Archive for September, 2012

U.S Law Enforcement Agencies Increase Warrantless Electronic Snooping

Data obtained by the ACLU through litigation shows pen register and trap-and-trace orders jumped by more than 14,000 between 2009 and 2011.

U.S. law enforcement snooping on email and Internet communications has increased dramatically during the last two years, according to information obtained by the American Civil Liberties Union.

After months of litigation, the civil rights group obtained figures on the number of pen register and trap-and-trace orders issued by federal law enforcement agencies between 2009 and 2011. According to those figures, the number of orders jumped from 23,535 in 2009 to 37,616 in 2011, an increase of 60 percent.

“Pen register and trap-and-trace devices are powerfully invasive surveillance tools that were, 20 years ago, physical devices that attached to telephone lines in order to covertly record the incoming and outgoing numbers dialed,” blogged Naomi Gilens, legal assistant with the ACLU’s Speech, Privacy, and Technology Project. “Today, no special equipment is required to record this information, as interception capabilities are built into phone companies’ call-routing hardware.”

“Pen register and trap and trace devices now generally refer to the surveillance of information about—rather than the contents of—communications,” she explained. “Pen registers capture outgoing data, while trap and trace devices capture incoming data. This still includes the phone numbers of incoming and outgoing telephone calls and the time, date, and length of those calls.”

“But the government now also uses this authority to intercept the “to” and “from” addresses of email messages, records about instant message conversations, non-content data associated with social networking identities, and at least some information about the Websites that you visit (it isn’t entirely clear where the government draws the line between the content of a communication and information about a communication when it comes to the addresses of Websites),” she added.

Part of that increase over the past two years has come from orders covering email and network communications. While this type of Internet surveillance remains relatively rare, its use is increasing exponentially, Gilens wrote. According to the figures, the number of authorizations issued by the Justice Department to use these devices on individuals’ email and network data increased 361 percent between 2009 and 2011.

“During that same time period, the number of people whose telephones were the subject of pen register and trap and trace surveillance more than tripled,” Gilens noted. “In fact, more people were subjected to pen register and trap and trace surveillance in the past two years than in the entire previous decade.”

Gilens argued that the legal standard for pen registers is lower than for wiretaps because they are not used to capture actual telephone conversations or the content of emails.

“Specifically, in order to wiretap an American’s phone, the government must convince a judge that it has sufficient probable cause and that the wiretap is essential to an investigation,” she noted. “But for a pen register, the government need only submit certification to a court stating that it seeks information relevant to an ongoing criminal investigation. As long as it completes this simple procedural requirement, the government may proceed with pen register or trap and trace surveillance, without any judge considering the merits of the request. As one court noted, the judicial role is purely ‘ministerial in nature.’”

“In every instance cited here, a federal judge authorized the law enforcement activity,” a DOJ spokesperson said in a statement. “As criminals increasingly use new and more sophisticated technologies, the use of orders issued by a judge and explicitly authorized by Congress to obtain non-content information is essential for federal law enforcement officials to carry out their duty to protect the public and investigate violations of federal laws.”

Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/hWmpOdt6UFo/


Laws to act against data breach

Although the Personal Data Protection Act (PDPA) has yet to be enforced and a commissioner has yet to be appointed, Malaysians can still lodge complaints with the Personal Data Protection Department (JPDP) in Putrajaya.

“If you think an organisation or a person has broken the law and caused a data breach, or if you are not satisfied or happy with their response to your grouse (about the misuse of your personal details), you can file a complaint with the department.

“Even though the PDPA has not been enforced yet, there are other relevant laws that can be used to take action against the offenders and we will forward the complaints to the specific agencies, like the Malaysian Communications and Multimedia Commission (MCMC), to help those who feel that their privacy has been violated,” said its director-general Abu Hassan Ismail.

Personal data is the new currency of the digital world. That is why people are concerned about privacy, especially when they transact online. – Abu Bakar Munir

These laws include the Communications and Multimedia Act (CMA) 1998 and the Credit Rating Agency Act 2010.

