17 posts from February 2010

 

Implementing "Perimeter Intrusion Detection"

It's important to get the funds to support a security initiative - but even more important that these funds are well spent. In the article titled "$90M err-ports" from the New York Post Murray Weiss writes:

A nearly $90 million security system designed to thwart terrorists trying to get onto runways at the metro area's four major airports still isn't up and running four years after it was purchased by the Port Authority -- and it may never work, officials told The Post.

The safety network -- dubbed the Perimeter Intrusion Detection System, or PIDS -- was supposed to provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane at JFK, La Guardia, Newark and Teterboro airports.

Sources: Questions about a new airport security system, $90M err-ports, Raytheon Wins $100 Million Contract for Airport Perimeter Security

This story came to my attention while watching the news the other day. The term "Perimeter Intrusion Detection System" sounded familiar and triggered further investigation on my part. The New York Port Authority signed a more than $100 million contract with Raytheon to build and install perimeter fencing, sensors and cameras around the four major airports in New York (John F. Kennedy International and LaGuardia) and New Jersey (Newark Liberty International and Teterboro). The system is designed to prevent a potential terrorist from accessing a runway to attack a plane. The article states:

"provide state-of-the-art electronic fencing complete with sensors and closed-circuit cameras that would immediately pinpoint someone trying to get on a runway to attack a plane"


 

SecurityCenter 4 Introduction – Pushing the envelope for scanning and event management products

Tenable Network Security will shortly release SecurityCenter 4. It embodies our entire Unified Security MonitoringTM strategy. SecurityCenter 4 places everything you need to know about vulnerabilities, missing patches, intrusion events, anomalies, log searches, configuration audits, file integrity auditing and much more right at your fingertips. It centralizes all system and event alerting for any type of security, IT or compliance regulations. But most of all, it makes your job as an auditor, a “risk mitigator”, a compliance monitor, a security analyst or even an IT executive, much easier. This blog post discusses the major functions of SecurityCenter 4 and provides several screen captures to illustrate them.


 

Nessus Version 4.2.1 Released

As always, we are excited to announce a new release of the Nessus vulnerability scanner. This is a point release (moving from 4.2.0 to 4.2.1) that introduces changes to the scanning engine only. The GUI has not been updated in this release; GUI changes are implemented and released independently of point releases.


From a user perspective, the biggest changes in 4.2.1 are the two performance items that improve the speed of the GUI and lower the memory overhead when doing a scan. With regards to the GUI, interaction between the GUI and the database has been improved to better handle browsing reports with thousands of hosts or thousands of open ports per host. Memory consumption has been designed to take better advantage of the allotted memory used by Nessus. For example, in previous versions there was a 5 MB overhead per host being scanned. This meant that if max_hosts was set to 100, you'd "lose" 500 MB of memory. In Nessus 4.2.1 the memory overhead per host has been reduced to less than 500 KB, which allows the user to dramatically raise 'max_hosts'.


 

Tenable Network Security Podcast - Episode 24

Welcome to the Tenable Network Security Podcast - Episode 24

Announcements


 

See SecurityCenter 4 at RSA 2010 - Booth 956

Tenable will be participating in a variety of events at this year's RSA show in San Francisco next week. 

We are in booth #956. Renaud Deraison, Paul Asadoorian and I will be attending the show, working the Tenable booth and meeting as many people as we can. 

We will be demonstrating SecurityCenter 4.0 along with Nessus 4.2, the latest Passive Vulnerability Scanner and the Log Correlation Engine. SecurityCenter 4 has many new features that simplify the process of collecting security information about a network and tracking security events in real time. Please stop by to see how easy it is to pivot from analyzing Microsoft patches, to tracking CIS configuration settings, to looking for anomalies in your firewall logs and correlating attacks in one easy to use interface. 


Example SecurityCenter 4 dashboard displaying events and vulnerabilities

 

Nessus Plugin Spotlight: Linksys Router Detection

Embedded devices are often connected to a network with no regard given to security. The market has been saturated with devices such as web cameras, wireless routers, VoIP phones and more. Manufacturers are in a race to see who can produce the cheapest and most user-friendly device. Of course, when you make something cheap and easy to use, security is often one of the last considerations. We are left with consumer devices that come with default credentials, common web application vulnerabilities, and no encryption support on management protocols (HTTP vs. HTTPS, and Telnet vs. SSH).

The insecurity of embedded systems may not seem to be a big deal; what could someone possibly do if they compromised such a device? If the device is a router, the potential for traffic sniffing and DNS cache poisoning attacks is high. Other devices such as web cameras can be used to gather intelligence, used as jumping-off points (such as printers, as depicted in the book "Stealing the Network: How to Own a Continent") or even used as part of a botnet. There is one report of a botnet being built solely on embedded systems, wireless routers in particular. Vulnerable embedded systems are plentiful on the Internet, as uncovered by Columbia University researchers in October 2009 when they released vulnerability scanning data of 130 million IP addresses. Nearly 300,000 devices presented a management interface, with 21,000 of those devices using default passwords. I believe this poses a significant threat to our infrastructure and plan to talk in more detail about this topic at SOURCE Boston in April of this year. As I research embedded systems I regularly feed the Tenable research team information about my findings.


