Tenable Network Security Podcast - Episode 45
Welcome to the Tenable Network Security Podcast - Episode 45
Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst
Announcements
- Several new blog posts have been published this week, including:
- The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
- Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
- We're hiring! - Visit the web site for more information about open positions. There are currently 10 open positions listed:
- You can subscribe to the Tenable Network Security Podcast on iTunes!
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!
Stories
- Crack The Hashes! - There are several tools available to crack hashes, including John The Ripper and Ophcrack. This new tool called "Hashcat" looks really nice! It's able to crack multiple hashes (MD5, SHA, MySQL, NTLM, etc.), is multi-threaded, and claims a high rate of password cracking. I think it's important to note that someone could easily buy a fast server "in the cloud" and use this software to crack lots of passwords, lowing the time and cost associated with password cracking. This should cause you to implement more and better defenses than just an MD5 hashes password protecting your database. Don't forget to check out oclHashcat which uses graphics cards' CPU to crack the passwords!
- Tinkering With Registry Allows LNK Patch to install on XP SP2 - Neat little trick! Of course, you could just install SP3...
- Windows Kernel Bug 0-Day - Exploitable? - I tend not to base my risk decision too much on the "exploitability" factor. The truth is there could be people out there with the knowledge and skills to exploit a vulnerability that most are saying is next to impossible to exploit. Also, maybe they are just stringing us along and really do have a working exploit. In any case, if there is a bug or vulnerability, it should be patched. If patches break things, well, you should test them first. If you run software that is easily broken by a patch, then you should buy new software because there is a greater risk (and cost) of running bad software to run your business then there is that it will be exploited.
- "Smartphone Security" - First, what the heck is a smart phone? I heard someone ask the question earlier today, and I began to think about that it really was. At the end of the day, a smartphone a computer with a cell phone built-in. I mean, its clunky to carry around a laptop and hold it to your ear to talk, so they just made them smaller. In all facets, it's just a small computer. In that sense, it should come as no surprise that it will be attacked just like your computer. Chris Wysopal stated that smartphones are now at the point the PC was in 1999. Amen brother, this is just the beginning.
- Auditing your Kiosks - iKat is a great tool to audit your Internet terminals and Kiosks. It's a web site that you browse to when using a kiosk and provides several different ways to break-out of the kiosk environment and get to the operating system. The new version adds some features, such as newer exploits, Silverlight, and an "emo-kiosking" which crashes the kiosk in an attempt to break out. I suggest that organizations use this tool in your lab to test how difficult (or easy) it would be for someone to walk up to one of these machines and install malware on it or use it to attack the rest of the network.
- Fuzzing Barcode Readers With LED - This is so cool: "The LED is turned on for sections of the barcode that should be white (this simulates reflected light), and off for black sections of the barcode (very little reflected light)." It could be a really neat kind of attack if you could create a barcode that were to inject malicious code into the system. You could create barcodes and stick them anywhere, hoping to get your code to run!
Related Articles
NIST Cybersecurity Framework Adopted by Thirty Percent of US Organizations
February 18, 2016In the February 18, 2016 Risky Business podcast, Cris Thomas speaks with Patrick Gray about the NIST Cybersecurity Framework. Gartner recently announced that 30% of all US organizations - both public...
Tenable Network Security Podcast Episode 206 - "PCI, Breaches and more!"
September 15, 2014
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Podcast