For example, a person who intentionally gains access to an individual’s personal data without permission can, if found guilty under the CMA, be jailed for up to one year, fined up to RM50,000, or both.

However, Abu Hassan advised complainants to seek redress with the companies or individuals in question before considering the courts.

“If you are still not satisfied with the response or the action taken by the particular organisation, you can lodge a complaint directly to the JPDP,” he added.

The department, created in June 2011 to facilitate enforcement of the Act, was officially launched in February this year.

To date, the department has received more than 100 complaints related to personal data, out of which only eight are of offences directly related to the PDPA.

To lodge a complaint with the department, send a letter or email stating your case.

The statement has to include the name of the organisation or person you are complaining about, the reason for your grievance, the actions taken or responses made by the “offender” after you complained to them, and copies of your correspondence with the organisation or individual in question about the issue.

Abu Hassan declined to comment on the delay of the PDPA’s enforcement. Ministry sources, however, said that enforcement details would be announced as early as next month.

Universiti Malaya cyber law expert Prof Abu Bakar Munir believes that the JPDP should be converted into a commission to speed up the enforcement of the PDPA.

“It is practical that the department take time to train personnel and prepare the rules and regulations for the enforcement of the Act. The Act does not state in detail things such as registration fees and processes that companies will need to undergo.

“However, it is imperative that the Act is enforced soon as people need an avenue to seek redress for violations of their personal data and privacy,” he said.

Abu Bakar added that the delay could also impact direct foreign investment and Malaysia’s free trade agreements.

To lodge your personal data complaint, call 03-8911 5000 / 7901 or email [email protected]

Article source: http://thestar.com.my/news/story.asp?file=/2012/9/30/nation/12105331&sec=nation


Decorated soldiers’ SSNs exposed online

The Army is investigating how a defense contractor’s data breach exposed the Social Security numbers of the Army’s most highly decorated soldiers when a comprehensive awards database was posted online.

The exposed database contains 31 Social Security numbers: those of six Medal of Honor recipients — including former Staff Sgt. Sal Giunta, Sgt. 1st Class Leroy Petry and four posthumous recipients — and 25 Distinguished Service Cross recipients.

“That super sucks,” Giunta told Army Times when contacted about the breach Sept. 28. “Just the people it encompasses and who’s included, it’s like an attack on America. But people make mistakes. I wish it wouldn’t have happened.”

The database, which contains 518 records of award recipients since 2001, appeared to have been posted online by an employee of Brightline Interactive, a creative services firm in Alexandria, Va.

The database also included records of Silver Star recipients, including their names, ranks, unit information, and the date, place and a description of their action. But the Social Security numbers for the 487 Silver Star recipients were not included on the website.

The breach raises serious questions about how service members’ personal information is protected, said Joe Kasper, deputy chief of staff for Rep. Duncan Hunter, R-Calif., chairman of the House Committee on Armed Services.

“It’s a concern that their identifying information is compromised,” Kasper said. “We shouldn’t allow a mistake of this significance to happen.”

Ironically, the careless handling of information comes as the Army has rebuffed requests to share nonsensitive information about award recipients and their actions, even with members of Congress.

“I can’t overstate the resistance we’ve had trying to get a comprehensive record that appears to have been available all along,” Kasper said. “We think that there are more people who are deserving of the Medal of Honor, but trying to work with the Army’s awards branch to learn who these individuals are, we’re told this information isn’t available.”

Army Times waited to break the news of the breach until after it was corrected Sept. 28. Army Times notified Army officials of the breach, and the Army notified the contractor. Within hours, the file that contained the sensitive information was removed, said Col. Jonathan Withington, an Army spokesman at the Pentagon.

“We take these matters very seriously, and we took immediate action,” Withington said.

The Army’s Chief of Public Affairs office has provided Brightline on an annual basis with the names, pictures and award citations for all recipients of the Silver Star, Distinguished Service Cross and Medal of Honor since Sept. 11, 2001. The public affairs office obtained the information from Human Resources Command.

