Tenable Network Security Podcast Episode 107

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released plugins to discover VMware Vsphere servers, check installed patches, and enumerate active and inactive virtual machines.
• PVS plugin 6125 will now passively discover the version information of Windows systems

Stories

1. Microsoft releases MS11-100 for Security Advisory 2659883 - I'm not sure I get it, there are 0day vulnerabilities (and exploits) running around for Microsoft platforms all the time, for which Microsoft does not release an out-of-cycle-patch. However, this DoS issue in ASP.NET gets an out-of-band patch. I was on this kick where I was praising Microsoft for its handling of security vulnerabilities, then they do this. Isn't exploitation worse than DoS?
2. WPS Security on Wireless Access Points pwn3d: VIDEO - Ever since the first time I read about this technology, and even tried to use it, I somehow knew it was a really bad idea. It combines those two things in the world that are never supposed to be brought together (similar to crossing the streams, oil and water, or "N' Sync" and "Reunion Tour"). This is, of course, usability and security. The goal of systems such as WPS is to make it to easy to apply security to your wireless network that all you have to do is push a button. Its a lofty goal, and too bad they've misinterpreted the word "random" here and made a system that can be brute forced fairly easily. "Easy Button" for the win!
3. When to Give Your Girlfriend Your Password - I have to say, technology has really impressed me lately. Maybe I'm just getting old (although when I think I'm getting old I turn to my good friend, remember he was alive during the Cuban missile crisis, and feel better). However, Xbox with Kinect is so super cool and makes you feel like you are on Star Trek, the remote for my TV has a touch screen, my office has high resolution monitors that are twice the size of my first TV, and the sound in my new Toshiba laptop is better than my first two stereo systems put together. The real measure of technology and how heavily we rely on it, is the question of whether or not to give your password to your girlfriend. I'm not sure which password would be in question, and hopefully you have more than one, but where do you start? Is a sign of love sharing your Netflix password? Is your email password the same as asking her to marry you? Goes to show just how important your password is when it's being used as a measure of your relationship status.
4. Hacking Group Releases More Stratfor Subscriber Data - I think its great that we start out the year talking about a fresh new data breach. It goes to show that large companies still are not paying enough attention to security, at least in the right ways. I really don't want to get into the password debate, I think I still need a break from talking about passwords. I do want to talk about how a company was able to drop the ball enough to leak subscriber information of information security folks, military, government, and executives.
5. The Most Influential Voices in Security Bruce Schneier is tops on this list, and his latest research is sounding like the voice of reason: "There will always be a dishonest minority and there will always be a need for security to protect the honest majority from the machinations of the dishonest. What Schneier is examining now is how the information age affects the security systems society puts in place and what changes will be needed in the future."
6. Multi Purpose Brute Forcing Tool - A new tool has been released, written in Python, that is aiming to improve upon the existing code out there for password brute forcing. The new tool, called "Patator" was created because the author felt existing tools were too slow, inaccurate, and lacked features. "Patator" is modular, multi-threaded, and allows for response logging and interactive runtime command mode. I also wanted to take a moment to tell people to be smart about password brute forcing, and learn the password complexity requirements, account policies, and account lockout timers BEFORE you start to password brute force.
7. Hacking Google for Fun and Profit - Some really neat bugs that were discovered by a researcher who discovered them, reported them to Google, and got paid for them! Lots of CSRF in Google's Gmail, including the ability to read information about the user and delete all future emails. I though deleting future emails was a feature?