12 posts from April 2010

 

Tenable Network Security Podcast - Episode 31

Welcome to the Tenable Network Security Podcast - Episode 31

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Interview: Ron Gula, CEO of Tenable Network Security


 

SecurityCenter 4 Released - Taking Unified Security Monitoring to a higher level

Tenable Network Security is very pleased to announce the release of SecurityCenter 4. This major new release of our security management tool provides much greater efficiency in managing security, compliance and situational awareness for enterprise network monitoring. The process and data from vulnerability scanning, log analysis, event management, configuration auditing and much more can be managed, fused and analyzed from one central console. This is the core principle of Tenable’s Unified Security Monitoring strategy.

Tenable's web site has been updated with much more detailed information about SecurityCenter 4 and how it manages the Nessus vulnerability scanner, the Log Correlation Engine and the Passive Vulnerability scanner. We’ve also updated our solutions content that features the new capabilities of SecurityCenter 4 to enable tasks such as database activity monitoring, forensics, user tracking and anomaly detection. 

More information about SecurityCenter is provided in the following demonstration videos and images and can also be obtained by contacting us at sales@tenablesecurity.com.


SecurityCenter
Screenshots


SecurityCenter
Introduction Video

 

PVS 3.2 Released – Enhanced vulnerability discovery, real-time forensics and file share and database activity monitoring

Tenable Network Security is proud to announce the release of version 3.2 of the Passive Vulnerability Scanner (PVS). This product is a network sniffer that scans for real-time vulnerability data and transmits it to Tenable’s SecurityCenter management console along with real-time user and forensic activity transmitted to Tenable’s Log Correlation Engine (LCE). This blog entry describes many of the new features and enhancements in this release.


 

Tenable at SOURCE Boston

Tenable is again returning to the SOURCE Boston conference, held at the Seaport Hotel from April 21-23. This year Tenable will be delivering three presentations: Tenable CEO Ron Gula will be presenting a talk titled “How to Detect Penetration Testers” on Wednesday from 10:00 am to 10:50 am; Carole Fennelly and Kelly Todd will be participating in the Vulnerability Management panel on Thursday from 10:00 to 10:50; and Paul Asadoorian will be presenting a talk titled “Embedded System Hacking and My Plot to Take Over the World” from 2:00 to 2:50 on Thursday. This blog provides a brief overview of these presentations.

Ron Gula’s talk, “How to Detect Penetration Testers”, describes methods of detecting authorized penetration testers from a variety of technical and political aspects. Very often audit organizations feel the need to run a “surprise” audit on one of their divisions. This is intended to see how the target organization reacts to an unannounced penetration attempt, but very often results in disrupted production services and a lot of political finger pointing. This presentation provides tips and insights to make better use of firewall logs, netflow data and system logs both to protect from situations that will embarrass the security program as well as protect resources from the real intruders.


 

Afterbytes: The "Cyberwar Battlefield"

Article Title: Navy Fleet Cyber Command Expected to Have Predictive Capabilities Within Two Years

Date: April 6, 2010

Vice Admiral Bernard McCullough, commander of the Navy Fleet Cyber Command, estimates that the command will establish a proactive defense posture by October 2010. Speaking at the Center for Strategic and International Studies, McCullough said that the military is traditionally reactive and static, but we need to be proactive, dynamic and predictive. He noted that we have to start seeing the network as a weapons system, and the domain as the battlefield. McCullough acknowledged that transforming perceptions will take time but believes the command will have predictive capabilities within two years...

Reference: Navy cyber leader expects proactive capabilities this year

I like "proactive" - it's a good dynamic buzzword, if you're the kind of person who is impressed by action-y sounding verbs. But "predictive"?


 

Event Analysis Training – Passive Worm Detection

This blog entry describes a basic worm detection that triggers multiple types of correlation rules. All detections were done passively using the Passive Vulnerability Scanner (PVS) and by observing network session traffic using the Log Correlation Engine (LCE). The principles in this blog entry and others in our ‘Event Analysis Training’ blog series can be used with a variety of NBAD, IDS and SIM solutions.


