14 posts from July 2010

 

Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)

Web application testing with automated scanners can be tricky business. While testing various target web servers, I found that some targets seemed to finish in a relatively short period, while others took days - or never seemed to complete at all. This occurred despite the fact that I often used identical test settings and relatively conservative scan settings for the different targets.

While troubleshooting this apparent disparity, I came across a useful plugin that helped me see a little of what was going on in the background. The plugin is Nessus Plugin ID 33817 “Web Application Tests : Load Estimation”.

Continue reading "Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)" »

 

10 Devices Attackers May Think About Attacking

Cars, Cell Phone, GPS, and Blenders.... Oh My!

I recently read an article titled, 10 Everyday Items Hackers Are Targeting Right Now. It was quite the list, and while possibly a bit far-fetched, it made me think about security in the context of these devices as they relate to enterprise security:
  1. Your Car - Your company may have vehicles, and certainly a good percentage of your employees drive to work every day. The security implications surrounding company vehicles are not something you need to lose sleep over now, but you may want to keep an eye on this for the future. I had some fun with injecting audio into Bluetooth systems on cars some time ago. While this is a neat "party trick", there is no immediate security threat to your organization's data via audio injection attacks. However, what if I told you I was able to listen to conversations happening in the car? This might be a threat, especially if your executives like to have conversations on the way to work with clients, potential customers or each other. If we take this a step further, what if Wifi systems inside cars could be compromised and used as a trojan horse to get within wireless proximity of a secure building? I don't think this is something that most organizations need to take proactive steps to prevent today, but high security facilities could possibly be infiltrated this way some time in the near future (of course, you could also attach a device to the car that is authorized to enter the secure facility).
I guess "Kitt" was a "Smart Car"?

Continue reading "10 Devices Attackers May Think About Attacking" »

 

Tenable Network Security Podcast - Episode 43

Welcome to the Tenable Network Security Podcast - Episode 43

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Continue reading "Tenable Network Security Podcast - Episode 43" »

 

Tenable Reaches 100th Employee

For the past several months, Tenable Network Security has been creating and filling new positions within the company. As we continue to grow, Tenable has been steadily working to improve Nessus and its line of Enterprise products, and we have recently added our 100th employee to our roster… but we’re not done yet. Tenable currently has nine open positions listed on our Careers page, including career opportunities in Development, Engineering, Training and Sales.

Among the positions listed is a “Digital/Web Strategy Coordinator”, which is designed to develop and maintain Tenable’s customer-facing websites. The ideal candidate for this position will have a unique blend of technical and marketing skills, excellent communication skills and the ability to work on multiple strategic projects simultaneously. This position reports to the Director of Marketing and will work closely with our Sales, Development and Content groups to improve our existing online presence and complete new online projects.

Tenable’s Director of Marketing, Susan Corbin, says, "This position is a great opportunity for someone who enjoys taking an idea or concept, formulating a marketing strategy around that concept, and then working the project through to completion. It is a very hands-on role with a lot of room for learning and growth potential, which is perfect for someone who wants to get some real-world marketing experience under their belt".

Continue reading "Tenable Reaches 100th Employee" »

 

Detecting ALL of Your Websites Passively and Continuously

Web application auditing is really difficult if you don’t know about the presence of a website or specific application. You may not know about a web server. You may not know what applications run on that single web server. You may even have malicious websites installed on your network by malware or Trojans. Nessus is great for scanning and finding web servers, even on uncommon ports, but you need to scan often to get the most benefit. Fortunately, Tenable’s Passive Vulnerability Scanner (PVS) can discover new web servers and all of their active web sites in real-time and without any impact to your network. This blog discusses how the PVS can be used to audit networks to find all authorized and malicious websites in use.

Continue reading "Detecting ALL of Your Websites Passively and Continuously" »

 

Unlimited Discovery Scanning with SecurityCenter and Nessus

With the recent release of SecurityCenter 4.0.1, Tenable has modified the IP-based licensing to include unlimited discovery scanning. This means organizations that make use of SecurityCenter can perform routine ping sweeps of their backbones and network blocks without it counting against their licensed IPs.

Continue reading "Unlimited Discovery Scanning with SecurityCenter and Nessus" »

 

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.


"These aren't the vulnerabilities you're looking for. You can go about your business."

Continue reading "Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"" »

 

Detecting Recurring Vulnerabilities

One of the advantages of Tenable’s suite of Unified Security Monitoring products is that continuous vulnerability monitoring can be used to find reintroduced security issues. Vulnerabilities that were once mitigated but are now back again represent process and organizational issues that must be handled differently. Simply reporting the vulnerability again and waiting for it to be patched does not address the fundamental flaw in the process. This blog entry discusses how recurring vulnerabilities are detected, some of the reasons why they may be recurring and how you can track and report on them with Tenable’s SecurityCenter.

Continue reading "Detecting Recurring Vulnerabilities" »

 

Tenable Network Security Podcast Episode 42

Welcome to the Tenable Network Security Podcast - Episode 42

You may even find an answer to the ultimate question of life, the universe and everything in this very episode!

Hosts: Paul Asadoorian, Product Evangelist

Announcements


Continue reading "Tenable Network Security Podcast Episode 42" »

 

Tenable at Black Hat USA 2010!