The firm for several years built OCPA’s “Gallery of Heroes” kiosk at the Association of the United States Army biannual conventions. However, as the Army scales back its presence at shows this year, the kiosk will not be present at the October convention, Withington said.

A Web developer who lists his employer as Brightline on the networking site LinkedIn appeared to have posted or had access to the database on a public server alongside more than a dozen more innocuous files apparently related to his work. It was unclear why the information was there.

Erik Muendel, CEO of Brightline, told Army Times he was previously unaware of the breach and did not know how the file wound up online, but he said he was investigating what was posted and how it got there.

He said his firm is only meant to receive unclassified information, and he was surprised the firm was provided with sensitive information.

“I’m assuming that that file was a derivative of information that was provided to us, but I do not know,” Muendel said Sept. 28.

The database was discovered by Doug Sterner, the curator of Military Times’ online database of valor and award citations, “Hall of Valor.” Sterner said separate searches for award recipients repeatedly led him to the Brightline database, and he downloaded it to investigate further.

Sterner said the database appears to contain records of every recipient of those awards for actions since the start of the war in Afghanistan. He called it “the most complete, correct database of its kind,” and more accurate than the Defense Department’s public database at http://valor.defense.gov.

Sterner said while the leak of personal information was unfortunate, the database represents a watershed for his mission, to publicize information about award recipients to honor them and for posterity.

“I felt like I just found buried gold on the Philippine Islands,” Sterner said of finding the database. “This was one of the single biggest award finds in my 15 years of researching awards. I was so thrilled to find this.”

Article source: http://www.armytimes.com/news/2012/09/army-decorated-soldiers-data-breach-092812w


Article source: http://www.airforcetimes.com/news/2012/09/army-decorated-soldiers-data-breach-092812w/


Datahouse Cloud Backup: Most Cyber Security Data Breaches are Inside Jobs


Birmingham, AL (PRWEB) September 28, 2012

While it’s true that hacker collectives like “Anonymous” dominate the media with their high-profile data breaches, a breach is three times more likely to be an inside job perpetrated by a company’s own employee. This helps to explain why software developers and systems integrators are beginning to see the value in making sure that their partners and end users protect their data properly: not only with a protected local copy of system data, but, more importantly, with an offsite Datahouse cloud backup copy to fall back on in the event of a disaster.

According to theinformationdaily.com, new research from Forrester finds that only 25% of data breach cases are the work of external attackers. That leaves 75% coming from inside the company. Of these, 12% involved ill intent, according to the research; 63% were caused by something more mundane, such as lost or misplaced corporate assets, the report found.

Most small to medium sized businesses do not think about the importance of their data until they suffer a disaster or hardware failure. It is often the piece of the puzzle that is never taken seriously.

Not only is it important for data to be properly protected; meeting the government regulatory requirements for the industry is just as important. Sarbanes-Oxley (SOX), the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) are just a few of the regimes that require data protection.

Business owners are beginning to demand managed online backup solutions and partners that offer the latest technology and benefits. According to Datahouse Cloud Backup, the majority of its clients are looking for:

Agentless operation, resulting in safer, easier to maintain and painless backups.

Free software and no maintenance fees.

Data de-duplication and compression before data is sent offsite (minimising the data stored and transmitted).

Being charged only for the data they store.

A data center that is SAS 70 Type II certified, with all data encrypted in transit and at rest.

Restores that are available at any time, with no limits and no charges.

A partner who will personally work with you to set up your backups and verify that they work and that you are protecting the data that matters to your business. This includes someone who picks up the phone when you need help restoring lost or corrupted data.

Thanks partly to media monitoring and reporting of breaches, there has been a recent surge in the number of companies seeking to strengthen their data recovery plans. Datahouse Cloud Backup is looking for resellers and partners interested in offering its Asigra-powered system to their users. The company will work with software resellers and technical support companies to help them deliver a hybrid cloud backup and recovery solution to their customers, and its program also gives resellers a way to generate monthly recurring revenue.

