Commentary

Content posted in November 2009
Global CIO: Fear Of Facebook For The Enterprise
Commentary  |  11/30/2009  | 
Enterprise social networking, at its worst, looks like another way to get buried in data.
The Futility Of Security By Obscurity
Commentary  |  11/30/2009  | 
Last week saw the launch of Shodan, a search engine for machines (servers, routers, etc.) connected to the Internet.
Security Lessons From Couple's White House Hijinks
Commentary  |  11/30/2009  | 
Even the most stringent security procedures have failures. That fact was evident when the U.S. Secret Service learned a Virginia couple slipped into last week's state dinner at the White House.
Famous Password Auditing Tool, L0phtCrack Is Back
Commentary  |  11/30/2009  | 
After a couple of years of rest, L0phtCrack, one of the most famous password auditing and recovery tools, is back.
Cloud Storage Now
Commentary  |  11/30/2009  | 
Cloud storage is constantly being discussed in the IT media today. When you get right down to it, what can businesses really use cloud storage for now? Small offices and individual users have embraced cloud storage for backups and for collaboration, but what can larger businesses use these services for?
Global CIO: Oracle, Larry Ellison, The EU, And MySQL
Commentary  |  11/30/2009  | 
Would you be shocked--shocked!--to learn that the EU's battle against Oracle is all about politics, power, and preserving jobs?
Microsoft Provides Insight Into Password Attacks
Commentary  |  11/29/2009  | 
For about a year now, Microsoft has been trying to gather data on real-world attacks, the types of attacks normal users might encounter in their day-to-day Internet use, and the software maker has just released some interesting data on password attacks.
Kudos To F-Response's New IR Tool For Ease Of Use
Commentary  |  11/25/2009  | 
F-Response TACTICAL will be released on Thanksgiving Day, with the promise of a plug-and-play ease to help cyber investigators quickly get the evidence they need from live systems.
Cyber Monday Security Risks Are All Business
Commentary  |  11/25/2009  | 
Why Cyber Monday for the online shopping surge? Because for many, Monday's the first working day after Thanksgiving. Which means they can do their online shopping on business time, on the business dime, using business machines over business connections. You may not be able -- or want -- to do anything about the productivity drop, but at least you can tell your people to shop safely.
Exploit Code Targets Internet Explorer Zero-Day
Commentary  |  11/24/2009  | 
There's exploit code circulating that can be used to target certain versions of Internet Explorer; Microsoft says it's working on a fix.
Employees Stealing Data At Frightening Rate
Commentary  |  11/24/2009  | 
Two new studies indicate that workers are not only able to steal confidential data from employers, they're ready and willing to do so -- at rates that are troubling, if not downright frightening.
The Future Of Storage As A Virtual Machine
Commentary  |  11/24/2009  | 
In our last few entries we looked at what can be done today with storage software running as virtual machines. In this entry we will consider what the future holds for storage as a virtual machine. Storage as a virtual machine may be the only way you apply data services in the future.
New Tool For Centralizing Windows Logs
Commentary  |  11/23/2009  | 
Microsoft has always overlooked centralized logging in Windows. To date, the most effective way to centralize Windows Event Logs has been through event log to syslog tools and custom agents for the various SIEM solutions. But now there's a new kid on the block with a full-featured agent that goes beyond what's previously been offered for free.
New Facebook Worm Warning: Wanna See Something Hot?
Commentary  |  11/22/2009  | 
A new Facebook worm is making the rounds today, with a brilliant landing page that has already caused many infections.
Chrome OS Security: Initial Impressions
Commentary  |  11/20/2009  | 
There is much developers can do to build a secure operating system when limits are set on what devices are supported, and there's no regard for compatibility with all types of software applications. I'm sure it's a luxury some software designers in Redmond and Cupertino certainly envy. But that's the clean shot Google has with its new Chrome OS.
Storage As A Virtual Machine Details - Part Two
Commentary  |  11/20/2009  | 
Completing our storage-as-a-virtual-machine re-interviews were conversations with EMC and Nexenta. While our last entry focused on systems that leverage virtual machines to deliver block I/O storage services, these two companies are delivering something a little different: NAS services and backup services.
Twilight's Latest Hacking: Vampire Byte Scam Targets Stephanie Meyer Fans
Commentary  |  11/20/2009  | 
Scareware masquerading as an interview with Twilight author Stephanie Meyer is making the rounds, and fast. Time to pass the word to any of your employees who are Twilight-obsessed and, more importantly, have them pass the word to their kids who may well be chasing the phenomenon on the same computers their parents may use for work-at-home.
Narrowing The Compromise-To-Discovery Breach Time Line
Commentary  |  11/20/2009  | 
Security professionals are intrigued by the fact that for approximately half of the data breach cases Verizon Business works, the victim doesn't realize there's a problem until more than six months after the incident occurred. Another stunning fact: More than two-thirds of incidents we work are discovered by a third party.
Scrutinizing The White House Cyberspace Policy Review
Commentary  |  11/20/2009  | 
A lot was expected of the White House Cyberspace Policy Review, but like in previous cases, disappointment is what we find.
Two Ways To Encrypt Your Database
Commentary  |  11/20/2009  | 
File/operating-system-level encryption is actually implemented outside the database engine, but it's still a form of database encryption. It's referred to as "transparent" encryption because it doesn't require any changes to the database or to the calling application.
Phishers Target Apple Customers In New Attack
Commentary  |  11/18/2009  | 
While OS X is targeted by far fewer viruses than other operating systems, that's not stopping fraudsters from trying to hit Mac users with fraud.
Push-Button Forensics
Commentary  |  11/18/2009  | 
Digital forensics, computer forensics, or whatever you want to call the investigation and analysis of computer systems and digital media, is a challenging field that requires deep knowledge of the systems being analyzed. There is a push, however, to lower the barrier to entry for lesser skilled analysts to perform digital forensics using modern forensic tools.
Don't Just Manage Your Data -- Know It
Commentary  |  11/18/2009  | 
There are countless ways to manage data available to the storage manager today, but most of these solutions look at data as a problem. Few take an asset view of data, understanding that it is something to be cultivated and leveraged for future use. Storage managers should do more than just manage their data; they should know it.
NSA Iraqi Computer Attacks And U.S. Defense
Commentary  |  11/18/2009  | 
A National Journal Magazine article called "The Cyberwar Plan" has been making waves the last few days in our circles -- it's about how cell phone and computer attacks were supposedly used against Iraqi insurgents by the National Security Agency (NSA). Its significance is far more than just what's on the surface, however.
How To Hack A Brazilian Power Company
Commentary  |  11/17/2009  | 
The recent "60 Minutes" story claiming hackers had caused power outages in Brazil was (likely) bogus, but that doesn't mean hackers can't do this. The story got widespread coverage in the Brazilian press, which meant hackers there were suddenly interested in the subject. And just days later, chatter appeared on Brazilian hacker Websites expressing interest in ONS, Brazil's national power grid operator, and its Website.
Free SMB Firewall Offered By Astaro
Commentary  |  11/17/2009  | 
Security firm Astaro is offering free firewalls to small and midsized businesses starting today. Too good to be true? Maybe not.
There's More To Pen Tests Than Just Breaking In
Commentary  |  11/16/2009  | 
I have a love/hate relationship with Twitter. Sometimes it seems like there's nothing but garbage on there. But on other days, the wealth of information is so much better than what's in my RSS reader.
Storage As A Virtual Machine Part Two - Details
Commentary  |  11/16/2009  | 
As we dive deeper into the storage as a virtual machine concept we went back and re-interviewed some of the players in the storage as a virtual machine market, focusing specifically on what they provide. The first two conversations were with DataCore and HP. We will cover more suppliers as the series unfolds.
The Web Application Security New Top 10 Risks
Commentary  |  11/15/2009  | 
With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant, and welcome, change in how the organization rates Web application security weaknesses.
Never Underestimate The Power Of A Botnet
Commentary  |  11/14/2009  | 
A deputy director at the Office of Cyber Security in the Cabinet Office in the U.K. said in a recent Home Affairs Committee meeting that botnets are not a big risk for debilitating attacks against the government's networks, but are more likely to be used as a tool to extort money.
Knowing When To Call In Reinforcements
Commentary  |  11/13/2009  | 
Knowing when you're in over your head is important. In the world of the IT security professional, it is especially critical given your knowledge and experience will determine your actions and influence your reports to management. Those reports will, in turn, impact their decisions (or at least they should).
A Peek At Transparent Database Encryption
Commentary  |  11/13/2009  | 
There are several different ways to encrypt data stored within databases -- some residing inside the database, others outside. You can encrypt data programmatically at the application layer or at the database layer, and automatically by the OS/file system or by the database engine itself. Each has a slightly different use case, with differing degrees of data security, complexity, and impact on performance.
Stopping Insider Attacks
Commentary  |  11/12/2009  | 
There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.
Data Thinkage
Commentary  |  11/12/2009  | 
Data storage capacity is cheap. For most environments obtaining enough capacity is no longer a challenge, it is managing that capacity that becomes the problem. Growth, especially in unstructured data, continues unabated. Deciding what data should be where is one of the biggest challenges that the storage manager has to face today. Users don't want to think about where data should be stored and storage managers don't have the time to think about it.
Spammers Pumping More (And More) Of The Same: Kaspersky
Commentary  |  11/12/2009  | 
Spam rates jumped a full percentage point, to past 86% of all e-mail this past September, according to a report from Kaspersky Labs. So what else is new? Not a lot. And that's what's scary.
Measuring Insider Risk
Commentary  |  11/11/2009  | 
The key thing to remember when dealing with insiders is they have access and, in most cases, will exploit the weakest link that gives them the greatest chance of access, while minimizing the chances that they get caught. Why try to break through a firewall and gain access to a system with a private address when you can find someone behind the firewall with full access to the system?
Conficker's Next Move
Commentary  |  11/11/2009  | 
I recently attended a presentation about the current state of the Conficker worm, delivered by Felix Leder and Tillman Werner, two German security researchers from the University of Bonn.
Panda Launches SMB Cloud Security
Commentary  |  11/10/2009  | 
Building on its cloud-based anti-virus service for consumers, Panda Security is launching Panda Cloud Protection, a hosted security service for small and midsized businesses.
Partially Spilled COFEE
Commentary  |  11/10/2009  | 
It turns out the version of COFEE (Computer Online Forensic Evidence Extractor) posted to BitTorrent sites is incomplete: It contains only 45 commands, whereas Microsoft claims the tool executes more than 150 commands. It grabs neither browser history nor password hashes. It runs only built-in Windows commands, sysinternals tools, and resource kit tools.
Cell-Level Encryption
Commentary  |  11/10/2009  | 
A friend of mine was wondering why cell-level encryption isn't used often in databases. What would seem to be a fast and efficient approach to data security actually requires a complex implementation. Cell-level encryption stands in stark contrast to commonly adopted transparent forms of database encryption, and helps us identify hidden costs and complexity.
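As an added example that is not code from either database-encryption entry above, the following Python script makes the hidden cost concrete for both the layered overview (application/database layer versus OS/file system or engine) and cell-level encryption in particular. It uses only the standard library, so the cipher is a stand-in (an HMAC-SHA256 keystream XORed with the plaintext under a random nonce; unauthenticated, for demonstration only; a real deployment would use an AEAD such as AES-GCM from a vetted library). The keys, the `patients` table and the SSN values are constructed; the `blind_index` helper is an assumption about how equality lookups are typically kept working, not something the articles describe.

```python
"""Cell-level encryption inside a relational table, and what it costs.

Added example, not code from the original articles. Only the Python
standard library is used, so the cipher is a stand-in: an HMAC-SHA256
keystream XORed with the plaintext under a fresh random nonce. That gives
randomized ciphertext for the demonstration but is NOT authenticated;
a real deployment would use an AEAD such as AES-GCM from a vetted library.
Keys, table, and SSN values below are all constructed for the example.
"""
import hashlib
import hmac
import os
import sqlite3

ENC_KEY = hashlib.sha256(b"example-cell-encryption-key").digest()  # constructed
IDX_KEY = hashlib.sha256(b"example-blind-index-key").digest()      # constructed
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n bytes of keystream as HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_cell(plaintext: str) -> bytes:
    """Randomized encryption: the same plaintext gives a different blob each call."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(ENC_KEY, nonce, len(data))))


def decrypt_cell(blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ENC_KEY, nonce, len(body)))).decode()


def blind_index(plaintext: str) -> bytes:
    """Keyed, deterministic tag stored beside the ciphertext so the database
    can still answer equality lookups without ever seeing the plaintext."""
    return hmac.new(IDX_KEY, plaintext.encode(), hashlib.sha256).digest()


def build_table(ssns):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, ssn_ct BLOB, ssn_idx BLOB)")
    conn.execute("CREATE INDEX ix_ssn ON patients (ssn_idx)")
    conn.executemany(
        "INSERT INTO patients (ssn_ct, ssn_idx) VALUES (?, ?)",
        [(encrypt_cell(s), blind_index(s)) for s in ssns],
    )
    return conn


def find_by_ssn(conn, ssn: str):
    """Equality search: the database compares blind-index tags via ix_ssn and
    returns only the matching ciphertexts, which the application decrypts."""
    rows = conn.execute("SELECT ssn_ct FROM patients WHERE ssn_idx = ?", (blind_index(ssn),))
    return [decrypt_cell(ct) for (ct,) in rows]


def find_by_prefix(conn, prefix: str):
    """Prefix/range search: no predicate can be pushed into the database, so
    every row is pulled back and decrypted client-side. Returns (matches,
    rows_decrypted) to make that cost visible."""
    matches, touched = [], 0
    for (ct,) in conn.execute("SELECT ssn_ct FROM patients"):
        touched += 1
        pt = decrypt_cell(ct)
        if pt.startswith(prefix):
            matches.append(pt)
    return matches, touched


if __name__ == "__main__":
    db = build_table(["123-45-6789", "123-99-0000", "987-65-4321", "123-45-6789"])
    print("equality:", find_by_ssn(db, "123-45-6789"))
    print("prefix 123:", find_by_prefix(db, "123"))
```

The contrast with transparent (file-system or engine-level) encryption is the point: there, the engine still sees plaintext and every query, index and ORDER BY keeps working. Here the application owns the keys, equality survives only because of the extra indexed column, and anything beyond equality degenerates into a full table scan plus client-side decryption. The blind index also leaks which rows share a value, which is a trade-off to make consciously.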
Storage Services As A Virtual Machine
Commentary  |  11/10/2009  | 
Traditionally, storage systems and other storage-related services have been delivered as customized systems. This was done to maintain performance and to reduce support costs for the manufacturers. As server technology continues to increase in performance, the concept of providing storage services as a standalone application installed on your own server hardware is becoming increasingly popular. Now, with virtualization, the storage-as-an-application concept is being applied to virtual machines.
USB-Based Incident Response Tools
Commentary  |  11/9/2009  | 
Last month's "Using USBs For Incident Response" blog garnered a lot of e-mail responses asking about what tools are available, free or commercial, and how easy they were to use. While there isn't an "EASY" button that makes incident response and digital forensics easy for the layperson, there are tools that enable first responders to arrive on scene, pop a USB flash drive (or hard drive), grab volati
Despite Security Concerns, Social Networks Soar
Commentary  |  11/9/2009  | 
Security firm Palo Alto Networks peeked at the application use of more than 200 organizations around the globe, and found social networking growth on corporate networks is on fire. Will security concerns be the extinguisher? Don't count on it.
Insider Threat Reality Check
Commentary  |  11/9/2009  | 
Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?
Jailbroken iPhones Targeted By Rick-Rolling Worm
Commentary  |  11/8/2009  | 
The SANS Institute Internet Storm Center is warning users of jailbroken iPhones that a new worm is targeting their hacked phones. So how dangerous is it, really?
WiFi = Mobile Phone
Commentary  |  11/6/2009  | 
Traditionally, we've thought of WiFi as the way we connect to the Internet from our notebook computers. This is rapidly changing, with definite implications for security pros.
Microsoft To Patch 15 Vulnerabilities
Commentary  |  11/5/2009  | 
As part of its monthly ritual, Microsoft in its Security Bulletin Advance Notification for this month warned of a number of nasty vulnerabilities in its operating systems and productivity software.
Dissecting Microsoft's Latest Security Intelligence Report
Commentary  |  11/5/2009  | 
This week Microsoft published volume 7 of its Security Intelligence Report (SIR), covering January 2009 through June 2009.
Global CIO: Oracle Trapped By EU Politics As Sun Employees Suffer
Commentary  |  11/5/2009  | 
As thousands of Sun employees face layoffs, the EU ninnies focus on conjuring up an outcome that will make them seem less pathetic than they truly are.
Practical Analysis: The Fastest-Growing Security Threat
Commentary  |  11/5/2009  | 
SQL injections, more than any other exploit, can land your company in trouble. So why aren't you worried about them?