Tenable Blog

Welcome to the Tenable Network Security Podcast - Episode 5

Announcements

• We've moved our video site! Due to some problems with Blip, all of our videos can now be found on YouTube in Tenable Security's Video Channel (http://www.youtube.com/tenablesecurity).
• New video has been released that shows the new Nessus 4.2 client and web interface. You can view the video in high definition on our You Tube channel.
• Great post by Marcus Ranum on Logs - Logs Of Our Fathers
• We are looking for feedback on the new Nessus client version 4.2, so head on over to our Nessus discussion forums and let us know what you think!
• As always be sure to check out our blog at http://blog.tenablesecurity.com

At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it here, on the TED site. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.

November, 1951

Machine Log #1

Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in-depth, and explores some of the potential problems you may experience when scanning with credentials and how to overcome them.

Basic Authentication

For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus can use each time it is prompted for credentials. On the "Advanced" tab in the "Login configurations" section, enter the desired username and password in the "HTTP account" and "HTTP password" fields as shown below.

Welcome to the Tenable Network Security Podcast - Episode 3

Announcements

• New whitepaper on web application testing is being released next week.
• Correction on The Tenable appliance it does support Security Center, with future support for PVS and LCE Hardware appliance has been announced as well
• As always be sure to check out our blog at http://blog.tenablesecurity.com

Remote "0Day" IIS FTPd Exploit

On September 1, 2009 security researcher "kingcope" released an exploit for a previously undisclosed vulnerability in the Microsoft IIS 5.0/6.0 FTP Server. Microsoft had not been made aware of the problem, therefore there is no patch available at this time. The exploit is known to work against Windows 2000 servers running IIS 5.0 and 6.0, and rumored to cause a denial of service against 6.0 on Windows 2003.