Commentary

Content posted in October 2009
Page 1 / 2   >   >>
New Project Takes Aim At Web Vulnerabilities
Commentary  |  10/31/2009  | 
New open source honeypot sets bait to lure attackers and to gain first-hand information on current attack techniques underway.
LinkedIn With 'Bill Gates'
Commentary  |  10/30/2009  | 
Bill Gates invited me to join his LinkedIn network. OK, so it wasn't really Bill Gates, but as far as my email system, spam filter, and email client were concerned, it's perfectly normal for Gates to send me a LinkedIn invitation.
Global CIO: SAP Eliminates All-Up-Front Payment Requirement
Commentary  |  10/30/2009  | 
In a striking move, SAP is extending to 580 very large customers a plan allowing them to spread payment across multiple years instead of making one big capital-expense payment up front.
Getting To Know Your Infrastructure
Commentary  |  10/29/2009  | 
Knowing your network is a fundamental step for building a successful vulnerability management (VM) project.
Global CIO: Hewlett-Packard's Hurd Says Bad IT Means A Bad CEO
Commentary  |  10/28/2009  | 
Hurd offers a startling observation about how the roots of bad IT almost always reside in the corner office, and he explains how HP attempts to address the needs of both the CEO and the CIO.
Know Your Tools
Commentary  |  10/28/2009  | 
Ever have one of those days where nothing really seems to go right? You're working on something that should be simple and it ends up throwing seemingly unexplainable errors back at you no matter what you try? Then when it does work, you're not sure what you changed that fixed it. Yeah -- me, too.
Global CIO: Greenpeace Shakedown Targets Google, Microsoft, And IBM
Commentary  |  10/28/2009  | 
Greenpeace is mounting a major assault on the business practices of not just those three companies but the entire IT industry. They will lie to get what they want -- and here's the proof.
File Virtualization, The Ultimate Cloud Gateway?
Commentary  |  10/28/2009  | 
In our last entry we talked about the use of cloud storage as a backup target, but another ideal use case for cloud storage is to use it as an archive area. Almost every IT organization has old data that they want or must keep, but are struggling with where to keep it. Its ability to identify, automatically move and transparently recall data could make file virtualization the ultimate cloud gateway.
Patch Your Firefox
Commentary  |  10/27/2009  | 
Mozilla just released 16 patches for vulnerabilities in Firefox. Eleven of the flaws are critical, and affect a number of components in the browser.
Global CIO: What CIOs Can Learn From Kindle
Commentary  |  10/27/2009  | 
The real lesson is in the growing power of machine-to-machine wireless links.
SMB Security Survey Shows Sorry State Of Cyber Safety
Commentary  |  10/27/2009  | 
A new survey of small business cybersecurity offers a bleak picture of the state of things. Bleak unless you're a cybercrook, of course.
AVG Sends Speedy Small Business Security Signal
Commentary  |  10/27/2009  | 
New Internet security and anti-virus products for small businesses from AVG are being touted by the company as both secure and speedy, with an array of promised features and administrative tools that address some of the tech challenges smaller firms face.
UK Jobs Website Hacked
Commentary  |  10/26/2009  | 
The news site Guardian is warning members of its UK jobs site that the site has been breached, and that personal data may have been snagged.
Christian Site's Poll Backfires
Commentary  |  10/26/2009  | 
The Alpha Course, a Christian Website, has created an instant Internet poll asking if God exists. So far, 96 percent of respondents clicked on "NO."
Cloud Based Backup, Ready For Business?
Commentary  |  10/26/2009  | 
Cloud-based backup services have been successful in the consumer space. Companies like Mozy, Carbonite and others are protecting thousands of laptops and home desktops, but can cloud-based backup services move beyond protecting consumer or prosumer data and into the data center? Are cloud-based backups ready for business?
Using Evil WiFi To Educate Users, IT Admins
Commentary  |  10/26/2009  | 
For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network impersonation and connection hijacking.
Smartphones Call For Security-Smarter Users
Commentary  |  10/26/2009  | 
Smartphones, and all the other smartstuff filling our pockets, bags, lives, make for mobile convenience and access -- including access by crooks. Time to get your smartphone-using staff to dial up their security practices.
The ABCs Of DAM
Commentary  |  10/26/2009  | 
Database activity monitoring (DAM) has been the biggest advancement in database security in the past decade. Identity management controls access, and encryption protects data on media, but monitoring verifies usage.
Application Security Is National Security
Commentary  |  10/23/2009  | 
Hacks targeting U.S. government computers are coming from China. We knew that. The Chinese hackers are relying on zero-day software vulnerabilities to exploit critical systems. So, tell me again: why aren't we doing more to require applications be built secure from the start?
Trusting Trust
Commentary  |  10/23/2009  | 
An old and respected paper about compilers teaches us a lot about network security architecture.
Reducing Storage Complexity In Server Virtualization
Commentary  |  10/23/2009  | 
The storage component of a virtualized server infrastructure has been labeled as complex and expensive. In our prior entries about selecting a storage foundation we discussed what systems and protocols are available that might help simplify and reduce costs for storage in a virtualized environment. Beyond physi
My Hat Is Blue
Commentary  |  10/22/2009  | 
For the past two days I have been back in Seattle. It was almost two years ago I left the city, and was not sure when I'd get a chance to return. Microsoft's BlueHat security conference was a great reason to come back to my favorite rainy city. What is BlueHat?
Microsoft And Mozilla Compete, Cooperate
Commentary  |  10/22/2009  | 
In its patch release last week, Microsoft described an interesting side effect in one of its bulletins.
Understanding Hard Drive Performance
Commentary  |  10/21/2009  | 
In the last performance entries we discussed understanding storage bandwidth and understanding storage controllers. Next up is to understand the performance characteristics of the hard drive itself and how the mechanical hard drive can be the performance bottleneck.
Firefox Web Browser Weaponization Redux
Commentary  |  10/21/2009  | 
I've written about the Samurai Web Testing Framework (WTF) LiveCD project and some of the Firefox Add-Ons that can be used to transform Firefox into a highly capable Web application penetration testing tool. Now the Add-Ons included in Samurai and a few others have been bundled together into the Samurai WTF Firefox Collection -- essentially, a one-stop shop for Web browser weaponization.
Gumblar: Back With A Vengeance
Commentary  |  10/20/2009  | 
Earlier this year, the botnet Gumblar made a splash when it infected more than 2,300 Websites, including popular destinations such as Tennis.com, Variety, and Coldwellbanker.com. Now, security researchers say Gumblar is back in strength and is changing its tactics.
Phishing Alert: Get Your Guards Up! Botnet On The Move And It Looks Like It's Coming From YOU
Commentary  |  10/20/2009  | 
Odds are you or someone in your business has received some dangerously convincing e-mails in the last few days: mail that claims to come from Microsoft, warning of Conficker infections, and, more dangerously, mail that appears to be from your administrator at your own domain, announcing a server upgrade. They're phishing attacks, of course, and particularly nasty ones.
Using USBs For Incident Response
Commentary  |  10/19/2009  | 
I was honored to be the keynote speaker this week at Operation WebLock, a cyber incident response two-day seminar hosted by the Florida Department of Law Enforcement. The event focused on helping administrators and IT staff respond better to cyber-threats that could affect their networks and Florida's infrastructure -- a very worthwhile endeavor, and awesome that it was offered free to local business, government, and law enforcement.
Full Nelson: The Growing Threat Of Cyberwarfare
Commentary  |  10/19/2009  | 
Many more casualties will pile up, but policy and agreements will prove meaningless against today's anonymous cyberwarrior.
Scammers Up The 'Rogueware' War
Commentary  |  10/17/2009  | 
Attackers have for some time been known to encrypt user files (as happened with Gpcode) and then demand payment for the decryption key. These so-called rogueware attacks, including scareware, have been underway for a while. Now scammers have upped their attack tactics.
Here Comes Automated Storage Tiering
Commentary  |  10/16/2009  | 
At Storage Networking World, at least one new category in storage is coming to the forefront: Automated Storage Tiering. These are typically devices that can sit in front of your existing storage platform and allow some of it to leverage a high-speed solid state front end without your having to move data manually to a Solid State Disk (SSD).
App Whitelisting Potentially More Effective Against Bots
Commentary  |  10/15/2009  | 
Application whitelisting is beginning to look more and more appealing. Don't get me wrong. It has had its merits all along. But lately I've seen way too many failures of antivirus against bots, and that has me rethinking a few things.
UPDATE Sidekick Data Restored: Security And Confidence Questions Remain
Commentary  |  10/15/2009  | 
So now the missing Microsoft/T-Mobile Sidekick is back, doubtless relieving both hundreds of thousands of customers and the legal departments at the affected companies. But the questions about confidence in cloud-based data remain. And that's a good thing.
The Priority Patches From This Month's Batch
Commentary  |  10/15/2009  | 
Tuesday's patch releases by Microsoft and Adobe are creating plenty of work for IT administrators -- quite possibly involving multiple groups with further coordination and meetings. But there are two patches that IT administrators should be focusing on to roll out quickly:
Getting Around Vertical Database Security
Commentary  |  10/14/2009  | 
A few database administrators told me they wanted to know why database security is vertical and how they can fix it. True, database access controls are vertical. The basic construct of a database is a table, and access controls grant access to tables or columns. This means you can see all of the entries from top to bottom, or none at all. Access is vertical and it lacks granularity.
