Commentary

Content posted in August 2008
BNY Mellon Data Breach Potentially Massive
Commentary  |  8/29/2008  | 
It was in May when we noted an investigation launched by the authorities in the state of Connecticut into a backup tape lost by the Bank of New York Mellon. The results of that investigation are in, and they don't look good.
Storage Acquisitions
Commentary  |  8/29/2008  | 
Brocade's purchase of Foundry Networks seems like a smart move, but technology acquisitions in general and storage acquisitions in specific never seem to pay off well. OK, never is a bit extreme, but it does seem rare and failure here hurts everyone. It distracts the buying company, often ruins the software from the bought company, and leaves users hanging in the balance.
Space Station Laptop Virus: This Isn't Rocket Science!
Commentary  |  8/28/2008  | 
Then again maybe anti-virus precautions are rocket science, or should be, as witness a worm problem in a laptop onboard the International Space Station.
Web Application Hacks: Upping The Arms Race
Commentary  |  8/27/2008  | 
It doesn't seem that long ago since Web application attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.
Cloud Storage Migrations
Commentary  |  8/27/2008  | 
Finishing up the migration series, let's talk about how you would migrate out of a storage cloud. With public storage clouds in particular, this can be a critical issue. These services are all in their infancy. What if you pick the wrong one? How can you get your data back?
Security Breach: More Laws Needed. Let's Add Health Care
Commentary  |  8/26/2008  | 
Earlier this week, colleague Thomas Claburn covered the unfortunate trend that the tally of data breaches this year already has surpassed all breaches recorded for the entire year in 2007. This isn't entirely bad news, as I'll explain.
National Cybersecurity Responsibility: Public v. Private. Where Do You Stand?
Commentary  |  8/26/2008  | 
A long article in today's Los Angeles Times raises -- and examines -- what should be a key national issue: who's most responsible for cybersecurity? The government or the private sector?
Best Western Disputes Depth Of Suspected Breach
Commentary  |  8/25/2008  | 
Disputing the depth of the breach is an understatement. A Best Western spokeswoman just issued a statement to InformationWeek stating that the breach, so far, has only been confirmed to involve 13 guests at a single hotel.
Survey Says You Sweat Security More Than Cost. Do You?
Commentary  |  8/25/2008  | 
A new survey of midsize businesses finds that while IT costs are important to you, security is even more so. In fact, security was ranked as the top IT concern for midmarket players.
Migration Relief
Commentary  |  8/25/2008  | 
In my last entry on migration migraines we discussed the challenges of moving from one primary storage provider to another and went through a few solutions. One of the best methods to make migrations easier is to keep the amount of data on primary storage at a minimum, but what do you do about archives that will grow to petabytes in size?
UPDATE: Best Western Refutes (Some) Claims Of Hacker Compromise
Commentary  |  8/24/2008  | 
Shortly after our post, Best Western Hotel Chain Pwned, which is based on the story that appeared here, Best Western e-mailed us a response that raises more questions than it answers. That statement, which is available
Best Western Hotel Chain Pwned
Commentary  |  8/24/2008  | 
According to news reports that started to surface over the weekend, Best Western, one of the world's largest hotel chains -- if not the largest -- is investigating a breach that purportedly has placed millions of its guests' data at-risk, and in the hands of Russian mobsters.
Radio Implants And GPS To Thwart Kidnappers? Don't Think So
Commentary  |  8/23/2008  | 
In the face of rising kidnappings in Mexico, a number of more affluent Mexicans are opting to have minute radio transmitters implanted under their skin so they can, presumably, be located by the authorities if they're ever kidnapped. This is a bad idea.
Poisoned DNS Woes Grow
Commentary  |  8/22/2008  | 
It's been weeks since Dan Kaminsky revealed that the Domain Name System (DNS) that underlies the Internet's address routing system was dangerously flawed. It's been a slightly shorter time since patches were released, and yet unpatched DNS vulnerabilities still exist and are beginning to be exploited. Why aren't we surprised?
Migration Migraines
Commentary  |  8/22/2008  | 
Moving data between tiers of storage has gotten easier as a result of global file systems and simplified archive software, but upgrading to a new platform ... that is just plain ugly.
FEMA Phones Get Hacked
Commentary  |  8/21/2008  | 
If you are going to hack a phone system, do you really want to hack DHS? That's what happened this weekend when someone made hundreds of illegal calls from a Federal Emergency Management Agency (FEMA) Private Branch Exchange (PBX) to the Middle East and Asia. It appears that it was the usual culprits of poor change control and misconfigurations that left FEMA's digital doors open.
The Security And Privacy Of Healthcare Data
Commentary  |  8/20/2008  | 
Despite the aim of the Health Insurance Portability and Accountability Act to bolster the security and privacy of patient information, a majority of health-care providers believe more should -- and can -- be done. And a newly formed consortium of industry leaders plans to do something about it.
