Commentary

Content posted in April 2010
Microsoft Issues Workaround For Serious SharePoint Vulnerability
Commentary  |  4/30/2010  | 
While not a complete patch, the software maker has issued guidance detailing how to mitigate a serious vulnerability that places corporate data at-risk to snooping and theft.
Sending Email, Web Security To The Cloud
Commentary  |  4/30/2010  | 
E-mail and Web security outsourcing are gaining more momentum as resource-strapped companies look for ways to tighten their IT belts. IT shops are constantly being asked to do more with less, and it's often security that gets more budget cuts since it's an IT area that doesn't contribute directly to a company making money.
Storage Checkers Vs. Chess
Commentary  |  4/30/2010  | 
Checkers is a two-dimensional game where all the pieces have the same ability. It's about covering space. Chess is a complex three-dimensional game where all the pieces have different capabilities and there is one common target: the enemy's king. In storage some features begin to look like checkers because they have become so commonplace, but when you dig deeper you find that the capabilities of these features vary greatly between vendors.
Al Qaeda Implicated In Cyberattacks
Commentary  |  4/30/2010  | 
Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what proof of accountability in Internet attacks is, and how many of us jump to conclusions about countries, such as China, without it.
Data Breaches More Costly In U.S. Than Elsewhere
Commentary  |  4/29/2010  | 
Data breaches cost U.S. companies twice as much as they do in other countries, according to a new Ponemon Institute study. Which adds up to twice as many reasons not to get breached!
Fixing Storage Utilization Without A Refresh
Commentary  |  4/29/2010  | 
In the final part of our storage utilization series we address how to improve storage utilization without refreshing the storage itself. This is, unfortunately, the most difficult way to improve storage utilization.
When It Comes To Data Breaches, U.S. Most Costly
Commentary  |  4/28/2010  | 
Research published today shows that the average cost of a data breach, globally, is about $3.43 million per incident and $142 per compromised record. But that's not the entire story.
Microsoft SIR, Dissected
Commentary  |  4/28/2010  | 
Microsoft published Version 8 of its Security Intelligence Report (SIR) this week. The report covers the second half of 2009 and is a massive piece of information with almost 250 pages.
Medical Records Keep Getting Dumped
Commentary  |  4/27/2010  | 
Why were possibly thousands of private patient records found dumped outside the closed offices of a physical therapy center?
Trusting 'Trusted' Sites Again
Commentary  |  4/27/2010  | 
I've been teaching a user security awareness and training course to faculty and staff at our university. One of the great aspects of the class is the discussions that develop out of the participants' questions, like the security of social networks and how to use wireless securely while on the road. Lately, I've been getting one question more and more often: How do I know if a site is safe?
What To Look For In A Primary Storage Refresh
Commentary  |  4/26/2010  | 
In our last entry we covered how the potential to increase storage utilization may help justify a storage refresh. If you are in a position to refresh your primary storage platform or you think the last entry may help you do that a little sooner than normal, what should you be looking for in your next storage platform?
McAfee's Mess, SEC's Sex Problem And What SMBs Can Learn From Each
Commentary  |  4/26/2010  | 
Last week's McAfee release of a virus def file that didn't play well (to say the least!) with Windows XP SP3, along with unrelated revelations about the amount of pornsurfing going on at the SEC offers the chance to think a little bit about each problem -- and what your business has done and can do to avoid getting tagged by similar ones.
How Well Do Hospitals Protect Your Data? Abysmally
Commentary  |  4/24/2010  | 
A just released survey of about 200 compliance executives in hospitals from around the country shows that data breaches and medical identity theft continue to soar.
CSRF Attacks Get New PoC Creation Tool
Commentary  |  4/21/2010  | 
Cross site request forgery (CSRF) is a powerful attack that can have devastating consequences. It's not a new attack, but new tools are released every year because Web developers don't always write secure code that can prevent these attacks. Often, CSRF vulnerabilities go undetected because automated scanners have difficulty detecting them.
