - Some great presentations, including videos.
• A video detailing the Louisville Infosec 2009 Capture The Flag Event

Tenable Events

• October 26-27 - Tenable will be at the Techno Forensics conference in githersburg, MD
• October 26-30 - 5th Annual IT Security Automation Conference in Baltimore, MD
• November 6-7 Dojocon

Download Tenable Network Security Podcast Episode 8

Announcements

• New blog post & video "Using Nessus To Audit Microsoft Patches"
• Tenable placed 270th on the Deloitte Fast 500 2009 list, Nessus was awarded a Silver "Reader's Choice" award from Information Security Magazine, and another "Reader's Choice" award from WindowsSecurity.com
• We're hiring! - Visit the web site for more information about open positions
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Andrew Hay

Andrew Hay

Andrew Hay is a Canadian security professional, author, and speaker living in Lethbridge, Alberta, Canada. In this interview we talk about securing university environment, SecTor, and much more!

Stories

• Ron Gula and I have a chat about the recent Rapid 7 Acquisition of Metasploit.
• Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices - Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack.
• Time Warner cable modem/router major security hole - 65,000 devices were found to be vulnerable to a vulnerability that allows remote management. Not only that, the devices were configured to use WEP to "protect" the wireless network.
• Scanning Embedded Systems In The Enterprise With Nessus - See our article on the topic of embedded device security and how you can use Nessus to audit the security of these devices.
• "Evil Maid" Attacks on Encrypted Hard Drives - Excellent article summarizing some of the attacks that could allow attackers to unlock your encrypted hard drive.
• Whitehouse Drupal and The Open Source Security Model - Great article by RSnake who makes a point about open source software, you can pen test it all day long without sending any packets to your target organization.

Tenable Events

• October 26-27 - Tenable will be at the Techno Forensics conference in githersburg, MD
• October 26-30 - 5th Annual IT Security Automation Conference in Baltimore, MD
• November 6-7 Dojocon

>Download Tenable Network Security Podcast Episode 9

Announcements

• New blog post "Defeating Zombies: Five Ways To Improve Defenses"
• Tenable placed 270th on the Deloitte Fast 500 2009 list, Nessus was awarded a Silver "Reader's Choice" award from Information Security Magazine, and another "Reader's Choice" award from WindowsSecurity.com
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Jason Holcomb - SCADA Security

Jason Holcomb - Digital Bond

Jason Holcomb is a key contributor to Digital Bond's control system security research and consulting practice with a lead role in asset owner security assessment services. He is also the technical lead for Bandolier, a Digital Bond research project for the US Department of Energy. In this role, he is working with vendors and asset owners to identify optimal security configurations for control system applications. As a result of Mr. Holcomb's work with Bandolier, thousands of security settings buried in the applications and operating systems are now--for the first time ever--catalogued and measurable using the Bandolier security audit files.

Stories

• Better Security For All - This is an interesting account of a security professionals journey to getting all of the machines in the Windows domain to adhere to an logout timer setting. They queried the machines on the network and found that 70% of their users had disabled the logout timer all together. However, they found that 1500 machines had been changed such that they would log out after 10 minutes, when the policy was going into effect that would change it to 15 minutes for all computers, and not give the end user the option to change it. You should be considering applying this policy in your domain as well, even if the other peers in your industry are not. I've always been skeptical when a manager asks me, "well, what is everyone else doing?". It goes back to my credo that you need to be in charge of risk management and security in your environment and make sure it reflects your bottom line, not someone else's.
• Windows 7 Forensics - Great post from Rob Lee over at the SANS Institute that covers some of the changes in Windows 7 and how they effect forensics, and specifically the browser configuration/history, and roaming profiles.
• Auditing Approved Services with Nessus Policy Compliance and WMI - A great post from Jason (interviewed on this episode!) on how to use Nessus audit files to be certain that only approved services are running (He uses WMI, go Jason!).
• Don't Be The Smelly Kid - This is a great little post that compares security to good hygiene, as in something you are never completely done with, but that has to be done on a regular basis. So don't be the smelly kid!
• Nessus Plugin For Firefox Released - Vulnerabilities in the browser can be deadly as malicious code can hide on just about any web page, its important to update your browser and query your environment to be certain all your users are up-to-date as well. Nessus plugin 42306 will check that Firefox is on the latest, 3.5.4, version.

Tenable Events

• 2009 OWASP Application Security Conference in Washington, DC at the Walter E. Washington Convention Center on November 10-13th, 2009
• October 26-30 - 5th Annual IT Security Automation Conference in Baltimore, MD
• November 6-7 Dojocon

Download Tenable Network Security Podcast Episode 10

Announcements

• Two New Videos Released Tenable Appliance Installation & Configuration and Web App Scanning With Credentials Using Nessus
• Windows 7 Audit Files have been released! Nessus ProfessionalFeed and Security Center customers can download them from the customer support portal.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Watch recorded versions of Ron Gula's Keynote and Marcus Ranum's "The State Of Information Security" Keynote from Dojocon!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Nicky Jones - Tenable Network Security

Out feature interview this week will focus on Tenable Network Securities open positions and information about coming to work for Tenable. Nicky Jones is the hiring and recruiting specialist and joins us to tell us all about the available job openings and a little about what its like to work at Tenable. If you are in the job market or looking to advance your career this is not to be missed!

Stories

• Major Flaw in SSL Released - Protocol Updated - This recent flaw could be used to perform MITM attacks against not only HTTPS, but other protocols as well such as IMAPS/POPS and some are speculating SSL VPNs could also be affected.
• iPhone Worm Spreads via default password - Rick Ashtley Wallpaper Results - Default passwords strike again! If you have a jail broken iPhone and install the SSH application, and leave the default password ("alpine"), this work infects your phone and changes your iPhone lock wallpaper to a picture of the 1980's "pop star" Rick Astley. Could this be a sign of things to come? It would have been really slick of your ring tone also changed to the popular rick roll song that will remain nameless :)
• OffSec Web Site Compromised - Lessons Learned - No matter how much you think you have security down to a science, someone always has a chance to break in. There are a lot of lessons to learn here, such as the propper way to disclose that you have been hacked. The OffSec guys came right out and said it, "yup, we got hacked, here's how they did it, and here's how long they went undetected, and here's what we're doing about it". Props to them for disclosing it. I also really like there slogan: "Just because you are paranoid, it doesn’t mean they are not out to get you" These are some words to live by.
• Patch Tuesday - Heads Up! - As many of you know, I'm not the biggest fan of the "Patch Tuesday" scheduling and culture. For more information about my views on this subject you can read my guest post on the FUDSEC blog titled "Why Microsoft Patch Tuesday Is...". However, it is nice to get a heads up when patches are going to be released and which technologies will be patched. It could also give the bad guys a place to start looking, so why not release the patches to the masses and let the enterprise customers develop their own patch strategy?

Tenable Events

• 2009 OWASP Application Security Conference in Washington, DC at the Walter E. Washington Convention Center on November 10-13th, 2009

Download Tenable Network Security Podcast Episode 11

Announcements

• A new blog post has been released that covers my experiences scanning Windows 7 with the latest version of Nessus 4.2 (yet to be released).
• Tenable in the news: Marcus Ranum Presents "Internet Nails" at TED, A Review of Nessus published by SC Magazine "Everyone needs a good network vulnerability scanner " was published
• Marcus Ranum was named one of the "industry pioneers" in a recent SC Magazine article, and Ron Gula was named in an article about market entrepreneurs also published by SC Magazine
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Marcus Carey - Dojocon/Dojosec

Marcus J. Carey supporting good causes like Hackers For Charity.

Marcus is the Director of Innovation at Saecur, an Information Assurance Architect, Inventor, Knowledge Transfer Expert, Mentor, and Speaker. He has created a monthly security briefing program called "Dojosec", and just recently launched the first yearly security conference to accompany the monthly briefings called "Dojocon".

Stories

• Spammer How-To Guide Leaked! - Cyber criminals made an "oops" that allowed users to download manuals containing instructions on how to conduct spamming attacks. The information included "how they use SEO optimization to achieve top rankings on search engines, and how they trick CAPTCHA. You can learn how to use Xrumer and Hrefer, two ideal spamming tools."
• The "Responsible Disclosure" Debate Continues - While the debate rages on between security researchers and vendors about what "Responsible" really means in this context, the fact remains that vulnerabilities are discovered, reported, and not patched. If you don't believe me, check out the ZDI initiatives pages of "upcoming advisories". It lists the vulnerabilities that have been reported, which vendor is responsible for the software, and how long it is taking to patch.
• Microsoft Issues Advisory on Windows 7 Security Bug - A new bug in the SMB protocol has been uncovered by security researcher Laurent Gaffie. Proof of concept code has been posted and is known to cause a denial of service condition on Windows 7 systems. Microsoft has released an advisory and is working on a patch.
• Good Social Engineering Article to Share With End Users - While attackers and penetration testers will use social engineering to break into your networks and access sensitive information, its important for end users to be educated about these attacks. In the same way you raise awareness surrounding email phishing scams or the latest malware, its important to raise awareness about social engineering. The examples in this article are well done, including this little story which highlights how "angry people" can slip past your defenses: "A good real world example of this is my buddy wanted to sneak some alcohol into an amusement park. The park has a guard station to check the bags and a wand to detect metal. My buddy started up a heated fight with his wife before they walked up and the guards just waved them by the checkpoint without checking or wanding them!"

Tenable Events

• 2009 OWASP Application Security Conference in Washington, DC at the Walter E. Washington Convention Center on November 10-13th, 2009
- Quote from our very own CEO: "I had a good time showing SC 3, SC 4 and Nessus 4.2 to folks at the OWASP conference last week. I really feel the combination of web app auditing with Nessus, web log monitoring with LCE and things like process accounting and MD5 checksum analysis of logs was much more than folks were expecting from Tenable at the show."

Download Tenable Network Security Podcast Episode 12

Download Tenable Network Security Podcast Episode 12

Announcements

• A new video has been released that covers how to use Nessus 4.2, the latest version of Tenable's Nessus vulnerability scanner.
• Tenable Network Security's CEO, Ron Gula, is featured in SC Magazine as one the entrepreneurial visionaries who have launched successful IT security companies in the last 20 years.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!
• Tenable is pleased to announce the release of the Log Correlation Engine version 3.4. This release has many new enhancements and features, plus some new functionality such as IDS correlation from various sources and new options in the LCE clients to monitor file integrity. For more information on new features in this release, please see the LCE 3.4 Release Notes. Tenable CEO Ron Gula and I had a chat about the features in this new release.

Interview: Marcus Ranum - CSO, Tenable Network Security

Marcus Ranum hacking up computers and challenging us to think differently about security..

Marcus Ranum always brings fresh and new ideas to the table (even if they are old and crusty, he manages to bring them back to life). In this interview we talk about how to sell security to upper management, the origin of the term "script kiddie", and how one nail can be the downfall of the Internet.

Stories

• New 0Day Flaw in Internet Explorer - A zero day exploit has ben released for IE versions 6 and 7 and is reported to run on Windows XP SP3 systems. According to the article, "If the software does pop up in online attacks, it will put pressure on Microsoft to rush out an emergency patch, ahead of its regularly scheduled Dec. 8 security update. ". I don't think that waiting until attackers are using the this exploit so heavily that it starts to show up on our radar screens in the best approach. For home or personal users of IE, they need the patch right away as attackers are likely already using it.
• Firms fail to secure mobile, cloud data, teamwork fail - A recent study highlights some of my own experiences working in IT and computer security. First, they found that companies are unwilling to provide IT the appropriate resources to security mobile computing. Everyone gets an iPhone! That sounds great, but what happens when company data is leaking like a faucet from them? Furthermore, if this happened, how would you know? This quote is classic: ""The (survey) provides still more evidence that companies are racing to adopt new technologies faster than they can understand their impacts on data security and develop effective use and integration policies," Larry Ponemon, chairman and founder of the Ponemon Institute. Ah so true, we tend to be users and consumers of technology, but ignore the risk factors in favor of the "cool" factor. The next point is scary: "The separation between security and operation also caused problems for network defenders. The information-security groups in nearly a third of companies fail to collaborate with their operational counterparts, the survey found."I've worked with network teams, with varying degrees of success, however I never underestimated the importance. You have to work with the IT department in your organization, they are your friends and you need to be there friends. Take them out for drinks, buy donuts on Fridays, whatever you need to do, the folks in IT are a huge part of your organization's security strategy.
• New Plugin: 42862 PHP < 5.3.1 Multiple Vulnerabilities - A new plugin has been released to detect older versions of PHP. The new software released fixes several bugs and vulnerabilities, including safe mode and "open_basedir bypasses.

Download Tenable Network Security Podcast Episode 13

Announcements

Correction: Nessus 4.2 supports Suse 10 Enterprise.

• Nessus 4.2 is released! - Brand new web interface, performance and reporting improvements, and wider platform support. Listen in for the exclusive details!
• A new video has been released that covers how to use Nessus 4.2, the latest version of Tenable's Nessus vulnerability scanner.
• Tenable Network Security's CEO, Ron Gula, is featured in SC Magazine as one the entrepreneurial visionaries who have launched successful IT security companies in the last 20 years.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Download version 4.2 of the popular Nessus vulnerability scanner, featuring an all new web interface!

Stories

• Smart vs Stupid: But Not Why You Think So! - I really like this post because it is so matter of fact and to the point. Anton lists out defensive measures and risk mitigations that work, and ones that don't. He puts them in two columns called "Smart" and "Stupid". For example monitoring for attacks is smart, but saying, "Nobody wants to hack us", is well, not so smart.
• Don't Be Afraid To Use A Cheat Sheet - Along the lines of being prepared (and knowing that someday a compromise will occur on your network) having a cheat sheet is a life saver. When an incident occurs, it can be a stressful environment. Management is pressing to find out what happened, systems administrators are pushing to get systems back on line, and you are left wondering just how many systems were compromised, and more importantly how. Having a cheat sheet helps you keep a cool head and not struggle to remember commands or use incorrect syntax, which can greatly reduce the precious response time.
• New Plugin: SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection - Remember that nasty SSL bug that allows for MiTM attacks? Nessus now has a plugin to detect this condition on certain systems. This is a remote check that can identify systems that may be vulnerable to this attack. More details and references are listed in the plugin output.
• New Plugin: HTTP Cookie Import - This is a really nice feature to have when doing web application testing. Some applications will use cookies for various features, and trying to audit them without setting the values can be challenging, if not a futile effort entirely. Now you can use Nessus to import the application's cookies and then perform the vulnerability testing. Cookies can provide authentication information and other parameters that need to be present for the application to function properly. In order to retrieve an application's cookies you can use the Firefox extension called Export Cookies.

Download Tenable Network Security Podcast Episode 14

Announcements

• Nessus 4.2 is released! - The release is going really well, and feedback has been positive. Renaud will join us for this episode to fill us in on some more of the details.
• A new blog post has been released titled, "Movable Type mt-check.cgi Information Disclosure" and covers a pretty serious remote information disclosure vulnerability in Movable Type.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Renaud Deraison, creator of the Nessus vulnerability scanner, joins us to talk about the changes in Nessus 4.2.

Stories

• RFIDIOt 1.0a Released - RFID technologies are in wide spread use in many different organizations and for many different applications. Everything from inventory control to physical security access (hotels mostly) utilize RFID. The question I always like to ask is, if someone were to attack your organization using RFID technology, how would you detect it? For example, new functionality has been added to RFIDIOt to clone popular cards used for access control. This is extremely difficult to detect. You could, and should, monitor the logs from your physical access controls and correlate them with your other logs. For example, if someone were to gain access to a room, and then login to a system you can begin to paint a picture of whose accessing information and if it is authorized or not.
• SHODAN - The Internet Vulnerability Index - Shodan is a service that sans the Internet, for example polling systems for HTTP headers, and stores the results in a database. The database is made searchable for all to use. This means that you can find and exploit, then easily find vulnerable systems. Kind of a scary concept, surprised we have not seen this sooner.
• TSA Guideline Leaked - Its interesting that TSA has the same problems most organizations do, in that there are published guidelines and inconsistencies on how people execute them. For example, there is confusion on whether or not TSA can detain you for certain reasons. Also, the guidelines state that taking pictures at TSA checkpoints in some capacity is okay, when in practice it may not be. Whether or not all this makes our airports safer is debatable, but consistency speaks towards efficiency and success.
• BlackBerry Enterprise Server / Attachment Service PDF Distiller Unspecified Vulnerabilities (KB19860) - This Nessus plugin remotely checks for the vulnerability in your Blackberry server. This is a scary attack because an attacker who can compromise the Blackberry server can potentially control and run code on all Blackberry devices. These devices then get plugged into workstations, so the possibilities are endless.

Download Tenable Network Security Podcast Episode 15

Announcements

• A new blog post has been released that covers the December Microsoft Patch Tuesday roundup. In it we analyze some of the wording, details, and software vulnerabilities released in the December security bulletins from Microsoft.
• Hotfix02 for Security Center 3.4.5 has been released and addresses several small bug fixes. Customers can download the update from the Tenable support portal.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

George Theall heads up Tenable's Research group and shares with us some interesting thoughts about vulnerabilities, Nessus plugins, and more!

Stories

• Metasploit Project New Releases: Airpwn added - I wanted to use this story as a talking point to underscore a type of attack that not too many people know about. It debuted at Defcon years ago and is still a perfectly valid attack vector on open wireless networks. It allows an attacker to insert content into data streams using raw 802.11 frames. I've demonstrated this attack at conferences in the past, and had HTML code running on 50 people's browsers within a few minutes. The fix, use WPA!
• Adobe Flash Security Perspectives -Adobe, like Microsoft and other popular technologies, gets hit hard by attackers and many vulnerabilities are exposed as a result. This article covers both sides of the story, and offers some hope for Adobe as they realize that the popularity of their software has grown, and so should their security program and software development lifecycle.
• Be careful what you post online! - Employees, potential employees, and employers really need to take a hard look at what's being exposed through social networking sites. I'm not suggesting that companies "spy" on employees or potential employees, but to monitor what is available publicly.
• Cloud Security Public Announcement From Chris Hoff - If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.
• Thunderbird 3.0 Released - While I'm not an earlier adopter of new software versions, it appears that version 3.0 of Thunderbird also fixes some newly discovered vulnerabilities. I'm still adjusting to the new features, but did perform the upgrade so that I could take advantage of any security fixes as well.

Download Tenable Network Security Podcast Episode 16

Announcements

• A new blog post has been released from Marcus Ranum titled, "Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication"
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions!
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Stories

• PHP-Calendar remote code execution - I know, I know, we've all been warned about how bad PHP applications can be. But really, its bad. You may dismiss some of the web application vulnerabilities, but PHP has some nasty ones. Simple vulnerabilities can be manipulated to read files, including configuration files. SQL injection can be used to write files to disk, then execute them. In short, PHP vulnerabilities are just as good as remote shell in many cases, so treat them as such in your risk evaluation.
• "Attack Of The RAM Scrapers" - The evolution of computer security and hacking never ceases to amaze me. Just when you think that the good guys are "winning", you see attackers adapting to the changes and being very successful. This is prime example. Since many organizations, in part due to PCI regulations, are now encrypting data from end to end, attackers are just pulling it from RAM where it is temporarily stored unencrypted. This simple, yet elegant attack, has been around for some time, but becoming very useful in today's landscape.
• U.S. Predator drones video snooping - $26 worth of parts gives you the capability to snoop on video signals sent from the latest U.S predator drones. This epic fail makes us all wonder what else is being sent "in the clear" across the air that may be sensitive. In my experience, I've found that security through obscurity reigns supreme when it comes to radio communications. We've seen this happen with Wifi, bluetooth, ZigBee, and even pager traffic! If its in the air, people will intercept it, so it had better be encrypted.
• Top Ten Nessus Plugins of 2009 - This week we will be putting a post together that will document some of our favorite plugins. If you would like to make recommendations, feel free to email your suggestions to paul [at] nessus.org. I have to say that without a doubt the web application testing plugins are some of my favorites. There has been some new functionality added that you will see features on the blog and our video site starting next year. For example, Nessus now supports a cookie import feature. This is great for applications that use a cookie for various settings (for example DVWA uses it to set the security level) and for authentication. Also, with respects to authentication, Nessus can now login to an application and be provided with a web page and string to check which indicates if Nessus is still logged into the web application. The other class of plugins that are my favorites are any plugin that detects a default or weak username and password. My absolute favorite is the plugin that detects a Dell Remote Access Controller default password, which in certain cases gives you a root prompt!

Download Tenable Network Security Podcast Episode 17

Announcements

• A new blog post has been released titled "Airport Security: Don't Make The Same Mistakes" and compares the current challenges of airport security to the very same challenges we face with computer and network security.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Paul Crutchfield

Paul is the Director of Sales Engineering for Tenable Network Security. He comes on the show to talk about his experiences with our customers, including some details about using Nessus and the enterprise products on a very large scale. We also discuss evaluation criteria for vulnerability scanners and log management applications.

Stories

• A Tale Of Lock picks & Screwdrivers - It seems computer security problems will mirror physical security problems. Nothing could be more true that with the case of lock picking. You will find lock picking exhibitions at most major computer security and hacking conferences. This article covers some of the parallels between the two trades, and its message is clear: Attackers will always take the easy route. For example, an attacker that can bypass a door by going through a window. The same is true with encryption, many attacks against encryption attack the implementation of the encryption, not the encryption algorithm itself.
• Hidden admin access on D-Link routers - A SOAP-based management protocol (Home Network Administration Protocol, HNAP) allows attackers to query the device for information and bypass authentication, allowing attackers to change the settings of the device.
• Don't Wait To Lock Down DB2 - The database is often buried behind firewalls, web servers, and other layers of protection. However, this does not mean that security can be ignored. If the database is housing your data, it should represent the highest level of security. Unfortunately, as is the case with many DB2 users, security features are not always implemented.
• WMI Bluetooth Network Adapter Enumeration - This is a neat little Nessus plugin that will detect, and enumerate, which Bluetooth devices are plugged into remote hosts. If your security policy outlaws Bluetooth keyboards (which is should) this is a great way to enforce that policy. [Correction: This plugin will only detect Bluetooth Network adapters].

Download Tenable Network Security Podcast Episode 18

Welcome to the Tenable Network Security Podcast - Episode 98

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

1. Don’t Hit the Snooze Button on DigiNotar Alarm Bells - In 1995, we suggested the usage of network firewalls and SSL to protect web applications, and today we suggest that network firewalls and SSL protect cloud computing. There is a balance between evolving countermeasures and not hitting the snooze button on defensive technologies.
2. So-so SASO … So What? - Bringing more balance to security, there is room for automated testing and static code analysis, but should you let a 3rd party analyze your code? Most would say "Yes", unless you are Oracle...
3. Sound Database Security Starts With Segmentation - Segmentation needs to have context around it, and be based on the classification and location of your data.
4. SIEM: Dead as Claimed? - Computerworld - Its fun to see which technology will be declared dead, first it was IDS, now SIEM. Is it really dead?
5. 3 Indicted in Sophisticated Hacking Scheme - Attacker drove around the city of Seattle and broke into companies physical buildings and/or wireless networks, installed malware on their systems, and attempted to make a profit.
6. SecurityTracker: Apache Tomcat HTTP DIGEST Authentication Weaknesses Let Remote Users Conduct Bypass Attacks - I've recommended that DIGEST authentication be used over BASIC authentication in Apache. If you implemented my suggestions, make sure you take notice of this patch!
7. New OS X Trojan Horse sends Screenshots, Files to Remote Servers - I thought Macs didn't get viruses? Turns out they do...
8. Facebook Unfriending 'Bug' Gets Quick Fix - For Facebook users, this is a big deal, as you don't want your "Friends" to know that you are breaking up with them.
9. Man Builds Social Network Using Atlantic Ocean - I'd love to see the attacks against this social network, how would a cross-site scripting vulnerability play out?

Download Tenable Podcast Episode 98

Announcements

• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Nessus

• Mac OS X Multiple Vulnerabilities For Security Update 2012-002
• OpenSSL Versions Between 1.0.0 and 1.0.0j Denial of Service Vulnerability
• Mac OS X FileVault Plaintext Password Logging

Passive Vulnerability Scanner (PVS)

• PVS and Facebook Game Detection
• HTTP Server Insecure Basic Authentication
• Apple iOS 3.0 through 5.1 Multiple Vulnerabilities

SecurityCenter Report Templates

• Exploit Frameworks

SecurityCenter Dashboards

• Facebook Games

Compliance Checks

• A new check to Windows compliance which allows users to check the registry type (e.g. REG_DWORD, REG_SZ). More information about this new feature can be found in the Nessus Compliance Checks Reference Guide

Stories

1. FBI fears BitCoins
2. Netgear WNDRMAC 1.0.0.22 Information Disclosure ≈ Packet Storm
3. Wonderware Archestra SuiteLink Resource Consumption
4. Step on it: Virus could lead to motion-powered gadgets
5. Laptops at Security Conferences, (Mon, May 14th)
6. From LOW to PWNED [8] Honorable Mention: Log File Injection
7. 10 Symptoms Of Check-Box Compliance

Announcements

• New video: Ron Gula on Why Tenable Fits the U.S. Department of Defense
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Nessus

• CiscoWorks Common Services HTTP Response Splitting - HTTP response splitting is a tricky vulnerability, and therefore may be dismissed by some as not important. Its important to note, that essentially, it can give attackers control of a web application if they can convince users to click on a link or load HTML code in their browser. Also important to note that CiscoWorks is used by many to manage the entire network infrastructure. My attack against this software would aim to steal the SNMP or other credentials on all the network gear in your network.
• MediaWiki Multiple Vulnerabilities - Important updates for this software if you are running MediaWiki, a very popular Wiki software that also runs Wikipedia.
• VMware Workstation, Player, ESXi and ESX Critical Patches - ''This vulnerability may allow a guest user to crash the VMX
  process or potentially execute code on the host.'' - Any vulnerability that allows an attacker to execute code on the host system of your VMs should get the highest priority on your patch list.
• PHP Unsupported Version Detection - Keep up-to-date with your PHP releases! Easier said than done, as some developers will write applications that lock you into a specific version, which makes upgrading a much slower process.
• RuggedOS Telnet Server Backdoor - This one has been featured in the press lately. I'm confused as to why the MAC address would be displayed in the TELNET banner.
• Scrutinizer Multiple SQLi Vulnerabilities - Used to manage Netflow data, SQLi bugs are ones you don't want to see in this type of application.

Passive Vulnerability Scanner (PVS)

• Usenet File Detection (.nzb) - ''The remote web server is hosting .nzb files. NZB files are used by USENET clients to download large files.'' If you want to know if your network is participating in hosting USENET, this is the signature for you.
• Polycom VoIP Client Detection - VoIP software has had its share of vulnerabilities, and making sure it only exists where you want it to exist is part of good network management.

SecurityCenter Report Templates

• Adobe Readers and Players - It seems each week there is a new vulnerability exposed for either Adobe Reader or Adobe Flash. This report will provide you with your total exposure across both products.

SecurityCenter Dashboards

• DNSChanger Monitoring - This dashboard is a snapshot of which systems Nessus and PVS have discovered with DNSChanger malware, and provides a comprehensive look at your current state of infection.

Compliance Checks

• As part of the "NIST FDCC and SCAP Compliance Audit Policies" we've made available new USGCB audits for XP, Vista, IE7 and IE8 in the Tenable Customer Support Portal.

Stories

1. VMware Backdoor Response Uninitialized Memory Potential VM Break - When I review a vulnerability disclosure I like to pay attention to the dates. That is, the date the vendor was notified and the date the information was published. In this case: "Reported: December 5, 2011" and "Published: May 3, 2012". Not too shabby all things considered, such as what it might take to implement a code fix in VMware.
2. Stupid Human Tricks: Security Job Interviews - Some really great quotes, such as "In my last job I used Nexxus a lot". Now editors of this post please note this is an actual quote, and yes, someone said "Nexxus" instead of "Nessus"!
3. RuggedCom will block industrial control backdoor - Two things about this situation I wanted to point out, for one: "A year after it was first discovered, a backdoor in industrial networking kit from Canadian RuggedCom is to be fixed – sometime soon." I believe they need to have a date set for the fix to be released. And then this:
4. FTP a Dead Protocol or Very Much Alive? - "One thing that can be done is to segregate FTP traffic on your network by creating a VLAN for that particular traffic. Another thing is to turn off FTP on any workstation. One of the most important steps is to move to a secure protocol like SFTP that uses SSH and has a form of encryption to keep sensitive data safe also make sure that you are loging all trafic to and from the FTP servers." I don't so much agree with segmentation. It just takes the problem and moves it to a different part of your network, without really solving it. Turning off FTP on the workstations is a good idea, but you better make sure you have measures in place for continuous monitoring. SSH and SFTP are great ideas as well, but a pipe dream until Microsoft ships an operating system with an implementation of OpenSSH.
5. OS X Lion update exposes encryption passwords - The password used to encrypt your hard drives in OS X can be displayed in plain-text. This means the attacker can encrypt your drive, and then change the password. Whoops!
6. From LOW to PWNED [6] SharePoint - Great point about open shares, they are fountains of information.

Announcements

• New Video: Ron Gula on Why Tenable Fits the U.S. Department of Defense
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Nessus:

• Intuit QuickBooks Help System Multiple Vulnerabilities - Quickbooks contains sensitive information, such as financials and potentially employee/contractor SSNs. Ensuring this software is patched and up-to-date is extremely important.
• Juniper Junos CPU Utilization Denial of Serice - This vulnerability is a bit scary for me, as it could be triggered by non-malicious users. Sending data to an HTTP port is an activity that may not look suspicious, however, I've seen where this DoS condition can be triggered by a scanner, monitoring tool, or even an end user.
• Juniper SSH TACACS+ Incorrect Permissions - One of the first papers I wrote on security was on the subject of configuring TACACS+. I have to say, its not a simple tasks and there are many options, some of which could lead to either locking users out of a device or giving people too much access. This is a bug in the configuration, which could further complicate things.

Passive Vulnerability Scanner (PVS):

• Skype client detection - Skype just fixed a bug in the API that allows anyone to map a Skype username to an IP address. Vulnerabilities such as this, in addition to potential bandwidth consumption, are reasons to limit usage of this software in your environment.
• Rockwell Automation Service detection
- Rockwell is a popular manufacturer of SCADA devices, nice to see PVS adding signatures, not only is a great way to monitor sensitive equipment, it helps rasise awareness of security issues.

SecurityCenter Report Templates:

• Software Inventory - I think its great that you can work with this level of information and use it to detect policy violations.
• Netstat Active Connections - Yet another great component, not only can you see what software is installed, but which connections are being made. I see this being used to monitor in real-time, as well as a vital piece of information when doing incident response.

SecurityCenter Dashboards:

• Exploits By Platform - Great view of the percentage of exploitable vulnerabilities, and which exploit frameworks contain them.

