Commentary

Content posted in May 2009
Obama Cybersecurity Plan: What's In It For SMBs?
Commentary  |  5/29/2009  | 
New cyber czar (though no names yet), management from the top, calls for more coordinated cybersecurity efforts, privacy protection -- same old, same old, or does the unveiling of the Obama administration's cybersecurity plan promise real changes in the government's approach to securing cyberspace? More importantly, what's in the plan for small and midsized businesses?
Obama Administration's IT Security Review
Commentary  |  5/29/2009  | 
Today the White House released its 60-day review on cybersecurity policy, and the report -- as well as the administration's plan -- consists of five primary prongs: top-down leadership, education, distributed responsibility, information sharing, and encouraging innovation.
Storage CAPEX VS. OPEX
Commentary  |  5/29/2009  | 
Wrapping up our series on choosing storage projects, part of the conversation has to be which is more important, CAPEX or OPEX? Almost every storage project you decide to embark on will have to be brought to management as something that is going to either reduce your capital expenditures or lower your operational expenditures. Which part of these projects is more important?
Cybercriminals: More Obvious Than They Think?
Commentary  |  5/29/2009  | 
Attackers often use and abuse security by obscurity, which can lessen the likelihood that they will be caught. From them we can learn a lot about profiling attackers on our networks, and how they work to achieve better operational security. Take their use of encryption.
Selecting Your Next Storage Project - Big Projects
Commentary  |  5/27/2009  | 
In a prior entry we discussed how to select your next storage project and suggested that most IT professionals are going to focus on smaller projects: basically filling in potholes as opposed to paving a new road. There are times, however, even when staffing is scarce and money is tight, that you need to undertake a big storage project to fix the problem, essentially putting in a new road.
U.S. Cyber Czar On The Horizon; New Legislation, Too?
Commentary  |  5/27/2009  | 
The buzz surrounding President Obama's efforts at securing our cyber-infrastructure is audible. The release of a 60-day review of the government's cybersecurity efforts, which started back in February, is expected soon, along with the naming of a new White House official -- a "cyber czar," as some are calling the position -- who will reportedly have purview over developing a strategy for securing both government and private networks.
Spam Surge: 9 Out Of 10 E-mails Can't Be Good!
Commentary  |  5/27/2009  | 
90% of all email was spam last month, according to Symantec's MessageLabs Intelligence Report, just released. The figure is up more than 5% in the last month. Good news, I guess, is that things can't get much more than 10% worse from here.
Security Benchmarks For Apple iPhone Released
Commentary  |  5/27/2009  | 
Today the Center for Internet Security released a set of benchmarks designed to help consumers and businesses alike communicate using their favorite toy. Whoops, I meant smartphone. The guidance is worth a look.
Cybersecurity Czar Announcement Imminent
Commentary  |  5/26/2009  | 
President Obama is set to announce, sometime this week, that the post of a cyber czar will be created. So far, the news creates more questions than answers.
Summer Security: Don't Put Backups In The Trunk
Commentary  |  5/26/2009  | 
Temperatures are starting to rise outside -- and when they do, you can bet they're rising even faster in trunks and locked cars. Which are two of the places you should never put media you're transporting. And according to a data recovery specialist, they're also two of the most common locations for media in transit -- and two of the most common sources of data damage.
When Your Security Career Gets Hacked
Commentary  |  5/26/2009  | 
Security professionals like to think they're immune from the economic woes plaguing the rest of the business world, but, unfortunately, many are finding out the hard way that their jobs aren't any more secure than their apps. So career coaches Lee Kushner and Michael Murray today launched an "incident response" podcast series to help security professionals whose careers have been hacked and their jobs lost get back into the job market.
Google I/O Developer Conference: Where's The Security Love?
Commentary  |  5/24/2009  | 
At the Google I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O Schedule this morning, I was disappointed by what could not be easily found.
20 SMB Security Products Worth A Look
Commentary  |  5/22/2009  | 
Take a few minutes this holiday weekend -- always assuming there's such a thing as holiday weekends for small and midsized businesses -- and check out twenty of the hottest and most budget-savvy (rarely the same thing) new security products.
Adobe Owns Up To Security Issues
Commentary  |  5/22/2009  | 
The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.
Lessons From Fighting Cybercrime, Part 2
Commentary  |  5/21/2009  | 
In this article we'll examine three basic guidelines on how to implement solutions into social systems, learned from the fight against spam.
Web 2.0 For Business Requires Web 2.0-Level Security: Websense
Commentary  |  5/21/2009  | 
The various elements and components and approaches that comprise Web 2.0 offer large business promise. But they also create large business risk and exposure. Better make sure your security and especially your security policies are up to the challenges.
