Misguided Security Leads To Insecurity
It's once again travel time. Full disclosure: I was the first to publish an exploit against travel systems. Co-released with iDefense (since acquired by Symantec), this simple denial of service exploit was capable of halting operations at most airlines and airports in the United States.

National Cyber Security: Are We Focused On The Right Stuff?
With major cyber-security initiatives by the Department of Homeland Security underway, and the U.S. House of Representatives passing nearly $400 million in IT security research, I wonder if the efforts are being placed where they are most needed, and if more would be achieved by focusing on application security - and unleashing the bug finders.

Anatomy Of A Modern Hack
In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-line breach investigation for the public and private sector. It's worth a look.

Barracuda Networks Enters the Enterprise Firewall Market
Through its acquisition of Phion, Barracuda Networks has launched a line of seven enterprise firewalls meant to consolidate network security devices and reduce management overhead when dealing with numerous distributed firewalls.
Healthcare Providers Want "Red Flag" Exception
Dentists, physicians, and veterinarians are asking the Federal Trade Commission to exclude healthcare professionals from regulations designed to mitigate the risks of identity theft. I say: Step up and protect your customers from identity theft.

Phishing Attacks Steadily Rise
A report this week shows the number of phishing attacks continues to climb, year over year. Ditto for the number of Web servers dishing out malware. And the country that hosts the most phishing sites? That one just may surprise you.

Warning Signs Preceded Cyber Attack On Google
The news of a cyber attack from within China on Google and other companies has prompted a range of reactions, including Google's decision to reassess its operations there and a rebuke from U.S. Secretary of State Hillary Clinton. But no one should be surprised by what happened. Two months earlier, a U.S. government report warned that the private sector was susceptible to this very risk.

Cost of Data Breaches Continue Their Rise
Businesses that suffered a data breach in 2009 paid a higher price for the incident than in any previous year, according to a study released today. Also, the average cost of a data breach reached an eye-opening $6.75 million.

Privacy Network Tor Suffers Breach
The virtual network Tor, designed to provide private and secure Web browsing to people around the world, had a number of servers hacked recently. The Tor anonymous network is helpful to those living in nations that oppress free speech, such as China and Iran, and need unfettered access to information.
Is The US Afraid To Admit That China Declared War On It?
Had the Chinese shot intercontinental ballistic missiles into 33 US-based businesses, including those in the finance and defense industries as well as the Mountain View-based headquarters of Google, there would be no question in anyone's mind as to whether war had been declared on the US. Is there any difference now that a Chinese government-backed organization has cyber-attacked 33 US businesses? Let's be honest with ourselves. It was an act of war and it deserves more of a response from the US government than it is getting.

Sloppy Software Dev Exposes Google Hacker Holes
I've ranted on the subject before, but it's worth sounding off again in light of the recent China hacker breaches of Gmail: Poor software development procedures are the big reason major firms are apparently running around scared witless that their products are vulnerable to cyberattacks. (The corollary, about which we haven't read anything, is that firms with buttoned-down dev rules are likely feeling, if not entirely safe, then at least free of the panic which plagues the cluelessly unprepared.)

Websense To Monitor Facebook Pages
Today Websense released what is touted as the first security application for Facebook, developed via its recently acquired Defensio brand. Facebook users can now monitor their pages for unwanted content, including spam comments, profanity, and links to malware. This could be valuable for companies that want to control their online images and brands.

Denial-of-Service Attack Intensity Grows
A survey of 132 network operators and telecommunication providers reveals that Distributed Denial-of-Service (DDoS) attacks are the top day-to-day security challenge facing service providers.
The Fritz & David Show: Apple Tablet Cometh? Inside Google/China, Dell, And More
From separate coasts, InformationWeek editorial director Fritz Nelson and I have been trying to launch the video version of the Fritz & David Show for what seems like forever. But technology has conspired against us. We're close, and we'll keep trying. But in the meantime, we've decided to offer the audio version of the weekly program that gives you a peek at how we talk about the latest technology news and buzz amongst ourselves here at InformationWeek.

