Commentary
Content posted in October 2010
State Sues WellPoint Over Data Breach Notification
Commentary  |  10/31/2010  | 
The state of Indiana's attorney general is suing insurer WellPoint Inc. for $300,000 for not notifying customers in a timely enough manner that their data was at risk.
Java Worm Targets Mac OS X
Commentary  |  10/30/2010  | 
A just uncovered Trojan horse is employing an old social engineering ploy on social networks to lure Mac users.
The Futility Of A Single Storage Platform
Commentary  |  10/28/2010  | 
Every storage supplier wants to be your only vendor. It sounds like a good idea. It would simplify storage management, simplify purchasing and make it easier to train new IT staff and protect you if the current staff has some turnover. While meeting with users at SNW Europe, I was reminded just how futile of a goal this really is.
Talk About Evasion
Commentary  |  10/28/2010  | 
Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.
Talk About Evasion
Commentary  |  10/27/2010  | 
What's new is old and what's old is still news
Why Windows Phone 7 Could Be Most Secure Smartphone At Launch
Commentary  |  10/25/2010  | 
One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.
More Patient Data Dumps
Commentary  |  10/25/2010  | 
Yet another case where patient medical records are left in a dumpster and out in plain sight.
What Business Data Should Be In The Cloud?
Commentary  |  10/25/2010  | 
In our last entry we discussed different ways that you can move data into the cloud, something I call onramps. In theory the ability now exists to put all your data types on a cloud storage platform, but is that the right choice for your business? How do you determine which data you should put in the cloud?
How To Get Data To The Cloud: Onramps
Commentary  |  10/22/2010  | 
As we discussed in our last entry, deciding when to use cloud storage is an important decision that data center mangers are now trying to make. While adding the capabilities to your own software was an early approach most were waiting for an easier way to get to the cloud and it comes in the form of software that allows near seamless access. We call these onramps.
Apple FaceTime Mac Beta Ships With Pedestrian Security Flaw
Commentary  |  10/21/2010  | 
On Wednesday Apple announced its FaceTime for Mac beta. Problem is the beta software shipped with a security flaw that could enable attackers to access iTunes accounts. However, the flaw could be indicative of much more systemic problems.
Does Compliance Drive Patching?
Commentary  |  10/20/2010  | 
A thought-provoking comment was made in response to Ericka Chickowski's recent article "Best Practices For Oracle And Database Patching."
Schwartz On Security: Can Apple Minimalism Stop Botnets?
Commentary  |  10/20/2010  | 
Why applying Steve Jobs' iPhone "walled garden" model to limit what PCs can do makes sense for combating cybercriminals.
How To Use Cloud Storage
Commentary  |  10/20/2010  | 
This entry kicks off a new series on cloud storage. In this series we will look at cloud storage and what it means from a number of different view points; the storage manufactures, the service providers, the providers of the tools that onramps data to the cloud and of course the people that will actually use cloud storage. This first set of entries will look at you the users and provides some ideas on how you can use cloud storage.
An SMB Guide To Credit Card Regulations, Part I: PCI DSS Q&A
Commentary  |  10/20/2010  | 
This article is the first in a short series designed to help small businesses understand the regulations around securing credit card transactions, specifically the PCI DSS (Payment Card Industry's Data Security Standard) requirements.
Social Media Best Practices For Healthcare
Commentary  |  10/19/2010  | 
It's no secret that there have been instances of medical workers abusing social networking sites and violating patient privacy rights. A medical association has recently published a social media toolkit designed to help with more responsible use of social media.
It's About The User
Commentary  |  10/19/2010  | 
E-commerce was born 15 years ago when a bunch of us, thrilled by all of the possibilities and promise of the Web, said, "Let's adapt this new medium to do business." Even at that early moment, it was clear that user authentication would have to play an essential role if the adaptation was going to be successful.
Disk Backup Challenges
Commentary  |  10/18/2010  | 
In most enterprises, disk is looked to as a cure for all your backup woes. The goal of adding disk to the process is to reduce backup windows, improve recovery windows and make the whole process more reliable. Reality is though that while it does help the situation it seldom cures the backup problem and fails to fully address any of these problems.
CloudAudit Now Under Cloud Security Alliance Umbrella
Commentary  |  10/17/2010  | 
We've blogged often about the need for organizations to be able to see and understand the regulatory compliance and security efforts of their cloud providers. Now, two organizations - the Cloud Security Alliance and CloudAudit - that have been working toward exactly that are joining forces.
Stuxnet: An Amateur's Weapon
Commentary  |  10/15/2010  | 
Stuxnet, a Trojan supposedly designed to attack Iran's nuclear program, is so technically advanced that it is said to be able to remotely explode a power plant without the controller noticing. Such an advanced weapon was developed by people with means. But whoever they are, they're amateurs.
Fall 2010 SNW Recap Part I
Commentary  |  10/15/2010  | 
We just wrapped up Storage Networking World Fall 2010, and while I am packing to get ready to go to SNW Europe to speak on "The Storage Challenges Caused By Desktop Virtualization" It makes sense to review what we are seeing as emerging or maturing trends in storage for 2011.
