Welcome to the Tenable Network Security Podcast - Episode 60

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• A new blog posts has been published this week:
  • Scanning For Default & Common Credentials Using Nessus
• Don't forget to sign up for Advanced SIEM Webinar Series - November through December


• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.


• We're hiring! - Visit the web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• SSL: the sites which don't want to protect their users - With it being "Cyber Monday", I thought this post was timely.
• Whacking Moles - It's neat that defenders still like to play the process "whacking" game, even though you can execute everything in memory using an already existing process. It does make for fun command line kung fu though, which I still think is handy if you are a systems administrator.
• Windows "0-Day" Flaw Bypasses UAC - There are many users who believe either one of two things about UAC: 1) "Wow, this really helps me be secure!" or 2) "Wow, this is annoying, turning it off now". In either case, the user is in a bad situation. Believing that something can keep you secure often leads to a quick downfall.
• You're Only As Secure As Your DNS Servers - As Secunia found out, you should have some pretty tight security around your DNS server, especially if you run a service where users can scan their PCs for outdated software. Wow, wouldn't that be a neat database for an attacker to get their hands on!
• Apple iOS Networking Packet Filter Rule Invalid Pointer Access Local Privilege Escalation - Remote attacks against iPhones would be bad as they are easy to identify on the network. You could even target just AT&T address space.
• ZeuS variant only infects super-fast PCs - Malware authors are looking to evade detection and analysis, rather than just harness computing power. Even a bunch of slow PCs can do a lot of "evil bidding".

Download Tenable Podcast Episode 60

Default vs. Easily Guessable Credentials

There are several Nessus plugins that test various common username and password combinations. I tend to put these into three different categories:

1. Default Credentials - Known usernames and/or passwords associated with a specific device or application. (E.g. Linksys WRT54G username "admin" password "admin")
2. Common Credentials - Commonly used username and/or passwords that are valid regardless of the application or device type (e.g. username "root" / password "toor")
3. Brute Force Guessing - User supplied list of accounts and passwords fed to Nessus via Hydra

There are 70 plugins beginning with "account_*" that try to login via telnet and/or SSH. These plugins test for generic common credentials or credentials that are known to be associated with a particular device or application.

Targeting Credentials

If you want to specifically target credentials you can use the Nessus GUI to create a custom policy to perform a very specific scan. This is a great policy to schedule on a weekly or daily basis as it is low impact (essentially just uses the login functionality of the targets) and will find critical vulnerabilities.

Welcome to the Tenable Network Security Podcast - Episode 59

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Special Guest: Carlos Perez, Lead Vulnerability Research Engineer

Announcements

• Don't forget to sign up for Advanced SIEM Webinar Series - November through December
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Welcome to the Tenable Network Security Podcast - Episode 58

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Advanced SIEM Webinar Series - November through December
  • Nessus 4.4 Introduction Webinar - November 17th 1:00PM EST
  • Nessus 4.4.0 Released!
  • Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition
  • Advanced Web Application Scanning Using Nessus Video

• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.


• We're hiring! - Visit the web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

During the months of November and December, Tenable CEO Ron Gula will be running four webinars focused on advanced analysis of network traffic, system logs and user tracking. Please visit the registration page for each of these to sign up. 

Passive Realtime Web Server Monitoring
November 22, 2010 1:00 PM EST
https://www1.gotomeeting.com/register/649650513 

Continuous User Activity Monitoring
December 1, 2010 1:00 PM EST
https://www1.gotomeeting.com/register/651487424

Tracking Application Execution for Compliance and Security 
December 13, 2010 1:00 PM EST
https://www1.gotomeeting.com/register/280241224

Monitoring Users and Botnets with DNS
December 15, 2010 1:00 PM EST
https://www1.gotomeeting.com/register/435011097

These webinars will demonstrate many different approaches to monitoring networks and users by gathering system logs and network activity. Tenable's Unified Security Monitoring set of solutions will be used to highlight technologies such as: 

• passive logging of DNS queries
• associating log data to user IDs
• analyzing Unix and Windows process execution logs
• tracking insider file sharing over SMB, HTTP and FTP
• tracking malicious code from download, to infection to spreading  
• passive discovery of Internet activity and social networking usage
• turning process execution and DNS query logs into actionable events

If you would like to learn more about Tenable's set of logging, passive monitoring and user tracking products, please feel free to visit our web site, watch our demonstration videos or contact our sales staff. 

