Commentary
Content posted in June 2009
'Net Parrot Effect
Commentary  |  6/30/2009  | 
Iran. You remember the place? Before several celebrities died in the past week, Iran's election aftermath gripped national attention. The more I found out about the election situation, the demonstrations, and the crackdown, the more I felt as if I were reading a political thriller. That's when the ugly side of our hyper-connected society reared its ugly head.
Social Networks Make Great Phishing Holes (And The Crooks Know It!)
Commentary  |  6/30/2009  | 
The overwhelming popularity of Facebook, Twitter, and other social networks -- as well as the nature of their members' trust in them and their content -- is proving to be a bonanza for phishers. So much so that social networking scams increased a stunning 241% between early 2008 and this year.
5 Web Replacements For Traditional Tech Tools
Commentary  |  6/29/2009  | 
New Web-based technology options like Box.net and Basecamp can help you get the job done quicker, easier, and less expensively. You've got nothing to lose but your resistance to change.
Social Network Users Increasingly Under Siege
Commentary  |  6/29/2009  | 
We all knew this was coming. As Social Networks gained in popularity, they'd become more juicy targets. Now we're starting to see some data.
Don't Let Legacy Media Foil Your Forensic Investigation
Commentary  |  6/29/2009  | 
When performing incident response and forensics on a compromised system, the focus of analysis is on the most immediately available and relevant sources of evidence. Volatile data collected from a running system, the hard drive, network flow data, and logs collected on a central server all serve as useful sources for determining the particulars of the incidents. But what about incidents that go back further, requiring you to dig into backup tapes -- and potentially very old ones?
Maximizing Block I/O Dollars With Thin Provisioning
Commentary  |  6/29/2009  | 
Getting the most out of every storage dollar is critical in this economy. As we discussed in our last entry, viable options for optimizing file-based primary storage are available now, but solutions that can compress and deduplicate block I/O storage are not yet readily available. All is not lost, though: there are things you can do to lower your primary storage block I/O costs.
Botnet Alert: 90% Of Email Now Spam
Commentary  |  6/29/2009  | 
Nine out of ten e-mails are now spam, according to the latest Symantec/MessageLabs Intelligence Report. And more than 83% of that spam is generated by botnets, relatively unaffected by large shutdowns of spam servers.
Think PCI DSS Stinks? Here's Your Chance To Deodorize
Commentary  |  6/26/2009  | 
There have been plenty of complaints about the Payment Card Industry Data Security Standard (PCI DSS) since it went into effect in 2005. Next week, stakeholders will have a chance to do something about it.
EU Group: Social Networks, Third-Party App Developers Subject To EU Privacy Laws
Commentary  |  6/25/2009  | 
I just took a close look at the Article 29 Data Protection Working Party's opinion report on online social networking. While some of its recommendations are what you'd expect, others came as a surprise.
The Iranian 'Proxy War'
Commentary  |  6/25/2009  | 
Iranians are using proxies worldwide to circumvent government censorship.
Mobile Security: IT Pros Anything But Secure With Mobile Devices
Commentary  |  6/25/2009  | 
"Do as they say, not as they do" might be a good description of the practices of IT professionals when it comes to mobile devices. A new survey from Credant shows that IT professionals are not much better than anyone else when it comes to using a password to protect data stored on phones or other mobile devices.
Maximizing The Storage Budget - Capacity Optimization
Commentary  |  6/25/2009  | 
In this economy, maximizing what you have and cost-justifying what you need becomes a much sought-after skill. The IT budget, and the storage budget along with it, is not growing in many organizations. I often hear that the budget is the same but that they are not allowed to spend it right now, which is worse than the budget being cut. Regardless, spendable IT dollars are a precious commodity.
Could The Cloud Lead To An Even Bigger 9/11?
Commentary  |  6/25/2009  | 
Late last week I attended an event sponsored by IBM/Lotus and Technology Review. A very credible "End of the U.S." doomsday scenario tied to the public cloud was outlined that I believe warrants further thought.
Forewarned Is Forearmed, Right?
Commentary  |  6/23/2009  | 
Next-gen Web apps and virtualization are two topics much on the collective mind of CIOs and line-of-business leaders. Of course, they're seeing dollar signs from slick eye-candy RIAs and cramming 20 VMs on each physical server. Security? Meh.
Microsoft Puts Limits On Free Antivirus Downloads!
Commentary  |  6/23/2009  | 
Microsoft's free antivirus and security suite, Microsoft Security Essentials, releases today, sort of. Incredibly, while millions of users have anticipated the release, only 75,000 downloads will be permitted.
Maltego: Going On The Offensive *And* Defensive To Defend Against Social Networks
Commentary  |  6/22/2009  | 
You know the military's ol' mantra about "loose lips sink ships"? Well, it's being redefined by sites like Twitter, Flickr, and Facebook, according to a great article from Federal Computer Week that discusses the threats social networks pose to operational security.
