Tenable Network Security Podcast - Episode 62

Welcome to the Tenable Network Security Podcast - Episode 62

Hosts: Paul Asadoorian, Product Evangelist

Announcements

• Several new blog posts have been published this week, including:
  • Using Nessus For Host Discovery
  • If an exploit falls in the forest, does anyone hear it being patched?
• Don't forget to sign up for Advanced SIEM Webinar Series - November through December


• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new Nessus Perimeter scanning service.


• We're hiring! - Visit the web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• SQLi Cheat Sheet - It amazes me just how many different ways of doing the same thing are built into our technologies. This exists in almost every programming language; there have always been multiple ways to write different code that accomplishes the same goals. Unfortunately, attackers use this to their advantage to evade filters. This one just happens to be for SQLi, and if you are a penetration tester this is a handy reference. However, if an attacker is trying to exploit this against live systems, you should be able to detect these attempts. Also, if an attacker can run these tests offline in an environment mirroring what the target has in production, you can be very successful. To combat this threat I want to stress really securing your environment, which means plugging all those information leaks that seem to be all too common in web applications.
• j0llydmper - Attackers will use any means necessary to collect sensitive information. This includes the program j0llydmper, which runs as a Windows service and dumps selected files from USB drives to a select location on the disk for easy recovery. I believe it's going to be tough to identify malware in the coming years, as it will likely try to do things that are normal, like copying files and not doing things like writing registry entries, etc.
• BeEF - Browser Exploitation Framework Updated - BeEF is becoming one of the more dangerous penetration testing tools out there. It's nice to see it gain momentum and get updated, as it can really put context around web application attacks such as XSS. For me, it seems logical, as it quite easily evades firewalls, antivirus, patching, IDS and several other technologies. When I speak to people about defense, still to this day, many do not completely understand the attack vector, let alone tune their networks to detect and prevent browser-based attacks. Josh Wright has one of the most enlightening quotes that was posted on the PaulDotCom Mailing list: "I owned the network with a HSRP MITM attack, followed by Ettercap+etterfilter injection to serve up malicious PDFs in 1x1 iframes". This is a great example of how attackers are able to be successful, and as far as defense goes, it's not an easy answer.
• Abusing Open Web Proxies - It's weeks like this that just make me want to cry when I think about defense. The scary part is, open web proxies have been around since the beginning of time (er, "The Internet" anyhow). Attackers are using anonymous, stealthy proxies to do things like brute force login and password combinations for popular web sites. One could also use these proxies to attack web sites anonymously, giving protection mechanisms such as IDS, IPS and WAFs a run for their money. I think it boils down to: you have to have a web site that is hardened to the max to survive in today's Internet.
• Military Bans Removable Media To Curb Leaks - While this may seem logical, it's difficult to enforce. You can hide a USB thumb drive just about anywhere (pause for laughter). If you can control the computers, you can physically disable the USB ports, which forces someone to bring in their own computer to steal information.
• Gawker web site CMS and database compromised - 1.3 million users' account information has been stolen and published via Bittorrent. How did this happen? Your guess is as good as mine, and it looks like someone is in need of some application security.