Commentary

Content posted in June 2010
Have A Secure Summer Vacation
Commentary  |  6/30/2010  | 
With summer now here officially, many of you are most likely planning vacations, and you probably want to be able to connect to the Internet during your vacation. But how do you do this securely?
Which Platform Is Safer: Android, Blackberry, or iPhone?
Commentary  |  6/30/2010  | 
With the hand-held platform battle over market share heating up, more people are wondering just which platforms may be safer from attackers and snoops.
Protecting SSH From The Masses
Commentary  |  6/30/2010  | 
SSH brute-force attacks are not uncommon against computer systems sitting on public IP addresses. Script kiddies and botnet-infected systems are scanning the Internet looking for low-hanging fruit (think: weak passwords) to leverage for additional attacks, website defacements, or attack-tool storage.
Dark Reading Launches New Tech Center On Security For Small And Midsize Enterprises
Commentary  |  6/30/2010  | 
Today Dark Reading launches a new feature: the SMB Security Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of data security in small and midsize businesses.
Keeping Data Forever vs. Data Retention
Commentary  |  6/30/2010  | 
Keeping data forever vs. data retention is going to become an increasingly fierce battle. In the past, data retention strategies always won, but, as we discussed in our first entry in the series, the technology is now available to store data forever, and, as we discussed in the second entry, the technology is there to find it when you need it.
The Failure Of Cryptography To Secure Modern Networks
Commentary  |  6/30/2010  | 
For a while now, I've pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on.
No PDF Updates Anymore--Anyone Interested?
Commentary  |  6/29/2010  | 
Adobe has published its security updates for Adobe Reader and Adobe Acrobat.
Hackers Busted In Online Poker Cheats
Commentary  |  6/28/2010  | 
Korean police nabbed 33 hackers who were using bots to cheat online poker players from November 2009 through May of this year.
Android, iPhone, "Kill Switch" Capabilities
Commentary  |  6/27/2010  | 
The recent security-related events surrounding Google Android highlight why users must exercise constant vigilance in the applications they choose to install on their handsets, and raise questions about the ability of vendors to reach into your handset to remove potentially nasty software.
FTC Security Smackdown And Twitter's Hollow Excuses
Commentary  |  6/25/2010  | 
The social networking site Twitter has settled with the U.S. Federal Trade Commission regarding charges that it failed to properly safeguard the data of its users.
There's No (New) Internet Kill Switch
Commentary  |  6/25/2010  | 
The Lieberman-Collins cybersecurity bill passed out of the Senate Homeland Security and Governmental Affairs Committee on Thursday to await consideration by the full Senate. But not everyone is satisfied with what it says.
The Types Of SSD Cache
Commentary  |  6/25/2010  | 
In our last entry we discussed the value of using solid state disk (SSD) as a cache, which provides a simpler on-ramp to the accelerated world of SSD. With SSD cache there are no or limited changes needed to applications, and using SSD as a cache does not require a large capacity investment in the more premium-priced technology.
iPhone iOS 4 Security
Commentary  |  6/24/2010  | 
The Apple iPhone hit the streets today. I happened to be one of the lucky few who had his delivered by FedEx on Wednesday. So I had some time to kick around with it a bit, and took a look at its (lack of) new security features.
Kyrgyzstan On Verge Of Cyberwar? Not So Much
Commentary  |  6/24/2010  | 
Cyberwarfare has become one of these buzzwords people just like to use. But in most cases -- it isn't used accurately.
The Cache Value of SSD
Commentary  |  6/22/2010  | 
When I speak with IT managers about solid state disk (SSD), one of the most common questions is how and where should it be implemented? There are many options, but an extremely simple, risk-free way to get started is using SSD as a large cache in front of a disk array.
Secure Web Surfing With HTTPS Everywhere
Commentary  |  6/22/2010  | 
HTTPS Everywhere is a new Firefox extension that tries to make surfing the Web a little bit safer by ensuring that a secure connection is the default on many popular websites.
Open-Source Database Security
Commentary  |  6/21/2010  | 
A recent article on Dark Reading underscores a growing concern in IT: how to secure open-source databases.
Stock Manipulation Botnet Surfaces
Commentary  |  6/21/2010  | 
A Belgian federal investigation into an electronic bank account heist reveals a sophisticated attack designed to manipulate stock prices, a Belgian newspaper reported over the weekend.
