Tenable Network Security Podcast Episode 198 - "PCI Discussion Featuring Jeffrey Man"
Announcements
- We're hiring! - Visit the Tenable website for more information about open positions.
- Want to ask questions about Nessus, PVS, SecurityCenter, and LCE, and get answers from the experts at Tenable? Join the Tenable Discussions Forum for custom scripts, announcements, and more!
- You can find links to subscribe to Tenable's Podcast feed, YouTube Channel, Twitter, and Facebook accounts at http://www.tenable.com/podcast!
PCI Discussion Featuring Jeffrey Man
- Many retailers have been breached. What could PCI do to help prevent this and arm the retailers against this threat?
- One would think that it's in the best interest of the retailers, the consumer, and the credit card companies to prevent this from happening. What can we do to suggest better regulations?
- PCI seems pretty specific to payment card systems, but many breaches involve other systems which do not fall under compliance. Do you see this changing?
Also check out our technical write-up on Trojan.Win32.FSYSNA.fej aka Chewbacca (malware targeting PoS (Point of Sale) systems).
Nessus
General
- Shockwave Player <= 12.0.7.148 Multiple Memory Corruption Vulnerabilities (APSB14-06)
- MS14-011: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)
- MS14-010: Cumulative Security Update for Internet Explorer (2909921)
- MS14-009: Vulnerabilities in .NET Framework Could Allow Privilege Escalation (2916607)
- MS14-008: Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022)
- MS14-007: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
- MS14-006: Vulnerability in ICMPv6 Could Allow Denial of Service (2904659)
- MS14-005: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)
- Web Site Client Access Policy File Detection
- Sophos Anti-Virus Engine < 3.50.1 System Objects DoS
- Cisco Secure ACS Portal Interface Session Hijacking
- Oracle Secure Global Desktop Multiple Vulnerabilities
- Oracle Secure Global Desktop Unsupported Release
- Synology DiskStation Manager (DSM) Detection
- Synology DiskStation Manager 4.0-x < 4.0-2259 / 4.1-x / 4.2-x < 4.2-3243 SLICEUPLOAD Function Remote Code Execution
- Synology DiskStation Manager < 4.3-3776 Update 2 Multiple Vulnerabilities
- Synology DiskStation Manager < 4.3-3776 Update 3 info.cgi Multiple Parameters XSS
- Synology DiskStation Manager 4.3-x < 4.3-3810 Update 1 Multiple Vulnerabilities
- Synology DiskStation Manager < 4.3-3810 Update 3 Multiple FileBrowser Component Directory Traversal Vulnerabilities
- Synology DiskStation Manager uistrings.cgi lang Parameter Directory Traversal
- Novell Client 2 Vba32 AntiRootKit DoS
- McAfee VirusScan Enterprise 8.8 < 8.8 Patch 1 DoS
- Microsoft Internet Explorer Version Detection
- IBM SPSS SamplePower 3.0.1 < 3.0.1 IF1 ActiveX Control Remote Code Execution
- Oracle Identity Manager October 2013 CPU
- Artweaver Detection
- Artweaver 3.x < 3.1.5 JPG File Handling Stack-based Buffer Overflow
- WinSCP < 5.1.6 RSA Signature Blob Integer Overflow
- Red Hat JBoss Enterprise Application Platform 6.1.0 Security Update (RHSA-2013-1843)
- Dell KACE K1000 Web Detection
- Dell KACE K1000 < 5.5 Multiple SQL Injection Vulnerabilities
- IrfanView MrSID Plugin < 4.37 Multiple Buffer Overflows
- Adobe Digital Editions 2.0.0 'rmsdk_wrapper.dll' Memory Corruption (APSB13-20)
- Adobe Digital Editions 2.0.1 Memory Corruption (Mac OS X)
- HP B-series SAN Network Advisor Installed (Linux)
- Dell KACE K2000 < 3.3.52857 Multiple Vulnerabilities
- WinSCP < 5.1.7 Multiple Vulnerabilities
- MediaWiki < 1.19.10 / 1.21.4 / 1.22.1 Multiple Vulnerabilities
Passive Vulnerability Scanner
Vulnerability Detection
- FlashCanvas <= 1.5 Reflected Cross-site Scripting Attack
- Mozilla Firefox < 27.0 / 24.3 (ESR version) Multiple Vulnerabilities
- Mozilla Firefox for Android < 27.0 Multiple Vulnerabilities
- Mozilla SeaMonkey < 2.24 Multiple Vulnerabilities
- Mozilla Thunderbird < 24.3 Multiple Vulnerabilities
- Google Chrome < 32.0.1700.102 Multiple Vulnerabilities
- Google Chrome < 32.0.1700.107 Remote Code Execution
- OID parsing
- Adobe AIR <= 3.9.0.1380 Multiple Vulnerabilities (APSB14-02)
- Flash Player (Internet Explorer) <= 11.9.900.170 Multiple Vulnerabilities (APSB14-02)
- Flash Player < 12.0.0.43 Multiple Vulnerabilities (APSB14-02)
- Flash Player <= 11.7.700.260 / 12.0.0.43 (inferred) Remote Code Execution (APSB14-04)
- Flash Player <= 11.7.700.260 / 12.0.0.43 Multiple Vulnerabilities (APSB14-04)
SecurityCenter Apps
Dashboards
Reports
Security News Stories
- Snowden's tools for hacking NSA not exactly high tech
- Evan Schuman: Get ready, IT; here comes the Internet of Things
- Patch Tuesday brings Microsoft fixes and Adobe Shockwave update
Related Articles
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
By
Jill Shapiro
and
Joseph Decker
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- PCI
- Podcast