SAINT 7.9 Product Release
From Saint Newletter:
Key New Features in SAINT 7.9
Vulnerability Scanner
Microsoft Patch Tuesday scan policy – This scan policy checks for the latest published Microsoft Patch Tuesday vulnerabilities (2nd Tuesday of each month)
New Vulnerability Check Type Coverage now includes –
Blind SQL injection
Flash application –
- Flash application allows object access from all domains
- Flash application contains database connection string
- Flash application debugging output
- Flash application FlashVars cross-site scripting
- Flash application cross-site scripting via GET request to javascript
- Flash application LocalConnection cross-site scripting
- Flash application contains MD5 hash
- Flash application contains SHA-0 or SHA-1 hash
- Flash application text field cross-site scripting
PCI Special Notes for the PCI Executive report format (Part 3b) can be customized
Multitasking improvements –
- Increased scanning threads from 10 to 20
- Compute optimal number of concurrent processes in every iteration
- New formula uses more granular CPU speed benchmark and takes process size and available swap space into account
Check Login button – Instantly reports whether the provided Windows authentication credentials are correct
Improved host type fingerprinting – Uses Nmap in conjunction with full port scan for the best possible fingerprint
Nmap Progress bar – Displays Nmap progress in the control panel during long Nmap runs
Ability to simultaneously select/deselect all scheduled scans (including scans set up as part of a scan window) on the scan schedule page that are related to the same scan
Custom email “display name” for email alerts of scans
Run local Unix/Linux/Mac checks using successfully guessed SSH login/password pairs
Penetration Testing
| Mac Camera Image Capture Exploit Tool – This tool attempts to retrieve an image file captured by an iSight camera such as the one built into a MacBook. If it is successful, the picture is displayed. |  |
Mac OS support in Download Connection exploit tool
Phishing improvements –
- Ability to automatically replicate a real site
- Ability to customize the message which is displayed after form submission
Easier, more intuitive exploit setup – Mouse over any input option on the exploit setup form to see hints.
SAINTmanager®
Load-balanced Discovery – Added support for the discovery portion of load balanced scans to also be load balanced.
SCAP/OVAL/XCCDF
Added support for file behaviors
Added OVAL detail report that provides the following details –
- Why a vulnerability was found
- Why a patch was not found
- Why a configuration check was not compliant
- List of non-evaluated and erroneous definitions
- List of definitions found not to be vulnerable, or being compliant
Added an OVAL definition detail viewer that allows users to see what checks will be run for the selected definition file, also provides details as to what each definition checks for on the target system
Added support for two more OVAL Operations (XOR, ONE, AND, OR are all now supported)
Added support for CPE-OVAL and CPE-DICTIONARY files contained in scap-data-streams (e.g., Vista system no longer scanned by XP benchmark)
ZIP files containing multiple data-streams can now be imported (e.g., USGCB-Win7)
Added XCCDF multi-target summary reports
Added new easier to use more organized XCCDF/OVAL results view page
Removed duplicates in system_characteristics output and added some other disk space saving features
Added OVAL multi-target report that provides below information –
- ratio of hosts with no vulnerabilities to the number of hosts and the non-vulnerable host list
- definitions with vulnerabilities and the hosts list who have these definitions
- ratio of 100% compliant hosts to the number of hosts and which hosts they are
- definitions with non-compliance and the host list who have these definitions
- only 3 defintion classes are considered: compliance, vulverability, and patch
SAINTwriter®
Phishing Assessment Report improvements (View sample report) –
- state what the parameters of the phishing test were
- a pie chart that shows the total number of addresses targeted with the test and the number of addresses that executed on the phishing attempt.
- details show who was targeted and identify which one is executed (PASS/FAIL).
Security Innovation Introduces Software Security Summer Series
WILMINGTON, Mass. – July 12, 2011 — Security Innovation today introduced its inaugural Software Security Summer Series, where the company will offer six free eLearning courses from its industry-leading curriculum over the next six weeks. The courses are part of TeamProfessorTM, the company’s computer-based training library with an emphasis on the software development lifecycle and defensive coding techniques. The courses were developed to train developers, architects, designers and group managers on how to build security into the core, fixing the systemic issues of insecure software.
