Dark Reading is part of the Informa Tech Division of Informa PLC


Commentary

Content posted in January 2008
Page 1 / 2
Does This Storage Make My Butt Look Big?
Commentary  |  1/31/2008  | 
This is a curious link to follow if you agree that women as storage buyers: A) Are aliens B) Constitute a completely different species C) Need to be spoken to like prostitutes (the "Pretty Woman" Julia Roberts kind, not that Theresa Russell sort)
Toward Buffer Overflow Extinction
Commentary  |  1/31/2008  | 
The first time a buffer overflow was used as part of an attack on information systems, at least as best I can find, was the infamous 1988 Morris worm. While the Morris worm propagated across Unix, buffer overflows have been the bane of Windows security for years. Microsoft is furthering its efforts to push this problem into the history books.
When Criminal Intent Lurks One Cube Away
Commentary  |  1/31/2008  | 
The ongoing Société Générale fraud story is a case study in insider threats. The costs, north of $7 billion for the French bank, are high and likely to go higher. For the rest of us, it leaves an uneasy question: Do we have a rogue in our organization? And if so, what do we do about it?
Federal Government To Spend $30 Billion On New Security Efforts
Commentary  |  1/30/2008  | 
One of the most interesting IT security news stories to hit this week is that the Bush administration is apparently proposing that $6 billion (it's not yet clear whether this is an increase on existing spending) be invested to shore up federal network security next year, and up to $30 billion across seven years. This is good news. Maybe.
The Four (Non) Myths Of IT Security
Commentary  |  1/30/2008  | 
Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.
Are You SCAP Ready?
Commentary  |  1/29/2008  | 
In case you missed it, about a year ago the Office of Management and Budget issued policy memorandum M-07-11, aka the Implementation of Commonly Accepted Security Configurations for Windows Operating Systems. Essentially, this mandates that all federal agency systems must adhere to the Federal Desktop Core Configuration (FDCC) by February 2008. That's this Friday.
Free Identity Theft Webinar Tomorrow
Commentary  |  1/29/2008  | 
This week's release of a new report on Identity Theft (and strategies for avoiding and combating it) will be accompanied by an online Identity Theft Webinar tomorrow, Thursday, January 31, at 2 pm EST.
Point. Click. Phish.
Commentary  |  1/29/2008  | 
Are you ready to launch your own phishing scam, but don't know where to start? Too tired from your day job to write the copy for your own fraudulent e-mails? Or are you like millions of others who just don't know how to leverage Facebook or Orkut for illicit profit? These are no longer problems for you.
Should Your IP Address Be Private?
Commentary  |  1/29/2008  | 
The European Union has just ruled that Spain's Telefonica SA doesn't have to hand over the identities of file sharers on its networks. At least, not simply because the allegedly aggrieved party asks for such information.
Whoops: $73 Billion In Fraudulent Trades Just Slipped By Us
Commentary  |  1/28/2008  | 
While there's no hard evidence yet released on what could prove to be one of the largest frauds in financial history, some details are starting to surface. It's my hunch that this case, other than its financial magnitude, will not prove much different than previous insider frauds.
IT Security Vs. Censorship
Commentary  |  1/28/2008  | 
In a memo distributed to employees, Tribune Co. owner Sam Zell called for all of Tribune's business units to yank the use of content filters. Now, I'm not sure anyone, myself included, would list content filters among their favorite things. Yet I'm not so sure Zell made a good move -- at least not for Tribune's IT security.
Happy Data Privacy Day!
Commentary  |  1/28/2008  | 
We're less than a week away from finding out whether Punxsutawney Phil predicts six more weeks of winter. While we wait for him to make his annual weather forecast, we've got time to squeeze in another holiday. You may not be as familiar with this one -- there are no parades, gift-giving or time off from work. Frankly, it's a shame we have to acknowledge it at all. But it's a testament to the kind of world we live in. Today is Data Privacy Day.
Recent Vista Metrics: Don't Be Fooled
Commentary  |  1/26/2008  | 
Microsoft security strategy director Jeff Jones' recent report card, which bestows high marks on the security of his employer's most recent operating system release, has garnered plenty of ink. But what does it mean?
Beauty, Sex, Love, And Your Mobile Phone
Commentary  |  1/25/2008  | 
That's the hook for a mobile phone virus that at least one antivirus vendor says is currently spreading in the wild.
Time to Implement Security as a Service?
Commentary  |  1/25/2008  | 
Software as a Service (SaaS) has been gaining acceptance among small and medium businesses because it eases maintenance and deployment requirements. Having been widely implemented in areas such as Customer Relationship Management, it is now advancing into the security market.
FCoE Enigma Wrapped In A Riddle
Commentary  |  1/24/2008  | 
And buried inside a mystery: It's where my mind goes when the subject turns to Fibre Channel over Ethernet (FCoE). And apparently I'm not alone.
