Tenable Network Security Podcast Episode 204 - "OpenSSL Again, Back to Basics"
Announcements
- We're hiring! - Visit the Tenable website for more information about open positions.
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
- You can find links to subscribe to Tenable's Podcast feed, YouTube Channel, Twitter and Facebook accounts at http://www.tenable.com/podcast!
- Your devices Heartbleeding - again
- 'Son Of Heartbleed' Hits Android And WiFi Networks
- Compliance: The Surprising Gift Of Windows XP
- Linux users at risk as ANOTHER critical GnuTLS bug found • The Register
- Safely Storing User Passwords: Hashing vs. Encrypting
- New OpenSSL Vulnerability - Carlos and I discuss the new OpenSSL MITM Flaw, how you can detect OpenSSL with Tenable products and the threats posed by this new set of vulnerabilities.
- Back To Basics - This article states:
Consider the Adobe breach, which leaked 38 million records and some of the company's source code. It's been alleged, though not officially confirmed, that the point of entry was a public-facing web server that was lacking available patches. The leaked account records were not properly protected with a strong one-way hash algorithm designed for passwords. (Instead, they were encrypted with 3DES, a symmetric encryption algorithm not built for the purpose.) That the attackers could get from a public-facing web server to the company's confidential source code repository implies that the network was not properly segmented, nor access properly controlled and monitored between segments.
Tenable's products can help bring you back to basics. Let's just say for a moment that everything in the above is true; how would you use Tenable's products to help? Also, Carlos and Paul discuss hard drive encryption, prompted by this passage from the same article:
Other noteworthy breaches in recent years can be chalked up to dropping the ball on encrypting laptop hard drives or flash drives, restricting and monitoring access to management tools, and protecting encryption keys.
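The article's point about the Adobe records (3DES instead of a password hash) is worth seeing in code. The example below is added here for illustration; it is not Tenable's code, not the article's, and it does not reproduce Adobe's scheme. Python's standard library has no 3DES, so a toy keyed XOR transform stands in for it; it is not a cipher, and is used only because it shares the two properties that matter for the argument: it is reversible with the site key, and equal passwords produce equal stored values. The "right way" side uses PBKDF2-HMAC-SHA256 with a per-user salt and a constant-time compare. User names, passwords and the site key are constructed sample values.

```python
"""Added example: reversible encryption vs. a salted one-way password hash.

Written for this page, not Tenable's or the article's own code.  The keyed
XOR transform is a stand-in for 3DES (absent from the standard library) and
is NOT a real cipher; it only models "reversible and deterministic".
"""
import hashlib
import hmac
import os

# Constructed site-wide key: with a reversible scheme, whoever holds this
# (or steals it with the database) recovers every password at once.
SITE_KEY = b"constructed-site-wide-secret-key"


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the key alone (toy, not secure)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = SITE_KEY) -> bytes:
    """The wrong way: keyed, reversible, and the same for equal passwords."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(blob: bytes, key: bytes = SITE_KEY) -> str:
    """Anyone with the key turns the stored value back into the password."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


PBKDF2_ROUNDS = 200_000  # deliberately slow; tune upward as hardware improves


def hash_password(password: str, salt: bytes = None) -> str:
    """The right way: per-user random salt plus a slow one-way KDF.

    Stored as 'algorithm$rounds$salt_hex$digest_hex' so the parameters can be
    raised later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users: dict) -> dict:
    """What a leaked user table exposes under each scheme.

    `users` maps user name -> plaintext password (constructed input).
    """
    encrypted = {u: encrypt_password(p) for u, p in users.items()}
    hashed = {u: hash_password(p) for u, p in users.items()}

    # Reversible scheme, key in hand: every password comes straight back.
    recovered = {u: decrypt_password(b) for u, b in encrypted.items()}

    # Reversible scheme, no key: equal stored values still reveal who shares
    # a password, so one cracked or guessed account exposes the others.
    groups = {}
    for u, b in encrypted.items():
        groups.setdefault(b, []).append(u)
    shared = sorted(sorted(g) for g in groups.values() if len(g) > 1)

    # Salted hash: equal passwords give different records, and there is no
    # key to recover them with; each guess costs PBKDF2_ROUNDS iterations.
    hashed_distinct = len(set(hashed.values())) == len(hashed)

    return {
        "recovered": recovered,
        "shared_password_groups": shared,
        "hashed_distinct": hashed_distinct,
        "hashed": hashed,
    }


if __name__ == "__main__":
    sample = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    result = compare_schemes(sample)
    print("recovered from 'encrypted' store:", result["recovered"])
    print("users sharing a password (no key needed):", result["shared_password_groups"])
    print("hashed records all distinct:", result["hashed_distinct"])
    print("alice verifies:", verify_password("hunter2", result["hashed"]["alice"]))
```

The practical check is the last one: a password store is doing its job only if equal passwords do not produce equal records, and if there is no key anywhere whose theft turns the table back into plaintext.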
- McAfee ePolicy Orchestrator OpenSSL Information Disclosure (Heartbleed)
- Mac OS X : Safari < 6.1.4 / 7.0.4 Multiple Vulnerabilities
- IBM Domino 9.0.0 < 9.0.0 Interim Fix 4 iNotes Buffer Overflow (credentialed check)
- IBM Domino 8.5.3 < 8.5.3 Fix Pack 5 Interim Fix 1 iNotes Buffer Overflow (credentialed check)
- IBM Domino 9.0 < 9.0.0 Interim Fix 4 iNotes Buffer Overflow
- IBM Domino 8.5.x < 8.5.3 Fix Pack 5 Interim Fix 1 iNotes Buffer Overflow
- Western Digital Arkeia lang Cookie Crafted Local File Inclusion
- Western Digital Arkeia lang Cookie Local File Inclusion
- Western Digital Arkeia Virtual Appliance Unsupported Version Detection
- Western Digital Arkeia Virtual Appliance Blank Password
- Default Password (arkeia) for 'root' Account
- Western Digital Arkeia Virtual Appliance Detection
- IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities
- RHEL 6 : gnutls (RHSA-2014:0595)
- RHEL 5 : gnutls (RHSA-2014:0594)
- Oracle Linux 6 : gnutls (ELSA-2014-0595)
- Oracle Linux 5 : gnutls (ELSA-2014-0594)
- FreeBSD : gnutls -- client-side memory corruption (027af74d-eb56-11e3-9032-000c2980a9f3)
- IBM WebSphere Portal Apache Commons FileUpload DoS
- PHP 5.5.x < 5.5.13 'src/cdf.c' Multiple Vulnerabilities
- PHP 5.4.x < 5.4.29 'src/cdf.c' Multiple Vulnerabilities
- Sendmail < 8.14.9 close-on-exec SMTP Connection Manipulation
- Mac OS X < 10.9.3 Multiple Vulnerabilities (Security Update 2014-002)
- Mozilla Thunderbird 17 Script Execution in HTML Mail Replies
- AppleTV < 6.1.1 Multiple Vulnerabilities
- RTMP Connection Detection
- Apple iOS 7.x < 7.1.1 Multiple Security Vulnerabilities
- RTMP Connection Detection
- PC Duo Detection
- PC Duo Detection
- Multicast Source Discovery Protocol Client Detection
- Samba < 3.6.23 / 4.0.16 / 4.1.6 Multiple Vulnerabilities
Related Articles
- OpenSSL
- Podcast