11 posts from April 2011

 

Plugin Spotlights: New Nessus OS Identification Plugins

The Tenable research team recently published a few new plugins that contribute to how Nessus performs OS identification. When scanning devices and systems I am always amazed at how many different services will hint at, or even flat out reveal, the operating system and version.

OS Identification : HNAP

HNAP is the Home Network Administration Protocol developed by Cisco Systems. It is designed to allow remote support personnel to manage devices on users' networks using a SOAP-based protocol. An unfortunate side effect is that it leaks information across the network that can be accessed without authentication. A new plugin was developed to collect this information and use it to determine the remote operating system:

Continue reading "Plugin Spotlights: New Nessus OS Identification Plugins" »

 

Tenable Network Security Podcast - Episode 80

Welcome to the Tenable Network Security Podcast - Episode 80

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, Ron Gula, CEO/CTO

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 80" »

 

Tenable Network Security Podcast - Episode 79

Welcome to the Tenable Network Security Podcast - Episode 79

Announcements

Continue reading "Tenable Network Security Podcast - Episode 79" »

 

Tenable All-Star Security Showcase - New York City 2011

Please join Tenable's CEO/CTO Ron Gula, Tenable CRO and creator of Nessus Renaud Deraison, Tenable CSO Marcus Ranum, and Paul Asadoorian for a Security Showcase on May 17, from 8:30 am to 2:00 pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City.


Breakfast and lunch will be provided during this half-day FREE event.

Topics covered will include:

During lunch you will also be given a live demonstration of our enterprise solutions as they relate to the themes above.

Space is limited for this event. We hope you can make it as the showcase is a rare opportunity to receive firsthand insight from four leading experts. RSVP to dmcrae -at- tenable.com or call (410)-872-0555 x 224.

 

Microsoft Patch Tuesday Roundup - April 2011

It's very exciting (depending on your perspective) when there is a record-breaking Microsoft Patch Tuesday! April 2011 is the largest Patch Tuesday release in history, with 17 bulletins covering 64 different vulnerabilities across several products. While everyone is beating the "Microsoft Patch Tuesday Crisis Drum", attackers are continuing to have success breaking into major organizations using the "exploit du jour", some social engineering methods or a combination of both.

Rally to patch your systems!

What I would like to suggest is a weekly, or even daily, "patch rally". Patching needs to be an ongoing process of checking to see if patches are available, applying the patches, and then verifying that the patches have been applied and installed properly. I don't think we need to "take time to stop and patch"; we just need to patch as a normal, everyday, regular business operation. It's sad that we have to install more software to fix broken software, but it has become the way of the IT world. If your business cannot sustain being patched, then you've probably chosen the wrong software and configurations and your business will likely be negatively affected. The negative effects happen in two ways: 1) you install the patches and your system and/or software fails as a result of a bug in either the software or the software patch or 2) you don't apply the patch and attackers compromise the system and ruin the integrity of the system and the data contained therein. So, hence my cry to "rally to the patch"!

Continue reading "Microsoft Patch Tuesday Roundup - April 2011" »

 

Tenable Network Security Podcast - Episode 78

Welcome to the Tenable Network Security Podcast - Episode 78

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 78" »

 

New Nessus Scan Policy Templates Added in the Plugin Feed

We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugins feed. This is the first time we've used "push" functionality to send down scan policy templates.


The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

  • External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy. Also, all 65,535 ports are scanned on each target.

Continue reading "New Nessus Scan Policy Templates Added in the Plugin Feed" »

 

"LizaMoon" Detection Added to Nessus, PVS and LCE

Nessus plugin 29871 has been updated to look for the presence of malicious JavaScript on a remote web site.

(See Attack on ASP site that uses a SQL server database)

Below is an example of the plugin report:


Continue reading ""LizaMoon" Detection Added to Nessus, PVS and LCE" »

 

Tenable Network Security Podcast - Episode 77

Welcome to the Tenable Network Security Podcast - Episode 77

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, and Ron Gula, Tenable CEO/CTO

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 77" »

 

Preventing & Detecting Malware: A Multifaceted Approach

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses them to place redirects on the web site that take users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about the infection numbers is that "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Continue reading "Preventing & Detecting Malware: A Multifaceted Approach" »

 

Tenable Releases New SCADA Plugins

Supervisory Control And Data Acquisition, or SCADA, generally refers to the computers that control industrial and infrastructure systems. These include systems found in power plants, nuclear reactors, commercial buildings and more. The last few weeks have seen another serious blow to the perception of SCADA security.

On March 21st, Luigi Auriemma posted to the Full-Disclosure mailing list announcing his research and vulnerability findings in SCADA products from vendors such as Siemens, Iconics, 7-Technologies and DATAC. Auriemma’s post included links to 34 advisories ranging from overflows to denial of service. Due to the sensitive nature of SCADA systems and the resources they control, his research made the news. A day later, Ruben Santamarta (aka reversemode) announced the availability of vulnerability information for SCADA vendors including Advantech/BroadWin and CSE-Semaphore. The next day, US-CERT issued an advisory about a SQL injection vulnerability in Ecava IntegraXor, another SCADA system.

Continue reading "Tenable Releases New SCADA Plugins" »