Welcome to the Tenable Network Security Podcast Episode 122
New & Notable Plugins
- Intuit QuickBooks Help System Multiple Vulnerabilities - QuickBooks contains sensitive information, such as financials and potentially employee/contractor SSNs. Ensuring this software is patched and up to date is extremely important.
- Juniper Junos CPU Utilization Denial of Service - This vulnerability is a bit scary for me, as it could be triggered by non-malicious users. Sending data to an HTTP port is an activity which may not look suspicious; however, I've seen cases where this DoS condition can be triggered by a scanner, monitoring tool, or even an end user.
- Juniper SSH TACACS+ Incorrect Permissions - One of the first papers I wrote on security was on the subject of configuring TACACS+. I have to say, it's not a simple task, and there are many options, some of which could lead to either locking users out of a device or giving people too much access. This is a bug in the configuration, which could further complicate things.
Passive Vulnerability Scanner (PVS)
- Skype client detection - Skype just fixed a bug in the API which allows anyone to map a Skype username to an IP address. Vulnerabilities such as this, in addition to potential bandwidth consumption, are reasons to limit usage of this software in your environment.
- Rockwell Automation Service Detection - Rockwell is a popular manufacturer of SCADA devices. Nice to see PVS adding signatures. Not only is it a great way to monitor sensitive equipment, it helps raise awareness of security issues.
SecurityCenter Report Templates
- Software Inventory - I think it's great you can work with this level of information and use it to detect policy violations.
- Netstat Active Connections - Yet another great component. Not only can you see what software is installed, but which connections are being made. I see this being used to monitor in real time, as well as a vital piece of information when doing incident response.
- Exploits By Platform - Great view of the percentage of exploitable vulnerabilities and which exploit frameworks contain them.
- How To Hide From Face-Detection Software - "...here's what you might wanna wear to a party this weekend: A funny hat, asymmetrical glasses, a tuft of hair that dangles off your nose bridge and, most likely, a black-and-white triangle taped to your cheekbone." And why you might ask? To hide yourself from surveillance cameras, of course! A researcher from New York University is working on ways to hide your face from cameras. This could be a way to protect your privacy or evade detection to commit crimes. The current methods have you, well, looking like a futuristic warrior from your favorite Sci-Fi flick. Other than Halloween, it's not very practical. However, the researcher is "trying to come up with a hat that will look cool and still could conceal his identity - at least from the computers."
- Skype divulges user IP addresses - The H Security: News and Features - Using the Skype API, you can enter a username of someone using Skype and it will report back an IP address.
- NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without Account - "NfSpy is a FUSE filesystem written in Python that automatically changes UID and GID to give you full access to any file on an NFS share. Use it to mount an NFS export and act as the owner of every file and directory." That's really neat! I always look for open NFS and SMB shares on the network when doing a penetration test, as it could yield some interesting data. This tool takes it a step further and gives you full access.
- Who's tracking phone calls that target your computer? Stay Tuned to the ISC - This is yet another account of social engineering: Someone calls pretending to be from Microsoft, tells you you're infected with malware, then directs you to install their malware. The question being posed is just how frequent this attack is. I'm not certain how it scales, or how easy/difficult it would be to track down and defend against. A blanket warning to all computer users to "never install software from strangers" might help protect people, but who would listen?
- Nissan Confirms Cyber Attack and Network Breach - "Nissan believes that no sensitive customer, employee or proprietary data was compromised, but acknowledged that some account login credentials may have been exfiltrated." First, I think it's okay to keep a breach private for 7-10 days while you perform incident response. You just don't need that level of headache until you have all the facts. Furthermore, I want to know what techniques you are using to determine which data was accessed and if it was transmitted out of the organization. Is this a digital forensics issue? Do you look at the file system and see which files were accessed? Network logs? How do you know your data wasn't encrypted going out?
- Vulnerability Management Evolution: Evolution or Revolution? - Some great tips in this article, such as "Start by revisiting your requirements, both short and long term. Be particularly sensitive to how your adversaries’ tactics are changing." I find a lot of people overlook this step or don't put in enough thought behind it. The products you use should align with the goals of your department and overall with your organization.
- Google staff knew for years about Street View data breach - Is this information public already, and therefore not a big deal, or is Google being evil?
- Inception | Break & Enter - If you need to unlock a system, Windows or Linux, this is the tool for you. Provided there is a Firewire port, you can gain direct access to memory and unlock a system.
- CVSS – Vulnerability Scoring Gone Wrong « Neohapsis Labs - Some great points in this article on how to use CVSS: "Nobody cares that the distance between goal lines on an American football field is 3600 inches. Why? Because it is a useless unit of measurement when we are talking about football. Nobody cares if someone has made 2 inches of progress on the field, as yards are the only thing that matters. Similarly, what is an organization supposed to take away from a CVSS score that can take on 100 potential values? Is a 7.2 any better than a 7.3 when it comes down to whether someone is deciding to fix something or not?" He also talks about using CVSS data to determine High, Medium, and Low severity, pointing out that your vulnerabilities could all be 6.9 while 7 or above is a high severity, and you are only fixing high vulns. It's a good idea to create some queries, dashboards, and report filters and look at your CVSS scoring in different ways to gauge risk and prioritize.
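One way to look at CVSS scoring "in different ways", as an added example that is not from the podcast notes or the Neohapsis article: it buckets findings with the 7.0 High cutoff from the article's example and then reports what a "High only" fix policy leaves just under the line. The findings are constructed sample data, and the 4.0 Medium boundary and 0.5 margin are assumptions.

```python
from collections import Counter

# Constructed sample findings (name, CVSS base score); not real scan output.
FINDINGS = [
    ("finding-01", 9.3), ("finding-02", 7.5), ("finding-03", 6.9),
    ("finding-04", 6.9), ("finding-05", 6.8), ("finding-06", 6.5),
    ("finding-07", 5.0), ("finding-08", 4.3), ("finding-09", 2.1),
]

HIGH_CUTOFF = 7.0    # "7 or above is a high severity", as in the article's example
MEDIUM_CUTOFF = 4.0  # assumption: NVD's CVSS v2 Medium range starts at 4.0


def severity(score):
    """Map a base score to the three-level label most reports filter on."""
    if score >= HIGH_CUTOFF:
        return "High"
    if score >= MEDIUM_CUTOFF:
        return "Medium"
    return "Low"


def severity_counts(findings):
    """Count findings per label, the view a High/Medium/Low dashboard shows."""
    return Counter(severity(score) for _, score in findings)


def near_misses(findings, cutoff=HIGH_CUTOFF, margin=0.5):
    """Findings within `margin` below the cutoff, highest score first."""
    hits = [(name, s) for name, s in findings if cutoff - margin <= s < cutoff]
    return sorted(hits, key=lambda f: f[1], reverse=True)


def high_only_coverage(findings, margin=0.5):
    """Compare what a 'fix High only' policy remediates with what sits just under it."""
    fixed = sum(1 for _, s in findings if s >= HIGH_CUTOFF)
    missed = len(near_misses(findings, margin=margin))
    total = fixed + missed
    ratio = round(missed / total, 2) if total else 0.0
    return {"fixed": fixed, "near_miss": missed, "hidden_ratio": ratio}


if __name__ == "__main__":
    print(dict(severity_counts(FINDINGS)))
    print(near_misses(FINDINGS))
    print(high_only_coverage(FINDINGS))
```
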