Commentary

Content posted in May 2010
Page 1 / 2
FBI Busts $100 Million 'Scareware' Gang
Commentary  |  5/31/2010
The three men who were indicted are alleged to have been part of an illegal scheme that spanned 60 countries and sold victims $100 million worth of bogus software that purported to fix system problems that apparently didn't exist.
Facebook Privacy Protection: Symantec's Six Steps
Commentary  |  5/31/2010
Symantec has offered six steps to protecting your privacy on Facebook -- and the fact that the tips are so obvious, basic and self-evident doesn't make them any less worthwhile. In fact, their obviousness may make them among the most valuable tips to offer employees doing anything on the Internet.
Adobe Contemplates Monthly Patch Cycle
Commentary  |  5/30/2010
While Apple has turned up the heat on Adobe by refusing to allow Flash on the iPhone and iPad, Adobe's customers have been coming under increasing fire from attackers for using its Flash and Adobe Reader applications. Now the company is considering taking a move from Microsoft's playbook and switching to a monthly patch cycle.
Botnet Black Market Means Malice For Rent
Commentary  |  5/28/2010
For less than seventy bucks you can hire a botnet for a day, and for under ten you can grab one for an hour. Welcome to the world of commodity cybercrime.
The Roll Down Hill Effect Of Primary Storage Deduplication
Commentary  |  5/28/2010
The adoption rate of deduplication in primary storage has been relatively low so far. Users have concerns about performance impact, data integrity, and how much capacity savings they will actually see. Clearly each of these concerns needs to be addressed. When it comes to capacity savings, though, there is a key component that might get overlooked: the roll down hill effect of proper primary storage deduplication.
Security's Top 4 Social Engineers Of All Time
Commentary  |  5/26/2010
My team here at Secure Network was recently discussing who we considered the best social engineers of all time. My colleagues and I each made a list and defended our candidates based on the creativity, innovation, and the public impact they had made. Here are our final top four social engineers from number four to number one, and why we chose them.
Not Too Late To Learn From Defcon CTF Qualifiers
Commentary  |  5/26/2010
This past weekend was the return of the wildly popular Defcon Capture the Flag qualifiers. "Quals," the commonly used nickname, is an entire weekend of non-stop online security challenges that test everything from simple trivia to advanced reverse engineering and exploit development.
Tape and Disk Better Together
Commentary  |  5/26/2010
I have seen a few surveys recently showing that tape penetration in data centers remains very high: less than 15% of data centers have become tapeless, which of course means that 85% of environments still have tape. In my conversations with IT managers, most are planning to keep it. Most see the role of disk in the backup process as augmenting or at best complementing tape. What's needed, then, is a way to make tape and disk better together.
Researchers: UK's Chip and PIN Payment System Flawed
Commentary  |  5/25/2010
Researchers published a paper detailing an attack of intermediate difficulty that they say makes it possible for criminals to use any "Chip and PIN" smart card that they take into their possession.
Symantec Broadens SMB Protection Services
Commentary  |  5/25/2010
Symantec's expansion of its SMB security and protection services in the latest edition of its Protection Suite aims to offer a single-vendor solution for small and midsized business security, protection, endpoint, messaging, mobile, backup and recovery.
Patient Data Dump Nets Urgent Care Center $50,000 Fine
Commentary  |  5/24/2010
Here's another egregious example of a health care provider being nothing less than reckless with patient data.
Defense-In-Depth Via Cloud Security Services
Commentary  |  5/24/2010
Repeat after me: defense in depth. It's an archaic concept that hasn't gone out of style. The fact is it's even more critical to enterprises now than ever before. The proliferation of Web-borne threats is making IT shops everywhere re-evaluate their security strategies to deal with malware infections happening on systems that were "locked down" and running updated antivirus.
Selecting A Cloud Storage Provider
Commentary  |  5/24/2010
In my last entry I discussed some of the circumstances that might lead a business to decide to use one cloud storage application over another. The other end of that equation is the actual provider. All cloud storage providers are not created equal and some research should be done before selecting the vendor that could potentially be storing your organization's digital assets for years to come.
What Oracle Gets In The Secerno Buy
Commentary  |  5/24/2010
One key takeaway from Oracle's acquisition of Secerno is that the database giant now has a database activity monitoring (DAM) solution, closing a big gap in its current security capabilities.
Other Facebook Privacy Problems You May Not Know About
Commentary  |  5/23/2010
While people are busy discussing Facebook's privacy policies about user data, it's the less-direct privacy issues that constantly nag at me. I haven't seen these discussed before, although I'm sure I'm not the only one to notice them.
IBM USB Security Conference Gift Gives Malware Too
Commentary  |  5/21/2010
A USB drive given out by IBM at an Australian computer conference included some well-known malware. And it was a security conference. Ooooooops!
