Uncategorized

OWASP: From FROC to SecurityCenter

by Kelly Todd
June 7, 2010

The Front Range OWASP Conference (FROC) 2010 was held in Denver, Colorado last week and provided a full day of talks and events aimed at a wide variety of information security professionals. The event featured three speaker tracks: “App Sec/Technical”, “Cloud/Mobile/Emerging” and “Management/Executive” as well as a panel discussion and Capture the Flag (CTF) contest. Since 2003, OWASP has maintained and updated the OWASP Top 10 list to categorize and prioritize web application risks as they have evolved over the years, and the list has become a popular tool for helping organizations assess risk and formulate their remediation strategies.

Getting ‘lucky’: When Nessus Finds 0-Days

by Brian Martin
June 3, 2010

Historically, vulnerability scanners have been signature based: looking for issues based on a static signature or behavior, such as banner output or a service's response to certain queries. If the scanner was not specifically directed to look for a given vulnerability, it would not find it. Many in the security industry still view most network vulnerability scanners in this light. The same people consider dedicated web application scanners the only automated tools that can intelligently discover vulnerabilities not previously disclosed (i.e., “0-day”). This is simply not the case. Nessus’ focus is on enumerating known vulnerabilities, but it also leverages a mature web application scanner capable of finding unknown vulnerabilities.

Nessus’ ten-year history and over 36,000 plugins give it a solid base for finding vulnerabilities. Despite many vulnerabilities being ‘old’ and thought to be patched, vendors and OEMs have a habit of re-using code over and over. What may have been an old vulnerability in a lightweight web server could reappear years later in a device with an embedded web server running an administrator interface.

While most plugins are signature based, Nessus has had the ability to find undiscovered vulnerabilities since 2001. Years before the first web application scanner was released, Nessus used a handful of plugins that could find generic overflows and format string bugs regardless of the service or whether it was known to be vulnerable. While these tests are simple, they are very effective at ferreting out software that performs no sanity checking of user-supplied input.

Nessus Version 4.2.1 Released

by Paul Asadoorian
February 22, 2010

As always, we are excited to announce a new release of the Nessus vulnerability scanner. This is a point release (moving from 4.2.0 to 4.2.1) and introduces changes to the scanning engine only. The GUI has not been updated in this release; however, GUI changes will be implemented and released independently of point releases.


From a user perspective, the biggest changes in 4.2.1 are the two performance items that improve the speed of the GUI and lower the memory overhead when doing a scan. With regards to the GUI, interaction between the GUI and the database has been improved to better handle browsing reports with thousands of hosts or thousands of open ports per host. Memory consumption has been redesigned to make better use of the memory allotted to Nessus. For example, in previous versions there was a 5 MB overhead per host being scanned. This meant that if max_hosts was set to 100, you'd "lose" 500 MB of memory. In Nessus 4.2.1 the memory overhead per host has been reduced to less than 500 KB, which allows the user to dramatically raise max_hosts.

Not Just for Health Care Providers Any More - HITECH for Business Partners

by Kelly Todd
February 16, 2010

Enacted on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, was designed to protect the security and privacy of Personal Health Information (PHI). Although related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act expands on the requirements to protect health information and has a wider scope for the entities that it covers. Under the HITECH Act, business partners of health care providers are now subject to HIPAA requirements and the penalties for violating them. These new requirements for business partners become effective on February 17, 2010, one year to the day after the HITECH Act was signed into law by President Obama.

When many people think about data breaches and personal information, they tend to think about the loss of credit card information or Social Security numbers rather than medical information. However, over 220 data loss incidents recorded by the DataLossDB involved medical information over the last several years and there are certain to be countless other incidents that were either not publicly reported or have not yet been cataloged in the database. To this end, the HITECH Act will also establish a new breach notice requirement that will go into effect in September of 2010:

Sec. 13402. Notification In The Case Of Breach.
(a) In General.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

It should be noted that many states do not include medical information in their data breach notification laws, but since the HITECH Act is federal legislation, all health care entities and their business partners are required to disclose a breach if it can be treated as “discovered”. Notification may include not only individual notices to those people affected, but also possibly notice to “prominent media outlets” and, where applicable, the Department of Health and Human Services.

Afterbytes - Ranum on Google Considering Leaving China

by Marcus J. Ranum
January 21, 2010

Title: Google Considering Leaving China
Date: January 12, 2010

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results.

Sources: Google, Citing Attack, Threatens to Exit China, Update: Google may pull out of China because of cyberattacks, Google's response to being attacked by China

Paired with this fascinating piece by Gerald Posner.

The ongoing story of the Chinese "cyberwar" just keeps popping up in the news, again and again, like a zombie that takes repeated blows with a shovel and just won't stop moving. Am I talking about it too much? Perhaps, but it's one of those nodal point issues that I think tells us an incredible amount about what's going on in information security at the government and major corporation level. What do I mean? It's becoming a litmus test, for me, as to who has a clue and who doesn't. But if you want to be a paranoid skeptic, ask yourself "why are people with clues acting as if they have none?"

PaulDotCom interview with Renaud Deraison

by Ron Gula
August 19, 2009

Episode #162 of the PaulDotCom show featured an interview with Renaud Deraison. Renaud discussed creating Nessus, performing network scans, the evolution of Nessus, what it takes to keep Nessus up to date with the latest vulnerability checks, and some of the new features of Nessus 4.2, which is currently in development.

Audit the Cloud with Passive Scanning

by Ron Gula
May 27, 2009

Imagine a scenario where you are tasked to audit the security of an organization’s efforts to “cloud-source” applications, operating systems, databases and other aspects of IT infrastructure. You want to fire up your favorite network scanner, Nessus, but are warned that some of the outsourcing companies have contract clauses that prohibit auditing, network scanning or security testing. Even then, some of the technology is exposed only at the API or SQL level and there isn’t even an identifiable OS to scan. Last, even though you may be able to perform a scan quickly, some cloud resources are charged at an hourly rate, and the act of auditing costs your company money that the application group did not budget for. Fortunately, passive vulnerability scanning can help audit remote resources that are now off your network and “in the cloud”.

Detecting Conficker with Nessus

by Ron Gula
March 30, 2009

Nessus plugin #36036 performs a network-based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but does require port 445 or 139 to be open between the Nessus scanner and your scanned systems. The plugin is based on research from the University of Bonn in Germany.

Auditing PHP Settings to OWASP Recommendations with Nessus

by Ron Gula
March 16, 2009

Tenable recently released an audit policy for Linux servers running PHP which tests for hardening recommendations from the Open Web Application Security Project (OWASP). OWASP maintains a set of guidelines for hardening web servers, with specific attention given to PHP and ColdFusion technologies.
