
Tenable Blog


Tenable Network Security Podcast - Episode 30

Welcome to the Tenable Network Security Podcast - Episode 30

Announcements

Stories



  • Don't Change Your Password - I have mixed feelings about this article. The security professional in me, with experience in implementing security in the trenches at several different corporations and universities, wants to shred it until it cries "uncle". Changing your password on a regular basis does have some benefit, doesn't it? I remember being on a penetration test and compromising an older server that contained a whole bunch of Windows password hashes (stored in LANMAN format, nonetheless). They were easy to crack because they were stored in an older format, but the problem was that they were old passwords. Fortunately, they had no password reset policy. And fortunately for me, one of the passwords I cracked belonged to a user in the domain admin group within the domain. So, as crazy as it sounds, changing passwords does help. On the flip side, the argument is that changing passwords is too hard for users and takes too much time. In most cases I agree with this statement. I believe that IT departments need to make it easy for end-users to implement this security measure, which really only protects you from a dedicated attacker. Making users spend too much time implementing a defensive measure that has little impact doesn't make much business sense.

  • Escaping From the PDF - This is a really neat technique developed by Didier Stevens that uses the "/Launch" feature in a PDF to execute a command. Recently Didier figured out that Foxit released a patch, but that the Adobe exploit now worked in Foxit! Crazy stuff happening here and I'm wondering just what legitimate purpose the "/Launch" feature has in a PDF document! Why does a user need to launch an executable when reading a PDF document (or any document for that matter)?

  • Sun Solaris now on a Quarterly Patch Cycle - Is it enough? We see major companies (Microsoft, Cisco, Oracle, Adobe and others) whose software and hardware make up a large percentage of the install base across the globe, and patches are released monthly at best, sometimes quarterly, and bi-yearly if you are Cisco. If you're an evil bad guy, patch cycles that are driven by the vendor provide a nice window of exploitation. If you can find and exploit vulnerabilities before the vendor issues the patch, you're golden... that is, if you can get in and stay in without getting caught. Shortening this window of exploitation would prevent a lot of attacks. Of course we still have to get the organizations to apply the patches, but that's a whole different story.

  • Too Much Money Spent on Compliance - Frequency of an incident versus the level of damage are two factors that seem to never be taken into consideration properly. It's a tough call; the incidents that are least likely to occur can cause the most damage and have the most financial impact. The more frequently successful attacks are typically of low impact. For example, lots of malware is installed on computers that become part of a botnet and the malware doesn't even look at the data on the system. However, an attacker targeting your organization can do serious damage and maybe even collect sensitive information, take your network hostage, and leak trade secrets. This occurs less frequently than automated malware, but is far more damaging. Compliance seems to be a good guideline to help prevent automated malware, but does not go deep enough to protect against more serious threats.

  • Cisco WLAN Flaws & The Bigger Picture - Proprietary and usually embedded systems are often weak links when it comes to security. Cisco's implementation is no exception. Researchers have found that they are still using LEAP in some capacity and the management interfaces contain SNMP and web application flaws. An attacker could exploit these vulnerabilities to obtain encryption keys. I believe that wireless attacks are most beneficial to attackers, as they allow for an easier MiTM attack to take place because you can access all wireless clients in one fell swoop. Also, many devices, especially in the medical field, only use wireless, where these types of attacks are especially useful. Everyone spends time securing desktops and servers, but then ignores the embedded systems (which is a good example of this failure). What will happen when computing as a whole moves to using more embedded systems over the desktop? The researchers also state that the vulnerabilities were not as easy to find as using a standard Nessus scan. Remind me some time to tell you the story of a vulnerability I found on a wireless controller by doing an operating system fingerprint using Nmap.
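
For the "Escaping From the PDF" story above, a defender can triage incoming PDFs by looking for the "/Launch" action name before a reader ever opens the file. The following is an added example, not code from the show notes or from Didier Stevens; the function names and the sample byte strings are constructed for illustration, and it only inspects uncompressed object data.

```python
import re

# Names worth flagging during triage; /Launch is the action discussed above.
SUSPICIOUS = ("/Launch", "/OpenAction", "/AA", "/JavaScript")

# A PDF name starts with "/" and ends at whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
# Inside a name, "#xx" is a hex-escaped byte, so /L#61unch is the same name as /Launch.
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so escaped spellings compare equal to the plain name."""
    decoded = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_names(pdf_bytes: bytes) -> dict:
    """Count occurrences of each suspicious name in the raw bytes of a PDF."""
    counts = {name: 0 for name in SUSPICIOUS}
    for match in NAME_RE.finditer(pdf_bytes):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def has_launch_action(pdf_bytes: bytes) -> bool:
    """True if any /Launch name is present (heuristic: may also hit text in strings)."""
    return count_names(pdf_bytes)["/Launch"] > 0


# Constructed fragments (not valid, openable PDFs) used to exercise the scanner.
SAMPLE_PLAIN = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Action /S /Launch /F (placeholder) >> endobj\n")
SAMPLE_ESCAPED = b"2 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj\n"
SAMPLE_CLEAN = b"1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n"

if __name__ == "__main__":
    for label, data in (("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("clean", SAMPLE_CLEAN)):
        print(label, has_launch_action(data), count_names(data))
```

Objects stored inside compressed streams are not visible to a byte scan like this, so a clean result means "nothing found in the plain objects", not "safe".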
