Tenable Network Security Podcast - Episode 54

Welcome to the Tenable Network Security Podcast - Episode 54

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Continuous SSL Certificate Monitoring - not just for HTTPS
  • Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition
• Be certain to check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.
• We're hiring! - Visit the web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• "The Evil Maid Attack" - Here's the scenario: you've left your laptop in your hotel room while you went out around town, to a conference or out to dinner. Because you know that there are attacks that can use the Firewire bus to steal your hard disk encryption keys, you've powered down your laptop. An evil maid comes in, plugs in a USB thumb drive with special code on it, powers up your laptop and infects it with malware. The next time you log onto the system and enter your password to decrypt the drive, the malware records it and stores it to disk or sends it to the attacker. The next day or at some point in the future, the attacker can steal your laptop and now has the code to decrypt your drive. Moral of the story: never leave your laptop in the hotel room unattended.


• Half Of UK Homes Have Open Wifi - A study was conducted to seek out just how bad the security of wireless networks is in the UK. They found that just about half the homes in the UK had open access points or used WEP to protect their networks. I just want to point out that as if WEP wasn't bad enough, there are several ways in which to crack it today that are vendor or implementation specific. For example, Verizon FIOS, the Neesus Datacom 21-bit attack, and aircrack PTW. Despite these attacks, you can still find manufacturers using WEP by default, unless smart users re-configure their routers to use WPA. Even WPA-PSK with a long random passphrase is adequate to stop most attackers from accessing your wireless network. Why isn't that the default?


• India's Operating System - As to not rely on Western technology, India has decided to write its own operating system. Good luck with that. Microsoft has been at it for a while now, and just fixed 49 security vulnerabilities. I think operating systems are like encryption; anyone who tries to write one themselves will suffer enormous security problems because it will be largely untested. Also, I'd hardly call Linux "Western" technology.


• Do we really know what we're doing? - I find this Fishnet Security study to be compelling. Let's look at some of the data that was collected. For example, the top security concerns according to the survey are: mobile computing 69%, social networks 68%, and Cloud computing platforms 35%. Now, let's take a look at the spending percentages, which are firewalls 45%, antivirus 39%, authentication or anti-malware 31%. Hrm, something doesn't add up here! I'm not saying ditch your firewalls, but you have to adapt to the ever-changing threat. Just what does that mean? It means different things to different organizations. For some, it may mean outsourcing your firewall management and maintenance. For others, it may mean not upgrading your firewalls this year. Security needs to be tuned for your needs according to the current threats, not attacks from 1990.


• Facebook to issue one-time passwords - When I read the title, I thought this was a great idea! One-time passwords could work to help solve the user security problem. For example, it's really hard to stop an attacker from getting on a system and installing a keystroke logger and stealing the user's password. If the password is only valid for a short period of time, this greatly limits the risk. However, sending it via TXT message to your cell phone is not such a great idea. What if your cell phone is compromised?


• Newer operating systems are more secure? - Not sure if I'm buying this one, but statistics from Microsoft show that new operating systems such as Vista and Windows 7 have lower infection rates. I think it's just because XP is still more popular in terms of number of seats and attackers have tried and true exploits for them. It will take some time for attackers to catch up and get around to creating exploits that work well on the new platforms and bypass the new security measures.