Commentary
Content posted in August 2010
Dangerous Internet Explorer QuickTime Flaw Surfaces
Commentary  |  8/31/2010  | 
Spanish security researcher Ruben Santamarta has discovered a way to exploit Apple QuickTime on Microsoft Windows systems and bypass advanced security defenses to take complete control of targeted systems.
The Essentials Of Database Assessment
Commentary  |  8/30/2010  | 
The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.
Microsoft Software Security Development Lifecycle (SDL) Unleashed
Commentary  |  8/30/2010  | 
While many industry watchers may not acknowledge it, Microsoft has been one of the few software makers to put a serious, and highly public, effort behind the development of secure software. Now, much of what the company has learned about secure software development is going to be even more accessible.
Make Security About Security, Not Compliance
Commentary  |  8/30/2010  | 
The lack of follow-through and belief in any type of lifecycle for security is one that really bothers me when working with clients who are looking only to meet the minimum compliance requirements.
Are We Missing the Point?
Commentary  |  8/29/2010  | 
Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?
Practical Analysis: For SMB Backups, Think Hybrid Technology
Commentary  |  8/27/2010  | 
Building a system to protect your data can't be a one-size-fits-all endeavor.
Buy Storage From A Storage Vendor
Commentary  |  8/27/2010  | 
As a company gets larger it becomes increasingly difficult for it to innovate and storage is a market that thrives on innovation. It has not become commoditized like the server market despite multiple predictions to the contrary. Server vendors have repeatedly bought their way into storage attracted by the higher margins. My recommendation is to resist and buy your storage from a storage only, or at least mostly, vendor.
The Case For Zero-Day Penetration Testing
Commentary  |  8/26/2010  | 
Penetration testing is a tightrope act where you balance existing knowledge with a mixture of freshly released- and zero-day knowledge. As a penetration tester, I often hear the argument that zero-day attacks do not belong in a test, that there is no time to prepare for them, so of course the target will be compromised. But I have the exact opposite philosophy: zero-day testing should occur to gauge an organization's response to such an attack. If mitigating controls are in place, an unknown att
What Solid State Storage Form Factor Is Best?
Commentary  |  8/25/2010  | 
Solid state storage comes in several form factors. Each has its value to both suppliers and to users of the technology. In the data center there seem to be three popular choices emerging: solid state disk drives, PCIe solid state cards, and solid state appliances or memory arrays. Choosing the right one for your environment is critical in making sure that you get the most out of your solid state investment.
What Storage Is Best For Server Virtualization, Part II
Commentary  |  8/24/2010  | 
In my last entry, the first part of this series, we discussed some of the key capabilities to look for when selecting a server virtualization strategy, but, as a friend of mine pointed out, I never really declared one storage type the best. In this entry we will start to give you some steps to follow in making that selection.
CloudAudit Gets Real
Commentary  |  8/22/2010  | 
For enterprises, one of the biggest challenges with cloud computing is transparency into the operational, policy and regulatory, and security controls of cloud providers. For cloud providers, one of their pressing challenges is answering all of the audit and information gathering requests from customers and prospects. CloudAudit aims to change that.
Choosing The Right Firewall For Your Small Business
Commentary  |  8/21/2010  | 
After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.
Intel Buys McAfee: Is The PC Security Model Dead?
Commentary  |  8/20/2010  | 
When it comes to emerging platforms like smartphones, tablets, and embedded networked systems, the old model of separate antivirus security companies is officially dead. And Intel's purchase of McAfee puts a stake in it.
Intel Buys (Overpays For?) McAFee For Growth
Commentary  |  8/20/2010  | 
Chipmaker Intel buys security software maker McAfee for $7.68 billion. The question is: why?
What Storage Is Best For Server Virtualization?
Commentary  |  8/19/2010  | 
One of the biggest challenges to expanding a virtual server infrastructure is dealing with the storage challenges that often come with the deployment. The way storage is used in the virtual infrastructure is unlike most use cases. In this environment we want the same storage area to be accessed by almost every connecting server and each of those servers may have dozens of workloads trying to access that storage at the same time.
Embedded Systems Can Mean Embedded Vulnerabilities
Commentary  |  8/18/2010  | 
I'll admit that I've been having a lot of fun with the VxWorks vulnerabilities lately, but it's important to step back and look at our networks to see what other devices could be sitting there waiting to be the next harbingers of doom.
Anti-Virus Suite Protection? Not Much
Commentary  |  8/17/2010  | 
It's no secret that anti-virus software doesn't do much to protect you against new and rapidly moving viruses, so it shouldn't come as much of a surprise that these suites don't do much good defending you against exploit code, either. A fresh evaluation from NSS Labs reveals just how vulnerable you really are.
Database Threat Modeling And Strip Poker
Commentary  |  8/17/2010  | 
Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.
Advanced Persistent Threat: The Insider Threat
Commentary  |  8/16/2010  | 
APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerability these threats compromise is the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.
Is Dell Set To Become A Storage Juggernaut?
Commentary  |  8/16/2010  | 
Dell today announced its intention to buy 3PAR. Assuming for a moment that everything goes through and Dell is successful at the integration strategy, it suddenly becomes a force to be reckoned with in the storage industry. 3PAR, EqualLogic, and Ocarina Networks, all supported by Perot Services, make for a compelling combination.
