The video below is part 4 in our series of the top ten things you didn't know about Nessus and covers Nessus licensing and usage:

Further Reading:

• Tenable Charitable Organization Subscription Program
• Tenable Information Security Training Organization Subscription Programs

The video below is part 5 in our series of the top ten things you didn't know about Nessus and covers how to schedule scans from within Nessus:

Further Reading:

• Nessus 4.4.0 Released! (This post quickly covers Nessus scan scheduling as it was introduced in version 4.4.0.)
• Security Metrics - How Often Should We Scan?

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. The special purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins were released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. 

Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilties in the application. A current list is shown below for reference:

• 10006   Symantec pcAnywhere Status Service Detection (UDP)
• 10794   Symantec pcAnywhere Detection (TCP)               
• 10798   Symantec pcAnywhere Service Unrestricted Access       
• 20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
• 32133   Symantec pcAnywhere Access Server Detection Service
• 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service
• 57795   Symantec pcAnywhere Installed (local check)
• 57796   Symantec pcAnywhere Multiple Vulnerabilitities (SYM12-002)

In addition, running a credentialed scan with Nessus plugin 20811 provides the ability to detect installed software on Windows computers, which can be useful to find instances of pcAnywhere that may be installed, but not actively running. Note that strings and versions vary from release to release. An example string as reported by a recent Nessus scan is “Symantec pcAnywhere [version 11.5.0]”.

Network traffic can also be monitored with the Passive Vulnerability Scanner to identify instances of pcAnywhere on the network. A current list of passive plugins to detect pcAnywhere is shown below. 

• 03306 Symantec pcAnywhere Detection
• 06087 Symantec pcAnywhere Detected

Finally, Tenable’s Log Correlation Engine, will normalize logs from the PVS for observed pcAnywhere sessions in real-time with an event name of “PVS-PCAnywhere_Detected”. These sessions are automatically detected and analyzed for anomalies and connections from known botnets.

External Nessus scans can be performed to determine if your network has any Internet facing instances of pcAnywhere. The Nessus PerimeterService is ideal for this type of scanning as it can scan an unlimited number of Internet-facing IP addresses very rapidly. Users of the Passive Vulnerability Scanner have automatic detection of any Internet-facing service, including pcAnywhere.

An in-depth Nessus Discussions Forum post details how SecurityCenter, Passive Vulnerabiltiy Scanner and Log Correlation Engine users can track pcAnywhere vulnerabilities and usage in realtime.  

The video below is part 6 in our series of the top ten things you didn't know about Nessus and covers information related to IPv6 scanning using Nessus:

Further Reading:

Nessus - IPv6 Scanning

Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:

Below are a few more examples of how Nessus can detect malware:

1. Nessus Network Checks

Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:

Welcome to the Tenable Network Security Podcast Episode 110

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• PVS 3.6.0 for Linux now Available - Added the "Strip VLAN tags" setting to ignore the VLAN header, Nessus V2 report output format support, Deprecated the "failure-threshold" configuration setting, Improved stability when parsing PASL scripts, New license format (Requires a new license)

New & Notable plugins

Welcome to the Tenable Network Security Podcast Episode 109

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• PVS plugin released to detect Google Chrome < 16.0.912.75 Multiple Vulnerabilities
• Nessus plugin 57558 detects unsupported MySQL and feeds right into this dashboard.

Welcome to the Tenable Network Security Podcast Episode 108

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• Nessus plugin 57461 was recently added to scan for Apple iOS Lockdown services
• PVS can now detect systems reaching out to .xxx domains, enhanced OS identification.

The first round of security bulletins from Microsoft this year raises some interesting questions about the vulnerabilities being patched. I found the following three advisories particularly interesting:

From MS12-002:

The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

MS12-002 is ranked by Microsoft as important. Sure, it does require that the user browse file systems, however users can be baited, or even forced, to browse to a network share. Social engineering attacks can lure victims to specific sites, and SMB share paths can be embedded inside web pages and URLS, forcing the user to browse to a share or even a specific file.

Welcome to the Tenable Network Security Podcast Episode 107

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!

• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released plugins to discover VMware Vsphere servers, check installed patches, and enumerate active and inactive virtual machines.
• PVS plugin 6125 will now passively discover the version information of Windows systems

Stories

Tenable has published a new video which covers the major features in the Nessus vulnerability scanner. You can view the video below:

This video shows you how-to get started using the Nessus vulnerability scanner, including:

• Where to download Nessus
• Introduction to policies, scans, and reports
• Performing an asset discovery scan
• Running a network-based vulnerability scan
• Configuring a patch auditing scan
• Performing a configuration audit
• Detecting sensitive data (SSN & credit cards)
• Running web application tests
• Reporting & filtering
• Risk analysis and compliance (PCI DSS)

The video runs almost 38 minutes, but covers several major features for those who may be new to using Nessus.

