Tenable Network Security Podcast Episode 112 - "Evil USB, Detect Unsupported Devices, & Managing Mobile Risk"

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• New iSeries and AS/400 plugins are being released this week!
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The "Top Ten Things You Didn't Know About Nessus" videos have been posted from #10 through #2, so check them out!
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!

New & Notable Plugins

Passive Vulnerability Scanner

• Android 2.3 2.3.6 Information Disclosure
• PCAnywhere Detection
• OpenSSH 5.7 Multiple Vulnerabilities

Nessus

• Squid Unsupported Version Detection
• VMSA-2012-0001 : VMware ESXi and ESX updates to third party library and ESX Service Console

Stories

1. Don’t Stick That in There – HID (Human Interface Device) - Evil USB keys persist in penetration testing and evil insider attack scenarios. Detecting is interesting, and the most difficult to detect are the devices that are HID, which really do evil things.
2. OSCommerce v3.0.2 - Persistent Cross Site Vulnerability - Every once and a while, an XSS comes along that you should pay attention to, and this is no exception. A persistent XSS in an e-commerce application is a bad thing!
3. Android and Security - Official Google Mobile Blog - Google has some work to do with respect to security, and they know it. All of the mobile device application security researchers I've spoken with tip their hat to the iOS platform for its strides in security, and then go on to say how easy it is to exploit Android.
4. FBI Conference Call Tapped By Antisec - I've seen this story also mention Anonymous, so therefore, we have to cover it to get in our Anonymous coverage. Apparently, a phone call was leaked, proving that phones can be tapped and attackers do not comply with FCC regulations.
5. Sophos 2012 Security Threat Report - Can anyone guess what's the most common malware still infecting computers? If you guessed Conficker, you'd be right.
6. Two Approaches to Managing Mobile Devices - Giving the user more control of their devices has benefits!
7. Microsoft Internet Explorer 'Forced Tweet' Cross Domain - Interesting vulnerability that allows the attacker to potentially make Tweets posing as you.
8. Apple revises Snow Leopard security update - Again, so soon?
9. 'Psycho Siri': Scariest Siri parody yet? | Crave - CNET - Really funny parody about Siri gone Psycho. Now, the first part is total science fiction, and very funny. However, in the final scenes the iPhone with Siri takes control of the person's car. Science fiction or reality? See the next story...
10. Remotely start your car using an Arduino - Freaky, huh?
11. Job-seeking Marriott hacker gets 30 months' porridge - This is the wrong way to try to land a job.
12. Satellite phone encryption cracked - Telegraph - Could this be how Anonymous hacked into FBI phones?
13. PHP 5.3.10 fixes critical remote code execution vulnerability - PHP still suffers from remote exploits, just an FYI.