
Tenable Blog


Tenable Network Security Podcast Episode 116 - "Detecting IPv6, iTunes vulnerabilities, Security is dead?"


  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO
  • Jack Daniel, Product Manager


New & Notable Plugins


  • Dashboard: IPv4 Systems with IPv6 Interfaces and Addresses - You will hear many in the security industry say, "You have more IPv6 on your network than you think, in fact Windows and Linux hosts come with it enabled by default!" Now, using SecurityCenter and Nessus, you can reach out and see just how many systems on your network have an IPv6 interface. One note, I believe plugin 14788, IP Protocols Scan, requires that "Thorough checks (slow)" be enabled in your Nessus scan policy.


  • VMSA-2012-0003: VMware VirtualCenter Update and ESX 3.5 patch update JRE - Patches to your virtual infrastructure are increasingly important. For example, I read this from the VMware website: "It [vCenter] provides unified management of all the hosts and VMs in your datacenter from a single console." I immediately put myself in the attacker's shoes, and the crosshairs would be firmly placed on the virtual infrastructure. Why compromise one host when you can compromise 10,000? In terms of priority, the backbone of your servers needs to be protected, hardened, and patched.
  • iTunes < 10.6 Multiple Vulnerabilities (uncredentialed check) - The list of CVE entries associated with this advisory is very long. Makes me wonder what the actual issue is with iTunes and WebKit. Apple says, "A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution." In any case, you can use Nessus to find hosts affected by these vulnerabilities using either a credentialed or uncredentialed check.

Passive Vulnerability Scanner:

  • Detection of possible Apple's iCloud service - Several PVS plugins look for potential policy violations. For example, I was trying to share a 1.37GB file with someone this week via Dropbox. Dropbox was being blocked, so the person just waited until they got home, downloaded the file, then brought it to work with them the next day. iCloud is just another service in a string of "cloud-based" applications that let you share and store files. However, if you choose to block these services, consider providing a service to your users that is similar to avoid the "sneakernet," which is much harder for PVS to monitor. (NOTE: Dropbox could be used by Spammers!)
  • Apple iOS 3.0 through 5.0.1 Multiple Vulnerabilities - I still think it's really neat that you can passively monitor your network and detect vulnerable iOS devices. My suggestion is to monitor the ingress point of your wireless network, as that is where these devices will start magically appearing.


  1. You Know What’s Dead? Security… - Hoff makes some really great points in this article: "The reality is that if we (as operators) are constrained to passive defense and are expected to score progress in terms of moving the defensive line forward versus holding ground, albeit with collateral damage, then yes…we’re losing." Also, many believe that we are "losing" just because security breaches are in the news all the time. This is a very poor measure of the overall security of every organization on the planet. Instead, it could mean that more people are attacking us. It could also mean that more people are using technology and have fallen into the "I can be attacked over the Internet" category. More businesses are on the Internet. More people carry technology with them, and information is easier than ever to share, and to lose. So, before you go proclaiming that we are "losing," try to think about all the factors.
  2. Proper Equipment Disposal - This article goes through some of the SCADA devices that were purchased online, for a fraction of the price, and what information can be gathered from them. Reid Wightman has several success stories in this area. He was able to obtain line protection units used by electrical companies, complete with their external IP addresses still on the flash memory, substation names, addresses, and more. Reid explains the difficulties of wiping data from embedded systems using the following example: "One network switch that I tinkered with stored the administrator password in plaintext, and if the password was blanked, the first byte of the storage location in memory was literally just overwritten with a single 0. So if the original password was ‘password,’ that location would have 0x00, followed by ‘assword’ when a reset was performed."
  3. Support, Technical - I love these images that describe what people do. Basically, if you are in tech support, your friends think you use a multi-meter all day, your Mom thinks you are a Nobel prize-winning scientist, you think you are an engineer for the Starship Enterprise, your boss thinks you sleep all day, society thinks it's just like the "IT Crowd," and what you actually do? Google searches. Brilliant!
  4. Cisco Zine: Cisco Linksys WAG54GS CSRF Change Admin Password - The exploit is simple: Put this HTML code on a website and get people to visit the page. When they load the HTML, their password will be changed. Of course, a better usage of this exploit would be to change the DNS servers. Don't forget, while I have not tested this particular exploit, typically it requires that either the user be logged into their router while visiting the malicious page or that you have a default password set on your router. So, again, keep your embedded devices up-to-date on firmware and change the default passwords. In reality, I see organizations and individuals struggle to do this on a regular basis.
  5. Five ways to protect yourself from Wi-Fi honeypots - First, for all of those reading about this in the press lately, this appears to be a heavily modified Wi-Fi attack based on Karma. For those that may not know, Karma works on a very limited number of devices, as its original intention was to exploit Windows systems which have since been patched. There are some variations. However, the success rate of this style of attack is now very limited. Of course, you can always just bank on the fact that you are broadcasting "free Wi-Fi" and people will join, which likely has a higher degree of success. Some of the defensive recommendations could use some clarification, such as turning off your Wi-Fi and using 3G or 4G. That may work for a little while, but some day you will see a similar device that works with those protocols as well. Except it won't be in the news, because of the regulations surrounding reverse engineering 3G and 4G and the FCC. While you should avoid open wireless networks, it doesn't mean that a WPA network cannot be malicious (don't forget, for WPA PSK, all users still share the same key). I think the real problem is that your computer trusts Wi-Fi networks based on SSID alone. All it would need to do in order to reduce these attacks is remember both the SSID and the BSSID (the MAC address of the wireless interface used by the access point). Of course, there would need to be a warning if it changed, which users would ignore, and roaming could be difficult.
  6. Playing with Network Layers to Bypass Firewalls' Filtering Policy - This was a talk at the CanSecWest conference and covers how attackers could exploit some of the "smart" firewalls to bypass rules. Slides and example videos can be found in this post, as well as some fixes for the problem.
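The SSID/BSSID pinning that item 5 argues for, written out as an added example (not code from the podcast or from Tenable): it also covers the roaming problem the item raises by letting the user pin extra BSSIDs for a known SSID, and treats a change in security type (WPA to open) as the evil-twin signal. The names, verdict labels and scan records are assumptions constructed for the demo.

```python
# SSID/BSSID pinning. The client remembers, per SSID, the security type and the
# BSSIDs (access point MAC addresses) it has accepted, and warns when a familiar
# name shows up under a different identity. All scan records are constructed.
from dataclasses import dataclass, field

@dataclass
class Profile:
    security: str                     # e.g. "open", "wpa-psk", "wpa-eap"
    bssids: set = field(default_factory=set)

@dataclass
class Beacon:
    ssid: str
    bssid: str
    security: str

def evaluate(profiles: dict, beacon: Beacon) -> str:
    """Return 'new' (unseen SSID, pinned on first use), 'trusted' (SSID, BSSID
    and security match the pin), 'roam' (known SSID and security, unpinned
    BSSID: plausible roaming, ask before pinning via confirm_roam) or
    'mismatch' (security type changed, e.g. WPA -> open: the evil-twin
    signature, refuse to join)."""
    prof = profiles.get(beacon.ssid)
    if prof is None:
        profiles[beacon.ssid] = Profile(beacon.security, {beacon.bssid})
        return "new"
    if prof.security != beacon.security:
        return "mismatch"
    return "trusted" if beacon.bssid in prof.bssids else "roam"

def confirm_roam(profiles: dict, beacon: Beacon) -> None:
    """Pin an extra BSSID only after the user accepts a 'roam' warning."""
    profiles[beacon.ssid].bssids.add(beacon.bssid)

def run_demo() -> list:
    """Replay a constructed scan sequence and return the verdicts in order."""
    profiles = {}
    scans = [
        Beacon("CorpWiFi", "00:11:22:33:44:01", "wpa-eap"),  # first sighting
        Beacon("CorpWiFi", "00:11:22:33:44:01", "wpa-eap"),  # same AP again
        Beacon("CorpWiFi", "00:11:22:33:44:02", "wpa-eap"),  # second AP on site
        Beacon("CorpWiFi", "de:ad:be:ef:00:01", "open"),     # open twin
    ]
    verdicts = []
    for b in scans:
        v = evaluate(profiles, b)
        if v == "roam":
            confirm_roam(profiles, b)   # stands in for the user saying yes
        verdicts.append(v)
    return verdicts
```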
