Tenable Network Security Podcast Episode 133 - "Detecting Mobile Device Vulnerabilities Using Nessus"
Announcements
- We're hiring! - Visit the Tenable website for more information about open positions.
- Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
- You can subscribe to the Tenable Network Security Podcast on iTunes!
New & Notable Plugins
Nessus
- DB2 9.8 Less Than Fix Pack 5 Vulnerabilities
- Vulnerabilities in Microsoft Gadgets Could Allow Remote Code Execution
- DNSSEC NSEC Records Information Disclosure
- VMware ESXi update to libxml2
- MySQL 5.5 Less Than 5.5.23 Unspecified Vulnerability
- Novell GroupWise WebAccess User.interface Directory Traversal
- Pidgin Less than 2.10.5 Message Inline Image Parsing Remote Overflow
Passive Vulnerability Scanner
- Asterisk Remote Crash Vulnerability in Skinny Channel Driver
- Asterisk Remote Crash Vulnerability in voice mail application
- Evernote Client Detection
- Java version detection
SecurityCenter Dashboards
SecurityCenter Report Templates
Compliance Checks
Nessus ProfessionalFeed and SecurityCenter customers can download compliance checks from the Tenable Support Portal.
- New DISA STIG MS Office 2010 Audit
- New CIS SQL2005 Audit Policies
- New DISA STIG MacOSX 10.6 Audit Policy
Stories
- Hacks that work just by changing the URL » Secure Solutions - This would be a good document to send to your developers, making sure they understand the threats associated with the source code presented.
- Low Hanging Fruit (Nessus Results) - I believe there are also lessons for the enterprise in this tech tip. It's no secret penetration testers seek out the low-hanging fruit. Enterprises can search for the same conditions, and provided you have a remediation process, easily neutralize vulnerabilities that are easy to exploit.
- If Hackers Didn't Exist, Governments Would Have to Invent Them - While the government is quick to point out that "hackers" are a problem, I'm not certain they would go to great lengths to make up stories about them, nor do they have to. I agree, we are sometimes fighting battles against the wrong adversary. However, threats come in many different shapes and sizes, including what is defined here as the "hacker."
- 140,000 KPN ADSL customers still using default password - An ISP sets the same default passwords on customers' routers, then leaves it up to the customer to change them. This is the wrong approach.
- Nvidia probes breach of hashed passwords - I find it ironic that Nvidia, whose hardware is used to crack passwords, suffered a password breach.
- Vivotek Cameras Data Configuration Disclosure - I continue to be amazed that embedded device vulnerabilities are so easy to exploit.