Tenable Blog

Title: Critical Infrastructure Computer Systems Under Constant Attack

Date: January 28 & 29, 2010

Ease and Security Don't Mix

In the eternal quest to create easy ways for systems to communicate with people and other systems, embedded device manufacturers have created new protocols. One of the first was UPnP, or Universal Plug and Play, which has had its share of security problems. The latest protocol to emerge is called HNAP, or Home Network Administration Protocol. Its goal is to "allow advanced programmatic configuration and management by remote entities." The protocols primary purpose is to aid device manufacturers in supporting remote devices such as printers and wireless routers. HNAP allows remote configurations to be both viewed and changed remotely using an HTTP SOAP-based protocol. While this sounds wonderful, someone decided to push the "easy" button:

"HNAP was designed to be a simple, light weight protocol that is easy to implement inside of small cost-constrained hardware such as network routers, cameras and other small devices. Because the protocol is based on existing HTTP-SOAP standards, it is very flexible and easily extensible."

The first phrase that raises a red flag for security-minded people is "simple, light weight". This almost always means that in order to simplify the design to make it "light weight", the first thing to go is security. Further reading of the Cisco Systems whitepaper on HNAP reveals an entire section dedicated to "Protocol Security", which states:

Providing credentials to Nessus so that it can log into the systems being scanned is a very effective method of vulnerability scanning. It enables the scanner to provide a patch audit, perform local operating system identification, portscanning, and audit the configuration files present on the target. For web application testing, credentials allow Nessus to enumerate and detect vulnerabilities inside the application, ensuring that a larger percentage of functionality is tested. The following two videos cover how to perform both network-based credentialed scanning, and provide credentials for web application scanning using Nessus 4.2.

Network-based Credentialed Scanning & Patch Auditing

Welcome to the Tenable Network Security Podcast - Episode 20

Announcements

• A new blog post has been released titled "Being Pro-Active Against the "0-Day" Threat" and covers how you can more effectively defend your network given that the bad guys have "0-day" exploits. Marcus Ranum also published an article titled, "Afterbytes - Ranum on Google Considering Leaving China" where he weighs in on the Google Aurora incident. Brian Martin also contributed an article titled, Putting OSVDB to work for Nessus Vulnerability Management where covers how to use OSVDB to provide additional references to give system administrators more information about a particular vulnerability.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Mike Murray

Title: Google Considering Leaving China Date: January 12, 2010

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results.

Sources: Google, Citing Attack, Threatens to Exit China, Update: Google may pull out of China because of cyberattacks, Google's response to being attacked by China

Paired with this fascinating piece by Gerald Posner.

The ongoing story of the Chinese "cyberwar" just keeps popping up in the news, again and again, like a zombie that takes repeated blows with a shovel and just won't stop moving. Am I talking about it too much? Perhaps, but it's one of those nodal point issues that I think tells us an incredible amount about what's going on in information security at the government and major corporation level. What do I mean? It's becoming a litmus test, for me, as to who has a clue and who doesn't. But if you want to be a paranoid skeptic, ask yourself "why are people with clues acting as if they have none?"