By making portions of the industry’s largest application security training curriculum available for free, Security Innovation is delivering on its corporate strategy to be the authority on application security. The company firmly believes that providing the expertise and knowledge around how to identify and remediate software vulnerabilities, that this will help drive organizations to shift their strategy from reactive to proactive with the ultimate goal of eliminating software vulnerabilities in the development phase.
Courses will be available beginning Wednesday, July 20, when users will have 24-hour access to one of TeamProfessor’s eLearning courses. The series will continue every Wednesday for six weeks. Interested parties can register for access for up to six courses on the Security Innovation website (www.securityinnovation.com). The course titles and schedule follow:
- July 20: Fundamentals of Application Security
- July 26: Fundamentals of Secure Development
- August 3: How to Perform a Security Code Review
- August 10: How to Test for the OWASP Top Ten
- August 17: SDLC Gap Analysis & Remediation Techniques
- August 24: Architecture Risk Analysis
“We’re declaring 2011 as the first Summer of Software Security. Offering free access to some of our most popular courses is our way helping the software world be a more secure place, ” said Fred Pinkett, Vice President of Product Management at Security Innovation. “We feel that extending these courses to developers, architects, designers, group managers and even security teams will drive home the need for building security in as an integral component throughout development process.”
More than 100,000 Security Innovation users from the industry’s largest financial services, energy and technology Fortune 500 organizations leverage TeamProfessor to build internal security expertise. By educating developers on how to code defensively, Security Innovation is helping enterprises and government entities protect critical data and cut costs. Security Innovation has the industry’s largest application security training curriculum with more than 40 courses and 65 hours of computer-based training content.
About Security Innovation
Security Innovation is an established leader in the application security and cryptography space. For over a decade the company has provided products, training and consulting services to help organizations build and deploy more secure systems and improve the process by which their applications are built.
Security Innovation built upon its core competencies in application security with the acquisition of NTRU CryptoSystems in 2009, a company that developed proprietary, standardized algorithms. This resulted in the strongest and fastest public key cryptography available and the means to overcome historical performance barriers that have plagued the encryption industry. With these core strengths intact, Security Innovation is in a position to help organizations protect their data at two critical points: while applications are accessing it and during transmission. The company’s flagship products include TeamProfessor, the industry’s largest library of application eLearning courses; and TeamMentor, a web-based secure development methodologies product.
Security Innovation is privately held and is headquartered in Wilmington, MA USA.
Note to Editors: Security Innovation, NTRUEncrypt, TeamMentor, TeamProfessor and the Security Innovation logo are trademarks of Security Innovation. All other brand names may be trademarks of their respective owners.
Mobile Security Summit l Free Online Event
Consumer-oriented devices are used to access the enterprise network, email and applications on the move. While the productivity gains and strategic opportunities of accessing data remotely are real, enterprise decision makers are increasingly challenged by cost and security.
Join industry experts, analysts and end users as they identify the key vulnerabilities you should be aware of and the solutions that will allow you to keep your business running securely.
Sign up to attend the live interactive webcasts on Wednesday, July 13, 2011, or view them afterward on demand here: http://www.brighttalk.com/r/
Presentations include:
‘Thriving in the Era of the Mobile Workforce’
Christian Kane, Forrester Research; Gaston Brown, Hobart Brothers Co.; Matthew Dieckman, SonicWALL
‘Strategic Mobile Security: A Practitioner Panel’
Chenxi Wang, Forrester; Anil Karmel, Los Alamos Nat’l Lab; Terrell Herzig, UA Medical Center
‘The Composition of Mobile Security – Risks and Results’
Daniel Miessler; Principal Security Consultant, HP Application Security
‘Top 10 Mobile Risks’
Vladimir Jirasek, Senior Enterprise Security Architect, Nokia
‘Leveraging Mobile Devices for Strong Authentication’
David Mahdi, Product Manager, Entrust
You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/
Morgan Cantrell, Marketing Program Manager
501 Folsom Street, 2nd Floor, San Francisco, CA 94105
www.brighttalk.com
T: +1.415.625.1523 F: +1.415.625.1555 E: mcantrell@brighttalk.com
PRIVACY PAPERS FOR POLICY MAKERS 2011
The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to submit papers to be considered for FPF’s second edition of “Privacy Papers for Policy Makers.”