July hasn’t been hot enough for me and some of the other Tenable staffers, so we will be heading to the desert of Las Vegas in a few weeks to attend Black Hat USA 2010! Since 1997, the Black Hat conference has provided a neutral ground for security researchers, government agencies and information security professionals to integrate their varied perspectives. This will be my ninth year at Black Hat and I’ve always found it to be an intense couple of days meeting up with almost everyone I know in the Infosec field. I’m delighted that Tenable will be represented in the Black Hat Trainings, Black Hat Briefings, Black Hat vendor area and DEF CON this year.

Tenable’s Product Evangelist, Paul Asadoorian, will be teaching two sessions of a brand-new (seriously – we’re still editing it) Advanced Nessus Training Class.

This class is intended for those who are already familiar with Nessus and will cover special techniques and testing situations that you may not be familiar with. There will be a lot of hands-on lab work, assisted by Tenable’s lead Trainer, David Poynter (so that Paul can keep talking, one of his favorite activities). The first session will be held on Saturday and Sunday (July 24 & 25) and the second session on Monday and Tuesday (July 26 & 27). There are still a few seats open in both sessions, but they are filling up fast!

Continue reading "Tenable at Black Hat USA 2010!" »

 

Research Spotlight: Oracle Patch Auditing

Oracle has implemented a quarterly patch release cycle for its customers. Patches for all Oracle products are released on this schedule, and typically fix dozens of vulnerabilities in their database software, Sun Java (recently acquired) and other enterprise products. They have a similar rating system to other major vendors (such as Microsoft and Cisco) with regular patch release cycles. Oracle describes the severity of each vulnerability using the Common Vulnerability Scoring System (CVSS): "Access Vector", "Access Complexity", "Authentication", "Confidentiality", "Integrity" and "Availability". It is a great way to categorize vulnerabilities; however, this still leaves you with the important task of scheduling, testing and applying the updates.

Tenable's Research team has added the ability to perform an Oracle patch audit into the Nessus vulnerability scanner. A new plugin was created (oracle_rdbms_query_patch_info.nbin) that logs into an Oracle database and runs a set of queries to determine which patches are missing:

  • Query 1 - Determines the hostname of the system the database is running on (important when Nessus is testing an Enterprise Manager Grid Controller that contains patch information of other hosts).
  • Query 2 - This query pulls the installed "PatchID" and the "Oracle_home" it is installed in.
  • Query 3 - If Nessus found any PatchIDs in Query 2, it looks up all the bugs that were superseded by each PatchID that was found in Query 2.

The patch information comes from the same tables that are used by Oracle Enterprise Manager and Oracle Enterprise Manager Grid Controller for patch management.

Continue reading "Research Spotlight: Oracle Patch Auditing" »

 

Nessus and the Fight against Viruses

We’ve blogged many times over the past few years about how Nessus can be used to scan systems for both the presence of some viruses as well as the presence of an effective antivirus solution. This blog provides an overview of all current Nessus virus and antivirus technologies available to HomeFeed, ProfessionalFeed and SecurityCenter users.

Continue reading "Nessus and the Fight against Viruses" »

 

Tenable Network Security Podcast - Episode 41

Welcome to the Tenable Network Security Podcast - Episode 41

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Continue reading "Tenable Network Security Podcast - Episode 41" »

 

Research Spotlight: The Evil That Bots Do

It’s All About the Information

"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"
- "Cosmo", From the movie "Sneakers" (1992)

The last part of the quote above always seems to play in my head during the course of an average day in information security. It really is all about information in many different aspects. One aspect I would like to highlight is collecting information about those who are attacking you. Specific information potentially useful to those defending networks and systems could be:

  • The Software Itself - Perhaps the most useful information you can have, understanding what the malicious software (a.k.a. "malware") does is critical in being able to detect, prevent and remove it from your systems.
  • The Users - Understanding how and why the end-user is using the software can provide some useful information (admittedly not as useful as analyzing the software itself). Malware can give an attacker a host of features. Knowing which ones are using it for denial of service attacks, and which groups are stealing bank data can help aid detection and forensics analysis (on both the system and the network).
  • The Programmer - Probably the least useful to those defending networks on an everyday basis. Most authors of malware are most likely motivated by profit, and create software to sell on the black market. Sometimes interesting things can be found in the software itself, indicating potentially where the software was created and providing hints as to the author's skill level.

I'd like to highlight some of the above information in this article (and an upcoming podcast) as it relates to botnets and malware. There is an endless supply of malware designed to perform a wide array of "evil biddings". There is an entire economy behind botnets, including outsourcing, marketing and shady business schemes. All of this activity is happening on our networks today, leading to service disruptions from distributed denial of service (DDoS) attacks to theft of banking information.

Tenable has produced several configuration audits and updates to enterprise products, such as the Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS), to help detect this activity in your environment. Nessus ProfessionalFeed customers can download the configuration auditing files that detect malware from the Tenable Support Portal Virus Detection Policies page (requires a Tenable Support Portal Login). For more detailed information on how Nessus is able to detect viruses, refer to the article Auditing Infected Systems for Viruses and Trojans with Nessus.


Continue reading "Research Spotlight: The Evil That Bots Do" »