
Tenable Blog


Tenable Network Security Podcast Episode 104

Hosts

  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Jack Daniel, Product Manager
  • Ron Gula, Tenable's CEO/CTO and media expert!

Announcements

Stories

  • Tenable's Ron Gula Discusses Protection of University Data
  • ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution - A lot of places still use FTP to share files. Sometimes it's to allow partners or contractors to upload files, sometimes it's part of the production process and used to automatically transfer files between systems, and other times it's just because people are too lazy to use SSH/SCP. Whatever the reason, FTP is still in use, so being able to monitor it for vulnerabilities is still valid. This signature is part of Tenable's Passive Vulnerability Scanner (PVS), which lets you find vulnerable FTP servers you may not have previously known about. I've found that people will often use ACLs, firewalls, and the FTP configuration itself to try to hide the shameful fact that they are using a protocol that encrypts neither the login nor the data.
  • Oracle Report Server - 2-Cent Hack Trick - I just love flaws like this. It's not traditional XSS or SQLi, but using the functionality of an application in a way it was not intended. Hacking in its purest sense. I often find that these are the problems that go unfixed, because it's a logic thing, not a patch thing.
  • Mobile Security Can Be a Major Pain - Now doctors are walking around with my health information on a mobile device, and guess what? Sometimes their devices get lost, along with my information. So, as we get more mobile with our computing, let's not forget to use encryption. Also, PCs are cheap, so why can't we have one in every room and put the pertinent patient information in the hands of doctors? Oh wait, we can. There were a couple of guys who made software to do this, based on object oriented programming. They got bought by Microsoft and are used in thousands of hospitals across the globe.
  • Firms Slow to Secure Flaws in Embedded Devices - Ron Gula has some great comments in this article as well (he's all over the media this week!). One thing the article failed to mention was why security doesn't get baked into embedded systems in the first place. Typically there are severe limitations on processing power and storage, which forces developers to just make things work and not add in any extra security measures, such as using SSH instead of Telnet.
  • iTunes Security Vulnerability had been Present for Over Three Years - If Apple knew about this one, why didn't they patch it? Software update vulnerabilities are a big deal, and three years is way too long to let one go.
  • Six Myths of Risk Assessment - Some interesting points in this article. One jumps out at me, and that is that a risk assessment will determine that you should not implement security. I think many may look at this backwards, and try to use a risk assessment to get more security, when in fact it should prove that you need less. I think one aspect left out is WHERE you should put your security, not how much or little you implement as a whole.
  • $200 Kit Smashes Intel's HD Video Encryption - Now, I don't encourage people to break the law, but I do get a kick out of people who break the rules. Any time you stand up a technology that limits people's ability to do, well, anything, someone will break it. The real kicker comes when they break it by spending less than $500, because that means it's in the hands of the masses and you've failed to protect anything with it from that point forward.
  • US Police use Radio Encryption to Stop iPhone Eavesdropping - So just now the police are going to encrypt communications? I remember when I was growing up, several people had police scanners and I always thought it was kind of silly that anyone could just listen in. But now you can do it from a smart phone, so it's a real threat.
  • Siri Hacked to Remotely Start a Car - Look, I can't get Siri to call my wife or even spell "cigar" in a TXT message. So, hack it all you want, it likely won't start my car on the first try, or second, or third….
  • Hacker Says Texas Town Used Three-Character Password to Secure Internet Facing SCADA System - I wanted to take a moment to tell people to run regular scans against your perimeter. Your regular scans should include some form of password brute-force guessing. Nessus does some of this for you, but take the time to come up with a repeatable process for testing Internet-facing systems for easily guessable passwords. Right now, you can integrate Hydra into Nessus and test your systems using a custom dictionary. You should do this on the inside and the outside. Every sysadmin I've ever spoken to has that one password, or more, that they've used all over the place and swear they've changed it. You need to test and make sure they have.
  • Hackers Target IPv6 - One more reason to stay on IPv4.
  • Hacking Printers - Again
  • The New (and Old) .htaccess Attacks – Now Using .in Domains - If someone is changing your configuration files, like .htaccess, you should notice. This should be part of your basic defenses.
  • Apache mod_proxy/mod_rewrite Bug Lets Remote Users Access Internal Servers
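The ProFTPD item above is about a passive signature: the sensor never touches the server, it just reads the 220 greeting the server volunteers and compares the version against the fixed releases in the plugin title. The script below is an added example of that kind of check; it is not PVS code or anything from the ProFTPD project. The sample greetings are constructed, and the ordering rule for ProFTPD's "1.3.3e" / "1.3.4rc3" style version strings is an assumption made here. Note the "unknown" verdict: a server with its banner hidden (ProFTPD's `ServerIdent off`, a rewritten greeting, or a firewall in front of it) cannot be cleared by a banner check, which is exactly the hiding the post describes.

```python
"""Passive ProFTPD banner check (added example, not PVS code).

Flags ProFTPD versions below the fixed releases named in the plugin title:
1.3.3g for the 1.3.3 line, and 1.3.4 final for its release candidates.
"""
import re

# "rc" must be tried before the single-letter patch level, otherwise the
# 'r' of "rc3" would be taken as a patch letter.
BANNER_RE = re.compile(
    r"ProFTPD\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:rc(?P<rc>\d+)|(?P<letter>[a-z]))?\b"
)


def version_key(text):
    """Turn 'ProFTPD 1.3.4rc3 Server' into a sortable tuple, or None.

    Assumed ordering within one x.y.z line: rc1 < rc2 < final < a < b ...,
    so the key is (major, minor, patch, stage, n) with stage 0 for release
    candidates and stage 1 for the final release and its lettered patches.
    """
    m = BANNER_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    if m.group("rc") is not None:
        return (major, minor, patch, 0, int(m.group("rc")))
    letter = m.group("letter")
    return (major, minor, patch, 1, ord(letter) - ord("a") + 1 if letter else 0)


FIXED_133 = version_key("ProFTPD 1.3.3g")
FIXED_134 = version_key("ProFTPD 1.3.4")


def is_vulnerable(key):
    """Plugin rule: anything below 1.3.3g, or a 1.3.4 pre-release."""
    if key < FIXED_133:
        return True
    return key[:3] == (1, 3, 4) and key < FIXED_134


def check_banner(line):
    """Return (version_key_or_None, verdict) for one 220 greeting.

    'unknown' means the version is hidden or it is not ProFTPD at all; treat
    those hosts as needing a credentialed version check, not as safe.
    """
    key = version_key(line)
    if key is None:
        return None, "unknown"
    return key, "vulnerable" if is_vulnerable(key) else "patched"


# Constructed sample greetings, in the form a passive sensor would capture.
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.3e Server (Debian) [::ffff:10.0.0.5]",
    "220 ProFTPD 1.3.4rc3 Server (ProFTPD Default Installation) [10.0.0.6]",
    "220 ProFTPD 1.3.3g Server (Debian) [::ffff:10.0.0.7]",
    "220 ProFTPD 1.3.4 Server [10.0.0.8]",
    "220 FTP Server ready.",  # ServerIdent off: version hidden
    "220 ProFTPD 1.3.2e Server [10.0.0.9]",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        _key, verdict = check_banner(banner)
        print(f"{verdict:10s} {banner}")
```

The version tuple is kept separate from the verdict so the same parser can feed an inventory; the only ProFTPD-specific knowledge is the two fixed versions and the rc/letter ordering.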
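The SCADA-password item asks for a repeatable process, not a one-off: a custom dictionary built from what you know about the site, run against every Internet-facing login, inside and out, with an eye for the one password a sysadmin has used everywhere. The script below is an added example of such a process; it is not Nessus or Hydra code. It builds a site-specific wordlist (the kind you would hand to Hydra's `-P` option), drives it through a pluggable login function so the same sweep can use ftplib, paramiko or a mock, and reports both hits and passwords reused across hosts. The targets, the site words and the `mock_login` function with its `MOCK_CREDS` table are constructed for the example.

```python
"""Repeatable weak-credential sweep (added example, not Nessus or Hydra code)."""
import itertools

COMMON = ["admin", "password", "123456", "changeme", "letmein"]
SUFFIXES = ["", "1", "123", "!", "2011"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def build_wordlist(site_words, min_len=1):
    """Common passwords plus site words with case, suffix and leet mutations.

    Insertion order is preserved and duplicates dropped, so a run is
    deterministic and the list can be written straight to a file for Hydra.
    """
    ordered = {}
    for word in itertools.chain(COMMON, site_words):
        forms = {word.lower(), word.capitalize(), word.upper(),
                 word.lower().translate(LEET)}
        for form, suffix in itertools.product(sorted(forms), SUFFIXES):
            candidate = form + suffix
            if len(candidate) >= min_len:
                ordered[candidate] = None
    return list(ordered)


def sweep(targets, users, wordlist, login, max_attempts=None):
    """Try every user/password pair against each (host, port).

    `login(host, port, user, password) -> bool` is the transport. The sweep
    stops per user at the first success, and `max_attempts` caps guesses per
    user so you stay under a target's lockout threshold.
    """
    hits = []
    for host, port in targets:
        for user in users:
            for n, password in enumerate(wordlist):
                if max_attempts is not None and n >= max_attempts:
                    break
                if login(host, port, user, password):
                    hits.append((host, port, user, password))
                    break
    return hits


def reused_passwords(hits):
    """Passwords that opened more than one host: the 'one password used all
    over the place' case the sweep exists to find."""
    by_password = {}
    for host, _port, _user, password in hits:
        by_password.setdefault(password, set()).add(host)
    return {p: sorted(h) for p, h in by_password.items() if len(h) > 1}


# Constructed "truth" for the mock transport: what these fake hosts accept.
# Swap mock_login for a real client (ftplib, paramiko, ...) for live use.
MOCK_CREDS = {
    ("10.0.0.10", 21): ("ftp", "Acme2011"),
    ("10.0.0.11", 22): ("operator", "Acme2011"),
    ("10.0.0.12", 21): ("admin", "xY7#pQ!n9"),
}


def mock_login(host, port, user, password):
    return MOCK_CREDS.get((host, port)) == (user, password)


if __name__ == "__main__":
    words = build_wordlist(["acme"])
    found = sweep(sorted(MOCK_CREDS), ["ftp", "operator", "admin"], words, mock_login)
    for hit in found:
        print("HIT", hit)
    for password, hosts in reused_passwords(found).items():
        print("REUSED", password, "on", ", ".join(hosts))
```

`"\n".join(build_wordlist(["acme"]))` written to a file is the custom dictionary for Hydra; the third mock host, with a password no mutation produces, is there to show the sweep reporting nothing rather than guessing.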

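The .htaccess item makes a detection point: a change to a per-directory config file should be noticed, and the classic form of this attack is a referrer- or user-agent-gated RewriteRule that sends search-engine visitors off to a domain you do not own. The script below is an added example of that basic defense, not code from Tenable or from the article. It baselines the SHA-256 of every .htaccess under a docroot, reports files added, removed or changed on the next run, and scans the added/changed ones for RewriteRule targets outside a trusted-host list, flagging them harder when a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT gates them. The docroot, its files and the trusted host are constructed in `demo()`; the redirect target uses the reserved `.invalid` TLD in place of the .in domains from the story.

```python
"""Baseline-and-diff monitor for .htaccess files (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# A RewriteRule whose substitution is an absolute URL; group 2 is the host.
REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://([^/\s]+))", re.I | re.M)
# The cloaking condition: only redirect visitors arriving from a search engine
# or with a particular browser, so the site owner never sees it.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I | re.M)


def baseline(docroot, names=(".htaccess",)):
    """Map docroot-relative path -> sha256 for every file named in `names`."""
    root = Path(docroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name in names
    }


def diff_baseline(old, new):
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def suspicious_rules(text, trusted_hosts):
    """Off-site RewriteRule targets, tagged by whether the file gates them on
    referrer/user-agent (conditional) or redirects everyone (unconditional)."""
    conditional = bool(COND_RE.search(text))
    findings = []
    for m in REDIRECT_RE.finditer(text):
        host = m.group(2).lower()
        if host not in trusted_hosts:
            findings.append((host, "conditional" if conditional else "unconditional"))
    return findings


def audit(docroot, old_baseline, trusted_hosts):
    """Diff against the stored baseline and inspect what is new or changed."""
    new = baseline(docroot)
    report = diff_baseline(old_baseline, new)
    report["suspicious"] = {}
    for rel in report["added"] + report["changed"]:
        text = (Path(docroot) / rel).read_text(errors="replace")
        hits = suspicious_rules(text, trusted_hosts)
        if hits:
            report["suspicious"][rel] = hits
    return report, new


def demo():
    """Constructed docroot: baseline it, tamper with it, audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "blog").mkdir()
        (root / ".htaccess").write_text("Options -Indexes\n")
        (root / "blog" / ".htaccess").write_text(
            "RewriteEngine On\n"
            "RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]\n")
        base = baseline(root)
        # Constructed tampering in the shape the story describes: a
        # referrer-gated redirect appended to an existing file, plus a new
        # .htaccess dropped into a directory that never had one.
        with (root / "blog" / ".htaccess").open("a") as f:
            f.write("RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
                    "RewriteRule ^(.*)$ http://attacker.invalid/ [R=302,L]\n")
        (root / "img").mkdir()
        (root / "img" / ".htaccess").write_text(
            "RewriteRule .* http://attacker.invalid/ [L]\n")
        report, _new_base = audit(root, base, {"www.example.com"})
        return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice the baseline dict is what you persist (and protect) between runs; the content scan is a second opinion on top of the hash diff, so a legitimate edit that adds an on-site redirect shows up as changed but not suspicious.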