Oracle Patches Get Bad Rap
On the surface, a recently published survey by the Independent Oracle Users Group (IOUG) bears some seemingly frightening numbers. According to the study, which was conducted during the middle of 2008, 26 percent of 150 respondents admitted that their respective companies require the quarterly Oracle patches to be applied upon release. Nineteen percent said their companies don't have any policies at all
Proving The ROI
With budgets and IT staff stretched to thinner levels than ever, change is going to come slowly this year and proving the ROI of each project is going to be critical not only to enable the approval of the next project, but possibly to keep your job.
PCI Compliance Questions? You're Hardly Alone.
The more companies breached, the likelier we are to hear more clamor for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.
Better Storage Practices To Improve Backup
Backup is the thorn in the side of many otherwise smoothly running IT operations. There is probably little coincidence that the newest hire is almost always assigned the backup process or the ramification for missing the assignments meeting. The truth is that backup should be simple -- all you're doing is copying data to tape. The problem in general has nothing to do with the backup process, it has more to do with how primary storage is managed and optimized.
IR/Forensic Favorites Get Streamlined
A couple of my favorite incident response and forensic tools were recently updated with some great new features to help streamline their use. The first two tools are from Mandiant and work hand-in-hand, Memoryze and Audit Viewer. If you've not used Memoryze yet, it deserves your attention. I've found it to be extremely useful in incident response situations dealing with malware.
Consumer Password Status Quo
So what's it going to take for consumers to take security seriously? Apparently a lot more than the nearly 10 million cases of identity fraud and massive breaches at their favorite discount retail chains. If they haven't already had their credit card accounts compromised, most everyone knows of someone who has. But apparently that's not incentive enough for them to
Breach! More Payment Processor Problems
The news of another -- another! -- payment processor data breach makes it clear that the crooks have selected processing companies as the battleground of choice in their efforts to grab your customers' credit card information.
Tool Validation: Trust, But Verify
I received a lot of great feedback after my Friday post about WinFE, the bootable Windows Forensic Environment. The biggest question was whether it really is treating the drive as read-only. In my closing, I said I'd do more testing than just building the CD and making sure it booted up in my virtual machine environment. As security professionals and forensic investigators, don't you all validate your tools befor
TCG Drive Encryption Goes Mainstream
The Trusted Computing Group's newly released specifications for the management of hard drive encryption are now being adopted by a number of vendors -- Seagate arguably the most prominent, but also including Fujitsu, Toshiba, Hitachi, Wave Systems, CryptoMill, WinMagic, Secude, and McAfee.
WinFE: Windows Bootable Forensic CD
I've been using the Helix incident response and forensics LiveCD since it was first created. It has been an invaluable tool, but sometimes it falls short on hardware support for various SATA/SAS and RAID controllers. In those situations, creating a forensic image came down to a "best effort" exercise during which I did my best to prevent modification to the original evidence while still getting an image I could analyze later. WinFE is here to help.
CAPTCHA Conundrum: Automated Attacks Trump Human-Entry Defenses
Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.
Conficker's Three-Way Knockout
Malware analysis is a highlight of what I do, but it's not something I get to do on a weekly basis. The cases I deal with are a bit sporadic and clustered, showing an obvious ebb and flow based on current trends. This is one of those heavy times, thanks to Conficker and its friends.
Data Compliance: Massachusetts Law Has National Implications (If It Ever Gets Finished)
Massachusetts' decision to revise its exceptionally tough new data privacy law (which will exert effects far beyond the Commonwealth's borders) has a lot of businesses (not to mention their lawyers and compliance advisers) wondering just what to do and when. How do you know what to comply with, and what to finesse? How far do you go in complying with a law that may be changed in the next few months?
Microsoft Puts $250,000 Bounty On Downadup Bot Author
Even as the Downadup (aka Conficker) infection spreads at a rate of millions of compromised machines a day, Microsoft is leading a group of security organizations and companies in an attempt to nab the malware's author(s). There's a $250,000 price on the malware creator's head(s) now.
Getting Data To The Cloud
In a recent entry I gave some examples of how cloud storage is maturing. There are companies offering cloud based storage solutions both as a service, like Amazon and Nirvanix, and as a product to sell to service providers or for internal use, like Bycast and
The Problem With Snapshots
Storage solutions have come a long way, but there are areas that need improvement. In the next two entries I am going to focus on two of those areas: snapshots and high availability. In this entry we will pick on snapshots.
Apple Drops Major Security Patch
Apple today released a bevy of patches that, by my quick count, fix about 55 bugs in its flagship OS X operating system as well as Java. Fortunately, through Software Update, the patch updates for Java for Mac OS X 19.5 Update 3 and Security Update 2009-001, which total 47 MB, went smoothly for this user.
The Cost Of Doing Nothing
Cost containment seems to be THE word in storage right now. One of the options for containing costs is to archive old data off primary storage as described in our Archiving Basics article. A common thought, however, is that instead of creating a disk archive, just keep expanding primary storage. Isn't it cheaper to add a shelf of storage instead of developing a whole new storage tier?