Was Novell Too Quick To Use China/Google Incident To Disparage Cloud Computing?
Had Novell's director of public relations Ian Bruce not responded to my blog post about Google's choice to change Gmail's default transmission mode from the less secure HTTP (Web) to the more secure and encrypted HTTPS (Secure Web), I would have never seen his own blog post on Novell's Web site entitled On Google, e-mail security, and cloud. But I'm glad I saw it. It's evidence of how some vendors might be too quick to throw fuel on the fire of misinformation in order to draw positive attention to themselves.

How Many (Sub) Zero-Day Attacks?
We now know that one of the vectors used in the series of attacks against U.S. businesses was a zero-day vulnerability in Internet Explorer. Apparently, the way most of the world learned of this particular flaw was when it was actually used in these attacks. That's some powerful form of "disclosure," but how common is it?

Nothing New In Aurora Hack
Attackers targeting victims through phishing e-mails that lure users to maliciously crafted Web sites is nothing new.
But it does highlight the sophistication of the modern attacker.

Gmail Traffic Now Encrypted By Default, But Will Organizations Heed The Shift?
Kudos to the folks at Gmail who, in defaulting to a secure browser setting (as opposed to the previous insecure default) for sending and retrieving email, have decided to help users who may not know enough to help themselves. The new default (see screenshot below) tells the browser to access the Gmail service over HTTPS instead of the prior default, HTTP. This significant shift by Google is a reminder that there's probably more you can do to secure your organization's data and communications.

Security: Exception to the Rule?
In his most recent column, Art Wittmann explained that we're not going to see a "year of the cloud" because cloud is an evolutionary process, and evolution takes time. In general, that's true, but there's one area where the pace tends to be quicker: security. Attackers aren't sitting back waiting for new techs to gain maturity. They're throwing everything they have at our networks, hoping something sticks and yields a payoff in stolen data.

Big Patch Day
Microsoft is releasing only one security update today. Security teams hoping for a break today: forget it. Adobe is expected to release a patch of its own, and Oracle is releasing two dozen of its own software updates.

Attaining Security In The Name Of Compliance?
Security managers have to fight for - and justify - every nickel in their budget coffers. Unfortunately, many security managers have a tough time winning the funds they feel are necessary to reduce business risk. And many end up relying on instilling the fear of bad regulatory audit findings and fines to win funds.
While often a successful tactic, does wielding the compliance hammer-of-fear pose risks of its own to an IT security program?

Office Users Targeted In Phishing, Rogueware Attacks
Two separate Internet security firms are warning customers that Microsoft Office users are being specifically targeted in these attacks.

Panda Security: Malware Tops 25 Million In 2009
As I read PandaLab's Annual Malware Report, just published yesterday, the headline number of 25 million new malware samples struck me in this way: So What. And it leaves one wondering why some security vendors choose to focus so heavily on Fear, Uncertainty, and Doubt (FUD). Most of that "new" malware crud doesn't get anywhere.

New Threats Target Adobe PDF Zero Day
Adobe Acrobat and Adobe Reader are vulnerable and under attack from a new, sophisticated zero-day JavaScript exploit, according to the SANS Internet Storm Center.

Significant Worm and Virus Attacks of The Decade
We certainly thought viruses and digital exploits were a nuisance throughout the 1990s. But there was nothing like the Morris worm that played havoc on Internet users on November 2, 1988. That all changed in the spring of 2000, and what a can of worms the oughts turned out to be. And how quaint the malware of the 1990s looks in comparison.

Mobile Botnets: A New Frontline
There has been a recent rash of worms and malware targeting (jailbroken) iPhones. A group of researchers from SRI International published a study of an Apple iPhone bot client, captured just before Thanksgiving.
Security Reminders From "Hacked" Predator Drones
The Wall Street Journal reported today that Iraqi militants are able to intercept live feeds from U.S. military Predator drones with standard hardware equipment and a $30 software application.

U.S. And Russia Talk Internet Security
According to news reports, the American and Russian governments are engaged in talks designed to pave the way for a more secure Internet and a treaty to limit certain types of cyberweapons.

How Organizations Get Hacked
Want a better idea of how organizations get infiltrated, including a detailed synopsis of how many successful data breaches occur? Sit down with a copy of the just released Verizon Data Breach Investigations Supplemental Report and you'll get a great idea.

Bank Login Stealing Trojan Threat Grows
Cisco released its Cisco 2009 Annual Security Report this morning, and it contains some interesting insight on many of the vulnerabilities and threat vectors we face today.

