16 posts from October 2010

 

Plugin Spotlight: D-Link DCC Protocol Security Bypass

Reconfiguring Access Points

Wireless threats come in many different forms, such as disclosure of cleartext credentials, breaking encryption schemes such as WEP and attacking wireless drivers on client systems. While you can extend the range of wireless signals, for the most part these attacks require the attacker to be in close physical proximity to the wireless network and/or client. This is the primary reason why most organizations do not assign a high priority to defending against these attacks. There are far more attackers on the Internet than will be in close proximity to your wireless deployment.

However, what worries me greatly are wireless attacks that break down these physical barriers. What if attackers could remotely attack a system and then use it to perform local wireless attacks? There have been some papers posted about using the local client system to enumerate wireless networks, but not much in the way of launching attacks. Malware that embeds itself in wireless routers has received limited exposure (except for the infamous "Chuck Norris" worm, which may have been due to the popularity of the "Chuck Norris Facts" web site).

In an effort to stay ahead of attackers, I recommend that organizations place a higher priority on protecting wireless clients and access points. There are several very concerning vulnerabilities in access points that are trivial to exploit. One example is the D-Link DCC Protocol Security Bypass.

Continue reading "Plugin Spotlight: D-Link DCC Protocol Security Bypass" »

 

Integrating Nikto with Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Integrating Nikto with Nessus":



Please visit the Tenable YouTube Channel, where you can view the above video in High Definition for better picture quality.

When installing Nikto on Linux systems, here are a few tips:

Continue reading "Integrating Nikto with Nessus Video" »

 

Tenable Network Security Podcast - Episode 55

Welcome to the Tenable Network Security Podcast - Episode 55

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements


Continue reading "Tenable Network Security Podcast - Episode 55" »

 

Risky Business #173 Interview with Ron Gula - Process Accounting and El Jefe

I was interviewed for episode #173 of the Risky Business information security podcast.

The previous Risky Business episode, which discussed the recent release of the open source El Jefe project by Immunity Inc, focused on how process execution tracking for Windows can be a great source of security data - especially compared to raw network traces.

During my interview with Patrick Gray, we covered how many SIEMs already have this sort of capability, but most SIEM users don't enable these features because they are complex. I also covered how Tenable's Log Correlation Engine can collect logs from both Unix and Windows computers that reflect process execution traces and how they can be organized for attack detection, change detection, forensics, alerting, reporting and anomaly detection.

 

 

Deloitte Names Tenable as one of America’s Fastest Growing Companies - Again!

Tenable Network Security was ranked 251st on the Deloitte 2010 Technology Fast 500™ program (15th in Greater Washington DC area). This program ranks the fastest growing companies in technology, media, telecommunications, life sciences and clean technology in North America. Rankings are based on the percentage of fiscal year revenue growth during the past five years. Tenable’s revenue grew 363% during this period.

This is the second year in a row that Tenable Network Security has been named on this list!

 

Nessus Reaches Plugin 50000

I am often astonished as to just how many vulnerability checks are included with Nessus. There is something to be said for the scope of the nearly 40,000+ plugins (the numbering of the plugins started at 10001). On October 19, 2010, Nessus plugin number 50,000 was published into the feed. Let's go back and take a look at some of the first plugins:

The "official" first numbered Nessus plugin in the feed is ColdFusion Multiple Vulnerabilities (File Upload/Manipulation) - Plugin ID 10001. I found some interesting information about this vulnerability:

"Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters.

-weld"


Continue reading "Nessus Reaches Plugin 50000" »

 

Integrating Hydra with Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Integrating Hydra with Nessus":



Please visit the Tenable YouTube Channel, where you can view the above video in High Definition for better picture quality.

When installing Hydra on Ubuntu-based systems, here are a few tips to get all of the modules working properly:

Continue reading "Integrating Hydra with Nessus Video" »

 

Tenable Network Security Podcast - Episode 54

Welcome to the Tenable Network Security Podcast - Episode 54

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 54" »

 

Continuous SSL Certificate Monitoring - not just for HTTPS

Does your organization use “secure communication” channels, such as HTTPS? Has your IT staff placed trusted certificates on all of your critical and important web services? What about your SMTP, FTP, IMAP, LDAP, POP3, ACAP, NNTP and XMPP servers? Have any of your certificates expired? Have hackers compromised your servers and replaced your certificates with fake ones? Secure communication with SSL is a lot more complicated than simply going to sites that have an “https” in front of them. This blog entry discusses how active scanning with the Nessus vulnerability scanner and network monitoring with the Passive Vulnerability Scanner (PVS) can be leveraged for continuous monitoring of your SSL certificate infrastructure.