NetApp Buys Data Domain - User Impact
Commentary  |  5/21/2009  | 
With yesterday's announcement of NetApp's intention to buy Data Domain, a question that needs to be answered by IT professionals is how this affects them. In our blog on InformationWeek's sister publication Byte and Switch we looked at the industry impact, but what about the users? There are current customers, c
Adobe (Finally) Getting Security Religion
Commentary  |  5/20/2009  | 
In the past few years Adobe Systems hasn't seemed to have its act together when it comes to mitigating security risks in its PDF software. Hopefully, that's about to change.
Ruminating on CSI SX
Commentary  |  5/20/2009  | 
Citizens of the Information Security Nation, to you I say Classify and inventory your data and assets! Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.
Educating Our Clients Is Part Of Our Responsibility
Commentary  |  5/20/2009  | 
Have you ever had a client (or your own employer) say, "There's no way a user could hack our internal Web apps; they can't run anything but authorized applications like a Web browser and e-mail client." Happens all the time, right? Guess what -- you're not alone.
Selecting Your Next Storage Project - Edge Projects
Commentary  |  5/19/2009  | 
Unfortunately, the reality is often that the storage project you work on next is the one users are screaming the loudest for that you can also afford, and it usually amounts to "add capacity." Is there a better way to go about selecting your next storage project?
Trend Micro Adds USB To "Worry Free" SMB Security List
Commentary  |  5/19/2009  | 
Announced today, the latest version of Trend Micro's small and midsized business "Worry Free" Business Security Suite includes enhanced URL filtering as well as USB device monitoring.
On Prison And Corporate Data Escapes
Commentary  |  5/18/2009  | 
In its broadest sense, social engineering is deception to manipulate or exploit people. That's exactly how more than 50 Mexican inmates were freed this weekend. How much proprietary corporate data is "liberated" in much the same way?
Watch Your Website Even As You Watch Out For Others
Commentary  |  5/18/2009  | 
Businesses rightly spend much time and effort seeking to protect their employees from malicious Web sites and the havoc those sites can wreak. A new report reminds us not to neglect vulnerabilities on our own sites, 60% of which contain the sorts of vulnerabilities the malware makers love to exploit.
Zero-Day IIS Vuln Bypasses Authentication
Commentary  |  5/18/2009  | 
Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon -- or first thing this morning -- in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS Unicode path traversal issue from 2001, but instead of path traversal, this one allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nikolaos Rangos (aka Kingcope) released information about the vulnerabili
Lessons From Fighting Cybercrime
Commentary  |  5/17/2009  | 
The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.
Security Is Part Of The Cost Of Doing Business
Commentary  |  5/15/2009  | 
Looking for ROI on a security investment is misguided -- how do you measure the cost of something that doesn't happen? But nothing happening is exactly the return you hope for when you invest in securing your business IT.
'Kramer' Is In The Building
Commentary  |  5/15/2009  | 
My firm, Secure Network Technologies, was recently hired by a large healthcare provider to perform a security assessment. As part of the job, my partner, Bob Clary, posed as an employee, similar to the "Seinfeld" episode in which Kramer shows up and works at a company where he was never actually hired.
SMBs Can Trim Costs With Remote Workers, But Do It Securely
Commentary  |  5/14/2009  | 
If you're looking at ways to trim operating costs without trimming staff, sending employees home to work may be near the top of your list. Just be sure, before you do, that the employees' home workspace is as secure as (or more secure than!) your business facility.
So, You Want To Build an Effective Application Security Program? How Good Are You At Politics?
Commentary  |  5/14/2009  | 
Given that the tagline of the Secure360 Conference was "Evolving Threats, Practical Solutions," I figured a session on How To Build an Effective Application Security Program would be appropriate. Few areas of information security have more evolving threats, or are in more need of practical, applied solutions.
Tippett To Discuss Verizon Breach Report
Commentary  |  5/14/2009  | 
Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.
Return On Efficiency
Commentary  |  5/14/2009  | 
What if "do more with less" were more than a marketing phrase? What if you really could do more with less? There are storage solutions available now that really let you improve efficiency, but one of the key components of deciding whether a do-more-with-less project is successful is to measure the return on efficiency: for the dollars invested, are you X times more effective at your job?
Detecting Malware Through Configuration Management
Commentary  |  5/13/2009  | 
Malware analysis has two basic approaches, which fall into either the static or the dynamic analysis category. The static approach analyzes the malicious executable itself by disassembling it to determine its true nature. Dynamic analysis involves executing the malware and analyzing its behavior.
3 Disaster Recovery Tips (Or Risks!) You May Have Overlooked
Commentary  |  5/13/2009  | 
You've got your Disaster Recovery plan in place (don't you?) and, if disaster should strike, you're ready to bounce back quickly. Or are you? Take a look at these three good -- and in case of disaster, critical -- tips to make sure your plan works.
SIEM Case Study: Israeli E-Government ISP
Commentary  |  5/12/2009  | 
Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.)