Justifying An Early Storage Refresh
Commentary  |  4/21/2010  | 
Our last entry covered ways to increase storage utilization. There are three options; live with under-utilization (easy but costly), refresh your current storage (easy but potentially expensive) or making what you have more efficient (potentially time consuming but potentially inexpensive). Most data centers have a schedule to refresh their current storage systems at some point in the future. In this ent
Network Solutions Hack Highlights Hosting Risks
Commentary  |  4/20/2010  | 
Website hosting vendor Network Solutions Inc. (NSI) has been forced to cleanse its customer Websites after a few "thousand" sites were attacked after an unspecified number of NSI's shared servers were infiltrated.
PCI: Data Token Alternatives
Commentary  |  4/20/2010  | 
When a merchant cannot -- or will not -- replace credit card numbers with tokens provided by its payment processor, how does it secure its database to be PCI-compliant?
Google Chrome Attracting Hacker Attention
Commentary  |  4/20/2010  | 
The good news: at a recent security conference, Google Chrome got kudos as the hardest browser to hack. The bad news: a new hack is targeting possibly overconfident Chrome users and tagging them with malware.
California Senate Moves On New Data Breach Law
Commentary  |  4/19/2010  | 
With 2003's landmark data breach notification law, SB-1386, California set the tone for the wave of state breach notification laws that would follow. Today, more states have similar laws than don't. Last week, the California Senate approved SB-1166 which aims to add more detail to the existing law.
Log Review Checklist For Responders Under Fire
Commentary  |  4/19/2010  | 
Checklists are one of the most important things for first responders to have access to when responding to an incident. The reasons are many, and most of them tend to fall back on the human nature of the first responder. Incident response can impose a lot of stress on an individual, whether from management or from the sheer criticality of the potentially hacked resource, and under that stress it can be easy to miss a step or remember a command incorrectly.
Increasing Storage Utilization Rates
Commentary  |  4/19/2010  | 
In a recent entry by John Foley he discusses some of the pros and cons for leveraging cloud computing to increase IT efficiency in the Federal Government. One of the more startling statements is how low utilization of storage is. Of course low utilization is not the sole problem of Federal IT, the private sector has its challenges with storage utilization as well. What can be done to inc
New Full Disclosure, Website Vulnerabilities Database
Commentary  |  4/16/2010  | 
The biggest news in security circles in the past day or so is the new full disclosure site, Vulnerable Sites DB database.
Attacking Electronic Door Access Control Systems
Commentary  |  4/16/2010  | 
A friend recently pointed me to some research he has been doing with embedded door access control systems, as well as some of the vulnerabilities he has uncovered. Some of his findings were recently disclosed at Carolinacon, with more to come during his presentation at Hack in the Box.
Bridging The Gap Between Training And Operations
Commentary  |  4/15/2010  | 
The EDUCAUSE Security Professionals Conference is a great conference for IT staff from higher education to meet and learn about deploying and managing security tools like OSSEC and Bro IDS, hear how others are dealing with compliance issues, and network with other professionals interested in security.
FCoE Poised For Adoption
Commentary  |  4/15/2010  | 
FCoE adoption is getting ready to pick up steam. That's my take from Storage Networking World (SNW). The FCoE sessions and labs seemed well attended. This means that users are getting ready to deploy the technology, and of course, some already have.
Websites Vulnerable To New Clickjacking Techniques
Commentary  |  4/15/2010  | 
At Black Hat Europe, UK-based security researcher Paul Stone has demonstrated new and seemingly powerful attacks that dupe users into activating malicious links on Web sites without their even knowing it.
NSA Director On The Cyber-Counterattack
Commentary  |  4/15/2010  | 
According to an Associated Press report, the director of the National Security Agency told Congress the U.S. should respond in force to computer-based attacks -- even when the attacker is not known. Is that possible, and is it a good idea?
Shrinkage! SMB Security Budget Cuts Could Cost More Than They Save
Commentary  |  4/14/2010  | 
The combination of a lousy economy and an increasingly sophisticated threat environment has resulted in SMB security spending that's flat or shrinking. Just what the crooks are counting on!
BitTorrent Scareware Scam Targets Copyright Pirates
Commentary  |  4/13/2010  | 
A new malware scam is going after pirates, of all people -- preying on file-sharers' copyright violation paranoia.
Nmap Does Much More Than Network Discovery
Commentary  |  4/12/2010  | 
Nmap is among a network penetration tester's best friends, sitting high on a pedestal with the Metasploit Framework. I've been using the tool my entire career for network mapping and host discovery, typically on a weekly basis.
