Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
|
Oracle Patches Get Bad Rap
On the surface, a recently published survey by the Independent Oracle Users Group (IOUG) bears some seemingly frightening numbers. According to the study, which was conducted during the middle of 2008, 26 percent of 150 respondents admitted that their respective companies require the quarterly Oracle patches to be applied upon release. Nineteen percent said their companies don't have any policies at all
Proving The ROI
With budgets and IT staff stretched to thinner levels than ever, change is going to come slowly this year and proving the ROI of each project is going to be critical not only to enable the approval of the next project, but possibly to keep your job.
PCI Compliance Questions? You're Hardly Alone.
The more companies breached, the likelier we are to hear more clamor for for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.
Better Storage Practices To Improve Backup
Backup is the thorn in the side of many otherwise smoothly running IT operations. There is probably little coincidence that the newest hire is almost always assigned the backup process or the ramification for missing the assignments meeting. The truth is that backup should be simple -- all you're doing is copying data to tape. The problem in general has nothing to do with the backup process, it has more to do with how primary storage is managed and optimized.
IR/Forensic Favorites Get Streamlined
A couple of my favorite incident response and forensic tools were recently updated with some great new features to help streamline their use. The first two tools are from Mandiant and work hand-in-hand, Memoryze and Audit Viewer. If you've not used Memoryze yet, it deserves your attention. I've found it to be extremely useful in incident response situations dealing with malware.
MessageLabs: Recession Spam Volume Shows No Recession In Spam
Spam subject lines reflect public concerns, curiosities, interests -- and fears, as the surge in recession-oriented spam shows. This latest surge includes a tricky search engine link tactic that you need to be aware of.
Consumer Password Status Quo
So what's it going to take for consumers to take security seriously? Apparently a lot more than the nearly 10 million cases of identity fraud and massive breaches at their favorite discount retail chains. If they haven't already had their credit card accounts compromised, most everyone knows of someone who has. But apparently that's not incentive enough for them to
Breach! More Payment Processor Problems
The news of another -- another! -- payment processor data breach makes it clear that the crooks have selected processing companies as the battleground of choice in their efforts to grab your customers' credit card information.
Tool Validation: Trust, But Verify
I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools befor
Layoffs: Close Security Doors Before Showing Employees The Exit Door
Security and system access issues must be addressed long before pink slips are distributed. Some observers, in fact, view laid off employees as one of the biggest network and data security threats your company will face.
TCG Drive Encryption Goes Mainstream
The Trusted Computing Group's newly released specifications for the management of hard drive encryption are now being adopted by a number of vendors -- Seagate arguably the most prominent, but also including Fujitsu, Toshiba, Hitachi, Wave Systems, CryptoMill, WinMagic, Secude, and McAfee.
WinFE: Windows Bootable Forensic CD
I've been using the Helix incident response and forensics LiveCD since it was first created. It has been an invaluable tool, but sometimes it falls short on hardware support for various SATA/SAS and RAID controllers. In those situations, creating a forensic image came down to a "best effort" exercise during which I did my best to prevent modification to the original evidence while still getting an image I could analyze later. WinFE is here to help.
Disaster Recovery: Got A Plan? Know Where It Is?
Do you have a formal, written disaster recovery plan? Do you know where it is? Just as important, do others know where it is in case something happens to you?
CAPTCHA Cnondrum: Automated Attacks Trump Human-Entry Defenses
Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.
Conficker's Three-Way Knockout
Malware analysis is a highlight of what I do, but it's not something I get to do on a weekly basis. The cases I deal with are a bit sporadic and clustered, showing an obvious ebb and flow based on current trends. This is one of those heavy times, thanks to Conficker and its friends.
Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)
Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?
Busted: 3 Myths About Stealing Identify From Electronic Tax Returns
No one (accountants excepted) looks forward to the quarterly and annual scrambles to pay taxes. And though electronic filing has made the process easier, it creates an opening for identify theft that could put you and your business at risk.
