Content posted in April 2010
Microsoft Issues Workaround For Serious SharePoint Vulnerability
Commentary  |  4/30/2010  | 
While not a complete patch, the software maker has issued guidance detailing how to mitigate a serious vulnerability that places corporate data at risk of snooping and theft.
Sending Email, Web Security To The Cloud
Commentary  |  4/30/2010  | 
E-mail and Web security outsourcing are gaining more momentum as resource-strapped companies look for ways to tighten their IT belts. IT shops are constantly being asked to do more with less, and it's often security that gets more budget cuts since it's an IT area that doesn't contribute directly to a company making money.
Storage Checkers Vs. Chess
Commentary  |  4/30/2010  | 
Checkers is a two-dimensional game in which all the pieces have the same ability. It's about covering space. Chess is a more complex game in which the pieces have different capabilities and there is one common target: the enemy's king. In storage, some features begin to look like checkers because they have become so commonplace, but when you dig deeper you find that the capabilities of these features vary greatly between vendors.
Al Qaeda Implicated In Cyberattacks
Commentary  |  4/30/2010  | 
Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what real evidence of attribution for Internet attacks looks like, and how many of us jump to conclusions about countries, such as China, without it.
Data Breaches More Costly In U.S. Than Elsewhere
Commentary  |  4/29/2010  | 
Data breaches cost U.S. companies twice as much as they do in other countries, according to a new Ponemon Institute study. Which adds up to twice as many reasons not to get breached!
Fixing Storage Utilization Without A Refresh
Commentary  |  4/29/2010  | 
In the final part of our storage utilization series we address how to improve storage utilization without refreshing the storage itself. This is, unfortunately, the most difficult way to improve storage utilization.
When It Comes To Data Breaches, U.S. Most Costly
Commentary  |  4/28/2010  | 
Research published today shows that the average cost of a data breach, globally, is about $3.43 million per incident and $142 per compromised record. But that's not the entire story.
Microsoft SIR, Dissected
Commentary  |  4/28/2010  | 
Microsoft published Version 8 of its Security Intelligence Report (SIR) this week. The report covers the second half of 2009 and is a massive piece of information with almost 250 pages.
Medical Records Keep Getting Dumped
Commentary  |  4/27/2010  | 
Why were possibly thousands of private patient records found dumped outside the closed offices of a physical therapy center?
Trusting 'Trusted' Sites Again
Commentary  |  4/27/2010  | 
I've been teaching a user security awareness and training course to faculty and staff at our university. One of the great aspects of the class is the discussions that develop out of the participants' questions, like the security of social networks and how to use wireless securely while on the road. Lately, I've been getting one question more and more often: How do I know if a site is safe?
What To Look For In A Primary Storage Refresh
Commentary  |  4/26/2010  | 
In our last entry we covered how the potential to increase storage utilization may help justify a storage refresh. If you are in a position to refresh your primary storage platform or you think the last entry may help you do that a little sooner than normal, what should you be looking for in your next storage platform?
McAfee's Mess, SEC's Sex Problem And What SMBs Can Learn From Each
Commentary  |  4/26/2010  | 
Last week's McAfee release of a virus def file that didn't play well (to say the least!) with Windows XP SP3, along with unrelated revelations about the amount of pornsurfing going on at the SEC offers the chance to think a little bit about each problem -- and what your business has done and can do to avoid getting tagged by similar ones.
How Well Do Hospitals Protect Your Data? Abysmally
Commentary  |  4/24/2010  | 
A just released survey of about 200 compliance executives in hospitals from around the country shows that data breaches and medical identity theft continue to soar.
CSRF Attacks Get New PoC Creation Tool
Commentary  |  4/21/2010  | 
Cross-site request forgery (CSRF) is a powerful attack that can have devastating consequences. It's not a new attack, but new tools are released every year because Web developers don't always write secure code that can prevent these attacks. Often, CSRF vulnerabilities go undetected because automated scanners have difficulty detecting them.
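The defect the blurb describes is a state-changing request that the server accepts on the strength of a session cookie alone, which the browser attaches automatically even when a hostile page submits the form. The following is an added example, not code from the original post or from any PoC tool it mentions: a minimal handler with no CSRF defence next to one that requires a synchronizer token bound to the session with an HMAC. The request shape (a dict with `method`, `cookies` and `form`), the `SERVER_SECRET` value and the handler names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret for the example; a real deployment loads it from
# configuration or a key store, never from source.
SERVER_SECRET = b"example-secret-not-for-production"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token: a random nonce bound to the session via HMAC.

    The server embeds this in the form it renders; a cross-site attacker page
    cannot read it because of the same-origin policy, so it cannot forge it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the token was issued for this exact session and is unmodified."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; also False when the lengths differ.
    return hmac.compare_digest(expected, mac)


def _session_of(request: dict):
    return request.get("cookies", {}).get("session")


def handle_transfer_vulnerable(request: dict):
    """CSRF-vulnerable: trusts the automatically attached session cookie alone."""
    session = _session_of(request)
    if session is None:
        return 401, "not logged in"
    form = request.get("form", {})
    return 200, f"transferred {form.get('amount')} to {form.get('to')} for {session}"


def handle_transfer_hardened(request: dict):
    """Hardened: state change only via POST, and only with a valid session-bound token."""
    if request.get("method") != "POST":
        return 405, "state-changing action must be POSTed"
    session = _session_of(request)
    if session is None:
        return 401, "not logged in"
    form = request.get("form", {})
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')} for {session}"


if __name__ == "__main__":
    # Constructed forged request: the cookie rides along, but no token is present.
    forged = {"method": "POST", "cookies": {"session": "sess-alice"},
              "form": {"to": "mallory", "amount": "1000"}}
    print("vulnerable:", handle_transfer_vulnerable(forged))
    print("hardened:  ", handle_transfer_hardened(forged))
```

The token check is what a black-box scanner struggles to evaluate: the form still "works" for a legitimate browser, and only a request replayed from a different origin without the token reveals whether the server actually enforces it.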
Justifying An Early Storage Refresh
Commentary  |  4/21/2010  | 
Our last entry covered ways to increase storage utilization. There are three options: live with under-utilization (easy but costly), refresh your current storage (easy but potentially expensive), or make what you have more efficient (potentially time consuming but potentially inexpensive). Most data centers have a schedule to refresh their current storage systems at some point in the future. In this ent
Network Solutions Hack Highlights Hosting Risks
Commentary  |  4/20/2010  | 
Website hosting vendor Network Solutions Inc. (NSI) has been forced to cleanse its customer Websites after a few "thousand" sites were attacked after an unspecified number of NSI's shared servers were infiltrated.
PCI: Data Token Alternatives
Commentary  |  4/20/2010  | 
When a merchant cannot -- or will not -- replace credit card numbers with tokens provided by its payment processor, how does it secure its database to be PCI-compliant?
Google Chrome Attracting Hacker Attention
Commentary  |  4/20/2010  | 
The good news: at a recent security conference, Google Chrome got kudos as the hardest browser to hack. The bad news: a new hack is targeting possibly overconfident Chrome users and tagging them with malware.
California Senate Moves On New Data Breach Law
Commentary  |  4/19/2010  | 
With 2003's landmark data breach notification law, SB-1386, California set the tone for the wave of state breach notification laws that would follow. Today, more states have similar laws than don't. Last week, the California Senate approved SB-1166 which aims to add more detail to the existing law.
Log Review Checklist For Responders Under Fire
Commentary  |  4/19/2010  | 
Checklists are one of the most important things for first responders to have access to when responding to an incident. The reasons are many, and most of them come back to the human nature of the first responder. Incident response imposes a lot of stress on an individual, whether from management or from the sheer criticality of the potentially hacked resource, and it is easy to miss a step or remember a command incorrectly when under fire.
Increasing Storage Utilization Rates
Commentary  |  4/19/2010  | 
In a recent entry, John Foley discusses some of the pros and cons of leveraging cloud computing to increase IT efficiency in the Federal Government. One of the more startling statements is how low storage utilization is. Of course, low utilization is not solely a problem of Federal IT; the private sector has its challenges with storage utilization as well. What can be done to inc
New Full Disclosure, Website Vulnerabilities Database
Commentary  |  4/16/2010  | 
The biggest news in security circles in the past day or so is the new full disclosure site, the Vulnerable Sites DB.
Attacking Electronic Door Access Control Systems
Commentary  |  4/16/2010  | 
A friend recently pointed me to some research he has been doing with embedded door access control systems, as well as some of the vulnerabilities he has uncovered. Some of his findings were recently disclosed at Carolinacon, with more to come during his presentation at Hack in the Box.
Bridging The Gap Between Training And Operations
Commentary  |  4/15/2010  | 
The EDUCAUSE Security Professionals Conference is a great conference for IT staff from higher education to meet and learn about deploying and managing security tools like OSSEC and Bro IDS, hear how others are dealing with compliance issues, and network with other professionals interested in security.
FCoE Poised For Adoption
Commentary  |  4/15/2010  | 
FCoE adoption is getting ready to pick up steam. That's my take from Storage Networking World (SNW). The FCoE sessions and labs seemed well attended. This means that users are getting ready to deploy the technology, and of course, some already have.
Websites Vulnerable To New Clickjacking Techniques
Commentary  |  4/15/2010  | 
At Black Hat Europe, UK-based security researcher Paul Stone has demonstrated new and seemingly powerful attacks that dupe users into activating malicious links on Web sites without their even knowing it.
NSA Director On The Cyber-Counterattack
Commentary  |  4/15/2010  | 
According to an Associated Press report, the director of the National Security Agency told Congress the U.S. should respond in force to computer-based attacks -- even when the attacker is not known. Is that possible, and is it a good idea?
Shrinkage! SMB Security Budget Cuts Could Cost More Than They Save
Commentary  |  4/14/2010  | 
The combination of a lousy economy and an increasingly sophisticated threat environment has resulted in SMB security spending that's flat or shrinking. Just what the crooks are counting on!
BitTorrent Scareware Scam Targets Copyright Pirates
Commentary  |  4/13/2010  | 
A new malware scam is going after pirates, of all people -- preying on file-sharers' copyright violation paranoia.
Nmap Does Much More Than Network Discovery
Commentary  |  4/12/2010  | 
Nmap is among a network penetration tester's best friends, sitting high on a pedestal with the Metasploit Framework. I've been using the tool my entire career for network mapping and host discovery, typically on a weekly basis.
The Best Protocol For The Entry Level SAN
Commentary  |  4/12/2010  | 
When the time comes to select your first shared storage system, or even a second, one of the key points of debate is going to be what protocol you should use for it. The choices today can be somewhat staggering. At a minimum there is Fibre Channel, iSCSI and the NAS protocols CIFS and NFS, but there are also several new protocols that you may want to explore.
Big Patch Tuesday On Way
Commentary  |  4/12/2010  | 
Tomorrow, Microsoft will patch 25 flaws in its operating system, e-mail software, and Office. For its part, Adobe will release a security update for Acrobat and Reader and provide a new way for its customers to receive updates.
Serious Java Flaw Surfaces
Commentary  |  4/10/2010  | 
All current versions of Windows are open to attack thanks to a flaw within the Java Web Start framework. Two security researchers announced the flaw just yesterday. The flaw could lead, through very rudimentary Web attacks, to full compromise of attacked systems.
Stop Counting Bots
Commentary  |  4/9/2010  | 
How many bots are on the Internet, and why should we care? This is an argument I've been making since the late 1990s, and it is high time I got it in writing outside of closed circles.
The Perfect Entry Level SAN
Commentary  |  4/9/2010  | 
At each Storage Networking World (SNW) there are more than a few vendors I meet with that are trying to address the first-time SAN buyer. I expect that this year will be no different. In fact, given the economy, there may be more than ever. There are a few observations I have made about what makes a successful entry level SAN beyond the givens of easy and affordable.
Tax Time Is Hacks Time -- Time To Be Wary!
Commentary  |  4/8/2010  | 
Over the next week or so as you, and, odds are, more than a few others in your workplace are scrambling to make the April 15th deadline, bear in mind that there are plenty of scams hoping to catch and bilk you mid-scramble.
In SSL We Trust? Not Lately
Commentary  |  4/7/2010  | 
In the past two weeks we have seen multiple problems with SSL, which is used in our Web browsers to protect the privacy and integrity of our electronic transactions.
PCI Database Security Primer
Commentary  |  4/6/2010  | 
I have written a lot about compliance in the past three months, but most of the guidance has been generic. Now I want to talk about database security specifically in relation to the Payment Card Industry (PCI) Data Security Standard, and consider compliance more from an architectural standpoint as opposed to a tools- or policy-based perspective.
What Is Zero Detect?
Commentary  |  4/6/2010  | 
There is a term you are going to start hearing more of in storage circles: zero detect. Some storage systems that offer thin provisioning are adding the ability to detect areas of a volume that have been zeroed out so they can reclaim that space and use it elsewhere. Zero detect becomes a critical component as we advance the capabilities of thin provisioning.
iPad Hacked, Jailbroken
Commentary  |  4/5/2010  | 
Unless you've been disconnected from the Internet, TV, and the free world, you know that Apple released the iPad. It only took about a day for a well-known iPhone OS hacking group -- the iPhone Dev Team -- to jailbreak the device using an unpatched security flaw.
Conficker Dead -- Long Live Conficker
Commentary  |  4/5/2010  | 
Whether or not the Conficker worm is essentially dead, just lying low or somewhere in-between, the lessons of the massive botnet are likely to live on for a long time. Bad news is that there are lessons learned by the botnet makers, too.
Share -- Or Keep Getting Pwned
Commentary  |  4/2/2010  | 
Forget the bad guys: Sometimes it seems like the security industry doesn't trust itself. There's too much internal hoarding of intelligence for privacy or competitive reasons and too little sharing of information among researchers, victims, and law enforcement about real attacks. All this does is give the cybercriminals an edge.
Password Brute Forcing Tool Gets Major Update
Commentary  |  4/2/2010  | 
Brute-force password guessing attacks are very common. If you operate a publicly accessible SSH server, then you know firsthand just how common it is with constant poking for weak passwords on accounts like root, admin, and test. When the attackers do find a weak password and gain access, they will typically download their tools and start scanning for more weak passwords from the newly compromised server.
Breaking The Capacity Addiction
Commentary  |  4/1/2010  | 
One of the complaints I hear about the new Apple iPad is that it does not have enough storage capacity, with high end units only offering 64GB of storage. As a storage guy from the 5MB hard drive days, this reaction sometimes makes me shake my head in dismay.