When browsing through SHODAN, it never ceases to amaze me what I can find. How is it that people think it's okay to leave their printers, routers, fiber channel switches, and industrial control systems completely open to the Internet?
Continue reading "Finding Exposed Devices On Your Network..."
The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.
Continue reading "The Essentials Of Database Assessment..."
The lack of follow-through and belief in any type of lifecycle for security is one that really bothers me when working with clients who are looking only to meet the minimum compliance requirements.
Continue reading "Make Security About Security, Not Compliance..."
Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?
Continue reading "Are We Missing the Point?..."
Penetration testing is a tightrope act where you balance existing knowledge with a mixture of freshly released and zero-day knowledge. As a penetration tester, I often hear the argument that zero-day attacks do not belong in a test, that there is no time to prepare for them, so of course the target will be compromised. But I have the exact opposite philosophy: zero-day testing should occur to gauge an organization's response to such an attack. If mitigating controls are in place, an unknown attack should gain some level of access -- but not compromise the entire organization. This is the real value of penetration testing.
Continue reading "The Case For Zero-Day Penetration Testing..."
After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.
Continue reading "Choosing The Right Firewall For Your Small Business..."
When it comes to emerging platforms like smartphones, tablets, and embedded networked systems, the old model of separate antivirus security companies is officially dead. And Intel's purchase of McAfee puts a stake in it.
Continue reading "Intel Buys McAfee: Is The PC Security Model Dead?..."
I'll admit that I've been having a lot of fun with the VxWorks vulnerabilities lately, but it's important to step back and look at our networks to see what other devices could be sitting there waiting to be the next harbingers of doom.
Continue reading "Embedded Systems Can Mean Embedded Vulnerabilities..."
Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.
Continue reading "Database Threat Modeling And Strip Poker..."
Facebook users are proving to be easy prey for the current wave of survey scammers.
Continue reading "Fake Facebook Dislike Button Latest In A Long Line Of Survey Scams..."
APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerability these threats compromise is the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.
Continue reading "Advanced Persistent Threat: The Insider Threat..."
The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.
Continue reading "Gaining A Foothold By Exploiting VxWorks Vulns..."
Who hasn't yet seen the "Girl quits her job on dry erase board, emails entire office" meme? It hit the Net like a hurricane, and I liked it immediately. In fact, fake or not -- I still do. What can we learn from it?
Continue reading "Girl Quits Job! Oh, What A Meme..."
When I first saw the F-Secure blog post on installing Microsoft's fix for the LNK vulnerability on a Windows XP SP2 host, I couldn't help but ask, "Why?" Seriously. Why would anyone running a Windows XP host not be running with the latest service pack and security updates? And then it hit me.
Continue reading "Protecting Your Network From The Unpatchable..."
In Esteban Martinez Fayo's "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple weeks ago, he used several exploit methods that could be used to disable Oracle Data Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implemented all of Oracle Database Vault's functions.
Continue reading "How To Protect Oracle Database Vault..."
Of the handset choices that are sold broadly on the market, the BlackBerry platform is the most inherently secure. To appeal to the business market it targets, it had to be better than any other handset or mobile solutions vendor. But with Saudi Arabia blocking the service and other countries expected to follow -- coupled with mistakes on its new flagship BlackBerry Torch -- RIM could be on the brink of a Palm-like failure.
Continue reading "How RIM Could Fail..."
Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.
Continue reading "Yet Another Facebook Malware Evolution..."
Today Dark Reading launches a new feature: the Authentication Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of authentication and certification of end user access.
Continue reading "Dark Reading Launches New Tech Center On Authentication..."
"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications of visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.
Continue reading "Data Visualization For Faster, More Effective Pen Testing..."
I attended several great presentations during last week's BSides and Defcon. HD's VxWorks, egyp7's phpterpreter, and David Kennedy's SET talks were a few of my favorites, with great content and demos, but one that I found especially refreshing and fun was Jayson Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering."
Continue reading "Using The 36 Stratagems For Social Engineering..."
If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.
Continue reading "VxWorks Vulnerability Tools Released..."
Social engineering has always been a penetration tester's (and hacker's) most effective tool. I would say it's their best weapon, but not everyone is good at the softer, human side of social engineering. However, when it comes to the technical side, the tools are getting better and better, including the latest version of the Social Engineering Toolkit released at BSides Las Vegas on Wednesday.
Continue reading "Real-World Attacks With Social Engineering Toolkit..."
Regardless of their size, many SMBs still need to meet strict compliance regulations, such as PCI and HIPAA. In addition to any special requirements, there are a few security technologies every small business should have in place. Here are my four SMB security must-haves.
Continue reading "Four Must-Have SMB Security Tools..."
Here at SophosLabs we've been working out the best way to protect computer users against the zero-day flaw that has hit all versions of Windows.
Continue reading "Block Windows Shortcut Exploit Without Losing Your Shortcut Icons..."
A week ago Visa released a set of best practices and recommendations for tokenization. Unfortunately, "best practices" leaves plenty of room for poor implementations.
Continue reading "What You Should Know About Tokenization..."