Tenable Network Security Podcast - Episode 67

Welcome to the Tenable Network Security Podcast - Episode 67

Hosts: Paul Asadoorian, Product Evangelist & Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Nessus: Mythbusters Edition
  • Tenable and SCAP 1.1
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials, including the new 3D Tool Beta.


• We're hiring! - Visit the Tenable web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Shmoocon Preview - Twice the Mobile (in)Security - The trend has been heating up for a while now, and it's just about ready to boil over and send people screaming, panic stricken, as attackers take hold of their mobile devices. I believe Google's Android and Apple's iPhone have put the "smartphone" front and center as the most popular piece of technology we use in our everyday lives. For the attackers and the security community alike, this means we must find ways to hack it. The motives are of course different: the security community wants a safer place, and the attackers want to profit.




• Getting Started With Corporate iPad and iPhone Mobile Security - This is a great list of features in iOS that can really help you get a hold on the i<Devices> in your environment. iOS supports remote wiping, AES encryption of the phone backups and offers control on firmware updating and application installation and updates. Your organization must have a mobile computing policy!


• Who's Who Of Bad Password Policies - It should come as no surprise, but many web sites do not do a good job of implementing good password policies. We're often quick to blame the user, but many popular sites do not require SSL, allow special characters, limit length and more. One site even displayed your password in clear-text on the web site!


• Apple Appoints David Rice as CSO - This is great news for Apple and it has been a long time coming too. Apple really needs to step up its game when it comes to security. Random security updates, insecure architecture in OS X, and more have contributed to a ticking time bomb. As they gain market share, these issues will become important. David is extremely knowledgeable about information and software security and may be just what Apple needs to improve its security posture.


• Brute Force Safe Cracking - I find that security leaks its way into almost every conversation, oh wait, maybe that's just me. In any case, someone made a robot that will try every possible combination on a safe. While that's great, most thieves know that if you can flip the safe over and hit the bottom with a sledge hammer, you win. Also, the doors on safes are typically really hard to break through, but the sides are sometimes flimsy and easy to cut through with the right tools. Of course, there is something to be said for getting into the safe and leaving no trace behind that you were even there.


• Nessus Plugin: HP OpenView Network Node Manager Remote Execution of Arbitrary Code - If you run HP Node Manager, use this plugin. If you think that you may have Node Manager installed somewhere, use this plugin. If you run a network, use this plugin to scan the network and look for instances of Node Manager! This vulnerability (well, several actually) manifests itself as a command injection vulnerability in software that does not require authentication by default, and could lead to attackers gaining control of a system that manages the network. Just a bad combination!