Commentary

Content posted in July 2010
Be Careful What You Search For
Commentary  |  7/31/2010  | 
Viruses and malware used to spread and try to find computer users to infect. Today, research released at DefCon 18 shows that, increasingly, search engines are bringing users straight to the malware.
Real-World Attacks With Social Engineering Toolkit
Commentary  |  7/30/2010  | 
Social engineering has always been a penetration tester's (and hacker's) most effective tool. I would say it's their best weapon, but not everyone is good at the softer, human side of social engineering. However, when it comes to the technical side, the tools are getting better and better, including the latest version of the Social Engineering Toolkit released at BSides Las Vegas on Wednesday.
Rite Aid's $1 Million Settlement: More Good Enforcement News
Commentary  |  7/30/2010  | 
Rite Aid Corp. having to pay a $1 million settlement over possible Health Insurance Portability and Accountability Act (HIPAA) violations is another step in the right direction for enforcement.
Four Must-Have SMB Security Tools
Commentary  |  7/28/2010  | 
Regardless of their size, many SMBs still need to meet strict compliance regulations, such as PCI and HIPAA. In addition to any special requirements, there are a few security technologies every small business should have in place. Here are my four SMB security must-haves.
Verizon Data Breach Report: Some Big Surprises
Commentary  |  7/28/2010  | 
One of the most comprehensive data breach reports available found the number of breaches to have declined significantly last year, and significant changes in how attackers are infiltrating companies.
Making Storage Management Easier
Commentary  |  7/27/2010  | 
As we discussed in our last entry, no matter how easy the storage protocol or storage system you select, at some point someone is going to have to interact with the storage itself. It may be a problem that needs to be resolved or it may be a need to provision a new server, but something will come up. In most mid-sized data centers, managing storage is no one's full-time job. It is something that is dealt with
What You Should Know About Tokenization
Commentary  |  7/26/2010  | 
A week ago Visa released a set of best practices and recommendations for tokenization. Unfortunately, "best practices" leaves plenty of room for poor implementations.
Mozilla Patches Critical Firefox Security Patch
Commentary  |  7/26/2010  | 
Just a few days after issuing more than a dozen security updates, many of them critical, the foundation that publishes the popular Firefox web browser issues a patch to fix its patch.
Killed By Code: The FDA And Implantable Devices Security
Commentary  |  7/26/2010  | 
A new report from the Software Freedom Law Center deals with the security implications of bionic medical devices being implanted into the human body.
Security BSides Grows, But Not Too Much
Commentary  |  7/23/2010  | 
The security "unconference" is back in Vegas, and this time the setting is a gated private resort with multiple swimming pools and a sand beach, and the number of attendees signed up so far for the free -- yes, free -- event has doubled. But that doesn't mean Security BSides will lose the intimate vibe that its organizers envisioned and encouraged when they first launched it in Las Vegas a year ago.
Healthcare Breaches Spin Out Of Control
Commentary  |  7/22/2010  | 
If the past week is any indication (and I'm afraid it is), health care companies are doing an abysmal job at protecting personal health care data.
The Value Of A Storage Administrator
Commentary  |  7/22/2010  | 
Storage hardware and software manufacturers are trying to make the process of managing storage easier. There are simplified storage infrastructures, simplified storage management systems, and software to monitor the storage environment, but the reality is that even the smallest of storage environments needs someone focused on the task of making sure that everything is operating as planned.
Conquering Large Web Apps With Solid Methodology
Commentary  |  7/21/2010  | 
This is one of those weeks where I'm trying to wrap up as much as possible before I'm out of the office for Black Hat, BSides, and Defcon. One of those things on my list is a Web application assessment for a client that's a monstrous, open-source beast with subapplications bolted on from all over the place and tons of places for vulnerabilities to hide.
Storage Protocol Explosion
Commentary  |  7/21/2010  | 
Today's storage manager is faced with more shared storage connectivity choices than ever. Off the top of my head there are SAS, iSCSI, NAS, AoE, FCoE and, of course, good old Fibre Channel. One would think that at some point there will be a shake-out in storage, but that doesn't seem to happen, and when it does, it seems like the casualties are replaced with two or three new ones.
The Cash Drawer Lock Box And SMB Security
Commentary  |  7/21/2010  | 
Since information security first sprouted into its own industry, the small business market has been the red-headed stepchild of the newfound art.
Hackers Unite!
Commentary  |  7/20/2010  | 
I'm like the proverbial kid in a candy store. This my favorite time of year. Between Black Hat, Defcon, and BSides, you have feds, criminals, security experts, reporters, and everyone in between congregating in the city of sin. What's not to like? Here's a rundown of these events, my picks for talks not to be missed, and an invitation.
Detection And Defense Of Windows Autorun Locations
Commentary  |  7/19/2010  | 
As an incident responder and forensic investigator, there's a truth we expect malware to always follow: Persistence is a must to survive. OK, exceptions exist. But the general rule of thumb is that malware seeks to persist, and it will hook itself into common areas on a victim Windows machine to do so.
SIEM Ain't DAM
Commentary  |  7/19/2010  | 
I've been getting questions about the difference between system information and event management (SIEM) and database activity monitoring (DAM) platforms. It's easy to get confused given their similarities in architecture. There's also a great deal of overlap in events that each collects and the way they handle information. Couple that with aggressive marketing claims, and it seems impossible to differentiate between the two platforms.
