News & Commentary
Content posted in July 2008
|
Most Security Breaches Go Unreported
An RSA survey found the e-mail-borne malware and phishing that affected 69% of respondents' companies, may not have led to serious consequences in every instance.
Credit Card Compliance And Security: New PCI Information Resource Worth A Visit
How much do you know about your business's compliance and security responsibilities for credit card data and other information involved in the transactions that your bank executes for you? Think compliance is completely the responsibility of the financial institution? Think again.
IBM Bulks Up Data Protection
Vendor aims its Tivoli Storage Manager at Windows-based CDP
Startup Promises More Accurate Fraud Detection
Guardian Analytics's new 'fraud modeling' technology recognizes activity that goes outside user norm
Survey Highlights Telecommuter Troubles
Telecommuting security, privacy risks often put on the back burner, according to a new survey by Ernst & Young
Cisco Won't Buy EMC, Will It?
Analyst Kaushik Roy with Choi and Pacific Growth Equities really stoked the fire of a longstanding rumor (repeat rumor) that Cisco would just love to buy storage king EMC. And while this won't happen, there are kernels of truth in there.
Radware Reveals Critical Vulnerability In Firefox 3
Well, not exactly "critical." But there is a flaw. And there is no patch. And so Radware demonstrates how many security vendors push their gear by spreading fear, uncertainty, and doubt on the user community.
Phishing Kits Widely Compromised To Steal From Phishers
From 21 different distribution sites, the authors of the Usenix Conference paper identified 379 distinct phishing kits, 129 of which contained back doors.
The Reality Of Private Clouds
In his blog "Clouds Are Only in the Sky" yesterday, Richard Martin suggested that a cloud must be on the public Internet for it to truly be a cloud and that if something resembling a cloud is used internally then it must be utility computing. He makes a very good point; however, I respectfully disagree.
Websense Warns: Legit Sites Top Hack Targets
Another midyear security overview is out now, this one from Websense, and if the year-to-date is looking bad, the six months to come are looking worse.
The Real Dirt on Whitelisting
The choice for blacklisting versus whitelisting isn't really black and white
Cyber Security for the 44th Presidency Group to Come Out of the Shadows at Black Hat
A presidential 'playbook' for cyberware is among the issues under discussion by the group
Chinese Authorities Order Olympic Hotels To Install Spy Gear
Kansas Sen. Sam Brownback claims foreign-owned hotels have been asked to install Internet monitoring equipment to spy on hotel guests during the Beijing Games.
Oracle WebLogic Servers Vulnerable To Attacks
When it comes to security vulnerabilities, this flaw is as ugly as it gets -- but, in this case, it's not all because of anything Oracle did wrong.
Oracle Issues Alert For WebLogic Plugin Vulnerability
The exploit code was released July 17, two days after Oracle issued its second-quarter Critical Patch Update.
Most Malicious Code Launched From Legitimate Web Sites
The proliferation of user-generated content on popular Web 2.0 sites has opened the door for hackers to plant malware, says Websense report.
IBM Midyear Security Report: A Bad Year That's Getting Worse
Time flies when you're having fun, and flies even faster when the bad guys are having their "fun." Already more than halfway through 2008 and a new security report let's us know in detail just how insecure a year it is.
Hacking Without Exploits
Black Hat researchers will demonstrate how the bad guys are quietly raking in big bucks without ninja hacking skills, tools, or exploit code
Report: From Bug Disclosure to Exploit in 24 Hours
New IBM ISS report shows fast and furious nature of Web browser vulnerability finds and attacks
Apple And Security: Long Road Still Ahead
Apple's trying to pick up its game with iPhone security, recently listing an iPhone Security Engineer position. Assuming the job is really about helping users -- and not just thwarting pesky unlockers -- it's a good move, but some corporate inertia might need to be overcome before security is a true priority. Just take a look at the official iPhone Enterprise Deployment tools.
Modeling IT Attacks
Every day IT managers have to contend with an ever-changing risk environment. That's where good risk modeling can help.
Password Security: With Prosecutors Like This, Who Needs Rogue Administrators?
So the San Francisco District Attorney, building a case against the rogue administrator who shut down city network access, decided to include actual passwords as evidence. Bonehead decisions may not get much more boneheaded than this.
Beating Up Storage Vendors
An analyst firm recently published a report suggesting that the No. 1 priority in reducing IT costs was to beat up your storage vendor for lower costs. I would like to give a dissenting opinion.
