News & Commentary

Content posted in February 2009
Oracle Patches Get Bad Rap
Commentary  |  2/27/2009  | 
On the surface, a recently published survey by the Independent Oracle Users Group (IOUG) bears some seemingly frightening numbers. According to the study, which was conducted during the middle of 2008, 26 percent of 150 respondents admitted that their respective companies require the quarterly Oracle patches to be applied upon release. Nineteen percent said their companies don't have any policies at all
Few Oracle Customers Have Official Database Patching Policies
News  |  2/27/2009  | 
Joint survey by the Independent Oracle User Group and Oracle finds database patching practices weak
Obama's Intelligence Chief: NSA Should Have Wider Role In Cybersecurity
Quick Hits  |  2/27/2009  | 
Director of National Intelligence Dennis Blair tells House committee that the National Security Agency has the expertise, but must win public's trust
6 Tips For Doing More Security With Less
News  |  2/26/2009  | 
Security ranks as a top priority in many IT budgets, but this year the money may not be there for many organizations -- here's how to get creative
FTC Report: Identity Theft Remains Consumers' No. 1 Fraud Complaint
Quick Hits  |  2/26/2009  | 
Number of identity theft complaints rose 20 percent from 2007 to 2008
Mandiant Appliance Accelerates Incident Response
News  |  2/26/2009  | 
MIR gets to the heart of system compromises, but its forensic tools are limited.
Proving The ROI
Commentary  |  2/26/2009  | 
With budgets and IT staff stretched to thinner levels than ever, change is going to come slowly this year and proving the ROI of each project is going to be critical not only to enable the approval of the next project, but possibly to keep your job.
PCI Compliance Questions? You're Hardly Alone.
Commentary  |  2/26/2009  | 
The more companies breached, the likelier we are to hear more clamor for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.
Better Storage Practices To Improve Backup
Commentary  |  2/25/2009  | 
Backup is the thorn in the side of many otherwise smoothly running IT operations. There is probably little coincidence that the newest hire is almost always assigned the backup process or the ramification for missing the assignments meeting. The truth is that backup should be simple -- all you're doing is copying data to tape. The problem in general has nothing to do with the backup process, it has more to do with how primary storage is managed and optimized.
Heartland CEO Provides More Details On Big Data Breach
Quick Hits  |  2/25/2009  | 
Heartland chairman and CEO Bob Carr talks about breach during quarterly earnings call
Report: More Than 500,000 Websites Hit By New Form Of SQL Injection In '08
News  |  2/25/2009  | 
New Web breach incident report finds the bad guys deploying more automated attacks, targeting customers rather than data on sites
IR/Forensic Favorites Get Streamlined
Commentary  |  2/25/2009  | 
A couple of my favorite incident response and forensic tools were recently updated with some great new features to help streamline their use. The first two tools are from Mandiant and work hand-in-hand, Memoryze and Audit Viewer. If you've not used Memoryze yet, it deserves your attention. I've found it to be extremely useful in incident response situations dealing with malware.
MessageLabs: Recession Spam Volume Shows No Recession In Spam
Commentary  |  2/25/2009  | 
Spam subject lines reflect public concerns, curiosities, interests -- and fears, as the surge in recession-oriented spam shows. This latest surge includes a tricky search engine link tactic that you need to be aware of.
Consumer Password Status Quo
Commentary  |  2/24/2009  | 
So what's it going to take for consumers to take security seriously? Apparently a lot more than the nearly 10 million cases of identity fraud and massive breaches at their favorite discount retail chains. If they haven't already had their credit card accounts compromised, most everyone knows of someone who has. But apparently that's not incentive enough for them to
Microsoft Warns Of Zero-Day Excel Exploit
News  |  2/24/2009  | 
The vulnerability in Excel could allow an attacker to execute malicious code, if a user opens a specially crafted Excel file.
Poker: The New Game In Secure Application Development
News  |  2/24/2009  | 
Researchers develop a poker-like risk management system to help software developers identify potential flaws in their code before they write it; Red Hat's IT group one of the first to test tool
SSLStrip Hacking Tool Released
Quick Hits  |  2/24/2009  | 
Black Hat DC researcher's SSL man-in-the-middle attack tool now available
IT Security Remains Top Government CIO Priority
News  |  2/24/2009  | 
Those surveyed by TechAmerica say they'd also put IT infrastructure and management at the top of the list, including improvements in governance and standardization.
Breach! More Payment Processor Problems
Commentary  |  2/24/2009  | 
The news of another -- another! -- payment processor data breach makes it clear that the crooks have selected processing companies as the battleground of choice in their efforts to grab your customers' credit card information.
Terminated Employees Take Company Data With Them
News  |  2/23/2009  | 
Nearly 60 percent of departing employees make off with sensitive company information, study says
Tool Validation: Trust, But Verify
Commentary  |  2/23/2009  | 
I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools befor
Banks, Credit Card Firms Wait For The Other Shoe To Drop Amid Reports Of Another Payment Processor Breach
News  |  2/23/2009  | 
Hack of a second U.S.-based payment processing firm exposes accounts used in Internet, phone transactions, according to credit union alerts
Top 20 Cybersecurity Defenses Proposed
News  |  2/23/2009  | 
The government-private organization guidelines are expected to become baseline best practices for computer security.
Layoffs: Close Security Doors Before Showing Employees The Exit Door
Commentary  |  2/23/2009  | 
Security and system access issues must be addressed long before pink slips are distributed. Some observers, in fact, view laid off employees as one of the biggest network and data security threats your company will face.