 

Nessus Version 4.2.2 Released

As always, we are excited to announce a new release of the Nessus vulnerability scanner. This is a point release (moving from 4.2.1 to 4.2.2) and applies fixes to the scanning engine itself in addition to some of the utilities. The GUI has not been updated in this release; however, GUI changes will be implemented and released independently from a point release.

The list below outlines the changes included in the 4.2.2 release:

  • nessus-fetch binary:
    • Proxy authentication now works on Windows
    • Proxy authentication (NTLM) with a username and domain now works
    • In some cases, the last nessus-fetch.rc statement might be ignored

  • Fixes:
    • Fixed a memory leak in the NASL xmlparse() function
    • Fixed IPv6 routing when talking to a remote host (FreeBSD, Mac OS X)
    • Packet forgery was not always working on ES5 64 bits due to a gcc bug on this platform
    • Fixed the Debian /etc/rc init script
    • Upgraded OpenSSL to version 0.9.8n (Windows, Solaris)

  • Stability improvements:
    • Fixed a possible crash when using a poorly written custom plugin
    • Fixed a possible crash when running out of BPFs on Windows

New customers can download and evaluate Nessus for free by visiting the Nessus homepage. Current customers can download the new version from the Tenable Support Portal. Detailed instructions and notes on upgrading are located in the Nessus 4.2 Installation Guide. Please contact Tenable Support (support@tenablesecurity.com) with any questions regarding the upgrade to Nessus 4.2.2.

 

Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition

It’s A Bird, It’s a DoS, It’s Remote Code Execution!

I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" (such as MS10-014 from February) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-020, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could" allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-020. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".


 

Tenable Network Security Podcast - Episode 30

Welcome to the Tenable Network Security Podcast - Episode 30

Announcements

Stories


 

Plugin Spotlight: SMB Insecurely Configured Service

Misconfiguration can Lead to Compromise

As a former full-time systems administrator, I understand the pain of managing and maintaining systems. A significant amount of testing is often required to ensure that you have the correct configuration settings, not just in terms of security, but also for system stability. Once you have the correct configuration, it is difficult to maintain consistency across the environment on an ongoing basis (especially across hundreds, or even thousands, of disparate systems). This problem crosses all platforms, and Unix/Linux and Windows administrators alike share the same challenges. Some examples include:

  • Authentication/Logon services implementing the appropriate policies
  • Ensuring all services are logging properly
  • Permissions on existing users and running processes
  • Various configuration settings associated with installed services (and typically specific to the service)


 

Tenable Network Security Podcast - Episode 29

Welcome to the Tenable Network Security Podcast - Episode 29

Announcements


 

Exciting Technical Career Opportunities At Tenable


Tenable Network Security is currently seeking talented individuals to fill several roles within the company. Tenable Network Security is a privately held company founded in 2002 by security product innovators Ron Gula, Renaud Deraison and Jack Huffard. Together with Tenable CSO Marcus Ranum, they have developed a Unified Security Monitoring approach based on the award-winning Nessus scanner engine leveraged with several other enterprise vulnerability and log management products such as SecurityCenter, the Log Correlation Engine (LCE) and the Passive Vulnerability Scanner (PVS). In 2009, Tenable was named one of Deloitte’s 500 fastest growing technology companies. This blog provides a brief description of four technical positions that are open here at Tenable:

Vulnerability Research Engineer

This position is ideal for those who like to research and test software vulnerabilities. The results of your research will present themselves as Nessus and PVS plugins, which are small scripts that are able to detect vulnerabilities. In this role, you will accurately test for vulnerabilities by manually configuring vulnerable targets in a virtual environment, analyzing the system or application to reliably understand how the vulnerability is exploited and then developing a method to test for the vulnerability with credentialed or uncredentialed access. We are looking for people with strong programming skills (knowledge of a scripting language, regular expressions, functions and source code analysis), familiarity with system configurations in operating systems, applications or network devices and in-depth knowledge of TCP/IP protocols, Linux/Unix internals and Windows internals.
