Why can't all the config files have the credentials encrypted? (This includes NeWT the last time I checked too.) If the application is storing the credentials, it should be at least partially responsible for protecting them. At bare minimum it should be spelled out plainly to anyone who may use it that their credentials are being stored locally in plaintext.

Other scanners like ISS keep locally encrypted credentials (they have a related unresolved issue in their GUI, though). I know of a couple organizations that are not able to use Nessus (but would like to) because their security policy prohibits the use of any application that stores credentials in plaintext.

----- Original Message -----
From: "Michel Arboi" <[EMAIL PROTECTED]>
To: "Kevin Davis" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Monday, March 07, 2005 7:03 PM
Subject: Re: Nessus wx-1.4.5a communication protocol tracer password revelation

On Tue Mar 08 2005 at 00:52, Kevin Davis wrote:

> Why bother?  Over a year ago I brought up the issue that both Nessus
> and NessusWX store these credentials locally in plaintext in a config
> file.  No one seemed to think (aside from CERT) it was a big deal then.

There are ways to protect those "nessusrc" files, e.g. store them on removable media or an encrypted disk. Any trick at the Nessus client level would be security by obscurity.


_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
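A concrete version of the check the thread is arguing about, added here as an example and not taken from the thread or from Nessus itself: it audits a nessusrc-style file for group/other-readable permissions (Michel's file-level protection) and for non-empty password-like fields (Kevin's plaintext-storage concern). The begin()/end() layout, the key names and the sample account and secrets are all constructed assumptions, not the real file format.

```python
import os
import re
import stat
import tempfile

# Keys whose values are credentials, matched case-insensitively against the key part.
CREDENTIAL_KEY = re.compile(r"password|passphrase|secret|community", re.IGNORECASE)
# nessusrc-style preference line "<key> : = <value>"; this layout is assumed, not from the thread.
PREF_LINE = re.compile(r"^\s*(?P<key>[^=]+?)\s*:?\s*=\s*(?P<value>.*)$")

# Constructed sample in the assumed layout; account name and secrets are made up.
SAMPLE_NESSUSRC = """\
begin(PLUGINS_PREFS)
 SMB Authorization[entry]:SMB account : = scanuser
 SMB Authorization[password]:SMB password : = hunter2
 SNMP settings[entry]:Community name : = public
end(PLUGINS_PREFS)
"""

def audit_config(path):
    """Return findings: loose file permissions and non-empty credential-like fields."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {oct(mode)} is readable by group/other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = PREF_LINE.match(line)
            if not m:
                continue
            key, value = m.group("key").strip(), m.group("value").strip()
            if CREDENTIAL_KEY.search(key) and value:
                # Report key and line only; never echo the credential into a report.
                findings.append(f"line {lineno}: plaintext value for '{key}'")
    return findings

def demo(world_readable=True):
    """Write the constructed sample to a temporary file, audit it, then remove it."""
    with tempfile.NamedTemporaryFile("w", suffix=".nessusrc", delete=False) as fh:
        fh.write(SAMPLE_NESSUSRC)
        path = fh.name
    os.chmod(path, 0o644 if world_readable else 0o600)
    try:
        return audit_config(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

With the sample chmod'ed to 0644 the audit reports the loose mode plus the SMB password and SNMP community fields; with 0600 only the two plaintext fields remain, which is the part no file permission fixes.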
