Dark Reading is part of the Informa Tech Division of Informa PLC


Commentary

Content posted in November 2009
Global CIO: Fear Of Facebook For The Enterprise
Commentary  |  11/30/2009  | 
Enterprise social networking, at its worst, looks like another way to get buried in data.
The Futility Of Security By Obscurity
Commentary  |  11/30/2009  | 
Last week saw the launch of Shodan, a search engine for machines (servers, routers, etc.) connected to the Internet.
Security Lessons From Couple's White House Hijinks
Commentary  |  11/30/2009  | 
Even the most stringent security procedures have failures. That fact was evident when the U.S. Secret Service learned a Virginia couple slipped into last week's state dinner at the White House.
Famous Password Auditing Tool, L0phtCrack Is Back
Commentary  |  11/30/2009  | 
After a couple of years of rest, L0phtCrack, one of the most famous password auditing and recovery tools, is back.
Cloud Storage Now
Commentary  |  11/30/2009  | 
Cloud storage is constantly being discussed in the IT media today. When you get right down to it, what can businesses really use cloud storage for now? Small offices and individual users have embraced cloud storage for backups and for collaboration, but what can larger businesses use these services for?
Global CIO: Oracle, Larry Ellison, The EU, And MySQL
Commentary  |  11/30/2009  | 
Would you be shocked--shocked!--to learn that the EU's battle against Oracle is all about politics, power, and preserving jobs?
Microsoft Provides Insight Into Password Attacks
Commentary  |  11/29/2009  | 
For about a year now, Microsoft has been gathering data on real-world attacks, the types of attacks normal users might encounter in their day-to-day Internet use, and the software maker has just released some interesting data on password attacks.
Kudos To F-Response's New IR Tool For Ease Of Use
Commentary  |  11/25/2009  | 
F-Response TACTICAL will be released on Thanksgiving Day, with the promise of a plug-and-play ease to help cyber investigators quickly get the evidence they need from live systems.
Cyber Monday Security Risks Are All Business
Commentary  |  11/25/2009  | 
Why Cyber Monday for the online shopping surge? Because for many, Monday's the first working day after Thanksgiving. Which means they can do their online shopping on business time, on the business dime, using business machines over business connections. You may not be able -- or want -- to do anything about the productivity drop, but at least you can tell your people to shop safely.
Exploit Code Targets Internet Explorer Zero-Day
Commentary  |  11/24/2009  | 
There's exploit code circulating that can be used to target certain versions of Internet Explorer; Microsoft says it's working on a fix.
Employees Stealing Data At Frightening Rate
Commentary  |  11/24/2009  | 
Two new studies indicate that workers are not only able to steal confidential data from employers, they're ready and willing to do so -- at rates that are troubling, if not downright frightening.
The Future Of Storage As A Virtual Machine
Commentary  |  11/24/2009  | 
In our last few entries we looked at what can be done today with storage software running as virtual machines. In this entry we will consider what the future holds for storage as a virtual machine. Storage as a virtual machine may be the only way you apply data services in the future.
New Tool For Centralizing Windows Logs
Commentary  |  11/23/2009  | 
Microsoft has always overlooked centralized logging in Windows. To date, the most effective way to centralize Windows Event Logs has been through event log to syslog tools and custom agents for the various SIEM solutions. But now there's a new kid on the block with a full-featured agent that goes beyond what's previously been offered for free.
New Facebook Worm Warning: Wanna See Something Hot?
Commentary  |  11/22/2009  | 
A new Facebook worm is making the rounds today, with a brilliant landing page that has already caused many infections.
Chrome OS Security: Initial Impressions
Commentary  |  11/20/2009  | 
There is much developers can do to build a secure operating system when limits are set on what devices are supported, and there's no regard for compatibility with all types of software applications. I'm sure it's a luxury some software designers in Redmond and Cupertino certainly envy. But that's the clean shot Google has with its new Chrome OS.
Storage As A Virtual Machine Details - Part Two
Commentary  |  11/20/2009  | 
Rounding out our storage as a virtual machine re-interviews were conversations with EMC and Nexenta. While our last entry focused on systems that leverage virtual machines to deliver block I/O storage services, these two companies are delivering something a little different: NAS services and backup services.
Twilight's Latest Hacking: Vampire Byte Scam Targets Stephanie Meyer Fans
Commentary  |  11/20/2009  | 
Scareware masquerading as an interview with Twilight author Stephanie Meyer is making the rounds, and fast. Time to pass the word to any of your employees who are Twilight-obsessed and, more importantly, have them pass the word to their kids who may well be chasing the phenomenon on the same computers their parents may use for work-at-home.
Narrowing The Compromise-To-Discovery Breach Time Line
Commentary  |  11/20/2009  | 
Security professionals are intrigued by the fact that for approximately half of the data breach cases Verizon Business works, the victim doesn't realize there's a problem until more than six months after the incident occurred. Another stunning fact: More than two-thirds of incidents we work are discovered by a third-party.
Scrutinizing The White House Cyberspace Policy Review
Commentary  |  11/20/2009  | 
A lot was expected of the White House Cyberspace Policy Review, but like in previous cases, disappointment is what we find.
Two Ways To Encrypt Your Database
Commentary  |  11/20/2009  | 
File/operating-system-level encryption is actually implemented outside the database engine, but it's still a form of database encryption. It's referred to as "transparent" encryption because it requires no changes to the database or to the calling application.
Phishers Target Apple Customers In New Attack
Commentary  |  11/18/2009  | 
While OS X is targeted by a far fewer number of viruses than other operating systems, that's not stopping fraudsters from trying to hit Mac users with fraud.
Push-Button Forensics
Commentary  |  11/18/2009  | 
Digital forensics, computer forensics, or whatever you want to call the investigation and analysis of computer systems and digital media, is a challenging field that requires deep knowledge of the systems being analyzed. There is a push, however, to lower the barrier to entry for lesser skilled analysts to perform digital forensics using modern forensic tools.
Don't Just Manage Your Data -- Know it
Commentary  |  11/18/2009  | 
There are countless ways to manage data available to the storage manager today, but most of these solutions look at data as a problem. Few take an asset view of data, understanding that it is something to be cultivated and leveraged for future use. Storage managers should do more than just manage their data; they should know it.
NSA Iraqi Computer Attacks And U.S. Defense
Commentary  |  11/18/2009  | 
A National Journal Magazine article called "The Cyberwar Plan" has been making waves the last few days in our circles -- it's about how cell phone and computer attacks were supposedly used against Iraqi insurgents by the National Security Agency (NSA). Its significance is far more than just what's on the surface, however.
How To Hack A Brazilian Power Company
Commentary  |  11/17/2009  | 
The recent "60 Minutes" story claiming hackers had caused power outages in Brazil was (likely) bogus, but that doesn't mean hackers can't do this. The story got widespread coverage in the Brazilian press, which meant hackers there were suddenly interested in the subject. And just days later, chatter appeared on Brazilian hacker Websites expressing interest in ONS, the Website of Brazil's national power grid operator.
Free SMB Firewall Offered By Astaro
Commentary  |  11/17/2009  | 
Security firm Astaro is offering free firewalls to small and midsized businesses starting today. Too good to be true? Maybe not.
There's More To Pen Tests Than Just Breaking In
Commentary  |  11/16/2009  | 
I have a love/hate relationship with Twitter. Sometimes it seems like there's nothing but garbage on there. But on other days, the wealth of information is so much better than what's in my RSS reader.
Storage As A Virtual Machine Part Two - Details
Commentary  |  11/16/2009  | 
As we dive deeper into the storage as a virtual machine concept, we went back and re-interviewed some of the players in the storage as a virtual machine market, focusing specifically on what they provide. The first two conversations were with DataCore and HP. We will cover more suppliers as the series unfolds.
The Web Application Security New Top 10 Risks
Commentary  |  11/15/2009  | 
With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant, and welcome, change in how the organization rates Web application security weaknesses.
Never Underestimate The Power Of A Botnet
Commentary  |  11/14/2009  | 
A deputy director at the Office of Cyber Security in the Cabinet Office in the U.K. said in a recent Home Affairs Committee meeting that botnets are not a big risk for debilitating attacks against the government's networks, but are more likely to be used as a tool to extort money.
Knowing When To Call In Reinforcements
Commentary  |  11/13/2009  | 
Knowing when you're in over your head is important. In the world of the IT security professional, it is especially critical given your knowledge and experience will determine your actions and influence your reports to management. Those reports will, in turn, impact their decisions (or at least they should).
A Peek At Transparent Database Encryption
Commentary  |  11/13/2009  | 
There are several different ways to encrypt data stored within databases -- some residing inside the database, others outside. You can encrypt data programmatically at the application layer or at the database layer, and automatically by the OS/file system or by the database engine itself. Each has a slightly different use case, with differing degrees of data security, complexity, and impact on performance.
Stopping Insider Attacks
Commentary  |  11/12/2009  | 
There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.
Data Thinkage
Commentary  |  11/12/2009  | 
Data storage capacity is cheap. For most environments, obtaining enough capacity is no longer a challenge; managing that capacity is the problem. Growth, especially in unstructured data, continues unabated. Deciding what data should be where is one of the biggest challenges the storage manager faces today. Users don't want to think about where data should be stored, and storage managers don't have the time to think about it.
Spammers Pumping More (And More) Of The Same: Kaspersky
Commentary  |  11/12/2009  | 
Spam rates jumped a full percentage point, to past 86% of all e-mail this past September, according to a report from Kaspersky Labs. So what else is new? Not a lot. And that's what's scary.
Measuring Insider Risk
Commentary  |  11/11/2009  | 
The key thing to remember when dealing with insiders is they have access and, in most cases, will exploit the weakest link that gives them the greatest chance of access, while minimizing the chances that they get caught. Why try to break through a firewall and gain access to a system with a private address when you can find someone behind the firewall with full access to the system?
Conficker's Next Move
Commentary  |  11/11/2009  | 
I recently attended a presentation about the current state of the Conficker worm, delivered by Felix Leder and Tillman Werner, two German security researchers from the University of Bonn.
Panda Launches SMB Cloud Security
Commentary  |  11/10/2009  | 
Building on its cloud-based anti-virus service for consumers, Panda Security is launching Panda Cloud Protection, a hosted security service for small and midsized businesses.
Partially Spilled COFEE
Commentary  |  11/10/2009  | 
It turns out the version of COFEE (Computer Online Forensic Evidence Extractor) posted to BitTorrent sites is incomplete: It contains only 45 commands, whereas Microsoft claims the tool executes more than 150 commands. It grabs neither browser history nor password hashes. It runs only built-in Windows commands, Sysinternals tools, and resource kit tools.
Cell-Level Encryption
Commentary  |  11/10/2009  | 
A friend of mine was wondering why cell-level encryption isn't used often in databases. What would seem to be a fast and efficient approach to data security actually requires a complex implementation. Cell-level encryption stands in stark contrast to commonly adopted transparent forms of database encryption, and helps us identify hidden costs and complexity.
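The three database-encryption posts above (file/OS-level transparent encryption, transparent encryption in the engine, and cell-level encryption) contrast mostly on where the work happens and what it costs the application. The following added example, which is not code from any of those posts, makes the cell-level costs concrete: each value is encrypted with a fresh random nonce before it is stored, so the engine cannot compare or index the column; equality lookups need a separate keyed "blind index" column; and anything beyond equality (prefix, range, LIKE) forces the application to pull back and decrypt every row. Everything here is an assumption for illustration: the keys are derived from fixed strings rather than fetched from a key-management service, the `customer` table and its rows are constructed, and the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a PRF in counter mode for the keystream, a second HMAC for the tag) so the example runs on the Python standard library alone; in production you would use AES-GCM from a vetted library instead.

```python
"""Cell-level (per-value) encryption in a relational table, and what it costs.

Added illustration, not code from the Dark Reading posts it accompanies.
Stdlib only: the cipher below is a stand-in for AES-GCM, keys are fixed for
the example (a real deployment would pull them from a KMS/HSM), and the
table and rows are constructed sample data.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumption: fixed example keys.  Never derive production keys this way.
ENC_KEY = hashlib.sha256(b"example data-encryption key").digest()
MAC_KEY = hashlib.sha256(b"example mac key").digest()
IDX_KEY = hashlib.sha256(b"example blind-index key").digest()
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(ENC_KEY, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cell(plaintext: str) -> bytes:
    """nonce || ciphertext || tag.  A fresh nonce per cell means two rows holding
    the same plaintext get different ciphertexts, so the engine cannot compare them."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_cell(blob: bytes) -> str:
    """Verify the tag first (encrypt-then-MAC), then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cell tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


def blind_index(plaintext: str) -> bytes:
    """Deterministic keyed hash of the plaintext, stored beside the ciphertext so
    WHERE ssn = ? can become WHERE ssn_idx = ? without revealing the value."""
    return hmac.new(IDX_KEY, plaintext.encode(), hashlib.sha256).digest()


def build_db(rows):
    """Constructed sample table: the SSN column exists only as ciphertext + blind index."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, ssn_ct BLOB, ssn_idx BLOB)")
    db.execute("CREATE INDEX ssn_lookup ON customer (ssn_idx)")
    for name, ssn in rows:
        db.execute("INSERT INTO customer (name, ssn_ct, ssn_idx) VALUES (?, ?, ?)",
                   (name, encrypt_cell(ssn), blind_index(ssn)))
    return db


def find_by_ssn(db, ssn):
    """Equality lookup: the application computes the index; the engine never sees plaintext."""
    cur = db.execute("SELECT name, ssn_ct FROM customer WHERE ssn_idx = ? ORDER BY id",
                     (blind_index(ssn),))
    return [(name, decrypt_cell(ct)) for name, ct in cur]


def find_by_ssn_prefix(db, prefix):
    """The hidden cost: a prefix (or range, or LIKE) query cannot be pushed into the
    engine, so every row is fetched and decrypted in the application."""
    cur = db.execute("SELECT name, ssn_ct FROM customer ORDER BY id")
    return [name for name, ct in cur if decrypt_cell(ct).startswith(prefix)]


if __name__ == "__main__":
    sample = [("alice", "123-45-6789"), ("bob", "987-65-4321"), ("carol", "123-45-6789")]
    db = build_db(sample)
    print(find_by_ssn(db, "123-45-6789"))      # alice and carol, via the blind index
    print(find_by_ssn_prefix(db, "123"))       # same answer, but only after decrypting every row
```

Note what this buys and costs relative to the transparent forms: a database administrator or a stolen disk image sees only ciphertext and HMACs, which file-level or engine-level transparent encryption does not guarantee against a privileged database login, but every query that touches the column has to be rewritten, the blind index leaks which rows share a value, and key rotation means re-encrypting every cell rather than swapping one key under the engine.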
Storage Services As A Virtual Machine
Commentary  |  11/10/2009  | 
Traditionally, storage systems and other storage-related services have been delivered as customized systems. This was done to maintain performance and to reduce manufacturers' support costs. As server technology continues to increase in performance, the concept of providing storage services as a standalone application installed on your own server hardware is becoming increasingly popular. Now, with virtualization, the storage-as-an-application concept is being applied to virtual machines.
USB-Based Incident Response Tools
Commentary  |  11/9/2009  | 
Last month's "Using USBs For Incident Response" blog garnered a lot of e-mail responses asking about what tools are available, free or commercial, and how easy they were to use. While there isn't an "EASY" button that makes incident response and digital forensics easy for the layperson, there are tools that enable first responders to arrive on scene, pop a USB flash drive (or hard drive), grab volati
Despite Security Concerns, Social Networks Soar
Commentary  |  11/9/2009  | 
Security firm Palo Alto Networks peeked at the application use of more than 200 organizations around the globe, and found social networking growth on corporate networks is on fire. Will security concerns be the extinguisher? Don't count on it.
Insider Threat Reality Check
Commentary  |  11/9/2009  | 
Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?
JailBroken iPhones Targeted By Rick-Rolling Worm
Commentary  |  11/8/2009  | 
The SANS Institute Internet Storm Center is warning users of jailbroken iPhones that a new worm is targeting their hacked phones. So how dangerous is it, really?
WiFi = Mobile Phone
Commentary  |  11/6/2009  | 
Traditionally, we've thought of WiFi as the way we connect to the Internet from our notebook computers. This is rapidly changing, with definite implications for security pros.
Microsoft To Patch 15 Vulnerabilities
Commentary  |  11/5/2009  | 
As part of its monthly ritual, Microsoft in its Security Bulletin Advanced Notification for this month warned of a number of nasty vulnerabilities in its operating systems and productivity software.
Dissecting Microsoft's Latest Security Intelligence Report
Commentary  |  11/5/2009  | 
This week Microsoft published volume 7 of its Security Intelligence Report (SIR), covering January 2009 through June 2009.
Global CIO: Oracle Trapped By EU Politics As Sun Employees Suffer
Commentary  |  11/5/2009  | 
As thousands of Sun employees face layoffs, the EU ninnies focus on conjuring up an outcome that will make them seem less pathetic than they truly are.
Practical Analysis: The Fastest-Growing Security Threat
Commentary  |  11/5/2009  | 
SQL injections, more than any other exploit, can land your company in trouble. So why aren't you worried about them?


I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. The Domain Name System (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijacking, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and to prevent users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic.
Enterprise Vulnerabilities
From the National Vulnerability Database (NVD), maintained by NIST and sponsored by DHS
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView` class, intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. An older CVE fixed the XSS in label HTML but didn't fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or a crafted capture file.