Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Network Security Podcast - Episode 41

Welcome to the Tenable Network Security Podcast - Episode 41

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements


Stories

  • Social Security Number Format - Some interesting information about the Social Security number. I think it's important for us, meaning security professionals, to understand how the number is used, formatted, and what the numbers mean. For example, the first three digits of the SSN indicate in which state your card was issued (for the most part) and the last four are used for many things, so deductive reasoning and some guessing could lead to your SSN being "cracked".
  • CiscoWorks TFTP directory traversal exploit - This is a good example why you should take the vendor's description and impact of a vulnerability with a grain of salt (or maybe a whole box of salt). Cisco says, "A successful exploitation of this vulnerability may allow an attacker unauthorized access to view or modify application and host operating system files. Modification of some system files could result in a denial of service condition." The blog post linked to above tells a different story, and shows how to remotely upload files to gain remote command execution. If this is your CiscoWorks server, it means the attacker can control the devices on your network that are reporting to it, including obtaining management keys (SSH/Telnet/SNMP).
  • Stored XSS Vulnerability on YouTube - Stored XSS (or persistent XSS) is worrisome for a few, ignored by many, and deadly for attackers. The ability to execute code in someone's browser in the context of a site they "trust" is very powerful. Dave Kennedy has developed some code that allows you to include a Java applet that runs executables on a person's system and finds it very successful when penetration testing.
  • Tabnapping Attack On The Increase - This is a really neat attack that takes advantage of tabs in most browsers. Tabs are awesome, but in this case are being used against the user, mostly to steal credentials.
  • Stego beats NSA detection - Pretty neat story of Russian spies getting caught (I mean, anything with Russian spies is fun stuff ala James Bond!). Turns out they were using information hidden in images (steganography) to hide information.
  • Adobe's protection against embedded scripts incomplete - Apparently double quotes can be used to bypass the checks put in place by Adobe to prevent script execution.

Download Tenable Podcast Episode 41

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.