Tenable Network Security Podcast Episode 146 - "Is AV Dead?, Auditing Firewalls"
Announcements
- Tech Check for 11-12-12 on WYPR's Maryland Morning
- Tenable Network Security Awarded Common Criteria Certification for Continuous Monitoring Platform
- Tenable Network Security Caps Momentous Year With Deloitte Technology Fast 500 Recognition - With 552% growth over the last five years, Tenable was ranked 171st on the list overall and listed as the 9th fastest-growing company locally.
- We're hiring! - Visit the Tenable website for more information about open positions.
- Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
- You can subscribe to the Tenable Network Security Podcast on iTunes!
New & Notable Plugins
Nessus
- Opera < 12.10 Multiple Vulnerabilities
- Oracle Forms Recognition Multiple ActiveX Control Arbitrary File Overwrite Vulnerabilities
- Adobe AIR 3.x <= 3.4.0.2710 Multiple Vulnerabilities (APSB12-24)
- Flash Player <= 10.3.183.29 / 11.4.402.287 Multiple Vulnerabilities (APSB12-24)
- Adobe AIR for Mac 3.x <= 3.4.0.2710 Multiple Vulnerabilities (APSB12-24)
- Flash Player for Mac <= 10.3.183.29 / 11.4.402.287 Multiple Vulnerabilities (APSB12-24)
- Google Chrome < 23.0.1271.64 Multiple Vulnerabilities
- QuickTime < 7.7.3 Multiple Vulnerabilities (Windows)
- SolarWinds Orion NPM < 9.5 Login.asp Blind SQL Injection
- Traq admincp/common.php authenticate() Function Authentication Bypass Remote Code Execution
Passive Vulnerability Scanner
Compliance Audit Checks
- Auditing Check Point GAiA Configuration Compliance
- Auditing Juniper Junos Configuration Compliance
- New CIS Debian Linux Audit Policy
Stories
- Hack.me – Build, Host & Share Vulnerable Web Application Code - Looks like a pretty neat free service to let you practice web application scanning. I cannot stress this enough, the best way to learn how to find web application vulnerabilities is just to dive in and do it. Practice makes (almost) perfect. While applications are very different, the techniques to find vulnerabilities only vary slightly.
- Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines - Don't go running to pull all of your systems and applications out of the cloud just yet. This represents a highly-sophisticated attack at the moment, but one you should be aware of if you're using cloud services and/or virtualization, which at this point, is everyone.
- Apple's iOS 6.0.1 still has Wi-Fi bugs - The real kicker here is that if you don't upgrade to 6.0.1, you'll miss out on security fixes. If you do upgrade, you may experience severe problems with your Wi-Fi. Try to be secure all you want, function will win over security every time.
- Cisco TACACS+ Authentication Bypass - It's always fun to actually dig into the details of a given vulnerability to see what it's all about. If it's your job to evaluate risk of the vulnerabilities affecting your organization, you've got a heavy dose of reading to do on a regular basis. I dug into this one and found that if you're using TACACS+ in conjunction with LDAP on Cisco ACS platform, an attacker can do this: "…exploit this vulnerability by sending a special sequence of characters when prompted for the user password." That means there's a "magic" password. Any guesses as to what that value could be? 1-2-3-4 anyone?
- Is AV Dead? - "I just think it's lazy developers." This is a very light-hearted look at the problem of AV software and a bit about malware. "The world isn't just black and white anymore. But it's all binary…"
- One in four don't clean their stinky old browsers - especially Firefoxers - Keep in mind where the study comes from: "The statistics were drawn from the web usage patterns of 10 million randomly selected Kaspersky Lab consumer customers worldwide, collected during August 2012. The data from business customers does not feature in the study." Your job this holiday season is to convert grandma from Firefox to Chrome and teach her how to keep it updated...
- Antivirus Firm Founder John McAfee Accused of Murder, Says He's Innocent - I couldn't not talk about this story, it's the headline of the week for sure. Seems like John is a pretty eccentric guy, and I'm not sure you can believe everything you hear about this story as the facts change daily. However, sounds like he has a chemistry hobby that got out of control...
- A history of hacking: Documentary captures essence of Def Con - Can't wait to see this one, the culture of hackers always makes for great fun!
- Microsoft Updates November 2012 - IE, Kernel+Shell, and .NET Critical Patches - Microsoft updates this week, as usual, get patching…All plugins for the vulnerabilities are in the plugin feed.
Related Articles
Tenable Network Security Podcast Episode 198 - "PCI Discussion Featuring Jeffrey Man"
February 13, 2014<p></p>
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
- Podcast