Companies or individuals interested in becoming a reseller should contact 205-972-9270 or visit Datahouse Cloud Backup

About Datahouse
For over two decades, Datahouse has delivered multi-platform services and solutions for a variety of industries. From individuals needing a small system to large organizations needing a higher level of control, the company will design and customize a backup system to meet your data backup needs and requirements. Using the most reliable, flexible and secure system, Datahouse will tailor any combination of offsite, on-premise and/or replicated systems. With 25 years of experience and extensive knowledge of security compliance, Datahouse is familiar with industries’ legal requirements and will accommodate any corporate mandates. We provide more than insightful technology solutions; we provide peace of mind.

This information is being distributed for the client by Philip Cardwell at Universal Media Consultants. From top magazines to leading TV stations, UMC has been very effective at distilling clients’ messages in the major national media. The aim is simple: to multiply message impact and client exposure in highly targeted markets, quickly, imaginatively and cost-effectively. For more information visit: Universal Media Consultants

Read the full story at http://www.prweb.com/releases/2012/9/prweb9958233.htm

Article source: http://www.equities.com/news/headline-story?dt=2012-09-28&val=537531&cat=finance


MoH, DSC recipients’ Social Security numbers exposed

A defense contractor’s data breach left vulnerable the Army’s most highly decorated soldiers when a comprehensive awards database — including Social Security numbers — was available online, Army Times has learned.

The exposed database contains 31 Social Security numbers for six MoH recipients — including former Staff Sgt. Sal Giunta and Sgt. First Class Leroy Petry and four posthumous recipients — and 25 Distinguished Service Cross recipients since Sept. 11, 2001.

“That super sucks,” Giunta said when notified by Army Times. “It’s like an attack on America.”

The database, which contains 518 records of award recipients, appeared to have been accessed online by an employee of Brightline Interactive, a creative services firm in Alexandria, Va.

The database was closed to the public after Army Times notified Army officials, who notified the contractor of the breach. Army Times withheld reporting the breach until after the data was closed to the public.

The Social Security numbers for the other 487 award recipients were not included on the website.

A web developer who lists his employer as Brightline on the networking site LinkedIn appeared to have the database alongside more than a dozen more innocuous files on a public server.

Erik Muendel, chief executive officer of Brightline, told Army Times he was unaware of the breach and did not know how the file wound up online, but he was investigating what was posted and how it got there.

He said Brightline makes use of such data as part of a contract with the Army Chief of Public Affairs office to build a “Gallery of Heroes” exhibit at the Association of the United States Army conventions.

He said his firm is meant to receive only unclassified information, and he was surprised the firm was provided with sensitive information.

“I’m assuming that that file was a derivative of information that was provided to us, but I do not know,” Muendel said.

According to an operations order obtained by Army Times, Human Resources Command was tasked with providing OCPA with the names, pictures and award citations for all recipients of the Silver Star, Distinguished Service Cross and Medal of Honor since Sept. 11, 2001.

An Army spokesman did not immediately respond to a request for comment.

The database was discovered by Doug Sterner, the curator of Military Times’ own online database of valor and award citations, “Hall of Valor.”

The database included records of Medal of Honor, Distinguished Service Cross and Silver Star recipients, including their names, ranks, unit information, and the date, place and a description of their actions.

Sterner said the database appears to contain records of every recipient of those awards since the start of the Global War on Terror and called it the most complete database of its kind.

Article source: http://www.armytimes.com/news/2012/09/army_breach1_092812w


What’s the Meaning of This: Adobe Certificate Attack

The news yesterday that Adobe had been compromised and that the attackers were able to get valid Adobe signatures on a pair of malware utilities is one of the more worrisome and troubling stories in what has become a year of huge hacks and historic change in the security industry. Adobe was forthcoming with many of the details of the attack, but the ones that were omitted are the ones that really make a difference in this instance.

As in most of these cases, what we know is mostly the results of the attack. We know that the attackers found a weak spot somewhere on Adobe’s corporate infrastructure and found a way in. Adobe has not identified what the vulnerability was, where the compromised machine sat on its network or how the attackers were able to compromise it in the first place. Was it a phishing email, a la the RSA hack? Or was it something less pedestrian? We don’t know.