Sneak Peek: New PCI DSS Rules
Commentary  |  8/20/2008  | 
Updates to the Payment Card Industry Data Security Standard (PCI DSS) have been released by the PCI Security Standards Council. The updates, hopefully, will bring some clarity to a number of areas which retailers, merchants, and auditors say are foggy.
Are Competitor Security Problems A Business Advantage Worth Talking?
Commentary  |  8/20/2008  | 
The news that one of the nation's leading student testing companies had its security problems made public by another testing company should give us all pause. How worried do we need to be about competitors blowing the security whistle on us? How worried should that type of competitor be about protecting an industry's customers as well as its own competitive advantage?
Tier 4, The End Of The Trail Of Tiers
Commentary  |  8/20/2008  | 
Tier 4 once was the simplest of all tiers -- it was just tape. The advent of disk-to-disk backup, which has helped most backup strategies, actually has made the tier itself more complex. I also can take a stand that, in some ways, the introduction of disk has made the process of backup itself more complex.
Security Solutions Arriving for Virtualized Systems
Commentary  |  8/20/2008  | 
New technology typically emerges one step ahead of needed security checks. That has been the case with the recent push to virtualized systems although one leading vendor is trying to alter that equation.
As Google Android SDK Hits Street, Android Security Team Braces
Commentary  |  8/19/2008  | 
It's been a big week for the Android phone platform. Most important, the Federal Communications Commission gave the all clear to the first Android-powered handset, which will be built by High Tech Computer and is currently expected to be called the Dream. Additionally, Google released an updated versi
Securing A (Networked) Apple OS X 10.5 Install
Commentary  |  8/19/2008  | 
Despite Apple's laggard attitude toward patching the underbelly of its flagship OS X software; the ability for attackers to crack the OS in seconds; or even the capability of security researchers to dedicate an entire
Microsoft Snags Another Security Researcher
Commentary  |  8/18/2008  | 
There was a time when it seemed Microsoft viewed security researchers as the enemy, and a big public relations problem. They were the troublemakers who poked holes in Microsoft's operating systems, browser, and desktop software. And they published exploits that helped to automate attacks. Today, Microsoft announced that it hired one of them.
The Death Of Storage Hardware
Commentary  |  8/18/2008  | 
My former boss, who is still a mentor today, had a saying: "Success in life is the elimination of variables." Words to live by and words that the storage community must have heard. The biggest variable they deal with when installing a solution into their environment is the variable of, well, their environment.
Vulnerability Management Pays Off: New Aberdeen Report
Commentary  |  8/18/2008  | 
Think vulnerability management costs too much? Might be time to think again: some companies are generating a whopping 91 percent return on vulnerability management investment according to a new report from Aberdeen Group.
Microsoft Blue Hat Fall '08: Security Researchers Want To Hack You
Commentary  |  8/17/2008  | 
If you think the future of hacking may be things like Web applications, social networks, or even infiltrating "The Cloud," you might want to look in a mirror. Sure, all of those things will be targeted, but one of the next frontiers for exploration will be hacking the mind.
Oh, Tier 3...
Commentary  |  8/15/2008  | 
Remember about five years or so ago when life was simple? We had fast SCSI and Fibre Channel drives for data and we had tape for backup. Seemed perfect. Then came the ATA-based drives, and you were told to move your older data to them and start sending backups to disk. Then powering the data center and storage in particular became a problem; another use for ATA, put them in stand-by mode, spin them down, put them to sleep, and then eventually turn them off. As is usually the case, the hardware i
Cisco Releases Security Advisory On WebEx Client ActiveX Control
Commentary  |  8/15/2008  | 
According to Cisco, the WebEx Meeting Manager client software includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts. This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code on your system. Your WebEx provider must patch its servers in order for you to be protected. Read on to find out how to check.
MBTA: Legally Shackling Security Researchers Rarely Works
Commentary  |  8/14/2008  | 
As many security and technology followers know, three MIT students had planned on presenting their findings on a number of vulnerabilities they found in the Massachusetts Bay Transportation Authority's CharlieTicket and CharlieCard payment cards at last week's Defcon conference. That was, until a gag order was put in place to keep them quiet. Today, a federal judge in Boston let the temporary restraining order stand. And so this Saga of Stupidity continues.
Business Lessons From The VMWare Bug (And How It Was Handled)
Commentary  |  8/14/2008  | 
VMWare's "Your license has expired" bug from earlier this week has been resolved by a patch, but that doesn't mean there aren't large lessons for small and midsize businesses in how VMWare handled the problem and, in a couple of important areas, failed to.
Tier Matching
Commentary  |  8/13/2008  | 
Tiered storage can be difficult to manage and one of the challenges to its acceptance is the amount of effort it takes to move data between those tiers. We've written about several methods to move data between tiers in previous blogs, but in some cases the decision isn't that complicated.
Securing Virtualization, Or Is That Virtualizing Security?
