Apple Without Jobs: Who Secures A Company's Heart?
Very often a founder is the heart of a unique, successful company, or in the case of IBM it was actually the son of the founder, Thomas Watson Jr. All the focus this week on the likely departure of Steve Jobs from Apple has me thinking back about one of my very first jobs at Disney shortly after Walt died. In many ways these men embodied more than their companies' brands: They embodied a way of thinking about business that wasn't defined in dollars and cents; it was defined by imagination, carin
The (Not Quite) End Of Security On The Internet
Speaking at the 25th annual Chaos Communication Congress in Berlin, security researchers showed how they developed a rogue (forged) Certificate Authority digital certificate. Yes, this is a big deal. But no, the Internet isn't broken.
ID Theft and Police Scanners
When asked why he robbed banks, the flamboyant criminal Willie Sutton answered, "Because that's where the money is." That's the perfect example of how the principle of Occam's razor applies to crime: the simplest solution to a problem is often the best one. With the economic downturn, high unemployment rates, and the booming business of identity fraud, would-be criminals are on the lookout for easy methods to get access to personal information. And we stumbled across one such way during a rece
Cloud Computing Security: What About It?
I'm always trolling the Web for insight into the latest technology trends, and how these trends could impact both how we use technology and how it may change how we secure our data. During my pursuit for knowledge, I'll often run into bone-headed comments and blogs, and when I do, for the most part, I just shrug them off. Today's experience isn't one of those times.
SIFT Workstation And Resources For Aspiring Forensic Examiners
Rob Lee of Mandiant and a faculty fellow from the SANS Institute gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob has developed the SIFT Workstation for the SANS course he developed and teaches, which is ve
CastleCops Phish Fighters Close Site
Quietly, just before Christmas, six year old volunteer anti-phishing group CastleCops closed its Web site, noting in an open letter that "all things come to an end." True enough, but the example CastleCops set deserves to live on, and be emulated.
Yes, Virginia, There Will Be More Attacks
This is the time of year when the editor of a publication usually issues a warm and fuzzy holiday message that's supposed to make you want to gather around the fire with your family for a group hug.
Unless, of course, your publication has to do with information security.
Cloud Storage Is About Dispersion
Cloud storage is destined to be one of the hottest markets next year. It is one of those technologies that is actually aided by a down economy. As IT budgets remain flat or decline, the need for storage capacity will accelerate. The ability to buy that storage as you need it instead of all at once will be interesting. Additionally, Web 2.0 and other Internet-enabled services are supposed to continue to thrive, and all these will need storage as well.
Quick Take: Check Point Frees Nokia To Be Nokia
To IT security industry watchers, the move announced today that Check Point Software Technologies is acquiring Nokia's security business is no shocker. And perhaps it will enable Check Point to start doing what it should have been doing all along: innovating more.
Database Breach Preparedness
A copy of "SQL Server Forensic Analysis," by Kevvie Fowler, arrived in my mailbox today. I'd been looking forward it to because it is a highly topical subject given all of the data breaches that have occurred in the past couple of years involving databases. David Litchfield has produced numerous whitepapers and presented on the topic of Orac
Has Microsoft's Trustworthy Computing Got Us Anywhere?
As we noted earlier this week, Microsoft learned of a vulnerability in IE 7 on "Patch Tuesday," Dec. 9, and had a fix published for download eight days later. Now, Microsoft's Michael Howard, from the security engineering team, takes an interesting look at the lessons learned.
The 2009 Security Tsunami
Many in the United States think the party in power has sacrificed too much privacy and liberty in order to address security concerns, particularly in regard to terrorism. The incoming administration is likely to undo a lot of this, but, at the same time, a massive number of very upset people with and without tech skills are going to find themselves jobless.
Trust Trumps Price For Cybershoppers
The hope that tight economic times are driving shoppers Webward in search of better prices carries a caveat: By a factor of ten to one, online shoppers place a higher value on trust and security than on bargains, according to recent research from VeriSign.
IE7 Zero-Day Lessons
The recent zero-day IE7 vulnerability is a big deal. Hackers used it to hack into hundreds of thousands of machines, if not millions. Both IE7 and Vista are vastly more secure than their predecessors, yet this bug sliced right through them to give the hacker a robust exploit. We need to do a post mortem of this event to figure out what we should do in the future.
How Storage Latency Affects Performance
A few entries ago I introduced the subject of latency as impedance to storage performance. The biggest area of concern is what impact storage latency has on application performance. This is an area where solid state disk (SSD) solutions can make a difference that standard mechanical drive solutions struggle to solve.