Botnets Behind One Fourth of Click Fraud
Click Fraud Index reports biggest surge of botnet-generated pay-per-click fraud to date in the second quarter
New Video Surveillance Technology 'Recognizes' Abnormal Activity
BRS software can establish 'normal' on-camera activity - and alert security staff when something unusual occurs
When Penetration Testers (Almost) Get Caught
Sometimes employees really do learn their physical security lessons
Vibrations Part II
In my last entry we opened up a can of worms around drive vibration, discussing what it is and how it occurs. Vibration exists, but why should you, the IT professional, care? This stuff is all on RAID 5, right? Why do you care if a drive fails?
DNS Woes: How Worried Should You Be? Pretty Dang Worried!
Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.
Ad Agency Keeps the Word From Spreading
Access control technology helps Arnold Worldwide protect client data, meet compliance requirements
Small & Mid-Sized Enterprises Living in La-La Land, Study Says
Many smaller firms kid themselves that they're too little to be targets, McAfee study says
Disclosure Isn't Working
After a decade of writing about IT security, I don't know how anyone would think this current system of disclose and patch is working. It's not.
Are Lock-Picking Demos On YouTube A Bad Idea?
Amateur lock hackers who share their techniques may be improving security -- or endangering your life and property.
D-Link Introduces Ethernet-Powered Security Camera
Market Wire via MarketWatch, ChannelWeb
'Spam King' Escapes From Prison
Eddie Davidson remains at large after walking away from the Colorado prison where he was serving time for his role in spam scams.
San Francisco Computer Tech Set Booby Trap In City Network
Prosecutors say Childs set the network to delete numerous files during a scheduled maintenance of the system.
DNS Flaw Attacks Coming: Patch Now!!!
The first attackware strategies based on the widespread DNS flaw announced earlier this month have been spotted. If you haven't patched yet, do it now, before it's too late. (Some say it's already too late.)
Report: Website Infection Rate Has Tripled Since 2007
Malicious Web pages now exceed more than 16,000 per day, Sophos says
Details, Exploits of Web-Wide DNS Vulnerability Revealed
Kaminsky outlines flaw, says 'we're in serious trouble'; exploit code posted on Metasploit
DNS Poisoning Vulnerability: If You Haven't Yet Patched, It May Be Too Late
If you've ignored the urge to patch Dan Kaminsky's DNS cache poisoning flaw, you could be on the verge of big trouble: Exploit code has just been published in a popular penetration testing tool.
Apple's iPhone Mail, Safari Apps Vulnerable To Attack
Apple's iPhone Mail and Safari apps under the iPhone 1.1.4 and 2.0 firmware are vulnerable to URL spoofing, a security researcher said Wednesday.
McAfee Says Small, Midsize Business Sweats Security Too Little. You Agree?
A new survey from security firm McAfee warns that small and midsize businesses don't consider themselves to be targets for cybercrime. Do their findings match your feelings? Let's hope not.
Good, Good, Good…Good Vibrations
Its summertime, time for a little Beach Boys? No, Good Vibrations is the beginning of a series of entries that I will be posting on increasing physical hard drive unit life. In recent briefings, manufacturers like Copan Systems and Xiotech have been raising the issue on the impact of drive vibration. While I was aware of drive vibration, it is not discussed much, so I decided to take a deeper dive.
Most Bank Sites Are Insecure
Security risks caused by basic flaws in Web site design are widespread, according to computer scientists.
S.F. Computer Tech Gives Up Password To City Network
Terry Childs has been charged with four felony computer-tampering counts for allegedly locking out system administrators and supervisors from the city's servers.
Red Alert! DNS Flaw Revealed
Security researchers warn users to patch immediately, as technical details to exploit a widespread DNS vulnerability were disclosed online.
Researchers Raise Alarm Over New Iteration of Coreflood Botnet
Password-stealing Trojan is spreading like a worm - and targeted directly at the enterprise
|
White Papers
Video
3 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I spy, you spy, we all spy...a spy...
Latest Comment: I spy, you spy, we all spy...a spy...
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-19367
PUBLISHED: 2018-11-20
PUBLISHED: 2018-11-20
PUBLISHED: 2018-11-20
PUBLISHED: 2018-11-20
PUBLISHED: 2018-11-19
From DHS/US-CERT's National Vulnerability Database CVE-2018-19367
PUBLISHED: 2018-11-20
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
CVE-2018-19335PUBLISHED: 2018-11-20
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports.
CVE-2018-19334PUBLISHED: 2018-11-20
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports.
CVE-2018-10099PUBLISHED: 2018-11-20
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports.
CVE-2018-17906PUBLISHED: 2018-11-19
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This