Stories

1. How To Hide From Face-Detection Software - "here's what you might wanna wear to a party this weekend: A funny hat, asymmetrical glasses, a tuft of hair that dangles off your nose bridge and, most likely, a black-and-white triangle taped to your cheekbone." And why you might ask? To hide yourself from surveillance cameras of course! A researcher from New York University is working on ways in which to hide your face from cameras. This could be a way to protect your privacy or evade detection to commit crimes. The current methods have you, well, looking like a futuristic warrior from your favorite Sci-Fy flick. Other than Halloween, its not very practical. However, the researcher is:"trying to come up with a hat that will look cool and still could conceal his identity - at least from the computers."
2. Skype divulges user IP addresses - The H Security: News and Features - Using the Skype API, you can enter a username of someone using Skype and it will report back an IP address.
3. NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without Account - "NfSpy is a FUSE filesystem written in Python that automatically changes UID and GID to give you full access to any file on an NFS share. Use it to mount an NFS export and act as the owner of every file and directory." That's really neat! I always look for open NFS and SMB shares on the network when doing a penetration test, as it could yield some interesting data. This tool takes it a step further and gives you full access.
4. Who's tracking phone calls that target your computer? Stay Tuned to the ISC, (Sun, Apr 29th) - This is yet another account of social engineering: Someone calls pretending to be from Microsoft, tells you that you're infected with malware, then directs you to install their malware. The question being posed is just how frequent this attack is? I'm not certain how it scales, or how easy/difficult it would be to track down and defend against. A blanket warning to all computer users to "never install software from stingers" might help protect people, but who would listen?
5. Nissan Confirms Cyber Attack and Network Breach - "Nissan believes that no sensitive customer, employee or proprietary data was compromised, but acknowledged that some account login credentials may have been exfiltrated." First, I think its okay to keep a breach private for 7-10 days while you perform incident response. You just don't need that level of headache until you have all the facts. Furthermore, I want to know what techniques you are using to determine which data was accessed and if it was transmitted out of the organization. Is this a digital forensics issue? Do you look at the file system and see which files were accessed? Network logs? How do you know your data wasn't encrypted going out.
6. Vulnerability Management Evolution: Evolution or Revolution? - Some great tips in this article, such as "Start by revisiting your requirements, both short and long term. Be particularly sensitive to how your adversaries’ tactics are changing." I find a lot of people overlook this step or don't put in enough thought behind it. The products you use should align with the goals of your department and overall with your organization.
7. Google staff knew for years about Street View data breach - Is this information public already, and therefore not a big deal, or is Google being evil?
8. Inception | Break & Enter - If you need to unlock a system, Windows or Linux, this is the tool for you. Provided there is a Firewire port, you can gain direct access to memory and unlock a system.
9. CVSS – Vulnerability Scoring Gone Wrong « Neohapsis Labs - Some great points in this article on how to use CVSS: "Nobody cares that the distance between goal lines on an American football field is 3600 inches. Why? Because it is a useless unit of measurement when we are talking about football. Nobody cares if someone has made 2 inches of progress on the field, as yards are the only thing that matters. Similarly, what is an organization supposed to take away from a CVSS score that can take on 100 potential values? Is a 7.2 any better than a 7.3 when it comes down to whether someone is deciding to fix something or not?" He also talks about using CVSS data to determine HIgh, Medium, and Low severity, stating that your vulnerabilities could all be "6.9" and 7 or above is a high severity, and you are only fixing high vulns. Its a good idea to create some queries, dashboards, and report filters and look at your CVSS scoring in different ways to gauge risk and prioritize.

Announcements

• Tenable Selected for DISA’s ACAS Vulnerability Management Solution
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. New videos are always in the works and updated Nessus and Perimeter Service videos will be available soon.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Nessus:

• Netstat Active Connections - Active connections are enumerated via the 'netstat' command.
• SSL Resume With Different Cipher Issue - I just can't help but wonder how many times we can poke holes in SSL. The protocol does not breed much confidence and I'm curious if we will ever see a replacement.
• Citrix XenServer vSwitch Controller < 2.0.0+build11349 Multiple Vulnerabilities - While VMware clearly has a lion's share of the market, there are several other virtulization vendors in the market, and which ever platform you choose, security has to be one of the top priorities as reliability and integrity of your virtualization platform is of the upmost importance.
• HP System Management Homepage < 7.0 Multiple Vulnerabilities - Not only did HP miss a CSRF vulnerability, but they bundled in a vulnerable version of Apache, PHP, and OpenSSL. This is unacceptable in my opinion, a company this large, producing the amount of software they do, must have a better process for securing software.
• Mac OS X OSX/Sabpab Trojan Detection - Make sure you are running this plugin often against your OS X hosts, they could be infected with new variants or become re-infected from a Time Machine backup.

• IBM Tivoli Directory Server Web Administration Tool Unspecified XSS - More XSS is enterprise management applications.

Passive Vulnerability Scanner (PVS):

• Real Networks RealPlayer < 14.0.6.666 (Build 12.0.1.666) Multiple Vulnerabilities - Sometimes you just have to install select software to make something work. This is one such example, where a video won't play for a user, so they have to quickly install RealPlayer to make it work. Then they forget about it and its never kept up-to-date.

• TeamViewer detection - This software reminds me of PC Anywhere, or even better, GoToMyPC, all of which are just bad ideas. They work to bypass firewalls and give people access to their desktops. From a security perspective, this type of access has always lead to risky situations, which are often taken advantage of by attackers.

SecurityCenter Report Templates:

• Nessus Enhanced Botnet Detection - "The sample above was cut from one of three chapters and depicts the successful progress towards the removal of malicious software, and related configuration changes, measured by repetitive Nessus scanning over time. After the sharp upwards trend caused by initial malware detection there is a healthy downwards trend."
• TeamViewer Detection - "This template was designed to report hosts and network locations that have been observed using TeamViewer. The sample above was cut from one of two chapters in the template and points to the physical network locations where TeamViewer was observed in use."

Stories

1. Three No-Nos When Interviewing For an InfoSec Job - Some really funny stories here, like the interviewee who was hacking into the wireless network!
2. USB drive uses voice recognition for increased security - I'm curious to see how (or if) this really works, a voice pattern to unlock your USB thumb drive. Very James Bond, but typically the security on this these devices is bypassed some other way, getting around the "my voice is my password". Though, I've always wanted to say "Hi, my name is Werner Brandes. My voice is my passport. Verify Me. "
3. WordPress fixes file upload security problems - Wordpress is a scary place. If you must use it, make sure you have your own install and are hardening your PHP install and using something like Mod_Security.
4. Firefox skirts Windows security feature to make silent updates happen - UAC bypass to install updates!
5. Monitor OS X LaunchAgents folders to help prevent malware attacks - There are a few different folders in OS X that software will reside in to automatically start. This is a neat place to look and check the things that get placed here. Similar to the Windows registry keys.
6. 15-year-old arrested for hacking 259 companies - How bad is web site security when a 15-year-old can hack over 200 companies?
7. XSS Shortening Cheatsheet « Neohapsis Labs - Pay attention to this if you are finding XSS and not able to exploit it or demonstrate it.
8. The Trouble with IPv6
9. Security Issues in IPv6 Transition
Tenable Network Security Podcast Episode 121 Direct Download (mp3)
]]> paul@nessus.org Tue, 24 Apr 2012 12:35:11 -0400 Podcast 23B480DF-D020-4199-A9D0-2536E1AC38F6 Paul Asadoorian New Nessus & PVS plugins, report templates and more! New Nessus & PVS plugins, report templates and more! tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/04/tenable-network-security-podcast-episode-120.html Welcome to the Tenable Network Security Podcast Episode 120

Announcements

• Nessus 5.0.1 Released - This update includes support for FreeBSD 9 and gives you more flexibility when specifying port ranges and types (UDP or TCP) for the port scanner. Several bug fixes are included as well, including Windows installation issues.
• SecurityCenter 4.4 Released:

• Improved performance, with a new XML-RPC-based interface that speeds cross-system connections and adds fault-tolerance and improved reliability.
• Easy report template and information sharing. New reports, designed by Tenable experts, can be downloaded from the new Tenable SecurityCenter Enterprise Reporting blog, imported into SecurityCenter, and used immediately, customized, or exported to share with others.
• Easy access to over 100 pre-defined Quick Reports, including SANS Consensus Audit Guidelines, Center for Internet Security Audits, FISMA compliance indicators, HIPAA compliance checks, OWASP, PCI, and other IT and patch audit reports.
• New data visualization displays that use charts and color-coding to indicate the number and severity of vulnerabilities based on IP addresses, host names, and asset groups.
• Integration with Tenable’s cloud-based Nessus Perimeter Service.
• Improved integration with GRC, SIEM, IDS, firewall analysis, and other systems that support Nessus reporting. SecurityCenter now exports scan data in the Nessus v2 format.
• Scan hosts by specifying the DNS host name or URL for web application assessments.
• Authentication: Support for the use of digital certificates with SecurityCenter. Support for smartcard authentication (including U.S. Department of Defense’s Common Access Card (CAC)).
• New Version of Nessus Perimeter Service Released - As Tenable is an Approved Scanning Vendor (ASV), you can use the Perimeter Service to perform PCI scans, using an approved PCI policy, and submit the scan results to Tenable for PCI ASV validation. The Perimeter Service allows you to scan as many systems as you like, as often as you like, and submit two scans for validation per quarter at no extra cost.
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. New videos are always in the works and updated Nessus and Perimeter Service videos will be available soon.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Nessus:

• nginx 1.0.7 - 1.0.14 / 1.1.3 - 1.1.18 ngx_http_mp4_module Buffer Overflow - Nessus looks at the server response header, and if the installed version of

  nginx is between 1.0.7 and 1.0.14 or 1.1.3 and 1.1.18, the host is flagged as vulnerable. This web server is more commonly used than you might think...

• VMSA-2012-0007 : VMware hosted products and ESXi/ESX patches address privilege escalation - More ESX patches, make sure you stay on top of these! Makes me wonder what some of the tricks are to running 100 or more systems on ESX, then having to patch it and take down all those hosts for maintenance.
• Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows - This remote check uses the banner to determine if the vulnerability exists. We also released local plugins for several major Linux distributions including Red Hat, Ubuntu, Debian, and Fedora. This vulnerability made some major news as Samba is a commonly-used SMB server for Linux/UNIX servers and is exploitable remotely (i.e., CANVAS has released an exploit for this vulnerability).

Passive Vulnerability Scanner (PVS):

• Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows - Using banner detection, this plugin detect is for the version of Samba 3.x running on the remote host earlier than 3.6.4 / 3.5.14 / 3.4.16.
• Facebook Game - The Smurfs & Co Detected - Yep, this is my excuse to talk about the Smurfs on the Tenable podcast.

SecurityCenter Dashboards:

• Snort IDS Events - The Snort IDS Events dashboard organizes and visualizes events collected from the Snort intrusion detection system.

SecurityCenter Report Templates:

• RDP Detection - This report template was designed to detail RDP (Remote Desktop Protocol) server and connection detection.
• Unmanaged and Unsupported Hosts - This report template was designed to identify unmanaged and unsupported operating systems and appliances within a large enterprise.

Stories

1. Vulnerabilities, Exploits, and Good Dental Hygiene - From the Tenable Blog, an article discussing vulnerability management, exploits, and penetration testing.
2. Phrack 68 Released- Good to see Phrack still kicking'
3. Smart Meter Attacks - Smart Meter hacks are coming to life, and the security community is biting its tongue trying not to say "I told you so".
4. Not Your Parents Wifi - Great article that summarizes the different types of wireless and the threats they post, from Bluetooth to DECT.
5. Oracle accidentally release MySQL DoS proof of concept - Oops!
Tenable Network Security Podcast Episode 120 Direct Download (mp3)
]]> paul@nessus.org Tue, 17 Apr 2012 15:23:16 -0400 Podcast 0A0DD382-83C8-4CFA-8CD5-D0F0B8350649 Paul Asadoorian New Nessus, SecurityCenter and Perimeter Service released, plugins, dashboards, report templates and more! New Nessus, SecurityCenter and Perimeter Service released, plugins, dashboards, report templates and more! tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/04/tenable-network-security-podcast-episode-119.html Welcome to the Tenable Network Security Podcast Episode 119

Announcements

• Tenable Network Security Certified as Approved Scanning Vendor (ASV) by PCI Security Standards Council.
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The "Top Ten Things You Didn't Know About Nessus" videos have been posted from #10 through #2, so check them out!
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Nessus 5 OnDemand Training Now Available

New & Notable Plugins

Nessus:

• OS Identification : NativeLanManager -
• at32 Reverse Proxy Admin Portal No Password -
• Microsoft ASP.NET ValidateRequest Filters Bypass -
• Cisco WebEx WRF Player Multiple Buffer Overflows (cisco-sa-20120404-webex) -

]]> paul@nessus.org Tue, 10 Apr 2012 14:09:18 -0400 Podcast 91F13936-60FF-4117-BE97-B5DFA6EBD784 Paul Asadoorian Macs don't get viruses, detecting OS X malware Macs don't get viruses, detecting OS X malware tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-118.html In this episode we talk about some great new plugins being released, including detection of jailbroken iOS devices, Cisco IOS vulnerabilities, and more!

http://blog.tenable.com

]]> paul@nessus.org Wed, 04 Apr 2012 13:42:15 -0400 Podcast D20FA623-4547-4CB7-8A5F-4AE21E72E731 Paul Asadoorian In this episode we talk about some great new plugins being released, including detection of jailbroken iOS devices, Cisco IOS vulnerabilities, and more! http://blog.tenable.com In this episode we talk about some great new plugins being released, including detection of jailbroken iOS devices, Cisco IOS vulnerabilities, and more! http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-117.html paul@nessus.org Tue, 20 Mar 2012 14:22:53 -0400 Podcast 3973D05E-8714-4BB4-AE7E-626AE08F0709 Paul Asadoorian Interviews from the Mid-Atlantic CCDC Interviews from the Mid-Atlantic CCDC tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-116.html paul@nessus.org Tue, 13 Mar 2012 13:59:09 -0400 Podcast 39591216-9859-4986-BB17-36D7FEEC4E31 Paul Asadoorian "Detecting IPv6, iTunes vulnerabilities, Security is dead?" "Detecting IPv6, iTunes vulnerabilities, Security is dead?" tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-115.html paul@nessus.org Tue, 13 Mar 2012 13:57:35 -0400 Podcast 67FCC147-7F61-442D-BFA2-B02A37BE144C Paul Asadoorian "Hacking sprinklers, vulnerability remediation, photo slurping" "Hacking sprinklers, vulnerability remediation, photo slurping" tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-114.html paul@nessus.org Tue, 13 Mar 2012 13:56:43 -0400 Podcast 8C5A7EB9-720C-419F-B9C2-92E0A788B82F Paul Asadoorian "0day exploit sales, software backdoors, Wifi everywhere" "0day exploit sales, software backdoors, Wifi everywhere" tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-113.html Welcome to the Tenable Network Security Podcast Episode 113

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• New iSeries and AS/400 plugins are being released this week!
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The "Top Ten Things You Didn't Know About Nessus" videos have been posted from #10 through #2, so check them out!
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Passive Vulnerability Scanner

• Novell iPrint Client < 5.78 Multiple Code Execution Vulnerabilities
• Mozilla Thunderbird 3.1.x Multiple Vulnerabilities

Nessus

• RealPlayer for Windows < 15.0.2.71 Multiple Vulnerabilities
• HP Data Protector Media Operations Server 'DBServer.exe' Remote Code Execution

Nessus 5.0 - New Features Discussion

Installation & Configuration

• A browser-based installation wizard for users on a wide variety of platforms (Windows, Mac, Linux, or UNIX) - What does this meam for end-users?
• Configuration and management is now done through the GUI. Nessus users can now quickly initiate plugin updates and see last update information through the GUI.

Scan Policy Creation & Design

• Users can quickly select multiple filter criteria, such as, Vulnerability Publication Date, public vulnerability database ID (OSVDB, Bugtraq, CERT Advisory, and Secunia), Plugin type (local or remote), information assurance vulnerability alert (IAVA), and more!
• Scan for all easily remotely-exploitable vulnerabilities for which there is an exploit published in your favorite exploit framework, local third-party client software that is unpatched, systems that have been missing patches for more than a year, CVSS scores greater than 8, weak or default passwords.

Scan Execution

• Nessus v5.0 now has five severity levels: Informational, Low Risk, Medium Risk, High Risk, and Critical Risk.
• A new vulnerability summary and redesigned host summary make it easy to see risk level without even running a report.
• One click to jump from a critical vulnerability to see the host(s) that is vulnerable to the details of the vulnerability.
• As the scan is being run, not only can you see the results as they are being gathered, but navigate and filter on them as well.

Report Filtering & Customization

• Users can apply multiple result filtering criteria, and targeted reports can be generated against the filtered results.
• . A user can exclude particular vulnerabilities from a report before it is generated, allowing delivery of results targeted to specific audiences.
• Four new pre-configured report formats — Compliance Check, Compliance Check (Executive), Vulnerabilities by Host, and Vulnerabilities by Plugin: users can quickly create reports by chapters.
• Reports can be generated in native Nessus formats, HTML, and now PDF formats (requires Oracle Java be installed on the Nessus server).
• Multiple report templates can be combined into one report.
]]> paul@nessus.org Wed, 15 Feb 2012 14:46:12 -0500 Podcast E7ECFBD2-C786-448B-9EA4-F4A9B8965B29 Paul Asadoorian Nessus 5.0 - New Features Discussion Nessus 5.0 - New Features Discussion tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/02/tenable-network-security-podcast-episode-112.html Welcome to the Tenable Network Security Podcast Episode 112]]> paul@nessus.org Tue, 07 Feb 2012 13:00:19 -0500 Podcast 90FF0BAF-7A60-4501-9839-ED32610F8C4F Paul Asadoorian Welcome to the Tenable Network Security Podcast Episode 112 Welcome to the Tenable Network Security Podcast Episode 112 tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/01/tenable-network-security-podcast-episode-110.html Welcome to the Tenable Network Security Podcast Episode 110

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• PVS 3.6.0 for Linux now Available - Added the "Strip VLAN tags" setting to ignore the VLAN header, Nessus V2 report output format support, Deprecated the "failure-threshold" configuration setting, Improved stability when parsing PASL scripts, New license format (Requires a new license)

New & Notable plugins

• Use Nessus to find XSS and HTML Injection Vulnerabilities in your Cacti servers < 0.8.7g
• Use Nessus to detect when SMB signing is disabled on your Windows hosts
• Detect vulnerabilities in Oracle databases from the January 2012 critical patch update with Nessus
• Detect the latest PHP denial of service vulnerability (CVE-2011-4566, CVE-2011-4885) with PVS

Interview: Dale Peterson of Digital Bond



Dale is an internationally-renowned SCADA security technologist and is responsible for a large amount of the available technical SCADA security content. In addition to his widely read SCADA security blog, Dale has written two Protection Profiles for NIST’s PCSRF, many whitepapers, magazine articles and presentations.

1. What is S4 and how did the conference go this year?
2. What were some of your favorite talks from S4 this year?
3. Vendors in the SCADA industry come under heavy fire from several in the security community. What can we do to help improve this siutation?
4. Have industrial systems gotten more resilient over time? For example, are they able to be scanned across the network or are local checks still preferred?
5. Recenty our respective research teams worked on creating several new Nessus and PVS plugins for several SCADA vulnerabilities. What are some of the vendors and products that have been added?
6. What is Project Basecamp?
7. Tell us about some of the other projects at Digital Bond, such as SCADApedia, Bandolier, Portaledge, and Quickdraw SCADA IDS

Stories

• Hacking critical infrastructure systems now as easy as pushing a button?

• Quantum physics enables perfectly secure cloud computing

• ‘Citadel’ Trojan Touts Trouble-Ticket System

• Mozilla pushes browser-based alternative to passwords

• Security Manager's Journal: You can't secure every employee's home

Download Tenable Network Security Podcast 110 (mp3)
]]> paul@nessus.org Thu, 26 Jan 2012 15:08:09 -0500 Podcast 5040F1BF-85D3-49B2-9663-FB7D9E8D1416 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/01/tenable-network-security-podcast-episode-109.html Welcome to the Tenable Network Security Podcast Episode 109

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• PVS plugin released to detect Google Chrome < 16.0.912.75 Multiple Vulnerabilities
• Nessus plugin 57558 detects unsupported MySQL and feeds right into this dashboard.

Stories

• Five Principles to Better your Security Monitoring - I believe that knowing yourself is different from being able to get the data that you need in order to be successful. I know people love Sun Tzu and all, and I've even been known to make a reference to his philosophy, however this is not about knowing yourself. This is about working as a team and sharing information that makes sense. I've experienced this several times within organizations, and that is teams are working as their own little armies. The fact is that everyone needs to cooperate when it comes to security. Furthermore, knowing the terrain is a moving target, IT systems and landscape changes all the time, so while you may know it today, you may not tomorrow.
• Wireshark 1.4.x and 1.6.x Updates Close Security Holes - I've seen a long history of problems related to security with this tool. It stems from the fact that its parsing data, lots of different types of data, and sometimes not very well. I still tend to lean towards the command line tcpdump, but if you are using Wireshark, be certain to be on the latest version and consider running it on systems that have the least impact if compromised.
• PHP 5.3.9 Released with Hash DoS Fix - I used to think that DoS vulnerabilities were not a big deal. However, now that the entire world relies on the web for any number of things, these are a big deal.
• Recovering a Hacked Gmail Account - This can be a very time consuming process. The story goes into details of the attack, the emails to friends about being mugged overseas and needing money, etc... it begs the question of whether or not using cloud-based email is worth it. I am a huge fan of using it, but adding protections such as strong pass phrases, two-factor authentication, getting rid of the security question, and using PGP.
• 10 Years of Breach - I've heard of University breaches that have gone on for years without being detected, but this one takes the cake. They found that for 10 years attackers had planted viruses on university systems, until finally one day a monitoring system detected some behavior that led to an investigation. Ignoring security is a strange thing, if you ignore the problem everything will seem okay. Until one day when you find out about the problems and it's too late. However, the longer you let the problem go, the worse off you will be. Ten years is such a long time that there is no way to even tell who is affected. 10 years is a lot longer than most people attend college!
• Sysinternals Updates - Updated have been released for this tool, and there is a great story about how Mark fixed his Mom's computer over the holidays!
• PRC Targeting DoD Smart Cards - Never fails, when you adopt this awesome technology to secure things, people will attack it.
• Time to Check your DNS Settings? - The bad guys behind this botnet had infested approximately 4 million computers in more than 100 countries with malware called DNSChanger. This Trojan horse allowed them – among other things – to redirect requests of unsuspecting users to malicious or illegal destinations by altering their connection settings, namely the address of the DNS server - If you were to write malware to do just one evil thing, changing the DNS server may be on the top of the list.
• Windows Live May Be a Vulnerability for Xbox Live Users
• Zappos Says Hackers Accessed 24 Million Customers' Account Details - I was just commenting how awesome Zappos was to shop with, then this. However, after it blows over, will I still shop there?
• ACROS Security Blog: Is Your Online Bank Vulnerable to Currency Rounding Attacks? - Warning, lots of math here. However, some neat profiles of "Exploitation".

Download Tenable Network Security Podcast 109 (mp3)
]]> paul@nessus.org Wed, 18 Jan 2012 12:20:18 -0500 Podcast E6AB1E30-0C6B-4770-963B-B9B432E2FAC1 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2012/01/tenable-network-security-podcast-episode-108.html

Welcome to the Tenable Network Security Podcast Episode 108

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• Nessus plugin 57461 was recently added to scan for Apple iOS Lockdown services
• PVS can now detect systems reaching out to .xxx domains, enhanced OS identification.

Stories

1. "Can you be forced by law to decrypt your computer? US v. Fricosu court case rages on"
2. When Someone Else's Insider is Your Threat
3. The inconvenient truth about passwords
4. Oracle: Firewalls Against SQL Injection Are a Good Idea After All
5. Why Security Does Not Concern Generation Y
6. Microsoft denies Xbox Live security breach
7. Smart meter SSL screw-up exposes punters' TV habits
8. HP sneaks out printer firebomb firmware security fix
9. Apple patent stashes passwords in chargers
10. Paul Ryan turns against SOPA following a Reddit-based attack
11. Adobe to release zero-day fixes for Reader and Acrobat
12. Microsoft finally vanquishes the BEAST-related bug
13. P0f is back!

Download Tenable Podcast Episode 108

]]> paul@nessus.org Thu, 12 Jan 2012 09:30:23 -0500 Podcast 5C9A9000-9942-4757-9162-BF472AEAEA46 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/12/tenable-network-security-podcast-episode-107.html paul@nessus.org Thu, 12 Jan 2012 09:29:29 -0500 Podcast FA3265FE-A7D9-4FEC-B917-F7B0901CCA86 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/12/tenable-network-security-podcast-episode-106.html

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Ron Gula, Tenable's CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!

• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

1. Can Security Teams and DBAs Play Nicely? - Some great points in this article highlight that it is a two fold problem. On the one hand, database administrators are very focused on performance, tuning, and reliability (as they should be) and are neither trained up on, nor focused on, security. On the other hand, you have many security people who are neither trained nor skilled in databases. This makes for a difficult situation in which to implement security. However, I do want to point out that security folks can encourage database administrators to patch the database and improve on the patch cycle. I'd also argue that if you know databases well, and can tune them and keep them running, you likely already know how to secure them, you just don't want to.
2. Study: Chrome the Most Secure Browser - Wow, a study commissioned by Google finds that Chrome is the most secure browser. Funny how that works, eh? The study is a good resource to learn about modern browser protections, and also notes that URL filtering for malware is not that great amongst all browsers.

3. Dumbest Camera Ban Ever - Get this: "the station has decided to only ban DSLRs due to "their combination of high quality sensor and high resolution". Other cameras are allowed in, as long as they don't look "big" enough to shoot amazing photos." Its this kind of security that really bothers me, and I see it so often. Just the other day I heard the person working at the home improvement store talking about how one company's locks are so much better and more secure than another's. So much so that when she bought her house, she changed them to the company's she likes. Now, if her house is like mine, or like most houses, there is a big window right next to the door.

4. BonkersWorld: Backwards Compatibility - While I thought this cartoon was morbidly funny, it reminds me of the lengths people will go to in order to maintain backwards compatibility. This typically has an adverse affect on security, and at some point you just need to move forward, which has consequences as well, some of them, well, morbid.

5. Shamir’s Predictions of the Future - Adi Shamir, one of the winners of the Turing award for his work in public-key cryptography, makes some predictions for the future. I find them to be pretty epic, such as he states "Crypto will be invisibly everywhere. Vulnerabilities will be visibly everywhere." Whew, let's let that one roll around in the old noggin for a bit… Okay, so he also states that "Non-crypto security will remain a mess." Now, Shamir is a crypto guy, but let's not lose site of that fact that crypto only solves part of the problem, the privacy and integrity part mostly. However, crypto is only as good as the implementation, and I predict that people will still manage to mess up the crypto so it's not secure.

6. Two Bets on 2012 - I love predictions, they are just too much fun! Here are some to consider: "The safe bet: first, bad guys will continue to develop new ways to break into systems and steal information. It’s just too profitable for them to stop. The adventurous bet: second, 2012 may be the year for mobile device hacks that really hit some big name organizations hard. " Okay, so we know that bad guys are going to keep at it and make money. Ever since there was a law, there were people breaking the law to make money. This will always be a constant (not really a prediction). Also, every year someone says, "This will be the year that attackers really go after mobile devices." I think the piece that's missing is, it's still far too profitable and easy to go after desktops. So, why bother wasting time with mobile devices when you can make a thousands or much more per week renting out a bonnet on random hosts you've trojaned on the Internet?
7. 8 Out of 10 Software Apps Fail Security Test - If you want to know what the problem is with web application security, it's right here. The software is not resilient, in many aspects. Also, we keep buying and using the software, so there is no incentive to change it. Then attackers mass exploit SQLi and make a profit. There is no question this will continue, until we make better software or stop using the poorly written code.

8. MS11-080 - A Voyage into Ring Zero - Just nice to know it's still possible to do stuff like this, however, I didn't see it published that this attack works on Windows 7 or 64-bit XP even, proving even more that Microsoft has raised the bar of operating system security.

9. The Security Threat Stephen King Warned Us About? - Funny how there is a lot of information being published about how embedded systems are everywhere and "bad things could happen". That was my talk almost two years ago now. However, fast forward to today, and take a peek into the future, you will truly see computers in everything. Some will say it's a movie plot come to life, that computers will take over the world and we will all be living in cocoons, living out our daily lives in a digitally created world where nothing seems real. Oh wait, maybe that's just me! If it were, I'd encourage everyone to read the book "Daemon" by Daniel Suarez, perhaps the best and most realistic usage of technology in a work of fiction that I've ever read.