Hey Joe, What Are You Doing With That Resume In Your Hand?
Commentary  |  1/24/2008  | 
A buddy of mine called today. He (we'll call him Joe) is chief security officer at a fairly large public company in the health field. I hadn't spoken with Joe in a while, and he was sounding somewhat down. "What's wrong, Joe?" I asked.
CyberWar! Not So Much
Commentary  |  1/24/2008  | 
It's looking more like the distributed denial-of-service attacks that crippled the Web site of the Estonian Reform Party last spring were not the result of grim-faced Russian warriors vigorously clicking their mice. No.
Trusted Web Site? Not So Fast
Commentary  |  1/23/2008  | 
It's not been a great year for Web security, so far. First we learn that HackerSafe isn't so hacker safe, after all. Then we find out that hackers have found a way to automatically redirect most home routers to wherever they
Drive-By Pharming: This Nasty Attack Technique Looks Significant
Commentary  |  1/23/2008  | 
The first time I learned of the concept of drive-by pharming was when reading about a presentation given by application security expert Jeremiah Grossman at Black Hat in mid-2006. It's a concerning attack technique, not just because it enables an attacker to do nasty things, but also because of how passively Web users can become victimized. Until very recently, this attack was merely theoretical.
Bank Failure Spawns New Regulations
Commentary  |  1/22/2008  | 
Few may have noticed, but during the real-world summer stock slump Ginko Financial, a bank within Second Life, went bust. And ever since its failure, Second Life citizen complaints of interest-rate scams seem to have soared. "Since the collapse of Ginko Financial in August 2007, Linden Lab has received complaints about several in-world 'banks' defaulting on their promises. These banks often promise unusually high rates of L$ return, reaching 20%, 40%, or even 60% annualized," reads a recent blog
Vote. Get Your Identity Stolen
Commentary  |  1/22/2008  | 
Fortunately, the stolen notebook was recovered. Unfortunately, it's now up to the forensics experts to determine if any of the data, including the names and Social Security numbers of registered voters, was accessed or tampered with. I'm talking about the notebook that was allegedly stolen from the Election Commission in the Nashville area last month. According to this report, the notebook held the names and Social Security n
Protecting Bob In Accounting, From Himself
Commentary  |  1/21/2008  | 
Of the hundreds of data loss incidents in 2007, it seems the majority involved some type of lost storage media or notebook. If only the companies had used encryption, or were certain that it had been in place, then the customers of GE Money, Accenture, the Department of Veterans Affairs, and too many others to list would be sleeping better. It's a problem that's only going to get worse as more data is held on portable storage devices, such as USB devices, smartphones, and even MP3 players.
RIAA Attacked: The SQL
Commentary  |  1/21/2008  | 
The Recording Industry Association of America's (RIAA) Web site was attacked -- again -- over the weekend. According to numerous breaking news stories, it seems a lack of proper security controls enabled some to take parts of the site down, and tweak its pages. Get serious.
Hackers Threaten Power Grid. FERC Strengthens Security Standards
Commentary  |  1/19/2008  | 
While I enjoyed the first two Bruce Willis Die Hard movies, Live Free or Die Hard was a different story. The coordinated, near-simultaneous cyberattacks on the power grid, financial systems, government databases, and media satellites were so over-the-top that I couldn't suspend my disbelief long enough to enjoy the movie. Maybe that's because I've long been suspicious of the terms cyberterrorism and cyberwarfare. In fact, the threats of thunderstorms, tornadoes, and overgrown trees
Yahoo Users Get OpenID: No Game Changer
Commentary  |  1/18/2008  | 
There seems to be plenty of buzz surrounding Yahoo's decision to choose OpenID as a way to enable users to sign on once and seamlessly access all of their Yahoo services, as well as any other Web site that supports the OpenID Web authentication standard. It's not going to change much.
650,000 More Customer Records Lost: It's The Physical Security, Too, Stupid
Commentary  |  1/18/2008  | 
A data tape containing 650,000 J.C. Penney and other retailers' customer records, including Social Security numbers, has been missing since last October, but notification of all affected customers has yet to be completed. Lots of lessons in this one.
Don't Do As Bruce Does
Commentary  |  1/17/2008  | 
I'm talking about encryption and security expert, speaker, book author, and restaurant critic Bruce Schneier. Don't follow his security advice. At least when it comes to securing home wireless networks.
Identity Theft Is A Drag For Everyone
Commentary  |  1/17/2008  | 
There's yet more evidence that privacy and security concerns, when it comes to online shopping, are on the rise. This time it's from a phone survey, released today, conducted by the University of Southern California's Center for the Digital Future.
Excel Security Flaw Poses Mac And Windows Risk
Commentary  |  1/16/2008  | 
A Microsoft security advisory warns that some Excel users are at risk of attacks specifically targeting the vulnerability. Users who've installed Excel 2003 Service Pack 3, or who are running Office 2007 (Windows) or 2008 (Mac) should be protected.
