Guests:
Brian Krebs – @briankrebs - http://www.krebsonsecurity.com/

VRT Blog Post:

http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunch-and.html

Eric Chien, Symantec
Zeus, King of the Bots: http://www.noryak.net/papers/zeus.pdf

Chat with us on IRC at irc.freenode.net #securabit

Announcements

• Two new blog posts have been released titled "The Value Of Credentialed Vulnerability Scanning and Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview - Ron Gula - CCDC Recap

Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.

Stories

• Six Steps To "Cloud" Security - Nothing New - A researcher published a paper in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing". In it she outlines six security considerations for cloud computing, which to me represent nothing really new. The first, resource sharing on "cloud" providers could lead to your data being accessed. This is similar to VLANs on switches, which are essentially software, which means you need to carefully design your network to be certain your most critical assets are not on the same switch as something less critical. This is a risk decision, and should be constantly evaluated, whether you are using a "cloud" provider or designing VLANs on a switch. Second, she points out that since data is held off-site, ownership may have become compromised. This is another issue which I have dealt with when I worked for an ISP/hosting provider. Physically being separate from your data means that you need to make yet even more risk-based decisions. If the data you are hosting off-site is public anyway, then there is little need for concern. However, if the data is sensitive or confidential, you may want to take extra pre-cautions to safeguard it at remote sites (encryption, physical security, etc...). How is this different than using a remote storage facility for your backup tapes? There are more, and my advice is to look at the "cloud" security information and relate it to similar security and risk decisions in your organization and I believe you will find that you are well equipped to handle securing your organization, whether its cloudy or sunny.
• Security Policy Gone Wrong - This story centers around the following quote from a client: "Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company." I like coming up with creative solutions, but this one just doesn't stick!
• Network Analysis Of A Logitech Mouse Server - While this may not sound particularly concerning, the protocol that allows you to control the keyboard and mouse of a system running this software does not authenticate the commands. This means a packet crafting tool, such as scapy, can be used to send keystrokes to the device. Most users find this type of technology convenient, but fail to realize the security risks. In your environment you have to control the installation of this type of software.

(Note: Please ignore the opening when I incorrectly refer to this as episode 25, whoops!)

Download Tenable Podcast Episode 26

One point Vik wanted to make that didn’t make it into the podcast is that the 0day that was used in the Aurora attack is not just being used against corporate targets.  It’s being used against consumers as well, so it’s important that the average home user be aware that their AV product may not be protecting them at this point.  What is part of the podcast is a discussion of how many AV vendors are trying to protect against the payload that malware is attempting to deliver, not the exploit itself.  Both are important points people need to be aware of.

Network Security Podcast, Episode 189, March 16, 2010
Time:  39:56

Show Notes:

• Vulnerability-based protection and the Google “Operation Aurora” attack
• NSS Labs’ Questionable Report – Note that the screen shot shown is of the Firefox browser, not IE in any form
• AVG & The Aurora Exploit
• Questionable Questions (and some answers)
• 7th Annual ISSA Security Conference
• Please take our short listener survey to help us create a better podcast!

Network Security Podcast, Episode 188, March 9, 2010
Time:  32:01

Show Notes:

• Great coverage of Martin’s RSA panel on disclosure. One of the first with an actual user on the panel.
• Government declassifies parts of the Comprehensive National Cybersecurity Initiative.
• Police get webcam pictures in school spy cases.
• Experts dismiss end to end encryption claims. Bunch of gross generalizations.
• Oops- Vodaphone distributes infected phone.
• … and Energizer distributes malware in USB battery software.
• Tonight’s music: 

NSP-RSAC2010-Sourcefire.mp3

NSP-RSAC2010-ISC2.mp3

NSP-RSAC2010-KasperskeyLab.mp3

NSP-RSAC2010-AstaroSecurity.mp3

NSP-RSAC2010-FSecure.mp3

* I’m with @CSOAndy who believe the A in APT should stand for Adaptive, not Advance.  It’s much more descriptive of what’s really happening.

NSP-RSAC2010-PandaSecurity.mp3

Announcements

• Two new blog posts have been released titled "Implementing Perimeter Intrusion Detection" and SecurityCenter 4 Introduction". Also, Nessus 4.2.1 was released with support for Solaris and some significant performance enhancements.
• Come see us at RSA - Booth #956! I, Ron Gula, Renaud Deraison and many others from Tenable will be there demonstrating SecurityCenter 4.0 along with Nessus 4.2, the latest Passive Vulnerability Scanner and the Log Correlation Engine.
• The webinar performed on February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" in which Tenable CEO Ron Gula and Tenable CSO Marcus Ranum discussed strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks is available for download.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!


• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Stories

• Detecting the TDSS/TDL3/Tidserv rootkit with Nessus (Login Required) - This is really great usage of an audit file! It searches the Windows registry for keys associated with the rootkits and alerts on it. This is the rootkit that was causing the "Blue Screen Of Death" problems when users applied some of the recent Microsoft patches. Nessus ProfessionalFeed customers can download the audit file and use it to detect this rootkit in your environment before applying the patches from Microsoft.
• New Internet Explorer Vulnerability - This is perhaps one of my favorite vulnerability write-ups in a long time. First it states, "a user on the target system needs to be convinced to press the F1 key in response to a pop up dialog box on a specifically prepared website" and then goes on to say "As of now all users need to remember is to not press F1 when they are accessing websites." Can we just remove the F1 key from the keyboard?
• SCADA Devices on Verizon and Other Wireless Networks - This is interesting, as I have been doing some of my own research in this area. Many SCADA security tactics rely on the so-called "air-gapped" network. This usually does not work out so well when stuff needs to actually talk to other stuff. So slowly they creep onto the network, but since the assumption is that it's "Air-gapped" no one really bothers to look for these devices on the network. Also, since it's a "harmless" embedded system people will assume that they do not have to secure it, so they leave default passwords. This is just a bad combination! Take time to secure everything in your environment and apply your security strategy to all systems, even the embedded ones.
• GuestStealer Information Wrapup - This is a great summary post of all of the information surrounding the guest stealing vulnerability released at Shmoocon. Nessus was used to detect a directory traversal vulnerability that lead to multiple vulnerabilities in VMware systems that could allow an attacker access to download the entire collection of guest operating systems on the host. Nessus has new checks that look for this specific vulnerability as well.

Download Tenable Podcast Episode 25

Listen in as we discuss Sunbelt Software’s CWSandbox and other products, along with in-depth malware detection and analysis!

#BSidesSF – Tuesday/Wednesday, March 2-3, 2010 @ 10am – 5pm
#BSidesAustin – Saturday, March 13, 2010
#BSidesBOS – Saturday/Sunday, April 24-25, 2010
Chat with us on IRC at irc.freenode.net #securabit

Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling – @chrisgerling
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
Brian Jack – Sunbelt Software
Chad Loeven – Sunbelt Software

Links:

http://www.sunbeltsoftware.com/

http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/

http://www.securitybsides.com/