TCG Drive Encryption Goes Mainstream
Commentary  |  2/20/2009  | 
The Trusted Computing Group's newly released specifications for the management of hard drive encryption are now being adopted by a number of vendors -- Seagate arguably the most prominent, but also including Fujitsu, Toshiba, Hitachi, Wave Systems, CryptoMill, WinMagic, Secude, and McAfee.
WinFE: Windows Bootable Forensic CD
Commentary  |  2/20/2009  | 
I've been using the Helix incident response and forensics LiveCD since it was first created. It has been an invaluable tool, but sometimes it falls short on hardware support for various SATA/SAS and RAID controllers. In those situations, creating a forensic image came down to a "best effort" exercise during which I did my best to prevent modification to the original evidence while still getting an image I could analyze later. WinFE is here to help.
Adobe Warns Of Critical Vulnerability In Acrobat, Reader
News  |  2/20/2009  | 
Users are advised to disable JavaScript until Adobe releases a patch, which may not occur for more than two weeks.
New XSS Attack Builds An Anonymous Network
News  |  2/20/2009  | 
Black Hat DC researchers demonstrate new cross-site scripting browser hack that lets attackers retrieve data without a trace
'Sexy View' Malware Targets Symbian
News  |  2/20/2009  | 
The worm targets Symbian OS S60 3rd Edition handsets, and it can send a user's contacts, phone number, and other sensitive information to a remote server.
Zero-Day Attack On Adobe Acrobat And Reader Under Way, But Patch Is Weeks Away
Quick Hits  |  2/20/2009  | 
Disable JavaScript in Reader, security experts say
Disaster Recovery: Got A Plan? Know Where It Is?
Commentary  |  2/20/2009  | 
Do you have a formal, written disaster recovery plan? Do you know where it is? Just as important, do others know where it is in case something happens to you?
Romanian Hacker Cracks Symantec, International Herald Tribune
Quick Hits  |  2/19/2009  | 
Unu claims SQL injection flaws in sites operated by Symantec, New York Times
Black Hat: Google Gears Offline Data Vulnerable
News  |  2/19/2009  | 
Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.
Black Hat: Security Pro Shows How To Bypass SSL
News  |  2/19/2009  | 
Moxie Marlinspike captured 16 credit card numbers, seven PayPal logins, and 300 other miscellaneous secure login sessions in only 24 hours.
Kaminsky Calls For DNSSEC Adoption
News  |  2/19/2009  | 
Researcher who discovered big DNS vulnerability gets behind DNSSEC, points out steps needed to implement it
CAPTCHA Conundrum: Automated Attacks Trump Human-Entry Defenses
Commentary  |  2/19/2009  | 
Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.
How Metasploit Turned The Tables On Its DDoS Attackers
News  |  2/18/2009  | 
An inside look at how Metasploit creator HD Moore battled the botnet that flooded Metasploit servers for nearly one week
Forensic Science System In U.S. Needs Overhaul
News  |  2/18/2009  | 
Digital evidence examiners have no agreed-upon certification program or list of qualifications, in addition to other issues, a report to Congress points out.
Microsoft Internet Explorer 7 Vulnerability Being Exploited
News  |  2/18/2009  | 
Cyber criminals are using a malicious Microsoft Word file distributed through spam to exploit a vulnerability Microsoft patched last week.
Conficker's Three-Way Knockout
Commentary  |  2/18/2009  | 
Malware analysis is a highlight of what I do, but it's not something I get to do on a weekly basis. The cases I deal with are a bit sporadic and clustered, showing an obvious ebb and flow based on current trends. This is one of those heavy times, thanks to Conficker and its friends.
Sun Delivers Open Source Protocol For Encrypted Devices
News  |  2/18/2009  | 
The communications protocol aims to help Sun's users and business partners more flexibly handle encryption keys while sidestepping costly licensing fees.
Online Scam In Utah Nets $2.5 Million For Fraudsters
Quick Hits  |  2/18/2009  | 
Attackers successfully submit fake invoices to university -- and get paid
About-Facebook: Zuckerberg Relents On Privacy Rules
News  |  2/18/2009  | 
Social networking site's CEO reverses course on new policies that drew fire from users.
Black Hat DC: U.S. Must Consider Impact Of 'Militarization' Of Cyberspace
News  |  2/18/2009  | 
Homeland security and cybersecurity expert Paul Kurtz calls for public debate on cyberweapons, cyberattack response, and the role of the intelligence community
Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)
Commentary  |  2/18/2009  | 
Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?
Cisco Adds Security Apps To Home Wireless Routers
News  |  2/17/2009  | 
The hardware includes an antivirus application and can provide reports on user control violations.
Smartphone Threats Intensify
News  |  2/17/2009  | 
Enterprise data at risk, according to new McAfee report, which shows mobile device manufacturers seeing more malware attacks than ever before
Three Arrested For Using Stolen Heartland Credit Card Numbers
News  |  2/17/2009  | 
Heartland Payment Systems, which handles about 100 million payment transactions per month, reported in January that its network was compromised by malware in 2008.
Wyndham Hotels Hack Exposes Guest Names, Credit Cards
Quick Hits  |  2/17/2009  | 
State Attorney General of Florida warns residents whose accounts may have been compromised to keep an eye on their credit reports for suspicious activity
Busted: 3 Myths About Stealing Identity From Electronic Tax Returns
Commentary  |  2/17/2009  | 
No one (accountants excepted) looks forward to the quarterly and annual scrambles to pay taxes. And though electronic filing has made the process easier, it creates an opening for identity theft that could put you and your business at risk.