BNY Mellon Data Breach Potentially Massive
It was in May when we noted an investigation launched by the authorities in the state of Connecticut into a backup tape lost by the Bank of New York Mellon. The results of that investigation are in, and they don't look good.
Brocade's purchase of Foundry Networks seems like a smart move, but technology acquisitions in general, and storage acquisitions in particular, never seem to pay off well. OK, never is a bit extreme, but it does seem rare, and failure here hurts everyone. It distracts the buying company, often ruins the software from the bought company, and leaves users hanging in the balance.
Web Application Hacks: Upping The Arms Race
It doesn't seem that long ago that Web application attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.
Cloud Storage Migrations
Finishing up the migration series, let's talk about how you would migrate out of a storage cloud. With public storage clouds in particular, this can be a critical issue. These services are all in their infancy. What if you pick the wrong one? How can you get your data back?
Security Breach: More Laws Needed. Let's Add Health Care
Earlier this week, colleague Thomas Claburn covered the unfortunate trend that the tally of data breaches this year already has surpassed all breaches recorded for the entire year in 2007. This isn't entirely bad news, as I'll explain.
Best Western Disputes Depth Of Suspected Breach
Disputing the depth of the breach is an understatement. A Best Western spokeswoman just issued a statement to InformationWeek stating that the breach, so far, has only been confirmed to involve 13 guests at a single hotel.
In my last entry on migration migraines we discussed the challenges of moving from one primary storage provider to another and went through a few solutions. One of the best methods to make migrations easier is to keep the amount of data on primary storage at a minimum, but what do you do about archives that will grow to petabytes in size?
Best Western Hotel Chain Pwned
According to news reports that started to surface over the weekend, Best Western, one of the world's largest hotel chains -- if not the largest -- is investigating a breach that purportedly has placed millions of its guests' data at risk, and in the hands of Russian mobsters.
Radio Implants And GPS To Thwart Kidnappers? Don't Think So
In the face of rising kidnappings in Mexico, a number of more affluent Mexicans are opting to have minute radio transmitters implanted under their skin so they can, presumably, be located by the authorities if they're ever kidnapped. This is a bad idea.
Poisoned DNS Woes Grow
It's been weeks since Dan Kaminsky revealed that the Domain Name System (DNS) that underlies the Internet's address routing system was dangerously flawed. It's been a slightly shorter time since patches were released, and yet unpatched DNS vulnerabilities still exist and are beginning to be exploited. Why aren't we surprised?
Moving data between tiers of storage has gotten easier as a result of global file systems and simplified archive software, but upgrading to a new platform ... that is just plain ugly.
FEMA Phones Get Hacked
If you are going to hack a phone system, do you really want to hack DHS? That's what happened this weekend when someone made hundreds of illegal calls from a Federal Emergency Management Agency (FEMA) Private Branch Exchange (PBX) to the Middle East and Asia. It appears that it was the usual culprits of poor change control and misconfigurations that left FEMA's digital doors open.
Sneak Peek: New PCI DSS Rules
Updates to the Payment Card Industry Data Security Standard (PCI DSS) have been released by the PCI Security Standards Council. The updates, hopefully, will bring some clarity to a number of areas that retailers, merchants, and auditors say are foggy.
Are Competitor Security Problems A Business Advantage Worth Talking?
The news that one of the nation's leading student testing companies had its security problems made public by another testing company should give us all pause. How worried do we need to be about competitors blowing the security whistle on us? How worried should that type of competitor be about protecting an industry's customers as well as its own competitive advantage?
Tier 4, The End Of The Trail Of Tiers
Tier 4 once was the simplest of all tiers -- it was just tape. The advent of disk-to-disk backup, which has helped most backup strategies, actually has made the tier itself more complex. I also can take a stand that, in some ways, the introduction of disk has made the process of backup itself more complex.
Security Solutions Arriving for Virtualized Systems
New technology typically emerges one step ahead of needed security checks. That has been the case with the recent push to virtualized systems, although one leading vendor is trying to alter that equation.
Microsoft Snags Another Security Researcher
There was a time when it seemed Microsoft viewed security researchers as the enemy, and a big public relations problem. They were the troublemakers who poked holes in Microsoft's operating systems, browser, and desktop software. And they published exploits that helped to automate attacks. Today, Microsoft announced that it hired one of them.
The Death Of Storage Hardware
My former boss, who is still a mentor today, had a saying: "Success in life is the elimination of variables." Words to live by and words that the storage community must have heard. The biggest variable they deal with when installing a solution into their environment is the variable of, well, their environment.
Vulnerability Management Pays Off: New Aberdeen Report
Think vulnerability management costs too much? Might be time to think again: some companies are generating a whopping 91 percent return on vulnerability management investment, according to a new report from Aberdeen Group.
Microsoft Blue Hat Fall '08: Security Researchers Want To Hack You
If you think the future of hacking may be things like Web applications, social networks, or even infiltrating "The Cloud," you might want to look in a mirror. Sure, all of those things will be targeted, but one of the next frontiers for exploration will be hacking the mind.
Oh, Tier 3...