Make Storage Strategic
Commentary  |  6/22/2009  | 
How does your organization look at storage in the data center? Is it something you have to live with or is it something that can increase the organization's revenue or improve customer satisfaction? How do you make storage strategic to your organization?
Free Microsoft Antivirus, Security Suite Arrives Tomorrow
Commentary  |  6/22/2009  | 
Tuesday is the day for release of the free public beta of Microsoft Security Essentials, Microsoft's security and anti-virus suite. The price is certainly right. The question is, will the program change the security landscape? The bigger question is whether or not it provides the security your business needs.
Facebook Scam: I'm Stranded In London. Send Money!
Commentary  |  6/21/2009  | 
Facebook users are facing a new threat, 419 scams in chat form, masquerading as friends.
Decommissioned Storage Justifies Encryption
Commentary  |  6/19/2009  | 
There are many reasons to justify storage encryption; tapes falling off the back of a truck on the way to a vault for disaster recovery purposes is one. But when it comes to disk encryption, not many have made the effort to encrypt disk-based data. While that disk array is in your environment it should be relatively secure, except from internal threats, but what about when you decommission a storage array?
Data Leakage Through Nontraditional Networks
Commentary  |  6/19/2009  | 
Securing our company's data is our job. We build up layers of defense to protect it when it is housed within our corporate network and corporate computer systems. Firewalls, VPNs, encryption, and data leakage prevention all help in some way to protect the data that we don't want anyone else to have. Sometimes, however, we are stuck in the situation where we don't control the network or systems that portions of our data end up on.
Twitter Worm Invites Tweet Trouble
Commentary  |  6/19/2009  | 
The latest Twitter worm arrives in the form of an invite -- but it's an invitation only to trouble.
iPhone 3.0 Software Sports Snazzy New Features, Sure: It Also Plugs A Whopping 46 Security Flaws
Commentary  |  6/18/2009  | 
The nearly four dozen security holes filled in the iPhone 3.0 software published by Apple yesterday have gone nearly ignored with all of the buzz surrounding the new features. But these flaws aren't anything you want to put on hold.
MessageLabs Launches IM Security Service
Commentary  |  6/18/2009  | 
Symantec's MessageLabs has unveiled an instant messaging security service in response to a sharp increase in the number of malicious URLs in IMs.
New Company Targets Web-Based Malware And Blacklists
Commentary  |  6/17/2009  | 
Dasient, a security startup founded by former Google engineers, among others, is targeting malware that has your Web sites targeted, as well as monitoring your sites for their presence on blacklists. That last, as any business that's been blacklisted can attest, can be deadly.
Government Takes Action On Internet Badness
Commentary  |  6/17/2009  | 
Sources of online criminal activity, such as Atrivo/Intercage and McColo, are no longer around. While I am not quite willing to share the full story behind these takedowns just yet, I can say that community action was the key.
Developers Often Left Out Of Security Training
Commentary  |  6/17/2009  | 
A good friend was telling me recently about a risk assessment he was involved with in which his organization found some vulnerabilities in the Web application. When they asked the developer about them, the response was, "What is cross site scripting?" Wow -- how is it that in this day and age someone who probably considers themselves to be a competent Web developer doesn't know XSS? Ask them about SQL injection, and the response would probably be the same.
Data-Encryption Critics Play A Dangerous Game
Commentary  |  6/16/2009  | 
Is encryption "overrated" as a data-security tool? Only if your company has a death wish.
Twitter Security Flaws: One A Day For A Month!
Commentary  |  6/16/2009  | 
Twitter may be taking the world by tweetstorm (or it may be doomed) but one security researcher says that the social network carries a mess of vulnerabilities. A month's worth, in fact, and he intends to prove it, once a day, this July.
Dark Reading Launches Database Security Tech Center
Commentary  |  6/16/2009  | 
Today Dark Reading launches a new feature: the Database Security Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis specifically focused on the topic of database security.
Apple Issues Java Security Updates For OS X 10.4, 10.5
Commentary  |  6/15/2009  | 
Apple today released security updates for Java on Mac OS X, covering Java SE 6, J2SE 5.0, and J2SE 1.4.2 on Mac OS X 10.5.7 and later. The unfortunate reality is that Sun fixed these flaws more than six months ago. Why did Apple take so long?
Incorporating The 'CIA' Triad In Software Purchases
Commentary  |  6/15/2009  | 
When talking to sysadmins and developers about the security of the new software they're looking to deploy, I often end up in a discussion in which at least one or two elements of the CIA (confidentiality, integrity, and availability) triad are left out.
