The InformationWeek -- Blogs

InformationWeek's Security Weblog

Exploit Code Targets Internet Explorer Zero-Day


By George Hulme | 05:42 PM ET, Nov 24, 2009

There's exploit code circulating that can be used to target certain versions of Internet Explorer; Microsoft says it's working on a fix.



Chrome OS Security: Initial Impressions


By George Hulme | 04:15 PM ET, Nov 20, 2009

There is much developers can do to build a secure operating system when limits are set on what devices are supported, and there's no regard for compatibility with all types of software applications. I'm sure it's a luxury some software designers in Redmond and Cupertino certainly envy. But that's the clean shot Google has with its new Chrome OS.



Phishers Target Apple Customers In New Attack


By George Hulme | 06:30 PM ET, Nov 18, 2009

While OS X is targeted by far fewer viruses than other operating systems, that's not stopping fraudsters from trying to hit Mac users with fraud.



Reporting Health IT Security Compliance Gets Easier


By Marianne Kolbasuk McGee | 03:15 PM ET, Nov 16, 2009

The Health Information Trust Alliance (HITRUST) has unveiled a new program that helps streamline how healthcare organizations report their compliance status with security regulations such as HIPAA to their business associates.



The Web Application Security New Top 10 Risks


By George Hulme | 09:23 PM ET, Nov 15, 2009

With a focus on risks, rather than only ranking software vulnerabilities, the Open Web Application Security Project (OWASP) has made a significant, and welcome, change in how the organization rates Web application security weaknesses.



Despite Security Concerns, Social Networks Soar


By George Hulme | 11:24 AM ET, Nov 9, 2009

Security firm Palo Alto Networks peeked at the application use of more than 200 organizations around the globe, and found social networking growth on corporate networks is on fire. Will security concerns be the extinguisher? Don't count on it.



JailBroken iPhones Targeted By Rick-Rolling Worm


By George Hulme | 01:26 PM ET, Nov 8, 2009

The SANS Institute Internet Storm Center is warning users of jailbroken iPhones that a new worm is targeting their hacked phones. So how dangerous is it, really?



Microsoft To Patch 15 Vulnerabilities


By George Hulme | 10:48 PM ET, Nov 5, 2009

As part of its monthly ritual, Microsoft in its Security Bulletin Advanced Notification for this month warned of a number of nasty vulnerabilities in its operating systems and productivity software.



Tech Pros Want Security, Healthcare, Green Certifications


By Marianne Kolbasuk McGee | 01:37 PM ET, Nov 4, 2009

Techies are seeking professional certifications in emerging areas like healthcare and green IT, and especially old standbys like IT security, according to a new survey.



Manhattan DA Announces Major ID Theft Indictment


By George Hulme | 09:53 PM ET, Nov 2, 2009

A Manhattan DA brought a 149-count indictment accusing a computer technician of stealing the identities of more than 150 employees of the Bank of New York Mellon and using those identities to orchestrate more than $1.1 million in thefts against charities and non-profits, among other institutions.



New Project Takes Aim At Web Vulnerabilities


By George Hulme | 07:06 PM ET, Oct 31, 2009

A new open source honeypot sets bait to lure attackers and to gain firsthand information on the attack techniques currently underway.



Blue Coat Identifies Halloween Trick


By Adam Ely | 07:14 PM ET, Oct 30, 2009

Blue Coat has identified a new malware trick just in time for Halloween. Unsuspecting victims are redirected to one of two malware sites after searching for Halloween-related sites. These distribution sites are typically used for hosting warez (pirated digital content), but have been switched to malware distribution in the past 12 hours.



Patch Your Firefox


By George Hulme | 11:09 PM ET, Oct 27, 2009

Mozilla just released 16 patches for vulnerabilities in Firefox. Eleven of the flaws are critical, and affect a number of components in the browser.



UK Jobs Website Hacked


By George Hulme | 05:22 PM ET, Oct 26, 2009

The news site Guardian is warning members of its UK jobs site that the site has been breached, and that personal data may have been snagged.



