Commentary

Content posted in February 2009
Oracle Patches Get Bad Rap
Commentary  |  2/27/2009  | 
On the surface, a recently published survey by the Independent Oracle Users Group (IOUG) bears some seemingly frightening numbers. According to the study, which was conducted during the middle of 2008, 26 percent of 150 respondents admitted that their respective companies require the quarterly Oracle patches to be applied upon release. Nineteen percent said their companies don't have any policies at all
Proving The ROI
Commentary  |  2/26/2009  | 
With budgets and IT staff stretched to thinner levels than ever, change is going to come slowly this year and proving the ROI of each project is going to be critical not only to enable the approval of the next project, but possibly to keep your job.
PCI Compliance Questions? You're Hardly Alone.
Commentary  |  2/26/2009  | 
The more companies are breached, the likelier we are to hear more clamor for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.
Better Storage Practices To Improve Backup
Commentary  |  2/25/2009  | 
Backup is the thorn in the side of many otherwise smoothly running IT operations. It is probably no coincidence that the newest hire is almost always assigned the backup process, or that backup duty is the ramification for missing the assignments meeting. The truth is that backup should be simple -- all you're doing is copying data to tape. The problem in general has nothing to do with the backup process; it has more to do with how primary storage is managed and optimized.
IR/Forensic Favorites Get Streamlined
Commentary  |  2/25/2009  | 
A couple of my favorite incident response and forensic tools were recently updated with some great new features to help streamline their use. The first two tools are from Mandiant and work hand-in-hand, Memoryze and Audit Viewer. If you've not used Memoryze yet, it deserves your attention. I've found it to be extremely useful in incident response situations dealing with malware.
MessageLabs: Recession Spam Volume Shows No Recession In Spam
Commentary  |  2/25/2009  | 
Spam subject lines reflect public concerns, curiosities, interests -- and fears, as the surge in recession-oriented spam shows. This latest surge includes a tricky search engine link tactic that you need to be aware of.
Consumer Password Status Quo
Commentary  |  2/24/2009  | 
So what's it going to take for consumers to take security seriously? Apparently a lot more than the nearly 10 million cases of identity fraud and massive breaches at their favorite discount retail chains. If they haven't already had their credit card accounts compromised, most everyone knows of someone who has. But apparently that's not incentive enough for them to
Breach! More Payment Processor Problems
Commentary  |  2/24/2009  | 
The news of another -- another! -- payment processor data breach makes it clear that the crooks have selected processing companies as the battleground of choice in their efforts to grab your customers' credit card information.
Tool Validation: Trust, But Verify
Commentary  |  2/23/2009  | 
I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools befor
Layoffs: Close Security Doors Before Showing Employees The Exit Door
Commentary  |  2/23/2009  | 
Security and system access issues must be addressed long before pink slips are distributed. Some observers, in fact, view laid-off employees as one of the biggest network and data security threats your company will face.
TCG Drive Encryption Goes Mainstream
Commentary  |  2/20/2009  | 
The Trusted Computing Group's newly released specifications for the management of hard drive encryption are now being adopted by a number of vendors -- Seagate arguably the most prominent, but also including Fujitsu, Toshiba, Hitachi, Wave Systems, CryptoMill, WinMagic, Secude, and McAfee.
WinFE: Windows Bootable Forensic CD
Commentary  |  2/20/2009  | 
I've been using the Helix incident response and forensics LiveCD since it was first created. It has been an invaluable tool, but sometimes it falls short on hardware support for various SATA/SAS and RAID controllers. In those situations, creating a forensic image came down to a "best effort" exercise during which I did my best to prevent modification to the original evidence while still getting an image I could analyze later. WinFE is here to help.
Disaster Recovery: Got A Plan? Know Where It Is?
Commentary  |  2/20/2009  | 
Do you have a formal, written disaster recovery plan? Do you know where it is? Just as important, do others know where it is in case something happens to you?
CAPTCHA Conundrum: Automated Attacks Trump Human-Entry Defenses
Commentary  |  2/19/2009  | 
Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.
Conficker's Three-Way Knockout
Commentary  |  2/18/2009  | 
Malware analysis is a highlight of what I do, but it's not something I get to do on a weekly basis. The cases I deal with are a bit sporadic and clustered, showing an obvious ebb and flow based on current trends. This is one of those heavy times, thanks to Conficker and its friends.
Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)
Commentary  |  2/18/2009  | 
Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?
Busted: 3 Myths About Stealing Identity From Electronic Tax Returns
Commentary  |  2/17/2009  | 
No one (accountants excepted) looks forward to the quarterly and annual scrambles to pay taxes. And though electronic filing has made the process easier, it creates an opening for identity theft that could put you and your business at risk.
