Targeted Threats, Cloud Security Will Top RSA Talk
It's that time of year again, when thousands of security professionals converge here at the Moscone Center in San Francisco to hear about the latest security technologies and trendiest threats. What will top this year's lists?
Intel Hacked At Same Time As Google
Intel's annual report revealed that the company was successfully hacked this past January, around the same time as the Chinese Google hacks were grabbing all the headlines.
Can Rip And Replacing Storage Solutions Be Good?
When you hear the term "rip and replace," it is not typically considered a good feature. In fact, most of the time you hear it, it will be from a vendor stating that their solution is NOT rip and replace, which they of course expect you to take as a good thing. Are there times, though, where rip and replace could be a good thing?
Is That A Rootkit In Your Pocket?
Computer scientists from Rutgers University have demonstrated how smart phones could be as susceptible to rootkit infiltration as PC and server operating systems.
Fight Malware With Software Restriction Policies
Good news for Department of Defense folks. They can now start using USB flash drives again -- provided there's absolutely no other way to transfer the data from point A to point B. OK, so maybe it isn't time to rejoice just yet.
Firewalls And DIY Plug-Ins
Let's face it: Users love the concept of adding free plug-ins and apps to customize and empower the base software tool, whether it's in a smartphone or browser. Doing so is fun, it's cool, and it lets them personalize their software to augment or shape how they use it. Even firewall management has joined the plug-in party.
P2P Business Problems Growing: FTC Issues Warnings
The FTC's announcement that nearly 100 private and public organizations had insecurely transmitted confidential, personal data over P2P networks is a wakeup call not just to those receiving the warnings, but to every business whose employees may be using file-sharing technology -- and especially to those who don't know whether employees are P2Ping or not.
Storage Services In The Infrastructure
In our last entry we discussed using storage services as part of the hypervisor in a virtual server environment. In this entry we will explore embedding those services as part of a SAN infrastructure itself. In this deployment the storage services that we have come to count on are essentially part of the SAN switch instead of on the storage controller.
Enhancing Botnet Detection With Manpower
The average computer user (a.k.a. most of my family) doesn't have a fighting chance. I hate to say it, but the malware we're seeing on a daily basis makes this scary fact ever more true. There is absolutely no way that most home users are going to be able to protect themselves against modern malware like Zeus. Malware authors have become extremely good and proficient at what they do because it's making them money.
Adobe, Mozilla Users At Risk To Remote Code Execution Flaws
Software maker Adobe Systems has certainly had its share of vulnerabilities recently. This week a security researcher added to the company's pain when he announced a vulnerability in Adobe Download Manager that allows remote attacks. Mozilla Firefox users are also at risk from attacks against an unpatched flaw in that browser.
Boosting Your Defenses Against Botnet Infections
In the past few weeks since the Google/China incident, we have seen a number of interesting blog posts and white papers that provide further details on some of the techniques used by the attackers.
Storage Service At The Hypervisor
In our last entry we discussed what storage services are and reviewed the traditional manner in which they are delivered. They are the capabilities that make a storage system more than just an array and this intelligence typically lives on the storage controllers. There are several alternative ways to deliver these services and one of the newest is to leverage server virtualization. Storage service at t
Will Cyber Shockwave Make Some Waves?
With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.
Mozilla's Add-On Policies And Spyware Surprises
I've been using FlashGot on and off for years. It is a useful plug-in that helps you download multiple files from the same Web page "automagically." So when Firefox informed me about a new update for an add-on I've used for years, I clicked "OK" and updated it, only to find a surprise the next time I used Google.
Penetration Testing Is Sexy, But Mature?
The buzz generated from Core Security's move to integrate with the Metasploit Framework has left me a little puzzled. Don't get me wrong: I love Metasploit. It's a fantastic tool that has certainly been put through its paces as a pen-testing tool -- it's free, open source, and extremely accessible to aspiring security professionals. And, of course, I've heard great things about Core's flagship product, Impact Pro. But the deal just seems like an odd move.
Where Will You Get Your Storage Services From?
Storage services are the intelligence added to storage systems that makes them more than just a bunch of disk drives in a cabinet. This can range from the very basic RAID and LUN management functions to the more advanced snapshot and replication. The type of services a storage system offers is, to a large degree, where the vendors do battle. The differentiation between the services offered is often what makes you want one solution over the other.
Is It Time For Software Liability?
MITRE and the SANS Institute, along with more than 30 U.S. and international cyber security organizations, released today an updated list of the 25 most dangerous programming mistakes. Software acquisition contract language, designed to protect software buyers from being held liable for faulty code, was also made available.
Measuring Database Security
How much does it cost to secure your database, and how do you calculate that? One of the more vexing problems in security is the lack of metrics models for measuring and optimizing security efforts. Without frameworks and metrics to measure the efficiency and effectiveness of security programs, it's difficult both to improve processes and to communicate our value to nontechnical decision makers.
CISOs Help Deliver A Better Business
Most organizations with Chief Information Security Officers that function independently from, but work closely with IT operations, experience less data loss, less business downtime, and also ease some of the pain associated with regulatory audits. Oh yeah: they also help deliver higher revenue, profit, and retain customers.
During BlackHat, David Litchfield disclosed a security issue with the Oracle 10g and 11g database platforms. The vulnerability centers on the ability to exploit low security privileges to compromise Oracle's Java implementation, resulting in a total takeover of the database. While the issue appears relatively easy to address, behind the scenes this disclosure has raised a stir in database security circles. The big issue is not the bug or misconfiguration issue, or whatever you want to call it.
Sights, Sounds (And Snow) Of ShmooCon 2010
There are hacker conferences, and then there's ShmooCon. The annual East Coast convention was held during a major snowstorm in Washington, D.C., but that didn't stop researchers from sharing their latest exploits, hardware, and software inventions, and huddling over discussions about the latest security issues.
Changing Backup's Image
In a recent briefing with Vizioncore, they introduced their Backup 2.0 concept, which is based on the value of image-based backups. The concept of image-based backups is not new, and there are several companies that offer image-based backup technology, like NetApp, Symantec, Syncsort and others. Thanks to the wide acceptance of disk as a backup repos
How Much Crypto You Really Need
Last month an international team of researchers announced they had managed to factor a 768-bit RSA key. This raises interesting questions about handling encryption and planning ahead in your security strategy.
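The practical follow-up to a factoring record is an inventory: which of your keys are at or below the broken size, and which fall under the floor you have chosen going forward? The following is an added example, not code from the Dark Reading post, that audits RSA public keys with nothing but the Python standard library. It parses the SubjectPublicKeyInfo DER from a PEM file, reads the modulus bit length, and grades it against two thresholds: 768 bits (the public factoring record the post refers to) and 2048 bits (the floor NIST SP 800-131A set when it deprecated 1024-bit RSA). The thresholds, the helper that builds test keys, and the moduli fed to it are this example's own assumptions; the moduli are constructed integers of the right size, not real RSA keys.

```python
"""Audit RSA public keys by modulus size, stdlib only (added example)."""
import base64
import textwrap

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Policy thresholds chosen for this example: 768 bits is the factoring record
# discussed above; 2048 is the NIST SP 800-131A floor after 1024-bit RSA was deprecated.
FACTORED_BITS = 768
MIN_ACCEPTABLE_BITS = 2048


# ---- minimal DER encoder, used only to construct test keys ----
def _der_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(x):
    body = x.to_bytes((x.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:  # pad so the INTEGER is not read as negative
        body = b"\x00" + body
    return _der(0x02, body)


def build_rsa_spki_der(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key (constructed input; n need not be a real modulus)."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))
    bit_string = _der(0x03, b"\x00" + rsa_public_key)  # leading 0x00 = no unused bits
    return _der(0x30, alg + bit_string)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")


# ---- the audit side: parse a PEM public key and grade the modulus ----
def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def rsa_modulus_bits(der):
    """Bit length of n from a SubjectPublicKeyInfo DER; rejects non-RSA keys."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsa_public_key, 0)      # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def assess_rsa_pem(pem):
    """Return (modulus_bits, verdict) for a PEM-encoded RSA public key."""
    bits = rsa_modulus_bits(pem_to_der(pem))
    if bits <= FACTORED_BITS:
        verdict = "broken"        # at or below the public factoring record
    elif bits < MIN_ACCEPTABLE_BITS:
        verdict = "deprecated"    # not yet factored, but below the policy floor
    else:
        verdict = "acceptable"
    return bits, verdict


if __name__ == "__main__":
    # Constructed moduli: odd integers of the target size, not real RSA keys.
    for size in (768, 1024, 2048):
        pem = to_pem(build_rsa_spki_der((1 << (size - 1)) | 0xB5))
        print(size, assess_rsa_pem(pem))
```

Point the `assess_rsa_pem` function at the keys you actually deploy (exported as PEM public keys) and the "broken" and "deprecated" buckets become your migration list; the parser deliberately refuses non-RSA keys rather than guessing at their strength.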
Dark Reading Launches New Database Security Newsletter
One of the things we've learned in publishing Dark Reading is that a pretty wide range of people work under the title of "security professional." There are techies and managers, risk managers and privacy people, white hats and black hats. Not surprisingly, they aren't all interested in the same news and information.
Speeding Incident Response With 'Indicators' Of A Compromise
Advanced persistent threat: I like the term -- it sounds evil, and it is...well, at least I think it is. There has been a lot of news, opinions, and genuine FUD on APT since Google went public with news of its breach several weeks ago. Until then, I really don't think anyone ever paid much attention to what APT was, even though well-respected people, like Richard Bejtlich and the folks at Mandiant, have been talking about it for a while.
Blackberry Users Vulnerable to Applications That Spy
In early December news broke about a security researcher who developed Spyphone, an application that uses the public iPhone API to grab data from other iPhone applications. This week a security researcher demonstrated a similar application that snoops on the Blackberry.
The Importance Of QoS In Automated Tiering
In a conversation I had a few weeks ago with Pillar Data's CEO, Mike Workman, we discussed his recent blog entry on the "Auto Tiering of Data". In this blog he brings up several important considerations as vendors and users begin to examine automated tiering. One I'd like to elaborate on is QoS in Automated Tiering.
Amazon's SimpleDB Not Your Typical Database
Several cloud providers offer databases specifically designed for cloud deployment. Amazon's SimpleDB, while technically a database, deviates from what most of us recognize as a database platform. Although SimpleDB is still in prerelease beta format, developers have begun designing applications for it.
National Cyber Security: Are We Focused On The Right Stuff?
With major cyber-security initiatives by the Department of Homeland Security underway, and the U.S. House of Representatives passing nearly $400 million in IT security research, I wonder if the efforts are being placed where they are most needed, and if more would be achieved by focusing on application security - and unleashing the bug finders.
Web App Scanners Missing Lots Of Vulnerabilities
Web application vulnerability scanners may miss as many as half the vulnerabilities, according to a researcher who found mounds of missed vulnerabilities and false positives, as well as laggardly performance.
'Brand' Your Employees
You might want your product to be in the news every day, and for your PR to create miracles for you. But if you want attention, then your company must speak out on big security issues and news.
Anatomy Of A Modern Hack
In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.
Litchfield's Last Hurrah
Yesterday was David Litchfield's last day at NGS Software, and he commemorated the milestone by dropping a zero-day vulnerability in Oracle's 11g database at Black Hat DC. He also surprised the audience -- and possibly himself -- by awarding Oracle a "B+" final grade for security in 11g, after nearly 10 years of keeping Oracle on its toes by calling out vulnerabilities in its database technology.
Updated Tool Targets Facebook Security
Security issues surrounding social networking sites make me cringe. I understand their practical applications, but they are also the platform for easy delivery of exploits through social engineering. I've seen many systems compromised by an unthinking click on a Facebook link, and users' nonchalance on similar sites and their trust in the Internet frustrate me to no end.
Cloud Storage Under Attack
There is a case of piling on going on right now as it relates to cloud storage. While I agree that the term has been hijacked, stretched and bent by more than a few storage vendors, that does not mean that the whole concept is bad. While the name is as poorly chosen as "social media", the concept is dead on.
Tool Helps Prepare For Disaster
When I see an event like the Haiti earthquake, I worry that we treat disaster preparedness much like we do data backup -- we don't really think about it until it's too late. We are faced with putting in place a plan to deal with disaster, and then realize we aren't properly prepared. But I might have found a tool that can help.
Security Scoreboard Lists Services By Specialty
A new service, Security Scorecard, aims to simplify the search for qualified security specialists by listing them, categorizing them, and making them searchable. Service providers will have the option of buying premium display space.
Mac vs. PC Security Not The Real Question
The argument over whether Macs are more secure than Windows PCs may never be resolved, but it's no longer the relevant issue, according to a survey of security experts.
When Software Glitches Are Fatal -- Literally
Hearing about how many companies were hacked during the Aurora attacks due to a software vulnerability in Microsoft's Internet Explorer (IE) is frustrating. Now another attack is ready to be unveiled at Black Hat DC that also uses an IE "feature." The thought of what can and has happened because of these flaws is scary -- theft of personal information, espionage, identity theft, etc. -- but what happens when software glitches lead to death?