We do know that once the attackers were inside, they began moving around until they found the machine that they were really interested in: a build server. They got there by using what Brad Arkin, Adobe’s top security and privacy official, said were techniques typically seen from APT-style attackers.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” Arkin said.

So once the attackers had access to the Adobe build server, they simply requested signatures for their malicious utilities, got them, and went on their merry way. The attack itself is somewhat interesting, but what’s most interesting is what the attackers went after once they were on the network. They weren’t so much interested in Adobe’s corporate assets or source code, but rather the company’s reputation. They wanted the authority that came along with having their utilities signed with a legitimate Adobe certificate.

If that sounds familiar, it’s because that tactic is similar to one used by the Flame malware authors. In that case, the attackers were able to find a hash collision that enabled them to forge a Microsoft certificate and sign some components of the malware. They then set up a Windows Update server and had clients on a compromised network connect to it, rather than the real WU server, to download the Flame malware.

The fact that Adobe was the target of a similar kind of attack should come as no surprise, really, as those attackers have been targeting the company’s applications for years. Adobe Flash is the most widely deployed application in the world and its other apps, including Reader and Acrobat, are favorite targets of attackers looking for ways to compromise high-value systems. In the last couple of years, most of the zero-day vulnerabilities found in the company’s software have been discovered by attackers at the top of the food chain, Arkin said, and that pattern fits the attack announced yesterday, as well.

“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in a keynote speech at the United Security Summit last year. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”

One interesting thing to come out of Adobe’s public remarks on the attack is the fact that the attackers were not able to get to the Adobe key directly. The key was stored in a hardware security module in a physically protected location, rather than in software. That’s a plus. The bad news is that the attackers found another way to get what they wanted, and a clever way at that.

So has the attack on Adobe given us any new information or insight into the tactics of the high-level attackers working right now? Not really. We knew that they are resourceful, knowledgeable, patient and smart. And we knew that they are going after the biggest targets in the U.S.: software companies, utilities, financial services companies, government agencies and defense contractors.

What this latest incident does is underscore each of those points and emphasize, again, how difficult it is for even the most well-funded and sophisticated organizations to defend against these attackers. Such is life at the top of the food chain.


Article source: http://threatpost.com/en_us/blogs/whats-meaning-adobe-certificate-attack-092812


Mozilla’s Persona Web Authentication System Moves into Beta

Mozilla is trying to deal a two-fisted blow to the continued use of passwords as an online authenticator, and to the practice of using social media username-password combinations as a persistent login on other sites. Its Persona project has moved into its first beta release, promising developers and website users a better and more private authentication experience.

Persona, when integrated into a website, eliminates the need for users to enter a site-specific password; once an identity has been registered, the user’s email address is the only identifier the site asks for, and the browser supplies the proof.

According to the Mozilla developer site, instead of requiring a password, the user’s browser generates a cryptographic identity assertion that lasts only a few minutes and works only for one site. Sites therefore no longer need to store passwords, and so cannot lose them to an attacker.

“The browser obtains credentials from the user’s email provider, and then turns around and presents those credentials to a website. The email provider can’t track the user, but websites can still be confident in the user’s identity by cryptographically verifying the credentials,” the developer site said. “Most other systems, even distributed ones like OpenID, require that the sites ‘phone home’ before allowing a user to log in.”

    Since introducing it in July 2011 as BrowserID, Mozilla has overhauled the API developers use to integrate it into sites and has enhanced first-time sign-up to simplify the process for users.

    “Our goal is simple: We want to eliminate passwords on the Web,” Mozilla’s Ben Adida wrote in a blog post. Adida leads Mozilla’s identity efforts.

    Adida said Persona Beta 1 supports all desktop and mobile browsers and can be deployed quickly, sometimes in as little as 15 minutes.

    “When you deploy Persona on your website, you’re showing respect for your users and their data,” he wrote. “You’re only asking for the data needed to log them in and users know they’re only sharing exactly what’s shown on the screen.”

