Commentary
Content posted in November 2008
Page 1 / 2   >   >>
Microsoft Releases Updated Offline Virtual Machine Services Tool
Commentary  |  11/26/2008  | 
It's the second release of this handy tool, and it comes with a number of major improvements for enterprises managing numerous Microsoft virtual machines.
How Are We Doing? Dark Reading Seeks Your Input
Commentary  |  11/26/2008  | 
Dear Readers, If you've been clicking through the pages of Dark Reading regularly for the past several weeks, you've probably noticed lots of changes. As we told you back in October, the site has undergone an overhaul that included moving to a new server and a new production system, and we've implemented a new design that's intended to make the site easier to navigate and use. As with most new releases,
Solving The DR Testing Problem
Commentary  |  11/26/2008  | 
It seems like almost every time I see a report on disaster recovery plan (DRP) testing, about 50% of the respondents either don't test their DR plan or don't test it frequently enough for the plan to be worthwhile. How can we solve this?
Free Memoryze Tool Gets A Much Needed GUI
Commentary  |  11/25/2008  | 
When software vendors release a "free" version, there is often a catch or some limitation that leaves you wanting for more. Rarely is the release good enough to fill a void that you've been missing. But that's not always the case. A good example is the NetWitness Investigator product that I've been testing and wrote about in Friday's
Cyber Monday Risk Factor: Employees Back At Their Desks, Ready to Shop!
Commentary  |  11/25/2008  | 
When everybody comes back to work next Monday, count on some of them spending at least a bit of the day surfing for online bargains. And some of them are going to be spending a lot of their time shopping -- some estimates place Monday's online shopping time as consuming more than half the workday. How much of that time also puts you and your network at risk is up to you.
Security Firm Warns Of New Apple Malware
Commentary  |  11/24/2008  | 
A Trojan horse application has been found circulating on the Internet. If infected, users can end up having their system passwords nabbed and being redirected to a number of phishing Web sites.
LiveView: Seeing Is Believing
Commentary  |  11/24/2008  | 
Investigating security incidents is a necessary fact of life for IT shops everywhere. What varies is how each group handles the incident. I read an interesting article over the weekend from Enterprise IT Planet called "Five Essential Forensics Tools." While I wouldn't consider them all "essential," a couple of them are very important, like Wireshark and Helix, and others are just examples of the ki
IT Efficiency, First Demand Oversight
Commentary  |  11/24/2008  | 
In this era of tightening budgets, storage administrators are once again being asked to do more with less. The problem is that for most data centers, the efficiency crank has been turned several times already and the easy efficiency steps already have been taken.
Underground Economy Booms While World Goes Bust
Commentary  |  11/24/2008  | 
Turns out the real "new economy" may be the one the crooks have created. A new Symantec report shows just how organized the underground is -- and how fast it's growing.
Verizon Fires Employees Who Snooped On President-Elect Obama's Personal Cell Phone Records
Commentary  |  11/23/2008  | 
The news broke publicly late last week that a number of Verizon employees had taken the liberty to sneak a peek at President-elect Barack Obama's personal cell phone records. This weekend, it's been announced that the employees involved have been fired.
Security and Return-Oriented Programming
Commentary  |  11/23/2008  | 
You don't have to stray too far from the financial pages to know that returns of any kind aren't much to brag about these days. You could say the same thing about "return-oriented programming." In a nutshell, return-oriented programming security attacks start out like familiar attacks, in which attackers take advantage of a programming error in the target system to overwrite the runtime stack and divert program execution away from the path intended by the system's designer
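The mechanism the blurb describes, as an added example that is not code from the original post: once the overflow controls the saved return address and the stack slots above it, the attacker fills them with addresses of short instruction fragments ("gadgets") that already exist in the program or its libraries and each end in a return. No executable code is injected; only addresses and data are. The model below is a deliberate simplification: each gadget is a C function, the registers and memory are a struct, and each "ret" is modelled by popping the next slot of the attacker's chain. The gadget set, the 8-byte memory and the "/sh" payload are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: a small model of a
 * return-oriented chain. The "stack" is an array of slots the attacker
 * controls; each "ret" pops a slot and jumps to the gadget it names. */

typedef struct {
    uint64_t rax, rbx;        /* model registers */
    uint8_t  mem[8];          /* model writable memory (assumed size) */
    const uintptr_t *sp;      /* stack pointer into the attacker's chain */
} cpu_t;

typedef void (*gadget_fn)(cpu_t *);

/* Gadgets: existing code fragments, each ending in "ret". */
static void g_pop_rax(cpu_t *c) { c->rax = *c->sp++; }   /* pop rax ; ret */
static void g_pop_rbx(cpu_t *c) { c->rbx = *c->sp++; }   /* pop rbx ; ret */
static void g_add(cpu_t *c)     { c->rax += c->rbx; }    /* add rax, rbx ; ret */
static void g_store(cpu_t *c)                            /* mov [rbx], al ; ret */
{
    c->mem[c->rbx % sizeof c->mem] = (uint8_t)c->rax;
}

/* Execute a chain: each "ret" pops the next slot and jumps to it. A zero
 * slot ends the chain (standing in for the attacker's final jump, for
 * example into a libc function). Returns the number of gadgets run. */
static int run_chain(cpu_t *c, const uintptr_t *chain)
{
    int executed = 0;
    c->sp = chain;
    for (;;) {
        uintptr_t ret_addr = *c->sp++;          /* the "ret" */
        if (ret_addr == 0)
            return executed;
        ((gadget_fn)ret_addr)(c);               /* run existing code */
        executed++;
    }
}

/* Emit the slots that write byte `value` to mem[offset]:
 *   pop rax ; <value> ; pop rbx ; <offset> ; mov [rbx], al */
static size_t emit_store(uintptr_t *chain, uint8_t value, uint8_t offset)
{
    chain[0] = (uintptr_t)g_pop_rax; chain[1] = value;
    chain[2] = (uintptr_t)g_pop_rbx; chain[3] = offset;
    chain[4] = (uintptr_t)g_store;
    return 5;
}

/* Build and run a chain that writes "/sh" (plus NUL), a string the
 * program never contained, into model memory, then uses the add gadget
 * to compute 30 + 12 and store the result at mem[4]. Copies model memory
 * to `out` (8 bytes, may be NULL) and returns the number of gadgets run. */
int rop_demo(uint8_t *out)
{
    uintptr_t chain[32];
    size_t n = 0;
    const char *s = "/sh";
    for (size_t i = 0; i <= strlen(s); i++)     /* NUL terminator too */
        n += emit_store(&chain[n], (uint8_t)s[i], (uint8_t)i);

    chain[n++] = (uintptr_t)g_pop_rax; chain[n++] = 30;
    chain[n++] = (uintptr_t)g_pop_rbx; chain[n++] = 12;
    chain[n++] = (uintptr_t)g_add;              /* rax = 42 */
    chain[n++] = (uintptr_t)g_pop_rbx; chain[n++] = 4;
    chain[n++] = (uintptr_t)g_store;            /* mem[4] = 42 */
    chain[n++] = 0;                             /* end of chain */

    cpu_t cpu = {0};
    int executed = run_chain(&cpu, chain);
    if (out)
        memcpy(out, cpu.mem, sizeof cpu.mem);
    return executed;
}

/* Runs the demo and returns model memory byte `index`, or -1 if out of range. */
int rop_demo_byte(int index)
{
    uint8_t mem[8];
    rop_demo(mem);
    return (index >= 0 && index < 8) ? mem[index] : -1;
}

int main(void)
{
    uint8_t mem[8];
    int n = rop_demo(mem);
    printf("%d gadgets ran; mem = \"%s\", mem[4] = %u\n", n, (char *)mem, mem[4]);
    return 0;
}
```

The point the model makes is the one that matters for defenders: a non-executable stack does not stop this, because every instruction executed already lives in executable pages; the chain consists of data only, which is why mitigations such as ASLR (making gadget addresses unpredictable) and control-flow integrity target the return addresses rather than the payload.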
SSD Can Mean Hard Cost Savings
Commentary  |  11/21/2008  | 
In our last entry we talked about the time savings and potential increase in productivity and revenue that deploying SSD can enable. This entry we will focus on the hard cost savings associated with SSD. In the right situation, SSD can actually be less expensive than mechanical drives.
Web Security Testing Cookbook Book Review
Commentary  |  11/21/2008  | 
Veteran web application developers know how hostile the Internet can be, and cookbooks like this one remind us that code vulnerabilities are as diverse as the applications they are unintentionally a part of. Authors Paco Hope and Ben Walther outfit readers with free software security tools and show how to use these plug-ins and utilities to build more tamper-resistant apps.
Hundreds Of Thousands Of Bots Lay Dormant
Commentary  |  11/20/2008  | 
According to a story that ran on our sister site, DarkReading.com, 500,000 bots from a recently severed botnet army may now lie dormant, awaiting their next set of orders.
As More Lose Jobs, More Job-Spam Scams On The Loose
Commentary  |  11/20/2008  | 
Spammers get their clicks by preying upon fear, among other things. And as unemployment levels rise, job, income and related concerns are becoming more common spam prompts than ever. And prime among them are money-mule scams that try to rope people into laundering money from home.
London Hospitals Still Sick From Virus Breach
Commentary  |  11/19/2008  | 
I was reading Graham Cluley's blog at Sophos earlier this week about a virus infection (the computer kind) at a number of U.K.-based hospitals. I pretty much passed over this story until I learned just how poorly prepared the hospitals were for this.
SSD In Tough Times
Commentary  |  11/19/2008  | 
At a recent conference I was asked how to cost-justify solid state disk during tough economic times. The interesting aspect to SSD is that because of its cost, it always has needed to be cost justified, regardless of the economic situation, and as a result is far better suited to do more than just "ride out" the storm.
Internal vs. External Penetration Testing
Commentary  |  11/19/2008  | 
In the past, I've talked about the merits of penetration testing (a.k.a. pen-testing) and several related tools. One thing I've not covered much is the difference between internal and external pen-testing. Today's Webcast, "Zen and the Art of Maintaining an Internal Penetration Testing Program," by Paul Asadoorian of PaulDotCom (which has a great weekly security podcast) is what started me thin
Thompson Era At Symantec Drawing To A Close
Commentary  |  11/18/2008  | 
Yesterday, the news broke that decade-long Symantec veteran John Thompson would be retiring. Symantec's board of directors appointed Enrique T. Salem, currently chief operating officer at the company, to be president and chief executive officer effective April 4, 2009.
Death of the AV Vendor: Microsoft Offers Free AV
Commentary  |  11/18/2008  | 
The fundamental problem with the AV market is that it makes antivirus vendors as much a part of the problem as they are a part of the solution. They are motivated to promote exposures to create a market for their offerings, and the end result has been a massive increase in malware and an inability by the ecosystem to effectively combat it. Microsoft's free AV will change that dramatically.
Economy Sinks, Phish Rise
Commentary  |  11/18/2008  | 
Shouldn't surprise anybody, but the worse the economy gets, the more aggressive the phishers become. Some new statistics show just how aggressive that is.
Fallout From 'Joe The Plumber' Snooping Heats Up
Commentary  |  11/17/2008  | 
This presidential election involved more hacking and digital snooping than any other election I can recall.
Storage Consolidation?
Commentary  |  11/17/2008  | 
Every so often you hear the prediction of consolidation in the storage industry, especially during times when the economy is in question. Now is again one of those times, and surely we will see some acquisitions here or there, but I think we are a long way off from the classic consolidate-down-to-three-vendors scenario. Here's why....
Making a Case For Comprehensive Patch Management
Commentary  |  11/17/2008  | 
The Security Manager's Journal at Computerworld had a good, "real life" story about the effort required to implement a comprehensive patch management program and to have management sign off. J.F. Rice (a pseudonym created to protect the manager and the company) says he used a two-pronged attack to get support and raise awareness by meeting with system admini
Privacy & Protection Challenges: The European Perspective
Commentary  |  11/17/2008  | 
Curious about how other nations are addressing security and privacy concerns? A new report from an EU agency offers some interesting and provocative insights.
Palin E-Mail Hacker Trial Delayed
Commentary  |  11/16/2008  | 
The trial of David "Popcorn" Kernell, the 20-something student who has been accused of hacking then vice president-hopeful Sarah Palin's Yahoo e-mail account, has been postponed.
Hacking VoIP Book Review
Commentary  |  11/15/2008  | 
Having implemented and customized Asterisk-based VoIP solutions in the past, I was already aware of potential security issues around Voice over IP, especially using SIP. So it was with great curiosity that I read about author Himanshu Dwivedi's VoIP-hacking investigations.
Pssst. What's Your Password?
Commentary  |  11/14/2008  | 
Your company invests heavily in provisioning and identity management software. Passwords are to be changed every 90 days or so. The goal is to make sure accounts are secure and users are accountable for their actions. Problem is: Everyone is sharing passwords.
New Tool Makes VoIP An Easy Target
Commentary  |  11/14/2008  | 
VoIP isn't something that pops up on my radar too often. We're only now just beginning a deployment at my office that will take place during the next couple of weeks, so I'm slowly becoming more aware of what impact it could have. But what really got me thinking about just how secure the upcoming implementation is going to be is the release of a new VoIP security tool, UCSniff, by the Sipera Viper Lab.
My Spammers Didn't Get the Memo That They Were Toast
Commentary  |  11/13/2008  | 
It has been a week that seemed like the good guys might finally be winning -- something -- in the cybercrime war. First, there were reports of a 65-plus percent drop in spam volume after a Web hosting firm known for hosting botnets, spammers, and child pornography was taken down. Then the Internet Corporation for Assigned Names and Numbers (ICANN) on Wednesday finally
Spam Falls By More Than Half After Single Host Is Closed
Commentary  |  11/13/2008  | 
What does it take to cut spam volumes by half or more worldwide? A reporter whose research resulted in shutting down a single Web host, evidently. What does it take to keep volumes down? Depends on who you ask.
Visa To Test New Credit Card Security Tactic
Commentary  |  11/12/2008  | 
Credit cards were never designed for online purchases. They were designed more than 50 years ago for face-to-face purchases, yet credit card companies and online merchants continue to try to re-tool credit cards as viable for online payments.
Correlating Many Data Sources Is Often The Key
Commentary  |  11/12/2008  | 
Being able to successfully perform incident response and digital forensics requires having the right tools and, more importantly, the right sources of information. I was assisting a client with a case recently that made this simple fact more apparent the more I dug into the monstrous amount of information they provided me.
Will The Cloud Hurt Storage Companies?
Commentary  |  11/12/2008  | 
There have been a few articles written lately which claim cloud computing will hurt smaller storage companies like 3Par, Compellent, Xiotech, etc. The theory being that there will have to be some industry consolidation. I disagree. Cloud computing should be a net gain for storage companies and here's why.
Serious Flaw Leaves SAP Users Vulnerable
Commentary  |  11/11/2008  | 
US-CERT is warning SAP users of a flaw that could make it possible for systems to succumb to remote, unauthenticated attacks.
A Quarter Of DNS Servers Still Vulnerable
Commentary  |  11/11/2008  | 
Maybe DNS should stand for Do Not Secure. Half a year after the announcement of a Domain Name System flaw, about a quarter of the DNS servers that should have been patched haven't been.
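The patches released for that flaw in July 2008 make a resolver randomise the UDP source port of every outgoing query, so a cache-poisoning attacker must guess the port as well as the 16-bit transaction ID. A cheap local check of whether your own resolver got the fix is to capture the source ports of its outbound queries (tcpdump on UDP port 53 at the resolver's upstream interface is enough) and look at whether they vary. The classifier below is an added example, not code from the original post or from any DNS vendor; the thresholds (at least 8 samples, at least three quarters distinct) and the three port samples are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the original post: classify a sample of a
 * resolver's outbound UDP source ports as fixed, sequential or randomised.
 * Thresholds below are assumptions, not part of any standard. */

#define MIN_SAMPLE 8

/* Classifies a sample of outbound source ports. Returns
 *   2  looks randomised: mostly distinct, no constant stride
 *   1  sequential: constant stride between queries, the way some
 *      unpatched resolvers and OS stacks allocate ports
 *   0  fixed or heavily reused port
 *  -1  too few samples to judge */
int classify_source_ports(const uint16_t *ports, size_t n)
{
    if (n < MIN_SAMPLE)
        return -1;

    unsigned char seen[65536 / 8] = {0};        /* one bit per port */
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned byte = ports[i] >> 3, bit = 1u << (ports[i] & 7);
        if (!(seen[byte] & bit)) {
            seen[byte] |= bit;
            distinct++;
        }
    }
    if (distinct * 4 < n * 3)                   /* under 3/4 distinct */
        return 0;

    /* All consecutive differences equal (mod 2^16) means sequential
     * allocation; any variation in the stride counts as randomised. */
    uint16_t stride = (uint16_t)(ports[1] - ports[0]);
    for (size_t i = 2; i < n; i++)
        if ((uint16_t)(ports[i] - ports[i - 1]) != stride)
            return 2;
    return 1;
}

/* Constructed samples of 12 outbound queries each (not captured data). */
static const uint16_t fixed_port[12] = {
    53, 53, 53, 53, 53, 53, 53, 53, 53, 53, 53, 53 };
static const uint16_t sequential[12] = {
    32768, 32769, 32770, 32771, 32772, 32773,
    32774, 32775, 32776, 32777, 32778, 32779 };
static const uint16_t randomised[12] = {
    51234, 1047, 60002, 33917, 12345, 45678,
    2001, 65530, 9999, 30303, 17171, 54321 };

/* Returns the classification of constructed sample `which` (0..2);
 * any other value runs the classifier on a sample that is too short. */
int classify_sample(int which)
{
    switch (which) {
    case 0:  return classify_source_ports(fixed_port, 12);
    case 1:  return classify_source_ports(sequential, 12);
    case 2:  return classify_source_ports(randomised, 12);
    default: return classify_source_ports(randomised, 3);
    }
}

int main(void)
{
    static const char *label[] = { "fixed", "sequential", "randomised" };
    for (int i = 0; i < 3; i++)
        printf("%-11s sample -> class %d\n", label[i], classify_sample(i));
    return 0;
}
```

Two caveats when using this on real captures: a NAT device in front of the resolver can rewrite the randomised ports into a sequential or fixed range and silently undo the fix, so capture on the outside of any NAT; and a dozen queries is a sanity check, not a statistical test, so a resolver that passes here should still be exercised with a larger sample before you call it patched.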
Apple iLife Gets Security Fix
Commentary  |  11/10/2008  | 
Apple today announced a serious security fix for iLife 8.0, Aperture 2, and Mac OS X 10.4.9 through 10.4.11. Each of the security flaws, if left unpatched, could lead to "arbitrary code execution," which means attackers could run code of their choice on your system.
Solving The Gap Between Virtual Machine And Storage
Commentary  |  11/10/2008  | 
Server virtualization rollouts often get stuck after the first wave. That first wave is where you have virtualized most of your easy stuff. Then as the virtual machines begin to proliferate, it occurs to you that you have lost control. One of the key disconnects is from server to storage.
Adobe Reader Vulnerability Being Attacked
Commentary  |  11/9/2008  | 
Within days of the announcement of a serious Adobe Reader flaw, attackers already are planting maliciously crafted PDF files to attack Windows users.
Gingrich: Repeal SOX
Commentary  |  11/7/2008  | 
The Republicans may have fallen short in the elections this week, but that didn't stop conservative Newt Gingrich from making news: The erstwhile antiregulator is now calling for the repeal of the Sarbanes-Oxley Act.
Obama Wins Spam Race Too
Commentary  |  11/7/2008  | 
The spammers love a winner -- winners exploited in subject-lines make it easier for spammers to turn computer users into losers. Take a look at the still-growing volume of Obama-themed spam and spam-scams to see how the cybercrooks are handling the transition.
Chinese Hackers Repeatedly Hack White House Network
Commentary  |  11/7/2008  | 
The Financial Times is reporting that Chinese hackers have repeatedly nabbed e-mails between government officials.
SSD's Latency Impact
Commentary  |  11/7/2008  | 
In our last entry we talked about latency and what it was. We also discussed how storage system manufacturers are trying to overcome latency and performance issues of mechanical drives by using techniques like making the drives faster by using higher RPM drives, array groups with a high drive count, short-stroking those drives, wide striping those drives, and increasing the number of application servers
The Worst Way To Learn Of A Data Breach
Commentary  |  11/7/2008  | 
While there's no welcomed way to learn that your customer data has been compromised, perhaps the worst way is to learn via an extortion letter. Pay up, or we'll expose millions of patient records, threatens a letter to Express Scripts.
Bending Skein Code
Commentary  |  11/6/2008  | 
Few of the submissions to NIST's hash standard contest have been optimized for desktop/server processors. One, though, known as Skein, seems to have considered this. It is designed specifically to run well on Intel Core 2 processors -- without sacrificing speed on other processors or security.
Trojan-Elect: Obama-Spam Inaugurates Malware Attack
Commentary  |  11/6/2008  | 
Even as the election results are still warm, a new Obama-related Trojan began running up a tally in the tens of millions of copies distributed -- and hundreds of thousands of newly infected computers.
Malware Attack Riding Coattails Of Obama Win
Commentary  |  11/5/2008  | 
Antivirus software maker Sophos today discovered attackers have launched a Web campaign of their own that aims to exploit the senator's presidential victory. And it's rather nasty.
SSDs Are All About Latency
Commentary  |  11/5/2008  | 
Nearly every storage manufacturer has been articulating a solid state disk (SSD) strategy in the past two quarters. EMC, HP, IBM, HDS, NetApp, and Compellent are all set to add the capability to their offering. Some are doing so today, while others are still in the strategy mapping process.
The Importance of Exit Procedures
Commentary  |  11/5/2008  | 
There is an interesting article in the San Francisco Chronicle about a former IT manager turned "vengeful computer hacker" who logged in to his former company's mail server and turned it into an open mail relay for spammers to abuse. He also deleted the Exchange server's mail database and critical system files, preventing the server from being able to boot. After five years, he has fina
Optical Scanning Machines, Not Just DREs, Giving Voters Trouble Today
Commentary  |  11/4/2008  | 
If voters do not even have confidence in the voting machines recommended by the Verified Voting Foundation, what hope have we in any voting system in use today?
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.