13 posts from July 2009

 

SANS Consensus Audit Guidelines Webinar - August 13th

Tenable will be hosting a webinar about the new SANS Consensus Audit Guidelines commonly known as the "CAGs". Tenable CEO Ron Gula will discuss the main points and recommendations of the CAGs with industry experts Rich Mogull, CEO of Securosis, and Dr. Eric Cole, a Fellow at the SANS Technology Institute, noted author and president of Secure Anchor.

Continue reading "SANS Consensus Audit Guidelines Webinar - August 13th" »

 

Successfully Presenting Vulnerability Data To Management

Your organization's network is a never-ending source of vulnerability information. New systems and applications are constantly being added, making the job of consistent vulnerability identification and risk management difficult. Tenable provides several tools to assist in this process. Nessus, combined with the Security Center, can provide detailed information about the vulnerabilities in your environment. The problem that many administrators face is that they are not always successful in getting management to recognize problems and provide resources for remediation. This blog post describes some tactics I have compiled over the years to help expedite this process.

Continue reading "Successfully Presenting Vulnerability Data To Management" »

 

Event Analysis Training – “Could you look at some odd IRC Connections?”

At one of the research sites that we monitor, an analyst noted that a few servers were consistently making a large number of IRC connections. These connections occurred in a periodic manner and appeared to be automated. This blog entry describes the various steps taken in analyzing the connections and historical data. We used Tenable’s log analysis, network monitoring and passive profiling solutions to perform this analysis, but the principles could be applied to various SIMs, NBADs and analytical tools.

Continue reading "Event Analysis Training – “Could you look at some odd IRC Connections?”" »

 

This Is Going To Get Interesting

In past columns here and elsewhere, I've been pretty derisive of the notions of "cyberterror" and "cyberwar." Most particularly, I think cyberwar is probably not a useful adjunct to the toolbox of statecraft. But, in discussions about cyberterror, I've always admitted that I'm puzzled by how little creativity has been shown in that arena. That may be about to change, and for the weirdest of reasons.

The full story hasn't been told, yet, but apparently AT&T decided that the amount of traffic/amount of attacks/general tastelessness/whatever of 4chan was just too much to bear, and began blocking traffic to a few of the 4chan servers.

AT&T Blocks 4chan, Stirs Internet Hornet's Nest
http://www.pcworld.com/article/169079/atandt_blocks_4chan_stirs_internet_hornets_nest.html

What everyone at AT&T appears to have forgotten is that the people who hang out at 4chan are amused by, and capable of, a great deal of creative mayhem. Example: it didn't take very long at all before there was a fake press release on Digg, announcing the death of AT&T's CEO.

AT&T CEO Randall Stephenson was found dead in his multimillion dollar beachfront mansion, say official sources. 
http://digg.com/tech_news/AT_T_CEO_Dead_outside_his_home_iReport_com?OTC-kff

Disinformation, coupled with a "meat cloud" to diggbot the fake report, and it's possible that AT&T's stock will take a hit. When you're a publicly-traded company, a little hit can equate to a lot of bleeding. As I said, this is going to get interesting. It's already, by far, a vastly more intellectually sophisticated attack than the usual "let's get a big botnet and do some DDOS" nonsense. As of right now, the attack doesn't appear to have worked.

A few years ago, some of us were discussing the potential for using asymmetric attacks to produce a "death of a thousand cuts"-style campaign. This could be the beginning of a very interesting chain of events.

 

When Patch Auditing Tools Collide

I recently had a customer report that they were experiencing Nessus “over reporting” when compared to their Windows patch auditing tool. This blog reviews some of the many reasons you can get different results with different tools, especially on Windows operating systems.

Continue reading "When Patch Auditing Tools Collide" »

 

NYC InfraGard Capture The Flag Event

On July 21-22, 2009 Renaud and I attended the New York City InfraGard CTF event. It was a great experience being able to participate in the games, and to learn and teach people about security. Below is a breakdown of how the event was organized, including several examples of attack and defense techniques we performed.


Day 1 - The Game

The game is divided into two areas: one for attackers ("Red Cell") and one for defenders ("Blue Cell"). The Blue Cell is further divided into teams, each defending a set of machines that represents a real company. The attackers can use whatever tools they have at their disposal. The defenders must defend everything from mock SCADA systems, VoIP and Microsoft Exchange to web servers running several different web applications. It is a good representation of what a real company may look like, which makes this type of exercise particularly educational.

