Tenable Network Security Podcast - Episode 39

Announcements

• Several new blog posts have been published this week, including:
  • Penetration Testing Summit 2010
  • Nessus Cisco Compliance Checks
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 9 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Using DNS to Find High Value Targets - It never ceases to amaze me how much depth there can be in a protocol such as DNS. It sounds simple, right? Take an IP address and associate it with a name and vice versa. However, ever since my first lessons on network security I've looked upon it as a gateway of information, something to control and manipulate, and found all sorts of ways to make it evil. For instance, if you can find a large hosting provider in the cloud and associate it with a single industry or large conglomerate of corporations, by using DNS you can deduce that most of their systems reside on the same hosting server IP or IP addresses. By taking control of the underlying architecture, you can compromise several systems at once, giving you "more bang for your buck".
• Bypassing Restrictive Proxies Part 1, Encoded Executables and DNS Tunneling - Pretty neat way to "shovel a shell". First, you can create a VB script that can be downloaded and executed by the client. Then you can use some readily available tools to tunnel a connection to that malicious script over DNS. If you can't detect this in your network it should be a goal for you because you can be certain that attackers are using these very same techniques.
• The Untold Story of the World's Biggest Diamond Heist - 10 layers of security bypassed, inside jobs, insurance fraud, hairspray to bypass motion sensors, random garbage... this story has it all! It's a very lengthy and detailed article but shows two things: you are never as secure as you think you are, and most people get caught. It's the ones that don't get detected or caught that worry me.
• UnrealIRCd Trojaned Distribution - I've called this a nice way to build a Linux botnet. If you can compromise software that is included in all of the popular Linux distributions, then you can compromise any server installing that software. The more popular the software project you compromise, the bigger your botnet. Defensively, SHA-1 baby! This is scary, From the original advisory: "It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now."
• More Distributed SSH Attacks - So many systems on the Internet have weak passwords that attackers still spend time looking for them, and why not? A weak password on an already encrypted service, such as SSH, is a great way to gain control of a system. No exploits, no software vulnerabilities, memory protections, or return pointers. Just a good ol' fashioned default or weak password. We need to secure SSH; it's not that hard to tell SSH how to not use passwords in favor of keys, change the port, and change weak passwords. In fact, we'll learn how to do configuration auditing for that in the advanced Nessus course!
• Getting Into The Vault - Windows 7 comes with a password vault to keep your passwords "safe". However, if you've compromised a system, you have the same access to the vault as the user. This means you can log in to the same resources as the currently logged in user!