SIEM Case Study: Israeli e-government ISP
Commentary  |  5/12/2009  | 
Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.) Assaf Keren, information security manager at the Israeli e-government recently briefed me on the challenges and lessons he is learning whilst implementing a SIEM center in the Israeli e-government ISP Project (called "Tehila")--a topic he first told us about during the SIEM Summit at the CSI Annual 2008 conf
Secure360: The Triumph Of Politics (Over Security)
Commentary  |  5/12/2009  | 
While listening to Howard Schmidt, former special adviser for cyberspace security for the White House, talk candidly about information security at the Secure360 conference here in Saint Paul, MN, this morning, I began wondering: why didn't we implement the original National Strategy To Secure Cyberspace?
DAS VS. SAN - High Capacity
Commentary  |  5/12/2009  | 
Continuing our examination of the resurgence of direct attached storage (DAS), in this entry we look at the ever-increasing internal capacity of DAS in servers. One of the key reasons users begin looking at a SAN or NAS is when the capacity demands of a single server outpace its internal storage capabilities. This may no longer be justification enough to make the move to networked storage or to continue to expand the network storage you have.
Porn Leads To Conviction Under 'Hacker Law'
Commentary  |  5/11/2009  | 
Did you know that by looking online for an "adult friend" and uploading nude pictures of yourself while at work, you could be convicted using the same law that was designed for prosecuting malicious hackers?
Hidden Botnet Costs Hit SMBs Hard
Commentary  |  5/11/2009  | 
While the obvious risks of bots to your business and its data -- harvesting of names, keylog sniffers seeking sensitive data -- rightly receive the most attention, compromised systems carry other risks that can exact a heavy business price. Server capacity, bandwidth and even power consumption are hidden parts of the bot equation.
Maybe Government Should Give Up On Computers, Revert To Paper
Commentary  |  5/8/2009  | 
Governments and their agencies are clearly in over their heads when it comes to IT security and governance. In fact, a number of recent reports highlight just how poor a job governments do when it comes to securing our data.
Recession Opens Up Opportunities To Innovate
Commentary  |  5/8/2009  | 
Information technology, and especially the area of security, is an ever-changing, dynamic field for work and research. That's one of the reasons I enjoy it so much; if I get bored with one thing, there are a dozen others I can focus on, and I can come back to the previous thing later. But we are in interesting times. Enterprises are cutting back IT budgets. Layoffs are happening all around us. Companies are consolidating. What does this mean for the infosec community?
Windows 7 Will Mostly Be More Secure Than Leopard
Commentary  |  5/8/2009  | 
Apple's Snow Leopard will be attacked more than any other version of the vendor's platform, and Apple's "security by obscurity" policy, under which it does its very best not to talk in any depth about the subject, will likely bite it in the butt this time.
SMBs In Cyber Criminals' Crosshairs
Commentary  |  5/7/2009  | 
When it comes to IT security, small and midsize businesses are in the unenviable position of being not only more attractive to criminals, but also having fewer resources to defend themselves.
DAS VS. SAN - Capacity And Performance Management
Commentary  |  5/7/2009  | 
Capacity presents two challenges in the Storage Area Network (SAN) vs. Direct Attached Storage (DAS) debate. A traditional knock against DAS, and a reason many data centers get a SAN, is these two capacity challenges: first, can you get enough capacity, and second, can you use that capacity efficiently in a performance-sensitive environment? DAS, however, now has the ability to address both of these issues.
CouchSurfing: A Working Trust Model
Commentary  |  5/7/2009  | 
Trust. At the beginning we take it on faith. On the Internet, a fortiori, all the more so. While security professionals struggle to establish online trust, CouchSurfing, a social site for tourists who want to borrow your couch and, perhaps -- wink, wink -- make friends, has a working trust model that is cool to boot.
Backdoors In The Network: Modems, WiFi, & Cellular
Commentary  |  5/6/2009  | 
War-dialing received a revival in March with HD Moore's release of WarVOX, a tool that leverages VoIP to speed up the calling of phone numbers to find modems, faxes, and voice systems. Finding modems can help enterprises find backdoors into their network set up by a rogue employee. Likewise, it can help penetration testers find forgotten or lesser-known ways into a target's network through poorly secured modems.
Inflight Insecurity Update: Gogo Responds
Commentary  |  5/6/2009  | 
Inflight Internet Access provider Gogo took some issue with today's earlier post, and it's worth taking a look at the issues the company raises.
Inflight Insecurity? Netragard Says Airborne Web Service Easily Hacked
Commentary  |  5/6/2009  | 
According to anti-hacking company Netragard, Gogo, the unencrypted inflight Internet access service, puts user data at risk.
When It Comes To Getting Hacked, Organizations Fatalistic
Commentary  |  5/5/2009  | 
According to a British Telecom survey, to be released later this week, 94 percent of the 200 IT professionals surveyed from around the globe expect to suffer a breach.