Analysis: Healthcare Breach Costs May Reach $800 Million
Commentary  |  8/15/2010  | 
According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.
The Value Of Bursting
Commentary  |  8/13/2010  | 
Having things burst in the data center does not seem like a very good idea, but the term really applies to allowing components of the data center to expand on the fly when there is a peak load and then contract when it has passed. The value of bursting is that it allows you to design infrastructures for the norm rather than the worst case, saving capital.
Gaining A Foothold By Exploiting VxWorks Vulns
Commentary  |  8/13/2010  | 
The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.
Apple Plugs Jailbreak Flaw, Exploit Code Released
Commentary  |  8/12/2010  | 
About a week after JailbreakMe 2.0 surfaced, Apple has plugged the flaws in iOS that made the Jailbreak possible. If you've not jailbroken your phone, you'll want to get the update ASAP as the exploit code has been released.
Girl Quits Job! Oh, What A Meme
Commentary  |  8/11/2010  | 
Who hasn't yet seen the "Girl quits her job on dry erase board, emails entire office" meme? It hit the Net like a hurricane, and I liked it immediately. In fact, fake or not -- I still do. What can we learn from it?
Cleaning The Digital Dump
Commentary  |  8/11/2010  | 
One of the challenges that IT faces is getting rid of all the old, unused files that are clogging up primary storage. Primary storage can hold data that has not been modified, or even opened, for years. The challenge is how to deal with the digital dump, especially since most IT people don't have the authority to delete other people's files.
Post Patch Tuesday. Don't Stop There
Commentary  |  8/11/2010  | 
While you may be well underway testing and deploying this month's hefty batch of patches from Redmond, it's never too soon to ask: how secure do the rest of your applications and servers look?
Protecting Your Network From The Unpatchable
Commentary  |  8/10/2010  | 
When I first saw the F-Secure blog post on installing Microsoft's fix for the LNK vulnerability on a Windows XP SP2 host, I couldn't help but ask, "Why?" Seriously. Why would anyone running a Windows XP host not be running with the latest service pack and security updates? And then it hit me.
How To Protect Oracle Database Vault
Commentary  |  8/9/2010  | 
In Esteban Martinez Fayo's "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple of weeks ago, he used several exploit methods that could be used to disable Oracle Database Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implements all of Oracle Database Vault's functions.
How RIM Could Fail
Commentary  |  8/9/2010  | 
Of the handset choices that are sold broadly on the market, the BlackBerry platform is the most inherently secure. To appeal to the business market it targets, it had to be better than any other handset or mobile solutions vendor. But with Saudi Arabia blocking the service and other countries expected to follow -- coupled with mistakes on its new flagship Blackberry Torch -- RIM could be on the brink of a Palm-like failure.
Yet Another Facebook Malware Evolution
Commentary  |  8/9/2010  | 
Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.
Dark Reading Launches New Tech Center On Authentication
Commentary  |  8/8/2010  | 
Today Dark Reading launches a new feature: the Authentication Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of authentication and certification of end user access.
Does Every Data Center Need Storage?
Commentary  |  8/6/2010  | 
As a business grows it reaches a size where it needs servers for certain functions; an email server, an application server for business financials and maybe a collaboration server to track and maintain documents.
Brace For Heavy Patch Tuesday
Commentary  |  8/5/2010  | 
This Tuesday Microsoft is expected to release a record number of security bulletins that affect many versions of Windows and an assortment of applications.
Data Visualization For Faster, More Effective Pen Testing
Commentary  |  8/5/2010  | 
"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.
The Truth About iSCSI
Commentary  |  8/4/2010  | 
Over the next several entries we are going to explore several of the protocols that are available to IT managers as they try to select a protocol for use in their environments. First up is iSCSI. It is the protocol most seem to look to first because it is believed to be both cost effective and easier to use than the currently more commonplace Fibre Channel. The truth about iSCSI, though, is that it is a real storage protocol and it needs to be treated like one.
On iPhone, Jailbreaking, And Security
Commentary  |  8/3/2010  | 
It may not be the fashionable decision, but I choose not to jailbreak my iPhone. That's primarily out of security concerns. However, it turns out that Jailbreaking (read: pwning) an iPhone is now as simple as visiting a web page.
Using The 36 Stratagems For Social Engineering
Commentary  |  8/3/2010  | 
I attended several great presentations during last week's BSides and Defcon. HD's VxWorks, egyp7's phpterpreter, and David Kennedy's SET talks were a few of my favorites, with great content and demos, but one that I found especially refreshing and fun was Jayson Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering."
Managing The Mixed Storage Environment
Commentary  |  8/2/2010  | 
In my last entry we covered the value of having just one device to manage. What if that is not realistic for your environment? Either you selected a storage system that won't scale, you have business reasons for multiple units, or the environment is just too large and too diverse to put everything on one storage platform. You need tools that allow the different systems to be managed more easily.
VxWorks Vulnerability Tools Released
Commentary  |  8/2/2010  | 
If you haven't started scanning your network for UDP port 17185, then you had better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and chief architect of the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.