News & Commentary
Content posted in February 2009
|
Oracle Patches Get Bad Rap
On the surface, a recently published survey by the Independent Oracle Users Group (IOUG) bears some seemingly frightening numbers. According to the study, which was conducted during the middle of 2008, 26 percent of 150 respondents admitted that their respective companies require the quarterly Oracle patches to be applied upon release. Nineteen percent said their companies don't have any policies at all
Few Oracle Customers Have Official Database Patching Policies
Joint survey by the Independent Oracle User Group and Oracle finds database patching practices weak
Obama's Intelligence Chief: NSA Should Have Wider Role In Cybersecurity
Director of National Intelligence Dennis Blair tells House committee that the National Security Agency has the expertise, but must win public's trust
6 Tips For Doing More Security With Less
Security ranks as a top priority in many IT budgets, but this year the money may not be there for many organizations -- here's how to get creative
FTC Report: Identity Theft Remains Consumers' No. 1 Fraud Complaint
Number of identity theft complaints rose 20 percent from 2007 to 2008
Mandiant Appliance Accelerates Incident Response
MIR gets to the heart of system compromises, but its forensic tools are limited.
Proving The ROI
With budgets and IT staff stretched to thinner levels than ever, change is going to come slowly this year and proving the ROI of each project is going to be critical not only to enable the approval of the next project, but possibly to keep your job.
PCI Compliance Questions? You're Hardly Alone.
The more companies breached, the likelier we are to hear more clamor for for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.
Better Storage Practices To Improve Backup
Backup is the thorn in the side of many otherwise smoothly running IT operations. There is probably little coincidence that the newest hire is almost always assigned the backup process or the ramification for missing the assignments meeting. The truth is that backup should be simple -- all you're doing is copying data to tape. The problem in general has nothing to do with the backup process, it has more to do with how primary storage is managed and optimized.
Heartland CEO Provides More Details On Big Data Breach
Heartland chairman and CEO Bob Carr talks about breach during quarterly earnings call
Report: More Than 500,000 Websites Hit By New Form Of SQL Injection In '08
New Web breach incident report finds the bad guys deploying more automated attacks, targeting customers rather than data on sites
IR/Forensic Favorites Get Streamlined
A couple of my favorite incident response and forensic tools were recently updated with some great new features to help streamline their use. The first two tools are from Mandiant and work hand-in-hand, Memoryze and Audit Viewer. If you've not used Memoryze yet, it deserves your attention. I've found it to be extremely useful in incident response situations dealing with malware.
MessageLabs: Recession Spam Volume Shows No Recession In Spam
Spam subject lines reflect public concerns, curiosities, interests -- and fears, as the surge in recession-oriented spam shows. This latest surge includes a tricky search engine link tactic that you need to be aware of.
Consumer Password Status Quo
So what's it going to take for consumers to take security seriously? Apparently a lot more than the nearly 10 million cases of identity fraud and massive breaches at their favorite discount retail chains. If they haven't already had their credit card accounts compromised, most everyone knows of someone who has. But apparently that's not incentive enough for them to
Microsoft Warns Of Zero-Day Excel Exploit
The vulnerability in Excel could allow an attacker to execute malicious code, if a user opens a specially crafted Excel file.
Poker: The New Game In Secure Application Development
Researchers develop a poker-like risk management system to help software developers identify potential flaws in their code before they write it; Red Hat's IT group one of the first to test tool
SSLStrip Hacking Tool Released
Black Hat DC researcher's SSL man-in-the-middle attack tool now available
IT Security Remains Top Government CIO Priority
Those surveyed by TechAmerica say they'd also put IT infrastructure and management at the top of the list, including improvements in governance and standardization.
Breach! More Payment Processor Problems
The news of another -- another! -- payment processor data breach makes it clear that the crooks have selected processing companies as the battleground of choice in their efforts to grab your customers' credit card information.
Terminated Employees Take Company Data With Them
Nearly 60 percent of departing employees make off with sensitive company information, study says
Tool Validation: Trust, But Verify
I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools befor
Banks, Credit Card Firms Wait For The Other Shoe To Drop Amid Reports Of Another Payment Processor Breach
Hack of a second U.S.-based payment processing firm exposes accounts used in Internet, phone transactions, according to credit union alerts
Top 20 Cybersecurity Defenses Proposed
The government-private organization guidelines are expected to become baseline best practices for computer security.
Layoffs: Close Security Doors Before Showing Employees The Exit Door
Security and system access issues must be addressed long before pink slips are distributed. Some observers, in fact, view laid off employees as one of the biggest network and data security threats your company will face.
TCG Drive Encryption Goes Mainstream
The Trusted Computing Group's newly released specifications for the management of hard drive encryption are now being adopted by a number of vendors -- Seagate arguably the most prominent, but also including Fujitsu, Toshiba, Hitachi, Wave Systems, CryptoMill, WinMagic, Secude, and McAfee.