 

Not Just for Health Care Providers Any More - HITECH for Business Partners

Enacted on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, was designed to protect the security and privacy of Personal Health Information (PHI). Although related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act expands on the requirements to protect health information and has a wider scope for the entities that it covers. Under the HITECH Act, business partners of health care providers are now subject to HIPAA requirements and the penalties for violating the requirements. These new requirements for business partners become effective on February 17, 2010; one year to the day after the HITECH Act was signed into law by President Obama.

When many people think about data breaches and personal information, they tend to think about the loss of credit card information or Social Security numbers rather than medical information. However, over 220 data loss incidents recorded by the DataLossDB involved medical information over the last several years and there are certain to be countless other incidents that were either not publicly reported or have not yet been cataloged in the database. To this end, the HITECH Act will also establish a new breach notice requirement that will go into effect in September of 2010:

Sec. 13402. Notification In The Case Of Breach.
(a) In General.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

It should be noted that many states do not include medical information in their data breach notification laws, but since the HITECH Act is federal legislation, all health care entities and their business partners are required to disclose a breach if it can be treated as “discovered”. Notification may include not only individual notices to those people affected, but also possibly notice to “prominent media outlets” and, where applicable, the Department of Health and Human Services.


 

Tenable Network Security Podcast - Episode 23

Welcome to the Tenable Network Security Podcast - Episode 23

Announcements


 

Shmoocon 2010 Security Conference

ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest, which scored the homemade launchers in several different categories.

Larry Pesce participating in the Shmooball launcher contest at ShmooCon 2010 in Washington, DC. Larry's Shmooball launcher proudly displayed the Nessus banner throughout the conference and received a lot of attention from curious conference attendees.

This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:


 

Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition

Patch Tuesday Gives Birth to "Zombie Wednesday"

The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.

Microsoft is in Love With the Word "Could"

There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the word "could" is one such example. In the MS10-002 bulletin Microsoft states:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

I “could” also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit "could" is an exceptionally bad word choice as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with less rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let’s take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.


 

Tenable Network Security Podcast - Episode 22

Welcome to the Tenable Network Security Podcast - Episode 22

Announcements


 

Afterbytes with Marcus Ranum - Data Leakage

BERLIN/ZURICH (Reuters) - A Swiss lawmaker likened German attempts to buy data on cross-border tax evaders to bank robbery on Tuesday and the Swiss banking lobby said Berlin was acting as a receiver of stolen goods.

Reference: Swiss lawmaker accuses Berlin of "bank robbery"

This could be the start of an interesting trend: targeting information for theft and disclosure. We've already seen that the underground is willing to monetize data leakage, but if governments get involved we'll see organizations getting penalized on both sides: you're fined for leaking the data, and the data is used against you when it does get leaked.

In the next 5 years or so, we can expect to see the data leakage problem come to a head; I think that our law-makers, regulators, and 'the powers that be' still haven't realized the extent of how exposed and distributed our sensitive data has become. We're in the early stage of the game and I believe that the problem has gotten worse - faster - than almost anyone is willing to admit. What is going to happen? It's too late to put the worms back into the can, but putting them back in the can is the only option that actually would work. The next decade is going to see a fascinating collision between reality and fervently held wishes.

 

Afterbytes with Marcus Ranum - Russian Stealth Fighters

Moscow, Russia (CNN) -- Russia tested its fifth-generation Sukhoi fighter jet in the Russian Far East on Friday. The plane, provisionally called T-50, is the country's first fighter jet based on the stealth technology and is viewed by military experts as the Russian answer to the American F-35 and F-22 jets.

References: Russia tests its first stealth fighter jet

Congratulations, Sergey, for flying the new T-50 Russian Stealth fighter - the one that is not based on the Joint Strike Fighter plans that allegedly are being stolen from the US by Chinese cyber-spies.

Do I need to belabor the obvious, or have I already made my point?

For those of you who need back-fill, it ought to be pretty clear that the leaks which brought us Russian stealth technology (no, they did not invent it themselves) are neither recent nor related to the alleged Chinese "cyberwar" that we've been hearing so much about. Experienced security practitioners have been saying for years that technology intelligence is a strategic problem, and that it's not a simple matter of 180,000 script kiddies running exploits against Google. It's a serious problem, and it involves embedded intelligence assets compromising extremely expensive advanced development efforts. I don't want to seem snarky, but I'll bet that a lot of the stealth technology in the T-50 comes from the Los Angeles area, not Tbilisi.

When we "see" Chinese stealth aircraft, will they be chalked up to the leak of the Joint Strike Fighter plans, or to the leak that brought us the T-50? As a taxpayer, I have to wonder if our extremely expensive-to-develop stealth technology has been auctioned with "Buy It Now" on Ebay, or something. Fortunately, super-powers aren't likely to be going mano-a-mano any time soon, but life is going to suck for some people when the North Koreans get a Paypal account and buy a copy.