Let's have a look at some of last year's predictions:

• Security Predictions for 2011 and 2012 - The Emerging Security Threat (SANS Institute)
• Top 10 Security Predictions For 2011 (Information Week)
• My 2011 Security Predictions (Rich Mogul, Securosis)

Download Tenable Podcast Episode 106

]]> paul@nessus.org Wed, 14 Dec 2011 09:27:06 -0500 Podcast CF8D72A7-8C39-4E67-9E65-1A7DC3FBAFFA Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/12/tenable-network-security-podcast-episode-105.html Paul, Jack, Ron, and Carlos talk about Tenable's new integration with patch management platforms such as Microsoft's WSUS, SCCM, Vmware Go, and Red Hat Satellite server.
]]> paul@nessus.org Sat, 10 Dec 2011 08:54:42 -0500 Podcast 87DD6EFC-59DC-4A5D-9FB0-E8871E0B4D4D Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/11/tenable-network-security-podcast-episode-104.html
6. Tenable's Ron Gula Discusses Protection of University Data
7. ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution - A lot of places still use FTP to share files. Sometimes it's to allow partners or contractors to upload files, sometimes it's part of the production process and used to automatically transfer files between systems, and other times it's just because people are too lazy to use SSH/SCP. Whatever the reason, FTP is still in use, so being able to monitor for vulnerabilities is still valid. This signature is part of Tenable's Passive Vulnerability Scanner (PVS), which allows you to find vulnerabilities in FTP server you may not have previously known about. I've found that people will often use ACLs, firewalls, and the FTP configuration itself to try to hide the shameful fact that they are using a protocol that does not encrypt the login or data.
8. Oracle Report Server - 2-Cent Hack Trick - I just love flaws like this. Its not traditional XSS or SQLi, but using the functionality of an application in a way it was not intended. Hacking in its purest sense. I often find that these are the problems that go unfixed, because it's a logic thing, not a patch thing.
9. Mobile Security Can Be a Major Pain - Now doctors are walking around with my health information on a mobile device, and guess what? Sometimes their devices get lost, along with my information. So, as we get more mobile with our computing, let's not forget to use encryption. Also, PCs are cheap, why can't we have one in every room and put the pertinent patient information in the hands of doctors? Oh wait, we can. There were a couple of guys that made software to do this, based on object oriented programming. They got bought by Microsoft and are used in thousands of hospitals across the globe.
10. Firms Slow to Secure Flaws in Embedded Devices - Ron Gula has come great comments in this article as well (he's all over the media this week!). One thing the article failed to mention was why security doesn't get baked into embedded systems in the first place. Typically there are severe limitations on processing power and storage, which forces developers to just make things work and not add-in any extra security measures, such as using SSH vs. TELNET.
11. iTunes Security Vulnerability had been Present for Over Three Years - If Apple knew about this one, why didn't they patch it? Software update vulnerabilities are a big deal, and three years is way too long to let one go.
12. Six Myths of Risk Assessment - Some interesting points in this article. One jumps out at me, and that is a risk assessment will determine that you should not implement security. I think many may look at this backwards, and try to use a risk assessment to get more security, when in fact it should prove that you need less. I think one aspect left out is WHERE you should put your security, not how much or little you implement as a whole.
13. $200 Kit Smashes Intel's HD Video Encryption - Now, I don't encourage people to break the law, but I do get a kick out of people who break the rules. Any time you stand up a technology that limits people's ability to do, well, anything, someone will break it. The real kicker comes when they break it by spending less than $500, because that means it's in the hands of the masses and you've failed to protect anything with it from that point forward.
14. US Police use Radio Encryption to Stop iPhone Eavesdropping - So just now the police are going to encrypt communications? I remember when I was growing up, several people had police scanners and I always thought it was kind of silly that anyone could just listen in. But now you can do it from a smart phone, so it's a real threat.
15. Siri Hacked to Remotely Start a Car - Look, I can't get Siri to call my wife or even spell "cigar" in a TXT message. So, hack it all you want, it likely won't start my car on the first try, or second, or third….
16. Hacker Says Texas Town Used Three-Character Password to Secure Internet Facing SCADA System - I wanted to take a moment to tell people to run regular scans against your perimeter. Your regular scans should include some form of password brute-force guessing. Nessus does some of this for you, but take the time to come up with a repeatable process for testing Internet-facing systems for easily guessable passwords. Right now, you can integrate Hydra into Nessus and test your systems using a custom dictionary. You should do this on the inside and outside. Every sysadmin I've every spoken to has that one password, or more, that they've used all over the place and swear they've changed it. You need to test and make sure they have.
17. Hackers Target IPv6 - One more reason to stay on IPv4.
18. Hacking Printers - Again
19. The New (and Old) .htaccess Attacks – Now Using .in Domains - If someone is changing your configuration files, like .htaccess, you should notice. This should be part of your basic defenses.
20. Apache mod_proxy/mod_Rewrite Bug Lets Remote Users Access Internal Servers
]]> paul@nessus.org Fri, 09 Dec 2011 08:54:42 -0500 Podcast 746CAB63-495C-457C-9CE0-DFB2929D0FF6 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-103.html paul@nessus.org Fri, 09 Dec 2011 08:53:08 -0500 Podcast 3D63C0B1-F876-415B-94E2-1A114F2CED8A Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-102.html paul@nessus.org Tue, 15 Nov 2011 11:41:51 -0500 Podcast 34D7C9C6-4C65-48D8-9C13-51F1ED26EAB9 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-101.html

Welcome to the Tenable Network Security Podcast Episode 101

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Chasing APT: Persistence Pays Off - One of my greatest concerns that this article reminded me of is the risk to small business. And by small I mean the number of employees, not how much money they manage. You could likely construct a lucrative business attacking small firms that manage a LOT of money, but are small and have no dedicated IT team, let alone a dedicated security person.
• Exposing the Market for Stolen Credit Cards Data - Maybe its just me but given that this article states "Liberty Reserve is the payment option of choice for the majority of the portals" can't you just follow the money and/or go after the organizations that are allowing the transactions? I'm sure its far more complicated than that, but just a thought. I'm sure that when targeting drug cartels and organized crime similar avenues are explored.
• EFF on HTTPS - Great quote from this article: "In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right." So true! There has to be a better way to get this SSL thing fixed. One suggestion from folks at the EFF was to have users rank SSL certificate authorities to build public trust into SSL.
• US observation satellites hacked - I love this: "The article states that the nature of the attack appears to point to the Chinese military, though it stops short of making a direct accusation." Everyone is always quick to blame the Chinese, likely because people are saying "Well, if anyone would want to hack into a satellite it would be them". I'm saying who wouldn't want to hack into a satellite, thats so cool!
• Cisco WebEx Player Buffer Overflows Let Remote Users Execute Arbitrary Code - Webex is popular software, and if you were to hold a webinar and tell people they get something for free, you could probably compromise a lot of systems with this vulnerability.
• 6 Deadly Enterprise Security Mistakes - I have to say, usually when I see articles like this, I take the opportunity to rip them to shreds. I will not do that with this article because I agree with it 110%. Nicely done.
• Hackers could have TAKEN OVER Amazon Web Services - Imagine if you could take over the cloud, would that make you God for a day?
• The 8 Craziest YouTube Account Hacks - This is just fun and covers "Beiber Fever" and "Hanna Montana faking her death". Just doesn't get any better than this!
• Why You Still Can’t Teach a Machine to Hack - I wanted to again explore the debate over automation versus manual testing.
• US Government Regulations on Piracy

Download Tenable Podcast Episode 101

]]> paul@nessus.org Thu, 03 Nov 2011 08:30:40 -0400 Podcast 498DB72A-FD1C-4AE4-9722-0BF5DD0EC5C7 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-100.html

Welcome to the Tenable Network Security Podcast Episode 100

Hosts

• Paul Asadoorian, Product Evangelist
• Ron Gula - Chief Executive Officer and Chief Technical Officer
• Renaud Deraison - Chief Research Officer
• Jack Huffard - President and Chief Operating Officer

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

In honor of the 100th Tenable podcast, and the nine year anniversary of Tenable Network Security, we've decided to produce a special podcast episode. In this episode we sit down with the founders of Tenable Network Security and ask them ten questions:

1. How did the three of you meet?
2. What spawned the idea to create Tenable Network Security?
3. What are the qualities of Nessus, and its author, that were the driving factors to create the company around it?
4. What was the first new product created as a company?
5. What are some of your most favorite milestones in the companies history?
6. What gets you most excited when you go to work everyday?
7. What are some of the greatest challenges that organizations face in security and how do our products help them?
8. Why was the open-source model abandoned and how has this benefited the Nessus community?
9. What is the strangest feature request you've ever received?
10. The creation of LCE, the Tenable Log Correlation Engine, is a distinct separatation from vulnerability management. What prompted this move and how does this product set itself apart from other products in the line?
11. What's coming next for the company and Tenable's products? Spoiler Alert: Renaud gives us a sneak peek into the next version of Nessus!

Download Tenable Podcast Episode 100

]]> paul@nessus.org Wed, 19 Oct 2011 15:10:12 -0400 Podcast 9596B67C-6E42-4EFF-BECB-BBD4ADCAAA89 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-99.html

Welcome to the Tenable Network Security Podcast - Episode 99

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

1. iPhone 5 Emails Infect Windows PCs with Malware - Attackers have proven to be very opportunistic when it comes to email scams and malware. Take the iPhone 5 for example, emails sent to thousands of people in an effort to get them to read up on the iPhone 5, which from the screenshot appears to be completely transparent. A neat defiance of physics, the real kicker being that Apple announced the 4S, not iPhone 5 yesterday.
2. The 20 Controls That Aren’t - Ben Tomhave calls out the SANS CAG as 1) Not being actionable 2) Not able to scale and 3) Being designed to sell a product. While I agree in principle, its all about how you use the tools and guidelines. For example, if I want to know the areas that I should be covering in my information security program and some tips on how to do that, I might turn to the SANS CAG. Then I would go to the CIS benchmarks for recommendations about how to configure my systems security. At the end of the day, I am going to have to buy some products to help me get the job done, and I believe the various standards do not recommend a vendor, but areas in which you should focus on to help secure your organizations. Having said that, don't ignore vendors that provide products or services outside published guidelines, sometimes they can help you the most (of course, sometimes they are just the opposite).
3. Some Hotel Safes Not So… Safe - We may have covered this one before, but just a reminder, the hotel safes are not safe and there are videos all over the web showing the default password. This one has reached true full-on public status. So you can either carry all of your stuff with you, or is there such a thing as a travel safe? Or, do you try to hack the safe first before putting your valuables in it?
4. Cisco Patches Slew of IOS Bugs - I love this: "A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability" Yeah, because a full TCP-Three-Way handhake is a defense, that'll stop em'! I love remote code execution on a switch, yes make my port a mirror port. No one is in a big hurry to apply an update to a switch either.
5. Post Exploitation Shellbaging Security Aegis - I thought Carlos would enjoy this one, its a post-exploitation script that performs an interesting type of file system forensics: "Since the ShellBag keys store various metadata on how Windows Explorer items were arranged and since they are recorded for each user, from a computer forensics standpoint, one can parse the data and pull out various pieces of information that relate to user interaction. When combined with other available computer artifacts, it could provide a more complete picture of what files were accessed or deleted by the user and from what storage device they were accessing at the time (could be either an internal, external or network storage device)."
6. File Disclosure Browser - DigiNinja - Ever see those weird .DS_Store files on various shares, web servers, and even on your own file systems and USB drives? Turns out those come from OS X and can contain information about your files, and even the location of some hidden files. Robin Wood's script extracts this information from .DS_Store files posted on web sites.
7. NOTE: This page has been known to trigger A/V alerts, visit at your own risk! - http://securityxploded.com/passwordsecrets.php - Password Secrets of Popular Windows Applications - What a great list of applications and where they store their passwords, and how!
8. Collected 1st & 2nd Level Domains - Some neat research from Max, who has collected 1st and 2nd level domain information, enumerating the domain names across large sections of the Internet.
9. Fail a Security Audit Already -- It's Good for You - If that's the case, everyone is really healthy! However, failing is a part of learning. Most do not pass their first security audit, if you do, then why did you pay for one in the first place? You security audit should be telling you things you can do better, because chances are what you are doing has a few gaps or is just simply not enough. Audits, assessments, and penetration tests should tell you something you didn't already know.
10. More Than One-Fourth of Google Chrome Extensions Contain Vulnerabilities - This is one of the things that keeps me up at night. We rely on all of these frameworks, and each of the frameworks allows people to write code and install it on your system(s). Sometimes that code does evil things.
11. Sometimes the Security Helpdesk Gets The Last Laugh - Word to the wise: Format and re-install your OS after you've contracted Malware.
12. Air Traffic Control Data Found on eBayed Network Gear
13. Bank of America Website Disrupted for Fourth Day in a Row
14. Check Your Machines for Malware, Linux Developers Told - I wonder if they are also formatting and re-installing? Oh wait, its Linux, it doesn't get viruses.
15. Law Enforcement Increasingly Asking Internet Companies to Share Data - Yes, 4th Amendment in full swing, we need a warrant, we can't get one, so can you collect the evidence for us?
16. Amazon Kindle Tablet Routes Web Traffic to Cloud First

Download Tenable Podcast Episode 99

]]> paul@nessus.org Wed, 19 Oct 2011 15:09:07 -0400 Podcast 3C6BE24A-CBD8-4B5B-932A-5A7280B9E493 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-98.html .

Welcome to the Tenable Network Security Podcast - Episode 98

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

1. Don’t Hit the Snooze Button on DigiNotar Alarm Bells - In 1995, we suggested the usage of network firewalls and SSL to protect web applications, and today we suggest that network firewalls and SSL protect cloud computing. There is a balance between evolving countermeasures and not hitting the snooze button on defensive technologies.
2. So-so SASO … So What? - Bringing more balance to security, there is room for automated testing and static code analysis, but should you let a 3rd party analyze your code? Most would say "Yes", unless you are Oracle...
3. Sound Database Security Starts With Segmentation - Segmentation needs to have context around it, and be based on the classification and location of your data.
4. SIEM: Dead as Claimed? - Computerworld - Its fun to see which technology will be declared dead, first it was IDS, now SIEM. Is it really dead?
5. 3 Indicted in Sophisticated Hacking Scheme - Attacker drove around the city of Seattle and broke into companies physical buildings and/or wireless networks, installed malware on their systems, and attempted to make a profit.
6. SecurityTracker: Apache Tomcat HTTP DIGEST Authentication Weaknesses Let Remote Users Conduct Bypass Attacks - I've recommended that DIGEST authentication be used over BASIC authentication in Apache. If you implemented my suggestions, make sure you take notice of this patch!
7. New OS X Trojan Horse sends Screenshots, Files to Remote Servers - I thought Macs didn't get viruses? Turns out they do...
8. Facebook Unfriending 'Bug' Gets Quick Fix - For Facebook users, this is a big deal, as you don't want your "Friends" to know that you are breaking up with them.
9. Man Builds Social Network Using Atlantic Ocean - I'd love to see the attacks against this social network, how would a cross-site scripting vulnerability play out?

Download Tenable Podcast Episode 98

]]> paul@nessus.org Fri, 30 Sep 2011 09:34:33 -0400 Podcast 14D8256E-14AA-44DF-9441-D28C53A4D3DF Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-97.html Welcome to the Tenable Network Security Podcast - Episode 97

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Blog posts:
  • Microsoft Patch Tuesday Roundup - September 2011
  • Top Ten Things You Didn't Know About Nessus Video - #9 Nessus Detects Misconfiguration
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

---




Stories

• Hackers Break SSL Encryption Used by Millions of Sites
• Security Duo Finds Another Pair of Vulnerabilities in Android - More Android vulnerabilities! One allows attackers to install any app they want, and the other gives you a command prompt. The video on the web site is awesome, showing running Linux commands right on your phone.
• 5 Secrets to Building a Great Security Team
• Windows 8 Will Run from USB Thumb Drive
• The Future of Passports - Hrm, seems they are relying on PKI, Wifi, and smartphones to make this work. What could possibly go wrong?
• CAPTCHA Hell - How do you prevent SPAM without a CAPTCHA?
• Warning: HIPAA Has Teeth And Will Bite Over Healthcare Privacy Blunders
• End of the Road for DigiNotar as Bankruptcy Declared
• Compliance is Not Security — “Unbusted”
• The Automation of Social Engineering

Download Tenable Podcast Episode 97

]]> paul@nessus.org Tue, 27 Sep 2011 14:02:23 -0400 Podcast CB77DBD1-F5A5-4BEF-B8EB-DB31564C8C0E Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-96.html Welcome to the Tenable Network Security Podcast - Episode 95

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #10".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• 15 Years of Software Security: Looking Back and Looking Forward - First a look back: Remember smashing the stack for fun and profit? Buffer overflows were all the rage, and resulting in what the author calls "undesired functionality" in applications. Vendors tended to ignore the vulnerability disclosure process and many more vulnerabilities, and associated exploits, floated around the Internet until someday the vendor decided to patch them, or not. The security community as a whole grew up, many companies were created to sell products, and many got bought and folded into larger companies. Before we look into the future, what has really changed? Web applications have provided us with a newer form of the buffer overflow, as the vulnerabilities lead to "undesired functionality", and are as plentiful, if not more, than traditional buffer overflows were. The difference is that they are now spread across thousands of applications and many require end-user interaction. The author then looks into the future, which is dangerous, or not, depending on how you look at it. Since it hasn't occurred yet, you can make predictions and it doesn't matter if you were correct or not, it was just a prediction.
• Rubbing an iPhone on your face won't cure acne - FTC - I wonder how many people fell for this one: "The Federal Trade Commission has fined two developers who claimed their mobile apps could cure acne with flashing colour, but there's still plenty of snake-oil on sale." We rely on technology for so many things, removing pimples with your iPhone is not one of them.
• Hacker claims he can exploit Windows Update - "I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc.," - Thats a bold statement, begging the question could someone issue patches using stolen certificates? Of course, for this attack to work, you would have to first perform a MiTM attack against the targeted Windows systems. We hope there are enough protections in place to prevent this attack from being successful.
• Security Manager's Journal: Assessing the company's Internet-facing apps - Application testing is so important, and this article highlights some of the common problems associated with applications. Sure, physical security is important, and if all your assessment team is telling you is that "piggybacking" is possible, you should find another assessment team. The results of the web application testing were impressive, in addition to the XSS vulnerabilities, it was found that customer data was being sent without SSL encryption, pay products could be downloaded without paying for them, and documents that could be downloaded, modified, then re-uploaded. The tricky part is how do you fix these problems and make sure they are fixed on an ongoing basis.
• Inside Cisco global security operations - "That depth of intelligence enabled us, in a very specific example, to provide an update that would indicate by trajectory, IP block by IP block, who had likely already been infected. We could increase the risk associated with those IP blocks dynamically, as it propagated," The article talked in depth about communication and "depth", two concepts which are so important to information security.
• Linux world in security spinout as Linux Foundation and Kernel.org remain "temporarily unavailable" - "I'm still struggling to decide quite what the Loony Linux Lovers - those who insist that Linux is immune to malware - will make of this episode. Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system." I'm still amazed that Linux folks take the high ground when it comes to security, goes to show that no one is truly immune, not that its a new concept, but compromising kernel.org and linux.com certainly sends a message. Speaking of messages, saying that a web site is "down for maintenance" makes people believe its compromised.
• From Logs to Hell! - Log management can be extremely effective at finding compromised, however, take into consideration "Unreachable devices, Supported formats, Performance impacts on the network flows, (De)commissioning of (old)devices, Overlapping in IP subnets
  and Procedures / follow-up".
• Early Patch Tuesday Today: Microsoft September 2011 Patches, (Fri, Sep 9th)
• Apple releases updates for DigiNotar SSL debacle - But what about iOS devices?
]]> paul@nessus.org Tue, 13 Sep 2011 15:18:35 -0400 Podcast E3EFDBBB-10F0-4B8F-902B-05789B1BFE29 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/09/tenable-network-security-podcast-episode-95.html

Welcome to the Tenable Network Security Podcast - Episode 95

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #10".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Ron Gula on using SecurityCenter's report iterator to create "cooler" detailed reports based on correlated events from the LCE (Log Correlation Engine)

Stories

• OpenSSH 5.9 arrives - New features include a new SHA256-based HMAC (Hash-based Message Authentication Code) transport integrity mode (which will end up being the default) and sandboxing of child processes to prevent communications with other hosts (currently experimental). Its nice to see the OpenSSH project continuing to take security seriously and building in new features.
• Control 14: Wireless Device Control - Over time I've noticed a decreased awareness of wireless security concerns. If you run a network you should be concerned about actively hardening your end-user systems, actively monitoring the wireless network, and using a tool, such as Nessus (referenced in this article) to detect rogue access points. The problem is compounded by all of the newer wireless technologies that have made their way into your infrastructure, including Bluetooth, ZigBee, 900MHz communications, RFID, and more! The good news is a large percentage of these attacks require an attacker to be in physical proximity of your users or buildings, still making it quite a journey from China or Romania.
• The Register Gets Hacked Hijacked - Turns out this was DNS hijacking, and affected many more web sites. This shows that security is not only an internal facing activity, but external as well. Here's a good exercise to go through, make a list of all external companies and services that you rely on to run your business. Then, run through exercises to see what would happen if one was compromised. You need to build defenses against these attacks, which is the difficult part.
• VMware's vShield dash; Why It’s Such A Pain In the Security Ecosystem’s *aaS… - Hoff gives us some insight into how vShield compares to some of the 3rd party vendors products that are similar.
• More on Microsoft’s response to the DigiNotar compromise - I have to hand it to Microsoft, they have built-in several different checks to prevent someone from being able to control the update process for all Windows computers. The attackers even attempted to issue certificates for "Windowsupdate.com", however since that domain is not in use, the attack was not successful. Microsoft also removed DigiNotar from the CA list immediately.
• Tech Insight: Three Hardware Tools For Physical Penetration Testing - John Sawyer covers some of the popular methods to performing physical penetration testing, primarily visiting a site and maintaining a backdoor. The tougher part is detection. If an attacker were to drop off a device that plugs into the network, and accepts no incoming connections (layer 3/4 anyhow) and uses 3G to connect back, how would you detect this? You would be limited to physical survey, layer 2 analysis, and cell phone jammers. Not all that attractive options, however it would be neat to review the new MAC addresses coming up on your network and compare them to a list of known access points or network devices (such as the pwn plug). Then again, attackers may just change the MAC address to hide the device type...
• 4 simple steps to bulletproof laptop security - The list reads like this: Passwords, fingerprint readers, full-disk encryption, and after-the-fact theft protection. No question, you should have "good passwords". You probably should only have two passwords, one for the BIOS and one for the OS itself. Sounds simple, but convenience often wins in the battle for "good passwords". Biometrics can help add another layer, but people tend to put too much faith in this technology, which is easily bypassed with Play-Doh. Full-disk encryption is just a good idea, provided what you are protecting is worth the expense of implementation. You should think about theft protection, rather than reaction. It's simple, when you are not in the office and traveling with your laptop it should never leave your hands or your sight. I follow this rule, however I'm not perfect, and I'd be lying if I said I hadn't ran out of a restaurant realizing I left my laptop in the car that I just handed the keys to the valet.
• Diebold demos cloud-based ATM - To the cloud! Working with VMware, Diebold has developed an ATM that has no on-board computer: "Virtualisation removes the onboard computer from the ATM, tying each terminal single server running many "virtual" ATMs. This consolidation allows greater control and therefore better security, at least in theory. Far from offering a single point of failure, this approach would also allow faster failure recovery and more rapid software upgrades and services deployment, leading to an overall increase in ATM uptime, according to Diebold."


• Apple loses iPhones, seeks security experts - Apple is still suffering from the problem of "leaks", as is the case with the latest revision of the iPhone. Should this top Apple's concerns or should they focus on securing their platforms instead? I wonder if it's more a concern of public image rather than competition, as I believe it would be difficult to replicate the iPhone's features if you got a pre-released phone a month before launch. Or, is this just all publicity by Apple to build buzz before a product's release?
]]> paul@nessus.org Tue, 13 Sep 2011 15:17:28 -0400 Podcast 35BAB786-25B1-4478-8226-A6ED2E71A323 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/08/tenable-network-security-podcast-episode-923.html

Welcome to the Tenable Network Security Podcast - Episode 94

Hosts:

• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Tenable Ranks 17th Among Security Companies on Inc. 5000
  • Junos Local Patch Checking Support Added to Nessus
  • The Top Ten Things You Didn't Know About Nessus - #10
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #10".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

One Third Of Security Pros Not Practicing What They Preach - "Survey shows security pros breaking security policies for convenience, and overall difficulty in making major changes to security technologies and strategies" - An interview with our very own Ron Gula.

• "TaoSecurity Security Effectiveness Model" - A good reminder that we should consider the motivations of attackers when planning your defenses.
• "Details of the RSA Hack" - Turns out it was an email to HR applying for a job. I can't tell you how many times this has been successful on penetration test.
• "Morto Windows Worm spreading via RDP Remote Desktop Connections" - A password brute-forcing worm is being successful, this should not be the case!
• "Tenable Ranks 17th Among Security Companies on Inc. 5000" - Hey wait, that's us!
• "Malicious infections enter 99% of enterprise networks" - I remember ten years ago consulting with organizations on security. I would tell them that if systems on their network had "spyware", they were in fact compromised. It seems we have not learned from the past, and still overlook malware on the desktops as a primary threat.
• "Digital Certificate Authority Hacked - While its bad when this happens, the important defensive measure it to discover it as quickly as possible and revoke certificates and update CA lists.
• "Digital Hit Men for Hire Krebs on Security" - I love stories such as this that provide insight into the world of "cyber crime".
• The Urban Legend of Multipass Hard Disk Overwrite - I re-write 20,000,000 times, then I break out the sledge hammer, is that overkill?
• Universities Account for a Higher Number of Breaches - Having worked in this space, and commented on University security a lot, I'm curious to hear from others on the show.


]]> paul@nessus.org Fri, 02 Sep 2011 11:34:55 -0400 Podcast 4918BADB-B97E-4EFB-ACAA-41B9F7F75413 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/08/tenable-network-security-podcast-episode-923.html Welcome to the Tenable Network Security Podcast - Episode 93

Hosts:

• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

---

Stories

• How to Prevent IT Sabotage Inside Your Company - Each week I read in the news about yet another company that was "hacked" by a former employee. These are low frequency (compared to common malware), but highly destructive attacks. Good IT practices, closely coupled with HR, really helps limit the damage.
• If We Are Turning Off Social Media, I Want News Channels Shut Down, Too - What's more accurate, news channels or Twitter?
• Accelerometer Used to Log Smartphone Keystrokes - "The researchers were able to correlate the acceleration measured when tapping individual number keys to the specific key pressed with an accuracy of more than 70 per cent. In contrast to the camera, microphone and GPS sensor, the accelerometer (some devices also contain a gyroscope) is not viewed as a security risk. Apps do not typically require special privileges to monitor a device's movements."
• Tech Insight: Cutting-Edge Techniques for Data Exfiltration - I like this one: "The third option leverages an email-to-fax interface, where an internal email address receives files that can be faxed anywhere. Similarly, an attacker could leverage a multifunction printer that has the ability to scan directly to a fax number or email address." Think that people will look at the security of printers and multi-function devices now? Why isn't this type of stuff included in compliance audits (or is it?).
• Insulin Pump Attack Prompts Call for Federal Probe A representative of Medtronic, one of several companies that make such devices, has been quoted as saying: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.” - First, how can they be so sure. Second, just because it has never reportedly happened in the past, doesn't mean it won't happen now! This is the same old excuse of, "Well, no one has hacked us before."
• Expect to Hear "IDS is Dead" (Again) - Wow, haven't heard that in a while! So, now that we're on the subject, is IDS dead today? What are some of the arguments for keeping IDS? Also, if it can detect it, should it prevent it too?
• Collar Bomber Gets Owned by Word Metadata USB Drive - Let me start off by saying that thankfully this turned out to be a hoax. However, someone did break into another person's home and put a necklace around a child with a box attached, claiming it was a bomb. This gets even more bizarre and scary, as the ransom note was left on a USB thumb drive. Metadata analysis found that the person had made a Word doc version, that included their first name and the first letter of their last name. He was promptly found and arrested.
• Logs - The Foundation of Good Security Monitoring, (Sun, Aug 21st) - Hurray! Logs are a good foundation, however you have to check them for them to be useful. How often should you check your logs?
• Inter-Company Invoice Emails Carry Malware - This is not a new idea, but got me thinking about how we once worried about email attacks (e.g. the "ILOVEYOU" virus) then we were worrying about network worms, and now we're right back to worrying about email again. Seems to me that the "inter-company email malware" is just another form a of a worm, or a means to spread evil internally.
• Security Software Engineering Reality - This is an outstanding representation of how software development, not just security software, can go, well, horribly wrong.
• Flashy Cars Got Spam Kingpin Mugged - So, imagine you are this big shot Russian SPAM/online pharmaceuticals rep. Okay, now imagine you are car shopping, but you have to take into account that someone will steal your car if it's too flashy. Ha! Justice perhaps?

Download Tenable Podcast Episode 93

]]> paul@nessus.org Wed, 24 Aug 2011 07:49:53 -0400 Podcast 9FFB9848-0106-4233-B9EA-990730B596BE Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/08/tenable-network-security-podcast-episode-92.html Welcome to the Tenable Network Security Podcast - Episode Episode 92
Hosts:
• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• SILENT BUG IS SILENT. - A seemingly well-known bug in Internet Explorer, which allows for privilege escalation within IE itself, has been silently fixed. The bug allows processes in low integrity mode to execute processes in medium integrity mode. A remote exploit in IE is required to take advantage of this flaw, which has been patched.
• Blow Your Own Horn - This article describes a series of talks in which the presenter was to offer situations in information security where they "won". An elevator speech if you will, and one such example was this: "Last year you (the Board) approved purchase of a $50,000 license fee for AV software on the email server. This past month, records show it stopped 1 million viruses, which would otherwise have gotten through. Had they been run, they would have cost $500 each (estimated industry average) to clean up. Therefore, your prescient decision to spend $50,000 has returned $500,000,000 to the company."Is that a "win" or an example of socially engineering management?
• Anonymous hacks BART, creating even more innocent victims - Anonymous hacks San Francisco's BART (Bay Area Rapid Transit) system. "They performed a SQL injection (SQLi) attack against the site and were able to extract more than 2,000 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes." Begs the question, what are the motives of Anonymous? Do they wish to expose user data to hurt the users themselves, hurt the target organization to make an example, or are they funded by organizations for political or capital gain? I'm not sure what is to gain by attacking this system, but certainly begs the question.
• XSS on eBay's site - The problem seems to crop up in eBay's sub-domains, which could mean that the main eBay site gets all of the attention, leaving the sub-domains vulnerable to easy find and fix XSS vulnerabilities.
• Device finds child porn on WiFi - It's refreshing to see technology being used for good, rather than evil. A recent example is Fluke Networks Aircheck WiFi device that can detect child pornography on open and encrypted WiFi networks. Also: "This device can also be used against identity theft, Internet stalking and even online phishing scams."Nice, I wonder if it does in fact break the encryption on WiFi networks if permission, e.g. a warrant, is required?
• Microsoft patches 1990s-era 'Ping of Death' - Microsoft released MS11-064, which fixed the infamous "Ping Of Death" vulnerability in the Windows TCP/IP stack. "...appeared that today's "Ping of Death" bug was a different vulnerability than Microsoft patched in its now-ancient OSes of the 1990s. The bug exists in Windows Vista, Server 2008, Windows 7 and Server 2008 R2, Microsoft said, but not in Windows XP or Server 2003. Others were less concerned with the new Ping of Death problem. "It's definitely an old-school kind of attack," said Sarwate of Qualys. "But if it is exploited, I think it would be more on the prank side.""
• Defcon: VoIP makes a good platform for controlling Botnets - This is one of the most interesting Botnet command and control channel implementations I've seen in some time. Using "MoshiMoshi", open-source software that converts DTMF tones to bits and bytes, they can use it to communicate with the bots. This is difficult to detect, as VoIP networks are typically separate and often not monitored for this type of communications. However, if you were to look closely at the session data, you may be able to pick up on anomalies such as long sessions, or in this case long phone calls or phone calls with specific patterns.

Download Tenable Podcast Episode 92

]]> paul@nessus.org Wed, 17 Aug 2011 10:43:35 -0400 Podcast 3D4785AA-E201-4E5C-BC4F-7185F3DBBD31 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/08/tenable-network-security-podcast-episode-91.html Welcome to the Tenable Network Security Podcast - Episode 91
Hosts:
• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher

Announcements

21. Several new blog posts have been published this week, including:
    • Using Nessus and Metasploit Together
    • Integrating Nessus with BackTrack 5's Tools

22. Windows .audit files now have the capability to run Windows Powershell commands.
23. Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
24. We're hiring! - Visit the Tenable web site for more information about open positions.
25. You can subscribe to the Tenable Network Security Podcast on iTunes!
26. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Bitcoin-Mining Botnet Controlled Through Twitter - Is this the equivalent of printing money?

---

• USB Device Found in Pub Contained Unencrypted Housing Company Data - Data leakage is not limited to the network, it also extends to the pub.
• Wardriving Evolves Into Warflying -
• Cisco warns over warranty discs of EVIL -
• Exploit writer spills beans on secret iPhone function -
• 10-year-old hacker finds zero-day flaw in games -
• Siemens Shows Up For Black Hat Demo Of SCADA Hack
• Shady RAT Attack Hit 72 Organizations

Download Tenable Podcast Episode 91

]]> paul@nessus.org Thu, 11 Aug 2011 11:43:19 -0400 Podcast 12F10E96-A8BB-4917-AF5D-FF2A03F5ECCE Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/07/tenable-network-security-podcast-episode-90.html Welcome to the Tenable Network Security Podcast - Episode 90
Hosts:
• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

27. Several new blog posts have been published this week, including:
    • Security, Log Management & Burying Stumps
    • Enabling Nessus on BackTrack 5 - The Official Guide
    • Microsoft Patch Tuesday Roundup - July 2011
28. LCE WMI Monitor Agent 3.6.0 Now Available
29. Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
30. We're hiring! - Visit the Tenable web site for more information about open positions.
31. You can subscribe to the Tenable Network Security Podcast on iTunes!
32. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Could hackers set fire to your Apple battery with a virus? - Hiding in battery firmware is a really neat way to plant a backdoor.
• US-CERT Director Leaves Abruptly - Could it be that the latest string of attacks against government agencies was too much for the director of US-CERT?

---

• Bypassing Software Restriction Polices.. With one Wicked Clown - Breaking out of software restrictions gives you access to more Windows commands to compromise the domain.
• Massive botnet 'indestructible,' say researchers - Using encryption and P2P technologies is not new, neither is hiding in the boot sector, what makes "TDL-4" indestructible?
• Is your IT support making you vulnerable to hackers? - Allowing easy remote access doesn't always equate to security. This also reminds me of how easy it is to socially engineer the help desk.
• Pfizer’s Facebook hacked in AntiSec hit - This is truly a measure of how important social media has become, when a major companies Facebook page getting hacked is major news.
• wifuzz: A Access Point 802.11 Stack Fuzzer! - Compromising the access point is far more evil that most people believe, and this tool allows you to fuzz the 802.11 stack to do just that: take over the access point. What would be even better is to compromise an entire string of access points...
• Weekend Project: Use HoneyD on Linux to Fool Attackers - I want to see more people using honeypots and honeynets to put context around security events. We need to break the sterotype of "Honeypots are systems that we let attackers break into", and move it towards: "Honeypots are systems that we use to collect information about the bad guys".
• Apple Releases iOS 5 Beta 4 With Over-the-Air Updates - Finally! While iOS may look far better security-wise than Android, largely due to the closed application market, few non-techies apply software updates to their phones. Hopefully doing it "over-the-air" will help make it easier for people to apply updates and security fixes.

