Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Paul Asadoorian

Profile picture for user Paul Asadoorian
As founder and CEO of Security Weekly, Paul remains one of the world’s foremost experts on all things cybersecurity. Security Weekly is a one-stop resource for podcasts, webcasts and other content, informing community members about penetration testing, vulnerability analysis, ethical hacking and embedded device testing. Previously, Paul served as a lead IT security specialist for Brown University, and as an instructor with The SANS Institute.
Blog Post

Do Passwords Matter?

Password Breaches Are Nothing New You don't have to look very hard to find an article discussing password breaches. Recently, there was a lot of buzz around LinkedIn, LastFM, and eHarmony, three very large sites suffering from passwords being leaked to the public. This is not a new phenomenon (earlier this year everyone was all up in arms about the Zappos password breach), but one that continues to garner attention in the media. However, what most journalists are saying about password breaches is likely different from what I am about to tell you -- it simply does not matter how strong your password is, how it is encrypted when stored by the provider, or how the transport layer is encrypted (e.g., SSL). Here's why: How It's Encrypted Matters, but No One Does It Right Many websites today, primarily for performance reasons, are using traditional one-way hashing algorithms to store your passwords (such as MD5 or SHA1). This means you give the website a password, it computes a cryptographic hash and stores it in a database of some kind. The plaintext password should never be written to disk. The next time you login, the website computes the hash in the same manner and compares it to the value stored in the database. This is all well and good, until someone obtains a copy of the password hashes. Obtaining the hashes, without any other protections, such as password salting, two or more users with the same password will have the same hash value. This allows attackers to generate very large databases of already-hashed passwords and make a comparison. Hardware on graphics processing units (GPU) can help accelerate the process. There are also websites that will provide hash-cracking services (submit the hash to a website and get the cleartext password in return). Several of these sites also use “Rainbow Tables,” a form of lookup tables which takes a bit longer, but allows for smaller tables. A ‘salt’ will help slow down this process, a little. Salts are a random string appended to the password such that user's passwords are different. However, sometimes developers implement salts incorrectly, and use the same salt for each user or store the salt where attackers can obtain it (or calculate it). Even if salts are implemented correctly, the processing power of GPUs can be used to crack the salted password hashes in more time, using even larger pre-computed password dictionaries than ones without a salt. What does all this mean? Likely, at least a few websites (internal to your organization or external) are storing your password using a hash that can be reversed in a relatively short timeframe, depending on the hash used and computing power of the attacker.

Blog Post

Remote Access Woes: Microsoft Windows Remote Desktop Protocol (RDP)

The Trouble with Remote Access Remote access protocols are certainly one of the long-standing topics discussed when it comes to information security. Most security practitioners have had to deal with the threats and risks posed by the wide range of protocols used to remotely manage and access systems, including Telnet, SSH, RDP, and even third-party providers such as GoToMyPC. Convenience is heavily weighed against security, as users and administrators require access to the systems, yet security in the forms of authentication and encryption seemingly "get in the way." This debate has come up in my career more times than I care to remember. When I first set out to help make systems more secure, one of the first actions I proposed was to remove Telnet from all of my UNIX (Solaris and Linux at the time) systems. Turns out it was a valuable lesson for me as I learned that while technically not so challenging, convincing 25 or more developers that they had to use an SSH client rather than the built-in Telnet utility was the most challenging aspect of that project. The same debate occurred later in my career when I was tasked with helping the newly-created Windows systems administrators group secure their brand-new Windows domain environment. I had a similar conversation about Microsoft Terminal Services, which uses the RDP (Remote Desktop Protocol). At the time, in the default configuration, an attacker could perform MiTM attacks to obtain the username and password, in addition to logging the keystrokes sent to the systems being managed. Again, technically there was an easy fix (change some settings on the servers, and use a compatible client on the management systems). However, the real challenge was persuading the administrators to make the switch, as they had always just used the default configuration and, by their own account, "nothing bad ever happened." In this case, I had to use a demo and perform an attack, with permission, of course, against an administrator. Once they saw it, the progression to a properly-configured and more secure RDP implementation was underway immediately.

Blog Post

Tenable Network Security Podcast Episode 128 - "Password Breaches & RDP Vulnerabilities"

Announcements We're hiring! - Visit the Tenable website for more information about open positions. Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more! Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more! You can subscribe to the Tenable Network Security Podcast on iTunes! New & Notable Plugins Nessus Symantec Endpoint Protection Manager Versions less than 11 RU7 MP2 (credentialed check) ImageMagick Versions less than 6.7.6-4 Heap-Based Buffer Overflow Pretty Link Plugin for WordPress url Parameter XSS Cobbler xmlrpc API Remote Shell Command Execution Firefox 12.x Multiple Vulnerabilities (Mac OS X) Adobe AIR for Mac OS X 3.x Multiple Vulnerabilities Flash Player for Mac OS X Multiple Vulnerabilities (APSB12-14)

Blog Post

Tenable Network Security Podcast Episode 127 - "IPv6 Day, Defense-In-Depth?"