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS server 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows server 2003 SP2 patches. If you are not familiar with WSUS it is freely available to Microsoft customers as part of your Windows server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter. When performing scans with the WSUS patch management plugins enabled and configured please note the following:

• Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will login and perform credentialed scanning without querying the WSUS server data.

• WSUS is queried when credentials fail - If credentials are not valid for a target system, or credentials are not entered at all into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
• The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
• Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

"From Redmond with Love"

Recently, I had a chance to talk with Katie Moussouris, leader of the Security Community Outreach and Strategy team at Microsoft. The interview helped me realize that Microsoft has a lot to offer when it comes to not just fixing vulnerabilities in their own products, but other companies' software as well:

• Microsoft has a team of people on the MSVR (Microsoft Vulnerability Research) who look for vulnerabilities in third-party software and help the third-parties fix the issues.
• MSVR practices Coordinated Vulnerability Disclosure, a term coined by the team and encompasses a philosophy for vulnerability disclosure (and one that omits the word "responsible" due to its misconstrued meanings).
• Microsoft is showing others how to create more secure software through their SDL program (I hope Adobe is adopting this, and if they have, their implementation is falling short).
• Microsoft has attempted to tell us where they document security vulnerabilities found internally, but this article seems to talk about variants, which are an off-shoot of the publicly disclosed vulnerabilities, not new vulnerabilities discovered internally by Microsoft. However, I am told that Microsoft does in fact document internally discovered vulnerabilities, but it's not as widely publicized as the monthly bulletins.
• If you have the skills to come up with the next latest and greatest memory protection design, Microsoft could give you as much as $200,000 as part of the Blue Hat Prize contest.

One thing is for sure, I don't believe that Microsoft isn't trying to create more secure software. In fact, this month's MSRC post shows that critical vulnerabilities reported by outside parties continue to be on the decline. Some may argue that it's because people are not disclosing the vulnerabilities to Microsoft, and while that could be true, they deserve some of the credit for making efforts to improve software security.

Welcome to the Tenable Network Security Podcast Episode 106

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Ron Gula, Tenable's CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!

• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

Today, Tenable Network Security announced integration between Nessus and a variety of patch management systems that will simplify scanning in cases where credentialed scans are difficult or impossible. The integration allows Nessus and SecurityCenter users to establish direct links to patch management systems. This simplifies patch audits as the systems in your environment do not all have to contain credentials in order to be scanned. You simply need to give Nessus credentials to your patch management server. This integration enhances compliance programs and helps eliminate confusion about the patch status of systems between IT operations and network security teams.

With Nessus patch management integration, you can:

• Retrieve patch manifests and status information from Red Hat® Network Satellite Server, Microsoft® Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), and VMware® Go (formerly known as Shavlik).
• Quickly generate patch compliance reports in Nessus and SecurityCenter, based on the data returned from patch management systems. Presentation of records in the well-known Nessus format can speed auditors’ reviews, and simplify resolution of discrepancies between management systems.
• Retrieve accurate patch status information for systems that can’t be fully scanned by vulnerability assessment tools because of a lack of credentials. Credentials are only required for access to the patch management system.
• Retrieve patch status in environments where scanning is not available due to other constraints, such as limited networking.
• Help eliminate false positives caused by back ported patches in Red Hat Satellite environments.

This integration is available today in the case of Microsoft and VMware Go (Shavlik) systems, and is expected no later than Friday of this week for Red Hat. You’ll find the plugins in the ProfessionalFeed. Configuration documentation is available in the Patch Management Integration documentation. If working with patch management systems is a challenge for you, watch this space – I’ll be posting more details on how this integration works, and you can take advantage of it in your environment.

Welcome to the Tenable Network Security Podcast Episode 105

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager
• Ron Gula, Tenable's CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Patch Management Integration

Paul, Jack, Ron, and Carlos talk about Tenable's new integration with patch management platforms such as Microsoft's WSUS, SCCM, Vmware Go, and Red Hat Satellite server.

Download Tenable Podcast Episode 105

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose?

Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged – meaning they may or may not be running AV software, a firewall, or conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and the Internet directly on two separate mediums. For example, the device may associate to a wireless belonging to your organization and a 3G/4G connection to the Internet.

Welcome to the Tenable Network Security Podcast Episode 104

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager
• Ron Gula, Tenable's CEO/CTO and media expert!

