12 posts from September 2010


BruCon 2010 Training & Conference Wrap-up

BruCon is a security conference held in Brussels, Belgium. This was the second year of BruCon, and it consisted of two days' worth of training and two days' worth of presentations. It's a decent-sized conference of about 300 people total, including speakers and attendees. Everyone at the conference was extremely nice and very hospitable. The organizers went above and beyond to make sure that attendees had a good time, were able to get around the city and (most importantly) could share ideas about information security in an open environment.


Tenable Network Security Podcast - Episode 51

Welcome to the Tenable Network Security Podcast - Episode 51

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Paul talks about the Brucon security conference, including Nessus training, presentations, and more!


Apple Security Update 2010-006, File Sharing and Mac OS X defaults

On Monday, Apple released Security Update 2010-006, which fixes an “error handling” issue in the AFP (Apple Filing Protocol) server that may allow an attacker to log in as another user with a malformed password, provided he has “knowledge of an account name” on the remote system:

[Image: Apple security announcement]

We see enough Mac OS X systems with AFP enabled in universities that it is worth spending some time on this flaw and revisiting the Mac OS X file sharing capabilities and default settings.


Announcing The Nessus App for iPhone

Tenable is pleased to announce the official release of the Nessus App for iPhone! The application can be downloaded for free on the App Store and contains the following features:

  • Connect to a Nessus server (4.2 or later)
  • Launch existing scan templates on a server
  • Start, stop or pause running scans
  • Create and execute new scans and scan templates
  • View and filter reports

You will need an iPhone® or iPod touch® running iOS 4.0 or later in order to run the app. Following are some screenshots of the application in action:

The first thing you will need to do is add a new Nessus server:


Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition

"Silent" Worms: Stuxnet

The vulnerability patched with MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. The vulnerability was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability, and it contained code to exploit three other vulnerabilities: the print spooler vulnerability patched by MS10-061 and two other unnamed privilege escalation vulnerabilities that have yet to be patched. It's not every day that we hear of malware in the wild exploiting four 0-day vulnerabilities.

I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me:

  • Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation.
  • Stuxnet was written specifically to attack control systems, and is the first publicly known malware to contain a rootkit for PLCs, devices that control SCADA systems. The rootkit silently waits for commands.
  • Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations.
  • Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures).

There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the malware authors' logic; if they had used fast flux, they might still have control over the botnet they seem to have worked so hard to build.

[Image: ninjainfest.jpg] There are actually 6 ninjas in the above picture… can you spot them all?


Nessus ‘Here You Have’ Worm Detection Plugin Released

Many corporations spent last weekend playing “Whack-a-Worm”, attempting to eradicate the “Here You Have” worm. The major problem with viruses and worms is that once you think you have removed them from your network, another outbreak pops up. Nessus plugin 49211, “Here You Have Email Worm Detection”, has been added to the plugin feed and is available for both ProfessionalFeed and HomeFeed users. This plugin examines a Microsoft Windows system to detect the presence of the “Here You Have” worm. Note that you will need credentials on the target system for this plugin to work.

Security professionals first observed the worm on Thursday or Friday. Over the weekend, the worm spread considerably, infecting organizations such as the Florida Department of Transportation, ABC, Comcast, AIG, Disney and Procter & Gamble. The worm primarily spreads via e-mail and requires a user to click a link in the e-mail. This action loads a web page that prompts the user to open a file that appears to be a PDF, WMV or other presumably “safe” file type. In reality, the file is a .scr file (screensaver) and, once executed, will infect the system. While known as the “Here You Have” worm, based on the subject of the e-mail that propagates it, the worm may also use “Just for you” and “Hi” as the subject. Microsoft labeled the worm “Worm:Win32/Visal.B”; it carries other designations depending on the antivirus vendor.

Written in Visual Basic, the worm will infect the host and promptly disable any antivirus software on the system. It will then use contacts from Microsoft Outlook and Yahoo! Messenger to send copies of itself to as many users as possible. Locally, it will attempt to spread via removable media (e.g., USB drives) and network shares.

