May 16 2008

Data isn’t ‘private’ if you put it on a social networking site

Published by Martin under Privacy

Private: confined to particular persons or groups or providing privacy; “a private place”; “private discussions”; “private lessons”; “a private club” … i.e. something a social network isn’t.

I get annoyed with people who use the word ‘privacy’ when talking about their information on a social networking site; by definition, anything put on Facebook or MySpace is there for sharing and is no longer private. If you want to keep your information private, don’t put it somewhere that’s specifically designed around the concept of blasting your info to as many people as possible in the first place!

We’ve got mashups and all the other technologies that are designed to share our information, or data portability as it’s called. People want to be able to take their information from one application to another as easily and transparently as possible. That’s great, it’s wonderful for sharing information. It’s also about as far away from ‘privacy’ as you can get.

There’s a big hubbub in the blogosphere because Facebook is blocking or limiting the amount of information other sites, like Google’s Friend Connect, can collect from the Facebook API. Facebook claims it’s about privacy; they believe users should have the right to control where their information goes and how it’s being used. I agree with that statement, but if someone is putting their personal information on Facebook, then they’ve made the choice of giving up that control, since any screen scraper or search engine can be used to pull down the information with very little effort. While I hate agreeing with Michael Arrington, he’s right; Facebook’s decision to limit what other social networks can pull from the FB API is about protecting Facebook’s business model and has nothing at all to do with their users’ privacy. Facebook wants to squeeze every possible cent from the value of your information before they let anyone else have it. I don’t blame them, I just don’t have to give them anything to work with.

Robert Scoble is wrong, privacy isn’t dead; people are just willing to give up privacy for the convenience of being part of a social network. If someone wants their data to be private, they shouldn’t be putting it online. Privacy isn’t dead, but you’ve made a decision to give up your privacy when you put your data online. You have to weigh the value of having that social interaction versus what your information is worth to you. Most people make that decision without any conscious thought, which isn’t Facebook’s fault. Not everyone is a professional paranoid who spends a large amount of their time thinking about these issues, but everyone should at least be aware of what they’re putting online.

The Internet, and especially a social network, is designed around the concept of information sharing. Privacy is about controlling your information and controlling who has access to your information. If you put that information on Facebook, you’ve ceded that control to them, and even they don’t have that much control over who can access it. You can control where and when you put your information online, but once it’s there, privacy isn’t applicable. You’ve chosen to put it in a public forum, therefore your information obviously wasn’t something you wanted to keep private in the first place.


May 15 2008

xkcd: Security Holes

Published by Martin under Uncategorized

Not to be outdone by Dilbert, xkcd has its own Debian-related humor today. Who ever thought that the words “encryption” and “humor” would apply to the same blog post?


May 15 2008

The Debian random number generator

Published by Martin under Humor

http://img502.imageshack.us/img502/2996/pmeo9hcjp7aw9.jpg

Ouch! That hurts, and I don’t even run Debian. Thanks, Stepto.


May 15 2008

Time to get a new set of keys

Published by Martin under Encryption, Security Advisories

If you’re using Debian or Ubuntu, it looks like you need to generate a new set of keys immediately, if not sooner! The SSH keys on those systems used the PID of the process as a seed for generating the old keys, which severely limits the randomness of the keys and has made it possible for a rainbow table of all possible keys to be generated.
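To make the size of the problem concrete, here is a toy model of what the post describes: a key generator whose only entropy is the process ID, and the blacklist-style check that detects its output. This is an added example, not code from the blog post, from Debian or from OpenSSH; the “keygen” is a stand-in (a PRNG seeded with the PID, not real RSA or DSA generation), the PID range assumed is the classic 15-bit Linux default (`pid_max` = 32768), and `weak_keygen`, `build_blacklist` and `is_weak` are names chosen here.

```python
"""Toy model of a key generator whose only entropy is the PID, and the
blacklist check that catches its keys.

Added example (not Debian's or OpenSSH's code). weak_keygen is a stand-in
for real key generation: it shows the entropy problem, not the math."""

import hashlib
import random
import secrets

PID_MAX = 32768  # assumed: the classic Linux default; PIDs run 1..32767


def weak_keygen(pid: int, keysize: int = 2048) -> bytes:
    """Stand-in for a generator that seeded its PRNG with nothing but the PID.
    Nothing else (time, hostname, /dev/urandom) is mixed in, so the same PID
    always yields the same key material regardless of which host ran it."""
    prng = random.Random(pid)  # constructed: the seed is the PID and only the PID
    return prng.getrandbits(keysize).to_bytes(keysize // 8, "big")


def strong_keygen(keysize: int = 2048) -> bytes:
    """Contrast: key material drawn from the OS CSPRNG."""
    return secrets.token_bytes(keysize // 8)


def fingerprint(key_material: bytes) -> str:
    """Hex digest standing in for an SSH key fingerprint."""
    return hashlib.sha256(key_material).hexdigest()


def distinct_keys(keysize: int = 2048) -> int:
    """How many different keys can weak_keygen produce at this size at all?
    One per possible PID, i.e. at most PID_MAX - 1, whatever the nominal
    key size says about the keyspace."""
    return len({fingerprint(weak_keygen(pid, keysize)) for pid in range(1, PID_MAX)})


def build_blacklist(keysize: int = 2048) -> set:
    """Defender's side: precompute the fingerprint of every key the weak
    generator can emit. A tiny, enumerable keyspace is exactly what makes
    a fingerprint blacklist feasible as the detection mechanism."""
    return {fingerprint(weak_keygen(pid, keysize)) for pid in range(1, PID_MAX)}


def is_weak(key_material: bytes, blacklist: set) -> bool:
    """Check a key (e.g. one found in authorized_keys) against the blacklist."""
    return fingerprint(key_material) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct 2048-bit keys the weak generator can produce:", distinct_keys())
    print("key from PID 1234 is weak:", is_weak(weak_keygen(1234), bl))
    print("CSPRNG key is weak:", is_weak(strong_keygen(), bl))
```

The point the numbers make: a 2048-bit key nominally has an enormous keyspace, but if the generator’s only input is a 15-bit PID, there are at most 32767 keys it can ever produce, so enumerating them is trivial and checking any key you hold against that list is the practical defence. Debian shipped exactly that kind of fingerprint blacklist with the fix (the `ssh-vulnkey` tool and the `openssh-blacklist` package); regenerating keys is still the only real remedy, since a blacklisted key stays guessable forever.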

There’s some debate about whether this vulnerability is related to an increase in SSH scanning on the Internet, but that’s really immaterial; it will cause a rise in SSH scans soon. Better to secure your system now and stay ahead of the curve than be one of the people unlucky enough to get compromised. As always, the real danger is not what’s happening today, but what happens in a few months when the awareness dies down and people who didn’t get the alerts leave their vulnerable machines on the Internet.

The Internet Storm Center thinks this is really important, so you probably should too.


May 14 2008

May SRT: RSA Conference - Beyond the Hype

Published by Martin under General, Podcast

Shortly after the end of RSA 2008, Michael Santarcangelo organized the latest Security Roundtable podcast. We were joined by a varied crowd of characters in the form of Dr. Anton Chuvakin, James Costello, and Jennifer Leggio. We had a lot of fun recording this conversation, even if poor Anton fell off fairly early due to phone problems. Luckily we let him get some of his shots in early.

Rich and I talked about this on an episode of the NSP, but there were no real ‘themes’ to this year’s RSA. There were a lot of interesting things going on, but it wasn’t on the showroom floor or in the keynote presentations. I’m hoping that this means the industry is maturing, but it may just mean we’re in a lull between waves of marketing hype. Guess you’ll have to tune into next year’s SRT RSA podcast to find out.

Security Roundtable for May 2008 | RSA Conference - Beyond the Hype

SRT May 2008 - RSA [54:34m]

May 14 2008

Microcast: Ron Gula on Nessus license changes

Published by Martin under Podcast, Security Advisories

Rich and I got a chance to talk to Ron Gula, CEO of Tenable Network Security, about the changes made today to the Nessus licensing model. This is a follow-up to the post I wrote this morning and explains the reasoning behind the changes straight from the man in charge.

Microcast: Ron Gula on the changes to the Nessus licensing model [15:43m]

May 14 2008

WP Security Scan

Published by Martin under Uncategorized

I don’t care if you’re a security blogger or just a plain vanilla blogger, you owe it to yourself to check out WP Security Scan. This plugin will scan your WordPress installation and give you suggestions on how to make it more secure. It found a number of permissions on my blog that had been set incorrectly (now fixed) and gave me other suggestions such as changing the names of the directories from the easily guessed defaults. I know that a lot of people have a hard enough time just keeping their blogs up to date, but given the rash of WordPress compromises I’ve heard of recently, this is something everyone running a WP installation needs to do.

Another plugin in the same vein worth checking out is WordPress Automatic Upgrade. No more waiting for your service provider to get around to the upgrade or mess with all the funky files yourself. The only problem I have with it is re-enabling the plugins after an upgrade, which is a relatively minor issue. I run the plugin occasionally just to get a backup of the blog. See, I do learn from my mistakes occasionally.


May 14 2008

Changes to the Nessus license

Published by Martin under Security Advisories

Last time Nessus changed their licensing model, there was a big uproar. Many people, including me, thought it was a huge error on their part and that it’d drive folks away from using Nessus. Luckily we were wrong; Nessus and Tenable are still around and still the most popular scanning solution available.

Tenable has come to the decision that it’s time to change their licensing model again. The Registered Feed will be going away; instead you’ll have the option of a Home Feed or a Professional Feed. The Home Feed will only be for use on personal networks, but it will get the same vulnerability updates that the Professional Feed does. If you were using a Registered Feed to scan your own network, that is no longer going to be acceptable under the new licensing and you’ll have to upgrade to a Professional Feed, which is pretty reasonable at $1200 a year. For that price you also get compliance checks, which includes my favorite, PCI.

It’s a major change for Tenable to require anyone using Nessus in a corporate setting to pay for the feeds; you used to be able to use the Registered Feed for your own business but had to pay for the Direct Feed if you used it for consulting. This is a continuation of Tenable’s desire to get paid for the incredible amount of work they put into Nessus, something I have a hard time faulting them for. There is a loophole in the licensing that will allow you to get a free license if you’re a charitable or educational organization. The exact requirements for this exemption haven’t been made public yet, but should be soon.

Nessus 2.0 is still open source. Nessus 3.0 was never open source, nor have the plugins been, though a lot of people have treated them as such through the Registered Feeds. This change in the licensing may open a gap that will allow a new open source vulnerability scanner to come to the forefront. Given the breadth of Nessus implementations, I think this is unlikely in the near future, but it may happen slowly over the next few years. Most businesses are probably going to ignore Tenable’s new license until their Registered Feed expires on July 31st. The big question is whether they’ll continue using Nessus without updates, pay for the Professional Feed, switch to another product or quit scanning altogether. Short term, I’m betting on scanning without updates, but long term is another question altogether; is $1200/year really all that much to pay compared to what any other scanning tool is going to cost you?

Tenable made a business decision that they need to collect revenue on their plugin feeds in order to continue providing the level of support they have always given. Some people are going to complain that Tenable is getting greedy; I’d counter that they just want to get paid for the work they’ve been supplying to the community for years. I guess that’s one of the things actually meeting the people doing the work will do to you.


May 13 2008

Network Security Podcast, Episode 104

Published by Martin under Podcast

We’re back, me from being ill, Rich from some alone time with his wife. Nothing really interesting to talk about other than what’s in the show notes, so I’m not going to waste a lot of time writing about it.

Show Notes:

Network Security Podcast, Episode 104

Network Security Podcast, Episode 104, May 13, 2008

Time: 33:12


May 13 2008

Interview with Mike Smith, the Guerilla CISO

Published by Martin under Government, Podcast

A few weeks ago I had a chance to have lunch with Mike Smith, author of the Guerilla CISO, in Washington, DC. Mike’s area of expertise is FISMA and he’s an experienced educator in the area. Mike feels about FISMA much like I do about PCI: it’s not perfect, but it’s a heck of a lot better than what came before.

Network Security Podcast: Mike Smith, Guerilla CISO [9:00m]

NSP Microcast: Mike Smith, Guerilla CISO

Time: 9:00