Symantec Snags VeriSign for $1.28 Billion
Commentary  |  5/20/2010
Symantec yesterday announced that it has signed an agreement to buy VeriSign's identity, authentication, and SSL certificate businesses. That essentially gets VeriSign out of the security business, but what does Symantec really get out of the deal?
Twitter iPhone App Worm Targets iTweeters
Commentary  |  5/20/2010
Success breeds contempt -- or at least con attempts, as a new worm aimed at stealing financial info from iPhone Twitter app users shows.
When To Use Cloud Storage?
Commentary  |  5/20/2010
When storage managers start to sift through the hype surrounding cloud storage and try to decide if and where cloud storage would make sense in their environment, they are often left dazed and confused. There are so many companies trying to jump on the cloud storage bandwagon that almost any new feature makes them "the" cloud storage provider. The goal of this entry is to provide some ideas on when a business should use cloud storage.
Big New Features In New Metasploit Framework
Commentary  |  5/19/2010
The penetration testing world saw a couple of exciting announcements yesterday. The first one I want to mention because it's one of my favorite tools -- Burp Suite Professional. It's a great tool for Web application penetration testing, and a new update was just released. But of course the big news that has everyone talking is the Metasploit releases.
When Social Engineering Tests Fail
Commentary  |  5/18/2010
Our company, Secure Network, has performed numerous security assessments and penetration tests, many of which involved social engineering. That's when we test our clients' employees to see if they adhere to security policies. Even with all of the planning that goes on beforehand, these engagements sometimes can go wrong.
AutoRun Worms Top McAfee Malware Threat List
Commentary  |  5/18/2010
AutoRun worms introduced into networks via removable devices topped McAfee's Q1 threat report, with a USB worm at the head of the malware class.
Goldman Sachs Lawsuit Shows Need For DAM
Commentary  |  5/18/2010
When Goldman Sachs was hit with a lawsuit by Ipreo Networks, I got a call from Dark Reading contributor Ericka Chickowski to talk about the alleged misuse of the "BigDough" database. Specific details on this case remain scarce, but threats to Customer Relationship Management (CRM) systems and SaaS-based data services are well known.
Lessons From The Volcano
Commentary  |  5/17/2010
I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.
Build-A-Botnet Kits Let Anyone Steal Data
Commentary  |  5/17/2010
At the recent Cisco Networks Solution Forum held in Toronto, a Cisco product manager stated, "You don't need to be tech savvy" to steal data. It's a sad but true reality that isn't much of an eye opener for many of us who watch users get their accounts compromised day in and day out due to social engineering and malware. We've seen the results of easy-to-use exploit toolkits.
Knowing Your Recovery Will Work, Understanding Images
Commentary  |  5/17/2010
In my last entry the idea of image based backup was introduced as a way to improve recovery confidence. If you take the advice of the first entry in this series and focus on service level agreements (SLA) instead of backups you can narrow down the truly critical machines that you know must be recovered. With im
Automobiles Growing Vulnerable To Hacks
Commentary  |  5/16/2010
Carmakers are rolling automobiles off the assembly line with plenty of fancy new high-tech features. Unfortunately, security is -- once again -- treated as an afterthought.
Microsoft Security In 140 Characters Or Less
Commentary  |  5/14/2010
When Microsoft's JG Chirapurath said he would stick to Twitter's maximum capacity of 140 characters for his responses in our twitterview last week, he wasn't kidding.
If You Kill Your Company's Facebook Page, Make Sure You Kill It Dead
Commentary  |  5/14/2010
Whether or not the "Kill My Facebook" movement achieves critical mass, there are a few things you need to know before eliminating your company's Facebook presence. Most of all, how to make sure that "not only is it merely dead, it's really most sincerely dead."
IT Departments Losing Ground On Cloud Computing
Commentary  |  5/13/2010
While most IT departments and organizations know that current cloud computing environments are not suitable for all types of company data, end users are moving forward with cloud services anyway, a new survey has found.
Knowing That Your Recovery Will Work, Verification
Commentary  |  5/13/2010
In our last entry we talked about the importance of creating and managing to service level agreements (SLA) to set recovery expectations correctly and to give some sense of clarity and priority to the backup jobs that you manage. The second step is to be able to verify that those critical jobs will actually work when you need them to.
Suricata Pushing Intrusion Detection Evolution
Commentary  |  5/12/2010
Advances in intrusion detection systems (IDS) and intrusion prevention systems (IPS) have stayed fairly stagnant, with the exception of the signatures that must change daily to meet current threats. The Suricata project from the Open Information Security Foundation (OISF) looks to change that and bring forth the evolution of the IDS.
A New Way To Choose Database Encryption
Commentary  |  5/12/2010
I can't count how many times I've been in a meeting when someone tosses out the phrase, "Oh, we'll just encrypt the database." Yeah. Right. Good luck with that.
