Powered by InformationWeek Business Technology Network
Enjoyed The July 4th Fireworks? Skip The Waledac Movie
After a few weeks of low activity, the infamous Waledac botnet is lighting things up once again. This time, its hook is the promise of a "fabulous" July 4 video on YouTube.

Social Network Users Increasingly Under Siege
We all knew this was coming. As social networks gained in popularity, they'd become juicier targets. Now we're starting to see some data.

Think PCI DSS Stinks? Here's Your Chance To Deodorize
There have been plenty of complaints about the Payment Card Industry Data Security Standard (PCI DSS) since it went into effect in 2005. Next week, stakeholders will have a chance to do something about it.

iPhone 3.0 Software Sports Snazzy New Features, Sure: It Also Plugs A Whopping 46 Security Flaws
The nearly four dozen security holes filled in the iPhone 3.0 software published by Apple yesterday have been all but ignored amid the buzz surrounding the new features. But these flaws aren't anything you want to put on hold.

Is That A Cloud On Healthcare's Horizon?
Cloud models are starting to provide an attractive option for large and influential regional medical centers to get lots of small, local, laggard doctor offices trading in their paper patient files for electronic medical records. Are there clouds in your forecast?

Apple Issues Java Security Updates For OS X 10.4, 10.5
Apple released security updates today for Java for Mac OS X, covering Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X 10.5.7 and later. The unfortunate reality is that Sun fixed these flaws more than six months ago. Why did Apple take so long?

Hackers Claim To Have Pwned US T-Mobile. As In: Everything.
It's not the kind of forum post an executive would like to see created about their company. It's not a leaked rumor about an upcoming product or service, or even a ranting upset customer. Nope. It's a group claiming to have controlled portions of your IT network for a long time. And they published what looks to be proof of the breach. T-Mobile is investigating.

Former Hacker Named To Homeland Security Advisory Council
The Obama administration has said it wanted to bring a new approach to government, and a renewed emphasis on national cybersecurity efforts. And maybe that's what the administration was shooting for when it appointed Jeff Moss (also known as "Dark Tangent"), founder of the annual DefCon and Black Hat hacker conferences, to the Homeland Security Advisory Council.

Microsoft Squashing Six Critical "June Bugs" In IE, Windows, And Office Apps
The software maker said today that it will deliver a total of ten patches next week, which is about average for a Patch Tuesday. Six of the ten, however, are rated critical.

Tweet Your Vacation Status. Get Robbed?
Any of us who regularly use the micro-blogging site Twitter do it all of the time: we broadcast our whereabouts in real time. It's kind of the point of the entire Twitter experience. Yet this video podcaster believes he may have been robbed because he tweeted his vacation status.

It's 6 O'Clock -- Do You Know Where Your Cloud's Data Center Is?
A comment that I liked on cloud computing came out of Sun's CommunityOne conference June 1 in San Francisco. It was from Tim Mather, a member of a panel on "Securing the Cloud--Why, What and How?" He said: "The trust boundary has moved with cloud computing but no one is clear where to."

Apple Plugs A Heap Of Buffer Overflow Vulnerabilities
The software maker plugs 10 significant security vulnerabilities in its QuickTime media player, as well as flaws within iTunes. A number of the flaws could lead to denial-of-service conditions or remote exploitation. Most of them appear to affect Mac OS X, Vista, and XP SP3.

Users Want Virtual Desktops That Match Their Physical PCs
Over the last two years, Intel commissioned a study on how companies were delivering virtualization to end users. It's one of the few indicators of where this confused segment is headed. Several approaches are still on the table, but the fastest-growing one is where the virtual machine resides on the end user's PC.

Obama Administration's IT Security Review
Today the White House released its 60-day review on cybersecurity policy, and the report -- as well as the administration's plan -- consists of five primary prongs: top-down leadership, education, distributed responsibility, information sharing, and encouraging innovation.

Do Executives Take Security Seriously? Survey Says Yes.
Our exclusive InformationWeek survey shows that IT and executives are on the same page when it comes to information security threats, policies and more.

Security Benchmarks For Apple iPhone Released
Today the Center for Internet Security released a set of benchmarks designed to help consumers and businesses alike communicate securely using their favorite toy. Whoops, I meant smartphone. The guidance is worth a look.

Cybersecurity Czar Announcement Imminent
President Obama is set to announce, sometime this week, that the post of a cyber czar will be created. So far, the news creates more questions than answers.

Google I/O Developer Conference: Where's The Security Love?
At the Google I/O developer conference this week, Google Inc. will host more than 80 technical sessions on all of the Google apps and platforms we've come to know -- Android, Chrome, App Engine, Web Toolkit, AJAX and others. When reviewing the Google I/O schedule this morning, I was disappointed by what could not be easily found.

Adobe (Finally) Getting Security Religion
In the past number of years Adobe Systems hasn't seemed to have its act together when it comes to mitigating security risks in its PDF products. Hopefully, that's about to change.

On Prison And Corporate Data Escapes
In its broadest sense, social engineering is deception used to manipulate or exploit people. That's exactly how more than 50 Mexican inmates were freed this weekend. How much proprietary corporate data is "liberated" in much the same way?

So, You Want To Build An Effective Application Security Program? How Good Are You At Politics?
Since the tagline of the Secure360 Conference was Evolving Threats, Practical Solutions, I figured a session on How To Build an Effective Application Security Program would be appropriate. Few areas of information security have faster-evolving threats, or are in more need of practical, applied solutions.

SIEM Case Study: Israeli e-government ISP
Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.) Assaf Keren, information security manager at the Israeli e-government, recently briefed me on the challenges and lessons he is learning whilst implementing a SIEM center in the Israeli e-government ISP Project (called "Tehila") -- a topic he first told us about during the SIEM Summit at the CSI Annual 2008 conference in November.

Secure360: The Triumph Of Politics (Over Security)
While listening to Howard Schmidt, former special adviser for cyberspace security to the White House, talk candidly about information security at the Secure360 conference here in Saint Paul, MN, this morning, I began wondering: why didn't we implement the original National Strategy To Secure Cyberspace?

Maybe Government Should Give Up On Computers, Revert To Paper
Governments and their agencies are clearly in over their heads when it comes to IT security and governance. In fact, a number of recent reports highlight just how poor a job governments do of securing our data.

When It Comes To Getting Hacked, Organizations Fatalistic
According to a British Telecom survey, to be released later this week, 94 percent of the 200 IT professionals surveyed from around the globe expect to suffer a breach.

Security's Cost Of Living Adjustment
Let me sum up the state of information security for you and save you a little time: the problems are more complex, the threats more ominous, the vulnerabilities more numerous, the attacks more sophisticated, the intruders nearly invisible.

Just Say No To Virtual Security FUD
What is special about a virtual computer -- a VM? It's a computer in a file. That's it. It's just a computer stored in a file, with similar foibles and management issues as a physical computer. So why do some people invest virtual computers with magical transformative powers? Do they not understand what a virtual computer is?

Cloud Security Needs Its Rainmaker
The Cloud Security Alliance (CSA) made its inaugural splash at last week's RSA Security Conference 2009 in San Francisco. The group kicked off an ambitious white paper that attempts to define everything from the architecture of cloud services to the impact of cloud services on litigation and encryption. It was a herculean effort to try to get this off the ground. And there is still much more work to do -- especially in the one area the group left out.

New ProCurve Threat Module: Flexibility Requires Planning
HP ProCurve announced a new module for its ProCurve 8212 and 5400 modular switches. The Threat Management Module offers firewall, VPN, and IPS functions simultaneously on the switch backplane, unlike Cisco's approach with the Catalyst 6500, which requires separate firewall, VPN, and IPS security modules. The cost, however, is lower performance per module. ProCurve needs to increase module performance to make it a replacement for appliances.

bMighty bSecure Virtual Event: SMB Security On A Budget - Today!
When times get tough, it's all too tempting to push security concerns aside -- especially at small and midsize companies with shrinking IT budgets. Fortunately, you don't have to make that mistake: there are ways to address security issues without breaking the bank. Today -- Wednesday, April 29 -- the bMighty bSecure virtual event brings together business and security experts to show you how to do exactly that.

Federal Reserve IT Analyst Arrest Highlights Internal Threat
I've always had a bone to pick with the trite and hackneyed marketing hype among IT security vendors who repeat that "insiders conduct the most attacks," or "insiders are the greatest risk." This most recent arrest stokes the debate that was rekindled with the recent release of Verizon Business' 2009 Data Breach Investigations Report.

Just Because Security Budget Takes A Hit, Doesn't Mean Security Has To
At last week's RSA Conference in San Francisco, there was as much talk about the economy as there was about IT security. And while the show appeared to pull a healthy number of attendees, at times the show floor seemed filled with more vendor reps and consultants than IT buyers. But a few studies released last week show that while vendors may like to hype fear, the infosec economy certainly isn't all gloom and doom.

Social Networks A New Security Frontline
USA Today ran an interesting story about how cybercriminals are using social media in greater numbers to attack users. What started as a trickle last year has quickly sprung to an open fire hydrant, as criminals turn to low-paid grunts to crack CAPTCHAs.

Symantec Acquires Startup 50 Company
Mi5 Networks, which makes a Web security appliance, will be integrated into Symantec's product line later this year.

NSA Does Not Want To Lead U.S. Cybersecurity Efforts. This Is Good News
Lt. Gen. Keith Alexander told a packed security audience here at the RSA Conference 2009 that the National Security Agency wants to help support the nation's critical IT security infrastructure efforts as part of a "team" effort, and that the NSA isn't interested in the job of running the security of that critical infrastructure itself.

Oracle's Acquisition Of Sun Changes Identity Management Landscape
Oracle's stealing Sun at the altar of a possible marriage with IBM not only saves Oracle from a long-standing partnership going stale, but also significantly bolsters Oracle's security capabilities.

Verizon Breach Report Challenges Conventional Wisdom
Verizon Business' most recent 2009 Data Breach Investigations Report is a must-read if you're involved in IT. The authors are quick to point out that the report is not a "state of security" report, but an analysis of breaches worked by Verizon Business' Risk Team, and therefore based on in-the-field findings. The report winds up with recommendations. How many is your company following?

With More Urgency Than Usual, Apply This Month's Batch Of Microsoft Patches
Exploits are already out in the wild for a number of the vulnerabilities patched just today.

Get Ready To Patch
Organizations need to prep for a pretty significant set of patches that are scheduled to roll out from Redmond tomorrow. It's the largest batch of Microsoft security updates in nearly six months.

Worm Hits Twitter Over Easter Weekend
A multi-day attack infected numerous user accounts on the popular micro-blogging platform. Reports say malicious code is still active.

Black Hat Europe: Interesting InfoSec Research Ahead (Be Afraid)
I always enjoy the Black Hat sessions. The conference leans much more to the technical side of things than the humongous brochure-fest known as RSA. Black Hat Europe is next week, April 14th through 17th. And while I (unfortunately) won't be able to attend, there are a number of sessions I wouldn't miss if I were able to hop a flight to Amsterdam.

Webcam Captures Burglars
The Internet gets plenty of blame for facilitating crimes, but it deserves at least as much credit for solving them. Consider the case of 43-year-old Jeanne Thomas of Boynton Beach, Florida, who was at work in Fort Lauderdale on Wednesday, watching her home through a live video feed from a desktop webcam, when she saw two intruders enter her house.

Register.com Suffered Massive Denial-of-Service Attack
Anyone dependent on domain name registrar and hosting company Register.com, for either hosting their Web site or e-mail, learned first-hand the pain of a distributed denial-of-service attack.

Final Hours Remain To Remove Conficker
Whether this worm lives up to some of the hype as the-end-of-the-world-as-we-know-it, or proves to be a minor annoyance, you're better off getting it off as many systems as possible. These recently updated tools help you get that done.

Annual Strategic Security Survey
If it's spring, it must be InformationWeek's Annual Security Survey, where we gather and analyze changes in security practices. Please join the 40,000 security professionals, IT staff, and managers who have participated in this landmark survey in recent years.

Conficker: Loathing The FUD And Misunderstanding
Despite having the code to analyze, and Conficker being in its third generation, it seems the experts really don't know what's going to happen when Conficker.C strikes on April 1.

Firms Taking Web App Security (More) Seriously
Anyone in IT who hasn't been living under a hard drive for the past decade knows that poor application development processes have littered the Internet and corporate networks alike with trashy code that makes systems too susceptible to attack. Some companies, according to a new survey, are taking quality code more seriously.

Malware Controlling Hardware Is Not A Necessity
The last two weeks have brought us two different attack vectors affecting servers and PCs alike. First, Invisible Things Lab's Joanna Rutkowska and Rafal Wojtczuk presented the details of an attack on Intel's System Management Mode (SMM), which lets malware do whatever it wants while effectively hiding from everything else. Meanwhile, Anibal Sacco and Alfredo Ortega presented an attack that subverts the BIOS at CanSecWest. Can it get any worse?

A Cloud Can Save You Money...But What If The Cloud Goes Broke?
I've been talking quite a bit about whether or not (not) users of cloud services can prove compliance with security, privacy and e-discovery laws. (Blog piece here. Alert issue here.) Now a story at The Register has me thinking about yet another issue -- the inescapable question of financial stability.

Serious, Stealthy, Deadly BIOS Attack
After covering IT security for well more than a decade, few new attacks scare the freckles off of my back. This persistent BIOS attack, as demonstrated by Alfredo Ortega and Anibal Sacco from Core Security Technologies, is one of those new attack techniques.