Tenable Network Security Podcast - Episode 16

Welcome to the Tenable Network Security Podcast - Episode 16

Announcements

• A new blog post has been released that covers the December Microsoft Patch Tuesday roundup. In it we analyze some of the wording, details, and software vulnerabilities released in the December security bulletins from Microsoft.
• Hotfix02 for Security Center 3.4.5 has been released and addresses several small bug fixes. Customers can download the update from the Tenable support portal.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

George Theall heads up Tenable's Research group and shares with us some interesting thoughts about vulnerabilities, Nessus plugins, and more!

Stories

• Metasploit Project New Releases: Airpwn added - I wanted to use this story as a talking point to underscore a type of attack that not too many people know about. It debuted at Defcon years ago and is still a perfectly valid attack vector on open wireless networks. It allows an attacker to insert content into data streams using raw 802.11 frames. I've demonstrated this attack at conferences in the past, and had HTML code running on 50 people's browsers within a few minutes. The fix, use WPA!
• Adobe Flash Security Perspectives -Adobe, like Microsoft and other popular technologies, gets hit hard by attackers and many vulnerabilities are exposed as a result. This article covers both sides of the story, and offers some hope for Adobe as they realize that the popularity of their software has grown, and so should their security program and software development lifecycle.
• Be careful what you post online! - Employees, potential employees, and employers really need to take a hard look at what's being exposed through social networking sites. I'm not suggesting that companies "spy" on employees or potential employees, but to monitor what is available publicly.
• Cloud Security Public Announcement From Chris Hoff - If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.
• Thunderbird 3.0 Released - While I'm not an earlier adopter of new software versions, it appears that version 3.0 of Thunderbird also fixes some newly discovered vulnerabilities. I'm still adjusting to the new features, but did perform the upgrade so that I could take advantage of any security fixes as well.