Download Tenable Podcast Episode 90

]]> paul@nessus.org Tue, 26 Jul 2011 14:43:24 -0400 Podcast A6F660D5-7350-47F7-8F31-6738D76BC961 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/07/tenable-network-security-podcast-episode-89.html Welcome to the Tenable Network Security Podcast - Episode 89
Hosts:
• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Facebook blocks a second contact export tool - Information, in the right context, can be quite powerful and expose your privacy. Facebook recently blocked Google+ from exporting your list of Facebook friends' names (not email addresses). When you put this in the context of attacks, knowing the names of someone's friends on Facebook could be quite valuable for social engineering.
• Space Shuttle: good riddance - I won't pretend to know the details of the space program, but Robert Graham does a nice job of relating it to information security. The problem is preservation and complexity. In the Space Program model, they implemented the preservation and re-use model, trying to re-use as many parts as possible. However, this makes things much more complex. We tend to do the same thing with security and information technology. I hope that we are seeing a shift from permanent client desktop computers and servers, to "throwaway" workstations and virtualization. The simpler you make the environment, the easier it is to implement security. For example, if client desktops can be re-imaged quickly, that's a huge advantage.
• Microsoft to fix critical vulnerability in Windows 7 and Vista - More critical vulnerabilities to patch, including a remotely exploitable hole that affects Windows Vista and 7.
• Jailbreakme Takes Advantage of 0-day PDF Vuln in Apple iOS Devices - The security of your phone is increasingly more important. I was talking to some folks yesterday and they were talking about how your phone will be the only thing you carry. It will replace your wallet, serve as your connection to the Internet for email/web, and allow you to communicate (if it's with anyone under the age of 30 it will be text messaging). The security of this platform is important, and even more so allowing the users operate them securely, which right now is difficult.
• Abusing Password Resets - Simple things, such as building in account lockouts and generic login failure messages, go a long way to protecting your web application. Of course, you should also be able to easily detect and respond to brute force attempts as they are pretty "noisy".
• Cisco VPN Client Unsafe Permissions Lets Local Users Gain Elevated Privileges - Making it difficult for attackers to escalate privileges on your systems is important to your defensive strategy. I have run into systems that are secured in this way, and it can go a long way to protecting your information. It forces the attacker to leave a larger fingerprint when multiple attempts fail. However, it's not an easy thing to accomplish as it only takes one client software program to have a bug in order to circumvent your security.

Download Tenable Podcast Episode 89

]]> paul@nessus.org Wed, 13 Jul 2011 08:59:27 -0400 Podcast BCCE7A13-29C0-47A9-A436-B0EE1C87EEEF Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/07/tenable-network-security-podcast-episode-88.html Welcome to the Tenable Network Security Podcast - Episode 88

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Two new blog posts have been published to the Tenable Blog:
• Making It Easier To Perform Credentialed Scanning & Auditing
• Advanced Vulnerability Scanning Using Nessus Course

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Interview: Jesse Kornblum

Jesse Kornblum is a Computer Forensics Research Guru with the Kyrus Technology


---

corporation (yes, that's his official title). Jesse joins us to talk about computer forensics and current events, including:
• Various utilities Jesse has written over the years to aid with computer forensics.
• A new tool called "Carbon Black" which "monitors key points on the operating system and gathers data that is useful to intrusion responders and system administrators for security and compliance functions."

Download Tenable Podcast Episode 88

]]> paul@nessus.org Thu, 07 Jul 2011 09:42:37 -0400 Podcast 27F071C3-9E5B-4706-8FE9-6C8B6CE3B60F Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/06/tenable-network-security-podcast-episode-87.html Welcome to the Tenable Network Security Podcast - Episode 87

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher, Jack Daniel, Product Manager

Announcements

• Several new blog posts have been published to the Tenable Blog:
• 4 out of 5 CISOs Don't Scan for Off-Port Web Servers
• Comparing the PCI, CIS and FDCC Certification Standards

• Firewall and Boundary Auditing Best Practices
• Risky Business #198 - Tenable CEO Interview on Cybercrime Insurance
• Microsoft Patch Tuesday Roundup - June 2011
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• WordPress plugins Trojanised, spotted, fixed - I get nervous when the application I am using supports plugins and add-ons that are not written or even checked centrally. It compromises the security of the framework.

---

• Patching Flash - CVE-2011-2110 post-mortem - People patch Flash quicker than Java, however we can still get an improperly signed Java application to execute code. In fact, we can even purchase a certificate, rid ourselves of the warning, and still get code execution, and throw in a bonus we can bypass Anti-Virus. You don't need a vulnerability to compromise a system.
• Most Common iPhone Passcodes - "1234", thats also the password to my luggage.
• Sony lawsuit: security experts fired prior to breach - I bet there are a few people sitting around saying, "I told you so".
• DNS cache poisoning: still works and still makes lots of damage - Why can't we as a community work to prevent this type of attack, or can we?
• Are All Networks Vulnerable? - Is yours? Johannes makes a good point, its not about protecting 100% of the security incidents.
• Rootkit infection requires Windows reinstall, says Microsoft - Get this, its a "boot sector" virus, remember those?
• Disgruntled IT guy slips porn into CEO's PowerPoint - A few lessons learned here: 1) Never give a presentation while your laptop has a network/Internet connection, 2) Don't anger your IT department, 3) Maintain the integrity of your laptop.
• Virtualization and cloud computing race ahead of security practices - I mean really, what is all the fuss about virtualization security? Your systems can be virtual or real, security is still a problem. I just don't get all the fuss.

Download Tenable Podcast Episode 87

]]> paul@nessus.org Tue, 28 Jun 2011 16:55:08 -0400 Podcast 8AEEFDD9-F1EB-4BF4-9689-AD1E1A137560 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-86.html

Welcome to the Tenable Network Security Podcast - Episode 86

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

33. Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
34. We're hiring! - Visit the Tenable web site for more information about open positions.
35. You can subscribe to the Tenable Network Security Podcast on iTunes!
36. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
37. Jack Daniel joins Tenable as Product Manager.
38. Nessus for Android has been updated, including support for the Motorola Zoom.

Stories

• Dan Kamsinky On The RSA SecurID Compromise - "I recommend replacing devices in an orderly fashion, possibly while increasing the rotation rate of PINs. I dismiss concerns about source compromise on the grounds that both hardware and software are readily reversed, and anyway we didn’t change operational behavior when Windows or IOS source leaked." It's true, when entire operating systems' source code has leaked, no one really panicked or changed the way they do business. Yes, you should be replacing all your tokens and, of course, have some other forms of security and authentication other than SecurID.
• Tests show wireless network could jam GPS systems
• Why we secretly love LulzSec | Risky Business
• June Advance Notification Service and 10 Immutable Laws Revisited - See Ten Immutable Laws Of Security (Version 2.0) for more information.
• ATM Lie-detector in Russia
• Mac OS X Lion beta reveals "Restart to Safari" browser-only mode
• What if I put malware on your Network Card?

Download Tenable Podcast Episode 86

]]> paul@nessus.org Thu, 16 Jun 2011 09:38:30 -0400 Podcast B8E226E5-1571-4881-AA69-8D1741ACC2B2 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-85.html

Download Tenablepodcast-episode85

Welcome to the Tenable Network Security Podcast - Episode 85

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

39. Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
40. We're hiring! - Visit the Tenable web site for more information about open positions.
41. You can subscribe to the Tenable Network Security Podcast on iTunes!
42. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• RSA finally comes clean: SecurID is compromised - It turns out to be true: attackers possess the seed values for the tokens and the encryption algorithm is already public. RSA says they withheld the information because they did not want to tell attackers how to implement attacks, but it turns out evil bad guys figured it out and used it to attack Lockheed Martin. RSA will now replace all 40 million+ SecurID tokens worldwide. Ouch. This is a breach that cost RSA dearly, in terms of money and reputation.

---

• Detecting New Hardware by Ethernet Address - Detecting new hosts that have connected to your network can provide some interesting events to analyze. For example, if all of a sudden you have 30 new hosts on your servers' subnet, there may be something wrong, such as one host impersonating multiple systems or other layer 2 attacks.
• Chinese army: We really need to get into cyber warfare - I believe China gets blamed for a lot of attacks, both "cyber" and real-world. I also believe they are putting massive efforts into "cyber warfare"; whatever that means to you, they are most certainly directing attention to techniques that use computers and networks as a part of "warfare". They claim to be much farther behind than most believe, stating "Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations."
• Apple iOS: Why it's the most secure OS, period - Their reasons are far over-stated, almost as if Apple wrote this article themselves! They list five reasons why iOS is more secure than most desktop applications, and they are less than compelling (in my opinion anyhow):
  • A sandbox isolates programs and iOS's memory - Okay, this may be the one thing that actually does contribute to a more secure platform. However, desktop operating systems have had similar protections (DEP, ASLR) for quite some time now. It's clear that mobile platforms are still playing catch up.
  • Applications are vetted by Apple - Apple must have some serious resources dedicated to reviewing code. Even so, there is a fundamental problem with this: once an application is vetted, the code can change and updates to apps will modify the function of the app. For example, a perfectly legitimate Flashlight app may allow tethering. Sure, Apple may find it, but only after thousands of people install it. And really, how do you control what 425,000 apps are doing?
  • Patches can be quickly applied - While patches can be released, there is nothing forcing the user to apply them. In fact, many people report that "non-techie" iPhone users never apply iOS updates, or even plug the phone into the computer.
  • The software is regularly reviewed - Review all you want, there will still be vulnerabilities.
  • Attackers still target smartphones far less than desktop systems - This has to be the most ridiculous part of the article. It's like saying, "No one breaks into the homes in my neighborhood, so I leave my doors unlocked and windows open".
• So why are senior U.S. officials using Gmail? - Turns out this problem is twofold: 1) many government agencies are moving to Gmail as their email platform and 2) many people keep two email accounts, one for corporate/government use and one for personal stuff. The problem with the latter is that people forward "work" emails to their personal accounts. I hate to say it, but I will say it anyway: sometimes PGP is the answer. Now, that only solves part of the problem, but it certainly helps.
• 8 security considerations for IPv6 deployment - I want to address just one statement in this article (which is a great article, so you should read the whole thing): Many users may be obscured behind fixed sets of addresses. Obscuring users behind large network address translation protocol translation (NAT-PT) devices could break useful functions like geolocation or tools that enable attribution of malicious network behaviors, and make number and namespace reputation-based security controls more problematic. I believe there is something to be said for not giving all your systems routable IP address space on the Internet. It makes attacking those systems just a little bit harder. I also don't believe that NAT is that difficult to implement, nor is it that tough to keep documentation of IP address mappings. I've seen large environments go from internal to external and vice versa, and the results when everyone has a routable IP address are not good.
• vCash, Crypto, and Anonymization Equals Drugs to Your Door - A new form of currency is being created called "bitcoins". It's a new digital currency, and some say it could undermine real currency and be used to buy illegal goods and services.
• MS Web Application Configuration Analyzer - The rule checks were determined by Microsoft's own Information Security & Risk Management review team, whose job it is to harden pre-production and production servers within Microsoft. These checks are now being shared with the public. We often get hung up on firewalls, WAFs, IPS, IDS, and anti-virus. I'd like to see all of us get back to basics and ask yourselves the question: "Are my systems configured properly?" as I believe this goes so much further than "stop-gap" protections.
• Worm uses built-in DHCP server to spread - It then scans for available addresses on that network and launches its own DHCP server. When another machine on the LAN makes a DHCP request, it attempts to answer before the legitimate DHCP server, sending an IP address from the pool of previously gathered addresses, the gateway address as configured on the infected system and, for DNS, the IP address of the criminals' maliciously configured DNS server. It's nice, or rather not-so-nice, to see this attack being automated in common malware. It's an attack that most penetration testers have used for years, and many have defended against in the past. However, it has always been a localized one-off type of attack. Now it's embedded inside malware so you better be able to detect and defend against it. I once knew of folks configuring their switches to detect so-called "rogue DHCP servers".
• Logging Isn't Hard -- Getting Started Is - Considering how ridiculously low-cost hard drive storage is, there's no reason why the smallest SMB can't set up a server with a 1- to 2-terabyte hard drive to serve as central collection point. I couldn't agree more. My first SEIM was a Linux server with as much disk space as I could afford. It ran syslog and I pointed logs from as many devices and systems as I could at it, and then used sed/awk/grep to find events of interest. Of course, there are better solutions that exist today, but if you can get started on the cheap, then you have a better chance of showing management the benefits and getting something with more features.
• Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series - security vulnerabilities database - Cisco Unified IP Phones 7900 Series devices are affected by a signature verification bypass vulnerability that could allow an authenticated attacker to load a software image without verification of its signature. This vulnerability allows an attacker to upload new firmware to the phone. This can be a very stealthy form of eavesdropping. Who's going to know that one of their phones is compromised?

Download Tenable Podcast Episode 85

]]> paul@nessus.org Tue, 07 Jun 2011 16:44:20 -0400 Podcast tenable-network-security-podcast-episode-85 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-84.html Welcome to the Tenable Network Security Podcast - Episode 84

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

• Two new blog posts have been published this week:
  • Hardening OS X Using The NSA Guidelines
  • Announcing The Nessus Android App
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Discussion

• Security Center 4.2 has been released! New features include:
• Dashboards can be exported and imported. You can visit our dashboards page for a sneak preview.

- Dashboards of different types - Download and install and share Dashboards

• New license keys that are now more manageable by the end users.
• New Built-in analysis tools that allow you to view a CVE Summary, MS Bulletin Summary, and List Software and TONS more reporting enhancements.
• Ability to generate a PDF report using a password for encryption, and RTF (Rich-Text Format) output
• Assign vulnerability scanning "blackout" windows
• LCE (Log Correlation Engine) 3.6.1 has been released! New features include:
  • Automatic downloading and updating of all the TASL scripts
  • Other enhancements made specifically for SecurityCenter 4.2
  • LCE WMI client for Linux was released. This is a Linux client that allows you to get remote Windows events from multiple systems.
• Nessus is now the only vulnerability scanner included by default in Backtrack 5

Download Tenable Podcast Episode 84

]]> paul@nessus.org Tue, 31 May 2011 17:54:31 -0400 Podcast tenable-network-security-podcast-episode-84 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-83.html Welcome to the Tenable Network Security Podcast - Episode 83

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

• A new blog post has been published:
  • Plugin Spotlight: Detecting PsExec
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• A new Nessus plugin is being released into the feed that will identify the device type of your targets. For example, if Nessus finds that a device is running Cisco IOS, it will flag it as device type: router. This is useful when reporting, trending, and "dashboarding" with SecurityCenter.
• A new promotion is being run: All new Nessus Professional Feed users will receive a free demo of the Nessus Perimeter Service.
• Upcoming Product Releases: SecurityCenter 4.2 and LCE 3.6.1. One of the major new features of SecurityCenter 4.2 is the ability to share dashboards. You can visit our dashboards page for a sneak preview.

Stories

• Using Google Web Search to Find Compromised Google Images - "...even though the image is actually hosted on a server at enterupdate.com, Google will display the image preview and site information as though it's from the referring (compromised) site." This is a pretty big problem and I hope the smart folks at Google can come up with a solution. I still like the idea of the "petri dish", and having a virtual system surf to the pages and see if it gets infected.
• Architect of Great Firewall of China 'takes shoe to face' - "The creator of the Great Firewall of China was reportedly pelted with shoes and eggs during a visit to Wuhan University last week." I hope you treat your firewall administrators better
• How to stop your executives from being harpooned - First, the article talks about "spear phishing", "whales", and "harpooning" but has nothing to do with attacks on killer whales or references to Star Trek: The Voyage Home. The article does try to give us some tips on how to prevent your executives from successful social engineering attacks. Some of the advice is okay, some is just buzz words we've always heard like "user education". I do agree, by socially engineering your own users you can create a culture of awareness. I think every organization should do this. However, I also believe that it only takes one user and one skilled social engineer to have an attack be successful. This is where technology comes in to help you; unfortunately, it's typically too late. The article does say one thing that I find a bit out of place: "you can't rely on automated security tools to safeguard your user, information, and network -- you have to do hands-on investigation and monitoring as well." I think its misguided to say that you can't "rely" on automated tools. They are just that, tools, and you need people who know how to use the tools in order to get things done. When you build a house you are going to use hammers. In fact, you may even have automatic nail guns to assist you. But you can't just expect these tools to build the house... you need people with skills.
• Cold calling scams return with a twist - I've heard this story before: a user gets a call from "Microsoft Support" and walks the user through purchasing and installing the solution. Of course, the criminal makes out with the cash and gets the user to install malware. Brilliant!
• Sony hit again with two hacks - Do I dare say "poor Sony"? They just can't seem to catch a break this week, logging to more security breaches that hit the media this week. As if the Sony rootkit wasn't enough....
• Battling 'Breach Fatigue' - Goes with Less Talk, More Action - "A fight breaks out between giant robots, pirates, and ninjas. Who wins?" At what point are we just talking about things that don't really matter?

Episode 83 Direct Download

]]> paul@nessus.org Tue, 24 May 2011 14:07:35 -0400 Podcast tenable-network-security-podcast-episode-83 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-82.html Welcome to the Tenable Network Security Podcast - Episode 82

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published:
  • Microsoft Patch Tuesday Roundup - May 2011
  • Sony: Compliance Lessons Learned
  • 3D Tool Version 2.0 Released
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Interview: KC Berg, Level3 Communications



KC works for Level3, the world's largest Internet service provider. He uses Nessus, and in a big way. They scan hundreds of thousands of IP addresses every day, customize NASL, and make extensive use of the API. KC is also a big fan of credentialed auditing and tells us how he uses that to help maintain security on some of the busiest networks in the world.

Episode 82 Direct Download

]]> paul@nessus.org Mon, 16 May 2011 09:15:13 -0400 Podcast tenable-network-security-podcast-episode-82 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/05/tenable-network-security-podcast-episode-81.html Welcome to the Tenable Network Security Podcast - Episode 81

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO

Announcements

• A new blog post has been published this week:
  • Plugin Spotlights: New Nessus OS Identification Plugins
• A new version of the 3D tool will be available this week and a new CIS Oracle 11 audit policy is available for download in the Customer Support Portal
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Hackers are worried that the Sony compromise will lower the Value of stolen cards - Supply and demand applies to stolen credit cards. Additionally, this graphic of a Sony controller provides a humorous take on the whole incident.
• Mom’s Guide to the NSA’s Home Security Guidelines - Are these things that corporate security folks should live by? Does keeping your software up-to-date (not patches but versions) really keep you from getting hacked?
• The best password is a sentence, says expert - Or even the first letter of each work in a sentence. Attackers are after your email accounts, as that seems to be the jumping off point for more serious attacks.
• Serious flaw in OpenID - It's good when there is a common system for authentication, it's bad when that system has a security flaw, like OpenID has.
• Samsung Data Management SQLi - Also, the root password for the device was hard-coded into the firmware. This also means that all devices had the same root password.
• Spear Phishing A Tough Catch - Or an easier catch, stolen subscriber information will provide attackers with more than what they need to perform email social engineering against targets whose data was stolen.

Download Tenable Podcast Episode 81

]]> paul@nessus.org Tue, 10 May 2011 16:36:21 -0400 Podcast tenable-network-security-podcast-episode-81 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/04/tenable-network-security-podcast-episode-80.html Welcome to the Tenable Network Security Podcast - Episode 80

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• The Latest Adobe 0day
• SQL Injection - The attackers are learning, why can't we?
• "Weaponizing" GPS Tracking Devices
• Exploit Intelligence Project - Very cool take on vulnerabilities and defense. Basically, Dan presented evidence that there are 8000 vulnerabilities in popular software released since 2006, but you only have to worry about 75 of those. To mitigate the 75 vulnerabilities you have to worry about, there are some very targeted things you can do (such as use Google Chrome). Not having seen the presentation myself, I believe there is merit to taking a smarter approach to vulnerability mitigation. It boils down to choosing better software, go figure.
• Anonymous "hacker" breaks into wind turbine systems
• "Cyber Warriors" & Herding Cats
• NSA Recommendations For RSA SecurID

Download Tenable Podcast Episode 80

]]> paul@nessus.org Tue, 26 Apr 2011 16:07:03 -0400 Podcast tenable-network-security-podcast-episode-80 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/04/tenable-network-security-podcast-episode-79.html Welcome to the Tenable Network Security Podcast - Episode 79

Announcements

• Several new blog posts have been published this week, including:
  • Tenable All-Star Security Showcase - New York City 2011
  • Microsoft Patch Tuesday Roundup - April 2011
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Alan Paller: The Importance of Cyber Exercises



This week we hear from Alan Paller, the Research Director for The SANS Institute. Alan talks about the various challenges and exercises being used to develop "hacking" talent here in the US. It is a very inspiring talk with lots of great information about the current state of security and what is being done to develop information security skills.

Download Tenable Podcast Episode 79

]]> paul@nessus.org Tue, 26 Apr 2011 16:05:49 -0400 Podcast tenable-network-security-podcast-episode-79 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/04/tenable-network-security-podcast-episode-78.html Welcome to the Tenable Network Security Podcast - Episode 78

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • New Nessus Scan Policy Templates Added in the Plugin Feed
  • "LizaMoon" Detection Added to Nessus, PVS and LCE
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• SCADA: Security is Only One Part of Availability - While this may be true, how do you measure the likelihood of events causing disruptions to service? This is where I like to see threat modeling come into play, but it's tricky business. While some events are immediately recognizable as disruptions, such as a tsunami, what about attacks that are much more stealthy, until such time they cause a disruption?
• Network security blunders: Tales from the field - Wow, I've made some of the same blunders talked about in this article. Even more, it makes me question the effectiveness of firewalls. Managing a firewall is not an easy thing, and with attackers using methods that are extremely firewall-aware, I'm suggesting that our efforts are better spent in other areas of security (process monitoring, event management) and simplify the firewall rules and management.
• Open-Source Tool Similar to Maltego - Information gathering is a critical part of in-depth security assessments, and it's great to see tools out there to help people perform this service. Also, if you are defending a network it is a good idea to see what these tools return. You might be surprised just how much information is available about your organization.
• "Shairport" - Apple Private Key Exposed - Turns out Apple uses the same private key on all Airport Extreme products.
• Dropbox Found Using Host ID For Authentication - A host ID is used for authentication and is unique per machine, but can be easily stolen and re-used.

Download Tenable Podcast Episode 78

]]> paul@nessus.org Tue, 05 Apr 2011 17:16:29 -0400 Podcast tenable-network-security-podcast-episode-78 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/04/tenable-network-security-podcast-episode-74.html Welcome to the Tenable Network Security Podcast - Episode 77

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, Ron Gula Tenable CEO/CTO

Announcements

• Preventing & Detecting Malware: A Multifaceted Approach
• Tenable Releases New SCADA Plugins
• Tenable All-Star Security Showcase - San Francisco 2011
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

---

• Enabling Browser Security in Web Applications
• The Changing Wireless Attack Landscape
• RSA hackers exploited Flash zero-day bug
• How to Learn the IT Skills of a Security Professional -
• Malware Analysis For Idiots
• The Social-Engineer Toolkit v1.3 “Artillery Edition” Released

Download Tenable Podcast Episode 77

]]> paul@nessus.org Tue, 05 Apr 2011 17:16:29 -0400 Podcast tenable-network-security-podcast-episode-77 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/03/tenable-network-security-podcast-episode-76.html Welcome to the Tenable Network Security Podcast - Episode 76

Hosts: Paul Asadoorian, Product Evangelist, Marcus Ranum, Tenable's CSO and Dave Poynter, Tenable Training Team

Announcements

• One new blog post has been published this week:
  • APT - There.. I Said It.
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Marcus Ranum Interview

Marcus comes on the show to discuss risk management pitfalls, "APT" and more!


---




Nessus On Demand Training

Dave Poynter comes on the show to tell us all about the new Nessus On Demand training and answer questions such as:

• What is On Demand training and how does it work?
• What products are currently being offered via On Demand?
• Are tests and quizzes included?
• Is there a certification?
• What are some of the topics that will be covered in the Nessus module?

Download Tenable Podcast Episode 76

]]> paul@nessus.org Thu, 31 Mar 2011 16:17:40 -0400 Podcast tenable-network-security-podcast-episode-76 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/03/tenable-network-security-podcast-episode-75.html Welcome to the Tenable Network Security Podcast - Episode 75

Hosts: Paul Asadoorian, Product Evangelist & Dennis Brown, Research Engineer and "Malware Aficionado"

Announcements

• Several new blog posts have been published this week, including:
  • Mid-Atlantic CCDC - Lessons Learned in Communication
  • Botnet Reputation and Content Scanning in Nessus
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Hacker gets Microsoft Kinect to work with Sony Playstation 3
• Malware - Chuck Norris Style
• Dutch Rule: Wifi Hacking Not A Crime
• New TV Show About Penetration Testing
• Reverse Engineering RSA’s “Statement”
• Charlie Miller Reveals His Process for Security Research

Download Tenable Podcast Episode 75

]]> paul@nessus.org Tue, 22 Mar 2011 13:44:39 -0400 Podcast tenable-network-security-podcast-episode-75 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/03/tenable-network-security-podcast-episode-74.html Welcome to the Tenable Network Security Podcast - Episode 74

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher and Ron Gula, Tenable CEO/CTO

Announcements

• Several new blog posts have been published this week, including:

  • Microsoft Patch Tuesday Roundup - March 2011
  • Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Penetration Testing Execution Standard - A group has been formed to define what a penetration test really is and means. Several standards and compliance documents reference a "penetration test", but yet no one has really taken the time to define it. Carlos and I are involved with this effort, myself on the vulnerability scanning portion and Carlos on the post-exploitation side.
• Analyzing PDF exploits for finding payloads used - If you are defending a network, you should read up on analyzing malicious PDFs, as they are likely being sent to your users.
• Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) - This was a fantastic event, thanks to all who participated!
• With hacking, music can take control of your car - I've always pondered the use of music files and images as a way to take over a system. It happens so naturally; people play music and view images all the time, so what if there were a malicious payload inside? It's a difficult thing to defend against. For example, how do you check a music file that will be played in your car for viruses? Anti-virus software for your car?
• Router-rooting malware pwns Linux-based network devices - First off, this is a password attack. Second, malware for Linux-based routers is not new (i.e. "Chuck Norris worm"), but still remains a threat for which we have little defense against. Still, to this day, people do not often consider vulnerabilities on embedded systems to be a big enough problem to pay attention to. However, if an attacker can compromise the router or access point, they can manipulate all of the traffic flowing through it.
• Making sport of browser security, hackers topple IE, Safari - Browsers continue to fall at the "Pwn2own" contest. What can we do to protect our users from these exploits? I'm starting to think there is no such thing as a "secure" web browser, likely due to usability and features driving development, not security.

Presentation: Dr. Tom Langstaff

Dr. Tom Longstaff is the Chief Scientist for the Cyber Missions Branch at Johns Hopkins University Applied Physics Lab. APL is a University Affiliated Research Center, a division of the Johns Hopkins University. Tom joined APL in 2007 to work with a wide variety of infocentric operations projects on behalf of the U.S. Government to include technology transition of cyber R&D, information assurance, intelligence, and global information networks.

His talk is titled: "Where the Wild Things Are: Analyzing Attack and Defense in Our Modern Global Cyberspace"

Download Tenable Podcast Episode 74

]]> paul@nessus.org Tue, 15 Mar 2011 14:42:40 -0400 Podcast tenable-network-security-podcast-episode-74 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/03/tenable-network-security-podcast-episode-73.html Welcome to the Tenable Network Security Podcast - Episode 73

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher and Ron Gula, Tenable CEO/CTO

Announcements

• Several new blog posts have been published this week, including:
  • Agentless FDCC, USGCB and CyberScope Reporting Webinar - March 23 2:00 PM EST
  • Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!
  • The Nessus Port Scanning Engine: An Inside Look
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Outbound SSH Traffic from HP Blade Servers - In this case it appears to be a bug, but what if it wasn't? I believe we need to keep close tabs on network connections in our environment. I'm a huge fan of Netflow analysis, largely because if you are attacking anything on the network, you need to make a connection. It's a difficult thing to get around (provided you do not have physical access to a medium that is not being monitored, such as 3G or some other wireless protocol). Also, it raises a scary situation where devices are pre-owned, meaning that during the manufacturing process attackers placed backdoors on the systems. Network monitoring can help identify these channels. For example, you should be able to spot your networking gear's management interfaces attempting to make connections out to the Internet.
• Microsoft Internet Explorer Lets Remote Users Spoof the Address Bar - Quite a few years ago I was researching this type of vulnerability. It largely goes unnoticed, as we tend to pay attention to remote exploits, XSS and SQL injection. However, tricking the end-user can be very profitable (in more ways than one) by attackers. Presenting a web site that appears to go to a site that would be trusted by the user, such as Google, is a very powerful feature. The research I was doing pointed out several different flaws in popular browsers that allowed attackers to spoof the address and status bars. The vulnerability referenced here, according to the article, does not have a patch.
• pwn2own Competition Will Be Harder Due to Patch Release for WebKit - The "pwn2own" competition always brings out some fun vulnerabilities and exploits. On one hand though, it does influence some people to find vulnerabilities, hold on to them (i.e. not tell the vendor), and then release them at CanSecWest. However, that is a showcasing of skills to find and maintain a vulnerability for a long period of time, and shows that vendors aren't doing the best job they can in finding flaws in their own software. Apple's WebKit, the browser engine that powers Safari and iTunes, typically falls victim during the contest, and likely will again even though they've patched.
• Every Windows Security Event Log Documented - It's one thing to collect logs, but it's another to know what they actually mean. This post will help you better understand your Windows event logs using old-fashioned documentation. Let's get back to basics and start reading, and understand what our systems are doing rather than relying on magic or spiritual rituals.
• Facebook Scam! BTW, follow us on Facebook - The whole Facebook thing is really funny. Facebook just keeps growing, and as it grows it breeds all new scams. This scam tries to lure you in by promising a video of a man who took a picture of his face every day for 8 years. Sounds interesting, but really just delivers you some malicious JavaScript. Oh, you can follow us on Facebook too, if you dare! Despite the dangers, people will still use Facebook! It happens at least a few times a month: one of my friends or family members sends out the message "please don't click any links from me, I got a virus". You can tell people, "don't use it", but chances are no one will listen, including your employees. I encourage all of us to use Facebook, and help come up with usable and creative ways of using it safely.

Download Tenable Podcast Episode 73

]]> paul@nessus.org Wed, 09 Mar 2011 11:45:24 -0500 Podcast tenable-network-security-podcast-episode-73 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/03/tenable-network-security-podcast-episode-72.html Welcome to the Tenable Network Security Podcast - Episode 72

Hosts: Paul Asadoorian, Product Evangelist and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Nessus 4.4.1 has been released! Includes several improvements and a new option for SYN port scanning.
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Throwing Star LAN Tap - I have to admit, I'm a big fan of ninjas. Ever since I was a kid (in some ways I still am) I've been fascinated with ninjas. It's a combination of things that fuel my fascination: smoke bombs, swords, poison and, of course, throwing stars. Any time I can arm myself with a ninja-like tool that pertains to my job, I'm in. The LAN tap throwing stars allow you to monitor network traffic passively (e.g. there is no send, only receive) between a host and the network. This comes in handy for troubleshooting, forensics, and even to collect some data using Tenable's Passive Vulnerability Scanner.
• When Love Turns to Money - Literally: "...love turned to money. Around $200,000, that is, which is the approximate amount of cash that said man had wired to his cyber-girlfriend over the course of their quote-unquote time together"
• Do Not Click This Link - Just proof that if you think people will not click on stuff, they probably will.
• - This device plugs into the wall and looks very "unsuspicious". However, it's connecting to (likely just "open") wireless networks, ARP cache poisoning, and replacing content in HTTP streams. While the implementation is focused on creating bogus news stories, it could be used to send out attacks... at least that's what I'd use it for!
• ZeuS crimeware variant targets Symbian and BlackBerry users - "Upon successful infection, the crimeware injects a legitimately looking field into the web page. The aim is to trick end users into giving out their mTANs, which stands for mobile transaction authentication numbers. Now that the gang has obtained access to their cell phone number, including the type of the device, a SMS is sent back to the victim with a link to a mobile application targeting either Symbian or BlackBerry devices." I believe this presents a problem for many organizations on the network monitoring front. It's difficult, if not impossible, to monitor cell phone communications over 3G, 4G, or CDMA. If attacks are coming at your users via these communications networks, you have only host-based security in play to defend yourselves. User education only buys you so much; a well-constructed social engineering attack is going to trick some users, with increasing success rates as we rely on technology more and more. Hardening your systems, including mobile devices, and having some client security (anti-virus software, host intrusion prevention, or something along those lines) is going to be key to being more secure than the out-of-the-box software that comes with your phone, which seems to be a monolithic operating system with little security. The bar is set a tad higher for iOS devices, as the apps have to be signed, showing that code-signing does work to at least deter attacks. However, if you can trigger a browser exploit on the iPhone, you don't need to run a signed app.
• RAT (Remote Administration Tool) in Beta For OS X - RAT is a fun tool. I've seen it action in a few different capture the flag events. It's fairly noisy on the system and on the network, but it can embed itself into different processes. Of course, if you think there are no viruses for ANY platform in general use today, you are likely mistaken.

