Commentary
Content posted in January 2008
Page 1 / 2   >   >>
Does This Storage Make My Butt Look Big?
Commentary  |  1/31/2008  | 
This is a curious link to follow if you agree that women as storage buyers: A) Are aliens B) Constitute a completely different species C) Need to be spoken to like prostitutes (the "Pretty Woman" Julia Roberts kind, not that Theresa Russell sort)
Toward Buffer Overflow Extinction
Commentary  |  1/31/2008  | 
The first time a buffer overflow was used as part of an attack on information systems, at least the best I can find, was the infamous 1988 Morris worm. While the Morris worm propagated across Unix, buffer overflows have been the bane of Windows security for years. Microsoft is furthering its efforts to push this problem into the history books.
When Criminal Intent Lurks One Cube Away
Commentary  |  1/31/2008  | 
The ongoing Société Général fraud story is a case study in insider threats. The costs, north of $7 billion for the French bank, are high and likely to go higher. For the rest of us, it leaves an uneasy question: Do we have a rogue in our organization? And if so, what do we do about it?
Federal Government To Spend $30 Billion On New Security Efforts
Commentary  |  1/30/2008  | 
One of the most interesting IT security news stories to hit this week is that the Bush administration is apparently proposing $6 billion (maybe this is an increase on existing spending. That's not yet clear) be invested to shore up federal network security next year, and up to $30 billion across seven years. This is good news. Maybe.
The Four (Non) Myths Of IT Security
Commentary  |  1/30/2008  | 
Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.
Are You SCAP Ready?
Commentary  |  1/29/2008  | 
In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.
Free Identity Theft Webinar Tomorrow
Commentary  |  1/29/2008  | 
This week's release of a new report on Identity Theft (and strategies for avoiding and combating it) will be accompanied by an online Identity Theft Webinar tomorrow, Thursday, January 31, at 2 pm EST.
Point. Click. Phish.
Commentary  |  1/29/2008  | 
Are you ready to launch your own phishing scam, but don't know where to start? Too tired from your day job to copy write your own fraudulent e-mails? Or, are you like millions of others who just don't know how to leverage Facebook or Orkut for illicit profit? These are no longer problems for you.
Should Your IP Address Be Private?
Commentary  |  1/29/2008  | 
The European Union has just ruled that Spain's Telefonica SA doesn't have to hand over the identities of file sharers on its networks . At least, not simply because the allegedly aggrieved party asks for such information.

 
Whoops: $73 Billion In Fraudulent Trades Just Slipped By Us
Commentary  |  1/28/2008  | 
While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.
IT Security Vs. Censorship
Commentary  |  1/28/2008  | 
In a memo distributed to employees, Tribune Co. owner Sam Zell called for all of Tribune's business units to yank the use of content filters. Now, I'm not sure anyone, myself included, would list content filters among their most favorite things. Yet, I'm not so sure Zell made a good move -- at least not for Tribune's IT security.
Happy Data Privacy Day!
Commentary  |  1/28/2008  | 
We're less than a week away from finding out whether Punxsutawney Phil predicts six more weeks of winter. While we wait for him to make his annual weather forecast, we've got time to squeeze in another holiday. You may not be as familiar with this one -- there's no parades, gift-giving or time off from work. Frankly, it's a shame we have to acknowledge it at all. But it's a testament of the kind of world we live in. Today is Data Privacy Day.
Recent Vista Metrics: Don't Be Fooled
Commentary  |  1/26/2008  | 
Microsoft's security strategy director, Jeff Jones' recent report card bestowing high marks on the security of his employer's most recent operating system release has garnered plenty of ink. But what's it mean?
Beauty, Sex, Love, And Your Mobile Phone
Commentary  |  1/25/2008  | 
That's the hook for a mobile phone virus that at least one antivirus vendor says is currently spreading in the wild.
Time to Implement Security as a Service?
Commentary  |  1/25/2008  | 
Software as a Service (SaaS) has been gaining acceptance among small and medium businesses because it eases maintenance and deployment requirements. Having been widely implemented in areas, such as Customer Relationship Management, it is now advancing into the security market.
FCoE Enigma Wrapped In A Riddle
Commentary  |  1/24/2008  | 
And buried inside a mystery: It's where my mind goes when the subject turns to Fibre Channel over Ethernet (FCoE). And apparently I'm not alone.
Hey Joe, What Are You Doing With That Resume In Your Hand?
Commentary  |  1/24/2008  | 
A buddy of mine called today. He's (we'll call him Joe) chief security officer at a fairly large public company in the health field. I hadn't spoken with Joe in a while, and he was sounding somewhat down. "What's wrong, Joe?" I asked.
