Commentary

Content posted in July 2008
Credit Card Compliance And Security: New PCI Information Resource Worth A Visit
Commentary  |  7/31/2008  | 
How much do you know about your business's compliance and security responsibilities for credit card data and other information involved in the transactions that your bank executes for you? Think compliance is completely the responsibility of the financial institution? Think again.
Cisco Won't Buy EMC, Will It?
Commentary  |  7/30/2008  | 
Analyst Kaushik Roy with Choi and Pacific Growth Equities really stoked the fire of a longstanding rumor (repeat rumor) that Cisco would just love to buy storage king EMC. And while this won't happen, there are kernels of truth in there.
Radware Reveals Critical Vulnerability In Firefox 3
Commentary  |  7/30/2008  | 
Well, not exactly "critical." But there is a flaw. And there is no patch. And so Radware demonstrates how many security vendors push their gear by spreading fear, uncertainty, and doubt on the user community.
The Reality Of Private Clouds
Commentary  |  7/30/2008  | 
In his blog "Clouds Are Only in the Sky" yesterday, Richard Martin suggested that a cloud must be on the public Internet for it to truly be a cloud and that if something resembling a cloud is used internally then it must be utility computing. He makes a very good point; however, I respectfully disagree.
Websense Warns: Legit Sites Top Hack Targets
Commentary  |  7/30/2008  | 
Another midyear security overview is out now, this one from Websense, and if the year-to-date is looking bad, the six months to come are looking worse.
Oracle WebLogic Servers Vulnerable To Attacks
Commentary  |  7/29/2008  | 
When it comes to security vulnerabilities, this flaw is as ugly as it gets -- but, in this case, it's not all because of anything Oracle did wrong.
IBM Midyear Security Report: A Bad Year That's Getting Worse
Commentary  |  7/29/2008  | 
Time flies when you're having fun, and flies even faster when the bad guys are having their "fun." Already more than halfway through 2008, a new security report lets us know in detail just how insecure a year it is.
Apple And Security: Long Road Still Ahead
Commentary  |  7/29/2008  | 
Apple's trying to pick up its game with iPhone security, recently listing an iPhone Security Engineer position. Assuming the job is really about helping users -- and not just thwarting pesky unlockers -- it's a good move, but some corporate inertia might need to be overcome before security is a true priority. Just take a look at the official iPhone Enterprise Deployment tools.
Modeling IT Attacks
Commentary  |  7/28/2008  | 
Every day IT managers have to contend with an ever-changing risk environment. That's where good risk modeling can help.
Password Security: With Prosecutors Like This, Who Needs Rogue Administrators?
Commentary  |  7/28/2008  | 
So the San Francisco District Attorney, building a case against the rogue administrator who shut down city network access, decided to include actual passwords as evidence. Bonehead decisions may not get much more boneheaded than this.
Beating Up Storage Vendors
Commentary  |  7/28/2008  | 
An analyst firm recently published a report suggesting that the No. 1 priority in reducing IT costs was to beat up your storage vendor for lower costs. I would like to give a dissenting opinion.
Vibrations Part II
Commentary  |  7/25/2008  | 
In my last entry we opened up a can of worms around drive vibration, discussing what it is and how it occurs. Vibration exists, but why should you, the IT professional, care? This stuff is all on RAID 5, right? Why do you care if a drive fails?
DNS Woes: How Worried Should You Be? Pretty Dang Worried!
Commentary  |  7/25/2008  | 
Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.
Disclosure Isn't Working
Commentary  |  7/24/2008  | 
After a decade of writing about IT security, I don't know how anyone would think this current system of disclose and patch is working. It's not.
Are Lock-Picking Demos On YouTube A Bad Idea?
Commentary  |  7/24/2008  | 
Amateur lock hackers who share their techniques may be improving security -- or endangering your life and property.
DNS Flaw Attacks Coming: Patch Now!!!
Commentary  |  7/24/2008  | 
The first attackware strategies based on the widespread DNS flaw announced earlier this month have been spotted. If you haven't patched yet, do it now, before it's too late. (Some say it's already too late.)
DNS Poisoning Vulnerability: If You Haven't Yet Patched, It May Be Too Late
Commentary  |  7/23/2008  | 
If you've ignored the urge to patch Dan Kaminsky's DNS cache poisoning flaw, you could be on the verge of big trouble: Exploit code has just been published in a popular penetration testing tool.