Web 2.0 And Social Networks Ripening Targets For Hackers And Fraudsters
Commentary  |  1/16/2008  | 
We're on the verge of an upswing in Web 2.0 and social networking security attacks and fraudulent scams. Just yesterday, Thomas Claburn reported on a serious Universal Plug and Play (UPnP) vulnerability that can be exploited through malicious SWF (Flash) files on Web sites. Successful attacks can be used to sidestep firewalls, access Web router admin pages, and alte
Hackers Targeting Microsoft Zero-Day Excel Flaw: Microsoft Offers Kludgey Fix
Commentary  |  1/16/2008  | 
Late yesterday, Microsoft confirmed in a security advisory (947563) that hackers are targeting a significant vulnerability in multiple versions of Excel. The vulnerability appears to be a previously unknown zero-day, and a successful attack could result in various levels of control over the affected system -- depending on how user rights have been configured.
The FBI Doesn't Want Your Data. Really.
Commentary  |  1/15/2008  | 
The Federal Bureau of Investigation is not after your personal information, the agency insists. If you've received e-mail seeking personal information that appears to be from FBI Director Robert Mueller or another FBI official, it's fake, the agency warned Tuesday.
The Time Is Now (Better Yet, Yesterday) For A Federal Data Breach Disclosure Law
Commentary  |  1/15/2008  | 
It'll soon be five years since the California data breach disclosure law, better known as SB 1386, went into effect. So far the law has had some success. But we need a federal standard.
A Couple More Things Apple Needs To Do To Become IT (Security) Friendly
Commentary  |  1/15/2008  | 
As Macworld kicks off, more companies, especially SMBs, are bound to be eyeing the possibility of displacing Microsoft in favor of Apple. And there are plenty of good reasons why: Vista has been a disappointment, and OS X is simply more elegant and easier to use than anything Microsoft has to offer. And if my personal experience with OS X is any indicator, OS X is a lot more stable. But when it comes to security, Apple has some work to do.
10 Threats You Need To Worry About: SANS Report
Commentary  |  1/15/2008  | 
SANS is out with its 2008 top threats report, and the outlook isn't good. While many of the threats are familiar, they're getting more sophisticated, supple, smart.
Brit Posts Bank Account Number, Gets Hacked
Commentary  |  1/10/2008  | 
The world is filled with daredevils: bungee jumpers, mountain climbers, those crazy guys who get chased by bulls in Spain. However, none of those thrill-seekers hold a candle to British columnist/TV celebrity Jeremy Clarkson. Fearless to the core, Mr. Clarkson decided to publish his own personal bank account number in the paper, confident that no one would be able to do anything with it.
Have You Been Victimized By Malware?
Commentary  |  1/9/2008  | 
Crime reporting often includes the victim's side of the story. This seems to be less common with cybercrime reporting. There are several reasons: Many of those with computer viruses are unaware that they've been victimized, and IT workers don't want the world to know that their systems have been compromised. I'm hoping some of you, anonymously or not, will be willing to e-mail me (or post here if you prefer) and share your experience with malware. With ne
Who's In Charge -- Really In Charge -- Of Your Security? Anybody?
Commentary  |  1/9/2008  | 
If your small or midsize business has a designated Chief Security Officer, well done. If you don't, welcome to the club -- but it's not a club you want your business to be part of.
Hackers Count On Unpatched Problems -- How Patched Are Yours?
Commentary  |  1/8/2008  | 
The lesson of the mass-hack that tagged 70,000 Web pages over the past week is be careful what you ask for on your Web site -- and be even more careful that you're completely patched before you ask.
Privacy Skeptic Gets Robbed Online And Recants
Commentary  |  1/7/2008  | 
Not everyone believes privacy matters. Take U.K. journalist and TV presenter Jeremy Clarkson, who hosts a show called Top Gear. Clarkson, according to the BBC, believed that the furor over the U.K. government's loss of optical discs containing the personal information of more than 25 million U.K. citizens was much ado about nothing.
Privacy Lawsuit Against Sears Is Ridiculous
Commentary  |  1/7/2008  | 
Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.
Let's Raise The Stakes For Data Loss Culpability
Commentary  |  1/4/2008  | 
After a year of unbelievable (and in some cases incomprehensible) data loss among corporations both big and small, I propose we adopt a brand-new catchphrase for 2008. To borrow somewhat from culinary personality Emeril Lagasse: It's time to kick the penalties up a notch.
Is There A Wi-Fi Flu Waiting To Happen?
Commentary  |  1/3/2008  | 
We've all talked a lot about wireless security (or lack thereof) and hotspot vulnerabilities and other perils of the wireless world. But researchers at Indiana University suggest that wireless routers may be a perfect medium for communicating contagious malware.