WinFE: Windows Bootable Forensic CD
I've been using the Helix incident response and forensics LiveCD since it was first created. It has been an invaluable tool, but sometimes it falls short on hardware support for various SATA/SAS and RAID controllers. In those situations, creating a forensic image came down to a "best effort" exercise during which I did my best to prevent modification to the original evidence while still getting an image I could analyze later. WinFE is here to help.
Adobe Warns Of Critical Vulnerability In Acrobat, Reader
Users are advised to disable JavaScript until Adobe releases a patch, which may not occur for more than two weeks.
New XSS Attack Builds An Anonymous Network
Black Hat DC researchers demonstrate new cross-site scripting browser hack that lets attackers retrieve data without a trace
'Sexy View' Malware Targets Symbian
The worm targets Symbian OS S60 3rd Edition handsets, and it can send a user's contacts, phone number, and other sensitive information to a remote server.
Zero-Day Attack On Adobe Acrobat And Reader Under Way, But Patch Is Weeks Away
Disable JavaScript in Reader, security experts say
Disaster Recovery: Got A Plan? Know Where It Is?
Do you have a formal, written disaster recovery plan? Do you know where it is? Just as important, do others know where it is in case something happens to you?
Romanian Hacker Cracks Symantec, International Herald Tribune
Unu claims SQL injection flaws in sites operated by Symantec, New York Times
Black Hat: Google Gears Offline Data Vulnerable
Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.
Black Hat: Security Pro Shows How To Bypass SSL
Moxie Marlinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.
Kaminsky Calls For DNSSEC Adoption
Researcher who discovered big DNS vulnerability gets behind DNSSEC, points out steps needed to implement it
CAPTCHA Cnondrum: Automated Attacks Trump Human-Entry Defenses
Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.
How Metasploit Turned The Tables On Its DDoS Attackers
An inside look at how Metasploit creator HD Moore battled the botnet that flooded Metasploit servers for nearly one week
Forensic Science System In U.S. Needs Overhaul
Digital evidence examiners have no agreed-upon certification program or list of qualifications, in addition to other issues, a report to Congress points out.
Microsoft Internet Explorer 7 Vulnerability Being Exploited
Cyber criminals are using a malicious Microsoft Word file distributed through spam to attack an exploit Microsoft patched last week.
Conficker's Three-Way Knockout
Malware analysis is a highlight of what I do, but it's not something I get to do on a weekly basis. The cases I deal with are a bit sporadic and clustered, showing an obvious ebb and flow based on current trends. This is one of those heavy times, thanks to Conficker and its friends.
Sun Delivers Open Source Protocol For Encrypted Devices
The communications protocol aims to help Sun's users and business partners more flexibly handle encryption keys while sidestepping costly licensing fees.
Online Scam In Utah Nets $2.5 Million For Fraudsters
Attackers successfully submit fake invoices to university -- and get paid
About-Facebook: Zuckerberg Relents On Privacy Rules
Social networking site's CEO reverses course on new polices that drew fire from users.
Black Hat DC: U.S. Must Consider Impact Of 'Militarization' Of Cyberspace
Homeland security and cybersecurity expert Paul Kurtz calls for public debate on cyberweapons, cyberattack response, and the role of the intelligence community
Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)
Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?
Cisco Adds Security Apps To Home Wireless Routers
The hardware includes an antivirus application and can provide reports on user control violations.
Smartphone Threats Intensify
Enterprise data at risk, according to new McAfee report, which shows mobile device manufacturers seeing more malware attacks than ever before
Three Arrested For Using Stolen Heartland Credit Card Numbers
Heartland Payment Systems, which handles about 100 million payment transactions per month, reported in January that its network was compromised by malware in 2008.
Wyndham Hotels Hack Exposes Guest Names, Credit Cards
State Attorney General of Florida warns residents whose accounts may have been compromised to keep an eye on their credit reports for suspicious activity
Busted: 3 Myths About Stealing Identify From Electronic Tax Returns
No one (accountants excepted) looks forward to the quarterly and annual scrambles to pay taxes. And though electronic filing has made the process easier, it creates an opening for identify theft that could put you and your business at risk.
|
White Papers
Video
0 Comments
Current Issue
Flash Poll
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2011-2765
PUBLISHED: 2018-08-20
PUBLISHED: 2018-08-20
PUBLISHED: 2018-08-20
PUBLISHED: 2018-08-20
PUBLISHED: 2018-08-20
From DHS/US-CERT's National Vulnerability Database CVE-2011-2765
PUBLISHED: 2018-08-20
pyro before 3.15 unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.
CVE-2018-15594PUBLISHED: 2018-08-20
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests.
CVE-2018-15572PUBLISHED: 2018-08-20
The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.
CVE-2018-15573PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf...
CVE-2018-15574PUBLISHED: 2018-08-20
** DISPUTED ** An issue was discovered in the license editor in Reprise License Manager (RLM) through 12.2BL2. It is a cross-site scripting vulnerability in the /goform/edit_lf_get_data lf parameter via GET or POST. NOTE: the vendor has stated "We do not consider this a vulnerability."
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This