Commentary
Content posted in April 2009
Page 1 / 2   >   >>
Spam Close To 2 Year High: 85% Of Mail Now Spam
Commentary  |  4/30/2009  | 
Nobody really expected spam levels to stay low after the McColo takedown last year and, as a new MessageLabs report shows, they haven't. In fact, spam levels are as high as they've been in 19 months, crossing the 85% level for the first time since September '87.
Cloud Security Needs Its Rainmaker
Commentary  |  4/29/2009  | 
The Cloud Security Alliance (CSA) made its inaugural splash at last week's RSA Security Conference 2009 in San Francisco. The group kicked off an ambitious white paper that attempts to define everything from the architecture of cloud services to the impact of cloud services on litigation and encryption. It was a herculean effort to try to get this off the ground. And there is still much more work to do -- especially in the one area the group left out.
Cloud Antivirus Promises A New Approach From Panda Security
Commentary  |  4/29/2009  | 
The free software is designed to scan the cloud to collect antivirus signatures, leading to faster protection from the newest viruses and less load on end-user computers.
Adobe Exploit Sheds Light On Bigger Risk Management Issue
Commentary  |  4/29/2009  | 
Batten down the hatches: It's zero-day exploitation time for Adobe Reader and Acrobat. But according to Adobe's blog post yesterday, "we are currently not aware of any reports of exploits in the wild for this issue." Is that the kind of statement you would feel comfortable taking to your CIO or CIS
Application Aware Storage and Protection
Commentary  |  4/29/2009  | 
In storage, its easy to forget that it is all about the application, especially when it comes to protection and more importantly recovery of that application. There is a wide variety of storage data protection from basic RAID to snapshots. There is an even wider variety of data protection software that provides multiple levels of protection, but between the two there is only rudimentary understanding of the application.
bMighty bSecure Virtual Event: SMB Security On A Budget - Today!
Commentary  |  4/29/2009  | 
When times get tough, it's all too tempting to push security concerns aside -- especially at small and midsize companies with shrinking IT budgets. Fortunately, you don't have to make that mistake, there are ways to address security issues without breaking the bank. Today -- Wednesday, April 29 -- the bMighty bSecure virtual event brings together business and security experts to show you how
Federal Reserve IT Analyst Arrest Highlights Internal Threat
Commentary  |  4/28/2009  | 
I've always had a pick with the trite and hackneyed marketing hype among IT security vendors who repeated the "insiders conduct the most attacks," or "Insiders are the greatest risk." This most recent arrest stokes the debate that was rekindled with the recent release of Verizon Business' 2009 Data Breach Investigations Report.
Swine Flu Outbreak Brings Out Swineflu Web Scams
Commentary  |  4/28/2009  | 
Swine Flu's making headlines and making people nervous, which is leading people to look for swineflu information on the Web. No surprise that the cybercrooks are setting up swine flu scam addresses and sites.
Just Because Security Budget Takes A Hit, Doesn't Mean Security Has To
Commentary  |  4/28/2009  | 
At last week's RSA Conference in San Francisco, there was as much talk about the economy as there was on IT security. And while the show appeared to pull a healthy number of attendees, at times the show floor seemed filled with more vendor reps and consultants, than IT buyers. But a few studies released last week show while vendor's may like to hype fear, the infosec economy certainly isn't all gloom and doom.
Privacy Policies Matter. No, Really. They Do.
Commentary  |  4/27/2009  | 
Forces as dissimilar as the Federal Trade Commission and Google seem to be aligning to reinforce the importance of protecting the privacy of your company's online customers.
The Real Costs Of Laptop Loss
Commentary  |  4/27/2009  | 
How many movies have you seen where the bad guy is just about to get caught and interrogated when he bites down on a cyanide capsule and dies almost instantaneously? It's a pretty common scene that I've seen in movies as recent as "The Watchmen." Similar solutions, like virtual cyanide capsules, exist that can address lost or stolen electronic devices, and a study released by Intel and the Ponemon Institute last week highlights the importance of those products.
RSA's Five Big Takeaways
Commentary  |  4/27/2009  | 
Swag was scarce, attendee counts were down, and a few vendors opted not to exhibit this year, but last week's annual RSA Conference in San Francisco was still the obligatory get-together for security experts and vendors, sprinkled with loads of product and partner announcements and high-profile keynote speakers. The trouble with a show as large as the RSA Conference, of course, is that you can't see it all. So here's a synopsis of just some of the more memorable moments:
Will SSD Delay FCoE?