Remember about five years or so ago when life was simple? We had fast SCSI and Fibre Channel drives for data and we had tape for backup. Seemed perfect. Then came the ATA-based drives, and you were told to move your older data to them and start sending backups to disk. Then powering the data center, and storage in particular, became a problem; another use for ATA: put them in standby mode, spin them down, put them to sleep, and then eventually turn them off. As is usually the case, the hardware i
Cisco Releases Security Advisory On WebEx Client ActiveX Control
According to Cisco, the WebEx Meeting Manager client software includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts. This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code on your system. Your WebEx provider must patch its servers in order for you to be protected. Read on to find out how to check.
MBTA: Legally Shackling Security Researchers Rarely Works
As many security and technology followers know, three MIT students had planned on presenting their findings on a number of vulnerabilities they found in the Massachusetts Bay Transportation Authority's CharlieTicket and CharlieCard payment cards at last week's Defcon conference. That was, until a gag order was put in place to keep them quiet. Today, a federal judge in Boston let the temporary restraining order stand. And so this Saga of Stupidity continues.
Business Lessons From The VMWare Bug (And How It Was Handled)
VMWare's "Your license has expired" bug from earlier this week has been resolved by a patch, but that doesn't mean there aren't large lessons for small and midsize businesses in how VMWare handled the problem and, in a couple of important areas, failed to.
Tiered storage can be difficult to manage and one of the challenges to its acceptance is the amount of effort it takes to move data between those tiers. We've written about several methods to move data between tiers in previous blogs, but in some cases the decision isn't that complicated.
Securing Virtualization, Or Is That Virtualizing Security?
One of the big topics at last week's Black Hat and Defcon security confabs was virtualization security, but few speakers talked about what is really important: how we approach virtualizing security, and how virtualization itself changes the way we approach information security. All of that changed when I was trampled over by The Four Horsemen Of the Virtualization Security Apocalypse.
Alert: Major VMWare Flaw Revealed, Cutting Off Customers' Virtual Machines
A flaw in the latest VMWare hypervisor update resulted in product licenses being declared invalid at midnight, with customers being rendered unable to run virtual machines (and as a result some applications) in their data centers. The license-recognition flaw was announced earlier today and a permanent patch is hoped for by tomorrow.
Threat Report News: The Good, The Bad And The Blended
Spam is down, and so are zombies, but guards have to stay up -- new types of attacks are picking up the slack, and picking it up in particularly nasty ways, according to a quarterly report from Secure Computing. Just because old threats appear to be diminishing doesn't mean they're going away. In fact, they're being blended into more dangerous threats than ever.
Tiered Storage Redefined
In the never-ending world of tiered storage, it really breaks down into two types of storage: transactional (active) and passive storage. For obvious reasons these two worlds overlap, but it is surprising how many levels of granularity there are within these tiers. Gone are the days of three tiers. There are more tiers of storage than ever, so it's helpful to see where we are.
Black Hat Conference: Hackers Hacked At Hacker-Hacking Journalists
This year's Black Hat conference made more than the usual "Hackers Gather" headlines when three journalists were expelled for allegedly sniffing the digital trails of other media representatives covering the conference. That they did so via a wired rather than wireless connection is a reminder that nothing's as secure as we think it might be -- even at a security conference.
Defcon/Black Hat: Social Network Security = Fail!
Social networks such as LinkedIn, MySpace, Facebook, and microblogging sites such as Twitter are all fertile grounds for both social engineering and technical attacks. It can get even nastier when you combine the two. Too bad we haven't learned anything about secure coding practices and proper authentication in the past 20 years or so.
Defcon 16 Kicks Off In Controversy
Would you expect the 16th annual hackfest to begin any other way? Whether it's the arrest of security researchers, or the outed undercover TV producer of years gone by, Black Hat's sister security and hacking conference, Defcon, always causes a stir. This year, it was the press conference that wasn't to be.
Data retention and archiving aren't just for large enterprises. Small to medium-sized businesses need to be concerned about e-mail retention, data retention, and data archiving. I know the first response is, "We are not a public company, we don't have to worry about that." You might be right, but the need to retain and store e-mails and other forms of data goes well beyond being a public company. While I won't go into all the reasons why, here are some simple ones:
Olympic Surfing Can Cost Businesses More Than Time
With the 2008 Summer Games' opening ceremonies now completed (though not broadcast until tonight in the U.S.), it's a safe bet that small and midsize businesses are going to be losing more and more time to employees surfing for Olympic news. Time to be sure their clicks don't turn up malware as well as event standings.
Black Hat: The Microsoft Exploitability Index: More Vulnerability Madness
On Tuesday, Microsoft introduced the "Microsoft Exploitability Index." The software maker hopes this index will help companies more effectively prioritize the patches they need to deploy. I don't believe it will. And it may even make the vulnerability madness that exists today even more maddening.
Black Hat Disputes Charles Edge Talk Even Submitted
Last week we covered two incidents surrounding Apple's (non) participation at this year's Black Hat conference. Apparently, the first was a potential talk pulled from consideration because Apple just doesn't like its engineers explaining anything about how they handle software security. The other, Black Hat contends, was never even submitted.