Commentary
Content posted in August 2009
Data Breach Silence Breached: 5 Good Security Tips
Commentary  |  8/31/2009  | 
For every high-profile, big-headline data breach, there are plenty of others that are kept quiet. A good piece in InformationWeek takes a peek behind the curtain of quiet and offers some solid lessons in how to avoid having your data compromised.
The Foundation Of The Data Asset
Commentary  |  8/31/2009  | 
In my last entry we discussed Making Data an Asset. This entry will focus on where that data asset should be stored. What is needed is a strong storage foundation, one that is designed to last for years, if not decades, but also one that will store that data efficiently and of course be complementary to the enterprise-class indexing that we described in our last entry.
Snow Leopard's Toothless Trojan Defense
Commentary  |  8/31/2009  | 
Snow Leopard is the strongest business offering that Apple has ever fielded, but Apple remains in the dark ages when it comes to protection against malware and in its unwillingness to work with third-party vendors to minimize the risk of bringing an Apple machine into a large business.
Hacking Oil Rigs
Commentary  |  8/30/2009  | 
When it comes to cyberwar, real cyberwar, perhaps the most damaging attacks won't come in the form of denial-of-service attacks, but will be aimed directly at our energy supply.
Snow Leopard's Anti-Malware Lacks Roar
Commentary  |  8/29/2009  | 
A security firm's assessment of the malware protection capabilities that was leaked prior to Friday's release shows that Apple's Snow Leopard won't be chasing down much malware.
Lessons From The Credit Union Penetration-Test Debacle
Commentary  |  8/28/2009  | 
Determining who is "in the loop" during a penetration test is an important step not always properly planned during the beginning phases of an engagement. The recent media release from the National Credit Union Association (NCUA) provides an excellent example of what can go wrong.
Is Your Wi-Fi Network Open to Intrusion?
Commentary  |  8/27/2009  | 
Security has been an ongoing concern among wireless LAN users since their emergence in the mid-1990s. While vendors have worked diligently to close up any holes, new ones seem to emerge on a regular basis, and one is now coming to light that could impact many small and medium businesses.
Cybercriminals: Taking The Road Less Traveled
Commentary  |  8/27/2009  | 
If you were a criminal, what data would you be looking for? The most obvious answer is to look for the types of data that give you direct access to cash: bank accounts, brokerage accounts, credit cards. Like Willie Sutton, you'd go where the money is, right? And that's why some of the stiffest security defenses surround this sort of account data.
Making Data An Asset
Commentary  |  8/27/2009  | 
Data is often looked at as a liability: something that has to be stored, protected and preserved. Data storage has led to massively expanding storage environments and such initiatives as archiving. Protection has led to incredibly elaborate backup and recovery schemes, and preservation has led to eDiscovery and compliance. All of these processes are reactive; how can the view of data be changed to proactive, to using data as an asset?
Printer Security? Yep: Printer Security!
Commentary  |  8/27/2009  | 
The news that IEEE has released new standards for networked printer security is a good reminder that it's not just the computers and servers on your network that pose risks.
Attacking Customers, Employees With SQL Injection
Commentary  |  8/26/2009  | 
In the security world, providing "what-if" scenarios can be good, but real-world examples are often required to get people to sit up and listen.
OOOPS Factors: Accidental Data Leaks Are Biggest Business Threat
Commentary  |  8/26/2009  | 
A new IDC/RSA report shows that the accidental data leak is the insider threat businesses feel is most likely to happen. Not a lot of comfort in that, if you think about it.
Is Snow Leopard Coming With Antivirus?
Commentary  |  8/25/2009  | 
Apple security firm Intego posted a hint that Snow Leopard, the new Macintosh operating system that is due for release this Friday, may contain some level of anti-malware detection.
When Mass SQL Injection Worms Evolve...Again
Commentary  |  8/24/2009  | 
In the past, I've described how mass SQL injection worms took the Web completely by storm. Two years ago, SQL injection attacks evolved from sentient, one-off, targeted data-stealing exploits, like in the breaches at Hannaford Brothers and Heartland, to fully automated, unauthenticated
Government Finalizing Medical Data Breach Notification Rules
Commentary  |  8/24/2009  | 
Medical data breaches are on the rise. Much in the same way that credit card breach notifications skyrocketed following California's enactment of SB 1386, California's medical breach laws are doing the same now with patient data. Unlike financial breaches, however, federal rules are now coming into play.
Your Cloud Insurance Policy
Commentary  |  8/24/2009  | 
Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.
Getting To The Last Copy Of Data
Commentary  |  8/24/2009  | 
One of the storage management challenges we see every day in customer data centers is that there are too many copies of data in circulation. Ironically, it's this fact that built much of the value and motivation behind data deduplication. It should not be this way. Why should you get to a last copy of data?