Microsoft Puts $250,000 Bounty On Downadup Bot Author
Commentary  |  2/17/2009  | 
Even as the Downadup (aka Conficker) infection spreads at a rate of millions of compromised machines a day, Microsoft is leading a group of security organizations and companies in an attempt to nab the malware's author(s). There's a $250,000 price on the malware creator's head(s) now.
Getting Data To The Cloud
Commentary  |  2/17/2009  | 
In a recent entry I gave some examples of how cloud storage is maturing. There are companies offering cloud based storage solutions both as a service, like Amazon and Nirvanix, and as a product to sell to service providers or for internal use, like Bycast and
The Problem With Snapshots
Commentary  |  2/13/2009  | 
Storage solutions have come a long way, but there are areas that need improvement. In the next two entries I am going to focus on two of those areas: snapshots and high availability. In this entry we will pick on snapshots.
Apple Drops Major Security Patch
Commentary  |  2/12/2009  | 
Apple today released a bevy of patches that, by my quick count, fix about 55 bugs in its flagship OS X operating system as well as Java. Fortunately, through Software Update, the patch updates for Java for Mac OS X 19.5 Update 3 and Security Update 2009-001, which total 47 MB, went smoothly for this user.
The Cost Of Doing Nothing
Commentary  |  2/12/2009  | 
Cost containment seems to be THE word in storage right now. One of the options for containing costs is to archive old data off primary storage as described in our Archiving Basics article. A common thought, however, is that instead of creating a disk archive, just keep expanding primary storage. Isn't it cheaper to add a shelf of storage instead of developing a whole new storage tier?
Will You Be My Botnet? Storm Returns For Valentine's
Commentary  |  2/12/2009  | 
Valentine's Day has been Botnet Day for as long as there have been botnets, and 2009 is no exception. An evolved and wily version of the Storm botnet is producing as many as a thousand variations of itself a day.
New And Improved Storm Botnet Morphing Malware
Commentary  |  2/11/2009  | 
Waledac (which was previously known as Storm) is once again spewing gads of Valentine's Day spam and malware.
Path To Becoming An Infosec Pro
Commentary  |  2/11/2009  | 
Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.
Google Apps: Right For The Small Business Buck? (And Does Google Even Want Your Bucks?)
Commentary  |  2/11/2009  | 
Some new Google Apps security measures go a ways toward increasing the platform's safety for business use. But which businesses? Google's stance is increasingly aiming the top-end Apps package at the enterprise customers it most clearly covets. Where does that leave the small and midsized business?
Could Slimmer OSes Lead To Better Mobile Device Security?
Commentary  |  2/10/2009  | 
Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?
President Obama Seeks Immediate Cyber Review
Commentary  |  2/10/2009  | 
The White House yesterday instructed the National Security and Homeland Security Advisers to immediately conduct a review of all of the federal government's cybersecurity plans and programs.
Cloud Storage's Killer App... Geographic Collaboration
Commentary  |  2/10/2009  | 
Cloud storage can be used for backups, archives, and extra disk space, but the ability to collaborate on documents, even if it is in a sequential process, could be the most significant.
Kaspersky Hacked; Anti-Virus Firm Learns Of Intrusion From Hacker Blog
Commentary  |  2/10/2009  | 
Antivirus maker Kaspersky Lab acknowledged that its customer databases had been hacked, and that the hack had been in place for 11 days without Kaspersky's awareness.
Metasploit To (Almost) Go SaaS
Commentary  |  2/9/2009  | 
The Metasploit hacking tool is going the direction of many other IT security tools: it's going to be delivered, in part, as a service. But will corporate security managers upload critical data to a third party to test to see if it can be cracked?
Free Helix IR Tool Sells Out To Cash In
Commentary  |  2/9/2009  | 
All good things must come to an end. That's the sentiment I'm seeing on a few forensic mailing lists in regard to the demise of the free version of the Helix incident response and forensic LiveCD.
Identity Theft Rises, ID Thieves' Take Falls
Commentary  |  2/9/2009  | 
The number of identity theft cases jumped more than 20% in 2008, but the amount the crooks got per theft dropped by more than 30%, a result of savvier consumers and businesses acting more swiftly when identity is taken. New study just out from Javelin Strategy & Research.
Startup May Just Digitize Your Wallet
Commentary  |  2/8/2009  | 
I despise having to carry paper. You can also add credit and ATM cards, driver's licenses, insurance cards -- all of the stuff we need to carry every day -- to that list, too. While we worry about hackers cracking retailers' Web sites and getting our credit card or financial information, a lost wallet or purse can easily end up being a much bigger nightmare. A startup from Bend, Ore., believes it may have a solution.
