Being Pro-Active Against the "0-Day" Threat

by Paul Asadoorian on January 21, 2010

Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees' computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 - Critical, and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010 Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 & 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article.)

Being Proactive

Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization's overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

Marcus Ranum Presents "Internet Nails" at TED

by Paul Asadoorian on November 11, 2009

Marcus presents an awesome story about the Internet, software, and security. Watch as he goes into detail on how protocols work, problems with FTP, HTTP, and much more! The purpose was to show how small mistakes made in the design of software and the Internet have shaped the security industry. You can watch the full version of the talk below:

You can also find a full size high quality version of the above video on YouTube's site.

Cyberdawn - A Diverse Cyber Exercise - Part II

by Paul Asadoorian on October 9, 2009

Passwords are just so easy to abuse... It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.

Hacker "ftp" at work, winning the game using built-in tools such as bash, Python and SSH.

Cyberdawn - A Diverse Cyber Exercise - Part I

by Paul Asadoorian on October 7, 2009

Cyber Exercise

Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

Sidebar: What is a Cyber Exercise?

"A cyber exercise is a live computer network attack and defense event. A typical exercise runs at least one day for a small team and up to five days for large organizations or multiple teams. Teams generally fall into two categories: attackers (Red Team) and defenders (Blue Team). Defenders are scored on their ability to keep their IT systems up and functional in support of their business processes. Attackers are scored on their ability to disrupt business operations." See for more information.

Risky Business 119 - Featuring Paul Asadoorian

by Paul Asadoorian on August 17, 2009

Last week I made an appearance on episode 119 of the Risky Business podcast with Patrick Gray. I spoke with Patrick about training and certification, specifically how it applies to the Information Security field and its importance in your career development.

We're also joined by a special guest in our sponsor segment this week, Paul Asadoorian, the host of the PaulDotCom Security Weekly podcast. Paul's day job is as Tenable's "Evangelist". He won't be evangelising anything this week though, he's popping by to talk about training. Paul did work for SANS, and we'll be asking Paul what he thinks...

SANS Consensus Audit Guidelines Webinar - August 13th

by Ron Gula on July 31, 2009

Tenable will be hosting a webinar about the new SANS Consensus Audit Guidelines, commonly known as the "CAGs". Tenable CEO Ron Gula will discuss the main points and recommendations of the CAGs with industry experts Rich Mogull, CEO of Securosis, and Dr. Eric Cole, a Fellow at the SANS Technology Institute, noted author and president of Secure Anchor.

Risky Business 115 - Featuring Brian "Jericho" Martin

by Paul Asadoorian on July 14, 2009

Our very own Brian "Jericho" Martin appears on episode 115 of Risky Business. Brian discusses the latest Microsoft DirectShow ActiveX bug, the workarounds, the process, and controversy surrounding this vulnerability.

We also hear from Brian "Jericho" Martin -- he's the maintainer of the open source vulnerability database and he also works for Tenable Network Security, our sponsor. He'll be along in this week's sponsor interview to have a chat about that nasty DirectShow ActiveX bug that's doing the rounds at the moment -- did Microsoft drop the ball on this one? Well, the answer is maybe, as...

Webinar - Control System Auditing with Nessus

by Ron Gula on May 14, 2009

Tenable CEO Ron Gula will interview Digital Bond Researcher Jason Holcomb about project Bandolier. Bandolier is a project funded by the Department of Energy which focuses on securing a wide variety of SCADA and Control System applications through configuration hardening. The project has produced several configuration auditing policies for Nessus ProfessionalFeed and Security Center users. Mr. Holcomb will discuss the specific types of Control System technologies that have been audited, how they can be obtained, the types of Nessus audit functions that have been used and also demonstrate how...

ShmooCon 2009 - Playing Poker for Charity

by Ron Gula on February 12, 2009

Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees and scheduled "guest" players such as Paul Asadoorian from PaulDot.Com, Simple Nomad from NMRC, Jericho from Attrition, Chris Hoff and many others. Playing poker with self-proclaimed hackers, security experts, CIOs, CSOs, and students was very enlightening. There was at least one joke about "risk management" each hour. A lot of players liked the chance to get to sit down with some of the other...

"Winning at the Compliance Game" Webinar, Feb 3

by Ron Gula on January 28, 2009

Will 2009 bring newer and more comprehensive versions of regulations such as PCI or FDCC? Is your organization already positioned to leverage the benefits of configuration management and transparent audit of IT resources? With a focus on configuration and vulnerability management for enterprise networks, Tenable CTO Ron Gula will discuss the latest trends in compliance standards, strategies for a positive audit experience and how this process can lower your organization's operational costs and maximize availability.

Title: "Winning at the Compliance Game"
Date: Tuesday, February 3, 2009
Time...