Download Tenable Podcast Episode 72

]]> paul@nessus.org Tue, 01 Mar 2011 15:28:43 -0500 Podcast tenable-network-security-podcast-episode-72 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/02/tenable-network-security-podcast-episode-71.html Welcome to the Tenable Network Security Podcast - Episode 71

Hosts: Paul Asadoorian, Product Evangelist and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Analyzing the Compromise - without Going Hungry
  • Nessus "Exploitable With" Field Updated
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Security vulnerabilities galore in social networks - A new web site, www.socialnetworksecurity.org, has been created to document the ever increasing vulnerabilities present in popular social networking sites such as Facebook. It seems that many sites, as it will come to no great suprise, are vulnerable to things like XSS. I believe its the nature of the beast, so many of these web sites are in a race to add features and functionality, and its too time consuming for them to properly identify security vulnerabilities as they go along. I do hope that big web sites take a step back from the fast and furious pace and start to implement security, before they get too far down a path and end up with a site that requires a major overhaul to be "secure".
• inSSIDer 2 - Neat little wireless tool - Remember the days of NetStubler? Those were fun I know! Since then though many of the original wireless tools have not been kept up-to-date to support Windows 7 and 64-bit. Enter inSSIDer, it works with XP, Vista, and 7 (32 and 64-bit) and claims to use the native WiFi API to find wireless networks in your area and let you sort them, or even correlate them with a GPS.
• Meet hacker’s new best friends, Anti-virus and Firewalls - Turns out anti-virus software and firewalls have vulnerabilities too! How worried should you be about them though? Its an interesting question that begs debate.
• Monitoring Your Database - I find that so many environments ignore databases as a source for security information. If you really think about it, you should start implementing security at the database level, because, well, that's where we keep the information. GreenSQL makes a free product for you to try out and you can use Tenable's enterprise tools to monitor and scan your databases and database systems.
• Good Tip on Snort DAQ - With Snort 2.9 came DAQ, or Data Acquisition Library, which abstracts the system calls to "get packets" into a self-contained library, that supports PCAP and several other methods. For those running Snort, be warned, it requires some tuning and special attention, and some of the details are highlighted in this article.
• SSDs are Tougher to Erase Securely - It sounds silly, but you should have a method of physically erasing the data, e.g. sledgehammer, fire, shotgun, whatever your most favorite weapon of destruction happens to be. Maybe shredders need to have slots now for USB thumb drives.

Download Tenable Podcast Episode 71

]]> paul@nessus.org Tue, 22 Feb 2011 16:03:22 -0500 Podcast tenable-network-security-podcast-episode-71 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/02/tenable-network-security-podcast-episode-70.html Welcome to the Tenable Network Security Podcast - Episode 70

Hosts: Paul Asadoorian, Product Evangelist and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup - February 2011
  • Tenable All-Star Showcase - Atlanta - February 22
• Tenable will be at the upcoming RSA conference next week. Please stop by our booth (#729)!
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Honeynet Project Releases PhoneyC - Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
• A python domains extractor from IPs - The tool reads a .txt file containing IP Addresses (on each line) and check which “sites” are associated with that IP Address.
• Free Fast Traffic Generator - "Mausezahn" - Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks but also for security audits to check whether your systems are hardened enough for specific attacks. I LOVE breaking stuff.
• Comcast DOCSIS 3.0 Business Gateways Multiple Vulnerabilities - Yet another example of hard-coded passwords in an embedded system. The other was a Linksys router vulnerability.
• "Cyberweapon" Could Take Down Internet - I'm skeptical. I think the Internet is too useful of a tool, and everyone needs it, so why take it down?
• Google 2-factor authentication - This seems like a good thing: enter your password and then you must provide a PIN that gets SMS'd to your phone. Could this be the answer to our password problems?

Download Tenable Podcast Episode 70

]]> paul@nessus.org Tue, 15 Feb 2011 17:01:46 -0500 Podcast tenable-network-security-podcast-episode-70 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/02/tenable-network-security-podcast-episode-69.html Welcome to the Tenable Network Security Podcast - Episode 69

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Tenable All-Star Showcase - Atlanta - February 22
  • Nessus 4.4 Receives SC Magazine "Recommended Award"
  • Risky Business 181

• Tenable will be at the upcoming RSA conference next week, please stop by our booth (#729)!
• UMD and Tenable Announce New Cybersecurity Partnership
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• "Hackers" Break Into NASDAQ
• Attackers Still On The Hunt For TELNET
• Java JFileChooser Programmatic Manipulation Vulnerability
• Debian 6.0 Released: "This means the Debian userland running on top of FreeBSD."
• Lessons Learned from the Exposure of 1.5 Million Twitter Accounts

Download Tenable Podcast Episode 69

]]> paul@nessus.org Tue, 08 Feb 2011 20:13:52 -0500 Podcast tenable-network-security-podcast-episode-69 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/02/tenable-network-security-podcast-episode-68.html Welcome to the Tenable Network Security Podcast - Episode 68

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Nessus App for iPhone - The Video
  • Passively Detect all of your Exploitable Vulnerabilities - PVS 3.4 Released
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Kaspersky Source Code Leaked - Turns out an former employee had distributed copies of the software. This is a tricky thing to defend against, since how do you know if one of your employees is stealing source code? Sure, many would say that you need to limit and control access to the source code, but you still need to allow the developers to access it. Now, antivirus software in particular probably gets a high bounty on the computer underground because if you could analyze the source code directly, you stand a better chance of making malware that is more resilient. The former employee of Kaspersky was arrested and sentenced to three years in prison.

---

• Smartphone Botnet Code & Video - Unfortunately I was not able to attend this talk at ShmooCon, however, this is a really neat showcasing of mobile phone technology. And why not use SMS to control your Android phone botnet! Attackers can use this to send SMS spam, force your phone to make calls and more. The nice part is that most people don't update their phone or pay attention to security on mobile devices so if you stay stealthy you could create quite a large botnet. With 4G phones coming out as well, you will have plenty of bandwidth too, and I think this will drive more and more attackers to this medium.
• Plug and Prey: Malicious USB Devices - Adrian Crenshaw (a.k.a "Irongeek") has done a fantastic job of writing up how different malicious USB devices work, and more importantly what you can do to detect them. I really appreciate Adrian's efforts in this area, especially the details on detection and defense.
• Tapping 802.1x Links with "Marvin" - 802.1x was really big when I was working for a university. It was around 2003 and everyone was being hit by worms. If a workstation or laptop that was infected plugged into the network, all vulnerable hosts could be infected very quickly. Then along came NAC, which relies on 802.1x. It sounded great in 2003, and for the most part would challenge the user before getting on the network, even checking to see that they are not going to spread a worm. However, attackers have found many ways around this technology, including the bridging technique employed by this tool. If you are trying to keep attackers off your network, NAC may not be for you. I tend to lean towards getting the printer's IP address from the control panel, and then unplugging the printer and using the network jack (Joe Mcray made reference to this in his talk at Brucon as a way to bypass NAC).
• Asterisk Buffer Overflow in SIP Channel Driver Lets Remote Authenticated Users Execute Arbitrary Code - If you are an authenticated user of an Asterisk server, using the caller ID field can trigger a buffer overflow. I like flaws like this because the attack comes from an authenticated user, so people think "oh, I have a firewall so I don't need to patch it". What if someone compromises a workstation and uses a soft phone? What if phones in your environment have vulnerabilities? Now you give the attacker control of your phone system, which only leads to bad things.
• Lab Discovers 50 Millionth Virus - "That comes out to about 55,000 new viruses each day, 2,300 per hour, 38 per minute, and one every two seconds, according to Website AV-Test." Whatever the numbers work out to, there is a lot of malware in circulation. What I don't understand is that so many people are still focused on "can attackers get into my network" and "I don't need to test against 0-day exploits". What I believe people need to come to grips with is that malware has infected machines on the inside of your network and it contains 0-days. Now what defenses do you have in place to detect, monitor, react and prevent bad things from happening?

Download Tenable Podcast Episode 68

]]> paul@nessus.org Wed, 02 Feb 2011 13:07:41 -0500 Podcast tenable-network-security-podcast-episode-68 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/01/tenable-network-security-podcast-episode-67.html Welcome to the Tenable Network Security Podcast - Episode 67

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Nessus: Mythbusters Edition
  • Tenable and SCAP 1.1
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Shmoocon Preview - Twice the Mobile (in)Security - The trend has been heating up for a while now, and its just about ready to boil over and send people screaming, panic stricken, as attackers take hold of their mobile devices. I believe Google's Android and Apple's iPhone have put the "smartphone" front and center in our lives as the most popular piece of technology we use in our everyday lives. For the attackers and the security community alike, this means we must find ways to hack it. The motives are of course different, the security community wants a safer place, and the attackers want to profit.

---

• Getting Started With Corporate iPad and iPhone Mobile Security - This is a great list of features in iOS that can really help you get a hold on the i in your environment. iOS supports remote wiping, AES encryption of the phone backups, and offers control on firmware updating and application installation and updates. Your organization must have a mobile computing policy and be
• Who's Who Of Bad Password Policies - It should come as no surprise, but many web sites do not do a good job of implementing good password policies. We're often so quick to blame the user, but many popular sites do not require SSL, allow special characters, limit length, and more. One site even displayed your password in clear-text on the web site!
• Apple Appoints David Rice as CSO - This is great news for Apple, its been a long time coming too. Apple really needs to step up its game when it comes to security. Random security updates, insecure architecture in OS X, and more have contributed to a ticking time bomb. As they gain market share, these issues will become important. David is a great great, extremely knowledgeable about information and software security, and may be just what Apple needs to improve its security posture.
• Brute Force Safe Cracking - I find that security leaks its way into almost every conversation, oh wait, maybe thats just me. In any case, someone made a robot that will try everyone possible combination on a safe. While thats great, most thieves know that if you can flip the safe over and hit the bottom with a sledge hammer, you win. Also, the doors on safes are typically really hard to break through, but the sides are sometimes flimsy and easy to cut through with the right tools. Of course, there is something to be said for getting into the safe and leaving to trace behind that you were even there.
• Nessus Plugin: HP OpenView Network Node Manager Remote Execution of Arbitrary Code - If you run HP Node Manager, use this plugin. If you think that you may have Node Manager installed somewhere, use this plugin. If you run a network, use this plugin to scan the network and look for instances of Node Manager! This vulnerability, well several actually, manifests itself as a command injection vulnerability in software that does not require authentication by default, and could lead to attackers gaining control of a system that manages the network. Just a bad combination!

Download Tenable Podcast Episode 67

]]> paul@nessus.org Tue, 25 Jan 2011 16:06:56 -0500 Podcast tenable-network-security-podcast-episode-67 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/01/tenable-network-security-podcast-episode-66.html Welcome to the Tenable Network Security Podcast - Episode 66

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this week, including:

  • Putting a Virus under the SIEM Microscope Webinar
  • Microsoft Patch Tuesday Roundup - January 2011

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Facebook Allows Apps to access Personal Information - This is not a good move by Facebook. While you have to give an application permission to access this information, I'm certain the "shady" application developers will find a way to get your phone number. The payoff is just too high, SMS Spam and telephone scams can make the attackers too much money.
• Dancho Danchev Goes Missing - This is a strange story, security blogger and self-investigator of cyber criminal activity has been missing. Appears that the Bulgarian Government has bugged his apartment, and he's been missing since August 2010. There is a lot of room for speculation, but one thing that scares me is the stakes surrounding cyber crime. UPDATE: Reports now indicate that Dancho has been found and is checked into a psychiatric hospital.
• Mining Web Proxy Logs For Interesting, Actionable Data - John is spot-on with his analysis, Antivirus logs often go unchecked with the assumption that they're working, but they can be useful in spotting attack trends and problematic users who regularly visit malicious sites. Likewise, Web proxy logs hold similar value and can be mined for a lot of useful, actionable data, like daily summaries of malicious HTTP User Agents, content types (think "executables"), and more.
• Three Reasons Your Security Program is Failing - I agree with these: No one decision maker (executive decision maker), No clearly defined, attainable goals, No concrete step-by-step plan for execution
• 11 Log Resolutions for 2011 - I don't usually make resolutions, but these are fantastic.
• Must read Stuxnet article - I like the Hollywood movie plot stuff: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist. A great article from Wired also covered some recent Stuxnet news.

]]> paul@nessus.org Tue, 18 Jan 2011 16:50:41 -0500 Podcast tenable-network-security-podcast-episode-66 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/01/tenable-network-security-podcast-episode-65.html Welcome to the Tenable Network Security Podcast - Episode 65

Hosts: Paul Asadoorian, Product Evangelist & Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Nessus Viewer v1.0.0 released - The web site states: "Nessus Viewer enables IT Security auditors and penetration testers to quickly navigate inside Nessus reports by sorting and filtering each entry. It is able to import Nessus XML v2 reports and filter them by IP, host name, plugin name, operating system, keywords… It can also parse plugin outputs to extract and build clickable lists of web servers, Windows users, missing patches and much more." I think it's great to see a tool like this to help people with with Nessus data in specific cases.
• Hacking your car for fun and profit - Researchers make an interesting statement about the various control systems in your car: they are plugged into a hub network, not a switch. This means there is no separation between systems, so if you gain access to the car, you gain access to all systems, including safety, brakes, etc. This is not a huge problem for now because cars are not connected to the Internet. Oh wait, enter the Chevy Volt, the first car to have an IP address (so I am told).
• Internet ID For All Americans - "Possible methods of creating a ‘trusted identity’ could include issuing a ‘smart card’ or digital certificates that would prove that online users are who they say they are. They could then be used to buy goods and carry out financial transactions on the Internet."
• We're Running Out Of IPv4 Address Space! - Seems that I hear this every year, that this will be the year when we run out of IP addresses. They always point to the fact that all kinds of devices, such as TVs, BlueRay players, Tivos, alarm clocks, and toasters will have an IP address. I have to say, I have a lot of devices on my home network. I love technology and get my hands on as much network-connected stuff as possible. I have a private subnet that can address 253 devices. I could use a Class A if I wanted to, and I still only need one public IP address. So, I fail to see the rush to IPv6, which I am pretty sure will not solve the security problem, but create more problems as people find more problems with IPv6 security.
• Researcher Develops Password Hacking Software for Wi-Fi Networks Using Amazon Web Services - Don't get me wrong, I think this is a very useful way to attack WPA-PSK. Using "the cloud" to brute-force passwords has lowered the security of the password even further (if that was at all possible). However, is the defense against this attack simply to generate a random 16 character string and use that as a password? Of course, this is not user-friendly, so people tend to choose weaker keys. In the end, we are exploiting the human, not the technology.
• Final Fifteen - Web Hacking Techniques - There are some really cool techniques in this list. I strongly suggest to our listeners that you review this list and learn about all of these techniques.

Download Tenable Podcast Episode 65

]]> paul@nessus.org Tue, 11 Jan 2011 16:33:20 -0500 Podcast tenable-network-security-podcast-episode-65 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2011/01/tenable-network-security-podcast-episode-64.html Welcome to the Tenable Network Security Podcast - Episode 64

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO

Announcements

• Several new blog posts have been published this week, including:
  • Log Correlation Engine 3.6 – Now with its own GUI
  • SSL Certificate Authority Auditing with Nessus
  • SecurityCenter 4 Receives FDCC and SCAP Validated Tool Certification
  • 3D Tool beta Video

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• A router that runs the Tor software prevents Web tracking - While off-loading your Tor traffic routing and encryption to your home router may sound appealing, Tor comes with its own set of caveats. For example, how can you be certain the Tor exit node you are using is not operated by someone with malicious intent? For general web browsing it can be problematic, as the exit node you go through may be in another country with restrictions on content that can be viewed. Tor does a great job of providing anonymity, however use caution when sending your data over this network as someone could be listening.
• Breaking GSM Using a $15 Phone - This is the same thing as Wifi. In the beginning, it was really expensive to eavesdrop on Wifi. So, people implemented no security. Then more people sniffed Wifi, so they came up with WEP. WEP was easily broken, and the cost of Wifi sniffing plummeted. SO they came up with WPA. The problem is that people still THINK Wifi is secure, when its really not. GSM seems to be going through a very similar evolution.
• Wikileaks Targets - Interesting little rumbling of Wikileaks having information on Bank Of America. Recent reports are stating this is not untrue. My fear is that even speculation could be damaging.
• thicknet: starting wars and funny hats - This has to be one of the best blog posts I've read in quite some time (aside from any of Ron's posts of course). The concept is pretty simple, its like your cutting in at a dance and stealing the homecoming queen, but with technology. Using TCP, some Perl scripts, and MiTM, you can steal sessions and do whatever you want with them. Why wait for sensitive data to be passed? Just steal the session, send a query/request for sensitive data, and be done. I really love this technique.
• 2011 Predictions - This section left blank intentionally. No seriously, as a general rule of thumb I don't make predictions. They tend to be not based on fact and not really all that helpful. It is fun to speculate, but take it for what its worth, speculation. However, we can tell you about some of the things that Tenable is working on for 2011.

Download Tenable Podcast Episode 64

]]> paul@nessus.org Mon, 20 Dec 2010 15:01:49 -0500 Podcast tenable-network-security-podcast-episode-64 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/12/tenable-network-security-podcast-episode-63.html Welcome to the Tenable Network Security Podcast - Episode 63

Hosts: Paul Asadoorian, Product Evangelist & Carlos Perez, Lead Vulnerability Research Engineer

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Cisco IOS Hacking Information - Everything from protocol attacks, remote exploitation and forensics is covered in this handy little page from the folks over at "Recurity" (Home of "FX", famed printer and router hacker). I believe people have lost sight of Cisco IOS security. Cisco devices need to be locked down and secured even more than most of your computers and workstations, yet security is almost an afterthought after availability, scalability, and cost.
• JavaScript Portscanner Using HTML5 - This is a neat little extension
• Little Black Box - Kind of a little black book, but for SSL! Several applications and devices come with privately generated SSL keys. This tool stores all the ones they could find and allows you to use them for MiTM and decrypting traffic. Brilliant!
• Using Powershell To Bypass Windows Protections - Each month Microsoft says that users with less privileges are less susceptible to attacks because they are not running as Administrator. Each week I read about a new privilege escalation attack, such as this one that uses Windows Powershell to overcome restrictions placed on the "sa" account associated with MSSQL.
• Watch Out For Exim - Nice write up from Ron Bowes on the Exim vulnerability. We've released a Nessus plugin to check for it.
• HP StorageWorks P2000 G3 MSA hardcoded user - This is just so fitting to be my last story of the year for the podcast. It shows just how bad the fail is when it comes to embedded devices.

Download Tenable Podcast Episode 63

]]> paul@nessus.org Mon, 20 Dec 2010 15:01:49 -0500 Podcast tenable-network-security-podcast-episode-63 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/12/tenable-network-security-podcast-episode-62.html Welcome to the Tenable Network Security Podcast - Episode 62

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this week, including:

  • Using Nessus For Host Discovery
  • If an exploit falls in the forest, does anyone hear it being patched?

• Don't forget to sign up for Advanced SIEM Webinar Series - November through December
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new Nessus Perimeter scanning service.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• SQLi Cheat Sheet - It amazes me just how many different ways of doing the same thing are built into our technologies. This exists in almost every programming language; there have always been multiple ways to write different code that accomplishes the same goals. Unfortunately, attackers use this to their advantage to evade filters. This one just happens to be for SQLi, and if you are a penetration tester this is a handy reference. However, if an attacker is trying to exploit this against live systems, you should be able to detect these attempts. Also, if an attacker can run these tests offline in an environment mirroring what the target has in production, you can be very successful. To combat this threat I want to stress really securing your environment, which means plugging all those information leaks that seem to be all too common in web applications.
• j0llydmper - Attackers will use any means necessary to collect sensitive information. This includes the program j0llydmper, which runs as a Windows service and dumps selected files from USB drives to a select location on the disk for easy recovery. I believe it's going to be tough to identify malware in the coming years, as it will likely try to do things that are normal, like copying files and not doing things like writing registry entries, etc.
• BeEF - Browser Exploitation Framework Updated - BeEF is becoming one of the more dangerous penetration testing tools out there. It's nice to see it gain momentum and get updated, as it can really put context around web application attacks such as XSS. For me, it seems logical, as it quite easily evades firewalls, antivirus, patching, IDS and several other technologies. When I speak to people about defense, still to this day, many do not completely understand the attack vector, let alone tune their networks to detect and prevent browser-based attacks. Josh Wright has one of the most enlightening quotes that was posted on the PaulDotCom Mailing list: "I owned the network with a HSRP MITM attack, followed by Ettercap+etterfilter injection to serve up malicious PDFs in 1x1 iframes". This is a great example of how attackers are able to be successful, and as far as defense goes, it's not an easy answer.
• Abusing Open Web Proxies - It's weeks like this that just make me want to cry when I think about defense. The scary part is, open web proxies have been around since the beginning of time (er, "The Internet" anyhow). Attackers are using anonymous, stealthy proxies to do things like brute force login and password combinations for popular web sites. One could also use these proxies to attack web sites anonymously, giving protection mechanisms such as IDS, IPS and WAFs a run for their money. I think it boils down to: you have to have a web site that is hardened to the max to survive in today's Internet.
• Military Bans Removable Media To Curb Leaks - While this may seem logical, it's difficult to enforce. You can hide a USB thumb drive just about anywhere (pause for laughter). If you can control the computers, you can physically disable the USB ports, which forces someone to bring in their own computer to steal information.
• Gawker web site CMS and database compromised - 1.3 million users' account information has been stolen and published via Bittorrent. How did this happen? Your guess is as good as mine, and it looks like someone is in need of some application security.

Tenable Pocast Episode 62 Direct Download

]]> paul@nessus.org Tue, 14 Dec 2010 13:22:38 -0500 Podcast tenable-network-security-podcast-episode-62 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/12/tenable-network-security-podcast-episode-61.html Welcome to the Tenable Network Security Podcast - Episode 61

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Don't forget to sign up for Advanced SIEM Webinar Series - November through December
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new Nessus Perimeter scanning service.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Metasploit Meterpreter scripts for privilege escalation - Every month Microsoft releases the security bulletins, and many of the remote exploit threats are describes as somewhat "mitigated" if the user is not running as an administrator. I believe that techniques, such as the ones presented in this post, are reasons why we all need to re-adjust our perception of risk as escalation of privilege is now commonplace. For example, a new Metasploit module was released that will "...interactively send keystrokes to an open application window using the vbscript SendKeys method. Can be used to escalate privileges into RunAs-invoked command shells on XP." Nice...
• Packet Payloads, Encryption, and Bacon - Great post on how to analyze a packet dump to determine if the data is encrypted, multiple techniques are presented. It's always a good idea to make sure that if you expect data to be encrypted, at some point you sniff the traffic and check it!
• There are no more internal applications - I think a great point to add to this would be that if you give your users access to the Internet, you shouldn't use the word "internal" in the context of security and risk.
• D-Link DIR Series routers authentication bypass - Here's a great example of a vulnerability that will largely go unnoticed, but in the right (or wrong) hands could lead to compromise. Through a PHP script in the admin interface, the admin username and password could be changed. Identification of these routers is not difficult, as I discussed in my recent embedded hacking talk. An attacker could place code on any web site that changes the admin password and enables remote administration of the device and gain access to people's routers. So far, models D-Link DIR-300, DIR-320, DIR-600 and DIR-615 are confirmed as vulnerable. Software patches have been released, but who applies them anyway?
• Malware Encrypts Hard drive, demands ransom - Remember when 99% of all viruses would infect the boot sector and destroy your computer? Fast forward to today and your hard drive gets encrypted, then the malware demands payment and ransom. Actually, I wish more malware would do this. I think its really a wake up call for security as it puts the user in quite the predicament!
• Know what's on your network - I ask this of you: if someone installed a device on your network, would you know? In most cases if someone put an embedded system on the network, you could detect it. However, if it was firewalled off properly and simply sniffed traffic and conducted passive attacks, this could get tricky. I've always theorized that trojaned hardware could bypass most people's security, and most believe it to be an urban myth. It would require physical access, but have a high degree of success.

Download Tenable Podcast Episode 61

]]> paul@nessus.org Tue, 07 Dec 2010 13:40:36 -0500 Podcast tenable-network-security-podcast-episode-61 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/11/tenable-network-security-podcast-episode-60.html Welcome to the Tenable Network Security Podcast - Episode 60

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• A new blog posts has been published this week:
  • Scanning For Default & Common Credentials Using Nessus
• Don't forget to sign up for Advanced SIEM Webinar Series - November through December
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• SSL: the sites which don't want to protect their users - With it being "Cyber Monday", I thought this post was timely.
• Whacking Moles - It's neat that defenders still like to play the process "whacking" game, even though you can execute everything in memory using an already existing process. It does make for fun command line kung fu though, which I still think is handy if you are a systems administrator.
• Windows "0-Day" Flaw Bypasses UAC - There are many users who believe either one of two things about UAC: 1) "Wow, this really helps me be secure!" or 2) "Wow, this is annoying, turning it off now". In either case, the user is in a bad situation. Believing that something can keep you secure often leads to a quick downfall.
• You're Only As Secure As Your DNS Servers - As Secunia found out, you should have some pretty tight security around your DNS server, especially if you run a service where users can scan their PCs for outdated software. Wow, wouldn't that be a neat database for an attacker to get their hands on!
• Apple iOS Networking Packet Filter Rule Invalid Pointer Access Local Privilege Escalation - Remote attacks against iPhones would be bad as they are easy to identify on the network. You could even target just AT&T address space.
• ZeuS variant only infects super-fast PCs - Malware authors are looking to evade detection and analysis, rather than just harness computing power. Even a bunch of slow PCs can do a lot of "evil bidding".

Download Tenable Podcast Episode 60

]]> paul@nessus.org Tue, 30 Nov 2010 13:07:06 -0500 Podcast tenable-network-security-podcast-episode-60 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/11/tenable-network-security-podcast-episode-59.html Welcome to the Tenable Network Security Podcast - Episode 59

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Special Guest: Carlos Perez, Lead Vulnerability Research Engineer

Announcements

• Don't forget to sign up for Advanced SIEM Webinar Series - November through December
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Nessus Plugin 50658: Stuxnet Detection (uncredentialed check) - Stuxnet has been one of the most talked about pieces of malware this year. Nessus can now detect Stuxnet on the network!
• Passwords Are Not Safe - Each week I keep seeing more powerful GPUs, cheaper prices on the hardware, and more software becoming available for intense password cracking. You could build a machine with multiple CPUs, tons of RAM, and multiple GPU cards for well under $5,000 and crack passwords at lightning speed. I think we need to move beyond passwords and require another form of authentication in addition to the password. This seems so simple, why don't we do it?
• "That's Too Hard" - We've all heard it before, the "that's too hard" excuse when it comes to information security. A much better excuse is "That doesn't align with our business goals or acceptable risk levels". Dave outlines several common areas where the "it's too hard" excuse comes in, such as application whitelisting, secure coding, and outbound network ACLs and filtering. He also mentions the "cowboy culture in IT". I agree, some administrators are too quick to pull the trigger and change management can help. However, I've been in a situation where I had to jump in and "save the day" (capes may have even been involved) and my entire group was labeled as "cowboys". This really hurt our reputation in the organization and made things difficult for us for quite some time. Be careful with change management and cowboys, because it is a double-edged sword.
• On Security Conference Themes: Offense *Versus* Defense – Or, Can You Code? - I agree, offense is sexy, it's definable, and it's demonstrable. However, what about defense? Many security conferences are filled with talks about the latest and greatest ways in which to penetrate systems. That's great, and don't get me wrong, I love talking about offense. However, defense is important, except it's not as sexy, not as definable (well, at least it's different for each person/organization), and it's not as demonstrable. One of the things I will be working on in the next few months: making defense sexy.
• Nessus Parsing 101 - This is a great little write-up that shows you how to implement some Bash scripts to do basic parsing of NBE files. While I use many different methods to parse, sort and create reports from Nessus results, sometimes a quick and dirty Bash command is the best method, and this tutorial does a nice job!

Download Tenable Podcast Episode 59

]]> paul@nessus.org Wed, 24 Nov 2010 08:54:06 -0500 Podcast tenable-network-security-podcast-episode-59 Paul Asadoorian Kelly and Paul discuss the stories of the week with new special guest Carlos Perez! Stuxnet detection, cracking passwords with GPUs, and "It's too hard". Vist: http://blog.tenable.com Kelly and Paul discuss the stories of the week with new special guest Carlos Perez! Stuxnet detection, cracking passwords with GPUs, and "It's too hard". Blog: http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/11/tenable-network-security-podcast-episode-58.html Welcome to the Tenable Network Security Podcast - Episode 58

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Advanced SIEM Webinar Series - November through December
  • Nessus 4.4 Introduction Webinar - November 17th 1:00PM EST
  • Nessus 4.4.0 Released!
  • Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition
  • Advanced Web Application Scanning Using Nessus Video

• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

News Stories & Articles

• 4 Reasons Why You Should Upgrade To Nessus 4.4.0 (Digital Bond) - Nice post from the folks over at Digital Bond! It outlines some of the major new features and some (like the ability to cipher the Nessus data) that you may have missed. Of course the big feature is scheduling!
• New Google Hacking Database Being Hosted and Maintained by Exploit-DB - So glad to see this back! GHDB has been a great source of information for identifying exposed information indexed by Google. The new interface is slick and there is a description of each "Dork" with a direct link to execute that search. This may be a good time to review your robots.txt entries.
• Can't we all just use the same WPA-PSK and be safe? - No, and no, and oh wait, a thousand times NO. On a WPA-PSK network everyone shares the key, and this means everyone can eavesdrop on each other. Nice job of this article pointing out flaws in another article that was suggesting we all agree on a WPA-PSK value, such as "free", to protect ourselves from Firesheep!
• How to secure your centos - I just have to say, this is a great web site with lots of useful tips on hardening CentOS. I've really been liking CentOS lately, and as Debian frustrates me even more, I am gravitating towards CentOS for my Linux server deployments. Also, Tenable's enterprise products have excellent coverage for CentOS.
• All-In-One ATM Skimmers - This article outlines some of the features sought after by ATM card skimmers, who stand to make some decent money. However, they do have to physically visit the machine if they are using this device. Brian Krebs does a lot of great work in the area of uncovering how the bad guys are operating. I think its important for us to understand physical security and how it interacts with data security.
• Searching for Sensitive Data Using URL Shorteners - Ever wonder what type of URLs people shorten? Well, the author of this post did and wrote a script to pull shortened URLs, and to no one's surprise, found sensitive information and other interesting things.


Direct Download for Episode 58

]]> paul@nessus.org Fri, 19 Nov 2010 08:39:14 -0500 Podcast tenable-network-security-podcast-episode-58 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/11/tenable-network-security-podcast-episode-57-dennis-brown.html Welcome to the Tenable Network Security Podcast - Episode 57

Hosts: Paul Asadoorian, Product Evangelist

Announcements

43. Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
44. We're hiring! - Visit the web site for more information about open positions.
45. You can subscribe to the Tenable Network Security Podcast on iTunes!
46. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Interview with Dennis Brown



"Dennis Brown is a research engineer for Tenable Network Security. He specializes in malware analysis with a penchant for botnet research. Dennis has spoken previously at Defcon 18, Toorcon 10 and 11 and on the PaulDotCom security podcast. He also organizes the DC401 hacker group in Rhode Island and the QuahogCon security conference."