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

Welcome to the Tenable Network Security Podcast Episode 103

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

One of the primary ways SecurityCenter allows you to visualize the overall security and compliance posture of your network is through the use of dashboards. The SecurityCenter section of Tenable’s Discussion Forums now provides index lists for all of the available Tenable-produced SecurityCenter dashboards grouped by category.

SecurityCenter dashboards are easily customizable to give snapshot information on scanning, vulnerabilities, and events. Tenable provides dozens of dashboard templates in the SecurityCenter Dashboards section of the Tenable Blog. Categories such as “PCI, CIS, & SANS CAG”, “Advanced Persistent Threats & Malicious Software”, and “Vulnerability Tracking, Trending, & Scoring” are split out so SecurityCenter customers can easily find sample dashboards related to each topic. In addition, each post includes a link to a Tenable-produced dashboard XML file that can be imported into SecurityCenter.

  Sample SecurityCenter Dashboard for Intrusion Detection Trend and Correlation

Anyone can create a Discussion Forums account by clicking on the “Register” link on the main page and filling in the requested information. Once you have an account, log into the Discussion Forums and perform a search for “SecurityCenter Dashboards” to find dashboards of interest, find additional information related to SecurityCenter dashboards, or to start your own discussion with other SecurityCenter customers.

Why is "Cloud Storage" So Appealing?

Services such as DropBox use the cloud to enable users to share files with others and transfer work from office to home and back. The challenge is two-fold:

1. Determine how this and other cloud-based technologies align with the organization’s security policies and compliance mandates.
2. Monitor use of these solutions to ensure compliance and limit exposure while preserving benefit.

Users often turn from sanctioned file sharing methods when they reach the limits of email and internal file sharing capacity, performance, and functionality. Email was not intended to share large files, and very often restrictions are implemented on the size of an individual email and how large your inbox can grow. Users can put files on an internal file sharing service, but that limits access to local users and VPN connected users. Employees who travel or third-parties may not have access to the internal network to retrieve the files. Many IT departments do not offer an easy way to share files through more traditional methods such as public FTP servers because of security concerns.

Dropbox overcomes many of these issues and has become quite popular, as evidenced by a recent influx of $250 million additional dollars in funding. The price is right too, as you can get 2GB of storage for free and manage access to your files.

The problem is, DropBox security and usage often violate corporate policy and security best practice. Corporate policy must protect sensitive information, such as customer data and intellectual property. If this information is being transmitted insecurely to a service such as Dropbox your policies and network defenses should detect this behavior and monitor for violations and information leakage.

For example, Dropbox relies on SSL for encryption. Several attacks released this year have been reported that can circumvent SSL security, and SSL certificate authorities have been compromised, breaking down the trust that SSL relies upon for security and integrity. Client software can become the weakest link as well, even if SSL is implemented properly. The Dropbox client software has contained vulnerabilities that, when exploited, could lead to your data in the wrong hands.

To solve this problem we need to implement encryption at the file level to protect sensitive data. I have to admit, I am a Dropbox user. However, I use it with caution and implement my own security policy. Any sensitive data is sent to DropBox using file encryption (PGP in this case). Any non-sensitive information is not encrypted and I am careful to distinguish between the two.

The most interesting, and concerning, vulnerability patched this month is the remote TCP/IP code execution flaw fixed with MS11-083. The flaw can be triggered by sending a large number of UDP packets to a non-listening port on a remote host. There are several ways in which this could happen very easily, such as a poorly configured firewall, or an open port on a firewall that is allowing traffic the host is no longer listening on. The Microsoft Security and Defense team put together an article to gauge exploitability, and gave it a "2". I'm not sure that helps a whole lot, but if there is one thing that is certain, attackers will be looking to create an exploit for this flaw ASAP.

To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

• MS11-083 - Nessus Plugin ID 56736 (Credentialed Check)
• MS11-084 - Nessus Plugin ID 56737 (Credentialed Check)
• MS11-085 - Nessus Plugin ID 56738 (Credentialed Check)
• MS11-085 - Nessus Plugin ID 56739 (Credentialed Check)

Resources

• Microsoft Security Bulletin Summary for November 2011
• OSVDB Microsoft Bulletins - Complete Reference
• Microsoft hosts BlueHatv11, releases four bulletins

