Commentary
Content posted in December 2008
Apple Without Jobs: Who Secures A Company's Heart?
Commentary  |  12/31/2008  | 
Very often a founder is the heart of a unique, successful company, or in the case of IBM it was actually the son of the founder, Thomas Watson Jr. All the focus this week on the likely departure of Steve Jobs from Apple has me thinking back about one of my very first jobs at Disney shortly after Walt died. In many ways these men embodied more than their companies' brands: They embodied a way of thinking about business that wasn't defined in dollars and cents; it was defined by imagination, carin
The (Not Quite) End Of Security On The Internet
Commentary  |  12/30/2008  | 
Speaking at the 25th annual Chaos Communication Congress in Berlin, security researchers showed how they developed a rogue (forged) Certificate Authority digital certificate. Yes, this is a big deal. But no, the Internet isn't broken.
ID Theft and Police Scanners
Commentary  |  12/30/2008  | 
When asked why he robbed banks, the flamboyant criminal Willie Sutton answered, "Because that's where the money is." That's the perfect example of how the principle of Occam's razor applies to crime: the simplest solution to a problem is often the best one. With the economic downturn, high unemployment rates, and the booming business of identity fraud, would-be criminals are on the lookout for easy methods to get access to personal information. And we stumbled across one such way during a rece
Security 2008: Bad Year, But Better Than What's Ahead
Commentary  |  12/30/2008  | 
How bad were the security challenges in 2008? Bad! And a glance back over the year leads to the conclusion that 2009 is going to be worse.
Cloud Computing Security: What About It?
Commentary  |  12/29/2008  | 
I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.
SIFT Workstation And Resources For Aspiring Forensic Examiners
Commentary  |  12/29/2008  | 
Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is ve
CastleCops Phish Fighters Close Site
Commentary  |  12/29/2008  | 
Quietly, just before Christmas, the six-year-old volunteer anti-phishing group CastleCops closed its Web site, noting in an open letter that "all things come to an end." True enough, but the example CastleCops set deserves to live on, and be emulated.
Infected Digital Picture Frames: They're Ba'aack
Commentary  |  12/28/2008  | 
Last January, Insignia had to yank a line of 10.4-inch digital frames from Best Buy due to reports of infection. This year it's Samsung that has egg on its face.
Every Year Bogus Holiday Cards Flood In-Boxes: This Year is No Exception
Commentary  |  12/27/2008  | 
If your in-box is like mine, you've been hit with numerous fake greeting card spams. Who knows what you really get if you click on the link: Phishing attack attempt? A keystroke logger? Worse? Keep it safe.
Yes, Virginia, There Will Be More Attacks
Commentary  |  12/24/2008  | 
This is the time of year when the editor of a publication usually issues a warm and fuzzy holiday message that's supposed to make you want to gather around the fire with your family for a group hug. Unless, of course, your publication has to do with information security.
Second Zero Day Flaw Nails Microsoft In Two Weeks
Commentary  |  12/23/2008  | 
For the second time in two weeks, Microsoft is rushing to fix a zero-day vulnerability. This time the flaw is in some versions of the software used to run corporate databases.
Cloud Storage Is About Dispersion
Commentary  |  12/23/2008  | 
Cloud storage is destined to be one of the hottest markets next year. It is one of those technologies that is actually aided by a down economy. As IT budgets remain flat or decline, the need for storage capacity will accelerate. The ability to buy that storage as you need it instead of all at once will be interesting. Additionally, Web 2.0 and other Internet-enabled services are supposed to continue to thrive, and all these will need storage as well.
WARNING: Old Windows SQL Server Flaw Exploit Code Published
Commentary  |  12/23/2008  | 
Microsoft has issued an advisory that a known critical vulnerability in older versions of Windows SQL Server now has proven attack code, developed by a security firm weary of waiting for a patch to be released.
Quick Take: Check Point Frees Nokia To Be Nokia
Commentary  |  12/22/2008  | 
To IT security industry watchers, the move announced today that Check Point Software Technologies is acquiring Nokia's security business is no shocker. And perhaps it will enable Check Point to start doing what it should have been doing all along: innovating more.
Database Breach Preparedness
Commentary  |  12/22/2008  | 
A copy of "SQL Server Forensic Analysis," by Kevvie Fowler, arrived in my mailbox today. I'd been looking forward to it because it is a highly topical subject given all of the data breaches that have occurred in the past couple of years involving databases. David Litchfield has produced numerous whitepapers and presented on the topic of Orac
Holiday Security: While Employees Are Away, Don't Let Crooks Play
Commentary  |  12/22/2008  | 
As the holidays approach, so do opportunities to tighten security in the workplace -- or have lax habits turn into disasters.
Has Microsoft's Trustworthy Computing Got Us Anywhere?
Commentary  |  12/19/2008  | 
As we noted earlier this week, Microsoft learned of a vulnerability in IE 7 on "Patch Tuesday," Dec. 9, and had a fix published for download eight days later. Now, Microsoft's Michael Howard, from the security engineering team, takes an interesting look at the lessons learned.