That Was Easy: New Tool For Web Form Password Brute Force Attacks
Commentary  |  6/21/2010  | 
Passwords suck. We all know it, but unless you can afford to provide multifactor authentication to all of your users and business partners, you're stuck with them.
BP And The Importance Of Calling Out Corruption
Commentary  |  6/18/2010  | 
A recent article in Rolling Stone shows how the combination of a corrupt process for ensuring the safety of oil rigs, corruption of the information on the risk, the actual BP disaster -- and politics -- has resulted in the biggest environmental disaster in the country's history. It also mirrors a massive problem in IT security where political expediency, short-term financial gains, and personal benefits often trump good business practice.
Why Aren't Health Organizations Embracing Cloud Storage?
Commentary  |  6/18/2010  | 
As hospitals around the world move from paper-based records to electronic systems, they cite disaster recovery as one of their top priorities. While prepping for disaster is good business, shouldn't something else be a priority on the agenda of those embracing more health IT?
Real-Life Social Engineering
Commentary  |  6/18/2010  | 
Social engineering attacks are becoming so commonplace that it has become a little easier to educate users about identifying phishing e-mails and websites because they are seeing the attacks firsthand on a more regular basis. What they often don't realize is the damage that can be done, or how similar attacks might come at them, through their personal lives.
Search Google, Surf Facebook Using HTTPS
Commentary  |  6/18/2010  | 
While more and more sites support encryption (Twitter, LinkedIn), sometimes even by default (Gmail), others still send your data in the clear. The new Firefox extension is just what the doctor ordered.
Porn Tops Web Watching, Gaming Growing Fast
Commentary  |  6/17/2010  | 
Pornographic Web content accounted for a whopping one-third of all page views, according to security firm Optenet. Online gaming sites are also dramatically growing in popularity. If their popularity is growing with your employees, it's time to review your usage policies.
Keep Everything Forever, Part II - Indexing
Commentary  |  6/17/2010  | 
In our last entry we reintroduced the idea of a keep-everything-forever storage retention strategy. We also touched on some of the basic capabilities, like cost-effective storage options and data movement options, that can make a forever retention strategy realistic. In this entry we will look at one of the most important requirements: the ability to find what you have in the archive.
There's A Recipe For That
Commentary  |  6/15/2010  | 
Back in the dark ages when I was a programmer, I became horribly fascinated with a tool called make. It was a tool for dealing with the complexities of, well, making finished executable code.
Revisiting The Keep It All Forever Retention Strategy
Commentary  |  6/15/2010  | 
Each day, it seems, a new regulation is placed on businesses, and almost every one of these regulations adds to the data management burden in the data center. In the past I have advised against the keep-it-all-forever mentality of data retention, but now it may just be the only way left to protect the business.
Vulnerability Scanners Must Be Used Carefully
Commentary  |  6/14/2010  | 
Automated network and Web app vulnerability scanners can make strengthening your business's defenses a lot simpler -- or a lot more complicated, depending on how much you and your team know about their uses. A new report looks at some of the challenges accompanying vulnerability scanning.
Snort'ing Out Anomalies
Commentary  |  6/14/2010  | 
Detecting determined attackers focused on getting your data -- and getting away with it -- is not an easy task. To that end, many security products have been created that attempt everything from separation of privileges and tight access control to full network packet inspection and data loss prevention.
Shed Vulnerabilities With One Simple Rule
Commentary  |  6/14/2010  | 
A couple of months ago, Secunia's Stefan Frei published a great paper about the patching burden that the average PC user faces every week.
On AT&T's iPad E-mail Security Snafu
Commentary  |  6/11/2010  | 
While the flaw that made it possible for onlookers to access the e-mail addresses of Apple iPad users wasn't directly Apple's fault, the incident is certainly disrupting Jobs' Reality Distortion Field and dulling some of the shine of the successful iPad launch.
Cloud Is Real Culprit In iPad/AT&T Security Hole
Commentary  |  6/11/2010  | 
The recent revelation that over 100,000 iPad users had their email and account information exposed to hackers due to a mistake by AT&T made a lot of news this week and caused no small amount of embarrassment for AT&T and Apple. But the big news isn't the security failure itself; it's the reminder that in the modern world of cloud computing, security goes well beyond personal devices.
iPad Email Hack Shows AT&T Security Sloppiness
Commentary  |  6/10/2010  | 
Info on more than 100,000 iPad email addresses grabbed from AT&T by a self-proclaimed security group will cause far more problems for AT&T than for Apple. But Apple's single-mindedness about AT&T deserves more than a bit of the blame, too.