Microsoft Puts $250,000 Bounty On Downadup Bot Author
Even as the Downadup (aka Conficker) infection spreads at a rate of millions of compromised machines a day spreads, Microsoft is leading a group of security organizations and companies in attempt to nab the malware's author(s). There's a $250,000 price on the malware creator's head(s)now.
Getting Data To The Cloud
In a recent entry I gave some examples of how cloud storage is maturing. There are companies offering cloud based storage solutions both as a service, like Amazon and Nirvanix, and as a product to sell to service providers or for internal use, like Bycast and
The Problem With Snapshots
Storage solutions have come a long way, but there are areas that need improvement. The next two entries I am going to focus on two of those areas; snapshots and high availability. This entry we will pick on snapshots.
Apple Drops Major Security Patch
Apple today released a bevy of patches that, by my quick count, fix about 55 bugs in its flagship OS X operating system as well as Java. Fortunately, through Software Update, the patch updates for Java for Mac OS X 19.5 Update 3, and Security UPdate 2009-001, which total 47 MB, went smoothly for this user.
The Cost Of Doing Nothing
Cost containment seems to be THE word in storage right now. One of the options for containing costs is to archive old data off primary storage as described in our Archiving Basics article. A common thought, however, is that instead of creating a disk archive, just keep expanding primary storage. Isn't it cheaper to add a shelf of storage instead of developing a whole new storage tier?
Will You Be My Botnet? Storm Returns For Valentine's
Valentine's Day has been Botnet Day for as long as there have been botnets, and 2009 is no exception. An evolved and wily version of the Storm botnet is producing as many as a thousand variations of itself a day.
New And Improved Storm Botnet Morphing Malware
Waledac (which was previously known as Storm) is once again spewing gads of Valentine's Day spam and malware.
Path To Becoming An Infosec Pro
Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.
Google Apps: Right For The Small Business Buck? (And Does Google Even Want Your Bucks?)
Some new Google Apps security measures go a ways toward increasing the platform's safety for business use. But which businesses? Google stance is increasingly aiming the top end Apps package at the enterprise customers it most clearly covets. Where does that leave the small and midsized business?
Could Slimmer OSes Lead To Better Mobile Device Security?
Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?
President Obama Seeks Immediate Cyber Review
The White House yesterday instructed the National Security and Homeland Security Advisers to immediately conduct a review of all of the federal government's cybersecurity plans and programs.
Cloud Storage's Killer App... Geographic Collaboration
Cloud storage can be used for backups, archives, and extra disk space, but the ability to collaborate on documents, even if it is in a sequential process, could be the most significant.
Kaspersky Hacked; Anti-Virus Firm Learns Of Intrusion From Hacker Blog
Antivirus maker Kaspersky Lab acknowledged that its customer databases had been hacked, and that the hack had been in place for 11 days without Kaspersky's awareness.
Metasploit To (Almost) Go SaaS
The Metasploit hacking tool is going the direction of many other IT security tools: it's going to be delivered, in part, as a service. But will corporate security managers upload critical data to a third party to test to see if it can be cracked?
Free Helix IR Tool Sells Out To Cash In
All good things must come to an end. That's the sentiment I'm seeing on a few forensic mailing lists in regard to the demise of the free version of the Helix incident response and forensic LiveCD.
Identity Theft Rises, ID Thieves' Take Falls
The number of identity theft cases jumped more than 20% in 2008, but the amount the crooks got per theft dropped by more than 30%, a result of savvier consumers and businesses acting more swiftly when identity is taken. New study just out from Javelin Strategy & Research.
Startup May Just Digitize Your Wallet
I despise having to carry paper. You also can add credit and ATM cards, driver's licenses, insurance cards -- all of this stuff we need to carry every day to that list, too. While we worry about hackers cracking retailers' Web sites and getting our credit card or financial information -- a lost wallet or purse can easily end up being a much bigger nightmare.
A startup from Bend, Ore., believes it may have a solution.
PHPBB Password Analysis
A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
Companies Lack Respect For Infosec Pros
While a lot of my friends are off having a blast as ShmooCon in D.C., many more of my infosec friends and I are, instead, wishing we were there. It's tempting to rant about how little infosec training many of us actually get, but there's another problem I've seen several examples of lately -- infosec professionals getting stuck wearing the hat of sysadmin or network administrator.