The 2009 Security Tsunami
Commentary  |  12/19/2008  | 
Many in the United States think the party in power has sacrificed too much privacy and liberty in order to address security concerns, particularly in regard to terrorism. The incoming administration is likely to undo a lot of this, but, at the same time, a massive number of very upset people with and without tech skills are going to find themselves jobless.
Trust Trumps Price For Cybershoppers
Commentary  |  12/19/2008  | 
The hope that tight economic times are driving shoppers Webward in search of better prices carries a caveat: By a factor of ten to one, online shoppers place a higher value on trust and security than on bargains, according to recent research from VeriSign.
IE7 Zero-Day Lessons
Commentary  |  12/19/2008  | 
The recent zero-day IE7 vulnerability is a big deal. Hackers used it to hack into hundreds of thousands of machines, if not millions. Both IE7 and Vista are vastly more secure than their predecessors, yet this bug sliced right through them to give the hacker a robust exploit. We need to do a post mortem of this event to figure out what we should do in the future.
Much Ado Over Microsoft's (Somewhat) Rare Out-Of-Band Patch
Commentary  |  12/17/2008  | 
My advice: Patch this puppy, and don't worry about whether or not Microsoft should have published this update out of its normal monthly update cycle.
How Storage Latency Affects Performance
Commentary  |  12/17/2008  | 
A few entries ago I introduced the subject of latency as impedance to storage performance. The biggest area of concern is what impact storage latency has on application performance. This is an area where solid state disk (SSD) solutions can make a difference that standard mechanical drive solutions struggle to solve.
Out-Of-Cycle Patches Test Maturity Of Patch Management Programs
Commentary  |  12/17/2008  | 
With two out-of-cycle security updates from Microsoft this fall, organizations are getting the opportunity to evaluate the maturity of their patch management processes through trial by fire.
Patch 'Em Up! IE Releases Critical Patch, Firefox Patches Dozen Bugs
Commentary  |  12/17/2008  | 
Microsoft has released the patch that closes an Internet Explorer vulnerability that's been exploited hundreds of thousands of times in the last few days. Mozilla has patched more than a dozen Firefox problems, many of them critical. Time to get patching!
ALERT: Emergency Explorer Patch From Microsoft Tomorrow
Commentary  |  12/16/2008  | 
Tomorrow, Microsoft will be releasing an off-cycle emergency patch for the Internet Explorer vulnerability that has infected more than a million machines worldwide.
Can You Vote for Me Now? Estonia First Country to Cast Cell Phone Votes
Commentary  |  12/16/2008  | 
The Estonian Parliament has passed a law that will allow citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet, which apparently worked seamlessly despite security concerns. (See Sara Peters' coverage of e-voting in Estonia in the November 2005 Alert, Academic Group Publishes Criticisms of e-Voting; memb
Nostalgic For Cybercrime
Commentary  |  12/16/2008  | 
I spent last week serving as a juror in a murder trial. Jury duty is a bit like living in an alternate universe: You live and breathe the trial, but you can't say a word about it to anyone until it's all over. I was unable to discuss what I was hearing each day in the courtroom and prohibited from watching or reading the news so that I wouldn't inadvertently hear any press on the case. And my fellow jurors and I weren't allowed to talk at all about the case until our deliberations.
OS X Users: Apple Unleashes Security Updates
Commentary  |  12/15/2008  | 
Colleague Paul McDougall covered the release of Apple's OS X 10.5.6 update, which includes 36 new fixes. We're now taking a look at the security updates, and there are quite a few. Many are critical to get patched.
DNSChanger Trojan Spoofs DHCP Responses To Unsuspecting Victims
Commentary  |  12/15/2008  | 
Malware analysis has been a small obsession of mine for at least the past four years. I always have a virtual machine sitting around just waiting to be subjected to the next unknown executable that lands in my lap. A psychologist might say I have some "issues" since I get excited from the thought of infecting hapless Windows machines.
Alert: Hacked Hong Kong Porn Site Spews IE Attacks
Commentary  |  12/15/2008  | 
Microsoft is warning of a large increase in the number of attacks aimed at an Internet Explorer vulnerability left unpatched last week. Some of the early attacks originated from a compromised Hong Kong porn server, but the number of infected legitimate sites is in the thousands and climbing rapidly.
Internet Explorer XML Flaw Attacks Heat Up
Commentary  |  12/14/2008  | 
At first, we thought the XML exploits targeting the flaws discussed in Microsoft Security Advisory 961051 affected only Internet Explorer 7. However, many more versions of IE are affected, and exploits are moving in the wild.
