Tenable Network Security Podcast - Episode 89

Hosts:

• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

• Facebook blocks a second contact export tool - Information, in the right context, can be quite powerful and expose your privacy. Facebook recently blocked Google+ from exporting your list of Facebook friends' names (not email addresses). When you put this in the context of attacks, knowing the names of someone's friends on Facebook could be quite valuable for social engineering.

• Space Shuttle: good riddance - I won't pretend to know the details of the space program, but Robert Graham does a nice job of relating it to information security. The problem is preservation and complexity. In the Space Program model, they implemented the preservation and re-use model, trying to re-use as many parts as possible. However, this makes things much more complex. We tend to do the same thing with security and information technology. I hope that we are seeing a shift from permanent client desktop computers and servers, to "throwaway" workstations and virtualization. The simpler you make the environment, the easier it is to implement security. For example, if client desktops can be re-imaged quickly, that's a huge advantage.
• Microsoft to fix critical vulnerability in Windows 7 and Vista - More critical vulnerabilities to patch, including a remotely exploitable hole that affects Windows Vista and 7.
• Jailbreakme Takes Advantage of 0-day PDF Vuln in Apple iOS Devices - The security of your phone is increasingly more important. I was talking to some folks yesterday and they were talking about how your phone will be the only thing you carry. It will replace your wallet, serve as your connection to the Internet for email/web, and allow you to communicate (if it's with anyone under the age of 30 it will be text messaging). The security of this platform is important, and even more so allowing the users operate them securely, which right now is difficult.
• Abusing Password Resets - Simple things, such as building in account lockouts and generic login failure messages, go a long way to protecting your web application. Of course, you should also be able to easily detect and respond to brute force attempts as they are pretty "noisy".
• Cisco VPN Client Unsafe Permissions Lets Local Users Gain Elevated Privileges - Making it difficult for attackers to escalate privileges on your systems is important to your defensive strategy. I have run into systems that are secured in this way, and it can go a long way to protecting your information. It forces the attacker to leave a larger fingerprint when multiple attempts fail. However, it's not an easy thing to accomplish as it only takes one client software program to have a bug in order to circumvent your security.