Symantec Tackles SMB Endpoint Security From The Cloud
Commentary  |  5/12/2010
Call it one shop stopping: a new SaaS security service from Symantec offers cloud-based protection for all of an SMB's Windows-based endpoints, desktop, laptop or server.
Secure360: Why Are We Losing The Struggle To Secure IT Systems?
Commentary  |  5/11/2010
Today, at the Secure360 Conference in St. Paul, MN, Alan Paller, director of research at the SANS Institute, explained what may be the nation's missing ingredient when it comes to keeping both government and private sector run IT systems secure.
Verizon Enters Cloud Security Market
Commentary  |  5/11/2010
Small and medium businesses have been moving their IT infrastructure into the cloud, but one challenge has been determining how to secure such applications. To address such concerns, Verizon Business has developed a new suite of cloud-based security services.
The Myth Of Cyberattack Deterrence
Commentary  |  5/10/2010
Deterrence online is one of the biggest idiocies of the past couple of years. There are some interesting research possibilities in the subject matter, but not as it is portrayed today -- a cure-all strategy.
Knowing That Your Data Recovery Will Work
Commentary  |  5/10/2010
Probably no single process has had more software, hardware and infrastructure thrown at it than the backup process. Despite this continual investment, many of the IT managers that I speak with express doubt in their ability to recover the right data in the right amount of time. What do you do to know that your data recovery will work when you need it to?
Microsoft To Patch Critical Vulnerabilities
Commentary  |  5/9/2010
This Tuesday Microsoft will issue two bulletins addressing critical vulnerabilities in Windows, Office, and Visual Basic for Applications.
Multifunction Print Devices Under Fire
Commentary  |  5/7/2010
There's nothing like a news story on a major television network (or talk radio) to get your boss asking you odd questions. Ever had that happen? The recent CBS story on digital photocopiers sure generated a buzz and some extra work for IT professionals across all industries.
Dark Reading Celebrates Its Fourth Anniversary
Commentary  |  5/7/2010
Four years ago this week, we flipped the switch on a new website -- Dark Reading -- that was designed to meet a simple goal: to tell you everything you need to know about IT security, right up-to-the-minute that it happens. OK, I said the goal was simple, not easy to achieve.
The Idiot Threat
Commentary  |  5/6/2010
It's been interesting to see how the failed bombing in New York's Times Square has been sifted for "lessons."
Cloud's Role In Backup, Part III
Commentary  |  5/6/2010
In this final entry on cloud based backup we will examine how enterprise backup systems can leverage the cloud. This requires the developer of the backup application to add cloud support directly to the application and to provide an option to replicate or move backup jobs to an Internet-based storage repository. Essentially cloud storage becomes another target option to the application, similar to the
VaporStream Takes E-mail "Off The Record"
Commentary  |  5/6/2010
Not every e-mail needs to be part of the permanent record -- which is the point VaporStream is making with its 256-bit encrypted "vanishing" e-mail service. Could be just what the doctor ordered for dealing with e-mail overload -- although more than a few divorce lawyers and tabloid headline writers might disagree.
Alert: Disposable Facebook Apps Installing Adware
Commentary  |  5/6/2010
Just like throwaway domains on the wider Internet, it seems like criminals now use throwaway applications on Facebook. They bring one app online to lure users and potentially infect them, and by the time one is taken down by Facebook, they create yet another.
'Twitterview' With Microsoft
Commentary  |  5/5/2010
I sometimes get a little long-winded when I pose a question to a source during an interview. But I undoubtedly will be pithy tomorrow when I conduct Dark Reading's first-ever "twitterview," or interview via Twitter, where I'll be strictly limited to 140 characters or less for a question.
DLP Gets An Open-Source Boost
Commentary  |  5/5/2010
Data loss, or leakage, prevention (a.k.a. DLP) is a product class that includes data discovery, classification, and monitoring to prevent your sensitive data from falling into the wrong hands. Some implementations are configured to alert instead of block, but the basics are the same. You have sensitive data, you don't always know where it is, so you use DLP tools to find it and keep it safe.
Cloud's Role In Backup, Part II
Commentary  |  5/5/2010
In our last entry we discussed how the backup process is a natural fit for the use of cloud storage and how the first model of cloud backup is being used. In this entry we will discuss the second cloud backup implementation method, hybrid cloud storage, and tomorrow we will cover the third, cloud-enabled enterprise backup.
A Decade Ago, ILoveYou Worm Changed Security
Commentary  |  5/5/2010
It's been a decade to the week since the infamous "Love Bug" or ILoveYou virus hammered in-boxes around the world. While mass-mailer viruses of this type don't make headlines anymore, the ILoveYou virus forever changed the face of IT security.
75% Of SMBs Never Store Data Offsite: KineticD
Commentary  |  5/4/2010
The migration of storage to the cloud may be the first time many small and midsized businesses have adequately backed up data offsite, according to a new survey from cloud storage company KineticD.