Tenable Network Security Podcast - Episode 48

Welcome to the Tenable Network Security Podcast - Episode 48

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Tenable Network Security on the Inc 5000 List
  • The Three Legged Stool Of Vulnerability Management
• New Nessus training is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.


• Ron, Marcus, and Renaud present the San Francisco Security Showcase on September 15, 2010! This is a free event that will feature topics such as a Nessus overview and future plans, the advantages of pairing active and passive scanning, an overview and discussion of current security strategies and new industry trends, the past, present and future of regulatory compliance, and a Tenable Network Security product/solutions overview.


• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.


• We're hiring! - Visit the web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Ron Gula

Ron and Paul discuss web application testing using Nessus!

Stories

• Cisco IOS XR BGP DoS - Any time there are vulnerabilities with a product that implements BGP, it is a cause for concern. BGP is the routing protocol that runs the Internet, and we've been fortunate that there have been no known attacks against it that have caused any serious damage. Well, I guess if you consider Pakistan taking down YouTube serious, then there has been one serious "attack". However, this was a misconfiguration, not a vulnerability in a product or the BGP protocol itself. Well okay, there was a presentation at Defcon 16 that demonstrated a weakness in the protocol that allows for snooping of data in transit. So, maybe BGP is a little broken but my bet is that people will not DoS the Internet. It's too important.
• New Windows Meterpreter Search Functionality - This is a great feature. Once you compromise a machine, you can use the built-in indexing service to more efficiently search the computer for sensitive information. You can also perform specific searches for things like IE browser history. This is the equivalent of breaking into a house and using the homeowner's flashlight to find the valuables.
• CEO, CFO, Pants on Fire? - An interesting article that looks at public audio from publicly traded companies' meetings with shareholders. Now, CEO/CFO lying aside, I think it's both interesting and useful to be able to tell when someone is lying (like when your users tell you, "I picked an awesome password" or the systems administrators tell you, "I applied all available patches to all of our systems"). After analyzing the data gathered from CEO/CFOs, the researchers came up with a few common phrases that indicate when they may be lying, such as "They make more references to audience or general knowledge – “As you know…”" and "They use more words linked to extreme positive emotions – “The outlook for the company is fabulous!”". So, when your IT manager says, "As you know, our password policy for the company is fabulous!", he or she could be lying.
• HTTP Strict Transport Security - Here's a solution to this problem: if someone goes to a page using HTTP, when they should have used HTTPS, rather than automatically re-direct them, put up a static page WITHOUT any HTML links, that states: "For your own safety, Please go to the HTTPS version of this site." No? Right? Maybe?
• Home Security Tips - For the most part, good security applies to both information and your home, and Rich provides some good tips for home security. However, I do disagree with the video surveillance suggestion, which Rich says, "The one thing I'm not really big on is cameras. For my home I worry a lot more about someone getting in than capturing them after the fact. And we live in a densely populated subdivision with neighbors we know well and inform before we leave on big trips. That and an alarm sign out front are better than any crazy camera system." While I am not too worried about capturing a burglar, I do want to keep an eye on things. For one, even if you know your neighbors well, there could be an "insider" attack. Furthermore, a burglar is even more likely to skip over your house if they see alarm signs AND a camera pointing at them. You can even get fake cameras that will do the job just fine. With respects to network security, there are lessons to be learned. First, intrusion detection and monitoring is extremely important and should be in every network. Second, two defensive measures are better than one.
• Attackers go after the DLL injection vulnerability - There's lots of information out there about this. It's interesting how the NSA issued a warning against this vulnerability 12 years ago and was a voice in the wilderness. Nessus has plugins to cover this vulnerability as well, one titled "Insecure Library Loading Could Allow Remote Code Execution" and another called "Microsoft Windows 'CWDIllegalInDllSearch' Registry Setting"