10 posts from December 2009

 

Ranum's Rants: Cloud Forum Roundtable

I recently attended the San Francisco IANS Security Forum, where Hart Rossman and I facilitated several of the roundtable sessions. I thought I'd summarize a few of the "take-aways" and useful comments from each.

Continue reading "Ranum's Rants: Cloud Forum Roundtable" »

 

Top 10 Nessus Plugins For 2009

Plugins, Glorious Plugins

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year, and compiled the following list:

Continue reading "Top 10 Nessus Plugins For 2009" »

 

Afterbytes: Thoughts on "Cyber Warfare"

The story:

US and Russia Discussing Cyber Warfare and Cyber Security

Officials from the US and Russia are meeting to discuss improving Internet security and establishing cyber warfare policy. The Russians would like to see a cyber warfare disarmament treaty between the two countries. The talks are a step forward for the US, as the previous administration refused to engage in cyber warfare discussions with Russia.

Date: December 13 & 14, 2009

Sources: In Shift, U.S. Talks to Russia on Internet Security & U.S. and Russian officials talk cyberissues

I see this as a positive step toward acknowledging that "cyberwarfare" between superpowers is stupid, unless it's done in the context of full-on conflict. We'd all rather avoid that, thank you!!

Continue reading "Afterbytes: Thoughts on "Cyber Warfare"" »

 

Tenable Network Security Podcast - Episode 17

Welcome to the Tenable Network Security Podcast - Episode 17

Announcements

Continue reading "Tenable Network Security Podcast - Episode 17" »

 

Risky Business Episode #136

The latest episode of the Risky Business podcast is now online. Patrick Gray and I spoke about the recent SANS Incident Detection Summit and how forensics, security monitoring and the detection of advanced persistent threats are gaining more awareness and attention in enterprise networks. Episode #136 also discusses a new zero-day exploit for Cisco firmware and information security news events.

 

Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers", but customers don't seem to understand (and/or aren't informed of) the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Continue reading "Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication" »

 

Tenable Network Security Podcast - Episode 16

Welcome to the Tenable Network Security Podcast - Episode 16

Announcements

George Theall heads up Tenable's Research group and shares with us some interesting thoughts about vulnerabilities, Nessus plugins, and more!

Continue reading "Tenable Network Security Podcast - Episode 16" »

 

Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPsec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer who wrote the client software misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When it is used in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Continue reading "Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition" »

 

Tenable Network Security Podcast - Episode 15

Welcome to the Tenable Network Security Podcast - Episode 15

Announcements

  • Nessus 4.2 is released! - The release is going really well, and feedback has been positive. Renaud will join us for this episode to fill us in on some more of the details.
  • A new blog post has been released titled "Movable Type mt-check.cgi Information Disclosure", which covers a pretty serious remote information disclosure vulnerability in Movable Type.
  • We're hiring! - Visit the web site for more information about open positions; there are currently 14 open positions!
  • You can subscribe to the Tenable Network Security Podcast on iTunes!
  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, share Nessus plugin statistics, and more!

Renaud Deraison, creator of the Nessus vulnerability scanner, joins us to talk about the changes in Nessus 4.2.


Continue reading "Tenable Network Security Podcast - Episode 15" »

 

Plugin Spotlight: Movable Type mt-check.cgi Information Disclosure

Severity Is Multi-Dimensional

Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with “high” severity ratings always caught my attention first. Sometimes it would take a week’s worth of effort to evaluate and remediate the high-severity vulnerabilities. Although I knew that I should also investigate the low or medium severity alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks, and would go unfixed for months or years, or never get fixed at all, unless a security incident occurred that involved one of the low-severity vulnerabilities. This is a problem that many organizations face, and the following Movable Type vulnerability is a great example that I hope underscores the point that a “lower severity rating” does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort required to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it’s not remotely exploitable to gain a shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application).

Continue reading "Plugin Spotlight: Movable Type mt-check.cgi Information Disclosure" »