Understanding Storage Controller Performance
Commentary  |  10/14/2009  | 
Storage controllers are the engine that drives the storage system you own. They are essentially a compute engine for storage arrays. Understanding storage controller performance and what can impact storage controllers is an important step in the optimization of your storage environment. It is also something that many storage managers assume is good enough.
Sidekick Failure Highlights Security Demands Cloud Customers Must Make
Commentary  |  10/14/2009  | 
Whether or not Sidekick recovers from the data debacle that may have cost hundreds of thousands of customers their cloud-stored material, the disaster throws into sharp relief a couple of great and greatly unasked questions about doing business in and with the cloud: How confident can you be of your cloud service providers? How confident should you insist on being?
RAND: U.S. Should Not Prioritize Cyberwarfare
Commentary  |  10/13/2009  | 
The think tank RAND came out with an Air Force-funded paper that concludes spending money on operational cyberwarfare is a waste of budget. I agree.
McAfee Rolls Out Centralized Security Solution For Macs
Commentary  |  10/13/2009  | 
Security vendor McAfee has announced McAfee Endpoint Protection for Mac, a unified suite of security features that can be managed from a central console. The product is intended to address the security needs of the growing number of Macintoshes in businesses.
In Support of Poor Ol' Windows Vista
Commentary  |  10/13/2009  | 
We just released the October issue of the CSI Alert to CSI members, and this month we focus on Windows 7. This issue is, in some ways, a follow-up to last year's issue, "The Fate of the Secure OS," in which I said some nice things about Windows Vista, and advised it would be imprudent to completely ignore Windows Vista -- eyes-closed, fingers-in-ears, chanting I'm-not-listening-I'm-not-listening.
Dark Reading Launches Vulnerability Management Tech Center
Commentary  |  10/12/2009  | 
Today Dark Reading launches a new feature: the Vulnerability Management Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis of the technologies and practices used to identify and eradicate security vulnerabilities from enterprise IT environments.
Phishing Your Users for Better Security
Commentary  |  10/12/2009  | 
A couple of years ago, William Perlgrin taught users about phishing...by phishing them. In doing so, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination created an awareness program that (for the most part) worked.
Patch Alert! Microsoft Releasing Largest Patch Array Ever
Commentary  |  10/9/2009  | 
Use BOLD when you mark next Tuesday on your patch calendar -- that's when Microsoft is releasing the biggest patch array ever: 13 patches addressing close to 3 dozen vulnerabilities.
October's Scary Patch Tuesday
Commentary  |  10/9/2009  | 
Next Tuesday Microsoft plans to release 13 separate security bulletins that will cover more than 30 individual patches. More than half of the bulletins are ranked as "critical."
Understanding Storage Bandwidth Performance
Commentary  |  10/9/2009  | 
Storage bandwidth is the connectivity between servers and the storage they are attached to. When it comes to understanding storage bandwidth performance you have two challenges to deal with. The first and most obvious is whether the storage can get the data to the application or user fast enough. The second and less obvious is whether the applications, and the hardware those applications run on, can take advantage of that bandwidth.
The Future Of Digital Forensics
Commentary  |  10/9/2009  | 
Last week's 10th annual IT Security Awareness Day at the University of Florida had IT workers from all over the state in attendance to hear experts from InGuardians, F-Response, Sunbelt Software, and Microsoft. Though I enjoyed every presentation, I keep thinking about one in particular -- the future of forensics, by F-Response's Matt Shannon.
You Can't Always Be Proactive
Commentary  |  10/8/2009  | 
Having your car serviced regularly, stretching before working out, and visiting the dentist twice a year are known to prevent engine failure, physical injury, and potentially life-threatening gingivitis. In addition, being proactive also extends to the world of information security.
Avoiding Database Audit Pitfalls
Commentary  |  10/8/2009  | 
Many seasoned database administrators howl in protest at the mere suggestion of running native auditing functions due to the poor performance and log management headaches that often come with auditing.
Understanding Storage Performance
Commentary  |  10/7/2009  | 
For most storage managers, improving storage performance is an endless loop of upgrades that are applied until the problem goes away. Deciding where to look and how to configure the environment is often a series of "best guesses" rather than the product of a thorough understanding of it. In today's economy best guesses are not allowed. Making the right move, the first time, is critical.
Hotmail Phishers Pull In Poor Passwords By The Thousands
Commentary  |  10/7/2009  | 
Tens of thousands of email accounts from Hotmail, Gmail, Earthlink, Yahoo and Comcast compromised by phishing scams had their details posted briefly online for all to see. One thing that was seen was how many of those accounts had lousy passwords.