Welcome to the Tenable Network Security Podcast Episode 102

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Wi-Fi security do's and don'ts - I agree with most of the recommendations here. WEP is bad, WPA-PSK is not a good solution for businesses, and MAC address filtering is useless. However, WIPS is a bit overstated, and certainly Snort doesn't help you much. The fact is, if you run an open wireless network, it allows for several attacks at layer 2. I do recommend practical network security with respects to WiFi, and designing the network to be robust and manageable will certainly help. However, many think that implementing 802.11i and VPNs is all you need to do. I disagree; treat your WiFi network as hostile, assume clients are compromise and MiTM attacks are occurring, then secure it as such.
• CIA monitors up to 5 million tweets daily, report says - "A CIA team known internally as the "vengeful librarians" that numbers in the hundreds gathers information in multiple languages to build a real-time picture of the mood in various regions of the world." - I love the title. The technology used to monitor 5 million Tweets is interesting. I wish Twitter would monitor and do something about the evil things and spam that happens on Twitter.
• BOP Worried, Electronic Jail Cell Doors Vulnerable To Remote Hack - It's good to see this issue get attention. The details are light, but there was a Defcon presentation by the researchers and I've interviewed them on a podcast. The technology used by prisons to secure the doors appears to be susceptible to attacks.
• 'Nitro' hackers use stock malware to steal chemical, defense secrets - Computerworld - Attackers reportedly used Poison Ivy to compromise systems and steal intellectual property. I am familiar with this malware, and curious as to how it was able to evade even the most rudimentary defenses. Sure, you could configure it to be stealthy, but Poison Ivy tends to be somewhat loud on the systems and the network. We need to have a much better way to detect malware, especially on higher value targets.
• SecTools.Org Top Network Security Tools - Nessus takes the #3 spot, with Wireshark taking #1. This list was created and voted on by Nmap users.
• Homemade Hardware Keylogger/PHUKD Hybrid - Really neat post on how to create your own hardware key logger.
• Show Me Your DNS Logs, I’ll Learn about You! « /dev/random - Fun write-up of the analysis of the DNS logs from the 3rd annual BruCon conference. It was interesting to see that some people do not trust the DNS server provided by the ISP or conference service. You can also determine operating system type based on DNS requests to NTP servers, showing that many attendees were running Ubuntu Linux distributions. Requests to the WPAD domain leaked information about companies that owned the devices, Wordpress was the blog platform of choice, and Gmail remains king for email. There were many requests that were clearly typos, showing that "typo-squatting" could prove useful for attackers.
• Adidas Websites Hit With ‘Sophisticated’ Hack - A so-called "sophisticated" attack that didn't gain access to customer information. What did they gain access to, company secrets?
• Microsoft releases Security Advisory 2639658 - The kernel bug that "Duqu" used has been fixed.

Download Tenable Podcast Episode 102

Welcome to the Tenable Network Security Podcast Episode 101

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Chasing APT: Persistence Pays Off - One of my greatest concerns that this article reminded me of is the risk to small business. And by small I mean the number of employees, not how much money they manage. You could likely construct a lucrative business attacking small firms that manage a LOT of money, but are small and have no dedicated IT team, let alone a dedicated security person.
• Exposing the Market for Stolen Credit Cards Data - Maybe its just me but given that this article states "Liberty Reserve is the payment option of choice for the majority of the portals" can't you just follow the money and/or go after the organizations that are allowing the transactions? I'm sure its far more complicated than that, but just a thought. I'm sure that when targeting drug cartels and organized crime similar avenues are explored.
• EFF on HTTPS - Great quote from this article: "In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right." So true! There has to be a better way to get this SSL thing fixed. One suggestion from folks at the EFF was to have users rank SSL certificate authorities to build public trust into SSL.
• US observation satellites hacked - I love this: "The article states that the nature of the attack appears to point to the Chinese military, though it stops short of making a direct accusation." Everyone is always quick to blame the Chinese, likely because people are saying "Well, if anyone would want to hack into a satellite it would be them". I'm saying who wouldn't want to hack into a satellite, thats so cool!
• Cisco WebEx Player Buffer Overflows Let Remote Users Execute Arbitrary Code - Webex is popular software, and if you were to hold a webinar and tell people they get something for free, you could probably compromise a lot of systems with this vulnerability.
• 6 Deadly Enterprise Security Mistakes - I have to say, usually when I see articles like this, I take the opportunity to rip them to shreds. I will not do that with this article because I agree with it 110%. Nicely done.
• Hackers could have TAKEN OVER Amazon Web Services - Imagine if you could take over the cloud, would that make you God for a day?
• The 8 Craziest YouTube Account Hacks - This is just fun and covers "Beiber Fever" and "Hanna Montana faking her death". Just doesn't get any better than this!
• Why You Still Can’t Teach a Machine to Hack - I wanted to again explore the debate over automation versus manual testing.
• US Government Regulations on Piracy

Download Tenable Podcast Episode 101