Nessus plugin 49211 detects the worm’s presence by examining several files on the system for indication that they were placed there by the worm. If detected, Tenable recommends you follow Microsoft’s directions for the safe removal of the malicious software. While Nessus does not focus on anti-malware, it can help provide a layered approach to dealing with virus and worm outbreaks by verifying that remediation measures have been comprehensive. No one wants to spend another weekend playing “Whack-a-Worm.”

For more information:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B

http://www.nessus.org/plugins/index.php?view=single&id=49211

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MEYLME.B&VSect=T


Tenable Network Security Podcast - Episode 50

Welcome to the Tenable Network Security Podcast - Episode 50

Announcements


Making Penetration Testers Lives Awful

Awful, awful, awful... Magic!

It was my wife’s turn to choose a movie the other night, which means there were no kung fu fight scenes, sword fights or car chases. Instead, there was a scene that depicted a father-to-be talking to a father of three children. The father with three children was explaining to the father-to-be what parenthood was really like and stated: "Parenthood is awful... awful… awful... but then there is this magical moment that makes it all worth it… then awful... awful... awful and repeat". Parents reading this, especially ones with small children, are probably laughing. However, I thought that the "awful, awful, awful, magic!" analogy also very accurately described penetration testing.

[Image: xmasmorning.jpg] I have a similar reaction both on Christmas morning and when I successfully compromise a system on a penetration test.


Tenable Network Security Podcast - Episode 49

Welcome to the Tenable Network Security Podcast - Episode 49

Announcements

Interview: Tenable Security Researcher Dennis Brown

[Image: dennissmall.png] Dennis going "incognito"

In this interview Dennis and Paul discuss:

  • New PVS rules to detect database queries
  • A TASL script that looks for common SQL events such as basic SQL injection attacks, logging data to a file, user/password dumps and locally executed commands
  • Why the passive monitoring approach is different from what is commonly seen with WAFs and the like

Related discussion forum posts:

Dennis and Paul also discuss the new Fast Flux detection TASL. More information about this script can be found in the discussion forum posting titled: Fast Flux Network Detection with LCE


Download Tenable Podcast Episode 49


Passive Vulnerability Scanner Network Licensing

Based on customer demand, Tenable Network Security is introducing two new license types for the Passive Vulnerability Scanner. These are:

  • Unlimited PVS sensor deployments within a Class B network
  • Unlimited PVS sensor deployments within a Class C network

Tenable will continue to offer an unlimited network monitoring license for a single PVS sensor. 

The additional license types allow an organization to consider deploying passive network monitoring without having to know exactly how many sensors they need. Tenable has many customers that deploy PVS sensors on the perimeter of their network before realizing that they could also benefit from direct passive monitoring of internal systems. 

We've received requests for a PVS license of this type to help monitor SQL databases, VPN termination points, virtual server farms, web sites subject to PCI DSS, segmented VLANs and users or offices deployed behind NAT devices.

If you would like to learn more about PVS pricing for these new license models, please contact our sales staff. 

Tenable Security Showcase - New York City

Please join Tenable's own Ron Gula, Renaud Deraison, Marcus Ranum and Paul Asadoorian for a Security Showcase on October 6, from 8:30am to 2:00pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City. Breakfast and lunch will be provided during this half-day FREE event.

Topics we will cover include:

  • The current status and future development plans for Nessus and our enterprise vulnerability assessment, compliance and log management products: SecurityCenter, Passive Vulnerability Scanner and Log Correlation Engine
  • The advantages of pairing active and passive scanning
  • What security strategies are outdated and what new trends are half-baked
  • "How I Learned to Stop Worrying and Love Regulatory Compliance"
  • "Zen and the Art of Nessus Web Application Scanning"

During lunch you will also be given a live demonstration of our enterprise solutions as they relate to the themes above.

Contact Donal McRae (dmcrae -at- tenablesecurity.com) to reserve your seat (space is limited for this event). We hope you can make it, as the showcase is a rare opportunity to receive firsthand insight from four leading experts.

Tenable Receives Passive Network Monitoring Patent

Tenable Network Security recently received a patent for monitoring network traffic and analyzing it to perform discovery of systems, applications and vulnerabilities. This is the core function of Tenable's Passive Vulnerability Scanner and also a core component of our Unified Security Monitoring strategy.