Will You Be My Botnet? Storm Returns For Valentine's
Valentine's Day has been Botnet Day for as long as there have been botnets, and 2009 is no exception. An evolved and wily version of the Storm botnet is producing as many as a thousand variations of itself a day.
Path To Becoming An Infosec Pro
Last Friday, my blog entry discussed how many companies out there are disrespecting IT security by inundating infosec professionals with system administration and network management tasks to the point that security is put on the back burner. I've received some excellent feedback from readers, including an e-mail asking what route someone should take to become an infosec professional.
Could Slimmer OSes Lead To Better Mobile Device Security?
Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?
President Obama Seeks Immediate Cyber Review
The White House yesterday instructed the National Security and Homeland Security Advisers to immediately conduct a review of all of the federal government's cybersecurity plans and programs.
Metasploit To (Almost) Go SaaS
The Metasploit hacking tool is going the direction of many other IT security tools: it's going to be delivered, in part, as a service. But will corporate security managers upload critical data to a third party to test to see if it can be cracked?
Free Helix IR Tool Sells Out To Cash In
All good things must come to an end. That's the sentiment I'm seeing on a few forensic mailing lists in regard to the demise of the free version of the Helix incident response and forensic LiveCD.
Identity Theft Rises, ID Thieves' Take Falls
The number of identity theft cases jumped more than 20% in 2008, but the amount the crooks got per theft dropped by more than 30%, a result of savvier consumers and businesses acting more swiftly when identity is taken. New study just out from Javelin Strategy & Research.
Startup May Just Digitize Your Wallet
I despise having to carry paper. You can add credit and ATM cards, driver's licenses, insurance cards -- all of this stuff we need to carry every day -- to that list, too. While we worry about hackers cracking retailers' Web sites and getting our credit card or financial information, a lost wallet or purse can easily end up being a much bigger nightmare.
A startup from Bend, Ore., believes it may have a solution.
PHPBB Password Analysis
A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. This is like candy to us security professionals because it's hard data we can use to figure out how users choose passwords. I wrote a program to analyze these passwords looking for patterns, and came up with some interesting results.
Companies Lack Respect For Infosec Pros
While a lot of my friends are off having a blast at ShmooCon in D.C., many more of my infosec friends and I are, instead, wishing we were there. It's tempting to rant about how little infosec training many of us actually get, but there's another problem I've seen several examples of lately -- infosec professionals getting stuck wearing the hat of sysadmin or network administrator.
An SSD Strategy We Can Believe In?
NetApp this week began to enhance its solid-state disk strategy. I have been critical of traditional storage suppliers' efforts in trying to incorporate SSD into their overall storage offerings. This time someone is finally getting close.
Cisco Warns Of Significant Wireless Vulnerability
Cisco today warned its customers of vulnerabilities in its Cisco Wireless LAN Controllers, Cisco Catalyst 6500 Wireless Services Modules, and Cisco Catalyst 3750 Integrated Wireless LAN Controllers gear. The four vulnerabilities, which are not related to one another, could enable attackers to escalate privileges on some equipment or launch sustained denial-of-service attacks.
Targeted Attacks Keep Rolling
There's a stealthy Trojan, named Bankpatch.com, that is circulating in Denmark. Unlike most Trojans, which aim to grab information from wherever they can, this one is targeting specific banks.
Twitter Clickjacking Hack Potential Revealed
Twitterjacking? Tweethacking? Too early for a clever name yet, but a proof of concept for a clickjacking hack aimed at Twitter's "What Are You Doing" update has been released. The hacks themselves may not be far behind.
Free Fuzzing Tool For Oracle Databases
The word "free" in front of any technology is always enticing, but even more so in the current economic climate. It's not unusual for security or other technology vendors to toss out the occasional freebie tool, which, of course, they also hope will stimulate interest in their other (price-tagged) products. The latest freebie utility is FuzzOr, an open-source fuzzing tool released today by Sentrigo for detecting potential security flaws in Oracle database a
Archives Dirty Little Secret
If you have read this blog for any length of time, you know that I am a big believer in archiving. Moving data off primary storage and onto a disk-based archive just makes sense and saves dollars. That said, there is one downside to archiving; you have to really like your choice of archive solutions (software and hardware) because leaving IS painful.
KACE Automates Systems And Security Management In One Appliance
Updating software and installing security patches is tedious work, but it's crucial to keeping your IT systems -- from end-user applications to data centers -- running efficiently and safe. A new integrated management appliance may ease some of the pain.
Cost Of Data Breaches Keeps Going Up
The costs associated with a data breach involving consumer records have been steadily rising, according to the Ponemon Institute's fourth annual study, Cost Of A Data Breach. The survey took a close look at 43 organizations that reported a breach in 2008 -- ranging from the loss of 4,200 records to more than 113,000.
Going Public About Corporate Espionage
Corporate espionage probably goes on every day. I suspect we don't hear about it because of the high stakes involved; companies don't want their reputation tarnished as the victim or perpetrator of espionage, especially if the intrusion was successful and trade secrets were lost. Another more probable reason is that it goes completely unnoticed. And in the few cases we do hear about, the victim is sometimes publicly calling the attacker out to embarrass them and win some public opinion in their