McAfee Says Small, Midsize Business Sweats Security Too Little. You Agree?
Commentary  |  7/23/2008  | 
A new survey from security firm McAfee warns that small and midsize businesses don't consider themselves to be targets for cybercrime. Do their findings match your feelings? Let's hope not.
Good, Good, Good…Good Vibrations
Commentary  |  7/23/2008  | 
It's summertime, time for a little Beach Boys? No, Good Vibrations is the beginning of a series of entries that I will be posting on increasing physical hard drive unit life. In recent briefings, manufacturers like Copan Systems and Xiotech have been raising the issue of the impact of drive vibration. While I was aware of drive vibration, it is not discussed much, so I decided to take a deeper dive.
Brocade Buys Foundry For $3B - Let The FCOE Battles Begin
Commentary  |  7/22/2008  | 
After the close of trading yesterday, Brocade announced that it was going to buy Foundry Networks for $19.75 in cash and stock, or a total of $3 billion. This acquisition puts Brocade in a much better position in the coming data center network wars, as just being the dominant Fibre Channel switch vendor isn't worth much as large enterprise data centers move from separate storage and communications networks to a converged Ethernet.
Has The Time Arrived For iPhone Antivirus Software?
Commentary  |  7/21/2008  | 
Apple antivirus and privacy software maker Intego thinks so. The security vendor last week announced its software is the first AV to scan the iPhone and iPod Touch for malware. I wouldn't rush out to install it, just yet.
Private Clouds
Commentary  |  7/21/2008  | 
Last night, Sunday, July 20, Amazon S3 went down for more than two hours. Last weekend, Apple struggled its way through its MobileMe transition and it is still having some issues with its iDisk service. Both of these companies provide a high quality cloud service, but scaling these types of technology for the masses isn't an easy task and as we have seen in the case of Apple, upgrades or transitio
There'll Always Be An England -- It Just Won't Have Any Secure Laptops
Commentary  |  7/21/2008  | 
The news that more than 650 of the British Ministry of Defence's laptop computers have been stolen over the past four years, along with dozens of thumb drives over the last few months, all containing sensitive information, offers a startling reminder of just how mobile your mobile devices can unfortunately be.
iPhone Is Owned Again; Yawn
Commentary  |  7/20/2008  | 
A little more than a week after Apple's shiny new iPhone 3G went on sale, a team of programmers say they've, once again, gained control over the highly coveted gadget.
Utilities Ready To Put IT Security Efforts In Place
Commentary  |  7/18/2008  | 
The North American Electric Reliability Corp. (NERC) announced this week that it's improving its ability to manage IT security and critical infrastructure protection efforts for North America's bulk power system.
The Problem With Power-Efficient Drives
Commentary  |  7/18/2008  | 
Power-efficient drives are drives that slow down and go into a standby or idle mode and do exactly what they say they will do -- they save power. The challenge with these drives is that many manufacturers are putting these drives into standard array shelves, typically with the same power supplies and the same fans. The array shelf still has to be designed to assume that the drives will spin up at full power, because at some point they probably will.
State Of Spam: Illinois Tops Badmail Target List
Commentary  |  7/17/2008  | 
A new study claims that Illinois receives more spam traffic than any other state in the union. But a close look at the data shows that the other 49 aren't doing all that well either (with one interesting exception).
TrueCrypt: No Cloaking Crypto For You
Commentary  |  7/17/2008  | 
Researchers say the steganography feature, also known as the Deniable File System (DFS), in TrueCrypt may not provide the "security by obscurity" users hoped for.
Power Rationing--Green Gets Serious
Commentary  |  7/16/2008  | 
As part of my normal routine I try to speak with as many data center managers as possible. A trend has appeared lately that I believe we are on the front end of. I am calling the trend power rationing. We have been told several times now over the past few weeks that data center managers are being given a hard limit as to how much power they can use. This is a shift from the more common "Reduce power consumption by x%" to "You can use X watts of power."
San Francisco Network Lockout: Who Controls System Access -- And Who Controls The Controllers?
Commentary  |  7/16/2008  | 
San Francisco's misadventures (to put it mildly) in being locked out of part of its own computer network by a disgruntled but password/access-controlling employee raise one of IT security's oldest and still thorniest questions: who has the authority to grant or deny system access, and who has authority over the authorizers?