Commentary  |  4/27/2009  | 
In a recent entry we discussed the impact of Solid State Disk (SSD) on the IO infrastructure. Where SSD may have the most significant impact is on the adoption of 8GB fibre vs. Fibre Channel over Ethernet (FCoE). SSD has a performance profile that is worthy of the 10GB speeds of FCoE but will FCoE be adopted quickly enough by IT prior to SSD on 8GB Fibre establishing a foot hold?
The High Cost Of Not Spending On Security
Commentary  |  4/27/2009  | 
Slashing your security budget might be tempting in these tight times, but a security breach will cost you far more than you save. Recent IT spending surveys show that many tech leaders see security as a top priority whereas others are trimming security spending and putting their organizations at increased risk of a security breach.
Conficker Making Its Move, Finally
Commentary  |  4/26/2009  | 
After months of hype and, admit it it, hysteria, the Conficker worm has finally been getting getting down to work, spewing spam and pushing popups warning that the user's computers are infected (Ya think?) with viruses.
Taking Some Of The Sting Out Of Data Breaches
Commentary  |  4/24/2009  | 
Anyone who has suffered a recent data breach involving regulatory or legislative data knows the investigation can be an excruciating process. The investigation is subject to time constraints as to how long it takes time to prepare and notify affected individuals. Statutes may apply to the company requiring customers to be notified within X number of days. And, of course, breaches never occur when it's convenient for the victim. So what can you do to streamline the investigative process and make
Social Networks A New Security Frontline
Commentary  |  4/23/2009  | 
USA Today ran an interesting story about how cybercriminals are using social media in greater numbers to attack users. What started as a trickle last year has quickly sprung to an open fire hydrant, as criminals turn to low-paid grunts to crack captchas.
What Part Of Disaster Recovery Don't You Understand? (bMighty Wants To Know!)
Commentary  |  4/23/2009  | 
Disaster Recovery planning and preparation remains one of the great vulnerabilities of small and midsized businesses (and plenty of big businesses, too). Why do so many businesses avoid taking the time and spending the money to prep themselves for disasters that may never happen? The three most common answers are in that question.
DeDupe Team Up
Commentary  |  4/23/2009  | 
There is a growing trend in storage lately, the concept of a manufacturer tapping another developer to help them compete in the market. This allows two smaller suppliers to team up against the larger suppliers. One of the best examples of this is NAS vendors adding deduplication functionality to their systems.
10 After-Tax-Filing Security Tips
Commentary  |  4/23/2009  | 
Filing your taxes isn't the end of the story. You've also got to be sure that you the electronic information you submit doesn't fall prey to identity theft. Think it can't happen to you? Tell that to the 10 million Americans who had their identity stolen last year.
Third-Party App Updates, Unite!
Commentary  |  4/22/2009  | 
Unite, unite, UNITE! It's a great fight song being preached by Secunia at this week's RSA Conference. In "Secunia Pushes For Standard That Updates Consumer Apps," here on Dark Reading, Secunia's effort to unify patching was discussed with some interesting statistics from the recent Microsoft Incident Report. According to the report, 90 percent of vulnerabilities present on Windows system
Being Secure While Being Green
Commentary  |  4/22/2009  | 
Tossing out digital devices with data on them is a security risk. Disposing of digital devices improperly, with or without data present, is an environmental risk.
NSA Does Not Want To Lead U.S. Cybersecurity Efforts. This Is Good News
Commentary  |  4/21/2009  | 
Lt. Gen. Keith Alexander told a packed security audience here at the RSA Conference 2009 that the National Security Agency wants to help support the nation's critical IT security infrastructure efforts as part of a "team" effort. And that the NSA isn't interesting in the job of running the security of the critical IT security infrastructure.
Analyzing Security Psychology
Commentary  |  4/21/2009  | 
The integration of psychology into the security strategic-thinking process is critical for the advancement of information security. The human element influences all security controls because all of these controls seek to regulate human behavior.
Disappointed In Thin?
Commentary  |  4/21/2009  | 
In a recent review of Symantec's 2009 Stop Buying Storage Survey, an odd result on thin provisioning might get overlooked. 42% of users are essentially disappointed in their thin provisioning investment, and another 37% only indicated seeing moderate improvement. If you aren't in the small group that saw significant improvement, you may have invested in the wrong thin provisioning technology.