Solving Storage Performance Problems
Commentary  |  6/15/2009  | 
When an application is slowing down because of poor storage I/O performance, the first step most IT professionals will take to solve the problem is to increase the physical drive count on the RAID group assigned to that application. How do you know when this will work and what are the best ways to implement this?
Working With Security Service Providers: What Every Small Business Should Know
Commentary  |  6/12/2009  | 
Our friends at DarkReading say choosing the right security provider is only the beginning. The real keys lie in setting expectations and building relationships -- you can't just hire a security provider and forget about it.
IT Snooping: Too Much Ado About Something?
Commentary  |  6/12/2009  | 
There's been a lot of buzz lately about internal threats, and like most buzz, some of it's on-target. But some of it seems designed to make us paranoid about our employees -- to what end? Do we need to distrust everyone on our IT staffs and, by implication, everyone in our companies? And where does that get us?
Thin Provisioning Reduces The Cost Of Failure
Commentary  |  6/11/2009  | 
When vendors talk about thin provisioning you will hear how it reduces CAPEX and how it increases storage admin efficiency. What you don't hear very often is how thin provisioning can reduce the cost of failure.
Isilon Debuts New Appliance to Speed Backups
Commentary  |  6/11/2009  | 
The Backup Accelerator appliance works with Isilon's NAS cluster to speed up backups of file-based data.
Cost Analysis Of Multifactor Authentication
Commentary  |  6/10/2009  | 
A recent article on integrating the YubiKey, a USB token that can provide one-time passwords (OTP), and WordPress reminded me of how few people I know actually use multi-factor authentication to secure their resources. Instead, they rely on the passwords for users to authenticate to Websites and VPNs with nothing in between them and an attacker who might steal that password. The insecurity of passwords is a topic that's b
You're Secure. Now What About Your Vendors And Providers?
Commentary  |  6/10/2009  | 
Having spent time and resources securing your own network, shouldn't you make sure that your customers, vendors, and providers have made the same effort?
Hacking Challenge Shows XSS Still King
Commentary  |  6/8/2009  | 
Last week, another company got egg on its face by running a "we're-so-secure-you-can't-hack-our-stuff contest." When are companies going to learn claims like that always backfire?
Trend Micro Tightens Defenses Against SMB Data Leaks
Commentary  |  6/8/2009  | 
The latest version of Trend Micro's data loss protection (DLP) package, LeakProof 5.0, comes in two flavors: one for monitoring users and confidential data, the other covering those elements, but also providing tools for protecting intellectual property as well as confidential information.
Cloud Storage's Next Move: Archive
Commentary  |  6/8/2009  | 
Cloud storage is for the most part being used today as a backup medium or for collaboration, but the next big step, and where cloud storage may be at its best, is as an archive repository to meet the enterprise's growing data retention and compliance demands.
Hackers Claim To Have Pwned US T-Mobile. As In: Everything.
Commentary  |  6/8/2009  | 
It's not the kind of forum post an executive would like to see created about their company. It's not a leaked rumor about an upcoming product or service, or even a ranting upset customer. Nope. It's a group claiming to have controlled portions of your IT network for a long time. And they published what looks to be proof of the breach. T-Mobile is investigating.
Former Hacker Named To Homeland Security Advisory Council
Commentary  |  6/7/2009  | 
The Obama administration has said it wanted to bring a new approach to government, and a renewed emphasis on national cybersecurity efforts. And maybe that's what the administration was shooting for when it appointed Jeff Moss (also known as "Dark Tangent"), founder of the annual DefCon and Black Hat hacker conferences, to the Homeland Security Council.
Trust And Web Ad Services
Commentary  |  6/5/2009  | 
Well-respected, highly secure Websites commonly infect the people who surf them. So if they are so secure, then why does this keep happening?
What Is Deduplication And Why Should You Care?
Commentary  |  6/5/2009  | 
A couple of days ago I was speaking at an event in Dallas and was reminded that sometimes those of us in storage get too wrapped up in, well, storage and that IT professionals have other things to worry about than just storage. I asked the audience how many of them had done anything with deduplication. Only 30% had, although 100% wanted to know more.
Disaster Recovery: Location, Location, Location
Commentary  |  6/5/2009  | 
A comment from a reader offers a reminder that effective disaster recovery planning -- and successful DR in the event of disaster -- requires more than just IT and personnel planning. You have to know where those resources are going to be able to work.
Microsoft Squashing Six Critical "June Bugs" in IE, Windows, and Office Apps
Commentary  |  6/4/2009  | 
The software maker said today that it will deliver a total of ten patches next week, which is about average for a Patch Tuesday. Six of the ten, however, are rated critical.
Disclosure Helps Bad Guys -- But Not The Way You'd Think
Commentary  |  6/4/2009  | 
When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.
For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself
Commentary  |  6/4/2009  | 
When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro. But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are ju