Meanwhile, the computer security "old guard" has been consistently banging the drum about insider threat, counter-intelligence, need to know, reducing the scope of access to sensitive technologies, and so forth, until we're ready to scream. We have been saying, "what, do you think we're dealing with amateurs?" while you're being regaled with accounts of Google getting swamped with a human wave of 180,000 script kiddies. What do you think matters: strategic technologies or Google's advertiser database?

It used to be that when I said "I told you so!" I got a warm feeling, but now I just feel dumb and helpless.

 

Afterbytes with Marcus Ranum - Under Constant Attack

Title: Critical Infrastructure Computer Systems Under Constant Attack

Date: January 28 & 29, 2010

According to a report from The Center for Strategic and International Studies, utility companies’ and other critical infrastructure components’ computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries’ laws are not effective in deterring cyber attacks, and nearly half believe that their countries do not have the ability to prevent cyber attacks.

Sources: Global Critical Infrastructure Networks Regularly Under Attack , Government's Cybersecurity Role Gets Mixed Reaction, Study Finds Growing Fear of Cyberattacks

Wow, did you realize that if you connect to the internet, you might come under attack?

Once again, we see the reality disconnect that is computer security. Are we to infer from the article that executives expect their government to somehow protect their internet connected systems from so many attacks? It's starting to sound like it's time to put the signs back up that read "Must be _ this tall to ride this ride." It is now and has always been the case that:

  • Anyone connecting to the internet should expect to be attacked
  • You pretty much can't "do anything" about the attacks
  • The attacks will appear to come from someplace you have no jurisdiction over

The bottom line is as it's always been: it's your job to defend yourself, and you're crazy if you expect any kind of help from anyone. You're on your own, in other words. Of course your country's laws aren't going to deter cybercriminals - the people who are causing your problem aren't subject to your laws. Of course your government isn't going to be able to help you - the people who are causing your problem do not fear your government. It's that simple: you must be this tall to ride this ride.

Besides, the best that the government can do for anyone, at this point, is write an official harsh letter.

Since the cyberattack hype bandwagon is in full swing, I figured it wouldn't take long before corporations started looking for a cybersecurity bail-out; remember how much money was going to be saved by remote-linking those power-grid nodes over the Internet? Maybe it was a false saving after all. A couple of months ago I was chatting with a pretty clueful fellow who had worked on some of the power-grid systems, and he was bemoaning how much it was going to cost to beef up the security and flog the deeply embedded hackers out - "the customers are not going to want to foot the bill for this one!" he said. I couldn't help but reply, "well, why can't the power companies pay for it from the money that they saved by using the internet instead of private dedicated links?"

Here's another prediction for you: the corporations will be next in line with their hands out for a cybersecurity bail-out. And, let me tell you another trade secret of how to be an industry "thought leader": predict things that are already happening.

A couple of months ago, when I started tracking the "Chinese cyberwar" kerfuffle, I said that it sounded like budget pumping to me, and I stand by what I said. The U.S. Navy recently announced that it has established a "cybercommand" like the other branches of the DoD, and thanks to the new red scare the budget faucet is flowing merrily.

 

Risky Business and OWASP Podcast Interviews with Ron Gula

Recently, I had the chance to be interviewed for two different podcasts. 

In Risky Business #138, I had the opportunity to chat with show host Patrick Gray about the recent Google hack, why they may have been using IE6 and what this means for information security in general. This episode also features an interview with Dan Geer on the future of computing which I highly recommend. 

In OWASP #58, I was interviewed by the show's producer, Jim Manico. Jim received several questions from the Internet and Twitter about the similarities between web application firewalls and intrusion detection systems which we covered in depth. We also spoke at great length about web application penetration testing, how web application security can be managed and leveraging technologies such as file integrity checking and process accounting for detecting and responding to incidents.



 

HNAP Protocol Vulnerabilities - Pushing The "Easy" Button

Ease and Security Don't Mix

In the eternal quest to create easy ways for systems to communicate with people and other systems, embedded device manufacturers have created new protocols. One of the first was UPnP, or Universal Plug and Play, which has had its share of security problems. The latest protocol to emerge is called HNAP, or Home Network Administration Protocol. Its goal is to "allow advanced programmatic configuration and management by remote entities." The protocol's primary purpose is to aid device manufacturers in supporting remote devices such as printers and wireless routers. HNAP allows device configuration to be both viewed and changed remotely using an HTTP SOAP-based protocol. While this sounds wonderful, someone decided to push the "easy" button:

"HNAP was designed to be a simple, light weight protocol that is easy to implement inside of small cost-constrained hardware such as network routers, cameras and other small devices. Because the protocol is based on existing HTTP-SOAP standards, it is very flexible and easily extensible."

The first phrase that raises a red flag for security-minded people is "simple, light weight". This almost always means that in order to simplify the design to make it "light weight", the first thing to go is security. Further reading of the Cisco Systems whitepaper on HNAP reveals an entire section dedicated to "Protocol Security", which states:


 

Tenable Network Security Podcast - Episode 21

Welcome to the Tenable Network Security Podcast - Episode 21

Announcements