Target's Swipe At Privacy, An Update
Commentary  |  7/15/2008  | 
A representative from retailing company Target explained why they're scanning customers' driver's licenses, and exactly what information they are collecting.
Crooks Making Less From Bank Data Look To Steal From Other Businesses (Including Yours)
Commentary  |  7/15/2008  | 
Things are tough all over, as a new report on the drop in the value of stolen bank data shows. But as stolen bank info drops in price, you can bet that the crooks are going to be looking elsewhere to make up the difference. And small and midsize business data is definitely one of the elsewheres.
Ready, Set, Patch Your Oracle Software
Commentary  |  7/14/2008  | 
On Tuesday, Oracle is set to release a bevy of patches for Oracle Database and a handful of other Oracle software.
Block-Level Tiered Storage
Commentary  |  7/14/2008  | 
Tiered storage no longer has the hype surrounding it that it did a few years ago. The concept was simple -- move data from expensive Fibre drives to inexpensive SATA drives. SATA drive technology was just coming into its own and the price and modest capacity made it a good fit for the concept. As a result, every storage manufacturer on the planet was proposing a tiered storage strategy. There were seminars, Webinars, white papers (guilty as charged, I wrote more than a few of them), yet only a f
Why Isn't Internet Infrastructure Security A Bigger Issue?
Commentary  |  7/14/2008  | 
The ongoing debate and discussion about the domain name server vulnerability disclosed last week may be getting a bit of traction in the world beyond IT, but the size and potential seriousness of the problem ought to raise other questions: Namely, why the security of the Net itself, as well as its users, doesn't loom larger (or at all) on the campaign trails.
Securing Your Wireless Internet Connection (You Know You Should)
Commentary  |  7/13/2008  | 
Well, it's not really breaking news: security firm Kaspersky Lab is pointing out the obvious, that most home and small business wireless networks run at a low, or no, level of security. Kaspersky Lab also listed a handful of steps that could be taken to enhance your wireless security. And while it's all good advice, it left out one of the most important.
First Steps Into The Cloud
Commentary  |  7/11/2008  | 
Storage will be one of the first steps many will make in using cloud services. In fact, many users have already taken that first step without even knowing it. They are using services like online storage, backup, and archive. Online backup is there, because of block-level incremental and data deduplication technologies; sending backup data over a network connection is not the impossibility that it was even a few years ago. Also, these companies have been in existence for quite some time, so there
New Media Trojan Exploits Bad Old Piracy, P2P Habits
Commentary  |  7/11/2008  | 
A particularly aggressive new Trojan takes advantage of the oldest of vulnerabilities -- human nature. Hiding in pirate software sites, the Trojan infects the music and video files of illegal software seekers, then spreads when those files are peer-shared.
EMP Risk Follow-Up: Blather O'Plenty, No Action
Commentary  |  7/10/2008  | 
As we discussed yesterday, it's been four years since Congress was fully briefed on our nation's vulnerability to an Electromagnetic Pulse (EMP) Attack, and the debilitating impact it would have on our electro-dependent society.
Justice Breyer's Data Exposure A Reminder Of P2P File Risks
Commentary  |  7/10/2008  | 
The news that Supreme Court Justice Stephen Breyer's personal information was among thousands of other personal data files compromised as a result of a file-sharing snafu raises a couple of issues, chief among them whether or not peer-to-peer file sharing via public programs is ever appropriate for business info.
Cell Phone Security? Speak Up
Commentary  |  7/10/2008  | 
Cell phone security? Try selling that to a bunch of kids in middle school, each with his or her own cell phone. To them, security is a word that means "don't let my parents know that I'm loaning you my cell phone so you can call your friend vacationing in Europe."
It's Time To Defend The U.S. Against The Ultimate Denial Of Service (DOS) Attack
Commentary  |  7/9/2008  | 
Thursday, Congress will be hearing testimony on a potential attack that could shut down most every electronic device, everywhere, and render the entire U.S. power grid dysfunctional for months, if not for more than a year.
Server Hijack Problem Prompts Unified Industry Response
Commentary  |  7/9/2008  | 
The show of patch-unity displayed by many of the industry's major players in addressing a domain name server flaw is gratifying -- and annoying too. Nice to see them working together. Nicer if we knew more about the problem they're working to fix.