Version 4.4 of the Nessus Vulnerability Scanner features: 

• Scan scheduling
• Improved reporting
• Reduced memory usage
• Plugin reloading and configuration changes during scans 

Please join Tenable Network Security CEO Ron Gula to learn about these new features and to participate in a live question and answer session.

Title: Nessus 4.4 Introduction Webinar
Date: November 17th, 1:00 PM EST
Register: https://www1.gotomeeting.com/register/477600664

Tenable is excited to announce a new release of the Nessus vulnerability scanner! This is a major release (moving from 4.2.2 to 4.4.0) and includes several new features and enhancements, including the addition of scan scheduling and enhanced reporting. The GUI and web server have both been updated and will be released through the plugin feed. The enhancements included in the plugin feed will be backward compatible with Nessus 4.2, and some of the new features will be available in Nessus 4.2 via the plugin feed update. However all users are strongly encouraged to upgrade to the latest version to take advantage of all the new features.

The list below outlines the changes included in the 4.4.0 release, including sample reports, scheduling examples and more:

User interface

• A brand new reporting engine produces improved reports. Two new HTML reports have been added: a detailed plugin report (results displayed by plugin / vulnerability) and an "Executive Summary" report that summarizes the top 10 most vulnerable hosts on the network.

Click for larger image
An example of the "Executive Summary" report

Balancing Risk

Security continues to be a balance between providing users with features and mitigating risk. . Client-side vulnerabilities seem to be the hole that many of us are stuck spinning our wheels in.

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Advanced Web Application Scanning Using Nessus":

Tenable CEO Ron Gula will be presenting about real-time compliance monitoring and industry trends at the November 16th ISSA DC chapter meeting. Please RSVP if you plan on attending. Mr. Gula will discuss the current state of  PCI, FDCC and Cyberscope compliance regulations and also speak about how the industry is moving quickly towards continuous monitoring.  

Welcome to the Tenable Network Security Podcast - Episode 57

Hosts: Paul Asadoorian, Product Evangelist

Announcements

Interview with Dennis Brown

"Dennis Brown is a research engineer for Tenable Network Security. He specializes in malware analysis with a penchant for botnet research. Dennis has spoken previously at Defcon 18, Toorcon 10 and 11 and on the PaulDotCom security podcast. He also organizes the DC401 hacker group in Rhode Island and the QuahogCon security conference."

Dennis recently gave a presentation titled "Resilient Botnet Command and Control with Tor" at HiTB Malaysia and Toorcon 13. Dennis and I discussed the following topics:

• I was working for a University when Tor first became popular. This presented many challenges; students were using it to evade detection by the RIAA/MPAA, attackers were using it to launch attacks against us, and I even encountered a few Tor exit nodes in my time. How has the Tor network evolved over time?
• Which botnets have been observed in the wild using Tor?
• What is a private Tor network? How do you build a private Tor network? Is it easy?
• How does using Tor affect speed? Does this impact the botnet, and how so?
• What is an HTTP hidden service? Tor3web proxy? How does this all work to mask the botnet's command and control channel?
• I always thought that encryption would be the end of the good guys' fight against malware, but has that largely turned out not to be true or has it?
• It seems that masking the command and control channel produces the highest rate of success for a botnet. How does Tor help the bad guys accomplish this?
• How can we detect botnets using Tor?

Direct Download Link - Episode 57

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Basic Web Application Scanning Using Nessus":

Welcome to the Tenable Network Security Podcast - Episode 56

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Plugin Spotlight: D-Link DCC Protocol Security Bypass
  • Integrating Nikto with Nessus Video
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!