DarkReading CS Island Weblog http://www.darkreading.com/blog/ Copyright 2010 Wed, 17 Feb 2010 22:11:11 -0500

Will Cyber Shockwave Make Some Waves? By Robert Richardson With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

http://www.darkreading.com/blog/archives/2010/02/will_cyber_shoc.html?cid=RSSfeed_DR_ALL CS Island Wed, 17 Feb 2010 22:11:11 -0500
New Flaws Pry Lid Off Cloud Frameworks By Robert Richardson A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.

http://www.darkreading.com/blog/archives/2010/02/outlook_cloudy.html?cid=RSSfeed_DR_ALL CS Island Fri, 05 Feb 2010 12:21:05 -0500
In Support of Poor Ol' Windows Vista By Sara Peters We just released the October issue of the CSI Alert to CSI members, and this month we focus on Windows 7. This issue is, in some ways, a follow-up to last year's issue, "The Fate of the Secure OS," in which I said some nice things about Windows Vista, and advised it would be imprudent to completely ignore Windows Vista -- eyes-closed, fingers-in-ears, chanting I'm-not-listening-I'm-not-listening.

http://www.darkreading.com/blog/archives/2009/10/in_support_of_p.html?cid=RSSfeed_DR_ALL CS Island Tue, 13 Oct 2009 16:49:36 -0500
How Much Would You Pay To Never Have To Store PII? By Sara Peters Imagine a world in which you can do all manner of smooth, rich, user-friendly online commerce with mighty security. You can have complete faith in the validity of customers' login credentials and payment data (thereby reducing fraud costs, for starters). You can protect users' privacy...and never need to worry about securely storing -- or even seeing -- customers' credit card data or other legally protected personally identifiable information. Wait 12 to 18 months, and you might just have that.

http://www.darkreading.com/blog/archives/2009/09/how_much_would.html?cid=RSSfeed_DR_ALL CS Island Wed, 02 Sep 2009 11:09:48 -0500
Who Are These Followers And Followees of the Twitter Botnet? By Sara Peters Social networks really do bring people together, don't they? Old friends. Long-lost relatives. Bots and bot-herders. Warms the heart.

http://www.darkreading.com/blog/archives/2009/08/who_are_these_f.html?cid=RSSfeed_DR_ALL CS Island Mon, 17 Aug 2009 11:01:43 -0500
Black Hat, Day One: Rationalizing And Reinforcing My Pessimistic World View By Sara Peters When I arrived in Las Vegas, I already smoldered and grumbled about the facts that online trust mechanisms are untrustworthy, and that browsers' fundamental weaknesses persist despite the fact that better browsers would make an incalculable impact on overall Web security. Yesterday's sessions simply added more kindling to the fire.

http://www.darkreading.com/blog/archives/2009/07/blackhat_day_on.html?cid=RSSfeed_DR_ALL CS Island Thu, 30 Jul 2009 12:26:20 -0500
UPDATE: BlackHat, Kinda: 'Real' Black Hats Hack Security Experts By Sara Peters The rumor here is that the attacks did indeed happen, but the significance of it is actually quite small--not worth paying attention to, since attention is clearly what the attackers are seeking. More info to come...

BlackHat, Kinda: Yesterday a hacking group released details (http://r00tsecurity.org/files/zf05.txt) of a number of successful attacks they conducted, apparently with the principal purpose of embarrassing some of the security industry's most well-known experts. The group claims that they collected about 75,000 passwords, including those of a few security experts speaking at the BlackHat Briefings today and tomorrow.

"Welcome one and all to the real Black Hat Briefings," reads the site. "Live from the underground, coming right at you free of charge."

http://www.darkreading.com/blog/archives/2009/07/blackhat_kinda.html?cid=RSSfeed_DR_ALL CS Island Wed, 29 Jul 2009 12:23:20 -0500
Kantara Initiative: Another Effort To Get Identity 2.0 Out Of The Gate By Sara Peters We've been saying for a while now that better identity management -- more so than secure Web app coding or even more secure browsers -- could fuel a quantum leap in Web security. The "Identity 2.0" community can be credited with wonderful research and truly significant advancements in identity management technology. In many ways, we're poised for an identity revolution. However, the efforts have been hampered by a lack of public awareness, a lack of interoperable standards, usability concerns, and a fundamental chicken/egg problem.

http://www.darkreading.com/blog/archives/2009/07/kantara_initiat.html?cid=RSSfeed_DR_ALL CS Island Mon, 06 Jul 2009 17:09:50 -0500
EU Group: Social Networks, Third-Party App Developers Subject To EU Privacy Laws By Sara Peters I just took a close look at the Article 29 Data Protection Working Party's opinion report on online social networking. While some of its recommendations are what you'd expect, others came as a surprise.

http://www.darkreading.com/blog/archives/2009/06/eu_group_says_s.html?cid=RSSfeed_DR_ALL CS Island Thu, 25 Jun 2009 13:57:55 -0500
Ruminating on CSI SX By Sara Peters Citizens of the Information Security Nation, to you I say: Classify and inventory your data and assets!

Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.

http://www.darkreading.com/blog/archives/2009/05/ruminating_on_c.html?cid=RSSfeed_DR_ALL CS Island Wed, 20 May 2009 17:11:09 -0500
Tippett To Discuss Verizon Breach Report By Sara Peters Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.

http://www.darkreading.com/blog/archives/2009/05/dr_peter_tippet.html?cid=RSSfeed_DR_ALL CS Island Thu, 14 May 2009 12:47:35 -0500
SIEM Case Study: Israeli E-Government ISP By Sara Peters Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.)

http://www.darkreading.com/blog/archives/2009/05/siem_case_study.html?cid=RSSfeed_DR_ALL CS Island Tue, 12 May 2009 16:04:35 -0500
A Cloud Might Save You Money...But What If The Cloud Goes Broke? By Sara Peters I've been talking quite a bit about whether or not (not) users of cloud services can prove compliance with security, privacy, and e-discovery laws. Now a story from The Register has me thinking about yet another issue -- the inescapable question of a service provider's financial stability.

http://www.darkreading.com/blog/archives/2009/03/a_cloud_might_s.html?cid=RSSfeed_DR_ALL CS Island Wed, 25 Mar 2009 12:29:11 -0500
BBC Responds To Legality Issues Of Recent Tech Show By Sara Peters Yesterday Nick Reynolds of the BBC directed me, as well as many other writers, to the BBC's official response to allegations that its technology show, Click, violated the U.K.'s Computer Misuse Act when it purchased and used a botnet as part of an investigative report into cybercrime.

http://www.darkreading.com/blog/archives/2009/03/bbc_responds_to.html?cid=RSSfeed_DR_ALL CS Island Thu, 19 Mar 2009 13:20:39 -0500
BBC Botnet Experiment IS Illegal, No Matter What They Say By Sara Peters Saturday, "Click"--"the BBC's flagship technology programme"--broadcast an investigative report on cybercrime. The exciting thing about this particular program is that they purchased and used a botnet as part of their investigation. The creators of the program are under the impression that their experiment was perfectly legal, because they had no criminal intent.

They are mistaken.

http://www.darkreading.com/blog/archives/2009/03/bbc_botnet_expe.html?cid=RSSfeed_DR_ALL CS Island Tue, 17 Mar 2009 15:05:21 -0500
See How I Suffer For My Science? By Sara Peters Today I saw two fraudulent charges on my bank account, and a few weeks ago I accidentally wiped off all of the data from my BlackBerry.

Why?

Because I love too much.

http://www.darkreading.com/blog/archives/2009/03/see_how_i_suffe.html?cid=RSSfeed_DR_ALL CS Island Thu, 12 Mar 2009 11:21:40 -0500
Peter Parker's Uncle Ben Would Not Approve By Sara Peters Note to Web browsers: With great power comes great responsibility.

http://www.darkreading.com/blog/archives/2009/03/peter_parkers_u.html?cid=RSSfeed_DR_ALL CS Island Tue, 03 Mar 2009 14:03:35 -0500
Could Slimmer OSes Lead To Better Mobile Device Security? By Sara Peters Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?

http://www.darkreading.com/blog/archives/2009/02/could_slimmer_o.html?cid=RSSfeed_DR_ALL CS Island Tue, 10 Feb 2009 18:15:24 -0500
Can You Vote for Me Now? Estonia First Country to Cast Cell Phone Votes By Kristen Romonovich The Estonian Parliament has passed a law that will allow citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet, which apparently worked seamlessly despite security concerns. (See Sara Peters' coverage of e-voting in Estonia in the November 2005 Alert, Academic Group Publishes Criticisms of e-Voting; membership required.)

http://www.darkreading.com/blog/archives/2008/12/can_you_vote_fo.html?cid=RSSfeed_DR_ALL CS Island Tue, 16 Dec 2008 15:51:53 -0500
Free Software to Protect Virtual Machines in the Cloud: Third Brigade VMware Protection By Kristen Romonovich There are some ways to effectively begin securing your information in the cloud. We’ve recently been pondering whether one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.

http://www.darkreading.com/blog/archives/2008/12/free_software_t.html?cid=RSSfeed_DR_ALL CS Island Thu, 11 Dec 2008 09:38:25 -0500
Were Early Warnings Ignored Prior To Mumbai Attack? By Kristen Romonovich Earlier this week it was implied that early warnings of an Islamic terrorist attack were "lost in the system." At this time, I am not able to find a credible enough source to prove whether this was actually the case, but it is rumored that the warning was specific in that the attack would come from the sea.

http://www.darkreading.com/blog/archives/2008/12/early_warnings.html?cid=RSSfeed_DR_ALL CS Island Wed, 03 Dec 2008 12:57:11 -0500
Sandboxes and Surfing With Google Chrome By Kristen Romonovich Google designed Chrome to be faster, more stable and most importantly, more secure than other Web browsers. So with these features in mind, Google Chrome was built from scratch to be a Web browser designed for today’s web application users. As more businesses venture into the cloud, it’s becoming increasingly important that your browser doesn’t crash when you’re creating reports in Google Docs or when you’re video conferencing. In order to prevent crashes, Google Chrome developers sandboxed each tab, so that if one tab malfunctions, the whole browser doesn’t crash. If one tab does go down, a “sad tab” will appear depicting a ‘sad face’ emoticon.

http://www.darkreading.com/blog/archives/2008/10/blog6.html?cid=RSSfeed_DR_ALL CS Island Mon, 27 Oct 2008 09:00:00 -0500