USB Flash Drive Network Weaponization
Commentary  |  12/12/2008  | 
Last month, the U.S. Department of Defense took drastic measures to stomp out a "rapidly spreading worm crawling across their networks" by banning USB flash drives and other removable media (see Wired's "Under Worm Assault, Military Bans Disks, USB Drives"). While knee-jerk reactions like this are sometimes useful to curb particular issues, quite often they wind up ineffective in the long term because decisions
Most Vulnerable Apps Include Most Popular Apps
Commentary  |  12/12/2008  | 
A new list of the most vulnerable applications in widespread business use is populated with many of the most popular applications in business use -- whether or not their use is actually authorized by the business.
President-Elect Barack Obama Offers InfoSec Bailout Plan
Commentary  |  12/11/2008  | 
While the president-elect may not realize it's what he's working on -- he is. And savvy security vendors already should be revamping their marketing plans for the InfoSec Stimulus Package of 2009.
Facebook Fear Factors: Social Nets And Business Risk
Commentary  |  12/11/2008  | 
Facebook and other social networks are as hot at work as elsewhere. And therein, according to a security executive, lies a very big rub. More than one, actually.
Free Software to Protect Virtual Machines in the Cloud: Third Brigade VMware Protection
Commentary  |  12/11/2008  | 
There are some ways to effectively begin securing your information in the cloud. We've recently been pondering whether one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.
Security Budgets Insecure, Criminals Confident
Commentary  |  12/10/2008  | 
Cutbacks across the board mean cutbacks in security, obviously. And that's just what the crooks are counting on.
Chasing A Moving Target
Commentary  |  12/10/2008  | 
Coping with a Microsoft "Black Tuesday" is bad enough when there are 28 vulnerabilities being patched, but add to it a zero-day vulnerability in Internet Explorer 7 (IE) that's being exploited in the wild and it could turn into a pretty bad week. Since none of the patches released by Microsoft during their normal December patch cycle address t
Security Recession Proof?
Commentary  |  12/9/2008  | 
There have been numerous stories lately about whether or not IT security is recession proof. The answer is: no.
Cybercrime Wave Becoming Tsunami
Commentary  |  12/9/2008  | 
Cybercrime figures and analysis out from Finjan and McAfee today tell us what we already know but can't be reminded of too often: the criminal side of the Web is hot and getting hotter, with 2009 already looking like a bad year for everybody but the crooks.
The No Migration Strategy
Commentary  |  12/9/2008  | 
I am a believer in getting old data off primary storage as fast as possible and previous entries have discussed manual migration, agent migration, and global file systems. One I have missed is the no migration strategy.
When It Comes To Database Security: Enterprises Seem Confused
Commentary  |  12/8/2008  | 
This October, research firm Enterprise Strategy Group surveyed 179 North American businesses with 1,000-plus employees about their database security efforts. The survey results (published today) reveal the bifurcated nature and the scary state of database security.
Cybersecurity Battles Loom For New Administration
Commentary  |  12/8/2008  | 
A report released today argues that the U.S. is losing ground in the cybersecurity war. Reversing that trend will be a major challenge for the new administration -- for whom the report was prepared.
Crossing The Streams -- Virtually
Commentary  |  12/8/2008  | 
Everywhere I go, virtualization is being used. No matter the size of the organization, virtualization has taken off with what appears to be very little concern about security. As security professionals, we know not to mix security domains across the same physical machines or cluster. Why? The answer is simple. A vulnerability could exist in the virtualization product that would allow an attacker to exploit a less secure, or lower value, guest VM, allowing them to run arbitrary code on the host
Air Force Seeks (Non Lethal) City Stopper
Commentary  |  12/7/2008  | 
While it won't destroy buildings, or directly kill people, it will shut down everything in its path with a power button.
Is Obama's Mac A National Security Risk -- And Will He Be Allowed To Keep It?
Commentary  |  12/5/2008  | 
There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple a few months ago, which certa
Drive IN Efficiency
Commentary  |  12/5/2008  | 
In 2009, IT professionals will be asked yet again to do more with less. Much of this focus will be on "driving out cost" projects like primary storage reduction, archiving, and further server consolidation through virtualization. All good projects, but don't forget that you also will be asked to manage all this and your current environment with less staff, hence your need to drive IN efficiency.
Big--BIG--Microsoft Patch Tuesday Coming. Do You Care?
Commentary  |  12/5/2008  | 
Next Tuesday is the last Microsoft "Patch Tuesday" of 2008, and signs are it's going to be a big one. Patches will be released to plug eight vulnerabilities. Six of those are labeled critical. And a fair percentage of users won't pay any more attention to these patches than they do to others.
Secure USB Drive Comes To OS X
Commentary  |  12/4/2008  | 
There are plenty of USB thumb drives with native encryption, such as IronKey, available -- if you're a PC user. Today, SanDisk announced its secure USB flash drive that supports OS X. It's about time.
2% Of Windows PCs Are Patched. The Rest -- YIKES!
Commentary  |  12/4/2008  | 
Think your PCs are fully patched? Think again. New research from Secunia shows less than 2 percent of the world's PCs are completely patched. And the situation's getting worse.