Tenable Network Security Podcast - Episode 85

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

Stories

• RSA finally comes clean: SecurID is compromised - It turns out to be true: attackers possess the seed values for the tokens and the encryption algorithm is already public. RSA says they withheld the information because they did not want to tell attackers how to implement attacks, but it turns out evil bad guys figured it out and used it to attack Lockheed Martin. RSA is now offering to replace all 40 million+ SecurID tokens worldwide. Ouch. This is a breach that cost RSA dearly, in terms of money and reputation.

• Detecting New Hardware by Ethernet Address - Detecting new hosts that have connected to your network can provide some interesting events to analyze. For example, if all of a sudden you have 30 new hosts on your servers' subnet, there may be something wrong, such as one host impersonating multiple systems or other layer 2 attacks.
• Chinese army: We really need to get into cyber warfare - I believe China gets blamed for a lot of attacks, both "cyber" and real-world. I also believe they are putting massive efforts into "cyber warfare"; whatever that means to you, they are most certainly directing attention to techniques that use computers and networks as a part of "warfare". They claim to be much farther behind than most believe, stating "Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations."
• Apple iOS: Why it's the most secure OS, period - Their reasons are far over-stated, almost as if Apple wrote this article themselves! They list five reasons why iOS is more secure than most desktop applications, and they are less than compelling (in my opinion anyhow):
• A sandbox isolates programs and iOS's memory - Okay, this may be the one thing that actually does contribute to a more secure platform. However, desktop operating systems have had similar protections (DEP, ASLR) for quite some time now. It's clear that mobile platforms are still playing catch up.
• Applications are vetted by Apple - Apple must have some serious resources dedicated to reviewing code. Even so, there is a fundamental problem with this: once an application is vetted, the code can change and updates to apps will modify the function of the app. For example, a perfectly legitimate Flashlight app may allow tethering. Sure, Apple may find it, but only after thousands of people install it. And really, how do you control what 425,000 apps are doing?
• Patches can be quickly applied - While patches can be released, there is nothing forcing the user to apply them. In fact, many people report that "non-techie" iPhone users never apply iOS updates, or even plug the phone into the computer.
• The software is regularly reviewed - Review all you want, there will still be vulnerabilities.
• Attackers still target smartphones far less than desktop systems - This has to be the most ridiculous part of the article. It's like saying, "No one breaks into the homes in my neighborhood, so I leave my doors unlocked and windows open".

• So why are senior U.S. officials using Gmail? - Turns out this problem is twofold: 1) many government agencies are moving to Gmail as their email platform and 2) many people keep two email accounts, one for corporate/government use and one for personal stuff. The problem with the latter is that people forward "work" emails to their personal accounts. I hate to say it, but I will say it anyway: sometimes PGP is the answer. Now, that only solves part of the problem, but it certainly helps.
• 8 security considerations for IPv6 deployment - I want to address just one statement in this article (which is a great article, so you should read the whole thing): Many users may be obscured behind fixed sets of addresses. Obscuring users behind large network address translation protocol translation (NAT-PT) devices could break useful functions like geolocation or tools that enable attribution of malicious network behaviors, and make number and namespace reputation-based security controls more problematic. I believe there is something to be said for not giving all your systems routable IP address space on the Internet. It makes attacking those systems just a little bit harder. I also don't believe that NAT is that difficult to implement, nor is it that tough to keep documentation of IP address mappings. I've seen large environments go from internal to external and vice versa, and the results when everyone has a routable IP address are not good.
• vCash, Crypto, and Anonymization Equals Drugs to Your Door - A new form of currency is being used called "bitcoins". It's a new digital currency, and some say it could undermine real currency and be used to buy illegal goods and services.
• MS Web Application Configuration Analyzer - The rule checks were determined by Microsoft's own Information Security & Risk Management review team, whose job it is to harden pre-production and production servers within Microsoft. These checks are now being shared with the public. We often get hung up on firewalls, WAFs, IPS, IDS, and anti-virus. I'd like to see all of us get back to basics and ask yourselves the question: "Are my systems configured properly?" as I believe this goes so much further than "stop-gap" protections.
• Worm uses built-in DHCP server to spread - It then scans for available addresses on that network and launches its own DHCP server. When another machine on the LAN makes a DHCP request, it attempts to answer before the legitimate DHCP server, sending an IP address from the pool of previously gathered addresses, the gateway address as configured on the infected system and, for DNS, the IP address of the criminals' maliciously configured DNS server. It's nice, or rather not-so-nice, to see this attack being automated in common malware. It's an attack that most penetration testers have used for years, and many have defended against in the past. However, it has always been a localized one-off type of attack. Now it's embedded inside malware so you better be able to detect and defend against it. I once knew of folks configuring their switches to detect so-called "rogue DHCP servers".
• Logging Isn't Hard -- Getting Started Is - Considering how ridiculously low-cost hard drive storage is, there's no reason why the smallest SMB can't set up a server with a 1- to 2-terabyte hard drive to serve as central collection point. I couldn't agree more. My first SEIM was a Linux server with as much disk space as I could afford. It ran syslog and I pointed logs from as many devices and systems as I could at it, and then used sed/awk/grep to find events of interest. Of course, there are better solutions that exist today, but if you can get started on the cheap, then you have a better chance of showing management the benefits and getting something with more features.
• Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series - security vulnerabilities database - Cisco Unified IP Phones 7900 Series devices are affected by a signature verification bypass vulnerability that could allow an authenticated attacker to load a software image without verification of its signature. This vulnerability allows an attacker to upload new firmware to the phone. This can be a very stealthy form of eavesdropping. Who's going to know that one of their phones is compromised?