Tenable Blog

Tenable Network Security Podcast Episode 116 - "Detecting IPv6, iTunes vulnerabilities, Security is dead?"

Hosts

  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO
  • Jack Daniel, Product Manager

Announcements

New & Notable Plugins

SecurityCenter:

  • Dashboard: IPv4 Systems with IPv6 Interfaces and Addresses - You will hear many in the security industry say, "You have more IPv6 on your network than you think, in fact Windows and Linux hosts come with it enabled by default!" Now, using SecurityCenter and Nessus, you can reach out and see just how many systems on your network have an IPv6 interface. One note, I believe plugin 14788, IP Protocols Scan, requires that "Thorough checks (slow)" be enabled in your Nessus scan policy.
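As an added example (not part of the original post or of any Tenable plugin), the inventory question behind that dashboard can also be answered from host-side data: the script below parses `ip -6 addr` style output, classifies each address by scope, and lists the hosts that hold an address reachable beyond their own link. The sample output and host names are constructed.

```python
import ipaddress
import re
# Constructed sample: `ip -6 addr` output from two hypothetical hosts (not real systems).
SAMPLE_IP6_ADDR = {
    "host-a": "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
              "    inet6 2001:db8:1::10/64 scope global\n"
              "    inet6 fe80::5054:ff:fe12:3456/64 scope link\n",
    "host-b": "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
              "    inet6 fe80::5054:ff:feab:cdef/64 scope link\n",
}

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
ADDR_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)")
ULA = ipaddress.ip_network("fc00::/7")  # unique-local: routable within a site

def classify(addr: ipaddress.IPv6Address) -> str:
    # is_private is avoided: it also flags the 2001:db8::/32 documentation range.
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "unique-local" if addr in ULA else "global"

def parse_ip6_addr(text: str):
    """Yield (iface, IPv6Address, prefixlen) from `ip -6 addr` style output."""
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            yield iface, ipaddress.IPv6Address(m.group(1)), int(m.group(2))

def ipv6_exposure(hosts: dict) -> dict:
    """host -> {scope class -> sorted 'iface addr/plen'}; loopback is dropped."""
    report = {}
    for host, text in hosts.items():
        cats = {}
        for iface, addr, plen in parse_ip6_addr(text):
            cat = classify(addr)
            if cat != "loopback":
                cats.setdefault(cat, []).append(f"{iface} {addr}/{plen}")
        report[host] = {k: sorted(v) for k, v in cats.items()}
    return report

def routable_ipv6_hosts(hosts: dict) -> list:
    return sorted(h for h, c in ipv6_exposure(hosts).items()
                  if "global" in c or "unique-local" in c)
```

A host that shows only a link-local address still speaks IPv6 on its own segment, so both lists are worth reviewing against what the firewall policy assumes.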

Nessus:

  • VMSA-2012-0003: VMware VirtualCenter Update and ESX 3.5 patch update JRE - Patches to your virtual infrastructure are increasingly important. For example, I read this from the VMware website: "It [vCenter] provides unified management of all the hosts and VMs in your datacenter from a single console." I immediately put myself in the attacker's shoes, and the crosshairs would be firmly placed on the virtual infrastructure. Why compromise one host when you can compromise 10,000? In terms of priority, the backbone of your servers needs to be protected, hardened, and patched.
  • iTunes < 10.6 Multiple Vulnerabilities (uncredentialed check) - The list of CVE entries associated with this vulnerability is very long. Makes me wonder what the actual issue is with iTunes and Webkit. Apple says, "A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution." In any case, you can use Nessus to find the affected hosts using either a credentialed or uncredentialed check.

Passive Vulnerability Scanner:

  • Detection of possible Apple's iCloud service - Several PVS plugins look for potential policy violations. For example, I was trying to share a 1.37GB file with someone this week via Dropbox. Dropbox was being blocked, so the person just waited until they got home, downloaded the file, then brought it to work with them the next day. iCloud is just another service in a string of "cloud-based" applications that let you share and store files. However, if you choose to block these services, consider providing a service to your users that is similar to avoid the "sneakernet," which is much harder for PVS to monitor. (NOTE: Dropbox could be used by Spammers!)
  • Apple iOS 3.0 through 5.0.1 Multiple Vulnerabilities - I still think it's really neat that you can passively monitor your network and detect vulnerable iOS devices. My suggestion is to monitor the ingress point of your wireless network, as that is where these devices will start magically appearing.

Stories

  1. You Know What’s Dead? Security… - Hoff makes some really great points in this article: "The reality is that if we (as operators) are constrained to passive defense and are expected to score progress in terms of moving the defensive line forward versus holding ground, albeit with collateral damage, then yes…we’re losing." Also, many believe that we are "losing" just because security breaches are in the news all the time. This is a very poor measure of the overall security of every organization on the planet. Instead, it could mean that more people are attacking us. It could also mean that more people are using technology and have fallen into the "I can be attacked over the Internet" category. More businesses are on the Internet. More people carry technology with them, and information is easier than ever to share, and lose. So, before you go proclaiming that we are "losing," try to think about all the factors.
  2. Proper Equipment Disposal - This article goes through some of the SCADA devices that were purchased online, for a fraction of the price, and what information can be gathered from them. Reid Wightman has several success stories in this area. He was able to obtain line protection units used by electrical companies, complete with their external IP addresses still on the flash memory, substation names, addresses, and more. Reid explains the difficulties of wiping data from embedded systems using the following example: "One network switch that I tinkered with stored the administrator password in plaintext, and if the password was blanked, the first byte of the storage location in memory was literally just overwritten with a single 0. So if the original password was ‘password,’ that location would have 0x00, followed by ‘assword’ when a reset was performed."
  3. Support, Technical - I love these images that describe what people do. Basically, if you are in tech support, your friends think you use a multi-meter all day, your Mom thinks you are a Nobel prize-winning scientist, you think you are an engineer for the Starship Enterprise, your boss thinks you sleep all day, society thinks it's just like the "IT Crowd," and what you actually do? Google searches. Brilliant!
  4. Cisco Zine: Cisco Linksys WAG54GS CSRF Change Admin Password - The exploit is simple: Put this HTML code on a website and get people to visit the page. When they load the HTML, their password will be changed. Of course, a better usage of this exploit would be to change the DNS servers. Don't forget, while I have not tested this particular exploit, typically it requires that either the user be logged into their router while visiting the malicious page or that you have a default password set on your router. So, again, keep your embedded devices up-to-date on firmware and change the default passwords. In reality, I see organizations and individuals struggle to do this on a regular basis.
  5. Five ways to protect yourself from Wi-Fi honeypots - First, for all of those reading this in the press lately, this appears to be a heavily modified Wi-Fi attack based on Karma. For those that may not know, Karma works on a very limited number of devices, as its original intention was to exploit Windows systems which have since been patched. There are some variations. However, the success rate of this style of attack is now very limited. Of course, you can always just bank on the fact that you are broadcasting "free Wi-Fi" and people will join, which likely has a higher degree of success. Some of the defensive recommendations could use some clarification, such as turning off your Wi-Fi and using 3G or 4G. That may work for a little while, but some day, you will see a similar device that works with those protocols as well. Except it won't be in the news because of the regulations surrounding reverse engineering 3G and 4G and the FCC. While you should avoid open wireless networks, it doesn't mean that a WPA network cannot be malicious (don't forget, for WPA PSK, all users still share the same key). I think the real problem is that your computer trusts Wi-Fi networks based on SSID. All it would need to do in order to reduce these attacks is remember an SSID and BSSID (the MAC address of the wireless interface used by the access point). Of course, there would need to be a warning if it changed, which users would ignore, and roaming could be difficult.
  6. Playing with Network Layers to Bypass Firewalls' Filtering Policy - This was a talk at the CanSecWest conference and covers how attackers could exploit some of the "smart" firewalls to bypass rules. Slides and example videos can be found in this post, as well as some fixes for the problem.
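The SSID-plus-BSSID idea in story 5 sketched as a trust-on-first-use pin store, added here as an example and not code from the original post or from any client software. The network names and MAC addresses are constructed; the roaming problem the author raises is handled by letting the user explicitly extend a pin to a second BSSID rather than auto-accepting it.

```python
# Constructed (SSID, BSSID) pairs as a client might observe them; none are real networks.
OBSERVATIONS = [
    ("CorpWiFi", "00:11:22:33:44:01"),    # first contact: pinned on trust-on-first-use
    ("CorpWiFi", "00:11:22:33:44:02"),    # second AP of the same ESS, seen while roaming
    ("CorpWiFi", "DE:AD:BE:EF:00:01"),    # unknown radio advertising the pinned SSID
    ("CoffeeShop", "aa:bb:cc:dd:ee:01"),  # a different SSID: new pin, not a mismatch
]

class SsidPinStore:
    """Trust-on-first-use map of SSID -> set of BSSIDs the client has accepted."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def _norm(bssid: str) -> str:
        return bssid.strip().lower()

    def check(self, ssid: str, bssid: str) -> str:
        """Return 'new-network' (SSID pinned now), 'known', or 'bssid-mismatch'.
        A mismatch is never auto-pinned; the user has to call trust() explicitly."""
        bssid = self._norm(bssid)
        if ssid not in self.pins:
            self.pins[ssid] = {bssid}
            return "new-network"
        return "known" if bssid in self.pins[ssid] else "bssid-mismatch"

    def trust(self, ssid: str, bssid: str) -> None:
        """Extend the pin set, e.g. after the user confirms a roaming AP is legitimate."""
        self.pins.setdefault(ssid, set()).add(self._norm(bssid))

def run_sample() -> list:
    """Replay OBSERVATIONS, then show that a confirmed roaming AP stops alarming
    while the unknown radio with the same SSID still does."""
    store = SsidPinStore()
    verdicts = [store.check(s, b) for s, b in OBSERVATIONS]
    store.trust("CorpWiFi", "00:11:22:33:44:02")
    verdicts.append(store.check("CorpWiFi", "00:11:22:33:44:02"))
    verdicts.append(store.check("CorpWiFi", "de:ad:be:ef:00:01"))
    return verdicts
```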