    Persona, Mozilla said, affords users the option of not using Facebook, Twitter and other social media log-ins as authenticators and being subject to the website tracking and other privacy implications of doing so. “[Persona] is also designed with the Mozilla values in mind,” Adida said.


    Article source: http://threatpost.com/en_us/blogs/mozillas-persona-web-authentication-system-moves-beta-092812


    Adobe Releases Security Bulletin About Code Signing Certificate

    Microsoft Releases Security Advisory for Internet Explorer

    added Wednesday, September 19, 2012 at 9:42 am | updated Friday, September 21, 2012 at 2:21 pm

    Microsoft has released Security Advisory 2757760 to address a vulnerability in Microsoft Internet Explorer 6, 7, 8, and 9. This vulnerability may allow an attacker to execute arbitrary code if a user accesses specially crafted HTML documents (e.g., a web page or an HTML email message or attachment).

    US-CERT encourages users and administrators to review Microsoft Security Advisory 2757760. This advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate the risk against known attack vectors.

    Additional information regarding CVE-2012-4969 can be found in the US-CERT Technical Alert TA12-262A and Vulnerability Note VU#480095.

    Update: Microsoft has released an out-of-band patch to address this vulnerability. US-CERT encourages users and administrators to review Microsoft Security Bulletin MS12-063 and apply any necessary updates to help mitigate the risk.

    Article source: http://www.us-cert.gov/current/#adobe_releases_security_bulletin_revokes



    Cloud Security Vendor Qualys Goes Public

    The company, which sells its flagship QualysGuard Cloud Platform, is hoping to raise more than $98 million to invest in people, capital, sales and R&D.

    Qualys, which offers cloud security solutions, is the latest tech company to go public, with an initial offering Sept. 28 that company executives hope will raise more than $98 million.

    Qualys officials talked about an initial public offering (IPO) earlier this month, saying at the time that they hoped to sell almost 7.6 million shares for between $11 and $13 a share, with the goal of raising $98.9 million. At the time, they said they wanted to use the money for capital expenditures as well as making new hires, investing in sales and marketing, and growing the company’s research and development budget.

    According to some reports, Qualys shares hit the market Sept. 28 right in range with expectations, selling at $12 million on the NASDAQ Stock Market and rising to about $12.25 around mid-day. Aside from Qualys itself, Hewlett-Packard is reportedly the largest seller, and is selling all of its 496,066 shares of Qualys stock.

    Qualys, which was founded in 1999, offers its QualysGuard Cloud Platform, a cloud-based managed-security service that enables businesses to better understand the security issues in their infrastructures. The flagship QualysGuard offering is particularly useful to companies that run distributed data centers and IT infrastructures. Through the security-as-a-service offering, businesses can identify the various IT assets on their networks, collect and analyze the IT security data generated by their infrastructures, find and fix vulnerabilities and malware, and ensure compliance with internal policies and external regulations.

    The company’s QualysGuard Cloud Suite of solutions includes Vulnerability Management, which automates network auditing and vulnerability management; Policy Compliance, for reducing internal and external risks; and Web Application Scanning, for identifying Web application vulnerabilities.

    According to a report in MarketWatch, Qualys saw revenue jump to $43.4 million in the first two quarters, a 20 percent increase over the same six months in 2011. However, it lost $600,000, due in part to increased sales and marketing activity. It was profitable from 2009 to 2011.

    Qualys is the latest tech company to go public this year, with most of the others overshadowed by Facebook’s giant offering in May. Other high-profile offerings included Palo Alto Networks, which makes next-generation firewall software. Palo Alto Networks went public in July hoping to raise as much as $250 million, and its shares have reportedly risen 50 percent since.

    Another cloud IT company that has done well since its IPO earlier this year is Splunk, whose technology enables businesses to monitor the massive amounts of data being generated by IT systems and infrastructure, whether they’re physical, virtualized or in the cloud. Using Splunk’s solutions, businesses can not only monitor the data, but search, analyze and act on the data.

    According to reports, Splunk’s shares have more than doubled since its initial offering in April.

    Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/2uRpEbaDIjc/