Announcements Tenable Network Security's Jack Daniel to Present at Gartner Security & Risk Management Summit We're hiring! - Visit the Tenable website for more information about open positions. Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more! Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more! You can subscribe to the Tenable Network Security Podcast on iTunes! New & Notable Plugins Nessus Sharebar Plugin for WordPress status Parameter XSS Citrix XenApp Unspecified Remote Denial of Service Atlassian JIRA Version 5.0.1 XML Parsing Vulnerability Ecava IntegraXor DLL Traversal Arbitrary File Overwrite HP SAN/iQ Root Shell Command Injection Tornado version 2.2.1 or Less HTTP Response Splitting

Blog Post

Tenable Network Security Podcast Episode 126 - "Detecting Malicious Processes and the 'Flame' Malware"

Announcements Detecting Malicious Processes Using Nessus Configuration Mistakes Make for Costly Security Gaps Concerns Raised About Time Taken to Detect "Flame" We're hiring! - Visit the Tenable website for more information about open positions. Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials. Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more! Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more! You can subscribe to the Tenable Network Security Podcast on iTunes! New & Notable Plugins Nessus phpMyAdmin Function Information Disclosure phpMyAdmin SQL Query Bookmarks Arbitrary SQL Query Execution Cisco ASA Cut Through Proxy Authentication Vulnerability Symantec Web Gateway Shell Command Injection (intrusive check)

Blog Post

Detecting Known Malware Processes Using Nessus

Keeping Malware in Check A limitation of anti-virus (AV) agents is they often do not evaluate the entire known malware sample found running on a system. Polymorphic and mutating viruses make it possible for one AV vendor to detect a malicious sample and another to completely miss it. It's not feasible to run every AV program available on the market today in your network to make up for gaps in coverage. Nessus already helps you with malware detection, for example: Nessus reports if the scanned host is on a known botnet list, communicating with a known botnet IP, or hosting malicious content associated with botnet propagation. Nessus audits your anti-virus agent by reporting if it’s misconfigured or has out-of-date rules. Tenable's research team recently added new functionality to Nessus which will detect known malware running on your Windows scan targets. Below is an overview of how this new feature works: Nessus authenticates to the Windows system. Nessus enumerates the list of running processes on the system. For each process, a cryptographic hash is generated and looked up against Tenable's cloud-based database If the process is found to be malicious, the plugin logs the results with information about the malware found. You can watch a short video on how to configure and run this plugin below:

Blog Post

Tenable Network Security Podcast Episode 125 - "Detecting Quicktime Vulnerabilities, Hotel Hackers"

Announcements New Nessus Feature Added: CSV Export Tenable Network Security Named Top ‘Cyber Warrior’ at Baltimore SmartCEO VOLT Awards Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials. We're hiring! - Visit the Tenable website for more information about open positions. You can subscribe to the Tenable Network Security Podcast on iTunes! Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more! Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more! New & Notable Plugins Nessus QuickTime for Windows Versions prior to 7.7.2 Vulnerabilities - A long list of stack, heap, and integer overflows in Quicktime is fixed with this set of patches for Quicktime running on Windows. I'm curious to see if there are exploits available and how modern protections against them will work, or not. SolarWinds Storage Manager Server LoginServlet SQL Injection - This is usually bad: "The version of SolarWinds Storage Manager running on the remote host has a SQL injection vulnerability in the 'loginName' parameter of the 'LoginServlet' page." This typically means you don't need credentials to exploit the vulnerability, and access to the database via SQL injection can lead to shell access and the ability to download the data contained on the system. Pidgin OTR (Off-the-Record) Format String Vulnerability - I've used OTR for some time now to prevent attackers from snooping on my IM conversations. It sounds like this could be exploited if you accepted a key from someone who was sending a malicious OTR key, thus triggering the format string vulnerability.

Blog Post

File Integrity Auditing with Nessus

Tenable has added a compliance check for Windows which allows users to compare file hashes using a .audit script (Windows compliance checks v2.0.32 or later). By default, MD5 is used to compare two versions of a file, however, users can compare hashes generated with SHA1, SHA256, SHA384, SHA512, or RIPEMD160 algorithms.

Blog Post

Plugin Spotlight: Mac OS X FileVault Plaintext Password Logging

Encryption is Only as Strong as the Key In this case, encryption breaks down because the OS X user's password (used to unlock an encrypted volume) is logged in clear-text via debugging function to a system-wide readable log file. In this scenario, a user running Mac OS X 10.7.3 would encrypt their drive using File Vault, which is included with OS X and encrypts the entire contents of your hard drive. When your system boots up, or you access your files over AFP (Apple's File Sharing Protocol), the system uses your password to decrypt the contents of the drive and your home folder. Debugging in vulnerable versions was enabled such that the password was logged in plain-text to /var/log/secure.log, as follows: 25/04/2012 13:12:12.340 authorizationhost: DEBUGLOG | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:usernam e:] | about to call _premountHomedir. url = afp://mymacbookpro, userPathComponent = paul, userID = 001, name = paul, passwordAsUTF8String = mysupersecretpassword

Blog Post

New Nessus Feature Added: CSV Export

Exporting To CSV Nessus now supports the ability to export your reports into a comma-delimited file format (CSV). Using this export format, you can import the results into your favorite spreadsheet program. Tenable recommends using the following software: Microsoft Excel 2010 or later Apple iWork Numbers To export a CSV-formatted report, select any of your existing Nessus results, click "Download Report," and then choose "CSV" as shown below. Select the "CSV" Reporting Format

Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for free Contact sales

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology security you need.

Reduce the risk you don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
in action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management in action

Know the exposure of every asset on any platform.

Get a demo of Tenable Enclave Security

Please fill out the form with your contact information and a sales representative will contact you shortly to schedule a demo.

Try for free Buy now

Try Tenable Nessus Professional free

Free for 7 days

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
now available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select your license

Buy a multi-year license and save.

Add support and training
Buy Now
Renew an existing license Find a reseller
Try for free Buy now

Try Tenable Nessus Expert free

Free for 7 days.

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select your license

Buy a multi-year license and save more.

Add support and training
Buy Now
Renew an existing license Find a reseller