CyberWar! Not So Much
Commentary  |  1/24/2008  | 
It's looking more like the distributed denial-of-service attacks that crippled the Web site of the Estonian Reform Party last spring were not the result of grim-faced Russian warriors vigorously clicking their mice. No.
Trusted Web Site? Not So Fast
Commentary  |  1/23/2008  | 
It's not been a great year for Web security, so far. First we learn that HackerSafe isn't so hacker safe, after all. Then we find out that hackers have found a way to automatically redirect most home routers to wherever they
Drive-By Pharming: This Nasty Attack Technique Looks Significant
Commentary  |  1/23/2008  | 
The first time I learned of the concept of drive-by pharming was when reading about a presentation given by application security expert Jeremiah Grossman at Black Hat in mid-2006. It's a concerning attack technique, not just because it enables an attacker to do nasty things, but also because of how passively Web users can become victimized. Until very recently, this attack was merely theoretical.
Bank Failure Spawns New Regulations
Commentary  |  1/22/2008  | 
Few may have noticed, but during the real-world summer stock slump Ginko Financial, a bank within Second Life, went bust. And ever since its failure, Second Life citizen complaints of interest-rate scams seem to have soared. "Since the collapse of Ginko Financial in August 2007, Linden Lab has received complaints about several in-world "banks" defaulting on their promises. These banks often promise unusually high rates of L$ return, reaching 20%, 40%, or even 60% annualized, reads a recent blog
Vote. Get Your Identity Stolen
Commentary  |  1/22/2008  | 
Fortunately, the stolen notebook was recovered. Unfortunately, it's now up to the forensics experts to determine if any of the data, including the names and Social Security numbers of register voters, was accessed or tampered with. I'm talking about the notebook that was allegedly stolen from the Election Commission in the Nashville area last month. According to this report, the notebook held the names and Social Security n
Protecting Bob In Accounting, From Himself
Commentary  |  1/21/2008  | 
Of the hundreds of data loss incidents in 2007, it seems the majority involved some type of lost storage media or notebook. If only the companies had used, or were certain that encryption had been in place, then the customers of GE Money, Accenture, the Department of Veterans Affairs, and too many others to list would be sleeping better. It's a problem that's only going to get worse as more data is held on portable storage devices, such as USB devices, smartphones, and even MP3 players.
RIAA Attacked: The SQL
Commentary  |  1/21/2008  | 
The Recording Industry of America's (RIAA) Web site was attacked -- again -- over the weekend. According to numerous breaking news stories, it seems a lack of proper security controls enabled some to take parts of the site down, and tweak its pages. Get serious.
Hackers Threaten Power Grid. FERC Strengthens Security Standards
Commentary  |  1/19/2008  | 
While I enjoyed the first two Bruce Willis Die Hard movies, Live Free or Die Hard was a different story. The coordinated, near simultaneous cyberattacks of the power grid, financial systems, government databases, and media satellites was so over-the-top that I couldn't suspend my disbelief long enough to enjoy the movie. Maybe that's because I've long been suspicious of the terms cyberterrorism and cyberwarfare. In fact, the threats of thunderstorms, tornadoes, and overgrown trees
Yahoo Users Get OpenID: No Game Changer
Commentary  |  1/18/2008  | 
There seems to be plenty of buzz surrounding Yahoo's decision to choose OpenID as a way to enable users to sign on once and seamlessly access all of their Yahoo services, as well as any other Web site that supports the OpenID Web authentication standard. It's not going to change much.
650,000 More Customer Records Lost: It's The Physical Security, Too, Stupid
Commentary  |  1/18/2008  | 
A data tape containing 650,000 J.C. Penney and other retailers' customer records including Social Security numbers, has been missing since last October, but notification of all affected customers has yet to be completed. Lots of lessons in this one.
Don't Do As Bruce Does
Commentary  |  1/17/2008  | 
I'm talking about encryption and security expert, speaker, book author, and restaurant critic Bruce Schneier. Don't follow his security advice. At least when it comes to securing home wireless networks.
Identity Theft Is A Drag For Everyone
Commentary  |  1/17/2008  | 
There's yet more evidence that privacy and security concerns, when it comes to online shopping, are on the rise. This time it's from a phone survey, released today, conducted by the University of Southern California's Center for the Digital Future.
Excel Security Flaw Poses Mac And Windows Risk
Commentary  |  1/16/2008  | 
A Microsoft security advisory warns that some Excel users are at risk of attacks specifically targeting the vulnerability. Users who've installed Excel 2003 Service Pack 3, or who are running Office 2007 (Windows) or 2008 (Mac) should be protected.