Dennis recently gave a presentation titled "Resilient Botnet Command and Control with Tor" at HiTB Malasia and Toorcon 13. Dennis and I discussed the following topics:

• I was working for a University when Tor first became popular. This presented many challenges, students were using it to evade detection by the RIAA/MPAA, attackers were using it to launch attacks against us, and I even encountered a few Tor exit nodes in my time. How has the Tor network evolved over time?
• Which botnets have been observed in the wild using Tor?
• What is a private Tor network? How do you build a private Tor network? Is it easy?
• How does using Tor affect speed? Does this impact the botnet, and how so?
• What is an HTTP hidden service? Tor3web proxy? How does this all work to mask the botnet's command and control channel?
• I always though that encryption would be the end of the good guys fight against malware, but largely that has turned out not to be true or has it?
• It seems that masking the command and control channel produces the highest rate of success for a botnet, how does Tor help the bad guys accomplish this?
• How can we detect botnets using Tor?

Direct Download Link - Episode 57

]]> paul@nessus.org Wed, 03 Nov 2010 13:28:09 -0400 Podcast tenable-network-security-podcast-episode-57 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/11/tenable-network-security-podcast-episode-56.html Welcome to the Tenable Network Security Podcast - Episode 56

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Plugin Spotlight: D-Link DCC Protocol Security Bypass
  • Integrating Nikto with Nessus Video
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• SCADA Vendors Still Need Security Wake Up Call - Security researcher and member of the Tenable Research Team Jeremy Brown brings light to vulnerabilities in SCADA systems. I have been observing this behavior from vendors for quite some time (and not just in SCADA) and that is they don't want to admit there is a problem. You can look at this two ways: if I want to take over the world and cause mass hysteria and carnage, I could write exploits for control systems and take them over. Then again, finding a 0-day vulnerability in Windows XP and writing an exploit for it could have the same results. However, the general "feeling" I get from SCADA vendors is they are very distant from the security culture and processes. This has to change.
• Cross-platform malware runs on Windows, Mac and Linux - This malware pretends to show you a video; it turns out it's a slide show from "Hot or Not" and in the background the malware installs a Java applet, asks you to trust it, and if you click "Allow" it downloads files to your computer and runs them. This is a very scary technique that has been most effective, both for penetration testers and evil bad guys alike.
• iPhone, meet Wireshark - Capturing Traffic from Mobile Devices - You could really do this with any mobile phone. It could be fun to open multiple applications and see what data they are sending and receiving, and identify if encryption is or isn't being used.
• BIOS Password Backdoors in Laptops - It really amazes me how vendors can just forget about security completely. According to this article, if you enter an incorrect BIOS password 3 times most systems will display a warning message that says "System Disabled" along with a checksum value. The checksum value can then be used to derive the real password via cracking methods published in several scripts released by the author.
• Evilgrade gets an upgrade - There are now 63 modules in the Evilgrade framework, allowing attackers to intercept the update process of several popular applications and install software of their choosing. You do need to be "in the middle" to make this attack happen, however it can easily bypass antivirus and give you access to fully patched systems, or even turn a fully patched system in to a not-so-fully-patched-system.
• [Insert Token Adobe Zero Day Vulnerability Warning Here] - End of message. No, seriously, there are more flaws being found in Adobe products, including Flash and Reader. My only suggestion is to take a look at FX's presentation from Black Hat 2010 called "Countering Flash Exploits". The overview is that they are working on software that looks at what an application does, such as Flash or a PDF document, then re-writing it and only allowing the functions that are being implemented. Think of it as a sandbox that is customized for every document and application. This technology has a good chance of creating a more secure computing environment for many.

Download Tenable Podcast Episode 56

]]> paul@nessus.org Tue, 02 Nov 2010 13:27:15 -0400 Podcast tenable-network-security-podcast-episode-56 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/10/tenable-network-security-podcast-episode-55.html Welcome to the Tenable Network Security Podcast - Episode 55

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Risky Business #173 Interview with Ron Gula - Process Accounting and El Jefe
  • Deloitte Names Tenable as one of America’s Fastest Growing Companies - Again!
  • Nessus Reaches Plugin 50000
  • Integrating Hydra with Nessus Video
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Joomla! - Is one software more secure than another?
• Ninja: A Privilege Escalation Detection and Prevention System! - "Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user."
• New Tool Released - HTTP sessions & Social Networking - "When it comes to user privacy, SSL is the elephant in the room" said Eric Butler
• Apple Closes FaceTime For Mac Security Hole - Software security may be a problem, but then there is stuff like this.
• 12-year old Finds Buffer Overflow in Firefox - gets $3,000
• Least Common Denominator - How do we solve the problem where 1% of the users drive a large percentage of the software's functionality and features?

Download Tenable Podcast Episode 55

]]> paul@nessus.org Tue, 26 Oct 2010 13:25:05 -0400 Podcast tenable-network-security-podcast-episode-55 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-54.html Welcome to the Tenable Network Security Podcast - Episode 54

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Continuous SSL Certificate Monitoring - not just for HTTPS
  • Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

---

• "The Evil Maid Attack" - Here's the scenario: you've left your laptop in your hotel room while you went out around town, to a conference or out to dinner. Because you know that there are attacks that can use the Firewire bus to steal your hard disk encryption keys, you've powered down your laptop. An evil maid comes in, plugs in a USB thumb drive with special code on it, powers up your laptop and infects it with malware. The next time you log onto the system and enter your password to decrypt the drive, the malware records it and stores it to disk or sends it to the attacker. The next day or at some point in the future, the attacker can steal your laptop and now has the code to decrypt your drive. Moral of the story: never leave your laptop in the hotel room unattended.
• Half Of UK Homes Have Open Wifi - A study was conducted to seek out just how bad the security of wireless networks is in the UK. They found that just about half the homes in the UK had open access points or used WEP to protect their networks. I just want to point out that as if WEP wasn't bad enough, there are several ways in which to crack it today that are vendor or implementation specific. For example, Verizon FIOS, the Neesus Datacom 21-bit attack, and aircrack PTW. Despite these attacks, you can still find manufacturers using WEP by default, unless smart users re-configure their routers to use WPA. Even WPA-PSK with a long random passphrase is adequate to stop most attackers from accessing your wireless network. Why isn't that the default?
• India's Operating System - As to not rely on Western technology, India has decided to write its own operating system. Good luck with that. Microsoft has been at it for a while now, and just fixed 49 security vulnerabilities. I think operating systems are like encryption; anyone who tries to write one themselves will suffer enormous security problems because it will be largely untested. Also, I'd hardly call Linux "Western" technology.
• Do we really know what we're doing? - I find this Fishnet Security study to be compelling. Let's look at some of the data that was collected. For example, the top security concerns according to the survey are: mobile computing 69%, social networks 68%, and Cloud computing platforms 35%. Now, let's take a look at the spending percentages, which are firewalls 45%, antivirus 39%, authentication or anti-malware 31%. Hrm, something doesn't add up here! I'm not saying ditch your firewalls, but you have to adapt to the ever-changing threat. Just what does that mean? It means different things to different organizations. For some, it may mean outsourcing your firewall management and maintenance. For others, it may mean not upgrading your firewalls this year. Security needs to be tuned for your needs according to the current threats, not attacks from 1990.
• Facebook to issue one-time passwords - When I read the title, I thought this was a great idea! One-time passwords could work to help solve the user security problem. For example, it's really hard to stop an attacker from getting on a system and installing a keystroke logger and stealing the user's password. If the password is only valid for a short period of time, this greatly limits the risk. However, sending it via TXT message to your cell phone is not such a great idea. What if your cell phone is compromised?
• Newer operating systems are more secure? - Not sure if I'm buying this one, but statistics from Microsoft show that new operating systems such as Vista and Windows 7 have lower infection rates. I think it's just because XP is still more popular in terms of number of seats and attackers have tried and true exploits for them. It will take some time for attackers to catch up and get around to creating exploits that work well on the new platforms and bypass the new security measures.

Download Tenable Podcast Episode 54

]]> paul@nessus.org Mon, 18 Oct 2010 15:11:40 -0400 Podcast tenable-network-security-podcast-episode-53 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-53.html Welcome to the Tenable Network Security Podcast - Episode 53

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Using Nessus for OWASP and PCI Web Audits
  • Nessus and SecurityCenter APIs and Data Internals Published
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Netflow Rules - I think the characteristic of NetFlow data I like the best is that it's hard to hide from. Any time you compromise a network you leave a trace inside the NetFlow data. I still think there is interesting research in the area of attacking a network and making your attacks look as much like "normal" traffic as possible. It's sort of like the inmate escaping in the laundry truck.
• Man gets 10 years for VoIP hacking - Sounds like the "hacking" was brute-forcing prefix codes for several different VoIP providers. I find it interesting that we're going back to our roots and hacking phone systems, except look at how we have changed. Instead of just being curious, people are out to make big bucks by stealing services and reselling them. Good thing his girlfriend turned him in, otherwise I think he may have flown under the radar for some time.
• iPad Jailbreak and withholding 0Day - The story goes that there are two different groups looking to release the "jailbreak" for the iPad. One group released a new version that used a new exploit. Another group was scheduled to release yet a different exploit, but pulled back and is re-packaging with the already public exploit. I love it; jailbreakers are hiding the 0day from Apple and likely the rest of the world.
• Nessus XML parsing with awk - I love the command line, and I love quick and dirty ways to parse Nessus output from the command line even more. This is a really cool awk script to do just that.
• Microsoft Patch Tuesday & Oracle Patches - On this sad day, the day of October 12, 2010, Microsoft will release 16 security bulletins that will fix 49 vulnerabilities. Oracle will also release patches to fix 81 vulnerabilities (which now include Solaris and Java).
• MS10-070: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042) (uncredentialed check) - Without logging into the target, this plugin can identify the missing MS10-070 patch.


Download Tenable Podcast Episode 53

]]> paul@nessus.org Mon, 18 Oct 2010 15:10:37 -0400 Podcast tenable-network-security-podcast-episode-52 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-52.html Welcome to the Tenable Network Security Podcast - Episode 52

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this past week, including:
  • New Tenable eCommerce Site Supporting Nessus ProfessionalFeed Renewals
  • New Nessus Feature: Public Exploit Availability
  • BruCon 2010 Training & Conference Wrap-up





• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Monitoring Employees' Online Behavior - There are two aspects to this story that I find interesting. First, I think its important for companies to look at what information is available publicly about a potential employee. The employee is most likely doing the same with the company and some of its employees, so its only fair. Also, the information you put on the Internet via social networking sites is public, so don't be surprised when people actually look at it. Also, if you are an existing employee of the company, don't be surprised if the information is being monitored as well. This is not all "spying", but monitoring the company name and any new accounts created by employees, legitimate or fake, is an excellent thing to keep an eye on.
• Vulnerability Assessment Testing Automation and Reporting Part III - This article comes from the SANS Internet Storm Center, and is the final part in a series about automation and vulnerability scanning. Adrien releases some neat scripts to convert v1 .nessus files to v2, discusses some use cases for the Nessus API, and splitting up large .nessus files.
• Turning the Tables – Part I - I had never thought of the difficulties one might encounter when finding vulnerabilities in software that is primarily used by criminals. I mean, they deserve responsible disclosure too, right? Billy Rios found out the hard way that when you email criminals, all you get back is SPAM. He also found a vulnerability in the Zeus botnet command and control administration interface, which lets you extract the keys needed to control the bots, and essentially take over someone's botnet. This type of disclosure angers many, including the attackers and the good guys who would have likely used it to shut down a bunch of botnets. Now that its public, its a level playing field, and brings up all sorts of new angles on the disclosure issue. One thing to consider, if this bug does not go public likely the bad guys and small set of good guys will know about it, leaving the rest of us in the dark.
• THC-Hydra released 5.8 - Its nice to see this code being maintained as its my favorite software for username and password brute forcing. There is a wrapper NASL so you can run this alongside Nessus which we cover in the advanced Nessus training course. I will update it with the enhancements to the latest version, including support for Apple File Sharing Protocol (AFP).
• FireMaster: The Firefox Master Password Recovery Tool! - One thing to remember is that the attacks against the Firefox password database are offline dictionary and brute-force attempts. There currently are no documented flaws that I am aware of that allow attackers to get around the encryption of the database.

Download Tenable Podcast Episode 52

]]> paul@nessus.org Mon, 04 Oct 2010 14:28:16 -0400 Podcast tenable-network-security-podcast-episode-51 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-51.html Welcome to the Tenable Network Security Podcast - Episode 51

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this past week, including:
  • Apple Security Update 2010-006, File Sharing and Mac OS X defaults
  • Announcing The Nessus iPhone App
  • Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition
  • Nessus ‘Here You Have’ Worm Detection Plugin Released





• Please join Tenable's own Ron Gula, Renaud Deraison, Marcus Ranum and Paul Asadoorian for a Security Showcase on October 6, from 8:30am to 2:00pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City. Breakfast and lunch will be provided during this half-day FREE event. Contact Donal McRae (dmcrae -at- tenablesecurity.com) to reserve your seat (space is limited for this event).
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Paul talks about the Brucon security conference, including Nessus training, presentations, and more!


---




Stories

• Results of an SSH Honeypot
• Is that PDF so scary?
• Windows Mobile 6.5 Phonecall Shellcode
• MS10-070 Released OOB - We released Nessus Plugin 49695 to detect this patch.


Download Tenable Podcast Episode 51

]]> paul@nessus.org Mon, 04 Oct 2010 14:26:40 -0400 Podcast tenable-network-security-podcast-episode-50 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-50.html Welcome to the Tenable Network Security Podcast - Episode 50

Announcements

• Several new blog posts have been published this past week, including:
  • Making Penetration Testers Lives Awful
  • Tenable Network Security Podcast - Episode 49 - Interview with Dennis Brown
  • Passive Vulnerability Scanner Network Licensing
• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as a Nessus overview and future plans, the advantages of pairing active and passive scanning, an overview and discussion of current security strategies and new industry trends, the past, present and future of regulatory compliance, and a Tenable Network Security product/solutions overview.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

---




Stories

• Hexinject - Packet Injection Tool - I think it's really interesting to see what can be injected into packets, such as turning ARP requests into ARP responses! The potential attack vectors are numerous.
• Apple Secret "wispr" Request - I find it neat when a particular device sends out a default "phone home" or other kind of probe on a wireless network. This leaves it vulnerable to all sorts of attacks and there are many researchers working on a way to exploit this one.
• Accton Switches Backdoor - Vendor Response - Here we go again, a gaping security hole put into a product in the name of user friendliness. I think this is a lame excuse. If your product is well designed and documented, you should not have to put a security hole in it to make it usable.
• Security is so much better than 10 years ago... - Someone obviously got the wrong idea about measuring security. There is a difference between local and global incidents, and just because we haven't seen something like the "ILOVEYOU" virus in the last ten years doesn't mean security is getting better. It begs the question, is security getting better, worse, or is that question just oversimplifying everything?
• Bear in the woods or prairie dog in the forest? - I like going through these analogies; it's fun because not only do we get to talk about all kinds of animals, but it helps us understand the right things to do. The prairie dog allows smaller animals to take refuge in their homes, giving them protection from predators. Starving the predators (or attackers) is a good analogy as we don't want to keep feeding the bad guys and let them get more powerful.
• Five Ways To Stop Mass SQL Injection Attacks - While I think these steps are a good start when addressing SQL injection, they don't address the real problem: that people aren't doing these things in order to stop attacks! Developers do not always validate input and organizations do not always implement security controls around their web applications and databases.
• upSploit Advisory Management - This is a very cool "automated" system for managing the vulnerability disclosure process. I thought it was nice for those that find vulnerabilities, create exploits for them, and just sit on them because a vendor is unresponsive. Usually these are low impact vulnerabilities, and I think this system will work well in that scenario.

Download Tenable Podcast Episode 50

]]> paul@nessus.org Fri, 17 Sep 2010 12:11:50 -0400 Podcast tenable-network-security-podcast-episode-49 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-49.html Welcome to the Tenable Network Security Podcast - Episode 49

Announcements

• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as a Nessus overview and future plans, the advantages of pairing active and passive scanning, an overview and discussion of current security strategies and new industry trends, the past, present and future of regulatory compliance, and a Tenable Network Security product/solutions overview.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Interview: Tenable Security Researcher Dennis Brown


Dennis going "incognito"

In this interview Dennis and Paul discuss:

• New PVS rules to detect database queries
• TASL script that looks for common SQL detection such as Basic SQL Injection Attacks, Logging Data to a File, User/Password Dumps, Detect Locally Executed Commands
• Why the passive monitoring approach is different from what is commonly seen with WAFs and the like

Related discussion forum posts:

• PVS 3.2 SQL Query Detection (April 2010)
• Auditing SQL with PVS and LCE (May 2010)
• Monitoring Suspicious SQL with PVS and LCE (May 2010)

Dennis and Paul also discuss the new Fast Flux detection TASL. More information about this script can be found in the discussion forum posting titled: Fast Flux Network Detection with LCE

Download Tenable Podcast Episode 49

]]> paul@nessus.org Fri, 17 Sep 2010 12:11:01 -0400 Podcast tenable-network-security-podcast-episode-48 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-48.html Welcome to the Tenable Network Security Podcast - Episode 48

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Tenable Network Security on the Inc 5000 List
  • The Three Legged Stool Of Vulnerability Management
• New Nessus training is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as a Nessus overview and future plans, the advantages of pairing active and passive scanning, an overview and discussion of current security strategies and new industry trends, the past, present and future of regulatory compliance, and a Tenable Network Security product/solutions overview.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Ron Gula

Ron and Paul discuss web application testing using Nessus!


---




Stories

• Cisco IOS XR BGP DoS - Any time there are vulnerabilities with a product that implements BGP, it is a cause for concern. BGP is the routing protocol that runs the Internet, and we've been fortunate that there have been no known attacks against it that have caused any serious damage. Well, I guess if you consider Pakistan taking down YouTube serious, then there has been one serious "attack". However, this was a misconfiguration, not a vulnerability in a product or the BGP protocol itself. Well okay, there was a presentation at Defcon 16 that demonstrated a weakness in the protocol that allows for snooping of data in transit. So, maybe BGP is a little broken but my bet is that people will not DoS the Internet. It's too important.
• New Windows Meterpreter Search Functionality - This is a great feature. Once you compromise a machine, you can use the built-in indexing service to more efficiently search the computer for sensitive information. You can also perform specific searches for things like IE browser history. This is the equivalent of breaking into a house and using the homeowner's flashlight to find the valuables.
• CEO, CFO, Pants on Fire? - An interesting article that looks at public audio from publicly traded companies' meetings with shareholders. Now, CEO/CFO lying aside, I think it's both interesting and useful to be able to tell when someone is lying (like when your users tell you, "I picked an awesome password" or the systems administrators tell you, "I applied all available patches to all of our systems"). After analyzing the data gathered from CEO/CFOs, the researchers came up with a few common phrases that indicate when they may be lying, such as "They make more references to audience or general knowledge – “As you know…”" and "They use more words linked to extreme positive emotions – “The outlook for the company is fabulous!”". So, when your IT manager says, "As you know, our password policy for the company is fabulous!", he or she could be lying.
• HTTP Strict Transport Security - Here's a solution to this problem: if someone goes to a page using HTTP, when they should have used HTTPS, rather than automatically re-direct them, put up a static page WITHOUT any HTML links, that states: "For your own safety, Please go to the HTTPS version of this site." No? Right? Maybe?
• Home Security Tips - For the most part, good security applies to both information and your home, and Rich provides some good tips for home security. However, I do disagree with the video surveillance suggestion, which Rich says, "The one thing I'm not really big on is cameras. For my home I worry a lot more about someone getting in than capturing them after the fact. And we live in a densely populated subdivision with neighbors we know well and inform before we leave on big trips. That and an alarm sign out front are better than any crazy camera system." While I am not too worried about capturing a burglar, I do want to keep an eye on things. For one, even if you know your neighbors well, there could be an "insider" attack. Furthermore, a burglar is even more likely to skip over your house if they see alarm signs AND a camera pointing at them. You can even get fake cameras that will do the job just fine. With respects to network security, there are lessons to be learned. First, intrusion detection and monitoring is extremely important and should be in every network. Second, two defensive measures are better than one.
• Attackers go after the DLL injection vulnerability - There's lots of information out there about this. It's interesting how the NSA issued a warning against this vulnerability 12 years ago and was a voice in the wilderness. Nessus has plugins to cover this vulnerability as well, one titled "Insecure Library Loading Could Allow Remote Code Execution" and another called "Microsoft Windows 'CWDIllegalInDllSearch' Registry Setting"

Download Tenable Podcast Episode 48

]]> paul@nessus.org Fri, 17 Sep 2010 12:09:59 -0400 Podcast tenable-network-security-podcast-episode-47 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-47.html Welcome to the Tenable Network Security Podcast - Episode 47

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• A new blog post was published this week:

  • Nessus Web Application Scanning - New plugins & Configuration

• New Nessus training is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as a Nessus overview and future plans, the advantages of pairing active and passive scanning, an overview and discussion of current security strategies and new industry trends, the past, present and future of regulatory compliance, and a Tenable Network Security product/solutions overview.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Passive Vulnerability Scanning Segment with Ron Gula

Ron joins us to discuss some new features added to the Passive Vulnerability Scanner, including:

• VxWorks and QNX passive vulnerability detection
• New passive patent
• New PVS licensing options for network address spaces

Stories

• SQL Injection Cheat Sheet - A great guide to different SQL injection attacks, including a nice write-up of how the SQL syntax should work, followed by attack examples. It also includes information on which databases support the various attacks. I thought this was going to be "just another cheat sheet", boy was I wrong!
• rsmangler - Password Dictionary Customization - This is a great tool for making your password dictionaries more effective. I've learned over the years that the more time you spend customizing password lists, the greater you increase your chances for success. Combine this with CeWL and the pw-inspector utility that comes with Hydra, and you can go to great "lengths" in customizing your password lists.
• Wi-Fi Aerial Surveillance Platform, WASP drone - Taking Wifi detection and attacks to a new level is the WASP, or Wireless Aerial Surveillance Platform, complete with Wifi, multi-user interfaces, and complete with Backtrack Live CD for all your hacking needs. This just in: new wireless intrusion prevention systems now come with anti-aircraft weapons.
• Study Finds That Anti-Virus Software Doesn't Prevent Exploits - This is an interesting article to debate. One could question "should exploits be stopping the exploit, the payload, or both?".
• Apple Files Patent For Human Authentication - Really neat patent filed by Apple that will attempt to authenticate a user by their face, voice, and even heartbeat. While this is unique, like anything else it will most likely be hacked. I don't think Apple is going for security, but in true Apple fashion, usability.
• Speaking of directory traversals - An entire tool dedicated to them! It's important to point out not only to look for them, but consider both HTTP and FTP protocols.

Download Tenable Podcast Episode 47

]]> paul@nessus.org Fri, 27 Aug 2010 11:10:23 -0400 Podcast tenable-network-security-podcast-episode-46 Paul Asadoorian http://blog.tenable.com http://blog.tenable.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-46.html Welcome to the Tenable Network Security Podcast - Episode 56

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Two new blog posts have been published this week, including:

  • Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition
  • San Francisco Security Showcase - Sept 15, 2010

• New Nessus training is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as Nessus overview and future plans, The advantages of pairing active and passive scanning, An overview and discussion of current security strategies and new industry trends, The past, present and future of regulatory compliance, and Tenable Network Security product/solutions overview.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Ruby XSS Vulnerability - I find two things interesting about this article. First, I think it's scary when a programming language itself, or supporting libraries, contains a flaw. This means that all of the programs using it are vulnerable. I think this is also scary because we don't often audit code that is popular and has been in wide use. For example, when performing an assessment you typically don't find a penetration tester looking through Apache source code for vulnerabilities. Several people have likely been there before and it's not worthwhile, however the payoff is big, and how big depends on how widespread the deployment. The second thing about this story that I find interesting is that Apple patched it first. Normally Apple seems behind the curve, releases fixes whenever they feel like it and provides few details on any vulnerabilities being fixed.
• Facebook "dislike" Scam - I like how Facebook is like the new AOL, except with more users and more nefarious activity.
• Adobe ColdFusion "directory traversal" CVE-2010-2862 - You may look at this vulnerability at first and say, "big deal, people could read files on my web server". Dig a bit deeper and find that it leads to command execution on the server hosting the vulnerable code. Again, I will stress that when making a decision about implementing a patch or workaround, take into consideration all of the potential attack vectors and don't always trust the vendor's criticality rating.
• RIPS PHP Source Code Scanner - I have to say, it can't hurt to run this tool (or similar tools) against your PHP apps. Homegrown apps need some type of code checking, especially PHP as it's easy for developers to make mistakes that lead to vulnerabilities. Even with open-source or commercial apps, it never hurts to be certain they are not coding in something ridiculously easy to exploit.
• Collecting Common Usernames From Facebook - I think this is neat research. If you structure your security program and think, "no one should be able to harvest or collect my user's usernames", think again. I believe that if you can collect 150 million usernames from a popular site like Facebook, and come up with the top ten or twenty usernames (like "jsmith"), this is valuable data to attackers and security professionals alike.
• More Fun with Nessus Reports - This is a really nice Python script that sorts the Nessus report by vulnerability, by host. By default, as of the current version, Nessus does not export this report (SecurityCenter does). So, this is a neat little program to generate this type of report. I have heard from the Nessus developers and there are some things in the works along these lines, so stay tuned.

Download Tenable Podcast Episode 46

]]> paul@nessus.org Fri, 27 Aug 2010 11:09:14 -0400 Podcast tenable-network-security-podcast-episode-45 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-45.html Welcome to the Tenable Network Security Podcast - Episode 45

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Blackhat 2010 Round Up -
  • Security Metrics - Is This Network Getting Better?

• The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 10 open positions listed:
  • Sales Engineer
  • Regional Sales Manager
  • Inside Sales Representative
  • Tenable Nessus Trainer
  • Customer Support Engineer
  • Quality Assurance Analyst/Engineer
  • Compliance Auditor
  • Vulnerability Research Engineer
  • Linux Appliance Engineer
  • Flex/Flash Developer
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Crack The Hashes! - There are several tools available to crack hashes, including John The Ripper and Ophcrack. This new tool called "Hashcat" looks really nice! It's able to crack multiple hashes (MD5, SHA, MySQL, NTLM, etc.), is multi-threaded, and claims a high rate of password cracking. I think it's important to note that someone could easily buy a fast server "in the cloud" and use this software to crack lots of passwords, lowing the time and cost associated with password cracking. This should cause you to implement more and better defenses than just an MD5 hashes password protecting your database. Don't forget to check out oclHashcat which uses graphics cards' CPU to crack the passwords!
• Tinkering With Registry Allows LNK Patch to install on XP SP2 - Neat little trick! Of course, you could just install SP3...
• Windows Kernel Bug 0-Day - Exploitable? - I tend not to base my risk decision too much on the "exploitability" factor. The truth is there could be people out there with the knowledge and skills to exploit a vulnerability that most are saying is next to impossible to exploit. Also, maybe they are just stringing us along and really do have a working exploit. In any case, if there is a bug or vulnerability, it should be patched. If patches break things, well, you should test them first. If you run software that is easily broken by a patch, then you should buy new software because there is a greater risk (and cost) of running bad software to run your business then there is that it will be exploited.
• "Smartphone Security" - First, what the heck is a smart phone? I heard someone ask the question earlier today, and I began to think about that it really was. At the end of the day, a smartphone a computer with a cell phone built-in. I mean, its clunky to carry around a laptop and hold it to your ear to talk, so they just made them smaller. In all facets, it's just a small computer. In that sense, it should come as no surprise that it will be attacked just like your computer. Chris Wysopal stated that smartphones are now at the point the PC was in 1999. Amen brother, this is just the beginning.
• Auditing your Kiosks - iKat is a great tool to audit your Internet terminals and Kiosks. It's a web site that you browse to when using a kiosk and provides several different ways to break-out of the kiosk environment and get to the operating system. The new version adds some features, such as newer exploits, Silverlight, and an "emo-kiosking" which crashes the kiosk in an attempt to break out. I suggest that organizations use this tool in your lab to test how difficult (or easy) it would be for someone to walk up to one of these machines and install malware on it or use it to attack the rest of the network.
• Fuzzing Barcode Readers With LED - This is so cool: "The LED is turned on for sections of the barcode that should be white (this simulates reflected light), and off for black sections of the barcode (very little reflected light)." It could be a really neat kind of attack if you could create a barcode that were to inject malicious code into the system. You could create barcodes and stick them anywhere, hoping to get your code to run!


Download Tenable Podcast Episode 45

]]> paul@nessus.org Wed, 11 Aug 2010 13:58:56 -0400 Podcast tenable-network-security-podcast-episode-44 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/08/tenable-network-security-podcast---episode-44.html Welcome to the Tenable Network Security Podcast - Episode 44

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Scanning Large Networks with Nessus
  • Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)
  • 10 Devices Attackers May Think About Attacking
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" will be at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 8 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, list Nessus plugin statistics and more!

Stories

• More Badge Hacking Fun! - Dennis Brown had some fun with the Ninja Party badges, which all used ZigBee with little authentication, meaning you could change player levels and messages on other people's badges.
• GSM Catcher gets a run at Defcon - I saw a Tweet this weekend that describes GSM as Telnet and 3G as SSH. This is pretty scary as GSM is still in widespread use.
• VxWorks Vulnerability Details Released - VxWorks is a very popular embedded operating system. Vulnerabilities were recently discovered that allow a remote attacker to read memory from a device over a UDP port. This also allows you to gain access to the device and trivially crack the password hash that uses proprietary encryption (which is a no-no). I also found this to be the scariest part: "it became obvious that an unknown party had already spent most of 2006 scanning for this service". While we all hem and haw about disclosure, I've always had a sneaking suspicion that the real bad guys are one step ahead of us, and in this case they were about four years ahead.
• Malware for Nintendo DS and Wii - Researchers demonstrated how they could upload code into these devices and then in turn cause them to attack the network. Most people don't think about their gaming console getting a "virus", but I am glad someone is doing this research and publishing it because I've always speculated about this attack vector.
• Android Rootkit - Really cool use cases, like reading all phone history and text messages, make calls on the phone without the user knowing (e.g. 900 numbers). The rootkit is a Linux kernel module that can hide its presence.
• Marcus Ranum: Be Serious About "Cybersecurity" - Pretty neat interview with Marcus covering a lot of different topics. One thing that bothers me though is the two-factor authentication and using to protect endpoints. I think if the endpoint is compromised, it doesn't matter how many factors of authentication you have: your data is compromised. Since I can compromise an endpoint and gain direct access to memory, the network traffic, and keyboard strokes it means I can bypass all the security you have in place.

Download Tenable Podcast Episode 44/a>

]]> paul@nessus.org Mon, 02 Aug 2010 16:38:36 -0400 Podcast tenable-network-security-podcast-episode-43 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/07/tenable-network-security-podcast---episode-43.html.html Welcome to the Tenable Network Security Podcast - Episode 43

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Tenable Reaches 100th Employee
  • Detecting ALL of Your Websites Passively and Continuously
  • Unlimited Discovery Scanning with SecurityCenter and Nessus
  • Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"
  • Detecting Recurring Vulnerabilities
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 9 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, show Nessus plugin statistics and more!

