Commentary
Content posted in September 2010
In Software We (Can't) Trust
Commentary  |  9/30/2010  | 
I can't think of more than a few attacks in the past decade that involved stolen certificates as part of the malware or exploit code. However, recent attacks and new research highlight the increasing danger of trusting signed digital certificates.
User Authentication In E-Commerce
Commentary  |  9/29/2010  | 
When we designed SSL to enable e-commerce on the Web, we had to solve two issues. One was the Web's openness -- the fact that anybody can read anything -- and the other was how parties might authenticate with one another.
Ready For Primary Cloud Storage?
Commentary  |  9/29/2010  | 
Cloud storage has moved out of the experimental mode and into some form of production for many organizations. To date, most of the use cases are either to back up data to the cloud or to archive data to the cloud. Now, though, the move is on to leverage the cloud for primary data storage. If successful, it could change the way many businesses buy storage.
Google To Warn Admins Of Malware Infestations
Commentary  |  9/29/2010  | 
It's been made very clear that one of the greatest threats to Web safety is reputable Web sites getting nailed with malware - and their webmasters don't even know it. That malware then infects users - who are also unaware that they've been pwned. This week, Google is taking steps to try to turn that tide.
Why The Insider Threat Is Ignored
Commentary  |  9/28/2010  | 
The insider threat is complicated, and most organizations do not fully understand the magnitude of the problem. There are three main reasons why the insider threat has been ignored: Organizations do not know it's happening, it's easy for organizations to be in denial, and organizations fear bad publicity.
Government Puts The Hurt On The Internet
Commentary  |  9/28/2010  | 
There are a lot of problems that face the Internet and technology today, from major security flaws to increasing infrastructure demands, you name it. But by far the biggest threats are the regular attempts by government and special interests to control the Internet and technology, attempts which would usually end up causing severe damage.
Top Excuses For Foregoing Security Monitoring, Logging
Commentary  |  9/28/2010  | 
Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze.
Integrating The SSD Appliance
Commentary  |  9/27/2010  | 
The SSD Appliance or Memory Array applies to storage systems that are designed from the ground up to only be used with solid state storage. They are often focused on storage I/O performance and solid state integrity more so than on providing storage services like snapshots or replication. In this entry we will look at when it makes sense to use these products instead of adding SSD to an existing storage system or going all out and buying a new solid state storage system.
Stuxnet Pwned Iran. Are We Next?
Commentary  |  9/27/2010  | 
For the past few weeks rumors had run rampant about the purported targets of the Stuxnet worm. One of those rumors was that the worm was targeting Iran's controversial nuclear sites. Now, according to news reports that hit yesterday, those rumors may very well be right. There's a warning in all of this for the United States.
Five Main Causes Of SMB Security Incidents
Commentary  |  9/27/2010  | 
Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.
Zeus Targeting Mobile Phone Authentication
Commentary  |  9/26/2010  | 
A new variant of the Zeus botnet aims to circumvent an increasingly popular mode of two-factor authentication among financial institutions and other enterprises.
Lock-Picking Popularity Grows
Commentary  |  9/24/2010  | 
As security professionals, it is easy to get focused only on the technical side of security and forget about the importance of physical security.
What Solid State Form Factor Is Best - Integration
Commentary  |  9/24/2010  | 
Returning to our Solid State Form Factor series: in this entry we are going to begin the discussion about solid state integration. There are really two parts of the integration discussion: how will you integrate solid state disk into your storage infrastructure, and how will your vendor integrate solid state disk into their storage system? We'll tackle the vendor issue first since it may directl
'Here You Have' A Lesson
Commentary  |  9/24/2010  | 
It's been interchangeably called spam, or a targeted attack that spun out of control, or a form of cyber-jihad with alleged geopolitical implications. But regardless of what you call it, the "Here You Have" email worm is an excellent example of just how well today's security can work. Here are a few justifications for that optimism.
Different Flavors Of The Insider Threat
Commentary  |  9/22/2010  | 
There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.
The Cookies You Can't Remove
Commentary  |  9/22/2010  | 
They say that some things last forever, like diamonds or true love or Twinkies. But should browser cookies used for tracking be added to that list?
