Welcome to the Tenable Network Security Podcast - Episode 35
Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst
- Several new blog posts have been published this week, including:
- New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
- Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
- We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
- You can subscribe to the Tenable Network Security Podcast on iTunes!
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!
- Reclaim Your Privacy? - There is no question that some people share way too much information on Facebook. Social networking is so popular that attacks and penetration testers alike are using it for information gathering and social engineering when attacking an organization. The techniques are quite useful and often very successful. One good example is to guess or brute force user passwords (for example, I can view a user's Facebook page, obtain the name of your dog, and try that as your password). It sounds too easy, but unfortunately for the security of enterprise networks, it works. The site linked here claims to help Facebook users with their privacy settings. Now, this could be completely legitimate, but in the words of Admiral Ackbar, "it could be a trap!" Don't trust programs or web sites that claim to check your computer settings or Facebook settings as you could unknowingly be allowing an attacker access to your information.
- Fun With Printers - Part 3 - If there is one thing I love, its printer hacking! This three-part blog post (See Part 1, and Part 2) details how to use printers to steal documents being printed, use printers as relays for idle port scanning, and a complete re-write of the Hijetter tool that allows you to send commands to the printer using PJL and upload files. It's nice to see some focus on this and I can't wait to test out these new tools. Printers are one of those device types that no one pays attention to, but should be part of your overall security program.
- Analyzing MIT Wireless Traffic - I think it's really neat that MIT showed this particular student the proper way to obtain permission and analyze traffic. I really like the use of simple command line tools to gather network traffic information. You can gain great insight into your network and find out all sorts of information, even security related, just by reviewing the layer 3 protocol information.
- Default Database Passwords Still In Use - Default passwords really annoy me and I can't understand why they are still in use! Especially when it comes to databases... why not just let the database admin choose a password that isn't the default?
- FBI seizes $143 million of fake Cisco hardware - I have a growing concern that while we are all so concerned with software security, it may be the case that hardware is now being compromised. This may be the case with fake Cisco hardware originating from China. You may not be able to tell that that brand new router is a fake until it's too late. If you place it in your network, what if under the covers it is compromised and uses a backdoor to re-route traffic or letting attackers connect remotely? This is scary, especially because it falls outside the scope of many security programs.
- Why compliance is chosen over security - I believe that compliance and security is a delicate balance. Let's not forget about making good business decisions either!