OWASP: From FROC to SecurityCenter

by Kelly Todd on June 7, 2010

The Front Range OWASP Conference (FROC) 2010 was held in Denver, Colorado last week and provided a full day of talks and events aimed at a wide variety of information security professionals. The event featured three speaker tracks: “App Sec/Technical”, “Cloud/Mobile/Emerging” and “Management/Executive” as well as a panel discussion and Capture the Flag (CTF) contest. Since 2003, OWASP has maintained and updated the OWASP Top 10 list to categorize and prioritize web application risks as they have evolved over the years, and the list has become a popular tool for helping organizations assess risk and formulate their remediation strategies.

Getting ‘lucky’: When Nessus Finds 0-Days

by Brian Martin on June 3, 2010

Historically, vulnerability scanners have been signature based: they look for issues using a static signature, such as banner output or a service's response to certain queries. If the scanner was not specifically directed to look for a given vulnerability, it would not find it. Many in the security industry still view most network vulnerability scanners in this light. The same people consider dedicated web application scanners the only automated tools that can intelligently discover vulnerabilities not previously disclosed (i.e., “0-day”). This is simply not the case. Nessus’ focus is on enumerating known vulnerabilities, but it also leverages a mature web application scanner capable of finding unknown vulnerabilities.

Nessus’ ten-year history and over 36,000 plugins give it a solid base for finding vulnerabilities. Despite many vulnerabilities being ‘old’ and thought to be patched, vendors and OEMs have a habit of re-using code over and over. What was once an old vulnerability in a lightweight web server can reappear years later in a device with an embedded web server running an administrator interface. While most plugins are signature based, Nessus has had the ability to find undiscovered vulnerabilities since 2001. Years before the first web application scanner was released, Nessus used a handful of plugins that could find generic overflows and format string bugs regardless of the service and regardless of whether it was known to be vulnerable. While these tests are simple, they are very effective at ferreting out software that performs no sanity checking of user-supplied input.

Nessus Version 4.2.1 Released

by Paul Asadoorian on February 22, 2010

As always, we are excited to announce a new release of the Nessus vulnerability scanner. This is a point release (moving from 4.2.0 to 4.2.1) and introduces changes to the scanning engine only. The GUI has not been updated in this release; GUI changes are implemented and released independently of point releases. From a user perspective, the biggest changes in 4.2.1 are two performance items that improve the speed of the GUI and lower the memory overhead of a scan. With regard to the GUI, interaction between the GUI and the database has been improved to better handle browsing reports with thousands of hosts or thousands of open ports per host. Memory consumption has been redesigned to make better use of the memory allotted to Nessus. For example, in previous versions there was a 5 MB overhead per host being scanned. This meant that if max_hosts was set to 100, you'd "lose" 500 MB of memory. In Nessus 4.2.1 the memory overhead per host has been reduced to less than 500 KB, which allows the user to dramatically raise max_hosts.

Not Just for Health Care Providers Any More - HITECH for Business Partners

by Kelly Todd on February 16, 2010

Enacted on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, was designed to protect the security and privacy of Personal Health Information (PHI). Although related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act expands on the requirements to protect health information and has a wider scope for the entities that it covers. Under the HITECH Act, business partners of health care providers are now subject to HIPAA requirements and to the penalties for violating them. These new requirements for business partners become effective on February 17, 2010, one year to the day after the HITECH Act was signed into law by President Obama.

When many people think about data breaches and personal information, they tend to think about the loss of credit card information or Social Security numbers rather than medical information. However, over 220 data loss incidents recorded by the DataLossDB over the last several years involved medical information, and there are certain to be countless other incidents that were either not publicly reported or have not yet been cataloged in the database. To this end, the HITECH Act also establishes a new breach notice requirement that goes into effect in September of 2010:

Sec. 13402. Notification In The Case Of Breach.
(a) In General.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

It should be noted that many states do not include medical information in their data breach notification laws, but since the HITECH Act is federal legislation, all health care entities and their business partners are required to disclose a breach once it is treated as “discovered”. Notification may include not only individual notices to the people affected, but also possibly notice to “prominent media outlets” and, where applicable, the Department of Health and Human Services.

Afterbytes with Marcus Ranum - Russian Stealth Fighters

by Marcus J. Ranum on February 4, 2010

Moscow, Russia (CNN) -- Russia tested its fifth-generation Sukhoi fighter jet in the Russian Far East on Friday. The plane, provisionally called T-50, is the country's first fighter jet based on stealth technology and is viewed by military experts as the Russian answer to the American F-35 and F-22 jets.

References: Russia tests its first stealth fighter jet

Congratulations, Sergey, for flying the new T-50 Russian stealth fighter - the one that is not based on the Joint Strike Fighter plans that allegedly are being stolen from the US by Chinese cyber-spies. Do I need to belabor the obvious...

Afterbytes - Ranum on Google Considering Leaving China

by Marcus J. Ranum on January 21, 2010

Title: Google Considering Leaving China
Date: January 12, 2010

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results.

Sources: Google, Citing Attack, Threatens to Exit China; Update: Google may pull out of China because of cyberattacks; Google's response to being attacked by China

Paired with this fascinating piece by Gerald Posner. The ongoing story of the Chinese "cyberwar" just keeps popping up in the news, again and again, like a zombie that takes repeated blows with a shovel and just won't stop moving. Am I talking about it too much? Perhaps, but it's one of those nodal point issues that I think tells us an incredible amount about what's going on in information security at the government and major corporation level. What do I mean? It's becoming a litmus test, for me, as to who has a clue and who doesn't. But if you want to be a paranoid skeptic, ask yourself "why are people with clues acting as if they have none?"

PaulDotCom interview with Renaud Deraison

by Ron Gula on August 19, 2009

Episode #162 of the PaulDotCom show featured an interview with Renaud Deraison. Renaud discussed creating Nessus, performing network scans, the evolution of Nessus, what it takes to keep Nessus up to date with the latest vulnerability checks, and some of the new features of Nessus 4.2, which is currently in development.

Audit the Cloud with Passive Scanning

by Ron Gula on May 27, 2009

Imagine a scenario where you are tasked to audit the security of an organization’s efforts to “cloud-source” applications, operating systems, databases and other aspects of IT infrastructure. You want to fire up your favorite network scanner, Nessus, but are warned that some of the outsourcing providers have contract clauses that prohibit auditing, network scanning or security testing. Even so, some of the technology is exposed only at the API or SQL level and there isn’t an identifiable OS to scan at all. Last, even though you may be able to perform a scan quickly, some cloud resources are charged at an hourly rate, so the act of auditing costs your company money that the application group did not budget for. Fortunately, passive vulnerability scanning can help audit remote resources that are now off your network and “in the cloud”.

Detecting Conficker with Nessus

by Ron Gula on March 30, 2009

Nessus plugin #36036 performs a network-based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but it does require port 445 or 139 to be open between the Nessus scanner and the scanned systems. The plugin is based on research from the University of Bonn in Germany. Conficker exploits Windows systems vulnerable to MS08-067. Tenable has worked with many organizations to help them perform both uncredentialed network scans and credentialed patch audits with Nessus to find systems that are still vulnerable. We wrote a blog about our...

Auditing PHP Settings to OWASP Recommendations with Nessus

by Ron Gula on March 16, 2009

Tenable recently released an audit policy for Linux servers running PHP which tests for hardening recommendations from the Open Web Application Security Project (OWASP). OWASP maintains a set of guidelines for hardening web servers, with specific attention given to PHP and Cold Fusion technologies.