Tenable Blog

The Story:

--Pentagon Official Charged with Espionage Conspiracy
(May 13 & 14, 2009)
A Pentagon official has been charged with espionage conspiracy for
allegedly leaking confidential documents to a Chinese government
operative. James Wilbur Fondren Jr. has been on administrative leave
from his job as Deputy Director, Washington Liaison Office, US Pacific
Command (PACOM) since February 2008. Fondren was allegedly able to
access the sensitive information through his security clearance. If he
is convicted of the charges against him, he could face five years in
prison and a fine of US $250,000.
http://www.nextgov.com/nextgov/ng_20090514_7707.php
http://www.scmagazineus.com/Defense-Department-insider-charged-with-espionage/article/136743/
http://www.usdoj.gov/opa/pr/2009/May/09-nsd-469.html
[Editor's Note (Northcutt): Limiting access rights based on roles is essential.]

My comment on this (which didn't get posted along with Northcutt's) was: "

Is this where I get to say "I told you so"??

The Story:

This has been tried before and - it should come as no surprise to anyone - the software industry has some mighty powerful lobbyists. Indeed, some of them speak out in this little tidbit. I think it would have been more honest if Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance had said "Good luck, bwaaaahaaahaaahaaaa!" instead of hewing the ridiculous party line that the software industry has been spouting for decades. I like intellectual honesty when I encounter it.

Web sites have a way of evading vulnerability scanners in the form of virtual hosting. It is a common practice to host multiple web-sites (and associated applications) on a single web server using only one IP addresses. This causes problems for vulnerability scanners, including Nessus, as they look for vulnerabilities on the single IP or hostname provided. The remote server directs this traffic to a specific virtual host or web application, leaving a considerable amount of virtual real-estate untouched. The problem is that Nessus has no easy way to enumerate the domain names or additional IP addresses associated with a given system. Scanning every hostname, domain name and IP address associated with the server could reveal additional vulnerabilities in the web applications or hosts associated with the given server. For example, when scanning just a single IP address in the lab, I received the following result:

I get the chance to speak with many different types of customers and potential customers. I am particularly interested in how they want to monitor and report on their network activity. I am frequently asked what type of metrics can be tracked for upper management. Trending charts are very popular, but what goes in them can be deceiving. Let’s consider some examples.

I was recently working with a Log Correlation Engine customer who had gone through a typical deployment. Tenable advises customers to carefully consider which system and application logs they want their LCE Clients to send to the LCE server, in addition to a variety of Snort, Firewall and network activity logs. In this case, the customer had recently configured their system to send SSH logs to the LCE whereas before, they were only getting "network" events. When I had the opportunity to chat with them, they were very concerned about various worms or potential intruders performing a network scan such as those shown below: