InfoSec News

Dell on Tuesday reported a 177% year-over-year increase in net income for its fourth fiscal quarter of 2011, driven by growth in enterprise server and PC sales.
Oracle Java SE and Java for Business NTLM Credentials Information Disclosure Vulnerability
Oracle Java 'Applet2ClassLoader' Class Unsigned Applet Remote Code Execution Vulnerability
A prominent encryption expert at the annual cryptographer's panel at RSA Conference 2011 said poorly implemented encryption deployments are being stymied by employee errors.

In the face of heightened cyberthreats, the Pentagon is pursuing a multi-pronged defense strategy that includes a reliance on private sector participation, William J. Lynn, III, U.S. Deputy Secretary of Defense, said in a keynote Tuesday at RSA Conference 2011.

“To this point, the disruptive attacks we’ve seen are relatively unsophisticated in nature. In the future, more capable adversaries could potentially immobilize networks on a wide scale for much longer time,” he said.

It’s not impossible to imagine attacks on military networks or critical infrastructure that could cause severe economic damage or even loss of life, Lynn said. The nation must prepare for the likelihood that a cyberattack will be part of a conventional attack, he said. Al-Qaida hasn’t yet launched a cyberattack, but it has vowed to, he said.

nd at an important junction of development of cyberthreats… most malicious actors haven’t laid their hands on the most harmful capabilities. But this situation won’t last forever,” he said. “We need to develop stronger defenses before this occurs. We have a window of opportunity to gird our networks against more serious threats.”

For the past two years, the Defense Department has deployed specialized defenses to defend military networks, officially recognizing cyberspace as a domain of warfare, he said. The Pentagon’s cyberstrategy relies on “active defenses” — a more dynamic approach that Lynn described as operating at network speed and using sensors to stop malicious code before it executes.

The military is also working to build collective defenses with its allies to cooperatively monitor networks for cyberdefense, he said. But a major part of the strategy is working with the private sector through information sharing and working with key technology companies to improve cybersecurity, he said. To that end, the Defense Department announced an expanded IT exchange program that Lynn said will allow for the exchange of IT and security personnel between government and industry.

It also is adding half a billion dollars in funding for research into cloud computing, encryption and virtualization technologies, Lynn said.

“Over the long term, we must develop technology that reverses the advantage of those seeking to steal our secrets and cause us harm. … The challenge we face today in cybersecurity — it’s global in scope and requires government working closely with industry.”

Not sure if you have seen our latest pet project - HTTP Headers. This is ISC's effort to track HTTP response headers returned by major sites on the Internet. Our main goal at this point is to monitor the use of security-related headers. However, we are collecting all headers, in part to monitor changes over time in the way administrators configure web servers.
Browsers have been somewhat ignored in the past when it comes to web application defense, in part because an application can't count on the user using any particular browser (or any browser at all). Attacks, on the other hand, increasingly use the browser as an offensive tool to reflect attacks via cross-site scripting, cross-site request forgery or clickjacking. In all of these attacks the browser plays a major role.
The different attention paid to browsers is understandable. An attacker can be perfectly happy if an attack only works for a small percentage of the population: if only users with Internet Explorer 6 on Windows XP are affected, it is still a successful attack. For the defender, the picture is different: if a particular browser protection is only enabled in 90% of browsers, one out of 10 visitors will still be affected by the attack.
This changes, however, if one is willing to accept browser defenses as an added defensive layer instead of a replacement for good application security. In addition, standards are emerging to make it easier for browsers to provide meaningful protection. But none of this will work if it is not used.
We periodically reach out to the sites listed in the Alexa Top sites and track the HTTP headers returned by the web servers. We intend to track the changes over time and see how security-related HTTP headers are used in real-world sites.
Some of the preliminary findings are as follows:

Only very few sites use the X-FRAME-OPTIONS header. This is a reliable way to deal with clickjacking attacks in newer browsers, but it will also block framing of web sites by friendly sites. As currently implemented, the option allows for very little adjustment.
X-XSS-Protection is used rarely by top sites (about 450 of the top sites). This is an IE 8+ supported header to enable or disable the XSS protection feature in the browser. Only a few sites out of the hundreds turn off XSS protection by setting the value of this header to 0. The vast majority of the sites using this header enable the protection by setting the value to 1 with mode=block, which makes the browser block the page instead of sanitizing its content.
Set-Cookie2 is only used by two of the sites that we query. This is a largely ignored way of setting cookies, as specified in RFC 2965.
X-Hacker caught our eye. This is actually a job ad from the guys who developed the WordPress blogging software.

If you spot any interesting security-related headers on our list and want to share them with us, please write in using the ISC contact form. (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
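As an added example (not ISC's code), the following Python script parses constructed HTTP responses and classifies the headers the survey above tracks: X-Frame-Options, X-XSS-Protection (0, 1, and 1; mode=block), Set-Cookie2, and unrecognised custom X- headers such as X-Hacker. The sample responses and the KNOWN header set are assumptions made for the example.

```python
"""Classify the security-related response headers the ISC survey tracks.
Added example, not ISC code; the response blocks are constructed samples."""
from collections import Counter

# Headers the diary discusses, plus two common X- headers that are not
# site-specific curiosities (so they do not show up as "custom").
KNOWN = {"x-frame-options", "x-xss-protection", "x-powered-by",
         "x-content-type-options"}


def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response (status line + header block) into a
    {lower-case name: [values]} map; repeated headers keep every value."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify(headers: dict) -> dict:
    """Report how a single response uses the headers the survey looks at."""
    result = {
        "x_frame_options": None,   # e.g. DENY or SAMEORIGIN when present
        "xss_filter": "not set",   # not set / disabled / enabled / enabled+block
        "set_cookie2": "set-cookie2" in headers,
        "custom_headers": sorted(h for h in headers
                                 if h.startswith("x-") and h not in KNOWN),
    }
    if "x-frame-options" in headers:
        result["x_frame_options"] = headers["x-frame-options"][0].upper()
    if "x-xss-protection" in headers:
        # "0" disables the IE filter; "1" enables it, optionally with
        # "mode=block", which blocks the page instead of sanitising it.
        value = headers["x-xss-protection"][0].replace(" ", "").lower()
        directives = value.split(";")
        if directives[0] == "0":
            result["xss_filter"] = "disabled"
        elif directives[0] == "1":
            block = "mode=block" in directives[1:]
            result["xss_filter"] = "enabled+block" if block else "enabled"
        else:
            result["xss_filter"] = "unrecognised"
    return result


def survey(responses) -> Counter:
    """Tally header usage across many responses, as the ISC survey does."""
    tally = Counter()
    for raw in responses:
        c = classify(parse_headers(raw))
        tally["total"] += 1
        tally["x-frame-options"] += int(c["x_frame_options"] is not None)
        tally["xss:" + c["xss_filter"]] += 1
        tally["set-cookie2"] += int(c["set_cookie2"])
    return tally


# Constructed sample responses (not captured from any real site).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n<html>...",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 0\r\n"
    "Set-Cookie2: sid=abc123; Version=1; Path=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: PHP\r\n"
    "X-Hacker: constructed placeholder for a job-ad header\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(parse_headers(raw)))
    print(dict(survey(SAMPLES)))
```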
Hundreds of thousands of KWh are being consumed by the use of memory components in servers today. By adopting more energy-efficient components in optimized server architectures, such as lower voltage DRAMs and advanced solid-state drives (SSDs), data centers can drastically reduce power consumption and associated energy costs.
Juniper Networks has begun unifying products from its acquisition of Altor Networks, combining the vGW Virtual Gateway with the SRX Series Services Gateway for virtual machine security.
Oracle Java SE and Java for Business Java Runtime Environment Remote Code Execution Vulnerability
Researchers and analysts say IBM's Jeopardy-playing Watson supercomputer could mark the start of a period of significant advances in artificial intelligence research.
Asus' ultrathin U41JF is designed to be both powerful and portable, with a chassis around one inch thick and a Nvidia graphics card. Unfortunately, the entire notebook looks cheap, despite obvious attempts to make it look otherwise. This notebook has all the right parts, from the brushed-aluminum cover to the chiclet-style keyboard and fancy graphics card (though no Sandy Bridge processor or Blu-ray drive), but it's still very obviously a budget machine.
Since his appointment as Yahoo's CTO last June, Raymie Stata has been on an intense ride. He is part of the executive team charged with building Yahoo's technology strategy and spurring innovation to drive growth and attract more users to the site. Stata has been with Yahoo since 2004 and was previously its chief architect. Other members of the team include Chief Scientist Prabhakar Raghavan and Stata's boss, Chief Product Officer Blake Irving, both of whom report to CEO Carol Bartz.
Oracle Java SE and Java for Business CVE-2010-4475 Remote Java Runtime Environment Vulnerability
Oracle Java SE and Java for Business CVE-2010-4465 Remote Java Runtime Environment Vulnerability
Oracle Java SE and Java for Business Java Runtime Environment CVE-2010-4454 Remote Vulnerability
Oracle Java SE and Java for Business CVE-2010-4463 Remote Java Runtime Environment Vulnerability
Solera Networks has updated its OS network forensics platform, adding reporting of malware threats, new application classification and tools to give more visibility into the network.
IBM continues to roll out new components for the zEnterprise 196, the mainframe it released last summer.
OpenSSL OCSP Stapling 'ClientHello' Handshake Message Parsing Security Vulnerability
Zscaler launched its mobile device security service to provide continuity of each user's security policy across a variety of devices including iPhones, iPads and Android devices.
Fidelis Security Systems and CloudShield Technologies Inc. have entered into an agreement to offer Fidelis' data breach prevention solutions on CloudShield's bladecenter.
Lieberman has announced a new version of Enterprise Random Password Manager that integrates with ArcSight ESM, RSA enVision and Q1 Labs QRadar.
A security researcher yesterday disclosed a new unpatched bug in Windows that some experts believe could be used to remotely hijack a PC.
Should ISPs be the ones who keep hacked PCs off the Internet? Microsoft's chief security executive used to think so, but now he's had a change of heart.
At the kickoff of IBM's PartnerWorld conference, IBM announces new incentives for partners.
As businesses increasingly adopt tablets, Intel wants to bring those devices under control by implementing remote management and security capabilities in hardware and software, the company said this week.
Hardware and software fraud pose serious threats according to a supply chain expert who says the lack of security is flooding the market for fraudulent devices and parts.
Microsoft Vice President of Trustworthy Computing Scott Charney at the RSA Conference 2011 discussed Collective Defense, Microsoft's proposed Internet health check system for consumer computers, and how it should be implemented not by governments and ISPs, but by enterprises.
Kingston Digital has added the Data Traveler 4000 (DT4000) and Data Traveler Vault—Privacy Managed (DTVPM) to its line of portable device security products.
Oracle has released a new update for the Java environment; it contains fixes for security issues. Time to get your Java environment up to date again.
The details on this update can be found at
Happy Java Patching! (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Nokia and Microsoft announced ahead of the Mobile World Congress trade show that Nokia would ditch its current mobile operating systems and use Windows Phone. Will you buy a Nokia running Windows Phone 7?
Tembria Server Monitor Weak Cryptographic Password Storage Vulnerability
Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities
Identity Finder has added to its line of data loss prevention products with Identify Finder 5.0 for Windows and Mac operating systems, plus a new Identity Finder DLP console.
Voltage announced SecureMail v4 to make email security management easier for the user, including support for Microsoft Exchange and BlackBerry devices.
RSA, a division of EMC, has announced Cloud Trust Authority to address cloud computing security issues. It includes features from VMware and RSA's own GRC platform.
John Donovan, AT&T's chief technology officer, is making what he calls 'creepy' and 'spooky' -- but ultimately good -- predictions for wireless computing and communications in the cloud in 2020.
In a keynote address at the RSA Security Conference here, RSA chief Art Coviello struck an optimistic tone about the future of security in cloud computing environments.
A new industry group has proposed a standard that would use storage on a mobile device to preemptively download content in order to alleviate network bottlenecks and the resulting rebuffering issues.
Data center centralization and consolidation. Cloud computing. Latency-sensitive (real-time and interactive) applications such as VoIP, videoconferencing and virtual desktop infrastructures (VDI). Business continuity and disaster recovery. These enterprise trends are among those driving the need for a WAN access layer that is scalable, reliable and cost-effective.
In order to view 3D without glasses, LG applied parallax barrier technology, which puts a series of slits on the front of the LCD screen that block light. That ensures a user's left and right eyes see different images.
Samsung refreshed its lineup of tablets and smartphones at Mobile World Congress in Barcelona this week.
Apple today unveiled the details of its App Store subscription plan, and confirmed that it will demand its usual 30% from publishers who sell content within their apps.
Google CEO Eric Schmidt took to the stage at Mobile World Congress in Barcelona Tuesday to talk up the Android OS for tablets and phones, in addition to giving nods to Chrome, search and YouTube.
Internet censorship hurts the governments that use it, Secretary of State Hillary Clinton said in a speech at George Washington University on Tuesday.
Sony Ericsson officially debuted the Xperia Play smartphone at Mobile World Congress in Barcelona Sunday. It combines a traditional mobile phone with a portable gaming console.
Aircrack-ng EAPOL Packet Processing Buffer Overflow Vulnerability
[ MDVSA-2011:028 ] openssl
ValidEdge unveiled its Network Malware Security system, designed to stop unknown zero-day malware and single-target malware attacks.
LynuxWorks demonstrated its enterprise platform for secure virtualization running on multiple devices and using ValidEdge Network Malware Security (NMS) LynxSecure.

SAN FRANCISCO — It’s pretty tough to get a cynical, often paranoid, group of people to rise in unison in approval. It’s pretty tough, however, not to extend a standing ovation to cryptography and security pioneers Ron Rivest, Adi Shamir and Len Adleman, the R, S and A in RSA Security. The trio that developed the algorithm at the heart of a company and the security industry were honored this morning at RSA Conference 2011 with the RSA Lifetime Achievement Awards.

Rivest, Shamir and Adleman stood while conference founder and the award’s namesake Jim Bidzos rattled off an endless list of accomplishments and contributions to the security industry aside from the RSA algorithm. The announcement was preceded by a 20-minute video on the making of the RSA cryptosystem and included poignant memories and comments from friends, family and colleagues of all three men, in addition to their insights.

“We have indeed been fortunate to stand on the shoulders of giants,” said RSA executive chairman Art Coviello.

The Rivest, Shamir, Adleman paper of 1977, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” is the foundation for security in ecommerce; more than one billion digital certificates are validated daily in support of transactions carried over SSL, Bidzos said.

Rivest has been a professor at MIT for 35 years and was one of the developers of the MD hash functions, as well as the RC4 algorithm. He is currently focusing his efforts on machine learning and electronic voting research and policy development. Shamir wrote the seminal paper “How to Share a Secret” and received the Pope’s Pius XI gold medal. The three current deans of Israel’s top technology institutes were Shamir students, at the same time. Adleman, meanwhile, is also an MIT professor known for breaking the Knapsack cryptosystem, as well as for the creation of DNA computing.
HTB22823: SQL Injection in Seo Panel
HTB22824: SQL Injection in Seo Panel
HTB22826: Multiple XSS vulnerabilities in Wikipad
HTB22830: Multiple XSS vulnerabilities in Gollos
Networking giant Cisco Systems is realigning its enterprise security strategy with a new emphasis on contextual security that seeks to protect emerging technology like the iPad.
WhiteHat announced the Sentinel PreLaunch (PL) service to detect website vulnerabilities and verify them with WhiteHat's Threat Research Center.
[USN-1062-1] Kerberos vulnerabilities
[USN-1063-1] QEMU vulnerability
Re: Linksys WAP610N Unauthenticated Root Console
Many network security professionals take the wrong approach when testing their networks, according to one prominent security expert.
PhoneFactor has been selected by Microsoft to provide multifactor authentication for HealthVault users.
You, your company and I, along with just about everybody subscribing to telephone service in the United States, are hit with a surcharge on our phone bills that goes into a Universal Service Fund (USF).
Cisco has unveiled a self-described "complicated" security architecture dubbed SecureX that it says provides a context-aware way to safeguard networks increasingly overrun with smartphones, tablets and virtualization.
Here are five key tips to help your government agency or enterprise avoid being the source of the next Wikileak.
I know what you're thinking--but hear me out. Plenty of reasons for doing an online background check exist, and not all of them are sketchy.
Motorola appears to have firmly shut the door on the possibility of using Windows Phone software.
Symantec Enterprise Protection 12 suite uses new Insight and SONAR technology to monitor executables and provide reputation scoring to its traditional malware signature approach.
Mark Twain once said, "Everyone talks about the weather, but no one does anything about it." Much like the Firefox version, free Chrome extension Forecastfox Weather may not let you change the weather, but it does a great job of putting the weather at your fingertips, wherever you are on the Web.
VMWare is showing a mobile virtualization platform that will let people run a personal profile and a separate, secure profile for work applications on the same Android phone.
AT&T Chairman Randall Stephenson today prodded carriers, manufacturers and regulators around the globe to create openness and interoperability in mobile devices, platforms and networks in a keynote address at the Mobile World Congress.
The use of femtocells -- small base stations that extend mobile coverage in buildings -- is growing fast, driven in part by enterprises, executives said Tuesday during the Mobile World Congress in Barcelona.
Google Chrome prior to 9.0.597.84 Multiple Security Vulnerabilities
Google Chrome prior to 9.0.597.94 Multiple Security Vulnerabilities
The Mozilla Foundation expects to release the final code for the Firefox 4 browser for Android mobile devices in a few weeks, with one more beta version to be released in the next week or so.
Hewlett-Packard wants to manage the construction phase of its clients' data center projects, hoping to expand its revenue from this area and, it says, help customers complete projects more quickly and for as much as 30 percent lower cost.
Incentive auctions of TV spectrum in the U.S. could raise $36 billion or more, two trade groups say.
Microsoft on Monday began pushing the release candidate of Internet Explorer 9 (IE9) via Windows Update's automatic delivery service to users already running the unfinished browser.
Intel's Solid-State Drive 310 Series is one-quarter the size of a credit card, can be used in handhelds as a primary drive or in laptops, netbooks or PCs as a secondary boot drive. Diminutive in size, it offers respectable storage and performance.
The White House is proposing a big increase in cybersecurity research and development in next year's budget to improve, in part, its ability to reduce the risk of insider threats and ensure the safety of control systems, such as those used at power plants.
Yoh's Tammy Browning offers some advice on making your way up the corporate ladder.
LG Electronics expects to sell more than 30 million smartphones this year, a fourfold increase over 2010, when it stumbled by being late to catch on to the smartphone trend.
WP Forum Server for WordPress Multiple SQL Injection Vulnerability
abcm2ps Versions Prior to 5.9.12 Multiple Vulnerabilities

DragonSoft DVM Receives 5-star on SC Magazine Review
Newswire Today (press release)
1 info-sec magazine published the annual report in February 2011. SC Magazine is the world's No. 1 info-sec magazine; its product reviews receive high recognition from the international community and security professionals, and the chosen products have significant ...

Posted by InfoSec News on Feb 14

Forwarded from: Yacine Zemali <yacine.zemali (at)>

[Apologies if you receive multiple copies. Please distribute this call
to interested parties.]


3rd Workshop on Intelligent Security
Security and Artificial Intelligence (SecArt-11)...

Posted by InfoSec News on Feb 14

By Jeff Chirico
CBS Atlanta Investigative Reporter
February 14, 2011

ATLANTA -- CBS Atlanta is asking Tough Questions about the credentials
of the self-proclaimed "world's No. 1 hacker." Gregory D. Evans, of
Atlanta, has appeared on numerous national and local news programs to
speak about Internet security issues. But an investigation has revealed
his questionable past, uncertain...
MIT Kerberos KDC Principal Name LDAP Request NULL Pointer Denial Of Service Vulnerability
MIT Kerberos KDC LDAP File Descriptor Leak Denial Of Service Vulnerability

Posted by InfoSec News on Feb 14

Forwarded from: Richard Forno <rforno (at)>

First off: this is the same Leon Panetta who told a Congressional
committee last week that his official estimate that Mubarak would step
down on DayX was based on "media reports."
If that's how they're dealing with real-world concerns, I'm not sure we
want to know who's...

Posted by InfoSec News on Feb 14


Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, February 6, 2011

21 Incidents Added.


DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...

Posted by InfoSec News on Feb 14

By Ben Grubb
The Sydney Morning Herald
February 14, 2011

Computers which coordinate NSW's ambulances all finally returned to
normal Monday afternoon after a virus forced staff to shut them down for
more than 24 hours.

One source who used to work closely with the Computer Aided Dispatch
System (CAD) system told this website that...