Web-Based Spam Detection With Google Alerts
Commentary  |  9/22/2010  | 
Search engines are great, powerful tools. They can help find an answer when you've tried everything you can think of. They can also help find information about a company you may be performing a penetration test on.
Twitter Under Attack
Commentary  |  9/21/2010  | 
There's a cross-site scripting flaw aggressively spreading across the social networking site Twitter. I know, I was hacked first thing this morning...
Virtual Desktops And Storage - Dealing With Boot Storms
Commentary  |  9/21/2010  | 
Virtual desktop environments are different than virtual server environments when discussing performance. In the virtual desktop environment we need to be able to provide consistent, but moderate, performance throughout the day to a set of endpoints (desktops and laptops) that have similar I/O patterns. This is different than server virtualization, which has highly random I/O patterns and needs very high performance at peak moments throughout the day.
The What And The Why Of Professional Penetration Testing
Commentary  |  9/20/2010  | 
Welcome to the first in a series of posts on professional penetration testing. During the course of the next few entries, I will shed light on the often confusing and rarely straightforward world of penetration testing based on my experience during the past decade as both a professional penetration tester and a manager of penetration testing teams.
Missing The Insider Threat
Commentary  |  9/20/2010  | 
"I trust everyone. It is the devil inside that I do not trust" is a great line from the movie "The Italian Job." Every single person has the potential to do harm if the right circumstances occur. Yes, this includes employees.
Protegrity Gets Aggressive
Commentary  |  9/20/2010  | 
Last week Protegrity announced it had filed patent infringement suits against NuBridges and Voltage Security Inc., its main competitors. Patent infringement suits are nothing new with technology companies, but this one was a little odd in that the suits were actually filed in May.
A Lesson From Steve Jobs' Email
Commentary  |  9/20/2010  | 
We've all had one of these moments: You get an email and quickly respond without putting much thought into it. Then you end up wishing you'd taken more time.
Steady Bleed: State of HealthCare Data Breaches
Commentary  |  9/19/2010  | 
Study reveals that, for many healthcare providers, patient data breaches continue - month after month - at an alarming rate.
Desktop Virtualization And The Storage Challenges It Creates
Commentary  |  9/17/2010  | 
As server virtualization becomes more widespread, desktop virtualization is quickly becoming the next big project that IT managers have on their white board. As with any new IT project, it has the opportunity to bring added flexibility and cost savings to the organization while at the same time increasing IT efficiency. However, like server virtualization before it, desktop virtualization brings a whole new set of storage challenges.
Which Solid State Disk Is Best? Part IV
Commentary  |  9/15/2010  | 
The next step in deciding which solid state storage is best for your environment is to understand how you are going to use solid state disk. I moved this ahead of how to integrate solid state disk into your environment because knowing how you are going to use solid state disk may impact how you choose to implement it.
Taking USB Attacks To The Next Level
Commentary  |  9/15/2010  | 
USB devices have many benign, legitimate uses. But put a USB-based device in the hands of a savvy hardware hacker, and that USB device can go from good to evil in no time.
Dark Reading Launches Tech Center On Security Monitoring
Commentary  |  9/14/2010  | 
Today Dark Reading launches a new feature: the Security Monitoring Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of security data monitoring and analysis.
Cloud Security And Compliance: Clear The Ambiguity
Commentary  |  9/13/2010  | 
The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example of how a nascent, but encouraging, standard - CloudAudit - aims to change that.
What Solid State Storage Form Factor Is Best? Part III
Commentary  |  9/13/2010  | 
In our series on trying to decide which Solid State Storage is best for your environment we have covered PCIe Based Solid State Storage and Solid State Disk (SSD). This entry will cover Solid State Systems (SSS) or Memory Arrays. These are systems that are designed from the ground up to only provide solid state
Relying On Tools Makes You Dumber
Commentary  |  9/13/2010  | 
It takes a lot of time and effort to stay up on the latest vulnerabilities, attacks, and tools. Often, we in the security field rely on tools to automate parts of a vulnerability assessment or penetration test, but our testing should never rely only on the tools. If all we ran were some tools and blindly trusted their output, then we would be no better than your average script kiddie.