Researcher: iPhone Data Easy To Cultivate
While there haven't been any attacks on iPhones that haven't been jailbroken, one researcher has shown that once a rogue application makes its way onto the device, there's not much it can't do with your data.

Texas Hospital District Fires 16 For HIPAA Violations
The Harris County Hospital District of Houston, Texas, fired 16 employees, accusing them of violating patient privacy laws by inappropriately accessing the records of a medical resident who'd been admitted to the hospital after she was shot in a grocery store parking lot.
New Ransomware Attack Underway
Security researchers at CA have found a new so-called "ransomware" attack underway. There are many things you can say about malware writers. Most of it would be NSFW. But you can't say they don't work hard at what they do.

Famous Password Auditing Tool, L0phtCrack Is Back
After a couple of years of rest, L0phtCrack, one of the most famous password auditing and recovery tools, is back.

Microsoft Provides Insight Into Password Attacks
For about a year now, Microsoft has been trying to gather data on real-world attacks, the types of attacks normal users might encounter in their day-to-day Internet use, and the software maker just released some interesting data on password attacks.

Exploit Code Targets Internet Explorer Zero-Day
There's exploit code circulating that can be used to target certain versions of Internet Explorer; Microsoft says it's working on a fix.

Chrome OS Security: Initial Impressions
There is much developers can do to build a secure operating system when limits are set on what devices are supported, and there's no regard for compatibility with all types of software applications. I'm sure it's a luxury some software designers in Redmond and Cupertino certainly envy. But that's the clean shot Google has with its new Chrome OS.

Phishers Target Apple Customers In New Attack
While OS X is targeted by far fewer viruses than other operating systems, that's not stopping fraudsters from trying to hit Mac users with fraud.
Reporting Health IT Security Compliance Gets Easier
The Health Information Trust Alliance (HITRUST) has unveiled a new program that helps streamline how healthcare organizations report to their business associates their status of compliance with security regulations such as HIPAA and others.

The Web Application Security New Top 10 Risks
With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant - and welcome - change in how the organization rates Web application security weaknesses.

Despite Security Concerns, Social Networks Soar
Security firm Palo Alto Networks peeked at the application use of more than 200 organizations around the globe, and found social networking growth on corporate networks is on fire. Will security concerns be the extinguisher? Don't count on it.

JailBroken iPhones Targeted By Rick-Rolling Worm
The SANS Institute Internet Storm Center is warning users of jailbroken iPhones that a new worm is targeting their hacked phones. So how dangerous is it, really?

Microsoft To Patch 15 Vulnerabilities
As part of its monthly ritual, Microsoft in its Security Bulletin Advance Notification for this month warned of a number of nasty vulnerabilities in its operating systems and productivity software.

Tech Pros Want Security, Healthcare, Green Certifications
Techies are seeking professional certifications in emerging areas like healthcare and green IT, and especially old standbys like IT security, according to a new survey.
Manhattan DA Announces Major ID Theft Indictment
The Manhattan DA brought a 149-count indictment accusing a computer technician of stealing the identities of more than 150 employees of the Bank of New York Mellon and using those identities to orchestrate more than $1.1 million in thefts against charities and non-profits, among other institutions.

New Project Takes Aim At Web Vulnerabilities
A new open source honeypot sets bait to lure attackers and to gain first-hand information on current attack techniques underway.

Blue Coat Identifies Halloween Trick
Blue Coat has identified a new malware trick just in time for Halloween. Unsuspecting victims are redirected to one of two malware sites after searching for Halloween-related sites. These distribution sites are typically used for hosting warez (pirated digital content), but have been switched to malware distribution in the past 12 hours.

Patch Your Firefox
Mozilla just released 16 patches for vulnerabilities in Firefox. Eleven of the flaws are critical, and affect a number of components in the browser.

UK Jobs Website Hacked
The Guardian news site is warning members of its UK jobs site that the site has been breached, and that personal data may have been snagged.

Application Security Is National Security
Hacks targeting U.S. government computers are coming from China. We knew that. The Chinese hackers are relying on zero-day software vulnerabilities to exploit critical systems. So, tell me again: why aren't we doing more to require that applications be built secure from the start?