PURPOSE
• To highlight important research and analytical work on a variety of privacy topics for policy makers
• Specifically, to showcase papers that analyze current and emerging privacy issues and either propose achievable short-term solutions, or propose new means of analysis that could lead to solutions.
REVIEW PROCESS
• Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board will review the submitted papers to determine which papers are best suited and most useful for policy makers in Congress, at federal agencies and for distribution to data protection authorities internationally.
• Two papers selected by the chairs of the Privacy Law Scholars Conference will be included in the publication and will receive a cash award from the International Association of Privacy Professionals.
• The Future of Privacy Forum will announce the selected papers at an event with privacy leaders in September and will provide a printed digest to policy makers in the United States and abroad.
SUBMISSION
Paper Submission Deadline: July 29, 2011
Please include: author’s full name, phone number, current postal address and e-mail address.
Send via e-mail to papersubmissions@futureofprivacy.org with the subject line “Privacy Papers for Policy Makers 2011,” or send by mail to:
Future of Privacy Forum
919 18th Street, NW, Suite 925
Washington, D.C. 20006
The entry can provide a link to a published paper or a draft paper that has a publication date. FPF will work with the authors of the selected papers to develop a digest.
Visit www.futureofprivacy.org/the-privacy-papers to view the 2010 edition of Privacy Papers for Policy Makers.
Source: http://www.futureofprivacy.org/2011/06/02/privacy-papers-for-policy-makers-2011/
Fox News Politics Twitter Account Hacked, Reports President Obama Had Been Assassinated
On Monday July 4th, a hacker group called the “Script Kiddies” hacked into the Fox News Politics Twitter account and posted six tweets reporting that President Obama had been assassinated.
The “@foxnewspolitics” Twitter account has a badge with a check mark, which means it has been verified by Twitter for authenticity and also has more than 34,000 followers. Data pertaining to the twitter account shows the tweets were first posted at 2 a.m. Eastern Time.
George Ogilvie, a spokesman for Secret Service stated they would look into the false postings and “conduct the appropriate follow-up.” The Secret Service ensures the safety of current and former national leaders and their families, such as the President, past Presidents, Vice Presidents and 
presidential candidates.
The false postings about President Obama’s assassination remained visible to the public for at least six hours before Fox News system administrators apparently regained control of the Twitter account and deleted the tweets.
Jeff Misenti, vice president and general manager of Fox News Digital, said FoxNews.com is working with Twitter to address the situation as quickly as possible. He later added, “We will be requesting a detailed investigation from Twitter about how this occurred, and measures to prevent future unauthorized access into FoxNews.com accounts.” Then closed by stating,”FoxNews.com regrets any distress the false tweets may have created.”
Due to privacy reasons, officials at Twitter stated they would not comment or provide information on specific accounts, but added that users should follow its strong password advice.
SecurityOrb.com, an information security and privacy organization published a guideline to creating strong passwords for online accounts. We regard passwords as the first line of defense when it comes to protecting computers and information assets.
On a brighter note, President Obama actually spent the holiday at a barbecue at the White House with military families and administration staffers.
FCC and FTC holds Location-Based Services Forum
The Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) is holding a public forum on privacy concerns about cell phones and their ability to track the location of users.
The forum is being held between 9 a.m. to 3 p.m. EDT at the FCC Headquarters, 445 12th Street, SW, Washington DC 20554.
Audio/video coverage of the meeting will be broadcast live with open captioning over the Internet from the FCC’s web page at www.fcc.gov/live. The FCC’s webcast is free to the public. Those who watch the live video stream of the event may email event-related questions to livequestions@fcc.gov. Depending on the volume of questions and time constraints, the panel moderators will work to respond to as many questions as possible during the workshop.
Those hearings came about due to an investigation by security researchers and the Wall Street Journal that found Google’s Android devices; Apple’s iPhones and other similar devices track customers’ locations without their knowledge. At the hearing, senators called on Congress to pass new laws to protect smartphone users from having their locations tracked without their consent.
In bringing awareness to this issue, the federal government is making a statement about the need to preserve some level of privacy in the digital age. Concern over security and privacy is growing as the Internet and mobile devices play larger and larger roles in our work and play.