Web 2.0 And Social Networks Ripening Targets For Hackers And Fraudsters
Commentary  |  1/16/2008  | 
We're on the verge of an upswing in Web 2.0 and social networking security attacks and fraudulent scams. Just yesterday, Thomas Claburn reported on a serious Universal Plug and Play (UPnP) vulnerability that can be exploited through malicious SWF (Flash) files on Web sites. Successful attacks can be used to sidestep firewalls, access Web router admin pages, and alte
Hackers Targeting Microsoft Zero-Day Excel Flaw: Microsoft Offers Kludgey Fix
Commentary  |  1/16/2008  | 
Late yesterday, Microsoft confirmed in a security advisory (947563) that hackers are targeting a significant vulnerability in multiple versions of Excel. The vulnerability appears to be a previously unknown zero-day, and a successful attack could result in various levels of control over the affected system -- depending on how user rights have been configured.
The FBI Doesn't Want Your Data. Really.
Commentary  |  1/15/2008  | 
The Federal Bureau of Investigation is not after your personal information, the agency insists. If you've received e-mail seeking personal information that appears to be from FBI Director Robert Mueller or another FBI official, it's fake, the agency warned Tuesday.
The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law
Commentary  |  1/15/2008  | 
It'll soon be five years since the California data breach disclosure law, better known as SB 1386, went into effect. So far the law has had some success. But we need a federal standard.
A Couple More Things Apple Needs To Do To Become IT (Security) Friendly
Commentary  |  1/15/2008  | 
As Macworld kicks off, more companies, especially SMBs, are bound to be eyeing the possibility of displacing Microsoft in favor of Apple. And there are plenty of good reasons why: Vista has been a disappointment, and OS X is simply more elegant and easier to use than anything Microsoft has to offer. And if my personal experience with OS X is any indicator, OS X is a lot more stable. But when it comes to security, Apple has some work to do.
10 Threats You Need To Worry About: SANS Report
Commentary  |  1/15/2008  | 
SANS is out with its 2008 top threats report, and the outlook isn't good. While many of the threats are familiar, they're getting more sophisticated, supple, smart.
Brit Posts Bank Account Number, Gets Hacked
Commentary  |  1/10/2008  | 
The world is filled with daredevils: bungee jumpers, mountain climbers, those crazy guys who get chased by bulls in Spain. However, none of those thrill-seekers hold a candle to British columnist/TV celebrity Jeremy Clarkson. Fearless to the core, Mr. Clarkson decided to publish his own personal bank account number in the paper, confident that no one would be able to do anything with it.
Have You Been Victimized By Malware?
Commentary  |  1/9/2008  | 
Crime reporting often includes the victim's side of the story. This seems to be less common with cybercrime reporting. There are several reasons: Many of those with computer viruses are unaware that they've been victimized, and IT workers don't want the world to know that their systems have been compromised. I'm hoping some of you, anonymously or not, will be willing to e-mail me (or post here if you prefer) and share your experience with malware. With ne
Who's In Charge -- Really In Charge -- Of Your Security? Anybody?
Commentary  |  1/9/2008  | 
If your small or midsize business has a designated Chief Security Officer, well-done. If you don't, welcome to the club -- but it's not a club you want your business to be part of.
Hackers Count On Unpatched Problems -- How Patched Are Yours?
Commentary  |  1/8/2008  | 
The lesson of the mass-hack that tagged 70,000 Web pages over the past week is be careful what you ask for on your Web site -- and be even more careful that you're completely patched before you ask.
Privacy Skeptic Gets Robbed Online And Recants
Commentary  |  1/7/2008  | 
Not everyone believes privacy matters. Take U.K. journalist and TV presenter Jeremy Clarkson, who hosts a show called Top Gear. Clarkson, according to the BBC, believed that the furor over the U.K. government's loss of optical discs containing the personal information of more than 25 million U.K. citizens was much ado about nothing.
Privacy Lawsuit Against Sears Is Ridiculous
Commentary  |  1/7/2008  | 
Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.
Let's Raise The Stakes For Data Loss Culpability
Commentary  |  1/4/2008  | 
After a year of unbelievable (and in some cases incomprehensible) data loss among corporations both big and small, I propose we adopt a brand-new catchphrase for 2008. To borrow somewhat from culinary personality Emeril Lagasse: It's time to kick the penalties up a notch.
Is There A Wi-Fi Flu Waiting To Happen?
Commentary  |  1/3/2008  | 
We've all talked a lot about wireless security (or lack thereof) and hotspot vulnerabilities and other perils of the wireless world. But researchers at Indiana University suggest that wireless routers may be a perfect medium for communicating contagious malware.
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.