Tenable Network Security Podcast - Episode 65

Welcome to the Tenable Network Security Podcast - Episode 65

Hosts: Paul Asadoorian, Product Evangelist & Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Nessus Viewer v1.0.0 released - The web site states: "Nessus Viewer enables IT Security auditors and penetration testers to quickly navigate inside Nessus reports by sorting and filtering each entry. It is able to import Nessus XML v2 reports and filter them by IP, host name, plugin name, operating system, keywords… It can also parse plugin outputs to extract and build clickable lists of web servers, Windows users, missing patches and much more." I think it's great to see a tool like this to help people with with Nessus data in specific cases.
• Hacking your car for fun and profit - Researchers make an interesting statement about the various control systems in your car: they are plugged into a hub network, not a switch. This means there is no separation between systems, so if you gain access to the car, you gain access to all systems, including safety, brakes, etc. This is not a huge problem for now because cars are not connected to the Internet. Oh wait, enter the Chevy Volt, the first car to have an IP address (so I am told).
• Internet ID For All Americans - "Possible methods of creating a ‘trusted identity’ could include issuing a ‘smart card’ or digital certificates that would prove that online users are who they say they are. They could then be used to buy goods and carry out financial transactions on the Internet."
• We're Running Out Of IPv4 Address Space! - Seems that I hear this every year, that this will be the year when we run out of IP addresses. They always point to the fact that all kinds of devices, such as TVs, BlueRay players, Tivos, alarm clocks, and toasters will have an IP address. I have to say, I have a lot of devices on my home network. I love technology and get my hands on as much network-connected stuff as possible. I have a private subnet that can address 253 devices. I could use a Class A if I wanted to, and I still only need one public IP address. So, I fail to see the rush to IPv6, which I am pretty sure will not solve the security problem, but create more problems as people find more problems with IPv6 security.
• Researcher Develops Password Hacking Software for Wi-Fi Networks Using Amazon Web Services - Don't get me wrong, I think this is a very useful way to attack WPA-PSK. Using "the cloud" to brute-force passwords has lowered the security of the password even further (if that was at all possible). However, is the defense against this attack simply to generate a random 16 character string and use that as a password? Of course, this is not user-friendly, so people tend to choose weaker keys. In the end, we are exploiting the human, not the technology.
• Final Fifteen - Web Hacking Techniques - There are some really cool techniques in this list. I strongly suggest to our listeners that you review this list and learn about all of these techniques.