Now You Can Do Anti-Virus Audit with Nessus

Tenable has put a set of anti-virus deployment audit checks into its ground-breaking Nessus tool. Compliance is the universal security obsession, and I think Nessus will move more and more into this area. Quote:

For compliance, if an organization has selected one or more anti-virus solutions, being able to audit this with Nessus can prove to an auditor that a solution is indeed installed, in use and up to date.

At the time of this writing, the following anti-virus solutions are detected as installed, running and up-to-date by Nessus:

  • #24232 BitDefender Check
  • #20284 Kaspersky Anti-Virus Check
  • #12107 McAfee Anti Virus Check
  • #21608 NOD32 Antivirus System Check
  • #12106 Norton Anti Virus Check
  • #20283 Panda Antivirus Check
  • #21725 Symantec Anti Virus Corporate Edition Check
  • #14835 Symantec Norton AntiVirus Version Detection
  • #16192 Trend Micro Anti Virus Check
  • #24344 Windows Live OneCare AntiVirus Check

Tenable’s blog post: Auditing Anti-Virus Products with Nessus
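To show what such an audit actually decides per host, here is an added Python example. It is not Tenable's code and does not use the Nessus plugins listed above; it applies the same three conditions the quote names (installed, running, up to date) to a constructed inventory, with an approved-product list and a maximum signature age that are assumed policy values.

```python
# Added example (not Tenable's code): a minimal anti-virus compliance check over a
# constructed host inventory. It applies the three conditions an auditor wants proven
# per host: a product is installed, its service is running, and its signatures are
# up to date (here: not older than MAX_SIGNATURE_AGE, an assumed policy value).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class HostAV:
    """One host's anti-virus state, as an asset inventory export might provide it."""
    host: str
    product: Optional[str]          # None means no anti-virus product was found
    service_running: bool
    signature_date: Optional[date]  # date of the installed signature set, if known


# Assumed organisational policy: approved products and maximum signature age.
APPROVED_PRODUCTS = {
    "Kaspersky Anti-Virus",
    "McAfee VirusScan",
    "Symantec AntiVirus Corporate Edition",
}
MAX_SIGNATURE_AGE = timedelta(days=7)


def audit_host(rec: HostAV, today: date) -> list:
    """Return the compliance findings for one host (an empty list means compliant)."""
    if rec.product is None:
        return ["no anti-virus product installed"]
    findings = []
    if rec.product not in APPROVED_PRODUCTS:
        findings.append(f"unapproved product: {rec.product}")
    if not rec.service_running:
        findings.append("anti-virus service not running")
    if rec.signature_date is None:
        findings.append("signature date unknown")
    else:
        age = today - rec.signature_date
        if age > MAX_SIGNATURE_AGE:
            findings.append(f"signatures out of date ({age.days} days old)")
    return findings


def audit_inventory(records, today: date) -> dict:
    """Map each host name to its findings, so compliant and failing hosts are both visible."""
    return {r.host: audit_host(r, today) for r in records}


# Constructed sample inventory (not real hosts) and the date the audit is run.
AUDIT_DATE = date(2007, 2, 22)
SAMPLE_INVENTORY = [
    HostAV("ws-001", "McAfee VirusScan", True, date(2007, 2, 20)),
    HostAV("ws-002", "McAfee VirusScan", False, date(2007, 2, 20)),
    HostAV("ws-003", "Kaspersky Anti-Virus", True, date(2007, 1, 15)),
    HostAV("ws-004", None, False, None),
    HostAV("srv-001", "FreeScanner 1.0", True, None),
]


def audit_sample() -> dict:
    """Run the audit over the constructed inventory."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for host, findings in audit_sample().items():
        print(host, "COMPLIANT" if not findings else "; ".join(findings))
```

Only ws-001 passes; each other host fails for a different reason, which is the kind of per-condition evidence an auditor asks for rather than a single "AV present" flag.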

If you enjoyed this post, make sure you subscribe to my RSS feed!

Compliance Audit IS NOT Substantive Audit

The other day I attended a meeting where I got hit by a new concept. It is the unfortunate brainchild of the new age of risk management and compliance obsession.

So it goes like this: Compliance = Vulnerability.

Or, to put it properly: lack of compliance will cost the same as mitigating a high-risk vulnerability. I’m afraid this really means a waste of resources: tons of time and money invested in full-blown compliance audits, and sooner or later reality won’t matter anymore. You’ll get your compliance certificate and that’s it: you’re safe.

Oh, I wonder where the days went when there was a clear cut between the compliance check and the hands-on, real-life, substantive audit. Is it really a good direction that we’re heading in?
I really don’t think that a canned compliance audit can deliver the X-factor needed by a company whose ultimate goal is Information Assurance.

X-Factor: effectiveness of the security controls in place.
Am I the only one fed up with all this compliance buzz?


New issue of (IN)SECURE Magazine - Feb 2007

The February 2007 issue (number 10) of (IN)SECURE Magazine is out! The topics covered include:

  • Microsoft Windows Vista: significant security improvement?
  • Review: GFI Endpoint Security 3
  • Interview with Edward Gibson, Chief Security Advisor at Microsoft UK
  • Top 10 spyware of 2006
  • The spam problem and open source filtering solutions
  • Office 2007: new format and new protection/security policy
  • Wardriving in Paris
  • Interview with Joanna Rutkowska, security researcher
  • Climbing the security career mountain: how to get more than just a job
  • RSA Conference 2007 report
  • ROT13 is used in Windows? You’re joking!
  • Data security beyond PCI compliance - protecting sensitive data in a distributed environment


Here is the definitive fix for Universal PDF XSS Vulnerability

The (in)famous Adobe Acrobat Reader Plugin Universal PDF XSS is the scariest vulnerability discovered this year, because it can turn any PDF into an XSS attack vector.

Today Cyrill Brunschwiler released the definitive fix for it. His solution is based on a mechanism to sanitize the malicious PDF link by generating a unique session ID for each PDF request and later checking that session ID. Because one picture is worth 1000 words, here is the schema:

Many thanks to the Compass Security team for this.
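To make the mechanism concrete, here is an added Python sketch of the per-request ID idea. It is not Compass Security's code and the details in their schema may differ; the class and function names, the query parameter `t`, the 60-second lifetime and the sample paths are all assumptions. The server only hands out a PDF when the request carries a fresh, single-use token that it issued for this session and this document, so a link it did not generate itself is refused.

```python
# Added example (not Compass Security's code): a reconstruction of the per-request
# token idea. Names, the "t" query parameter and the lifetime are assumptions.
import secrets
import time
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs


class PdfLinkGuard:
    def __init__(self, ttl_seconds: int = 60):
        self._ttl = ttl_seconds
        # token -> (session_id, pdf_path, expiry). A real server would keep this in
        # its session store; a dict is enough for the example.
        self._issued = {}

    def issue(self, session_id: str, pdf_path: str, now: Optional[float] = None) -> str:
        """Mint a one-time token for this session and document; return the link to embed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._issued[token] = (session_id, pdf_path, now + self._ttl)
        return f"{pdf_path}?{urlencode({'t': token})}"

    def validate(self, session_id: str, pdf_path: str, token: Optional[str],
                 now: Optional[float] = None) -> bool:
        """Called by the PDF-serving handler. Any attempt consumes the token, valid or not."""
        now = time.time() if now is None else now
        if token is None:
            return False
        entry = self._issued.pop(token, None)
        if entry is None:
            return False  # never issued, or already used
        sid, path, expiry = entry
        return sid == session_id and path == pdf_path and now <= expiry


def token_from_url(url: str) -> Optional[str]:
    """Extract the t= parameter as the serving handler would from the request URL."""
    return parse_qs(urlparse(url).query).get("t", [None])[0]


def serve_pdf(guard: PdfLinkGuard, session_id: str, request_url: str,
              now: Optional[float] = None) -> int:
    """Simulated handler: 200 (serve the PDF) only for a link the site itself generated."""
    path = urlparse(request_url).path
    if guard.validate(session_id, path, token_from_url(request_url), now=now):
        return 200
    return 403


if __name__ == "__main__":
    guard = PdfLinkGuard()
    link = guard.issue("sess-A", "/docs/report.pdf")   # what the site embeds in its page
    print(link, serve_pdf(guard, "sess-A", link))      # first fetch: 200
    print(link, serve_pdf(guard, "sess-A", link))      # replay of the same link: 403
```

The token is bound to the session and the document path, expires quickly and is consumed on first use, so the same PDF URL without a token, with a token minted for another session, or with a reused token is not served.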


Alarming WordPress Security Vulnerabilities

beNi released 3 alarming vulnerabilities in the popular WordPress blog platform:

  1. Cross Site Scripting - it didn’t work for me
  2. Forced Redirect - it worked for me
  3. Directory Traversal - n/a

Due to the really huge install base, I really hope that the folks at wordpress.org issue a patch quickly to address these vulnerabilities. Update: it seems that the site hosting the proof of concept exploits is down for maintenance (thanks leion).


How to Turn Firefox Into an Attack Webserver

David Kellogg released one of the most amazing Firefox plugins: Plain Old Webserver (POW), which adds a server to your browser.

Yes. You can run your own webserver within the browser. Although I didn’t get past the "Hello World" application, it’s amazing that this nifty tool supports Server-side JS, GET, POST, uploads, Cookies, SQLite and AJAX.

This plugin is definitely a must-have tool for any web security assessment. Thanks to pdp (architect) for pointing out this tool!


Web App Security Hall Of Fame - Meet the Gurus

Anurag Agarwal announced a series of professional portraits of the gurus in Web Application Security.
Quoting Anurag:

Every Friday I will present a major player from the web application security field and outline his contributions to the industry.

The series of mini biographies is called Reflection and this week’s security superstar was Amit Klein. RSnake is next.


Secret Feature / Vulnerability in Google Webmaster Tools

The buzz around the new Google Webmaster Tools link feature has spread like wildfire. However, this great tool had a serious vulnerability which allowed access to the link statistics of any website. Now THAT would be a must-have fingerprinting tool! Yes, the glitch has been fixed now :) Google Blogoscoped presented the proof of concept.


How good are you at making security trade-offs?

Bruce Schneier released a great essay on the Psychology of Security, exploring how psychology can help explain the difference between the feeling of security and the reality of security. Quote:

We make security trade-offs, large and small, every day. We make them when we decide to lock our doors in the morning, when we choose our driving route, and when we decide whether we’re going to pay for something via check, credit card, or cash. They’re often not the only factor in a decision, but they’re a contributing factor. And most of the time, we don’t even realize it. We make security trade-offs intuitively. Most decisions are default decisions, and there have been many popular books that explore reaction, intuition, choice, and decision.

These intuitive choices are central to life on this planet. Every living thing makes security trade-offs, mostly as a species — evolving this way instead of that way — but also as individuals. Imagine a rabbit sitting in a field, eating clover. Suddenly, he spies a fox. He’s going to make a security trade-off: should I stay or should I flee? The rabbits that are good at making these trade-offs are going to live to reproduce, while the rabbits that are bad at it are going to get eaten or starve. This means that, as a successful species on the planet, humans should be really good at making security trade-offs.


Read now: The Psychology of Security


Fake Name Generator

Do you need to submit personal data to a bogus site which you don’t trust? No problem, you can be whoever they want you to be :) . I found a cool site which serves you a fake, random ID containing: name, address, email, phone, credit card number and even an SSN. http://www.fakenamegenerator.com/