What Are Botmasters Thinking?
Commentary  |  8/21/2009  | 
They're thinking that bots are where the money is, according to a fascinating piece over at Dark Reading. Did you know, for instance, that the average bot is worth between a dime and quarter on the market? You gotta sell a lotta bots at that price to make real money -- and people are making real money doing just that.
Rapid Triage To Stop The Data Bleed
Commentary  |  8/20/2009  | 
The SANS Internet Storm Center on Tuesday questioned whether an exploit was out in the wild for MS09-039 due to increased scanning for TCP port 42. That same afternoon, a notice went out to the EDUCAUSE Security mailing list with the subject: "CRITICAL: Active exploitation of MS09-039 in the EDU sector." It's not often we get to see a preauthentication attack against a Windows service like WINS that makes an easy jumping-off point to compromise an entire Microsoft Active Directory. Can you imagi
Cloud Storage As An On Demand Data Archive
Commentary  |  8/20/2009  | 
The challenge that most archive systems have is that they are too big for the job. Some organizations, especially in the small to medium-sized business market, may not want or need to move all their inactive data to a secondary storage tier, yet they know they have specific electronic documents that from time to time need to be retained and locked down.
Why I Refuse to Update My Website Certificate
Commentary  |  8/20/2009  | 
Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.
Option Emerges to Secure Google Android SmartPhones
Commentary  |  8/19/2009  | 
One of the first signs in growing acceptance of a new technology is an influx of security products. An Israeli startup, DroidSecurity, thinks the time has come for companies to try and secure their Android smartphones, so the company has delivered an anti-malware and physical security package for the device.
Hacker Indictments Highlight Application Security
Commentary  |  8/18/2009  | 
As you probably know, a federal grand jury has indicted Albert Gonzalez, 28, of Miami, Fla., for allegedly hacking into computers belonging to retail and financial companies and stealing more than 130 million credit and debit cards. And the hacking didn't involve anything more than standard SQL injection attacks.
One Storage Solution For Everyone?
Commentary  |  8/18/2009  | 
There is a dizzying array of storage solutions available to storage managers today. Whether it's backup, archive or primary storage, there are multiple options available. Many times, manufacturers try to position themselves as a single source of storage solutions for a data center. Be careful of this approach; seldom is one manufacturer able to provide best-of-breed solutions in every product category.
Qualys Report Shows Disturbing Persistence Of Critical Vulns
Commentary  |  8/17/2009  | 
In my recent Tech Insight on vulnerability management, I covered a few of the major components for having a successful program to address vulnerabilities as they are disclosed by vendors and researchers. I've known for a while that patching desktop applications is lagging behind, but for some reason companies just aren't taking it seriously enough to resolve quickly -- even when confronted wit
Twitterbot Tweets Malware Orders
Commentary  |  8/17/2009  | 
The discovery of a Twitter profile being used to tweet botnet updates and links is one more indication (not that we needed one) that cybercriminals are using the same tools that we are.
Who Are These Followers And Followees of the Twitter Botnet?
Commentary  |  8/17/2009  | 
Social networks really do bring people together, don't they? Old friends. Long-lost relatives. Bots and bot-herders. Warms the heart.
Banks, Credit Card Companies Take Swipe At New Encryption Method
Commentary  |  8/16/2009  | 
Visa Inc. and Fifth Third Bancorp are testing a novel technique for authenticating in-person credit and debit card transactions by using a fingerprint created by the individual magstripe on each card.
Physical Penetration Testing Tells All
Commentary  |  8/14/2009  | 
Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the mo
Data Center Revolution Or Evolution
Commentary  |  8/14/2009  | 
I recently read a claim by one major supplier of Fibre Channel over Ethernet (FCoE) technology that it would be the dominant infrastructure in use in data centers in two to three years! Are you kidding me? Other than being impossible, that is just not the speed at which the data center moves. The data center evolves, it does not revolt.
Reclaiming The Email Channel
Commentary  |  8/14/2009  | 
Financial institutions and ecommerce sites use email as a marketing platform, training users to trust email -- essentially blazing a trail for the phishers.
E-Voting Takes Another Hit
Commentary  |  8/13/2009  | 
A group of computer scientists has shown how voting results, held in electronic voting machines, can be changed using a novel hacking technique. It's yet another reason why we need to have a verifiable, auditable paper trail for electronic voting machines.
Specialization Inevitable In Infosec
Commentary  |  8/13/2009  | 
Specialization in the information security field is key. Plenty of blogs have been written during the past few months with infosec career advice, but none has hit the nail on the head like two recent posts from Richard Bejtlich and Anton Chuvakin.