Microsoft Steps Up To Dethrone Zeus
Commentary  |  10/15/2010  | 
Microsoft is throwing another punch at this most nasty and extremely active botnet.
The Case For Wiretapping The Internet
Commentary  |  10/14/2010  | 
The directors of National Intelligence and the FBI say tech-savvy extremists pose a growing threat, setting the stage for a national debate over the need for Internet eavesdropping.
Zero-Day Pen Testing Under Fire
Commentary  |  10/13/2010  | 
A blog post I wrote recently about using zero-day exploits for testing seems to have ruffled some feathers: I got a flood of email about why the concept is immoral, tests like that are not valid, and a host of other problems. Rather than responding to emails individually, this post answers a few common grievances with my testing methodology.
HTML 5's Privacy Problem
Commentary  |  10/13/2010  | 
Lately there's been a lot of news and concern about perceived security and privacy problems in HTML 5. But while these concerns are certainly legitimate, for the most party there isn't really anything new here.
Dragging Physical Security Monitoring Into 2010
Commentary  |  10/13/2010  | 
It is fairly common to see router, firewall, and intrusion-detection system logs in addition to server, workstation, and application logs consolidated within an enterprise security information management (ESIM) system. Logs generated from network-based devices are generally responsible for the bulk of logs monitored by an ESIM, with the remainder consisting of logs from the various endpoints and software deployed throughout the infrastructure. Perhaps one of the most overlooked sources of data t
A Peek At The Intel-McAfee Strategy
Commentary  |  10/12/2010  | 
This week is McAfee's annual customer and partner event, and the first one since the announcement that Intel would acquire McAfee. The message at Focus is that the Intel-McAfee plan to secure all parts of the emerging highly distributed and massively diverse ecosystem -- from devices such as smartphones and tablets to large-scale virtualized servers -- in what is increasingly a SaaS and virtualized environment.
It's Not (Just) About EMR Software Security
Commentary  |  10/12/2010  | 
We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.
Selecting Storage For Server Virtualization - Capacity
Commentary  |  10/12/2010  | 
In this entry we will return to our series on selecting storage solutions for the virtualized server environment focusing now on dealing with capacity, storing the virtual server images and all their related data. For most environments shared storage is a presumed need, but making sure you purchase a system that can scale to meet future capacity requirements is critical.
Monitoring With Network Flow Technology
Commentary  |  10/11/2010  | 
A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.
Insiders Still Remain Potential Powerful Threat
Commentary  |  10/10/2010  | 
While malware and hacker attacks continue to make the headlines, recent events remind us that insiders still pose a potent threat.
Record Microsoft Patch Tuesday Ahead
Commentary  |  10/7/2010  | 
Administrators, get your rest this weekend. According to Microsoft's advanced warning, next Tuesday is going to be a record-setter when it comes to software vulnerability updates.
Microsoft's PC Quarantine Plan
Commentary  |  10/7/2010  | 
A plan by Microsoft Security Chief Scott Charney would place infected or unsecured PCs in an Internet isolation ward. And block users from Internet access.
Desktop Virtualization's Storage Challenges - Data Preservation
Commentary  |  10/7/2010  | 
One of the biggest potential problems that desktop virtualization brings to a data center is the change to the data protection process. Often the assumption is that when the move to desktop virtualization happens the data center will protect the newly virtualized laptops/desktops. If that hadn't been the case before, the impact of the storage requirements of the virtual desktop may take the backup administrator off-guard.
Blocking Zero Days With EMET 2.0
Commentary  |  10/6/2010  | 
Few security products I've used over the years are ones I would run on a Windows system on a daily basis. Of course, that would require me to run Windows on a daily basis, but if I did and I used it for daily activities like Web browsing, e-mail, etc., I wouldn't do so without the Microsoft Mitigation Experience Toolkit (EMET).
Which SSD Integration Method Is Best
Commentary  |  10/6/2010  | 
As we continue our series on determining the best solid state storage system makes the most sense for your environment, another area to discuss is what integration method is best. In other words once the solid state storage is installed how will you get data to it and from it?
Who's Driving Your Security Bus?
Commentary  |  10/5/2010  | 
When did vendors begin setting our security priorities? I asked myself this question recently while at dinner with three friends representing two security vendors. This was a personal event, not business, and as is often the case, I was the only person from the enterprise side of the industry. You can imagine the conversation.
Data Security: You're Doing It Wrong!
Commentary  |  10/4/2010  | 
Pete Finnegan's recent webinar, "The Right Way to Secure Oracle," was pretty controversial. His message? Database security is not what's important -- data security is.
Understanding The Mindset Of The Evil Insider
Commentary  |  10/4/2010  | 
Technology is typically going to serve as the basis for insider threat attacks. One of the major key technology areas is information extraction, and it must be clearly understood so an organization can try to stay one step ahead of the malicious insider.
Desktop Virtualization And Storage - Dealing With The Cost
Commentary  |  10/1/2010  | 
In this entry we continue our series on Desktop Virtualization and the challenges it creates for the storage infrastructure. Today we focus on the problem of cost. As I mentioned in the opening entry of this series, cost is always a big concern. You are taking your least expensive storage, desktops and laptops, and more than likely putting it on your most expensive, shared storage. How do you keep cost


Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.