Three Types of Client-side Exploits

by Ron Gula on February 28, 2012

We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds. Unfortunately, client software can also be targeted with attacks from compromised servers accessed by the clients, and some client software actually listens for connections. In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.

Using Nessus 5 to Raise the Value of Penetration Testing

by Ron Gula on February 23, 2012

Cross referencing the results of your vulnerability scans with the list of public exploits helps identify likely targets for authorized penetration testing teams. Removing these vulnerabilities significantly raises the value of a penetration test since the team will have to work much harder to find issues that aren’t found through automation. There are many subtle issues to consider when correlating available exploits with vulnerabilities. In this blog entry, we’ll highlight these issues by considering exploit correlation with attacks available from the Metasploit project, Core, and Immunity with the results of a very large Nessus scan of several thousand web servers.

Exploitable Since 2002: New Nessus 5 Filters

by Ron Gula on February 21, 2012

With Nessus 5, the results from a single vulnerability scan can be filtered to show which hosts have ancient vulnerabilities, which hosts aren’t being managed, and also which hosts have been exploitable for long periods of time. This blog entry discusses the new Nessus 5 filters, how they can be used to track high-risk vulnerabilities, and how enterprise users of Tenable SecurityCenter can leverage these filters for dashboards and asset-based reporting.

New SCADA Plugins for Nessus and Tenable PVS

by Paul Asadoorian on January 31, 2012

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. These special-purpose systems often operate within a limited scope and use protocols specific to the tasks being performed, such as Modbus, OPC, and DNP3. In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins was released for Nessus (covering devices from Movicon, 7-Technologies, and more). Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security. Below is a sample of some of the new SCADA plugins:

Scanning for pcAnywhere

by Ron Gula on January 30, 2012

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations. With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilities in the application. A current list is shown below for reference:

10006 Symantec pcAnywhere Status Service Detection (UDP)
10794 Symantec pcAnywhere Detection (TCP)
10798 Symantec pcAnywhere Service Unrestricted Access
20743 Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
32133 Symantec pcAnywhere Access Server Detection Service
35976 Symantec pcAnywhere CHF File Pathname Format String Denial of Service
57795 Symantec pcAnywhere Installed (local check)
57796 Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)

Mobile Devices, Your Network, and Passive Sniffing

by Paul Asadoorian on November 30, 2011

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose? Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged – meaning they may or may not be running AV software or a firewall, and may not conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and to the Internet directly over two separate mediums. For example, the device may associate to a wireless network belonging to your organization while also using a 3G/4G connection to the Internet.

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

by Ron Gula on June 27, 2011

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

Microsoft Patch Tuesday Roundup - March 2011

by Paul Asadoorian on March 10, 2011

Another Microsoft Patch Tuesday is upon us. This month I was surprised that two vulnerabilities making headlines recently were not included in this Microsoft Patch Tuesday, namely the 0-day Windows SMB Vulnerability and the reported “Pwn2Own” IE vulnerability. The best way to remediate any vulnerability is to apply a patch provided by the vendor, and it’s puzzling why Microsoft is delaying the release of patches for these widely publicized vulnerabilities. To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

MS11-015 - Vulnerabilities in Windows Media Could Allow Remote Code Execution - Nessus Plugin ID 52583 (Credentialed Check)

Nessus "Exploitable With" Field Updated

by Paul Asadoorian on February 16, 2011

Over the past few months, fields in Nessus reports indicating whether or not an exploit exists for a given vulnerability have continued to evolve. We first announced this feature in October 2010 in a post titled "New Nessus Feature: Public Exploit Availability". Ron Gula then wrote a follow-up post called “If an exploit falls in the forest, does anyone hear it being patched?”, that described the usefulness of the information contained within the "Exploit available" and "Exploitable With" fields in Nessus plugins. The Nessus interface has now received an update that will display the "Exploitable With" field directly in the report (prior to the latest version, this field was only contained in the HTML export).

Microsoft Patch Tuesday Roundup - February 2011

by Paul Asadoorian on February 9, 2011

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

United States: 27,355
China: 15,341
India: 11,122
Egypt: 10,476
Thailand: 10,068