Stories

• Token Kidnapping Still Alive - Token kidnapping allows for privilege escalation on Windows platforms, and word is that this vulnerability still has no fixes and ways to bypass existing protections will be released at this year's BlackHat security conference. I find this interesting because each month, Microsoft puts language in several of their security bulletins that downplays vulnerabilities that do not automatically lead to Administrator or SYSTEM privileges.
• New Microsoft Windows LNK vulnerability - This one is a bit scary for a lot of reasons. All versions of Windows are vulnerable to an attack when loading LNK (shortcut files) in Windows Explorer. This means USB drives, CDs/DVDs, or SMB shares could contain an exploit that only need the user to view the file in Explorer (not even open it, just view the icons). Tenable has released a couple of related plugins:
• Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (2286198) - This plugin detects the LNK vulnerability by using credentials and looking in the registry for the registry value that disables the displaying of icons for shortcut files (.LNK).
• Siemens SIMATIC WinCC Default Password Security Bypass Vulnerability - Detects the default password vulnerability that was being exploited by the malware using the LNK vulnerability.
• Physical Security — Some Quick Observations - Simple techniques are often used to bypass physical security. This article outlines how tools can be used to bypass interior doors, motion sensors and door alarms. I'd really like to see more research in the area of tying in physical security into your security event management systems. Of course, cameras are a good option to see when someone bypasses a door or sensor, but those can be subverted as well (especially the wireless camera systems that use 2.4 GHz wireless frequencies).
• Mozilla Ups Security Bounty from $500 to $3,000 - This is an interesting move by Mozilla; finding a bug now could pay you $3,000. I think we're going to see more of this as the black market could yield the highest payment for a vulnerability, especially in a popular product such as Firefox.
• Blackhat/BSides/Defcon Talks - Chris's Picks - Are you attending these upcoming conferences? It seems there are more talks than ever! Other than attending Tenable's party, visiting our booth and going to some of our researcher's talks at DEF CON, Chris has a great list!
• PE-Scrambler Is Now Open-source - This is a great tool used to obfuscate binaries, it can be used to prevent disassembly and evade antivirus programs.

Download Tenable Podcast Episode 43

]]> paul@nessus.org Mon, 02 Aug 2010 16:37:30 -0400 Podcast tenable-network-security-podcast-episode-42 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/07/tenable-network-security-podcast-episode-42.html Welcome to the Tenable Network Security Podcast - Episode 42

You may even find an answer to the ultimate question of life, the universe and everything in this very episode!

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this week, including:
  • Tenable at Black Hat USA 2010!
  • Research Spotlight: Oracle Patch Auditing
  • Nessus and the Fight against Viruses
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 9 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!



Interview - Jeremy Brown



Jeremy Brown is a research engineer for Tenable Network security. He is giving a presentation at the upcoming Defcon 18 conference "Exploiting SCADA Systems":

"SCADA systems are just as vulnerable to attack today than they were ten years ago. The lack of security awareness by SCADA software vendors, combined with the rush of hacking these systems, make them very attractive to hackers today. The focus of this presentation will be showing the disconnect between SCADA software and secure programming. There will be a live demonstration of Sploitware, a framework dedicated to vulnerability analysis of SCADA systems. This framework could be thought of as a proof of concept, although you will see it is more than mature enough to prove the point."

Interview questions and topics were as follows:

• For our listeners, describe SCADA systems, what they do and what they control
• What are the different components of SCADA systems? (Supervision, PCL, HMI, etc...)
• What types of vulnerabilities could exist in SCADA systems? What impact could they have?
• What is the best way to detect vulnerabilities in SCADA systems, since many of them (hardware or software) are only sold to certain organizations?
• Have there been any known attacks against SCADA systems that have impacted operations of a facility? (http://www.scadasecurity.org/index.php/Incidents)
• What is "Sploitware" and how does it aid in the detection of vulnerabilities specific to SCADA systems?

Download Tenable Podcast Episode 42

]]> paul@nessus.org Mon, 02 Aug 2010 16:36:45 -0400 Podcast tenable-network-security-podcast-episode-41 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/07/welcome-to-the-tenable-network-security-podcast---episode-41.html.html Welcome to the Tenable Network Security Podcast - Episode 41

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Research Spotlight: The Evil That Bots Do
  • Event Analysis Training - Analyzing Outbound SQL Queries
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 10 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Social Security Number Format - Some interesting information about the Social Security number. I think it's important for us, meaning security professionals, to understand how the number is used, formatted, and what the numbers mean. For example, the first three digits of the SSN indicate in which state your card was issued (for the most part) and the last four are used for many things, so deductive reasoning and some guessing could lead to your SSN being "cracked".
• CiscoWorks TFTP directory traversal exploit - This is a good example why you should take the vendor's description and impact of a vulnerability with a grain of salt (or maybe a whole box of salt). Cisco says, "A successful exploitation of this vulnerability may allow an attacker unauthorized access to view or modify application and host operating system files. Modification of some system files could result in a denial of service condition." The blog post linked to above tells a different story, and shows how to remotely upload files to gain remote command execution. If this is your CiscoWorks server, it means the attacker can control the devices on your network that are reporting to it, including obtaining management keys (SSH/Telnet/SNMP).
• Stored XSS Vulnerability on YouTube - Stored XSS (or persistent XSS) is worrisome for a few, ignored by many, and deadly for attackers. The ability to execute code in someone's browser in the context of a site they "trust" is very powerful. Dave Kennedy has developed some code that allows you to include a Java applet that runs executables on a person's system and finds it very successful when penetration testing.
• Tabnapping Attack On The Increase - This is a really neat attack that takes advantage of tabs in most browsers. Tabs are awesome, but in this case are being used against the user, mostly to steal credentials.
• Stego beats NSA detection - Pretty neat story of Russian spies getting caught (I mean, anything with Russian spies is fun stuff ala James Bond!). Turns out they were using information hidden in images (steganography) to hide information.
• Adobe's protection against embedded scripts incomplete - Apparently double quotes can be used to bypass the checks put in place by Adobe to prevent script execution.


Download Tenable Podcast Episode 41

]]> paul@nessus.org Tue, 06 Jul 2010 22:04:36 -0400 Podcast tenable-network-security-podcast-episode-40 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/06/tenable-podcast-episode-40.html Welcome to the Tenable Network Security Podcast - Episode 35

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• One new blog posts has been published this week (several more are in the queue!):

  • Tenable Black Hat USA 2010 Party !

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Dennis Brown - Evil Malware, PDF Attacks, and more!



This week we are jumping right into an interview with Tenable security researcher Dennis Brown. Dennis and Paul talk about some of the more popular malware being used in the wild and how to use Nessus configuration auditing to detect the malware on systems. Below are the articles on the Nessus Discussion boards that we reference (links below require a free registration):

• Auditing Adobe Reader JavaScript Settings
• Warbot Audit now available
• Audit for Storm/Pecoan.AG
• SpyEye Leak, Nessus Audit
• Update to the Blacklist Perl Script/TASL
• Detecting the TDSS/TDL3/Tidserv rootkit with Nessus
]]> paul@nessus.org Mon, 28 Jun 2010 14:29:39 -0400 Podcast tenable-network-security-podcast-episode-39 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/06/tenable-network-security-podcast---episode-39.html Welcome to the Tenable Network Security Podcast - Episode 39

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Penetration Testing Summit 2010
  • Nessus Cisco Compliance Checks
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 9 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!



Stories

• Using DNS to Find High Value Targets - It never ceases to amaze me how much depth there can be in a protocol such as DNS. It sounds simple, right? Take an IP address and associate it with a name and vice versa. However, ever since my first lessons on network security I've looked upon it as a gateway of information, something to control and manipulate, and found all sorts of ways to make it evil. For instance, if you can find a large hosting provider in the cloud and associate it with a single industry or large conglomerate of corporations, by using DNS you can deduce that most of their systems reside on the same hosting server IP or IP addresses. By taking control of the underlying architecture, you can compromise several systems at once, giving you "more bang for your buck".
• Bypassing Restrictive Proxies Part 1, Encoded Executables and DNS Tunneling - Pretty neat way to "shovel a shell". First, you can create a VB script that can be downloaded and executed by the client. Then you can use some readily available tools to tunnel a connection to that malicious script over DNS. If you can't detect this in your network it should be a goal for you because you can be certain that attackers are using these very same techniques.
• The Untold Story of the World's Biggest Diamond Heist - 10 layers of security bypassed, inside jobs, insurance fraud, hairspray to bypass motion sensors, random garbage... this story has it all! It's a very lengthy and detailed article but shows two things: you are never as secure as you think you are, and most people get caught. It's the ones that don't get detected or caught that worry me.
• UnrealIRCd Trojaned Distribution - I've called this a nice way to build a Linux botnet. If you can compromise software that is included in all of the popular Linux distributions, then you can compromise any server installing that software. The more popular the software project you compromise, the bigger your botnet. Defensively, SHA-1 baby! This is scary, From the original advisory: "It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now."

• More Distributed SSH Attacks - So many systems on the Internet have weak passwords that attackers still spend time looking for them, and why not? A weak password on an already encrypted service, such as SSH, is a great way to gain control of a system. No exploits, no software vulnerabilities, memory protections, or return pointers. Just a good ol' fashioned default or weak password. We need to secure SSH; it's not that hard to tell SSH how to not use passwords in favor of keys, change the port, and change weak passwords. In fact, we'll learn how to do configuration auditing for that in the advanced Nessus course!
• Getting Into The Vault - Windows 7 comes with a password vault to keep your passwords "safe". However, if you've compromised a system, you have the same access to the vault as the user. This means you can log in to the same resources as the currently logged in user!

Download Tenable Podcast Episode 39

]]> paul@nessus.org Tue, 22 Jun 2010 13:51:35 -0400 Podcast tenable-network-security-podcast-episode-38 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/06/welcome-to-the-tenable-network-security-podcast---episode-38.html Welcome to the Tenable Network Security Podcast - Episode 38

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this week, including:

  • Microsoft Patch Tuesday Roundup - June 2010 - “Everything is Vulnerable” Edition
  • June 17th Webinar - Continuous Network Monitoring with Nessus and Tenable's Unified Security Monitoring solution
  • Detecting the Recent Adobe 0-Day (APSA10-01) with Nessus

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 9 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Josh Corman on Rugged Software



Josh and Paul talk about software security, getting developers to write "secure" code, embedded systems security challenges, and the Rugged Software initiative.

Download Tenable Podcast Episode 38
]]> paul@nessus.org Wed, 16 Jun 2010 12:59:16 -0400 Podcast tenable-network-security-podcast-episode-37 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/06/tenable-network-security-podcast---episode-37.html Welcome to the Tenable Network Security Podcast - Episode 37

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • OWASP: From FROC to SecurityCenter
  • Getting ‘lucky’: When Nessus Finds 0-Days
  • SecurityCenter Webinar in French! (June 15th)

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 8 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Ron Gula - Cisco Configuration Audits

Stories

• Attack Of The Credit Card Cloners - While phishing attacks from the comfort of your own home (or parents' basement, as the case may be) are well-known and used, sometimes you just have to go to the source. Attackers know that retailers are handling consumers' credit cards and swiping them at every moment. New devices are implanted in the network and used to steal the credit card information, then transmit the data over a modified cell phone over GSM using SMS. Pretty sweet! It is difficult to detect the GSM data transfers, but certainly not impossible.
• Adobe Flash 0-day! - Flash has become something as common as a web browser. I mean, what is a browser if it can't view YouTube or Hulu? Therefore, attackers are all over Flash, finding flaws and exploiting it just like it was Internet Explorer itself. I use a Firefox plugin called "Flashblocker" which I feel helps give time to decide if I want to run Flash on a particular web site.
• Commoditizing Penetration Testing? - I really like how this post defines what a commodity is: something that is the same no matter where it is produced, like paper. You don't want your pen test to be like paper; penetration testing is more dynamic and custom. If you commoditize it, you may end up with a report that is about as useful as a blank piece of paper.
• Smartphones, Apps and Malware - I believe there will come a time when the smartphone is just as bad as the desktop in terms of viruses. As we put more functionality on these devices and phones, attackers will take notice and use them for evil. When we start doing more banking, paying for goods from our phones, starting our cars, etc... the smartphone will become even more of a target. I don't see the botnet model being brought to smartphones, but I do see malicious apps working their way into the ecosystem to spy on people and steal information. Its just a way of life, so how do we deal with it? Clearly anti-virus is not the answer, and unfortunately I don't have many good answers to the problem.
• Zone-H Defacement Statistics Report for Q1 2010 - Web defacements go beyond web application vulnerabilities! I am glad this study backs this statement up. It's something that I have been telling people for years. A friend of mine, who teaches some popular courses in web application security, told me a long time ago that one of the first things to test in a web application assessment is the security of the platform. If an attacker can gain a shell via a hole in Apache or weak SSH credentials, then it's game over! It's important not to have tunnel vision when attacking (and securing) your web applications.
• Top 10 Things You May Not Know About Tcpdump - Tcpdump is one of my favorite tools for troubleshooting, packet analysis, and incident response (among other things!). Take the time to learn the command line version as you can run it just about anywhere, and once you get good with it you will be able to troubleshoot problems very quickly!

Download Tenable Podcast Episode 37

]]> paul@nessus.org Tue, 08 Jun 2010 16:39:15 -0400 Podcast tenable-network-security-podcast-episode-36 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/06/tenable-network-security-podcast---episode-36.html Welcome to the Tenable Network Security Podcast - Episode 36

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • Nessus Spotlight: su+sudo Feature
  • SecurityCenter Webinar in French!

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula - Security Architecture Summit

Stories

• Tips On Choosing Which Vulnerabilities to Test - This article makes some good points in regard to prioritizing vulnerabilities and how it applies whether you are an attacker or a defender. As an attacker, you want to go after what is likely to be easiest to exploit (publicly available, no credentials required, etc.). As a defender, you need to prioritize your remediation the same way!
• Fraud Bazaar Carders.cc Hacked - This story could be good and bad. On one hand, it shows that the bad guys are human like we are and their sites get hacked too. On the other hand, so-called "blackhat" skills are now being spilled out into the public eye.
• A reminder that CSRF affects more than websites - While most only consider CSRF in HTTP (i.e., web sites), it can apply to other protocols as well! This is also true for XSS vulnerabilities; the protocol doesn't really matter for these attack vectors, as long as you can make them work.
• iPhone vulnerability leaves your data wide open, even when using a PIN - I never felt comfortable using a four-digit PIN, but they are all too common in things such as garage door opener panels, ATM PINs and your beloved iPhone. In this case the PIN can be completely bypassed just by plugging the phone into an Ubuntu Linux system. This is the thing that gets me about security: just because people have a security control in place, they seem to forget that it can be bypassed. I can just hear people now, "I have my email on my phone, but I have a PIN so it's secure". Data encryption plus a PIN is far better, but when are we ever truly safe?
• Is Security A Design Problem? - We all tend to say that security is a design problem, and if the Internet was designed to be secure in the first place we wouldn't have this mess. Few things are designed to be secure from the start. Most things are designed to work and function, and then the impacts of security are taken into account. Unfortunately, this is the way of the world and we're left to clean up the mess. I like this quote on the matter:"In absence of other solutions, an intelligence driven incident response model is your best bet."
• Time for a new mantra - Jack has a point - we're all told to "think like an attacker". However, there is something to be said for experiencing what it feels like to be under attack, which is equally as important.

Download Tenable Podcast Episode 36

]]> paul@nessus.org Wed, 02 Jun 2010 15:12:28 -0400 Podcast tenable-network-security-podcast-episode-35 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/05/tenable-network-security-podcast---episode-35.html Welcome to the Tenable Network Security Podcast - Episode 35

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • Common Platform Enumeration (CPE) with Nessus

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Reclaim Your Privacy? - There is no question that some people share way too much information on Facebook. Social networking is so popular that attacks and penetration testers alike are using it for information gathering and social engineering when attacking an organization. The techniques are quite useful and often very successful. One good example is to guess or brute force user passwords (for example, I can view a user's Facebook page, obtain the name of your dog, and try that as your password). It sounds too easy, but unfortunately for the security of enterprise networks, it works. The site linked here claims to help Facebook users with their privacy settings. Now, this could be completely legitimate, but in the words of Admiral Ackbar, "it could be a trap!" Don't trust programs or web sites that claim to check your computer settings or Facebook settings as you could unknowingly be allowing an attacker access to your information.
• Fun With Printers - Part 3 - If there is one thing I love, its printer hacking! This three-part blog post (See Part 1, and Part 2) details how to use printers to steal documents being printed, use printers as relays for idle port scanning, and a complete re-write of the Hijetter tool that allows you to send commands to the printer using PJL and upload files. It's nice to see some focus on this and I can't wait to test out these new tools. Printers are one of those device types that no one pays attention to, but should be part of your overall security program.

• Analyzing MIT Wireless Traffic - I think it's really neat that MIT showed this particular student the proper way to obtain permission and analyze traffic. I really like the use of simple command line tools to gather network traffic information. You can gain great insight into your network and find out all sorts of information, even security related, just by reviewing the layer 3 protocol information.
• Default Database Passwords Still In Use - Default passwords really annoy me and I can't understand why they are still in use! Especially when it comes to databases... why not just let the database admin choose a password that isn't the default?
• FBI seizes $143 million of fake Cisco hardware - I have a growing concern that while we are all so concerned with software security, it may be the case that hardware is now being compromised. This may be the case with fake Cisco hardware originating from China. You may not be able to tell that that brand new router is a fake until it's too late. If you place it in your network, what if under the covers it is compromised and uses a backdoor to re-route traffic or letting attackers connect remotely? This is scary, especially because it falls outside the scope of many security programs.
• Why compliance is chosen over security - I believe that compliance and security is a delicate balance. Let's not forget about making good business decisions either!

Download Tenable Podcast Episode 35

]]> paul@nessus.org Thu, 27 May 2010 15:12:28 -0400 Podcast tenable-network-security-podcast-episode-34 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/05/tenable-network-security-podcast---episode-34.html Welcome to the Tenable Network Security Podcast - Episode 34

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • Microsoft Patch Tuesday Roundup – May 2010 – Language Barrier Edition

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• CVE Details - A nice view of the CVE data, with pretty graphs!
• What's Hiding In Your Copier?It seems that there are many reasons why people are not jumping to fix security problems on embedded systems. First, they buy them, plug them in, and they work. Audits and regulations often do not apply to embedded systems such as printers/copiers/fax machines/scanners, which are often excluded from vulnerability scans to avoid problems. The best reason for this problem persisting throughout time is that many times people don't even know they are connected to the network.
• Host Enumeration Via DHCP - This is a neat little Python script that sends out a DHCP discover and waits for responses. DHCP servers are more than happy to tell you information about the network, such as IP address information, DNS server IP addresses and more. This script can also be used to sniff out rogue DHCP servers.
• Testing Your Anti-Virus Program - Someone recently posted a question on a mailing list stating that they wanted to run "Netcat" on a host and bypass the installed anti-virus software, preventing it from identifying "nc.exe" as malware. If you run anti-virus software in your environment I think its a good idea to test it. I recommend the following three methods to test your anti-virus software:
  • UPX - A packer used more for compression than bypassing anti-virus, but still works in some cases.
  • PE-Scrambler - Used in the "Defcon Race-To-Zero" competition where players were tasked with bypassing anti-virus software.
  • Metasploit Msfencode - Metasploit has many encoders that can be used to alter a binary program in an effort to evade detection.
  Using these methods above, you can test not only if your anti-virus software is working properly but how difficult it would be to bypass. Also, you can test between releases and updates to be certain the behavior has not changed. Finally, these tools will help you test how your defense's react when something does slip past anti-virus software. If the answer is "nothing", then you've got some work to do in order to build more defenses.
• New Attack Bypasses Anti-Virus Software - This method uses the old "bait and switch" technique to bypass anti-virus software. It feeds a good binary to the A/V system, then when execution happens, swaps it out for the evil binary. Pretty neat stuff!
• Car hackers can kill brakes, engine, and more - This story really scares me! I recently bought a new car. It's not brand new (2007) but has the totally keyless entry and ignition system. The best I can tell is that it uses RFID to sense when my key fob gets in proximity of the door, then the door opens. The ignition works the same way; if the key fob is in range I can push the button to start the car. It has become clear to me that cars are implementing a lot of technology, which means people are going to hack it. The security falls out of scope for most businesses, but what happens when attackers are hacking into cars and listening in on all conversations that happened in the car? Many of us conduct conference calls and talk about business and sensitive information. Of course, until an attacker can figure out how to make money off of hacking cars, I don't think we will see widespread adoption. When the time comes when taxi cab drivers are replaced by computers, someone will figure out how to hack it to get a free ride (and yes, I watch way too much science fiction).
• Software Security Is The Problem - It may sound strange, but centralized control and management may just be what the doctor ordered to solve some of our software security problems. I went through this when I worked for a university. Most universities are very decentralized, and to a certain extent so are most corporations. This can be a double-edged sword. On the one hand, centralized management provides uniformity and control, and therefore vulnerabilities and exposures can be mitigated on a grand scale. However, having central control is more difficult because policies must satisfy the masses, not just one particular group. For example, maybe the finance department can handle a password change per week, but the general community would incur too much support and can only handle a 180-day password change. Now we're in management hell, things get complicated, and once we've complicated things, compromises usually follow. In the case of software security, I say we should create that central office. Let it create, support, and govern software for the government, and maybe, just maybe, we'll improve slightly.

Download Tenable Podcast Episode 34

]]> paul@nessus.org Wed, 19 May 2010 15:12:28 -0400 Podcast tenable-network-security-podcast-episode-33 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/05/tenable-network-security-podcast---episode-33.html Welcome to the Tenable Network Security Podcast - Episode 33

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • SOURCE Boston Re-Cap
  • Nessus Spotlight: Scan Template Feature

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Why buffer overflow exploitation took so long to mature - I am a big believer in learning from history, otherwise you are doomed to repeat it. As we all know, buffer overflow exploitation is commonplace today, even bypassing some of the more advanced defenses against it such as ASLR and DEP. What troubles me is that there are all kinds of new attack tactics and methodologies that just haven't caught on yet (such as last week's network card firmware malware). Most people ignore these attacks until they are commonplace, but by then it's too late! Defenders need to start getting ahead of the curve, and as time goes on this is a heavy requirement for success in defending against the modern attacker.
• Privilege Escalation Without Exploits - This mini-tutorial shows you how to use Metasploit to use the SA account on MSSQL to escalate privileges to SYSTEM. There are two critical mistakes made in the system configuration. One, the cleartext SA password is left in an ASP script, and two, MSSQL is running as SYSTEM. This is a common method of privilege escalation that proves that system hardening should not be a lost art.
• ATM Rootkit to Appear at Blackhat - Barnaby Jack has done some testing with ATMs and found security vulnerabilities. He used to work for Juniper, who would not let him speak because the vendors had not patched the flaws. He now works for IOActive and they are happy to have him speak on the topic. A year has passed since being silenced, and he now has two working exploits for ATMs from different vendors. Jeff Moss has the best quote in the article: "Apparently you can make all the money come out".
• Little Snitch - Little Snitch is a neat little program for Mac OS X that tells you which applications are making outbound TCP/IP connections. I believe it's important for users to be aware of this behavior and understand why an application is making a connection. I will caution that this is not for the average user, but advanced users should run this tool and keep tabs on what applications are doing. There is so much software out there that we cannot analyze all of its behavior, but if we split up the workload and share information, we can seek out evil or Trojaned applications and cut the malicious behavior short.
• It Can Happen To Anyone - A well-executed phishing attack can be successful against even the most cautious users. It's scary to think that this is true, but it most certainly is. Even if you keep everything all patched and up-to-date, attackers are going after your credentials and the security of a web application is completely out of your control. For example, a persistent XSS attack is all I need to harvest user credentials on a web site (similar to the Apache breach last week).
• Phpnuke compromised! - As if PHP security wasn't difficult enough, a content management system called "phpnuke" had its web site compromised. It was discovered to be distributing malware via a hidden iFrame. Scary quote of the week: "The downloaded executable is detected by 12% of antivirus products, according to VirusTotal."

Download Tenable Podcast Episode 33

]]> paul@nessus.org Mon, 10 May 2010 13:40:00 -0400 Podcast tenable-network-security-podcast-episode-32 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/05/tenable-network-security-podcast---episode-32.html Welcome to the Tenable Network Security Podcast - Episode 32

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • SecurityCenter 4 Released - Taking Unified Security Monitoring to a higher level

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. We would love to hear your feedback, questions, comments and suggestions! We put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 6 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Using "grep" to Find Vulnerabilities in Web Applications - Most tend to believe that finding vulnerabilities requires a degree in computer science and knowledge of assembly language (I tend to picture the person's keyboard as having only two keys, one labeled with a "0" and the other with a "1"). However, this is certainly not the case as shown in this post from the folks over at Bonsai Sec (the creators of w3af). They searched through a software package's source code using Bash commands and were able to uncover a remote command execution vulnerability. Pretty sweet!
• Remotely Exploitable Network Cards! - This attack works by sending packets to a system, which in turn exploits a buffer overflow vulnerability on the network card itself. The network cards have their own memory and RISC-based processor. This means that code can survive a reboot, and potentially access memory directly before the operating system (or even boot loader) loads. The result is a system compromise that can work its way around several layers of protection, and say "so long" to the days where you can just reformat the machine and start fresh. What do we do now? Do we have to include a re-flash of the hardware as well? Is this even possible on such devices as network cards? (For example, some printers ship with static firmware, meaning the end-user is given no means to update it unless they are handy with a soldering iron!).
• Apache.org's Write-Up of How They Got Hacked - I believe that all organizations that suffer a security breach should do this type of write-up. I'm not saying that you have to post it publicly, but circulate it internally for sure. The four most important questions that you should be answering are "What Happened?", "What Worked?", "What didn't work?" and "What are we changing?". The list of what didn't work is usually much longer than the list of what did work. The most important thing is to change something for the better and really pay close attention to the "lessons learned". Otherwise, the breach is just going to happen again! Too many organizations rush through incident response and "just get it cleaned up" without analyzing the incident and truly understanding why it happened and applying those lessons to their security strategies. This applies in different scenarios such as martial arts. It's inevitable that no matter how good you are, if you are in a fight you're going to get hit. The best defense is to just not be there in the first place to get hit. When that fails, you have to be conditioned to take the hit without absorbing too much damage. Once the match is over, your coach should analyze why you got hit and adjust accordingly (for example, maybe you were too slow and should cut back on your beer consumption).
• How to Get Started In Information Security, the New School Way - There is a lot to be said on the topic of getting your start in information security. I wrote an article on this subject some time ago and hoped that it helped people. There have been several other articles on this topic and I strongly suggest that if you are new to the field that you read them, and take from them the items that will help you the most. Each person is different; some people make certifications work for them, others are good programmers and contribute code, and some prefer to contribute to existing projects. The most important thing to know is to do what works best for you, and there is nothing wrong with trying something and failing or deciding you don't like it. It's all part of the process.
• Vulnerable Sites Database - This is an interesting site that has been posting information about sites that contain web application vulnerabilities. They post the main URL to the site along with the vulnerability that was found, but no further information. This is a slippery slope in my opinion. On one hand, they are publicly pointing out vulnerabilities, which can be effective in getting things fixed. On the other hand, they are also giving attackers a way to easily find targets. Furthermore, there is no way to know if the owners of the sites are aware that their web application is vulnerable.

Download Tenable Podcast Episode 32

]]> paul@nessus.org Tue, 04 May 2010 14:16:33 -0400 Podcast tenable-network-security-podcast-episode-31 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/04/tenable-network-security-podcast---episode-31.html Welcome to the Tenable Network Security Podcast - Episode 31

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:

  • Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition
  • Nessus Version 4.2.2 Released
  • Event Analysis Training – Passive Worm Detection
  • Afterbytes: The "Cyberwar Battlefield"
  • Tenable at SOURCE Boston
  • PVS 3.2 Released – Enhanced vulnerability discovery, real-time forensics and file share and database activity monitoring
  • Vulnerability Metrics Webinar - April 28, 2:00 PM EST

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. We would love to hear your feedback, questions, comments and suggestions! We put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 6 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula, CEO of Tenable Network Security

Ron comes on the show to give us an update on several new Tenable software releases:

47. The recent Nessus 4.2.2 release
48. The Passive Vulnerability Scanner 3.2
49. SecurityCenter 4.0 release

Ron also presented at SOURCE Boston last week and provides a brief overview of his talk.

Stories

• Can switching to Linux protect your online identity? - The answer is of course, "No". The article makes a good point that the operating system plays a smaller role than the browser in terms of protecting your identity online. As more services move to the "cloud", the OS becomes even less important, and I couldn't agree more. The most secure operating system (in my opinion) is the one that you are most comfortable maintaining, updating, using, and performing forensics against. For me, this happens to be Apple's Mac OS X. It is probably not the most secure, but I am comfortable using and maintaining it, which makes it the safest choice for me as I can gain insight into the system to identify any security problems (to the best of my ability). If Linux is the best choice for you I applaud your efforts; for me, I spend too much time maintaining my OS which takes away from more productive work, like producing podcasts!
• Stagger Your Anti-Virus Updates - Given the recent McAfee blunder, it's a good time to review your processes that surround anti-virus updates. I've always preached that you should keep your anti-virus signatures and software up-to-date. However, this is not an easy task. Virus definition and software updates can cause problems, so it's best to first deploy updates to test systems before releasing them into production. The next test group should be the IT department because if something does go wrong they are the best equipped to handle the problems. Not to say it should be the entire IT department, but a group at a time could be selected to weed out potential issues. Then you can begin to apply the updates to groups within your organization, and maybe even wait 12 hours before starting the process to be certain there are no problems reported by other organizations. The big question I have is, why didn't McAfee test this update before it went out the door?
• Stuffing JavaScript into DNS - This is a neat little attack vector as it has the potential for executing script code in some interesting places. Management consoles and log management systems could be vulnerable, as is any web-based tool that displays results from a DNS query. For example, some firewalls will allow the user to review the logs and translate IP to names, and if the name is a Javascript inject, then code will execute on the firewall administrator's browser. This reminds me of a flaw in the DD-WRT web interface that had a similar problem when displaying neighboring SSIDs.
• A Wake Up Call For Embedded Systems - Have you ever wondered why your wireless routers, printers, and network cameras come with default passwords and weak management protocols? Isn't it time for a change? Care to share your experiences with insecure embedded systems to help move towards change? This is a new project that will aim to highlight common vulnerabilities and implementation flaws that have plagued embedded systems for year. The site provides users with a platform to write about embedded systems insecurity.
• 9-year old boy accused of hacking Blackboard - If your web applications, especially those that run student grades and online courses, can be hacked by a 9-year old you've got some serious problems. While you can't manually test every web application in your environment, you can target the important ones. Of course, you'll need vendor support for the problems that you find, but the first step is to identify the issues.