Continue reading "Continuous SSL Certificate Monitoring - not just for HTTPS" »

 

Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition

"One, two, attackers are coming for you…"

In yet another record-setting Patch Tuesday, Microsoft has provided fixes for 81 vulnerabilities covering just about every supported Microsoft product. No matter how you slice or dice it, patches will need to be distributed throughout your environment on a large scale. There are several articles available to help you prioritize the installation of these patches. The matrix of which patches are important and the mitigating factors is simply dizzying and confusing. The Microsoft Research & Defense blog put up a post that details some of the attack vectors for each vulnerability and information about the mitigations. The blog tries to paint a prettier picture, but in the end, it’s an all-out bloodbath of vulnerabilities, exploits and patches.

"Nine, ten, thanks to Microsoft, administrators will never sleep again." Okay, "never" is a bit strong. Certainly, administrators will lose some sleep due to not only Microsoft updates, but Oracle patches as well (81 vulnerabilities have been patched in the latest round by Oracle).

Continue reading "Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition" »

 

Tenable Network Security Podcast - Episode 53

Welcome to the Tenable Network Security Podcast - Episode 53

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Continue reading "Tenable Network Security Podcast - Episode 53" »

 

Using Nessus for OWASP and PCI Web Audits

Tenable has released a technical paper named "Demonstrating Compliance with Nessus Web Application Scans". It details how OWASP Top 10 and Payment Card Industry web audits can be performed with Nessus scanners. This is a technical paper, and specific attention is given to which Nessus plugins can be used to perform various OWASP types of testing. For example, below is an excerpt from the paper's chapter on OWASP A5 - Cross Site Request Forgery:

Continue reading "Using Nessus for OWASP and PCI Web Audits" »

 

Nessus and SecurityCenter APIs and Data Internals Published

Tenable has published API reference guides for the Nessus and SecurityCenter 4 XMLRPC interfaces. We've also added a "Products APIs and Data Internals" topic area on the Tenable Discussion Forums. This area allows Tenable product users to ask questions about the APIs and share code.

The Nessus API allows users to interact with the Nessus scanner in an automated fashion. For example, scans can be created and reports can be downloaded. The Nessus App for iPhone and the Flash interface in Nessus 4.2 both make use of the XMLRPC interface.

The SecurityCenter API allows enterprise users to receive vulnerability, patch, configuration, log, alert and event data, and much more. Sophisticated filters can be used to obtain vulnerability or log data for custom dashboards, reports and analytics. The API also allows for static asset lists to be uploaded for integration with a variety of asset inventory devices.

In addition to the XMLRPC interface APIs, the "Products APIs and Data Internals" topic area also serves as a focal point to discuss data internals of our products. For example, Nessus stylesheets can be used to customize reports. New stylesheets have been posted to this area with recommendations and feedback from Tenable engineers and customers. 

Both APIs are available to customers on the Tenable Support Portal. The Nessus XMLRPC API is also available to the public on the Nessus documentation page. 

 

 

Tenable Network Security Podcast - Episode 52

Welcome to the Tenable Network Security Podcast - Episode 52

Hosts: Paul Asadoorian, Product Evangelist

Announcements

Continue reading "Tenable Network Security Podcast - Episode 52" »

 

New Tenable eCommerce Site Supporting Nessus ProfessionalFeed Renewals

I'm excited to announce Tenable's new eCommerce site. This site supports:

The renewal link is available for ProfessionalFeeds within 90 days of expiration and up to a year afterwards.

Continue reading "New Tenable eCommerce Site Supporting Nessus ProfessionalFeed Renewals" »

 

New Nessus Feature: Public Exploit Availability

A new feature was introduced with the latest update to the Nessus web server (2.0.0) and Flash interface (build 20100913A) to provide "exploitability" information to the user. Each plugin now contains a field that indicates whether or not a publicly-known exploit for the vulnerability exists:

[Screenshot: ExploitAvailable.png]

The value will either be "True" if an exploit exists or "False" if an exploit is not publicly known. Nessus checks select sources for the presence of an exploit and updates this field accordingly. I purposely chose a "Medium" level vulnerability for this example, as exploits do not only have to be associated with “High” level alerts. In the above case, the vulnerability is a denial of service condition for NTP (Network Time Protocol), which just happens to have an exploit publicly available.

Continue reading "New Nessus Feature: Public Exploit Availability" »