Implementing Storage Capacity Planning In The Modern Era
Commentary  |  6/10/2010  | 
As discussed in our last entry, all the storage optimization strategies will impact how much capacity you will need to purchase in your next upgrade. The problem is that much of the savings are going to be dependent on your data. You will hear vendors state something like "your actual mileage will vary" and that is very true. With that as the backdrop how do you make sure you don't overshoot or worse, un
Ways To Slow An Attacker
Commentary  |  6/9/2010  | 
The inevitability of failure in security has been up for discussion a lot during the past couple of years. It's a mentality that a lot of security professionals have subscribed to because of various reasons: proliferation of malware, user behavior, advanced persistent threat (APT), or simply Murphy's Law.
Massachusetts Data Privacy Standard: Comply Or Not?
Commentary  |  6/8/2010  | 
In my previous position at a database security vendor, I was often asked by marketing to explain the applicability of technology to problems: how you could use assessment for PCI compliance, or why database activity monitoring was applicable to privacy laws, for example.
Does Deduplication Make Storage Capacity Planning Difficult?
Commentary  |  6/8/2010  | 
With all the technologies out now to optimize the use of primary storage capacity, and it's not just deduplication, the guidelines for estimating how much capacity you need in a given year need to change. In some ways storage capacity planning is more difficult than it has been in the past. It has to change to keep up with the new capabilities of storage systems like thin provisioning, compression, and deduplication.
Confidela Upgrades Secure Document Solution
Commentary  |  6/7/2010  | 
Watchdox, a cloud-based platform for businesses that need to share sensitive or secure documents, now has enhanced compliance features and the ability to support larger files.
Deepwater Horizon Lessons Parallel IT Risk Management
Commentary  |  6/7/2010  | 
Set aside the magnitude of the loss of life, and the extraordinary costs of the BP Deepwater Horizon catastrophe to the Gulf Coast region, to the wildlife, and to the livelihood of millions. Individual IT disasters rarely have such horrendous reach and impact. However, there are a number of eerie similarities between the BP Deepwater Horizon catastrophe and the failures within IT risk management we see all too often.
Think Your Enterprise Is Under Attack?
Commentary  |  6/5/2010  | 
Well, I'm sure it's probed, prodded, and attacked every day. Sometimes by live criminal attackers, other times by curiosity-seeking hackers, and quite often by automated and malicious software. But it's probably not hit as often as the Department of Defense networks. It's tough getting one's mind around these numbers.
Turkish Hackers Defacing Israeli Facebook Accounts
Commentary  |  6/5/2010  | 
Following the Gaza flotilla incident, Turkish hackers have been defacing Facebook accounts of Israelis and uploading anti-Israeli material to them.
'Dark Side' Uses For Defensive Tools
Commentary  |  6/4/2010  | 
Tools used by system administrators for defensive security can often be turned around and used offensively by attackers. Microsoft Sysinternals' psexec is a great example.
An Industrial Espionage Comeback
Commentary  |  6/3/2010  | 
Apple seems to believe, and likely with good reason, that competitors are aggressively trying to steal its ideas.
SANS And RSA Say SMBs Use SIEM For Security, Not Just Compliance
Commentary  |  6/3/2010  | 
According to new reports from SANS and RSA, after years of SMB investment in security information and event management (SIEM) tools as a means of confirming regulatory compliance, businesses are now buying forensic and event management tools in order to use them.
Guided Storage Analysis
Commentary  |  6/2/2010  | 
Software tools that provide storage and data protection analysis are very useful. They can help inventory, monitor, and bring to your attention problems in the environment. There are typically two challenges, however, that I see with these tools. First, they don't provide recommendations on what to do about a problem, and they don't help you prioritize and organize how you address the problem.
Kerio Control 7 Expands Network Security Offering
Commentary  |  6/2/2010  | 
Enhanced intrusion detection and prevention, a new admin console, and embedded Sophos anti-virus are among the new features in Kerio Technologies' latest iteration of its Kerio Control network security management product.
Facebook: Screw You, Privacy Hugger
Commentary  |  6/1/2010  | 
As you know, Facebook recently overhauled its privacy controls -- or, well, overhauled the user interface to them. Upshot: Get over the privacy thing. But is that really what we want?
Tabnapping Threat Should Have You On Guard
Commentary  |  6/1/2010  | 
How many tabs do you have open in your browser right now? Potentially, some of them can be tabnapped -- taken over by crooks looking to trick you into re-entering your password and user name.