Symantec Beefs Up Its SMB Security Line
Commentary  |  4/21/2009  | 
Symantec used this weeks RSA convention to roll out a pair of new security products aimed at small and midsize companies. The Symantec Protection Suite combines endpoint and messaging protection with data recovery to create a layered approach to security, while the Symantec Endpoint Protection Small Business Edition is designed to make SMB security easy to install and manage.
The Human Element Behind Malware-Related Breaches
Commentary  |  4/20/2009  | 
Last year, the Verizon Data Breach Investigation Report made a big splash with insightful statistics on actual data breach investigations performed by the company's incident response team. Last week, the team released an updated version (PDF) for 2009 that includes more data, as well as an interesting look at what happened during the past year. What's grabbing my attention? The numbers related to malwa
Oracle's Acquisition of Sun Changes Identity Management Landscape
Commentary  |  4/20/2009  | 
Oracle's stealing Sun at the altar of a possible marriage with IBM not only saves Oracle from a long-standing partnership going stale, but also significantly bolsters Oracle's security capabilities.
I'm Interested, But In You
Commentary  |  4/20/2009  | 
Social engineering is a disturbing aspect of overall security threat analysis because it is the human element that is least in our control. Security and psychology -- once again -- go hand in hand.
Apps Bypassing Business Security -- Bigtime!
Commentary  |  4/20/2009  | 
Those applications your employees use (whether you want them to or not) are making it easier for them to bypass security systems and controls. A new report from firewall company Palo Alto Networks shows just how easy -- and just how serious the problem is.
Botnets: Coming To A Social Network Near You
Commentary  |  4/17/2009  | 
I've dealt with a lot of different types of bots. The communication channels among them have varied from unsophisticated IRC command and control (C&C) servers to advanced peer-to-peer (P2P) protocols. For botnet herders, the challenge is flying under the radar of network security professionals who are monitoring their networks and looking for anomalies. The infosec pros who know their networks inside and out are likely to pick up on strange protocols pretty quickly -- which is one of the reasons
SSD And The Infrastructure
Commentary  |  4/17/2009  | 
In a recent blog on InformationWeek's sister site Internet Evolution, David Vellante's "Flash Drives Set to Give Internet a Performance Boost" suggests that fibre drives might be replaced by flash drives within the next three years. In our presentation last year on "The State of SSD" we made a similar prediction. Since David and I agr
Netgear Unified Threat Management Appliances Aimed At Small Business Gateways
Commentary  |  4/17/2009  | 
Netgear's just announced ProSecure Unified Threat Management (UTM) appliances aim to identify threats in the cloud, block them at the gateway, and to do so at prices aggressively aimed at small business budgets, even in tight economic times.
Insecurity The Price Of Ubiquity
Commentary  |  4/16/2009  | 
The mainstream media seems enamored by the ubiquitous Internet, but it's not doing much to reveal the risks of interconnected computers.
Data Breaches WAY Up In 2008; 90% Of Them Easily Preventable
Commentary  |  4/16/2009  | 
According to a new Verizon study, 2008 saw more instances of data breaches than the preceding four years combined. And considering how easily most of those breaches could be prevented -- but weren't -- my guess is that 2008 won't hold the record for long.
The Certainty Of Death, Taxes and Malware
Commentary  |  4/15/2009  | 
In a letter to Jean-Baptiste Leroy, Benjamin Franklin spoke of the seemingly permanent outlook for the new Constitution, and followed up with "but in this world nothing can be said to be certain, except death and taxes." I don't think we can disagree about any of those points, especially with today being when the tax man cometh. However, I think we can add something else to that quote about certainty: malware.
With More Urgency Than Usual, Apply This Month's Batch of Microsoft Patches
Commentary  |  4/14/2009  | 
Exploits are already out in the wild for a number of the vulnerabilities patched just today.
Got Any Good Disaster Stories? Got Any Good (Or Better!) Recovery Stories?
Commentary  |  4/14/2009  | 
Disaster strikes! And businesses that are prepared spring into Recovery Mode, missing as few business beats as possible. How prepared is your business for disaster? (More importantly, how prepared are you for recovery?) And have you ever had to test your planning for real? bMighty wants to know.