Workers Working Around Web Filters, Surfing Where They Please
A new study confirms what we already know: Workers are finding ways around Web filters and watchware, using business computers to surf at will.
An SSD Strategy We Can Believe In?
NetApp this week began to enhance its solid-state disk strategy. I have been critical of traditional storage suppliers' efforts in trying to incorporate SSD into their overall storage offerings. This time someone is finally getting close.
Cisco Warns Of Significant Wireless Vulnerability
Cisco today warned its customers of vulnerabilities in its Cisco Wireless LAN Controllers, Cisco Catalyst 6500 Wireless Services Modules, and Cisco Catalyst 3750 Integrated Wireless LAN Controllers gear. The four vulnerabilities, which are not related to one another, could enable attackers to escalate privileges on some equipment or launch sustained denial-of-service attacks.
Cutting Windows Admin Rights Cuts Windows Risks 92%: BeyondTrust
Reducing the number of users granted Windows administrative rights reduces the number of exposed Windows vulnerabilities by over 90%, according to access management company BeyndTrust.
Targeted Attacks Keep Rolling
There's a stealthy Trojan, named Bankpatch.com, that is circulating in Denmark. Unlike most Trojans, which aim to grab information from wherever they can, this one is targeting specific banks.
PCI DSS Is A Process, Not A Checklist
Data breaches happen. We all know this simple fact. It's plastered on the news and the Internet. We hear about the big ones from co-workers, friends, and family. The recent Heartland Payment Systems breach, reported here on Dark Reading, is a testament.
Twitter Clickjacking Hack Potential Revealed
Twitterjacking? Tweethacking? Too early for a clever name yet, but a proof of concept for a clickjacking hack aimed at Twitter's "What Are You Doing" update has been released. The hacks themselves may not be far behind.
Free Fuzzing Tool For Oracle Databases
The word "free" in front of any technology is always enticing, but even more so in the current economic climate. It's not unusual for security or other technology vendors to toss out the occasional freebie tool, which, of course, they also hope will stimulate interest in their other (price-tagged) products. The latest freebie utility is FuzzOr, an open-source fuzzing tool released today by Sentrigo for detecting potential security flaws in Oracle database a
Archives Dirty Little Secret
If you have read this blog for any length of time, you know that I am a big believer in archiving. Moving data off primary storage and onto a disk-based archive just makes sense and saves dollars. That said, there is one downside to archiving; you have to really like your choice of archive solutions (software and hardware) because leaving IS painful.
Think Electronic Passports Are Secure? Think Again
With a little time, and a $250 investment, a security researcher says he has shown how easy it is to capture electronic passport data, and then create cloned passports.
Data Breach Costs Climb Past $6.6 Million: Most Breaches Caused By Negligence
The business cost of a data breach is skyrocketing, according to a new study from Ponemon Institute and security firm PGP, with cost per breached company averaging $6.6 million. Most breaches are the result of insider negligence.
KACE Automates Systems And Security Management In One Appliance
Updating software and installing security patches is tedious work, but it's crucial to keeping your IT systems -- from end-user applications to data centers -- running efficiently and safe. A new integrated management appliance may ease some of the pain.
Cost Of Data Breaches Keeps Going Up
The costs associated with a data breach involving consumer records have been steadily rising, according to the Ponemon Institute's fourth annual study, Cost Of A Data Breach. The survey took a close look at 43 organizations that reported a breach in 2008 -- ranging from the loss of 4,200 records to more than 113,000.
Going Public About Corporate Espionage
Corporate espionage probably goes on every day. I suspect we don't hear about it because of the high stakes involved; companies don't want their reputation tarnished as the victim or perpetrator of espionage, especially if the intrusion was successful and trade secrets were lost. Another more probable reason is that it goes completely unnoticed. And in the few cases we do hear about, the victim is sometimes publicly calling the attacker out to embarrass them and win some public opinion in their
|
Everything You Need to Know About DNS AttacksIt's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask.
Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted.
Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
1 Comments
