Tenable Network Security Podcast - Episode 95

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #10".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Ron Gula on using SecurityCenter's report iterator to create "cooler" detailed reports based on correlated events from the LCE (Log Correlation Engine)

Stories

• OpenSSH 5.9 arrives - New features include a new SHA256-based HMAC (Hash-based Message Authentication Code) transport integrity mode (which will end up being the default) and sandboxing of child processes to prevent communications with other hosts (currently experimental). Its nice to see the OpenSSH project continuing to take security seriously and building in new features.


• Control 14: Wireless Device Control - Over time I've noticed a decreased awareness of wireless security concerns. If you run a network you should be concerned about actively hardening your end-user systems, actively monitoring the wireless network, and using a tool, such as Nessus (referenced in this article) to detect rogue access points. The problem is compounded by all of the newer wireless technologies that have made their way into your infrastructure, including Bluetooth, ZigBee, 900MHz communications, RFID, and more! The good news is a large percentage of these attacks require an attacker to be in physical proximity of your users or buildings, still making it quite a journey from China or Romania.


• The Register Gets Hacked Hijacked - Turns out this was DNS hijacking, and affected many more web sites. This shows that security is not only an internal facing activity, but external as well. Here's a good exercise to go through, make a list of all external companies and services that you rely on to run your business. Then, run through exercises to see what would happen if one was compromised. You need to build defenses against these attacks, which is the difficult part.


• VMware's vShield dash; Why It’s Such A Pain In the Security Ecosystem’s *aaS… - Hoff gives us some insight into how vShield compares to some of the 3rd party vendors products that are similar.


• More on Microsoft’s response to the DigiNotar compromise - I have to hand it to Microsoft, they have built-in several different checks to prevent someone from being able to control the update process for all Windows computers. The attackers even attempted to issue certificates for "Windowsupdate.com", however since that domain is not in use, the attack was not successful. Microsoft also removed DigiNotar from the CA list immediately.


• Tech Insight: Three Hardware Tools For Physical Penetration Testing - John Sawyer covers some of the popular methods to performing physical penetration testing, primarily visiting a site and maintaining a backdoor. The tougher part is detection. If an attacker were to drop off a device that plugs into the network, and accepts no incoming connections (layer 3/4 anyhow) and uses 3G to connect back, how would you detect this? You would be limited to physical survey, layer 2 analysis, and cell phone jammers. Not all that attractive options, however it would be neat to review the new MAC addresses coming up on your network and compare them to a list of known access points or network devices (such as the pwn plug). Then again, attackers may just change the MAC address to hide the device type...


• 4 simple steps to bulletproof laptop security - The list reads like this: Passwords, fingerprint readers, full-disk encryption, and after-the-fact theft protection. No question, you should have "good passwords". You probably should only have two passwords, one for the BIOS and one for the OS itself. Sounds simple, but convenience often wins in the battle for "good passwords". Biometrics can help add another layer, but people tend to put too much faith in this technology, which is easily bypassed with Play-Doh. Full-disk encryption is just a good idea, provided what you are protecting is worth the expense of implementation. You should think about theft protection, rather than reaction. It's simple, when you are not in the office and traveling with your laptop it should never leave your hands or your sight. I follow this rule, however I'm not perfect, and I'd be lying if I said I hadn't ran out of a restaurant realizing I left my laptop in the car that I just handed the keys to the valet.


• Diebold demos cloud-based ATM - To the cloud! Working with VMware, Diebold has developed an ATM that has no on-board computer: "Virtualisation removes the onboard computer from the ATM, tying each terminal single server running many "virtual" ATMs. This consolidation allows greater control and therefore better security, at least in theory. Far from offering a single point of failure, this approach would also allow faster failure recovery and more rapid software upgrades and services deployment, leading to an overall increase in ATM uptime, according to Diebold."


• Apple loses iPhones, seeks security experts - Apple is still suffering from the problem of "leaks", as is the case with the latest revision of the iPhone. Should this top Apple's concerns or should they focus on securing their platforms instead? I wonder if it's more a concern of public image rather than competition, as I believe it would be difficult to replicate the iPhone's features if you got a pre-released phone a month before launch. Or, is this just all publicity by Apple to build buzz before a product's release?