Download Tenable Podcast Episode 31

]]> paul@nessus.org Tue, 27 Apr 2010 08:58:42 -0400 Podcast tenable-network-security-podcast-episode-30 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/04/tenable-network-security-podcast---episode-30.html.html Welcome to the Tenable Network Security Podcast - Episode 30

Announcements

• Several new blog posts have been published this week, including:
  • Plugin Spotlight: SMB Insecurely Configured Service
  • Vulnerability Metrics Webinar - April 28, 2:00 PM EST
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 8 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Don't Change Your Password - I have mixed feelings about this article. The security professional in me, with experience in implementing security in the trenches at several different corporations and universities, wants to shred it until it cries "uncle". Changing your password on a regular basis does have some benefit, doesn't it? I remember being on a penetration test and compromising an older server that contained a whole bunch of Windows password hashes (stored in LANMAN format, none the less). They were easy to crack because they were stored in an older format, but the problem was that they were old passwords. Fortunately, they had no password reset policy. And fortunately for me, one of the passwords I cracked belonged to a user in the domain admin group within the domain. So, as crazy as it sounds, changing passwords does help. On the flip side the argument is that changing passwords is too hard for users and takes too much time. In most cases I agree with this statement. I believe that IT departments need to make it easy for end-users to implement this security measure, which really only protects you from a dedicated attacker. Making users spend too much time implementing a defensive measure that has little impact doesn't make much business sense.
• Escaping From the PDF - This is a really neat technique developed by Didier Stevens that uses the "/Launch" feature in a PDF to execute a command. Recently Didier figured out that Foxit released a patch, but that the Adobe exploit now worked in Foxit! Crazy stuff happening here and I'm wonder just what legitimate purpose the "/Launch" feature has in a PDF document! Why does a user need to launch an executable when reading a PDF document (or any document for that matter)?
• Sun Solaris now on a Quarterly Patch Cycle - Is it enough? We see major companies (Microsoft, Cisco, Oracle, Adobe and others) whose software and hardware make up a large percentage of the install base across the globe, and patches are released monthly at best, sometimes quarterly, and bi-yearly if you are Cisco. If you're an evil bad guy, patch cycles that are driven by the vendor provide a nice window of exploitation. If you can find and exploit vulnerabilities before the vendor issues the patch, you're golden... that is, if you can get in and stay in without getting caught. Shortening this window of exploitation would prevent a lot of attacks. Of course we still have to get the organizations to apply the patches, but that's a whole different story.
• Too Much Money Spent on Compliance - Frequency of an incident versus the level of damage are two factors that seem to never be taken into consideration properly. It's a tough call; the incidents that are least likely to occur can cause the most damage and have the most financial impact. The more frequently successful attacks are typically of low impact. For example, lots of malware is installed on computers that become part of a botnet and the malware doesn't even look at the data on the system. However, an attacker targeting your organization can do serious damage and maybe even collect sensitive information, take your network hostage, and leak trade secrets. This occurs less frequently than automated malware, but is far more damaging. Compliance seems to be a good guideline to help prevent automated malware, but does not go deep enough to protect against more serious threats.
• Cisco WLAN Flaws & The Bigger Picture - Proprietary and usually embedded systems are often weak links when it comes to security. Cisco's implementation is no exception. Researchers have found that they are still using LEAP in some capacity and the management interfaces contain SNMP and web application flaws. An attacker could exploit these vulnerabilities to obtain encryption keys. I believe that wireless attacks are most beneficial to attackers, as it allows for an easier MiTM attack to take place because you can access all wireless clients in one fell swoop. Also, many devices, especially in the medical field, only use wireless where these types of attacks are especially useful. Everyone spends time to secure desktops and servers, but then ignore the embedded systems (which is a good example of this failure). What will happen when computing as a whole moves to using more embedded systems over the desktop? The researchers also state that the vulnerabilities were not as easy to find as using a standard Nessus scan. Remind me some time to tell you the story of a vulnerability I found on a wireless controller by doing an operating system fingerprint using Nmap.

Download Tenable Podcast Episode 30

]]> paul@nessus.org Wed, 07 Apr 2010 08:58:42 -0400 Podcast tenable-network-security-podcast-episode-29 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/04/tenable-network-security-podcast---episode-29.html.html Welcome to the Tenable Network Security Podcast - Episode 29

Announcements

• Several new blog posts have been published this week, including:

  • Using Nessus Thorough Checks for In-depth Audits
  • Vulnerability Metrics Webinar - April 28, 2:00 PM EST

• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Why I Use Firefox - At the recent "Pwn20wn" contest at CanSecWest security conference, a researcher known as "Nils" successfully exploited Mozilla Firefox 3.6.2, bypassing Windows operating system defenses such as ASLR and DEP. This is truly quite the accomplishment, and as the article states: a motivated attacker will find ways to bypass defenses. All browsers were exploited in the "Pwn20wn" contest, including Internet Explorer and Safari (but possibly not Chrome... we're still researching!). However, Mozilla has already fixed the bug that led to this vulnerability and released the patch. Both Microsoft and Apple are still "taking it into consideration". This is why I run Firefox; there is so such thing as a truly "secure" web browser, so I go with the one who can crank out patches the fastest.
• The Most Depressing Post of the Week - WHID - The Web Hacking Incidents Database is a project run by OWASP in order to track incidents that have occurred as a result of web application attacks. The post linked here is a sample of some of the entries, which include stories such as, "A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts."
• Scraping Time Servers - HD Moore has published a Metasploit module that will execute a DoS attack using the NTP protocol, which can be initiated with a single packet. I first heard of the NTP work HD was doing on the Risky Business podcast. At a Security B-Sides event held along side the RSA conference HD presented his research into NTP. He figured out that there are some neat features built into NTP that are not associated with keeping time. The most useful are the ability to query an NTP server and receive a list of clients that are using it to keep time, in addition to any peers of the NTP server. This allows you to map and discover many hosts on the Internet. Very cool research!
• Certified Pre-0wned - There have been several reports of devices shipping from the factory with malware installed on them . The latest is the "Energizer trojan", which infects systems, adds itself to the startup registry key, appears to contain Chinese-created software and sets up a listener on TCP port 7777. The lesson to learn here is that no matter how well your systems are protected, malware may find its way into your network. If you are not looking for it, this does not mean it will not exist. Simply relying on anti-virus software alone is a huge mistake, as there are many factors that contribute to the effectiveness of anti-virus software (such as keeping the software and definitions updated). Regular scans using a vulnerability scanner such as Nessus (which can detect several different kinds of malware) is a good measure to add to your overall security strategy.
]]> paul@nessus.org Wed, 07 Apr 2010 08:58:42 -0400 Podcast tenable-network-security-podcast-episode-28-1 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/03/tenable-network-security-podcast---episode-28.html Welcome to the Tenable Network Security Podcast - Episode 28

Announcements

• Several new blog posts have been published this week, including:
  • "Cloud" Security Recommendations
  • New Content Audit Policy File - PHI/PII for Unix Systems
  • Afterbytes: Chinese Academics Paper on Cyberwar Sets Off Alarms in U.S.
  • Treating Software as a Strategic Technology
• New Nessus training now being offered at conferences! - A new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview with Ron Gula - Vulnerability Scoring





Review the low/medium/high scoring used by Nessus

• How does Nessus determine if a vulnerability is Low, Medium, or High?
• Should you only focus on the "High" rated vulnerabilities?
• How can the ratings be perfect for every company in the world? (For example, what is "High" for some may be "Low" for others)

NIST CVSS scores and how two people can look at the same vulnerability and come up with different results

• What is the magic behind the CVSS scores?
• How do different organizations come up with different CVSS scores if they're based on math? (Ex. OSVDB gives a vulnerability a higher score, but vendors seem to always score their own vulnerabilities much lower)

Applying CVSS scores to systems, applications, and when evaluating a network

• How can security professionals apply the scoring and ratings systems to operational security?

Download Tenable Podcast Episode 28

]]> paul@nessus.org Tue, 30 Mar 2010 07:39:43 -0400 Podcast tenable-network-security-podcast-episode-28 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/03/tenable-network-security-podcast---episode-28.html Welcome to the Tenable Network Security Podcast - Episode 28

Announcements

• Several new blog posts have been published this week, including:
  • "Cloud" Security Recommendations
  • New Content Audit Policy File - PHI/PII for Unix Systems
  • Afterbytes: Chinese Academics Paper on Cyberwar Sets Off Alarms in U.S.
  • Treating Software as a Strategic Technology
• New Nessus training now being offered at conferences! - A new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview with Ron Gula - Vulnerability Scoring





Review the low/medium/high scoring used by Nessus

• How does Nessus determine if a vulnerability is Low, Medium, or High?
• Should you only focus on the "High" rated vulnerabilities?
• How can the ratings be perfect for every company in the world? (For example, what is "High" for some may be "Low" for others)

NIST CVSS scores and how two people can look at the same vulnerability and come up with different results

• What is the magic behind the CVSS scores?
• How do different organizations come up with different CVSS scores if they're based on math? (Ex. OSVDB gives a vulnerability a higher score, but vendors seem to always score their own vulnerabilities much lower)

Applying CVSS scores to systems, applications, and when evaluating a network

• How can security professionals apply the scoring and ratings systems to operational security?

Download Tenable Podcast Episode 28

]]> paul@nessus.org Tue, 30 Mar 2010 07:39:43 -0400 Podcast tenable-network-security-podcast-episode-27 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/03/tenable-network-security-podcast---episode-27.html Welcome to the Tenable Network Security Podcast - Episode 27

Announcements

• Two new blog posts have been released titled "The Value Of Credentialed Vulnerability Scanning and Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition.
• New Nessus training now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. Its a two-day course that will put the student into a real-world environment, forced to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.

• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Password Lists - Can't Get Enough - While this blog focuses on comparing some larger password lists, mostly taken from leaked accounts as a result of data breaches, its a good resource. The author links to several different passwords lists, including one called "The 500 worst passwords" (Warning: This list contains some foul language).
• Client Side Web Application Attacks - Malware authors continue to show their creative side with these attacks. The malware manipulates web pages and inserts extra fields, such as password or account numbers, into web page transactions.
• DNS Tunneling - 3 Part Series - DNS tunneling is one of those techniques that has evolved greatly over time. The initial theory was presented some time ago, and tools have been created and improved on over the years. It is now a viable option to send traffic out of a network. The DNS tunneling technique has even been packaged as an exploit payload as demonstrated by Ron Bowes.
• Finding Malware on your network via cached DNS entries - Excellent article that demonstrates use of a Perl script to find "evil" cached DNS entries. Basically, it takes a list of known malware domains, then queries your DNS servers to resolve them. If the entry comes back as cached, then someone else has already queried for that domain and you have a host that is infected.
• WMI Enabled Plugins Enumerate Anti-Virus, Anti-Spyware, and Firewalls - Tenable has released three new plugins that use WMI to enumerate software and firewall configurations on remote hosts:
  • WMI Firewall Enumeration (45052)
  • WMI Anti-virus Enumeration (45051)
  • WMI Anti-spyware Enumeration (45050)

Download Tenable Podcast Episode 27

]]> paul@nessus.org Wed, 24 Mar 2010 08:46:28 -0400 Podcast tenable-network-security-podcast-episode-26 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/03/tenable-network-security-podcast---episode-25.html Welcome to the Tenable Network Security Podcast - Episode 25

Announcements

• Two new blog posts have been released titled "The Value Of Credentialed Vulnerability Scanning" and Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition". Also,
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview - Ron Gula - CCDC Recap



Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.

Stories

• Six Steps To "Cloud" Security - Nothing New - A researcher published a paper in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing". In it she outlines six security considerations for cloud computing, which to me represent nothing really new. The first, resource sharing on "cloud" providers could lead to your data being accessed. This is similar to VLANs on switches, which are essentially software, which means you need to carefully design your network to be certain your most critical assets are not on the same switch as something less critical. This is a risk decision, and should be constantly evaluated, whether you are using a "cloud" provider or designing VLANs on a switch. Second, she points out that since data is held off-site, ownership may have become compromised. This is another issue which I have dealt with when I worked for an ISP/hosting provider. Physically being separate from your data means that you need to make yet even more risk-based decisions. If the data you are hosting off-site is public anyway, then there is little need for concern. However, if the data is sensitive or confidential, you may want to take extra pre-cautions to safeguard it at remote sites (encryption, physical security, etc...). How is this different than using a remote storage facility for your backup tapes? There are more, and my advice is to look at the "cloud" security information and relate it to similar security and risk decisions in your organization and I believe you will find that you are well equipped to handle securing your organization, whether its cloudy or sunny.
• Security Policy Gone Wrong - This story centers around the following quote from a client: "Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company." I like coming up with creative solutions, but this one just doesn't stick!
• Network Analysis Of A Logitech Mouse Server - While this may not sound particularly concerning, the protocol that allows you to control the keyboard and mouse of a system running this software does not authenticate the commands. This means a packet crafting tool, such as scapy, can be used to send keystrokes to the device. Most users find this type of technology convenient, but fail to realize the security risks. In your environment you have to control the installation of this type of software.

]]> paul@nessus.org Wed, 17 Mar 2010 08:46:28 -0400 Podcast tenable-network-security-podcast-episode-25 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/03/tenable-network-security-podcast---episode-25.html Welcome to the Tenable Network Security Podcast - Episode 25

Announcements

• Two new blog posts have been released titled "Implementing Perimeter Intrusion Detection" and SecurityCenter 4 Introduction". Also, Nessus 4.2.1 was released with support for Solaris and some significant performance enhancements.
• Come see us at RSA - Booth #956! I, Ron Gula, Renaud Deraison and many others from Tenable will be there demonstrating SecurityCenter 4.0 along with Nessus 4.2, the latest Passive Vulnerability Scanner and the Log Correlation Engine.
• The webinar performed on February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" in which Tenable CEO Ron Gula and Tenable CSO Marcus Ranum discussed strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks is available for download.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Detecting the TDSS/TDL3/Tidserv rootkit with Nessus (Login Required) - This is really great usage of an audit file! It searches the Windows registry for keys associated with the rootkits and alerts on it. This is the rootkit that was causing the "Blue Screen Of Death" problems when users applied some of the recent Microsoft patches. Nessus ProfessionalFeed customers can download the audit file and use it to detect this rootkit in your environment before applying the patches from Microsoft.
• New Internet Explorer Vulnerability - This is perhaps one of my favorite vulnerability write-ups in a long time. First it states, "a user on the target system needs to be convinced to press the F1 key in response to a pop up dialog box on a specifically prepared website" and then goes on to say "As of now all users need to remember is to not press F1 when they are accessing websites." Can we just remove the F1 key from the keyboard?
• SCADA Devices on Verizon and Other Wireless Networks - This is interesting, as I have been doing some of my own research in this area. Many SCADA security tactics rely on the so-called "air-gapped" network. This usually does not work out so well when stuff needs to actually talk to other stuff. So slowly they creep onto the network, but since the assumption is that it's "Air-gapped" no one really bothers to look for these devices on the network. Also, since it's a "harmless" embedded system people will assume that they do not have to secure it, so they leave default passwords. This is just a bad combination! Take time to secure everything in your environment and apply your security strategy to all systems, even the embedded ones.
• GuestStealer Information Wrapup - This is a great summary post of all of the information surrounding the guest stealing vulnerability released at Shmoocon. Nessus was used to detect a directory traversal vulnerability that lead to multiple vulnerabilities in VMware systems that could allow an attacker access to download the entire collection of guest operating systems on the host. Nessus has new checks that look for this specific vulnerability as well.

Download Tenable Podcast Episode 25

]]> paul@nessus.org Tue, 02 Mar 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-24 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/02/tenable-network-security-podcast---episode-24.html Welcome to the Tenable Network Security Podcast - Episode 24

Announcements

• Two new blog posts have been released titled "Not Just for Health Care Providers Any More - HITECH for Business Partners" and Nessus Plugin Spotlight: Linksys Router Detection.
• Come see us at RSA - Booth #956! I, Ron Gula, Renaud Deraison and many others from Tenable will be there demonstrating SecurityCenter 4.0 along with Nessus 4.2, the latest Passive Vulnerability Scanner and the Log Correlation Engine.
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula

Ron Gula comes on the show to talk about Security Center 4 and give some examples on how you can use the new features to manage security, vulnerabilities and alerts in your environment.



Stories

• Top five idealistic security recommendations - This article highlights some of that major downfalls in most organization's security strategies. The short of it is we expect users not to open attachments, not to surf to "bad" web sites, never use "social networking" web sites, use good passwords for everything and apply all software patches as soon as the are released. These are unreasonable expectations for sure. The nature of computing in most organizations needs to change or computers will continually be compromised by attackers. Many people have been writing and talking about revoking rights of computer users in the workplace, and this seems like the only sane notion to secure the desktop. While users will self-regulate to a point, they need more help to keep their computer from attackers because there is too much at stake. There once was a time when attackers did not have as much to gain, and you could get away with the idealistic security recommendations. Now, attackers are making big business out of Internet crime, and its time that we adapt our security policies to reflect the times.
• Beware Of The Chuck Norris Worm! - Details are light on how the infections are happening, but there is a work spreading that infects user's routers rather than the PCs. This is very timely as it will be included in my upcoming presentation at SOURCE Boston. I chose the topic for my talk well before this story broke. This further underscores my point that attacking embedded systems can yield far better results than attacking a PC and accomplish the same goals. The "Chuck Norris" worm spreads by installing itself on wireless routers that are exposed to the Internet and using default passwords. It also has been reported to exploit a vulnerability in D-Link routers, most likely the HNAP vulnerability that was posted not too long ago. I will have the full details of my thoughts, research and suggestions for improvement in the area of embedded systems security at my talk. For now, I will leave you with on of my favorite Chuck Norris quotes: "When the boogeyman goes to sleep, he checks his closet for Chuck Norris"
• Spike In Power Grid Attacks Likely In Next 12 Months - Sure its a snazzy title, but how likely are attacks and what protections are being put in place? Scarce on details, this article does have a quote that reads, "Some companies say there's never been a successful attack against the grid...". My question is, if the attack was truly successful, how would you know if there was such an attack? To me, a successful attack occurs without being detected. There are, of course, ways to attack the grid that would draw attention, such as denial of service. However, the new "Smart Grid" has a model where you can "sell back" your unused power to the utility company. So, if you are conserving energy you will get a credit on your bill. What if I trick the system into thinking my power consumption is less, when in reality I am running electric heaters and a server farm in my basement? I also found this quote very interesting, "The [traditional] power grid today is extremely vulnerable. I could turn off the lights in a major metropolitan area, and they would not come back on for a very long time. You don't need a computer -- just something you could buy at your local hardware store," he says. "Putting a smart meter on everyone's home doesn't make the grid more vulnerable. It just opens up another window that requires a higher level of sophistication [to breach]." I think one thing missing from this statement is geographic location. Sure, I could go to the hardware store and rig some stuff up in my house to disrupt power on the grid. However, with smart meters connected to the network the world is now able to access the hardware, opening up your potential attackers from thousands, to millions of people.
• Bypassing Anti-Virus
- There are many ways for attackers to bypass anti-virus software. The method documented here takes a payload and embeds it into an already trusted executable, which makes it extremely difficult to detect. You should not rely on anti-virus software as a main line of defense. In order to detect malware, you need to analyze behavior, on the system and the network, in order to detect it. For example, your chances of detecting malware using rootkit technologies on the system are pretty slim. However, if new accounts are created and/or accessed, systems are talking to the Internet on strange ports, or other activities are noticed in the logs, you have a much better chance.

Download Tenable Podcast Episode 24

]]> paul@nessus.org Mon, 22 Feb 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-23 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/02/tenable-network-security-podcast---episode-23.html Welcome to the Tenable Network Security Podcast - Episode 23

Announcements

• Two new blog posts have been released titled "Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition" and Shmoocon 2010 Security Conference.
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Josh Corman

Ron Gula interviews Josh Corman and discusses information asymmetry, compliance and more. Josh is an analysts with the 451Group and recently published a 451 Spotlight (registration required) which describes the evolution of trust between consumers and vendors the security industry has gone through over the past 15 years.

Stories

• Casual Hex and the Failure of Security Awareness Training - We've all heard that end-user security awareness training is an important piece of your security strategy. However, in this article, Larry Pesce throws a dose of reality on this strategy and states that users will ignore the training and become victims of attacks anyway. I do agree that end-user awareness training will do little to stop people from clicking on nasty stuff and is not likely to make them techno-geeks who understand how attacks work. However, this does not mean that it's a lost cause. Effective training will help people identify suspicious emails, know how some of the attacks work, be more resistant to social engineering and teach them what to do once they have become compromised. There is value in this training, and when coupled with some of the other defensive techniques, such as limiting access to Internet services, it can increase the security of your organization. For example, by teaching people about the nasty stuff out there on the Internet, they may be more inclined to accept a more stringent Internet usage policy. Furthermore, by giving up on end-user awareness training you are leaving the user to swim with the sharks when they take the corporate laptop to a coffee shop or browse the web at home.
• Reverse Engineering File Formats - A really neat article from Jeremy Brown on how to reverse engineer a file format. You may think that "reverse engineering" always requires a debugger and staring at hex code for days on end. Jeremy shows us an example of using an application's error messages to figure out the structure of the file format.
• TSA Gets Some Intelligence - Hopefully this comes with training too! I believe that providing intelligence to the TSA is a good thing, but I hope that the government also provides them with training on how to use it to profile passengers. The same is true in your organization's security strategy; it's great to have all of the information about your systems and network, but it's also important to know what to do with it. For example, if you are collecting information from all of your systems' logs but not acting upon it or analyzing it for trends, then you are not recognizing the value of the information.
• Postgres Database Default Password - Another reason why I love OSVDB

- Default passwords are a security hole that can be avoided. We need to educate developers and companies that make software to not build this into their products. Allow users to choose their own passwords! Also, Nessus Plugin 10483 will detect this default password in Postgres.

Download Tenable Podcast Episode 23

]]> paul@nessus.org Mon, 15 Feb 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-22 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/02/tenable-network-security-podcast---episode-22.html Welcome to the Tenable Network Security Podcast - Episode 22

Announcements

• A new blog post has been released titled "HNAP Protocol Vulnerabilities - Pushing The "Easy" Button" that covers how this protocol can be used to collect information from devices on the network. Marcus Ranum also published a series of his now infamous Afterbytes posts, where he discusses everything from data leakage to Russian stealth fighters.
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Ron Gula - Security Center Version 4


Tenable CEO Ron Gula and I discuss the features of Security Center 4 in more detail, including dashboards, alerting, and reporting.

Stories

• ShmooCon: P2P Snoopers Know What's In Your Wallet - While many associate P2P networks with the trafficking of illegally downloaded copyrighted material, such as movies and music, researchers have uncovered that other valuable information is also being shared. Most likely unbeknownst to the user, sensitive information such as tax documents, personal cell phone numbers, and information about an informant who wanted to help U.S. forces in Iraq has been shared. Special tools are being used to search through files being shared on common P2P networks. Having used some of these tools myself to test out this process, I can say that this is a scary thing. Depending on how well the search engines are indexing data, this could be used in a targeted attack. I would suggest making sure this software is not in use in your environment, and use credentialed checks to look for sensitive information in places where it should not be. However, an employee that uses this software from home could expose sensitive information even though you have put defensive measures in place on the corporate network. This is where user education becomes key to protecting your company's information.
• Microsoft Scheduled To Fix 26 Vulnerabilities - Patches will include fixes for a local privilege escalation exploit that uses a 17 year old vulnerability in the Virtual DOS Machine. Patches for a new vulnerability discovered in Internet Explorer will not be released (but workarounds are available), and a DoS vulnerability in Windows 7 and Windows Server 2008 will also remain unpatched.
• Verizon MiFi - Authentication & Security Matter - The Verizon MiFi is a small, compact device that provides you devices with a WiFi connection, then routes your connection over the Versizon cellular Internet. As for a convenience, this device is pretty neat as you can have multiple devices (for example, a cell phone and a laptop) communicating over the WiFi and being able to access the Internet. However, the web interface suffers from a problem where certain CGI scripts bypass authentication. This means an attacker on the wireless network can send requests, without any authentication, and re-configure the router. You may be wondering just how secure the wireless networking is on the MiFi. Going from "bad" to "worse", Josh Wright has an article posted showcasing how the default WPA passwords can be guessed, and accelerates the process using a CUDA device (a password brute force method that uses the computing power found on graphics cards).
• Who Should Infosec Report To? - I've been in this position many times, working as a security professional and being moved around within IT, outside of IT, etc... One point I would like to make is that if you are to separate operational security from just plain security, you need the appropriate level of staff. By level, I mean number of employees and skill level. For example, the networking team needs someone who can manage firewalls, intrusion detection systems, log analysis systems, etc... The systems administrators need someone who can also review logs, implement desktop defenses, and apply patches. There needs to be security minded people in the IT department, people with security in their title, and people who, and this is a big one, are held accountable for security breaches. I'm not saying fire people, but security should be part of their jobs. This leaves the security department to focus on strategy, vulnerability scanning and management, penetration testing, policy, procedures, and incident response. So, I do agree with the points Dave Shackleford makes in this article, but certain things need to be in place in order to have this separation. Otherwise, you've got security in one corner saying, "We need security!", and IT saying, "We don't have time for that security stuff".

Download Tenable Podcast Episode 22

]]> paul@nessus.org Wed, 10 Feb 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-21 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/02/tenable-network-security-podcast---episode-21.html Welcome to the Tenable Network Security Podcast - Episode 21

Announcements

• A new blog post has been released titled "New Nessus Videos - Scanning With Credentials" that covers how you can provide credentials to Nessus for both network-based and web application scanning. Kelly Todd also published an article titled, "Understanding The New Massachusetts Data Protection Law".
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats webinar" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Ron Gula - Security Center Version 4


Tenable CEO Ron Gula and I discuss the features of Security Center and some of the recent enhancements being made in the new version 4.0.

Stories

• Holy RFI Batman! - Rsnake has published a list of web applications that are allowing an RFI attack to occur. This attack vector allows the bad guys to potentially run code on the remote server and clients visiting the site. These attacks can also lead to Local File Inclusion, allowing attackers to read files on the remote host. I've also found a list of remote file inclusion vulnerabilities that were harvested from the OSVDB. This is a pretty common attack vector commonly used by attackers to drop in some malicious JavaScript code into web sites.
• Google Willing to Pay For Bugs In Chrome - Google has announced that they will pay up to $1,337 for bugs that are found in the Chrome browser and $500 for lesser severity bugs. You can look at this two ways. First, my inclination is to state that Google is a large enough company that they should be implementing secure coding practices and have a team dedicated to the security of Chrome. It is likely they have this, however on the flip side, giving incentive to millions of people to find bugs is something Google could not do on their own. So, they offer a reward for bugs to harness the power of the Internet community to make their software better. The problem is two fold, if you are a "whitehat" hacker you can make more money selling it to other organizations or stand up to a moral code and provide Google the details without asking for anything in return. Regardless of where you stand on that issue, Google's bounty for vulnerabilities is not in tune with reality. The other factor is that if a "blackhat" hacker were to find a bug, they may decide to keep it for themselves and use it to compromise systems and make money through a botnet or pop-up ads. They may also decide to sell it on the black market to other "blackhats".
• Network Security Fundamentals - Default Deny - Ah yes, the wonders of firewall administration and "default deny". I remember it vividly during my time (an extended period of time, mind you) as a firewall administrator. Many subnets within the organization were implementing the reverse of "default deny", "default accept" and blocking only the exceptions. This was a bad place to be because going to a "default deny" in this situation would almost certainly break things, and lead to cranky users. It was a long process of analyzing traffic to see what needed to be allowed and adding rules. Was it worth it? Maybe, over time my opinion of firewalls is changing. I'm still in favor of using firewalls, but in many situation I believe more effort should be places on system hardening. This includes using the principal of least privilege, applying software updates, turning off unnecessary services, and tuning the configuration to be "secure" (as in enabling the security features). Lets face it, the firewall only blocks a certain class of attacks, which is important, but lets not forget about security completely because we have a firewall. I like to extend the "default deny" to other aspects of security, such as system hardening (why do we have so-called "default" passwords!), and host intrusion prevention client software (why do we allow DLL injections and embedded iFrames?).

Download Tenablepodcast-episode21

]]> paul@nessus.org Mon, 01 Feb 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-20 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/01/tenable-network-security-podcast---episode-20.html Welcome to the Tenable Network Security Podcast - Episode 20

Announcements

• A new blog post has been released titled "Being Pro-Active Against the "0-Day" Threat" and covers how you can more effectively defend your network given that the bad guys have "0-day" exploits. Marcus Ranum also published an article titled, "Afterbytes - Ranum on Google Considering Leaving China" where he weighs in on the Google Aurora incident. Brian Martin also contributed an article titled, Putting OSVDB to work for Nessus Vulnerability Management where covers how to use OSVDB to provide additional references to give system administrators more information about a particular vulnerability.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Mike Murray



Mike Murray is currently the managing partner of Michael Murray and Associates, as well as a founder in a new company called Mad Security. He has spent his entire career in information security, from his work in the late 90's as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis and Liberty Mutual Insurance Group. Mike's interests and aptitudes are broad - he and his team at Michael Murray and Associates, LLC focus on assisting information security organizations with their human systems, from their information security awareness to their organizational design and efficiency and the career paths of the individuals within the industry. His focus at Foreground Security is to lead Foreground's security engagements and training organization, assisting with curriculum and methodology development, staff development, and security planning and execution. Mike is a widely reknowned speaker, and his talks on a wide variety of topics have been seen at major conferences like RSA, SOURCE, InfoSecurity Canada and Defcon. Mike's thoughts on security can be found on his blog at Episteme.ca, and his work on helping build careers can be found at ConnectedCareer.com. He has written technical articles in publications including BusinessWeek Online and Sys Admin, as well as a regular column on The Ethical Hacker Network.

Stories

• One Exploit Should Not Ruin Your Day - This post by Dino Dai Zovi re-itterates, quite well in fact, much of the post-Aurora Exploit banter. It boils down to this: If you let one unpatched vulnerability be the gateway to your network and all its information, you've for bigger problems than just patching that one vulnerability. Dino goes on to say that network and information segmentation can go a long way to protecting your assets.
• Undisclosed Breaches - This article details how in certain circumstances, a credit card company does not have to disclose the merchant that may have been the cause of a data breach. This seems silly to me, as a consumer I want to know which merchant was at fault, so I can find an alternate merchant to do business with. Breaches happen, and its important that we know at least who is involved so we can make intelligent decisions.
• Four Steps For Trimming Patch Management Time - This article covers some common sense tips for implementing the patch management process. How to prioritize the deployment and make sure that you test the patches. For priority, sure, you definitely want to have a sense of what can be patched, how long it takes, and what the impact will be. However, this is still just skirting the issue. Client software is the real problem, so fix it. If you are running your business and relying on Internet Explorer 6 to interact with a web application running vulnerable code, thats the real problem (not your patch management process). While there will be costs involved, your choice of the software you use has more of an impact on the security of your organization than does how fast you can patch the browser. There are other vulnerabilities lurking out there, some of which the bad guys have written exploits for, so you have to do better than just applying patches. Also, this article covers how you should go about "testing the patch". I'd also add that you need to make sure the patches have been applied to all of the systems correctly.

Download Tenable Network Security Podcast Episode 20

]]> paul@nessus.org Mon, 25 Jan 2010 11:46:28 -0500 Podcast tenable-network-security-podcast-episode-19 Paul Asadoorian http://blog.tenablesecurity.com http://blog.tenablesecurity.com tenable, security, hacking, nessus no http://blog.tenablesecurity.com/2010/01/tenable-network-security-podcast---episode-19.html Welcome to the Tenable Network Security Podcast - Episode 19

Announcements

• A new blog post has been released titled "Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition" and covers the latest patches released from Microsoft, in addition to some useful plugins to detect deprecated operating systems. Marcus Ranum also published an article titled, "Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking".
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Jake Kouns



Jake Kouns is the co-founder and President of the Open Security Foundation which oversees the operations of the Open Source Vulnerability Database (OSVDB) and the Dataloss DB project.. Kouns' primary focus is to provide management oversight and define the strategic direction the project.





Stories

• AT&T Network Flaw With Scary Results - The Mixed Up Sessions - Imagine logging into your favorite social networking site, such as Facebook, and being presented with someone else's page. This happened recently to select AT&T customers who appear to have been victims to the problem cause by some serious networking issues at the provider. This is scary, at least for me, because no matter how careful you are with your data, it could end up in someone else's hands. When you put potentially sensitive information on Facebook, its unlike email which can be PGP encrypted.
• Multiple Media Player Quicktime Memory Corruption - A new unpatched flaw has been revealed in several applications, such as iTunes, that occurs when a specially crafted quicktime file is processed. Details and a proof of concept are available from the exploit database entry.
• New 0-Day Vulnerability in Internet Explorer 6, 7, and 8 - Reports are being made that the exploit for this vulnerability only works reliably on Internet Explorer 6. It has also been reported that this could have been the exploit used by Chinese attackers to compromise Google employees. This exploit will not work on IE version 8 as it enabled DEP by default, which for now, is thwarting successful exploitation.

Download Tenable Network Security Podcast Episode 19

]]> paul@nessus.org Mon, 18 Jan 2010 11:46:28 -0500 Podcast http://blog.tenablesecurity.com/2010/01/tenable-network-security-podcast---episode-19.html Paul Asadoorian tenable, security, hacking, nessus no