Tenable Network Security Podcast Episode 143 - "SSL Monitoring, Good Security Habits"

Announcements

• The key to campus network security: Better risk management
• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

New & Notable Plugins

Nessus

• Patch Management: Tivoli Endpoint Manager Report
• SSL Compression Methods Supported
• TLS Next Protocols Supported
• RuggedCom Known Hardcoded SSL RSA Private Key
• ISC BIND 9 DNS RDATA Handling DoS
• TLS CRIME Vulnerability
• Firefox 16.x < 16.0.1 Multiple Vulnerabilities
• Mozilla Thunderbird 16.x < 16.0.1 Multiple Vulnerabilities
• SeaMonkey 2.13.x < 2.13.1 Multiple Vulnerabilities
• Oracle Java SE Multiple Vulnerabilities (October 2012 CPU)
• Mac OS X : Java for Mac OS X 10.6 Update 11
• MySQL 5.5 < 5.5.28 Multiple Vulnerabilities

Passive Vulnerability Scanner

• Mozilla Firefox 15.x <= 15 Multiple Vulnerabilities
• Mozilla SeaMonkey 2.x < 2.13 Multiple Vulnerabilities
• Mozilla Thunderbird 15.x <= 15 Multiple Vulnerabilities
• BigFix Server Detection
• MySQL Server 5.5.x <= 5.5.27 / 5.1.x <= 5.1.65 Multiple Unspecified Vulnerabilities

Compliance Checks

Nessus ProfessionalFeed and SecurityCenter customers can download compliance checks from the Tenable Support Portal.

• Tenable Network Security: New DISA STIG MS Office 2010 Audit...

Stories

1. Five Habits of Companies That Catch Insiders - I guess this is all we need to do to be "secure": "The most effective companies identified their important data, established strong ties with employees, spearheaded cross-disciplinary security efforts, and enforced policy with technology, states the report, released today." Sounds easy, right?
2. Apple banishes Java from Mac browsers - I just had to laugh when I read this: "Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37. This update uninstalls the Apple-provided Java applet plug-in from all web browsers."
3. Android apps get SSL wrong, expose personal data - This comes as no surprise as developers rush to get apps out the door and how low the barrier to entry is with Android apps: "Examples given by the researchers including apps that are instructed to trust all certificates presented to them (21 of 100 apps selected for a MITM test); 20 of the MITM-tested apps were configured to accept certificates regardless of its associated hostname (for example, an app connecting to PayPal would accept a certificate from another domain). Other issues included SSL stripping and “lazy” SSL implementations." I wonder how well Apple iOS apps would do?
4. 5 to-dos to maintain reputation after cyberattack | ZDNet - Tips include making sure you beat the media to the punch and be in control of the messages the public receives. Not always an easy thing to do as releasing information can be damaging to your reputation. Also, tailor your messages to different audiences, don't delay your apologies, be open and honest, and help your customers deal with the repercussions. Coincidentally, this is all good relationship advice, especially if you've done something "bad."
5. Lack of skilled security pros challenges CISOs to fill specialties - A dwindling talent pool is to blame for so few skilled IT security professionals, with the top 3 positions being: Cyber security analyst, Cyber security engineer, and Software engineer. Although I don't agree with this statement: "This talent market nearly causes you to not consider opening a new position when you may ordinarily need to. Instead you find other ways to get it done,” I believe security will fail if you "just try to get it done." In fact, that's true with many things in IT, you have to do it right or it will have a tendency to fail.
6. Pass the Hash w/o Metasploit - Part 2 - Blog - Room362.com - Really neat article on how to use the Metasploit libraries to eventually create a portable binary that will help you accomplish tasks, such as passing the hash on Windows. This makes small, useful, and somewhat evil utilities easy to port around on systems, but also runs the risk of getting caught by anti-virus signatures. However, there are several tricks to evading, and it typically only takes a few tries to bypass AV. The real kicker is that few are checking the AV logs to see how many times people are trying.