PHPBB Password Analysis
Commentary  |  2/6/2009  | 
A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
Companies Lack Respect For Infosec Pros
Commentary  |  2/6/2009  | 
While a lot of my friends are off having a blast at ShmooCon in D.C., many more of my infosec friends and I are, instead, wishing we were there. It's tempting to rant about how little infosec training many of us actually get, but there's another problem I've seen several examples of lately -- infosec professionals getting stuck wearing the hat of sysadmin or network administrator.
Workers Working Around Web Filters, Surfing Where They Please
Commentary  |  2/6/2009  | 
A new study confirms what we already know: Workers are finding ways around Web filters and watchware, using business computers to surf at will.
An SSD Strategy We Can Believe In?
Commentary  |  2/5/2009  | 
NetApp this week began to enhance its solid-state disk strategy. I have been critical of traditional storage suppliers' efforts in trying to incorporate SSD into their overall storage offerings. This time someone is finally getting close.
Cisco Warns Of Significant Wireless Vulnerability
Commentary  |  2/5/2009  | 
Cisco today warned its customers of vulnerabilities in its Cisco Wireless LAN Controllers, Cisco Catalyst 6500 Wireless Services Modules, and Cisco Catalyst 3750 Integrated Wireless LAN Controllers gear. The four vulnerabilities, which are not related to one another, could enable attackers to escalate privileges on some equipment or launch sustained denial-of-service attacks.
Cutting Windows Admin Rights Cuts Windows Risks 92%: BeyondTrust
Commentary  |  2/5/2009  | 
Reducing the number of users granted Windows administrative rights reduces the number of exposed Windows vulnerabilities by over 90%, according to access management company BeyondTrust.
Targeted Attacks Keep Rolling
Commentary  |  2/4/2009  | 
There's a stealthy Trojan, named Bankpatch.com, that is circulating in Denmark. Unlike most Trojans, which aim to grab information from wherever they can, this one is targeting specific banks.
PCI DSS Is A Process, Not A Checklist
Commentary  |  2/4/2009  | 
Data breaches happen. We all know this simple fact. It's plastered on the news and the Internet. We hear about the big ones from co-workers, friends, and family. The recent Heartland Payment Systems breach, reported here on Dark Reading, is a testament.
Twitter Clickjacking Hack Potential Revealed
Commentary  |  2/4/2009  | 
Twitterjacking? Tweethacking? Too early for a clever name yet, but a proof of concept for a clickjacking hack aimed at Twitter's "What Are You Doing" update has been released. The hacks themselves may not be far behind.
Free Fuzzing Tool For Oracle Databases
Commentary  |  2/4/2009  | 
The word "free" in front of any technology is always enticing, but even more so in the current economic climate. It's not unusual for security or other technology vendors to toss out the occasional freebie tool, which, of course, they also hope will stimulate interest in their other (price-tagged) products. The latest freebie utility is FuzzOr, an open-source fuzzing tool released today by Sentrigo for detecting potential security flaws in Oracle database a
Archives' Dirty Little Secret
Commentary  |  2/3/2009  | 
If you have read this blog for any length of time, you know that I am a big believer in archiving. Moving data off primary storage and onto a disk-based archive just makes sense and saves dollars. That said, there is one downside to archiving; you have to really like your choice of archive solutions (software and hardware) because leaving IS painful.
Think Electronic Passports Are Secure? Think Again
Commentary  |  2/3/2009  | 
With a little time, and a $250 investment, a security researcher says he has shown how easy it is to capture electronic passport data, and then create cloned passports.
Data Breach Costs Climb Past $6.6 Million: Most Breaches Caused By Negligence
Commentary  |  2/3/2009  | 
The business cost of a data breach is skyrocketing, according to a new study from Ponemon Institute and security firm PGP, with cost per breached company averaging $6.6 million. Most breaches are the result of insider negligence.
KACE Automates Systems And Security Management In One Appliance
Commentary  |  2/3/2009  | 
Updating software and installing security patches is tedious work, but it's crucial to keeping your IT systems -- from end-user applications to data centers -- running efficiently and safe. A new integrated management appliance may ease some of the pain.
Cost Of Data Breaches Keeps Going Up
Commentary  |  2/2/2009  | 
The costs associated with a data breach involving consumer records have been steadily rising, according to the Ponemon Institute's fourth annual study, Cost Of A Data Breach. The survey took a close look at 43 organizations that reported a breach in 2008 -- ranging from the loss of 4,200 records to more than 113,000.
Going Public About Corporate Espionage
Commentary  |  2/2/2009  | 
Corporate espionage probably goes on every day. I suspect we don't hear about it because of the high stakes involved; companies don't want their reputation tarnished as the victim or perpetrator of espionage, especially if the intrusion was successful and trade secrets were lost. Another more probable reason is that it goes completely unnoticed. And in the few cases we do hear about, the victim is sometimes publicly calling the attacker out to embarrass them and win some public opinion in their