Commentary  |  8/12/2008  | 
One of the big topics at last week's Black Hat and Defcon security confabs was virtualization security, but few speakers talked about what is really important: how we approach virtualizing security, and how virtualization itself changes the way we approach information security. All of that changed when I was trampled over by The Four Horsemen Of the Virtualization Security Apocalypse.
Alert: Major VMWare Flaw Revealed, Cutting Off Customers' Virtual Machines
Commentary  |  8/12/2008  | 
A flaw in the latest VMWare hypervisor update resulted in product licenses being declared invalid at midnight, with customers being rendered unable to run virtual machines (and as a result some applications) in their data centers. The license-recognition flaw was announced earlier today and a permanent patch is hoped for by tomorrow.
Threat Report News: The Good, The Bad And The Blended
Commentary  |  8/12/2008  | 
Spam is down, and so are zombies, but guards have to stay up -- new types of attacks are picking up the slack, and picking it up in particularly nasty ways, according to a quarterly report from Secure Computing. Just because old threats appear to be diminishing, doesn't mean they're going away. In fact, they're being blended into more dangerous threats than ever.
Tiered Storage Redefined
Commentary  |  8/11/2008  | 
In the never-ending world of tiered storage, it really breaks down into two types of storage: transactional (active) and passive storage. For obvious reasons these two worlds overlap, but it is surprising how many levels of granularity there are within these tiers. Gone are the days of three tiers. There are more tiers of storage than ever, so it's helpful to see where we are.
Black Hat Conference: Hackers Hacked At Hacker-Hacking Journalists
Commentary  |  8/11/2008  | 
This year's Black Hat conference made more than the usual "Hackers Gather" headlines when three journalists were expelled for allegedly sniffing the digital trails of other media representatives covering the conference. That they did so via a wired rather than wireless connection is a reminder that nothing's as secure as we think it might be -- even at a security conference.
Defcon/Black Hat: Social Network Security = Fail!
Commentary  |  8/11/2008  | 
Social networks such as LinkedIn, MySpace, Facebook, and microblogging sites such as Twitter are all fertile grounds for both social engineering and technical attacks. It can get even nastier when you combine the two. Too bad we haven't learned anything about secure coding practices and proper authentication in the past 20 years or so.
Defcon 16 Kicks Off In Controversy
Commentary  |  8/10/2008  | 
Would you expect the 16th annual hackfest to begin any other way? Whether it's the arrest of security researchers, or the outed undercover TV producer of years gone by, Black Hat's sister security and hacking conference, Defcon, always causes a stir. This year, it was the press conference that wasn't to be.
SMB Archiving
Commentary  |  8/8/2008  | 
Data retention and archiving aren't just for large enterprises. Small to medium-sized businesses need to be concerned about e-mail retention, data retention, and data archiving. I know the first response is, "We are not a public company, we don't have to worry about that." You might be right, but the need to retain and store e-mails and other forms of data goes well beyond being a public company. While I won't go into all the reasons why, here are some simple ones:
Olympic Surfing Can Cost Businesses More Than Time
Commentary  |  8/8/2008  | 
With the 2008 Summer Games' opening ceremonies now completed (though not broadcast until tonight in the U.S.) it's a safe bet that small and midsize businesses are going to be losing more and more time to employees surfing for Olympic news. Time to be sure their clicks don't turn up malware as well as event standings.
Black Hat: French Reporters Ejected From The Conference, Accused Of Hacking Fellow Journalists
Commentary  |  8/8/2008  | 
After being accused of sniffing the network traffic in the pressroom at the Black Hat security conference, three French reporters were given their walking papers by conference organizers. If you can't feel safe accessing the Internet at a hacker's conference, where can you feel safe?
Black Hat: The Microsoft Exploitability Index: More Vulnerability Madness
Commentary  |  8/7/2008  | 
On Tuesday, Microsoft introduced the "The Microsoft Exploitability Index." The software maker hopes this index will help companies more effectively prioritize the patches they need to deploy. I don't believe it will. And it may even make the vulnerability madness that exists today even more maddening.
Black Hat Disputes Charles Edge Talk Even Submitted
Commentary  |  8/7/2008  | 
Last week we covered two incidents surrounding Apple's (non) participation at this year's Black Hat conference. Apparently, the first was a potential talk pulled from consideration because Apple just doesn't like its engineers explaining anything about how they handle software security. The other, Black Hat contends, was never even submitted.
Angelina Jolie On Top Of Barack Obama On Top Of Paris Hilton! (For Spam Subject Line Championship)
Commentary  |  8/6/2008  | 
Obama and Hilton and Spears, oh my! Angelina and Paris and Britney, oh my! Celebrities are the hottest spamlines going, and a new study shows which rich and famous (and infamous) names are A-list on the spam hall of shame, and which ones are slipping.
Black Hat: DNS Researcher Flaw Much Bigger Than Thought
Commentary  |  8/6/2008  | 
While it may be hard to fathom, considering the extraordinary amount of coverage and speculation that swirled about Dan Kaminsky's DNS vulnerability announcement, Kaminsky today said that the flaw is much more serious than previously speculated.