
Tenable Blog

Subscribe

Tenable Network Security Podcast - Episode 22

Welcome to the Tenable Network Security Podcast - Episode 22

Announcements


Interview: Ron Gula - Security Center Version 4

Tenable CEO Ron Gula and I discuss the features of Security Center 4 in more detail, including dashboards, alerting, and reporting.

Stories

  • ShmooCon: P2P Snoopers Know What's In Your Wallet - While many associate P2P networks with the trafficking of illegally downloaded copyrighted material, such as movies and music, researchers have uncovered that other valuable information is also being shared. Most likely unbeknownst to the user, sensitive information such as tax documents, personal cell phone numbers, and information about an informant who wanted to help U.S. forces in Iraq has been shared. Special tools are being used to search through files being shared on common P2P networks. Having used some of these tools myself to test out this process, I can say that this is a scary thing. Depending on how well the search engines are indexing data, this could be used in a targeted attack. I would suggest making sure this software is not in use in your environment, and using credentialed checks to look for sensitive information in places where it should not be. However, an employee who uses this software from home could expose sensitive information even though you have put defensive measures in place on the corporate network. This is where user education becomes key to protecting your company's information.
  • Microsoft Scheduled To Fix 26 Vulnerabilities - Patches will include fixes for a local privilege escalation exploit that uses a 17-year-old vulnerability in the Virtual DOS Machine. Patches for a new vulnerability discovered in Internet Explorer will not be released (but workarounds are available), and a DoS vulnerability in Windows 7 and Windows Server 2008 will also remain unpatched.
  • Verizon MiFi - Authentication & Security Matter - The Verizon MiFi is a small, compact device that provides your devices with a WiFi connection, then routes your connection over the Verizon cellular Internet. As a convenience, this device is pretty neat, as you can have multiple devices (for example, a cell phone and a laptop) communicating over WiFi and accessing the Internet. However, the web interface suffers from a problem where certain CGI scripts bypass authentication. This means an attacker on the wireless network can send requests, without any authentication, and re-configure the router. You may be wondering just how secure the wireless networking is on the MiFi. Going from "bad" to "worse", Josh Wright has an article posted showcasing how the default WPA passwords can be guessed, and accelerating the process using a CUDA device (a password brute force method that uses the computing power found on graphics cards).
  • Who Should Infosec Report To? - I've been in this position many times, working as a security professional and being moved around within IT, outside of IT, etc. One point I would like to make is that if you are to separate operational security from just plain security, you need the appropriate level of staff. By level, I mean number of employees and skill level. For example, the networking team needs someone who can manage firewalls, intrusion detection systems, log analysis systems, etc. The systems administrators need someone who can also review logs, implement desktop defenses, and apply patches. There need to be security-minded people in the IT department, people with security in their title, and people who, and this is a big one, are held accountable for security breaches. I'm not saying fire people, but security should be part of their jobs. This leaves the security department to focus on strategy, vulnerability scanning and management, penetration testing, policy, procedures, and incident response. So, I do agree with the points Dave Shackleford makes in this article, but certain things need to be in place in order to have this separation. Otherwise, you've got security in one corner saying, "We need security!", and IT saying, "We don't have time for that security stuff".
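The MiFi story above describes the classic embedded-web-interface failure: each CGI script checks authentication on its own, so one script that forgets the check lets unauthenticated clients change the configuration. The following is an added illustration written for this post, not code from the MiFi or from Tenable; the admin handlers, routes and session token are constructed stand-ins. It contrasts the per-script pattern with a dispatcher that denies by default, so a forgotten check no longer exposes a configuration change.

```python
"""Constructed model of a router admin interface (not the MiFi's real code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ADMIN_SESSION = "constructed-admin-session"   # stand-in for a real login session

@dataclass
class Request:
    path: str
    session: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)

def authenticated(req: Request) -> bool:
    return req.session == ADMIN_SESSION

# --- Vulnerable pattern: every CGI script is trusted to check auth itself ---
def status_cgi(req: Request, cfg: dict) -> Tuple[int, str]:
    if not authenticated(req):
        return 401, "login required"
    return 200, f"ssid={cfg['ssid']}"

def set_ssid_cgi(req: Request, cfg: dict) -> Tuple[int, str]:
    # The author of this script forgot the check: anyone on the WLAN can reconfigure.
    cfg["ssid"] = req.params.get("ssid", cfg["ssid"])
    return 200, "ok"

ROUTES: Dict[str, Callable[[Request, dict], Tuple[int, str]]] = {
    "/cgi-bin/status.cgi": status_cgi,
    "/cgi-bin/set_ssid.cgi": set_ssid_cgi,
}

def vulnerable_dispatch(req: Request, cfg: dict) -> Tuple[int, str]:
    handler = ROUTES.get(req.path)
    return handler(req, cfg) if handler else (404, "not found")

# --- Hardened pattern: authentication enforced once, before any script runs ---
PUBLIC_ROUTES = {"/cgi-bin/login.cgi"}   # explicit allow-list; everything else needs a session

def hardened_dispatch(req: Request, cfg: dict) -> Tuple[int, str]:
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path not in PUBLIC_ROUTES and not authenticated(req):
        return 401, "login required"   # the forgotten per-script check no longer matters
    return handler(req, cfg)
```

In a real device the same idea is usually applied by the web server or a front-end wrapper around the CGI directory, so a newly added script is protected without its author remembering to add anything.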
