DarkReading Weblog

Authentication A Problem That Needs a Solution -- Yesterday

Wed, 08 Sep 2010 16:35:35 -0500

A number of distinct developments brought about the current authentication schemes we see in networks today.

Ownage By USB Keyboard

Wed, 08 Sep 2010 07:29:52 -0500

When was the last time Windows asked you for permission before adding your new hardware -- say, a mouse?

Seven Features To Look For In Database Assessment Tools

Tue, 07 Sep 2010 09:59:32 -0500

As a follow-up to my "Essentials of Database Assessment" post, I want to go over some of the basic features and functions to look for in a database assessment product. Many features differentiate one tool from another, but I'll focus in on the top seven items you should review.

Keep Your Browser Updated

Tue, 07 Sep 2010 09:55:38 -0500

During the Labor Day weekend, I got pulled in by friends and relatives (some remotely) to take care of their computer-related problems.

Anticipating The First Car Virus

Tue, 07 Sep 2010 08:00:02 -0500

I've been thinking a lot about Intel's acquisition of McAfee, and recently spent the afternoon with the company reviewing its strategy. Intel doesn't want to repeat the mistake made with the PC in regard to malware as we move to more common interfaces, operating systems, and network-connected TVs, appliances, manufacturing equipment, air conditioning and heating systems -- and, yes, automobiles and motorcycles. While a virus or an attack on a PC or server is certainly painful, the same attack on a plane or motor vehicle could be deadly.

Finding Exposed Devices On Your Network

Wed, 01 Sep 2010 08:30:00 -0500

When browsing through SHODAN, it never ceases to amaze me what I can find. How is it that people think it's okay to leave their printers, routers, fiber channel switches, and industrial control systems completely open to the Internet?

The Essentials Of Database Assessment

Mon, 30 Aug 2010 22:22:27 -0500

The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.

Make Security About Security, Not Compliance

Mon, 30 Aug 2010 09:56:13 -0500

The lack of follow-through and belief in any type of lifecycle for security is one that really bothers me when working with clients who are looking only to meet the minimum compliance requirements.

Are We Missing the Point?

Sun, 29 Aug 2010 18:20:55 -0500

Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?

The Case For Zero-Day Penetration Testing

Thu, 26 Aug 2010 15:27:45 -0500

Penetration testing is a tightrope act where you balance existing knowledge with a mixture of freshly released- and zero-day knowledge. As a penetration tester, I often hear the argument that zero-day attacks do not belong in a test, that there is no time to prepare for them, so of course the target will be compromised. But I have the exact opposite philosophy: zero-day testing should occur to gauge an organization's response to such an attack. If mitigating controls are in place, an unknown attack should gain some level of access -- but not compromise the entire organization. This is the real value of penetration testing.

Choosing The Right Firewall For Your Small Business

Sat, 21 Aug 2010 17:56:19 -0500

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.

Intel Buys McAfee: Is The PC Security Model Dead?

Fri, 20 Aug 2010 14:31:40 -0500

When it comes to emerging platforms like smartphones, tablets, and embedded networked systems, the old model of separate antivirus security companies is officially dead. And Intel's purchase of McAfee puts a stake in it.

Embedded Systems Can Mean Embedded Vulnerabilities

Wed, 18 Aug 2010 13:25:06 -0500

I'll admit that I've been having a lot of fun with the VxWorks vulnerabilities lately, but it's important to step back and look at our networks to see what other devices could be sitting there waiting to be the next harbingers of doom.

Database Threat Modeling And Strip Poker

Tue, 17 Aug 2010 09:52:12 -0500

Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.

Fake Facebook Dislike Button Latest In A Long Line Of Survey Scams

Tue, 17 Aug 2010 06:45:29 -0500

Facebook users are proving to be easy prey for the current wave of survey scammers.

Advanced Persistent Threat: The Insider Threat

Mon, 16 Aug 2010 12:37:22 -0500

APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerabilities these threats compromises are the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.

Gaining A Foothold By Exploiting VxWorks Vulns

Fri, 13 Aug 2010 09:49:26 -0500

The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.

Girl Quits Job! Oh, What A Meme

Wed, 11 Aug 2010 19:36:13 -0500

Who hasn't yet seen the "Girl quits her job on dry erase board, emails entire office" meme? It hit the Net like an hurricane, and I liked it immediately. In fact, fake or not -- I still do. What can we learn from it?

Protecting Your Network From The Unpatchable

Tue, 10 Aug 2010 16:49:05 -0500

When I first saw the F-Secure blog post on installing Microsoft's fix for the LNK vulnerability on a Windows XP SP2 host, I couldn't help but ask, "Why?" Seriously. Why would anyone running a Windows XP host not be running with the latest service pack and security updates? And then it hit me.

How To Protect Oracle Database Vault

Mon, 09 Aug 2010 19:30:05 -0500

In Esteban Martinez Fayo's "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple weeks ago, he used several exploit methods that could be used to disable Oracle Data Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implemented all Oracle Database Vaults functions.

How RIM Could Fail

Mon, 09 Aug 2010 13:16:43 -0500

Of the handset choices that are sold broadly on the market, the BlackBerry platform is the most inherently secure. To appeal to the business market it targets, it had to be better than any other handset or mobile solutions vendor. But with Saudi Arabia blocking the service and other countries expected to follow -- coupled with mistakes on its new flagship Blackberry Torch -- RIM could be on the brink of a Palm-like failure.

Yet Another Facebook Malware Evolution

Mon, 09 Aug 2010 06:43:15 -0500

Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.

Dark Reading Launches New Tech Center On Authentication

Sun, 08 Aug 2010 14:27:38 -0500

Today Dark Reading launches a new feature: the Authentication Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of authentication and certification of end user access.

Data Visualization For Faster, More Effective Pen Testing

Thu, 05 Aug 2010 15:03:43 -0500

"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.

Using The 36 Stratagems For Social Engineering

Tue, 03 Aug 2010 06:33:26 -0500

I attended several great presentations during last week's BSides and Defcon. HD's VxWorks, egyp7's phpterpreter, and David Kennedy's SET talks were a few of my favorites, with great content and demos, but one that I found especially refreshing and fun was Jayson Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering."