Dangerous Internet Explorer QuickTime Flaw Surfaces
Spanish security researcher Ruben Santamarta has discovered a way to exploit Apple QuickTime on Microsoft Windows systems and bypass advanced security defenses to take complete control of targeted systems.
The Essentials Of Database Assessment
The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.
Microsoft Software Security Development Lifecycle (SDL) Unleashed
While many industry watchers may not acknowledge it, Microsoft has been one of the few software makers to put a serious, and highly public, effort behind the development of secure software. Now, much of what the company has learned about secure software development is going to be even more accessible.
Make Security About Security, Not Compliance
The lack of follow-through and belief in any type of lifecycle for security is something that really bothers me when working with clients who are looking only to meet the minimum compliance requirements.
Are We Missing the Point?
Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?
Buy Storage From A Storage Vendor
As a company gets larger it becomes increasingly difficult for it to innovate, and storage is a market that thrives on innovation. It has not become commoditized like the server market, despite multiple predictions to the contrary. Server vendors have repeatedly bought their way into storage, attracted by the higher margins. My recommendation is to resist and buy your storage from a storage-only, or at least storage-focused, vendor.
The Case For Zero-Day Penetration Testing
Penetration testing is a tightrope act where you balance existing knowledge with a mixture of freshly released and zero-day knowledge. As a penetration tester, I often hear the argument that zero-day attacks do not belong in a test, that there is no time to prepare for them, so of course the target will be compromised. But I have the exact opposite philosophy: zero-day testing should occur to gauge an organization's response to such an attack. If mitigating controls are in place, an unknown att
What Solid State Storage Form Factor Is Best?
Solid state storage comes in several form factors. Each has its value to both suppliers and users of the technology. In the data center there seem to be three popular choices emerging: solid state disk drives, PCIe solid state cards, and solid state appliances or memory arrays. Choosing the right one for your environment is critical in making sure that you get the most out of your solid state investment.
What Storage Is Best For Server Virtualization, Part II
In my last entry, the first part of this series, we discussed some of the key capabilities to look for when selecting a server virtualization strategy, but as a friend of mine pointed out, I never really declared one storage type the best. In this entry we will start to give you some steps to follow in making that selection.
CloudAudit Gets Real
For enterprises, one of the biggest challenges with cloud computing is transparency into the operational, policy and regulatory, and security controls of cloud providers. For cloud providers, one of their pressing challenges is answering all of the audit and information-gathering requests from customers and prospects. CloudAudit aims to change that.
Intel Buys McAfee: Is The PC Security Model Dead?
When it comes to emerging platforms like smartphones, tablets, and embedded networked systems, the old model of separate antivirus security companies is officially dead. And Intel's purchase of McAfee puts a stake in it.
What Storage Is Best For Server Virtualization?
One of the biggest challenges to expanding a virtual server infrastructure is dealing with the storage challenges that often come with the deployment. The way storage is used in the virtual infrastructure is unlike most use cases. In this environment we want the same storage area to be accessed by almost every connecting server and each of those servers may have dozens of workloads trying to access that storage at the same time.
Embedded Systems Can Mean Embedded Vulnerabilities
I'll admit that I've been having a lot of fun with the VxWorks vulnerabilities lately, but it's important to step back and look at our networks to see what other devices could be sitting there waiting to be the next harbingers of doom.
Anti-Virus Suite Protection? Not Much
It's no secret that anti-virus software doesn't do much to protect you against new and rapidly moving viruses, so it shouldn't come as much of a surprise that these suites don't do much good defending you against exploit code, either. A fresh evaluation from NSS Labs reveals just how vulnerable you really are.
Database Threat Modeling And Strip Poker
Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.
Advanced Persistent Threat: The Insider Threat
APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerability these threats compromise is the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.
Is Dell Set To Become A Storage Juggernaut?
Dell today announced its intention to buy 3PAR. Assuming for a moment that everything goes through and Dell is successful at the integration strategy, they suddenly become a force to be reckoned with in the storage industry. 3PAR, EqualLogic, and Ocarina Networks, all supported by Perot Services, make for a compelling combination.
Analysis: Healthcare Breach Costs May Reach $800 Million
According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.
The Value Of Bursting
Having things burst in the data center does not seem like a very good idea, but the term really applies to allowing components of the data center to expand on the fly when there is a peak load and then contract when it has passed. The value of bursting is that it allows you to design infrastructure for the norm rather than the worst case, saving capital.
Gaining A Foothold By Exploiting VxWorks Vulns
The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.
Apple Plugs Jailbreak Flaw, Exploit Code Released
About a week after JailbreakMe 2.0 surfaced, Apple has plugged the flaws in iOS that made the Jailbreak possible. If you've not jailbroken your phone, you'll want to get the update ASAP as the exploit code has been released.
Girl Quits Job! Oh, What A Meme
Who hasn't yet seen the "Girl quits her job on dry erase board, emails entire office" meme? It hit the Net like a hurricane, and I liked it immediately. In fact, fake or not -- I still do. What can we learn from it?
Cleaning The Digital Dump
One of the challenges that IT faces is getting rid of all the old, unused files that are clogging up primary storage. Primary storage can hold data that has not been modified, or even opened, for years. The challenge is how to deal with the digital dump, especially since most IT people don't have the authority to delete other people's files.
Post Patch Tuesday. Don't Stop There
While you may be well underway testing and deploying this month's hefty batch of patches from Redmond, it's never too soon to ask: how secure do the rest of your applications and servers look?
Protecting Your Network From The Unpatchable
When I first saw the F-Secure blog post on installing Microsoft's fix for the LNK vulnerability on a Windows XP SP2 host, I couldn't help but ask, "Why?" Seriously. Why would anyone running a Windows XP host not be running with the latest service pack and security updates? And then it hit me.
How To Protect Oracle Database Vault
In his "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple of weeks ago, Esteban Martinez Fayo showed several exploit methods that could be used to disable Oracle Database Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implemented all of Oracle Database Vault's functions.
How RIM Could Fail
Of the handset choices that are sold broadly on the market, the BlackBerry platform is the most inherently secure. To appeal to the business market it targets, it had to be better than any other handset or mobile solutions vendor. But with Saudi Arabia blocking the service and other countries expected to follow -- coupled with mistakes on its new flagship BlackBerry Torch -- RIM could be on the brink of a Palm-like failure.
Yet Another Facebook Malware Evolution
Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.
Does Every Data Center Need Storage?
As a business grows it reaches a size where it needs servers for certain functions: an email server, an application server for business financials, and maybe a collaboration server to track and maintain documents.
Brace For Heavy Patch Tuesday
This Tuesday Microsoft is expected to release a record number of security bulletins that affect many versions of Windows and an assortment of applications.
Data Visualization For Faster, More Effective Pen Testing
"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.
The Truth About iSCSI
Over the next several entries we are going to explore several of the protocols that are available to IT managers as they try to select a protocol for use in their environments. First up is iSCSI. It is the protocol that, it seems, most will look to first, because it is believed to be both more cost effective and easier to use than the currently more commonplace Fibre Channel. The truth about iSCSI, though, is that it is a real storage protocol and it needs to be treated like one.
On iPhone, Jailbreaking, And Security
It may not be the fashionable decision, but I choose not to jailbreak my iPhone. That's primarily out of security concerns. However, it turns out that Jailbreaking (read: pwning) an iPhone is now as simple as visiting a web page.
Using The 36 Stratagems For Social Engineering
I attended several great presentations during last week's BSides and Defcon. HD's VxWorks, egyp7's phpterpreter, and David Kennedy's SET talks were a few of my favorites, with great content and demos, but one that I found especially refreshing and fun was Jayson Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering."
Managing The Mixed Storage Environment
In my last entry we covered the value of having just one device to manage. What if that is not realistic for your environment? Either you selected a storage system that won't scale, you have business reasons for multiple units, or the environment is just too large or too diverse to put everything on one storage platform. You need tools that allow the different systems to be managed more easily.
VxWorks Vulnerability Tools Released
If you haven't started scanning your network for UDP port 17185, then you had better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and chief architect of the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.