Continue reading "NYC InfraGard Capture The Flag Event" »

 

Presentation: Using Nessus in Web Application Testing

We had a great turnout for the Webinar we held on July 15, but don’t worry if you missed it – the webinar and slides are now online! In this presentation we covered:

  • How Nessus performs a wide variety of web application security tests such as cross site scripting, remote file includes, and SQL injection.
  • Scanning web application testing platforms, such as Moth.
  • The recent web application security testing updates which provide a wider attack surface and give the end user more control over the web application testing options.
  • How Nessus can also perform patch and configuration auditing of the underlying OS, web server and SQL databases.
  • How to create custom compliance checks to audit your web server configurations.

Continue reading "Presentation: Using Nessus in Web Application Testing" »

 

Plugin Spotlight: HP DDMI Remote System Access

Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, a payload to be written for the target platform and an exploit smart enough to get around system execution protections in memory. Some of the most dangerous exploits rely on vulnerabilities that can be triggered under a wide range of conditions and circumstances. A far more reliable approach, one that does not require a buffer overflow vulnerability to be present at all, is to take over a process or manipulate a protocol to gain access to the system.

This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:

Continue reading "Plugin Spotlight: HP DDMI Remote System Access" »

 

Risky Business 115 - Featuring Brian "Jericho" Martin

Our very own Brian "Jericho" Martin appears on episode 115 of Risky Business. Brian discusses the latest Microsoft DirectShow ActiveX bug, the workarounds, the process, and controversy surrounding this vulnerability.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the open source vulnerability database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as you'll hear.

You can download the full episode from the http://risky.biz website.


 

AfterBites: Wake Me Up When The "Cyberwar" Is Over...

The Story:

--US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)
A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers.
http://isc.sans.org/diary.html?storyid=6757
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html?wprss=securityfix
http://www.nextgov.com/nextgov/ng_20090708_6262.php
http://www.computerworld.com/s/article/9135279/Updated_MyDoom_responsible_for_DDOS_attacks_says_AhnLab?taxonomyId=17 ...

Once again, we have a "cyberwar" that only registers as a blip on the radar screen for most of us. Other than that, it's an inconvenience for government or commercial sites that didn't think about capacity when they built out their internet connections. It's far from a disaster; in fact, it's hardly newsworthy. It's only remotely interesting because, once again, the cyberwar pundits attempted to link the attacks to state sponsorship. As with the attacks on Estonia in 2007 ("Russia accused of unleashing cyberwar against Estonia"), will it turn out to be a few civilians operating under their own initiative? Another way of phrasing that question is "is the North Korean intelligence service a bunch of wimps?"

Continue reading "AfterBites: Wake Me Up When The "Cyberwar" Is Over..." »

 

Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control

Browsing the web is increasingly hazardous, especially given the recently released vulnerabilities and associated exploits. It’s interesting how the vulnerabilities are being referred to as "remote". While they are remotely exploitable, there are differences in how they are executed. One form of remote exploit requires no user interaction: a process listens on a port and is exploited over the network without the end user having to perform any action. The ActiveX vulnerability referenced in this plugin is remote, but does require that the user have a web browser loaded and actually be browsing the web. The exploit can be embedded into different web pages and executed without the user's knowledge or interaction on that particular page. Exploits that are “remote” in this context, but require a user to perform an action, are called “context dependent” by several vulnerability databases. Tenable has developed a plugin to detect a vulnerability that can be exploited in this manner.

Continue reading "Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control" »

 

Plugin Spotlight: Office Files List

Attackers have access to a great deal of public information about your organization. Public web sites, domain records, routing information and several other sources can provide an attacker with useful information to launch attacks. Public documents posted on your web site contain metadata that can be very useful to an attacker. Metadata, in the context of the documents created within your organization, is information about the document itself. This can include who created it, their email address, the creation date, the software used to create and publish it and the software version and platform. This information can then be used to create client-side attacks that specifically target individuals and the software they are using.

Continue reading "Plugin Spotlight: Office Files List" »

 

Advantages Of Running Both Network & Authenticated Nessus Scans

Implementing Different Scan Types

Often, Nessus and Security Center users ask how often they should run a vulnerability scan, and what kinds of scans should be run. In a previous post we explored some of the different scan types, including network checks, local checks and configuration auditing. I often encourage people to run all three types of scans against their network, each at a different frequency. All three types provide interesting and useful results that should be included in your vulnerability management program. In this post we will explore the differences, and benefits, of running the first two types of scans mentioned: network-based scans and local checks.

Continue reading "Advantages Of Running Both Network & Authenticated Nessus Scans" »