The Best Protocol For The Entry Level SAN
Commentary  |  4/12/2010  | 
When the time comes to select your first shared storage system or even a second, one of the key points of debate is going to be what protocol you should use for it. The choices today can be somewhat staggering. At a minimum there is fibre, iSCSI and the NAS protocols CIFS and NFS, but there are also several new protocols that you may want to explore.
Big Patch Tuesday On Way
Commentary  |  4/12/2010  | 
Tomorrow, Microsoft will patch 25 flaws in its operating system, e-mail software, and Office. For its part, Adobe will release a security update for Acrobat and Reader and provide a new way for its customers to receive updates.
Serious Java Flaw Surfaces
Commentary  |  4/10/2010  | 
All current versions of Windows are open to attack thanks to a flaw within the Java Web Start Framework. Two security researchers announced the flaw just yesterday. The flaw could lead, through very rudimentary Web attacks, to full compromise of attacked systems.
Stop Counting Bots
Commentary  |  4/9/2010  | 
How many bots are on the Internet, and why should we care? This is an argument I've been making since the late 1990s, and it is high time I got it in writing outside of closed circles.
The Perfect Entry Level SAN
Commentary  |  4/9/2010  | 
At each Storage Network World (SNW) there are more than a few vendors that I meet with that are trying to address the first-time SAN buyer. I expect that this year will be no different. In fact, given the economy there may be more than ever. There are a few observations that I have made about what makes a successful entry level SAN, beyond the givens of easy and affordable.
Tax Time Is Hacks Time -- Time To Be Wary!
Commentary  |  4/8/2010  | 
Over the next week or so as you, and, odds are, more than a few others in your workplace are scrambling to make the April 15th deadline, bear in mind that there are plenty of scams hoping to catch and bilk you mid-scramble.
In SSL We Trust? Not Lately
Commentary  |  4/7/2010  | 
In the past two weeks we have seen multiple problems with SSL, which is used in our Web browsers to protect the privacy and integrity of our electronic transactions.
PCI Database Security Primer
Commentary  |  4/6/2010  | 
I have written a lot about compliance in the past three months, but most of the guidance has been generic. Now I want to talk about database security specifically in relation to the Payment Card Industry (PCI) Data Security Standard, and consider compliance more from an architectural standpoint as opposed to a tools- or policy-based perspective.
What Is Zero Detect?
Commentary  |  4/6/2010  | 
There is a term you are going to start hearing more of in storage circles; Zero Detect. Some storage systems that offer thin provisioning are adding the ability to detect areas of a volume that have been zeroed out so they can reclaim that space and use it elsewhere. Zero detect becomes a critical component as we advance the capabilities of thin provisioning.
iPad Hacked, Jailbroken
Commentary  |  4/5/2010  | 
Unless you've been disconnected from the Internet, TV, and the free world - you know that Apple released the iPad. It only took about a day for a well-known iPhone OS hacking group -- the iPhone Dev team -- to Jailbreak the device using an unpatched security flaw.
Conficker Dead -- Long Live Conficker
Commentary  |  4/5/2010  | 
Whether or not the Conficker worm is essentially dead, just lying low or somewhere in-between, the lessons of the massive botnet are likely to live on for a long time. Bad news is that there are lessons learned by the botnet makers, too.
Share -- Or Keep Getting Pwned
Commentary  |  4/2/2010  | 
Forget the bad guys: Sometimes it seems like the security industry doesn't trust itself. There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.
Password Brute Forcing Tool Gets Major Update
Commentary  |  4/2/2010  | 
Brute-force password guessing attacks are very common. If you operate a publicly accessible SSH server, then you know firsthand just how common it is with constant poking for weak passwords on accounts like root, admin, and test. When the attackers do find a weak password and gain access, they will typically download their tools and start scanning for more weak passwords from the newly compromised server.
Breaking The Capacity Addiction
Commentary  |  4/1/2010  | 
One of the complaints I hear about the new Apple iPad is that it does not have enough storage capacity, with high end units only offering 64GBs of storage. As a storage guy from the 5MB hard drive days, this reaction sometimes makes me shake my head in dismay.

