Tenable Network Security Podcast - Episode 34

Welcome to the Tenable Network Security Podcast - Episode 34

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup – May 2010 – Language Barrier Edition
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
  
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.


• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• CVE Details - A nice view of the CVE data, with pretty graphs!
• What's Hiding In Your Copier?It seems that there are many reasons why people are not jumping to fix security problems on embedded systems. First, they buy them, plug them in, and they work. Audits and regulations often do not apply to embedded systems such as printers/copiers/fax machines/scanners, which are often excluded from vulnerability scans to avoid problems. The best reason for this problem persisting throughout time is that many times people don't even know they are connected to the network.
• Host Enumeration Via DHCP - This is a neat little Python script that sends out a DHCP discover and waits for responses. DHCP servers are more than happy to tell you information about the network, such as IP address information, DNS server IP addresses and more. This script can also be used to sniff out rogue DHCP servers.
• Testing Your Anti-Virus Program - Someone recently posted a question on a mailing list stating that they wanted to run "Netcat" on a host and bypass the installed anti-virus software, preventing it from identifying "nc.exe" as malware. If you run anti-virus software in your environment I think its a good idea to test it. I recommend the following three methods to test your anti-virus software:
  • UPX - A packer used more for compression than bypassing anti-virus, but still works in some cases.
  • PE-Scrambler - Used in the "Defcon Race-To-Zero" competition where players were tasked with bypassing anti-virus software.
  • Metasploit Msfencode - Metasploit has many encoders that can be used to alter a binary program in an effort to evade detection.

  Using these methods above, you can test not only if your anti-virus software is working properly but how difficult it would be to bypass. Also, you can test between releases and updates to be certain the behavior has not changed. Finally, these tools will help you test how your defense's react when something does slip past anti-virus software. If the answer is "nothing", then you've got some work to do in order to build more defenses.



• New Attack Bypasses Anti-Virus Software - This method uses the old "bait and switch" technique to bypass anti-virus software. It feeds a good binary to the A/V system, then when execution happens, swaps it out for the evil binary. Pretty neat stuff!


• Car hackers can kill brakes, engine, and more - This story really scares me! I recently bought a new car. It's not brand new (2007) but has the totally keyless entry and ignition system. The best I can tell is that it uses RFID to sense when my key fob gets in proximity of the door, then the door opens. The ignition works the same way; if the key fob is in range I can push the button to start the car. It has become clear to me that cars are implementing a lot of technology, which means people are going to hack it. The security falls out of scope for most businesses, but what happens when attackers are hacking into cars and listening in on all conversations that happened in the car? Many of us conduct conference calls and talk about business and sensitive information. Of course, until an attacker can figure out how to make money off of hacking cars, I don't think we will see widespread adoption. When the time comes when taxi cab drivers are replaced by computers, someone will figure out how to hack it to get a free ride (and yes, I watch way too much science fiction).


• Software Security Is The Problem - It may sound strange, but centralized control and management may just be what the doctor ordered to solve some of our software security problems. I went through this when I worked for a university. Most universities are very decentralized, and to a certain extent so are most corporations. This can be a double-edged sword. On the one hand, centralized management provides uniformity and control, and therefore vulnerabilities and exposures can be mitigated on a grand scale. However, having central control is more difficult because policies must satisfy the masses, not just one particular group. For example, maybe the finance department can handle a password change per week, but the general community would incur too much support and can only handle a 180-day password change. Now we're in management hell, things get complicated, and once we've complicated things, compromises usually follow. In the case of software security, I say we should create that central office. Let it create, support, and govern software for the government, and maybe, just maybe, we'll improve slightly.