Welcome to the Tenable Network Security Podcast Episode 146
New & Notable Plugins
Passive Vulnerability Scanner
Compliance Audit Checks
- Hack.me – Build, Host & Share Vulnerable Web Application Code - Looks like a pretty neat free service to let you practice web application scanning. I cannot stress this enough, the best way to learn how to find web application vulnerabilities is just to dive in and do it. Practice makes (almost) perfect. While applications are very different, the techniques to find vulnerabilities only vary slightly.
- Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines - Don't go running to pull all of your systems and applications out of the cloud just yet. This represents a highly-sophisticated attack at the moment, but one you should be aware of if you're using cloud services and/or virtualization, which at this point, is everyone.
- Apple's iOS 6.0.1 still has Wi-Fi bugs - The real kicker here is that if you don't upgrade to 6.0.1, you'll miss out on security fixes. If you do upgrade, you may experience severe problems with your Wi-Fi. Try to be secure all you want, function will win over security every time.
- Cisco TACACS+ Authentication Bypass - It's always fun to actually dig into the details of a given vulnerability to see what it's all about. If it's your job to evaluate risk of the vulnerabilities affecting your organization, you've got a heavy dose of reading to do on a regular basis. I dug into this one and found that if you're using TACACS+ in conjunction with LDAP on Cisco ACS platform, an attacker can do this: "…exploit this vulnerability by sending a special sequence of characters when prompted for the user password." That means there's a "magic" password. Any guesses as to what that value could be? 1-2-3-4 anyone?
- Is AV Dead? - "I just think it's lazy developers." This is a very light-hearted look at the problem of AV software and a bit about malware. "The world isn't just black and white anymore. But it's all binary…"
- One in four don't clean their stinky old browsers - especially Firefoxers - Keep in mind where the study comes from: "The statistics were drawn from the web usage patterns of 10 million randomly selected Kaspersky Lab consumer customers worldwide, collected during August 2012. The data from business customers does not feature in the study." Your job this holiday season is to convert grandma from Firefox to Chrome and teach her how to keep it updated...
- Antivirus Firm Founder John McAfee Accused of Murder, Says He's Innocent - I couldn't not talk about this story, it's the headline of the week for sure. Seems like John is a pretty eccentric guy, and I'm not sure you can believe everything you hear about this story as the facts change daily. However, sounds like he has a chemistry hobby that got out of control...
- A history of hacking: Documentary captures essence of Def Con - Can't wait to see this one, the culture of hackers always makes for great fun!
- Microsoft Updates November 2012 - IE, Kernel+Shell, and .NET Critical Patches - Microsoft updates this week, as usual, get patching…All plugins for the vulnerabilities are in the plugin feed.