Microsoft Warns Of Critical Vulnerability
Commentary  |  7/18/2010  | 
On Friday, Microsoft warned its customers that attackers are targeting an unpatched, critical Windows vulnerability.
Mozilla Raises Security Bug Payout
Commentary  |  7/16/2010  | 
If you are a bug finder, finding security flaws in Mozilla software products, such as the Firefox web browser, just became much more profitable after the foundation raised its bug bounty from $500 to $3,000. But will this move help improve your security?
Does Data Retention Really Protect A Corporation?
Commentary  |  7/16/2010  | 
As I have gone through the series on developing a keep-data-forever strategy, one of the criticisms has been about the risk to the organization. The conventional wisdom is that email stores and PST files are fertile ground for opposing counsel looking for evidence, and that by keeping that data forever you are exposing yourself to further risk. My opinion is that you are at no greater risk than with a strict r
Patching And Risk Mitigation
Commentary  |  7/15/2010  | 
I followed an interesting discussion on a DBA chat board this week regarding whether to patch a database. The root issue for the DBA was that a minor vulnerability had been corrected by a recent patch release, but fear that a multi-patch install process could fail halted the upgrade.
IOV - A Different Way To Wire Once
Commentary  |  7/14/2010  | 
There is much discussion about wire-once strategies. The concept sounds like nirvana for storage administrators and network managers: don't worry about the backend protocol, just use 10GbE and run the protocol that you need at the time, whether iSCSI, NAS or FCoE. Wire-once is not without its challenges, and a compelling alternative may be I/O Virtualization (IOV).
DEFCON: Bridging The Gap Between Hardware And Software Hacking
Commentary  |  7/14/2010  | 
I got into hardware hacking as a kid, but never quite stuck with it. Electronics weren't safe back then, and I often bridged that world with the physical to give my G.I. Joe something new to conquer. That interest has been renewed.
5 Ways To Fix The iPhone 4's Antenna Problem
Commentary  |  7/14/2010  | 
Having trouble with the signal performance of your iPhone 4? Here are five ways to solve the "death grip" problem, plus some recommendations for Apple.
Patch Tuesday: XP SP 2, Windows Help Center Patches Coming
Commentary  |  7/12/2010  | 
Tuesday, Microsoft said, it will patch the critical Windows Help and Support Center vulnerability that has been widely attacked. This month's Patch Tuesday will also be the last day of support for Windows 2000 and Windows XP Service Pack 2.
Friction-Free Security
Commentary  |  7/12/2010  | 
As security professionals, we want our network to be as secure as possible. The exception is if we're hired to break into it, but even then our job is to help secure the network to prevent future break-ins. The problem is that in securing our networks, it's easy to forget about the user and the "business."
Containing The Cost Of Keeping Data Forever - Capacity
Commentary  |  7/12/2010  | 
As we stated when we began the Keeping Data Forever strategy, the reason we can even consider this a viable strategy is that technology has provided us with solutions to the challenges associated with it. In this entry we will look at some of the ways to contain the costs associated with this strategy, starting with capacity costs.
Would 'Robin Sage' Have Made So Many Friends Without The Hot Pics?
Commentary  |  7/9/2010  | 
One of the intriguing and slightly disturbing aspects of the "Robin Sage" social network experiment is the role the phony profile's looks had in, well, attracting people. Men especially. There -- I said it.
Primary Storage In The Cloud, Ready For Prime Time
Commentary  |  7/9/2010  | 
Fast, inexpensive primary storage that can store all your files and host all your applications that you don't have to have in your data center sounds like nirvana, but it may be coming sooner than you think. In some situations it is ready now.
Facebook And National Security: Two Cases
Commentary  |  7/9/2010  | 
Dark Reading's Kelly Jackson Higgins wrote about the fake Robin Sage account, which duped many in vetted circles to add "Robin" as a Facebook friend. Now from Israel comes a story of how soldiers from a secret IDF base created a Facebook group for it.
Social Networking: Keeping It Real
Commentary  |  7/8/2010  | 
Another demonstration on the security and privacy implications of using social networking sites reveals their real weakness. And I say: so what.
How Intelligent Does Your Storage Need To Be?
Commentary  |  7/7/2010  | 
We have always counted on storage systems to provide software based services like snapshots, RAID protection, replication and thin provisioning, but now operating systems (OS) or file systems are offering much of those capabilities. Do we need the storage systems to offer them as well?
Virtual Machines For Fun, Profit, And Pwnage
Commentary  |  7/2/2010  | 
Virtualization has turned the IT world upside down. It is used everywhere these days, from desktops to servers and data centers to the "cloud." It has also presented itself as a double-edged sword to security professionals.
Is Google Stealing Our Digital Freedom?
Commentary  |  7/2/2010  | 
With the Fourth Of July here, it's a good time to focus on freedom. It seems that often when new technology and new ways of getting revenue advance in an industry, those who don't understand that technology are exploited by those who do. Google's model seems to increasingly fit this mold, and the example it is setting is driving others down the same path.
The Costs Of Finite Data Retention
Commentary  |  7/2/2010  | 
In closing out our series about keeping data forever we will examine the financial aspects of keeping data forever. What can be done to curtail costs and how does it compare to the more traditional finite data retention model? In this entry we will look at the costs of a finite data retention policy.
The Kraken Botnet Returns
Commentary  |  7/1/2010  | 
The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.