State Of Cybercrime Legislation Around The World
Commentary  |  9/13/2010  | 
The main problem with international law enforcement on cybercrime is that even with efforts by the FBI and others, international communication between different agencies around the world is extremely slow.
The DeDupe Performance Boost
Commentary  |  9/10/2010  | 
Deduplication is the elimination of redundant data, typically associated with optimizing storage utilization. I've spent some time lately defending our stance that deduplication in primary storage can be done without a performance penalty. What is not often discussed is that there is also the potential for a performance gain when using deduplication that may outweigh the resource costs associated with the process.
'Virus Crashes Plane' And Poor Safety Protocols
Commentary  |  9/10/2010  | 
Now that people are done making noise about how a "virus crashes a plane," the subject can be discussed reasonably.
What Solid State Storage Form Factor Is Best? Part II
Commentary  |  9/9/2010  | 
As discussed in an earlier entry, there are three basic types of solid state form factors available in the market today: PCIe, as we discussed last entry; Solid State Disks, which we will cover in this entry; and Solid State Appliances, also called Memory Arrays, which we will cover next. We'll conclude this series with a discussion of integration methods that storage vendors are using to implement solid sta
iPhone iOS Devices Jailbroken
Commentary  |  9/9/2010  | 
Hackers are claiming to have uncovered a flaw within iPhone and iPod Touch hardware that will make it easy for users to jailbreak their devices. And, if these reports prove accurate, it'll not be a trivial workaround for Apple to fix.
Authentication A Problem That Needs a Solution -- Yesterday
Commentary  |  9/8/2010  | 
A number of distinct developments brought about the current authentication schemes we see in networks today.
Ownage By USB Keyboard
Commentary  |  9/8/2010  | 
When was the last time Windows asked you for permission before adding your new hardware -- say, a mouse?
Twitter Hit With Another Cross-Site Scripting Vulnerability
Commentary  |  9/7/2010  | 
Over this Labor Day weekend developers at Twitter had to do a bit of additional labor that they should have previously completed - and that's to close a potentially dangerous cross-site scripting (XSS) vulnerability before things slid out of hand.
Are Clouds Real?
Commentary  |  9/7/2010  | 
The theme last week at VMworld was "Virtual Roads, Actual Clouds," which begs the question: are we really at a point that clouds are real? The answer, as always, is "it depends." The determination depends on where you sit and what your angle of view is, but for the most part clouds are more real for more businesses than they ever were.
Seven Features To Look For In Database Assessment Tools
Commentary  |  9/7/2010  | 
As a follow-up to my "Essentials of Database Assessment" post, I want to go over some of the basic features and functions to look for in a database assessment product. Many features differentiate one tool from another, but I'll focus in on the top seven items you should review.
Keep Your Browser Updated
Commentary  |  9/7/2010  | 
During the Labor Day weekend, I got pulled in by friends and relatives (some remotely) to take care of their computer-related problems.
Anticipating The First Car Virus
Commentary  |  9/7/2010  | 
I've been thinking a lot about Intel's acquisition of McAfee, and recently spent the afternoon with the company reviewing its strategy. Intel doesn't want to repeat the mistake made with the PC in regard to malware as we move to more common interfaces, operating systems, and network-connected TVs, appliances, manufacturing equipment, air conditioning and heating systems -- and, yes, automobiles and motorcycles. While a virus or an attack on a PC or server is certainly painful, the same attack on
Apple's Ping Stumble Highlights Systemic Security Problem
Commentary  |  9/4/2010  | 
Within 48 hours of Ping's launch, Apple's foray into music social networks, more than one million users joined. Too bad, like so many other applications and services on the Internet, security was an afterthought, and those users were plagued with spam comments.
vStorage API Spreads Its Wings
Commentary  |  9/2/2010  | 
The goal for VMware is to virtualize as much of the data center as possible. This goal can only be reached by increasing virtual machine (VM) density per physical server. The roadblock to high VM density per host is storage performance and data protection. Much of the focus of VMworld was addressing those issues through more vendors adopting the use of the vStorage API set.
Finding Exposed Devices On Your Network
Commentary  |  9/1/2010  | 
When browsing through SHODAN, it never ceases to amaze me what I can find. How is it that people think it's okay to leave their printers, routers, fiber channel switches, and industrial control systems completely open to the Internet?