Primary Storage Optimization Compromises
Commentary  |  4/13/2009  | 
Primary file system storage optimization, i.e. squeezing more data into the same space, continues to grow in popularity. The challenge is that the deduplication of primary storage is not without its rules. You can't dedupe this, you can dedupe that and you have to be cognizant of the performance impact on a deduplicated volume.
Get Ready To Patch
Commentary  |  4/13/2009  | 
Organizations need to prep for a pretty significant set of patches that are scheduled to be rolling out from Redmond tomorrow. It's the most security patch updates from Microsoft in nearly six months.
New Web Vulnerability Tool Is Passive But Aggressive
Commentary  |  4/13/2009  | 
Every couple of weeks, a project comes across my desk that requires some sort of Web application vulnerability assessment or penetration test. It's one of the more fun things I get to do, and I rely on a quite a few different tools during each engagement. While most people relatively unfamiliar with Web app security think of active scanning apps such as Cenzic and WebInspect when they think Web app testing, quite a few of the tools I use fall into the passive analysis category.
Twitter Worm Strikes; Teen Worm Creator Feels Pretty Bad About It
Commentary  |  4/13/2009  | 
This weekend's Twitter worm(s) problem is turning into this week's Twitter worm(s) problem, and is a reminder that as social networks come of age so do social net risks. Good thing the kid who created the worms feels bad about it.
Worm Hits Twitter Over Easter Weekend
Commentary  |  4/13/2009  | 
A multi-day attack infected numerous user accounts on the popular micro-blogging platform. Reports say malicious code is still active.
Black Hat Europe: Interesting InfoSec Research Ahead (Be Afraid)
Commentary  |  4/11/2009  | 
I always enjoy the Black Hat sessions. The conference leans much more on the technical side of things, more so than the humungous brochure-fest known as RSA. Black Hat Europe is next week April 14th through 17th. And while I won't be able to (unfortunately) attend, there's a number of sessions I wouldn't miss if I was able to hope a flight to Amsterdam.
Webcam Captures Burglars
Commentary  |  4/10/2009  | 
The Internet gets plenty of blame for facilitating crimes, but it deserves at least as much credit for solving them. Consider the case of 43-year-old Jeanne Thomas of Boynton Beach, Florida, who was at work in Fort Lauderdale on Wednesday, watching her home through a live video feed from a desktop Webcam, when she saw two intruders enter her house.
Optimize Cloud Storage, Flash Storage And Deduplication
Commentary  |  4/10/2009  | 
In our last entry we discussed the growing importance of efficiency. Tools and better storage systems can help make IT Administrators more efficient. The other option is to keep throwing new technology at the problem. Cloud Storage, Flash Storage and Deduplication are great examples.
SMB Security Spending Holding Steady, SMB Vulnerabilities Holding Steady Too
Commentary  |  4/9/2009  | 
A new Symantec survey indicates that small and midsized business security budgets are either holding at established levels or growing slightly, despite t6he economic downturn. Good thing, too, because the survey also found high levels of vulnerabilities, including a third of businesses running no anti-virus protection.
Efficiency A Key Objective For 2009
Commentary  |  4/9/2009  | 
2009, more so than any year, IT professionals are looking for ways to drive out costs. Technologies like deduplication, compression and server virtualization all try to lower the IT expenditures and these technologies have been successful at doing just that. The challenge however is that each of these technologies potentially compounds the challenge of making IT Operations more efficient by putting more workload in the same space.
WSJ's Meatless 'Spies' Story
Commentary  |  4/8/2009  | 
Wednesday's Wall Street Journal article reporting that the U.S. power grid had been infiltrated by Chinese and Russian "cyberspies" likely caused a few people to choke on their Cheerios. But it left the security community -- already jaded with stories of SCADA and power-grid vulnerabilities, and with assumptions that the grid had been hacked a long time ago -- hungry for more.
F-Response 3.09 Preview
Commentary  |  4/8/2009  | 
I've written a little about F-Response before. It's an incident response and forensic tool that gives investigators and responders the ability to access a running computer system's hard drive and physical memory in a read-only manner. Your analysis workstation connects over iSCSI to the target machine, and you can use practically any forensic tool to conduct analysis and imaging. I have used it with Forensic Toolkit (FTK), Encase, FTK Imager, Memoryze, and X-Ways. It's a great "enabler" tool tha
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.