Events

Monitoring the Life of a Java Zero-Day Exploit with Tenable USM

by Randal T. Rioux
October 25, 2012

Not too long ago, CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU #636312) was issued for a flaw discovered in Oracle Java (JDK and JRE 7 U6 and before), as well as version 6 U34 and before.

This is a client-side vulnerability, which requires a user to initiate activity to be exploited. I will avoid dissecting the flaw in detail, as this information is widely available on the Web (a particularly good write-up is here).

Keep in mind that Java is platform independent, and so is this exploit. The example here uses Internet Explorer on Windows 7 (with Java SE 7u3). However, Linux and OS X users shouldn’t feel excluded on this one!

With Tenable's Unified Security Monitoring (USM) platform, comprised of SecurityCenter (SC), the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE), we can track this exploit from start to finish.

Black Hat 2012

by Paul Asadoorian
August 1, 2012

Conferences Fuel Your Passion

Few things spark your passion for information security the same way as a conference. It’s inspiring to talk to so many different people in the industry and listen to a variety of talks, all in one place. I had the chance to personally meet many readers of the Tenable blog and listeners of the Tenable podcast. I also heard some great talks as well. Here are some highlights.

Smashing the Future for Fun and Profit

I was really excited to see the folks on this panel come together and "talk shop." It’s a rare opportunity to see Jeff Moss (Dark Tangent), Adam Shostack, Marcus Ranum, Bruce Schneier, and Jennifer Granick all share the same stage! This did not happen by chance, as this panel brought back five of the original speakers Jeff Moss assembled at the first two Black Hat conferences held in 1997 and 1998.

I've had the unique opportunity to interview each of the 2012 panel members individually, so I was particularly interested to see how their thoughts, ideas, and opinions would converge. I was not disappointed. The topics ranged from software security, the government’s role in security, consumerism and how ease of use impacts security, the vulnerability market, and so much more. Jennifer Granick was an outstanding moderator (which was not an easy task by any stretch!).

The big question for me was, “What changed?” Jeff had a great anecdote. He said we don't really solve the problems, but we just run away from them and they seem to go away. We've just been able to run faster. I reviewed the topics presented at the first Black Hat conference in 1997, and I couldn't agree more. Vulnerabilities in TCP/IP, secure coding, and over-reliance on firewalls all made the list — topics we still discuss, and problems we still run from today.

Social Media: The Double-Edged Sword for the Security Community

by Jack Daniel
June 12, 2012

Social media is generally portrayed as a fast way to lose data, leak information, and ultimately end up in trouble. But social media isn’t only another pain point for the security community – it also has a lot of real assets for us, some of which have dramatically changed the way I do my job. It’s a maddeningly multifaceted issue, with many layers on both sides of the coin.

I wanted to start this post by talking about the positive contributions social media has given the security industry – the sharing of knowledge, community, etc. – but then last week’s LinkedIn breach pushed social media privacy concerns right back to the forefront.

The LinkedIn breach shows how difficult controlling all the necessary considerations can be when you’re forming and enforcing a social media security policy. You can monitor or limit employee use at work, scan regularly for malware, and educate employees on safe social media practices, but something else can go wrong – like the social network itself mishandling your password. You’re basically playing Whack-a-Mole.

Cyberwar: You're Doing It Wrong!

by Dale Gardner
May 21, 2012

Cyberwar remains a hot topic of conversation in both political and technology circles. But Tenable Chief Security Officer Marcus Ranum asserts that much of the discussion has been--and remains--misleading and inaccurate. In this presentation from the 2012 RSA Conference, Marcus outlines his thoughts on the multiple problems that comprise cyberwar to get past the hype and articulate what risks actually exist. Watch now on YouTube.

Debating Software Liability

by Dale Gardner
May 1, 2012

Combine equal parts of two of the industry's most outspoken experts, add in the controversial topic of software liability, and stand back to watch the ideas collide. The cameras were on hand at the recent RSA event to capture the debate between Tenable Network Security Chief Security Officer Marcus Ranum and BT Chief Security Technology Officer Bruce Schneier. Thought provoking doesn't begin to describe the encounter--and that's all before the audience gets involved. Watch now on our YouTube channel:

Decoding IPv6: Four Misconceptions that Security Execs Need to Know

by Ron Gula
February 29, 2012

IPv6. It’s big, unavoidable, exciting, and concerning… 

The Internet protocol that we’ve come to know and love (IPv4) is about to get a facelift (or, at least a serious shot of HGH). The tech community is bracing for a wild ride ahead -- guaranteed to be riddled with successes, failures, and security snafus as IPv6 is rolled out. In fact, we just saw the first DDoS attack targeting IPv6 networks earlier this month -- making this a very timely topic.

Not All ‘Cybers’ Are Created Equally

by Susan Brown
February 29, 2012

By Marcus Ranum, Tenable CSO

What do these four terms have in common?

Cyberwar, Cybercrime, Cyberespionage, and Cyberterror.

  • They all start with the word ‘Cyber’
  • They’re all bad stuff
  • And they’re all consistently confused with each other, despite significant differences (and sometimes conflicts) between them

Many people already know my position on ‘Cyberwar’ but things have changed significantly over the past four years in IT and physical security, technology, the government, and the military. The actual ‘Cyber’ landscape is much more nuanced than many seem to realize, which has created an unnecessary public perception of extreme vulnerability (which can lead to fear, which can be dangerous).

At RSA: New data reinforces intimate stories of career stress and burnout

by Jack Daniel
February 24, 2012

In the last year, I’ve been part of a panel of security experts that has gathered at various security events to share what we’ve learned about stress and burnout in the IT security industry, and to help people identify when they, or somebody they know, are at risk. We’ve conducted surveys to find out more about these risks and their causes, but the heart of these sessions are the compelling anecdotes from the security professionals who share personal stories of depression or anger, as well as their scars, both emotional and physical.

Our presentations and discussions have been a developing project, each session building off of what we learn at every event before it. I’ll be moderating a panel again on this topic at RSA, and we will be revealing original research on career burnout and the causes of stress for security professionals.

UMD and Tenable Announce New Cybersecurity Partnership

by Paul Asadoorian
February 7, 2011

Tenable is proud to announce a newly formed partnership with the University of Maryland's Cybersecurity Center. The partnership will focus on preparing the future security workforce and collaborating on cybersecurity challenges.

Shmoocon 2011 Conference Wrap-Up

by Paul Asadoorian
February 1, 2011

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C. in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".


From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:
