Tenable Blog

Welcome to the Tenable Network Security Podcast - Episode 17

Announcements

• A new blog post has been released from Marcus Ranum titled, "Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication"
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions!
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:

Gartner Report Says Two-Factor Authentication Isn't Enough
(December 14, 2009)

A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.

References: 2-Factor Authentication Falling Short for Security, Gartner Says & Strong Authentication Not Strong Enough

I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPSec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer, who wrote the client software, misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When using it in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Severity Is Multi-Dimensional

Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with “high” severity ratings always caught my attention first. Sometimes it would take a week’s worth of effort to evaluate and remediate the high- severity vulnerabilities. Although I knew that I should also investigate the low or medium severity level alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks and would most often end up going months, years or never getting fixed at all unless a security incident occurred that involved one of the low-severity vulnerabilities. This is a problem that many organizations face, and the following particular Movable Type vulnerability is a great example that I hope underscores the point that “lower severity rating” does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it’s not remotely exploitable to gain shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application.)

Another Milestone, Nessus 4.2

Long-time users of Nessus have probably noticed that significant improvements have been made over the past several years. For example, Nessus version 3 introduced many performance enhancements due to an overhaul of the NASL interpreter. Nessus version 4 introduced several more improvements, including multi-threading and 64-bit support, in addition to unifying the code base across multiple platforms (Windows, Linux, and Mac OS X). Tenable is proud to introduce the next evolution to the Nessus vulnerability scanner with version 4.2, which includes several enhancements including an all-new Flash-based interface. With the new Nessus 4.2 interface, scan results and policies are stored on the server instead of in a client. Multiple users can log into the web-based interface concurrently and can use a “compare” function to show differences against a previous scan. It is now possible to log out of the interface and log back in without disrupting scans that are in progress,and an administrative user now has the ability to pause or stop the scan of another user. I strongly recommend that everyone view the video preview below to see the new Nessus interface in action: