Tenable Network Security Podcast Episode 115 - "Hacking sprinklers, vulnerability remediation, photo slurping"
- Paul Asadoorian, Product Evangelist
- Carlos Perez, Lead Vulnerability Researcher
- Ron Gula, CEO/CTO
- Tenable had a great presence at the recent RSA Security Conference. Several of us gave presentations, provided demos at the booth, and participated in panels. Check out the Tenable Blog for full coverage.
- Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The "Top Ten Things You Didn't Know About Nessus" videos have been posted from #10 through #2, so check them out!
- We're hiring! - Visit the Tenable website for more information about open positions.
- You can subscribe to the Tenable Network Security Podcast on iTunes!
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
New & Notable Plugins
Passive Vulnerability Scanner:
- IBM iSeries FTP service detection
- Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution
- Mozilla Thunderbird 10.x
- Wardriving for Zigbee - The first question many people ask when they see this title is, "What do you find when wardriving for Zigbee?" In one example, evidence points to either lighting or a lawn sprinkler system. Zigbee can also be found on buses, where it appears to be used for tracking purposes. Much of this research will fly under the radar: WiFi is such a big deal because it potentially leads back to the corporate network, whereas Zigbee mostly connects control systems of some kind, not limited to "industrial" ones. So if you want to re-create the Bellagio fountains show, this may be your ticket.
- Fixing Vulnerabilities On A Shoestring - A study found that only 29% of the time spent remediating vulnerabilities was spent actually fixing the vulnerability. A lot of the other time is spent setting up a development environment and testing to make sure the vulnerability is remediated. While this article is a bit light on other details, it does present a very common problem in our industry. People want an easy, point-and-click way to get rid of vulnerabilities, when in reality, it's a process. I believe this is one of the largest problems we face in our industry, and strongly believe organizations that have a solid vulnerability discovery AND remediation process are the ones staying out of the headlines when we talk about breaches.
- US e-voting system cracked in less than 48 hours - "We successfully changed every vote and revealed almost every secret ballot." I just can't help but think that online voting is a BAD idea. However, it sounds like the company providing the system did not even try to implement security: "Even the Linux kernel used in the project proved to have a well-known vulnerability. They were also able to use the PDFs generated by the system to trick the encryption mechanism, while unsecured surveillance cameras provided additional insights into the infrastructure."
- Nmap Iptables Shell Script - Really neat iptables rules that log and drop certain TCP flag combinations associated with Nmap scanning. If someone is using Nmap against one of your systems, it might be a nice thing to log and add into your SIEM for correlation.
- Most organizations take months -- or years -- to discover a breach - There are few findings in the Verizon report that really stand out as sending a solid message. One statistic is pretty clear: 60% of organizations discovered breaches months or years later. To me, this means detection mechanisms are not being used properly. This can stem from several different problems, and raises even more questions, such as: Why? Not enough staff? Not the right staff? Do you have the right tools? Are the tools not configured properly?
- How GitHub handled getting hacked - On the surface, it may sound like a lot of back-and-forth between a security researcher and a large project. However, it goes to show you: listen to the people disclosing vulnerabilities and do not dismiss them. I'm not saying they are right to exploit a vulnerability to make a point. I'm saying they may do that, and the only one that loses is the one who is vulnerable, and well, your customers too.
- Polycom Web Management Interface Command Injection - First off, these systems run Linux (PPC chipset). The beauty of a web interface command injection is that you don't need shellcode, so the operating system architecture and any stack overflow protections mean nothing; you still get a shell. This is also the classic case of the feature in the management interface that lets a user "ping" a system, which often leads to command injection. It's such a classic case, you wonder how it got there in the first place. Did they hire a developer with no experience to code the web management interface?
- iPhone photo-slurping loophole sparks app privacy fears - Paul's tip for the week: Don't take naked pictures of yourself with your phone and leave them there. Just sayin', other people could see them.
- Android a photo-slurper too: report - Again, the "no naked pictures of yourself" rule applies to Android too.
- Stolen NASA laptop had Space Station control codes - "48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA's Constellation and Orion programmes." That's a lot of laptops. Seems they need more than data encryption; how about some user education? We've all heard the reports that NASA has received less funding; maybe this is a side result?
- NASA lost 'full control' to hackers, pwned 13 times last year - And yet even more NASA hacking. Ouch. Though we do get some insight: "Paul Martin told a Congressional panel on information security at the space agency that NASA spent $58m of its $1.5bn annual IT budget on cyber security." Was that not enough, or is it more about how you spend your money?
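
For the "Nmap Iptables Shell Script" item above, this added example (not the script the episode links to) shows what the SIEM side of that correlation can look like: it parses kernel `LOG`-target lines and labels TCP flag sets that normal stacks never send. The signature table, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The LOG target prints set TCP flags as words between RES= and URGP=.
FLAG_RE = re.compile(r"RES=0x[0-9a-fA-F]{2} ((?:[A-Z]+ )*)URGP=")
SRC_RE = re.compile(r"\bSRC=(\S+)")

# Assumed signature set: flag combinations used by Nmap's -sN, -sF and -sX probes.
SCAN_SIGNATURES = {
    frozenset(): "null-scan",
    frozenset({"FIN"}): "fin-scan",
    frozenset({"FIN", "PSH", "URG"}): "xmas-scan",
}

def classify(line):
    """Return (src_ip, label) for a suspicious TCP log line, else None."""
    if "PROTO=TCP" not in line:
        return None
    flags_m, src_m = FLAG_RE.search(line), SRC_RE.search(line)
    if not flags_m or not src_m:
        return None
    flags = frozenset(flags_m.group(1).split())
    label = SCAN_SIGNATURES.get(flags)
    if label is None and {"SYN", "FIN"} <= flags:
        label = "syn-fin"  # contradictory: opens and closes in one segment
    return (src_m.group(1), label) if label else None

def summarize(lines):
    """Count suspicious probes per (source, label) for correlation."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample lines in the kernel LOG format (documentation addresses).
_HEAD = "IN=eth0 OUT= SRC={} DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 "
SAMPLE = [
    _HEAD.format("198.51.100.7") + "RES=0x00 URG PSH FIN URGP=0",
    _HEAD.format("198.51.100.7") + "RES=0x00 URGP=0",
    _HEAD.format("198.51.100.7") + "RES=0x00 URG PSH FIN URGP=0",
    _HEAD.format("203.0.113.5") + "RES=0x00 SYN URGP=0",  # ordinary connection attempt
    _HEAD.format("203.0.113.9") + "RES=0x00 SYN FIN URGP=0",
]

if __name__ == "__main__":
    for (src, label), count in summarize(SAMPLE).items():
        print(src, label, count)
```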
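
For the Polycom item above, the "ping" diagnostic pattern in its risky and hardened forms. This is an added illustration, not code from the Polycom firmware or the advisory; the function names are hypothetical and a Unix `ping` that accepts `-c` is assumed.

```python
import ipaddress
import re
import subprocess

# Hostname labels: letters, digits and inner hyphens only, so a value can
# never start with "-" (option injection) or carry shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def unsafe_ping_command(host):
    """The risky pattern: user input pasted into a string a shell will parse."""
    return "ping -c 1 " + host

def validate_target(host):
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(host, str) or not 0 < len(host) <= 253:
        raise ValueError("target has an invalid length")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("target is not an IP address or hostname")
    return host.lower()

def safe_ping_argv(host):
    """Build an argument vector; the target is always exactly one argument."""
    return ["ping", "-c", "1", validate_target(host)]

def ping(host, timeout=5):
    """Run ping with no shell involved; True when the target answered."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True,
                            timeout=timeout, check=False)
    return result.returncode == 0

if __name__ == "__main__":
    crafted = "192.0.2.10; echo injected"  # constructed test input
    print("shell would see:", unsafe_ping_command(crafted))
    try:
        safe_ping_argv(crafted)
    except ValueError as err:
        print("rejected:", err)
    print("accepted:", safe_ping_argv("192.0.2.10"))
```

Validation and the argument vector are separate layers: even if the allow-list were loosened, passing a list to `subprocess.run` without `shell=True` keeps the input from being parsed as shell syntax.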