Tenable Network Security Podcast - Episode 96

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest video is titled "Top Ten Things You Didn't Know About Nessus #9".
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Ron Gula on using SecurityCenter's report iterator to create "cooler" detailed reports based on correlated events from the LCE (Log Correlation Engine)

Stories

• 15 Years of Software Security: Looking Back and Looking Forward - First a look back: Remember "Smashing the Stack for Fun and Profit"? Buffer overflows were all the rage and resulted in what the author calls "undesired functionality" in applications. Vendors tended to ignore the vulnerability disclosure process, and many more vulnerabilities and associated exploits floated around the Internet until vendors decided to patch them (or not). The security community as a whole grew up, many companies were created to sell products, and many got bought and folded into larger companies. Before we look into the future, what has really changed? Web applications have provided us with a newer form of the buffer overflow, as the vulnerabilities lead to "undesired functionality", and are as plentiful, if not more, than traditional buffer overflows were. The difference is that they are now spread across thousands of applications and many require end-user interaction. The author then looks into the future, which is dangerous depending on how you look at it. Since it hasn't occurred yet, you can make predictions and it doesn't matter if you were correct or not... it was just a prediction.

• Rubbing an iPhone on your face won't cure acne - FTC - I wonder how many people fell for this one: "The Federal Trade Commission has fined two developers who claimed their mobile apps could cure acne with flashing colour, but there's still plenty of snake-oil on sale." We rely on technology for many things; removing pimples with your iPhone is not one of them.
• Hacker claims he can exploit Windows Update - "I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc.," - That's a bold statement, begging the question could someone issue patches using stolen certificates? Of course, for this attack to work, you would have to first perform a MiTM attack against the targeted Windows systems. We hope there are enough protections in place to prevent this attack from being successful.
• Security Manager's Journal: Assessing the company's Internet-facing apps - Application testing is very important, and this article highlights some of the common problems associated with applications. Sure, physical security is important, and if all your assessment team is telling you is that "piggybacking" is possible, you should find another assessment team. The results of the web application testing were impressive, and in addition to the XSS vulnerabilities, it was found that customer data was being sent without SSL encryption, pay products could be downloaded without paying for them, and documents could be downloaded, modified, then re-uploaded. The tricky part - how do you fix these problems and make sure they are fixed on an ongoing basis?
• Inside Cisco global security operations - "That depth of intelligence enabled us, in a very specific example, to provide an update that would indicate by trajectory, IP block by IP block, who had likely already been infected. We could increase the risk associated with those IP blocks dynamically, as it propagated," The article talked in depth about communication and depth, two concepts which are very important to information security.
• Linux world in security spinout as Linux Foundation and Kernel.org remain "temporarily unavailable" - "I'm still struggling to decide quite what the Loony Linux Lovers - those who insist that Linux is immune to malware - will make of this episode. While Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system." I'm still amazed that Linux folks take the high ground when it comes to security. It goes to show that no one is truly immune; not that it's a new concept, but compromising kernel.org and linux.com certainly sends a message. Speaking of messages, saying that a web site is "down for maintenance" makes people believe it's compromised.
• From Logs to Hell! - Log management can be extremely effective at finding compromised systems, however, take into consideration "Unreachable devices, Supported formats, Performance impacts on the network flows, (De)commissioning of (old)devices, Overlapping in IP subnets and Procedures / follow-up".
• Early Patch Tuesday Today: Microsoft September 2011 Patches, (Fri, Sep 9th)
• Apple releases updates for DigiNotar SSL debacle - But what about iOS devices?