Tenable Blog

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPSec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer, who wrote the client software, misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When using it in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Severity Is Multi-Dimensional

Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with “high” severity ratings always caught my attention first. Sometimes it would take a week’s worth of effort to evaluate and remediate the high- severity vulnerabilities. Although I knew that I should also investigate the low or medium severity level alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks and would most often end up going months, years or never getting fixed at all unless a security incident occurred that involved one of the low-severity vulnerabilities. This is a problem that many organizations face, and the following particular Movable Type vulnerability is a great example that I hope underscores the point that “lower severity rating” does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it’s not remotely exploitable to gain shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application.)

Another Milestone, Nessus 4.2

Long-time users of Nessus have probably noticed that significant improvements have been made over the past several years. For example, Nessus version 3 introduced many performance enhancements due to an overhaul of the NASL interpreter. Nessus version 4 introduced several more improvements, including multi-threading and 64-bit support, in addition to unifying the code base across multiple platforms (Windows, Linux, and Mac OS X). Tenable is proud to introduce the next evolution to the Nessus vulnerability scanner with version 4.2, which includes several enhancements including an all-new Flash-based interface. With the new Nessus 4.2 interface, scan results and policies are stored on the server instead of in a client. Multiple users can log into the web-based interface concurrently and can use a “compare” function to show differences against a previous scan. It is now possible to log out of the interface and log back in without disrupting scans that are in progress,and an administrative user now has the ability to pause or stop the scan of another user. I strongly recommend that everyone view the video preview below to see the new Nessus interface in action:

Welcome to the Tenable Network Security Podcast - Episode 13

Announcements

• A new video has been released that covers how to use Nessus 4.2, the latest version of Tenable's Nessus vulnerability scanner.
• Tenable Network Security's CEO, Ron Gula, is featured in SC Magazine as one the entrepreneurial visionaries who have launched successful IT security companies in the last 20 years.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!
• Tenable is pleased to announce the release of the Log Correlation Engine version 3.4. This release has many new enhancements and features, plus some new functionality such as IDS correlation from various sources and new options in the LCE clients to monitor file integrity. For more information on new features in this release, please see the LCE 3.4 Release Notes. Tenable CEO Ron Gula and I had a chat about the features in this new release.

Interview: Marcus Ranum - CSO, Tenable Network Security

Marcus Ranum hacking up computers and challenging us to think differently about security..