It's Time To Integrate Physical And Virtual Security
Commentary  |  8/13/2009  | 
With examples of employee theft and the increasing threat of damage to systems by disgruntled ex-employees, it's time to consider presence-linked policies and implementing the Trusted Computing Group's new Trusted Network Connect (TNC) standard. We have the technology to better support our financial and intellectual property -- and in these hard times, we need to step up and do just that.
Deletion And Reclamation - The Ultimate Deduplication Strategy
Commentary  |  8/12/2009  | 
With all the products that are available today for optimizing storage through deduplication and/or compression, one of the best methods available is deletion and reclamation.
Dasient Offers Free Open Source Anti-Malware For Apache Server
Commentary  |  8/11/2009  | 
New security company Dasient is offering at no charge a limited functionality version of its anti-malware software. The module, for Apache Web server, blocks infected Web pages and aims to help keep companies from finding their site on Internet black lists.
Social Zombies Out For Your Network, Not Brains
Commentary  |  8/10/2009  | 
Last week, I took a shot at the Marines for banning social networks without waiting for the Pentagon to finish looking into the threats posed by members of our armed forces using sites like Facebook and Twitter.
Maximizing IOPS With SSD
Commentary  |  8/10/2009  | 
In a recent series of entries I covered several storage technologies that can help a data center maximize its CAPEX. Most of that series focused on cutting costs by using less primary storage, either through archiving or efficiency. Another way to maximize your CAPEX investment is to maximize IOPS with SSD (Solid State Disk) technology.
Lockpicking And The Internet
Commentary  |  8/10/2009  | 
Physical locks aren't very good. They keep the honest out, but any burglar worth his salt can pick the common door lock pretty quickly. It used to be that most people didn't know this. Sure, we all watched television criminals and private detectives pick locks with an ease only found on television and thought it realistic, but somehow we still held onto the belief that our own locks kept us safe from intruders. The Internet changed that.
Big Names, Big Blogs
Commentary  |  8/10/2009  | 
The Dark Reading blog section continues to add new voices from some of the top security researchers and experts in the industry.
Prepare To Patch
Commentary  |  8/10/2009  | 
If you are a Microsoft Windows user, chances are there's a patch waiting for you tomorrow.
Top 3 Bots: Billions (With A B!) Of Spams A Day!
Commentary  |  8/7/2009  | 
How much havoc can a botnet wreak? Too much, according to MessageLabs, which reports that the top 3 bots are spewing 21 billion spams a day.
SecurityBSides: The Best-Kept Vegas Secret
Commentary  |  8/6/2009  | 
Getting to SecurityBSides made me think of all the Vegas movies where a casino boss takes a cheater out into the desert and buries him in the sand.
Twitter Takedown: DDoS Attack Beats Tweets
Commentary  |  8/6/2009  | 
Twitter was shut down for a couple of hours this morning by a Distributed Denial of Service (DDoS) attack; blog site LiveJournal went down too, and the rumors flew that Facebook was having traffic troubles of its own.
Marines Jump The Gun On Social Networking
Commentary  |  8/5/2009  | 
Being on the front line of IT security often feels like the equivalent of holding a hammer during a game of Whack-A-Mole. One day it's a client-side vulnerability in Adobe Acrobat, and the next, it's an unsubstantiated vulnerability in OpenSSH. At the end of the day, we're just trying to find that balance between usability, productivity, and security. That's why the news that the U.S. Marines are banning social networking sites completely makes me think they're jumping the gun.
The Seedy Side Of Hacking
Commentary  |  8/5/2009  | 
The running joke among seasoned Defcon attendees in Las Vegas every year is to steer clear of ATM machines at the Riviera Hotel, where hackers have been known to place a booby-trapped ATM to prove their point that nothing is sacred when hackers are in the house (or worse). Then there's the Wall of Sheep "contest" at both Black Hat USA and Defcon to see who's either clueless or bold enough to jump onto the unsecured WiFi network at the shows. When they do, they get the dubious honor of getting their
Turn Off Auto-Updates Before Hitting the Road
Commentary  |  8/4/2009  | 
The convenience of automatic software updates can create major problems if apps are updated via unsecured public Wi-Fi connections. Hotspots make great hijack spots, and as a result, your mobile employees need to make some adjustments in their update settings.
'FOCA' And The Power Of Metadata Analysis
Commentary  |  8/3/2009  | 
Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.
New SSL Attacks Don't Change Your Web Risk
Commentary  |  8/3/2009  | 
There's been a lot of talk about SSL security since last week's Black Hat conference. While these attacks are significant, I don't see them as changing the security posture of the Web.
Secure Certificate Vulnerabilities Revealed
Commentary  |  8/3/2009  | 
The SSL Certificate that tells visitors a site is certified as trustworthy may be easier to fake than previously thought. And that's one more reminder that the whole system of trust authorization is in need of work.