Nostalgic For Cybercrime
I spent last week serving as a juror in a murder trial. Jury duty is a bit like living in an alternate universe: You live and breathe the trial, but you can't say a word about it to anyone until it's all over. I was unable to discuss what I was hearing each day in the courtroom and prohibited from watching or reading the news so that I wouldn't inadvertently hear any press on the case. And my fellow jurors and I weren't allowed to talk at all about the case until our deliberations.
OS X Users: Apple Unleashes Security Updates
Colleague Paul McDougall covered the release of Apple's OS X 10.5.6 update, which includes 36 new fixes. We're now taking a look at the security updates, and there are quite a few. Many are critical to get patched.
DNSChanger Trojan Spoofs DHCP Responses To Unsuspecting Victims
Malware analysis has been a small obsession of mine for at least the past four years. I always have a virtual machine sitting around just waiting to be subjected to the next unknown executable that lands in my lap. A psychologist might say I have some "issues" since I get excited from the thought of infecting hapless Windows machines.
Alert: Hacked Hong Kong Porn Site Spews IE Attacks
Microsoft is warning of a large increase in the number of attacks aimed at an Internet Explorer vulnerability left unpatched last week. Some of the early attacks originated from a compromised Hong Kong pornserver, but the number of infected legitimate sites is in the thousands and climbing rapidly.
Internet Explorer XML Flaw Attacks Heat Up
At first, we thought the XML exploits targeting the flaws discussed in Microsoft Security Advisory 961051 affected only Internet Explorer 7. However, many more versions of IE are affected, and exploits are moving in the wild.
USB Flash Drive Network Weaponization
Last month, the U.S. Department of Defense took drastic measures to stomp out a "rapidly spreading worm crawling across their networks" by banning USB flash drives and other removable media (see Wired's "Under Worm Assault, Military Bans Disks, USB Drives"). While knee-jerk reactions like this are sometimes useful to curb particular issues, quite often they wind up ineffective in the long term because decisions
Most Vulnerable Apps Include Most Popular Apps
A new list of the most vulnerable applications in widespread business use is populated with many of the most popular applications in business use -- whether or not their use is actually authorized by the business.
Free Software to Protect Virtual Machines in the Cloud: Third Brigade VMware Protection
There are some ways to effectively begin securing your information in the cloud. We've recently been pondering whether one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.
Security Recession Proof?
There have been numerous stories lately about whether or not IT security is recession proof. The answer is: no
Cybercrime Wave Becoming Tsunami
Cybercrime figures and analysis out from Finjan and McAfee today tell us what we already know but can't be reminded of too often: the criminal side of the Web is hot and getting hotter, with 2009 already looking like a bad year for everybody but the crooks.
When It Comes To Database Security: Enterprises Seem Confused
This October, research firm Enterprise Strategy Group surveyed 179 North American businesses with 1,000-plus employees about their database security efforts. The survey results (published today) reveal the bifurcated nature and the scary state of database security.
Cybersecurity Battles Loom For New Administration
A report released today argues that the U.S. is losing ground in the cybersecurity war. Reversing that trend will be a major challenge for the new administration -- for whom the report was prepared.
Crossing The Streams -- Virtually
Everywhere I go, virtualization is being used. No matter the size of the organization, virtualization has taken off with, what appears to be, very little concern about security. As security professionals, we know not to mix security domains across the same physical machines or cluster. Why? The answer is simple. A vulnerability could exist in the virtualization product that would allow an attacker to exploit a less secure, or lower value, guest VM allowing them to run arbitrary code on the host
Drive IN Efficiency
In 2009, IT professionals will be asked yet again to do more with less. Much of this focus will be on "driving out cost" projects like primary storage reduction, archiving, and further server consolidation through virtualization. All good projects, but don't forget that you also will be asked to manage all this and your current environment with less staff, hence your need to drive IN efficiency.
Big--BIG--Microsoft Patch Tuesday Coming. Do You Care?
Next Tuesday is the last Microsoft "Patch Tuesday" of 2008, and signs are it's going to be a big one. Patches will be released to plug eight vulnerabilities. Six of those are labeled critical. And a fair percentage of users won't pay any more attention to these patches than they do to others.
Secure USB Drive Comes To OS X
There are plenty of USB thumb drives with native encryption, such as IronKey, available -- if you're a PC user. Today, SanDisk announced its secure USB flash drive that supports OS X. It's about time.