Application Security Is National Security


By George Hulme | 07:25 PM ET, Oct 23, 2009

Hacks targeting U.S. government computers are coming from China. We knew that. The Chinese hackers are relying on zero-day software vulnerabilities to exploit critical systems. So, tell me again: why aren't we doing more to require applications be built secure from the start?



My Hat Is Blue


By Adam Ely | 05:14 PM ET, Oct 22, 2009

For the past two days I have been back in Seattle. It was almost two years ago I left the city, and was not sure when I'd get a chance to return. Microsoft's BlueHat security conference was a great reason to come back to my favorite rainy city.

What is BlueHat?



Gumblar: Back With A Vengeance


By George Hulme | 02:03 PM ET, Oct 20, 2009

Earlier this year, the botnet Gumblar made a splash when it infected more than 2,300 Websites, including popular destinations such as Tennis.com, Variety, and Coldwellbanker.com. Now, security researchers say Gumblar is back in strength and is changing its tactics.



Scammers Up The ‘Rogueware’ War


By George Hulme | 04:44 PM ET, Oct 17, 2009

Attackers have for some time been known to encrypt user files (as happened with Gpcode) and then demand payment for the decryption key. These so-called rogueware attacks, including scareware, have been underway for a while. Now scammers have upped their tactics.



RAND: U.S. Should Not Prioritize Cyberwarfare


By George Hulme | 10:17 PM ET, Oct 13, 2009

The think tank RAND came out with an Air Force funded paper that concludes spending money on operational cyberwarfare is a waste of budget. I agree.



Healthcare Reform Bill Means HIPAA Changes, Too


By Marianne Kolbasuk McGee | 04:59 PM ET, Oct 13, 2009

The healthcare reform bill that passed a key Senate committee today contains several health IT related provisions. Among them are new rules regarding HIPAA, including a proposal allowing the periodic update of HIPAA standards, and fines for health plans that don't comply with HIPAA "operating rules" by April 2014.



October's Scary Patch Tuesday


By George Hulme | 01:14 PM ET, Oct 9, 2009

Next Tuesday Microsoft plans to release 13 separate security bulletins that will cover more than 30 individual patches. More than half of the bulletins are ranked as "critical."



Amazon Web Services DDoS Attack And The Cloud


By George Hulme | 11:27 AM ET, Oct 7, 2009

A suspected denial-of-service attack aimed at Amazon Web Services (AWS) this past weekend shut down a code hosting service for nearly 24 hours. I don't see this as a security issue specific to cloud computing, rather just another disruption to availability like all of the others.



U.S. Government Set To Clamp Down on P2P Networks


By George Hulme | 12:37 PM ET, Oct 6, 2009

You've probably heard the horror stories around private and confidential files being exposed via peer-to-peer network sharing. Federal lawmakers are now stepping up their efforts to keep sensitive data from inadvertently leaking to the public.



Cyber-Crime No Longer Smash and Grab


By George Hulme | 02:57 PM ET, Sep 30, 2009

Typically, banking customers learned they'd been victimized by cyber-crime when they found their bank accounts emptied. No more. According to this report, online thieves are getting craftier at covering their tracks to go undetected for longer stretches of time.



Hacking Gets Physical


By George Hulme | 11:36 AM ET, Sep 28, 2009

The guilty plea entered in federal court last week by a contract IT worker, for disrupting a computer system used to monitor off-shore oil platforms, shows that illegal hacking is likely to increasingly endanger the physical world.



Survey Says: PCI DSS Compliance Not Strategic


By George Hulme | 06:52 PM ET, Sep 24, 2009

That's right. A survey conducted by the Ponemon Institute, and backed by security firm Imperva, says that the vast majority of firms don't view the Payment Card Industry Data Security Standard (PCI DSS) as a strategic initiative.



Security Software Market Remains Strong


By George Hulme | 09:28 PM ET, Sep 22, 2009

While the growth of the security software market took a hit this year, along with most every other market segment, it's still pegged to grow 8 percent, year over year, according to a market research firm. There's also stronger growth ahead.



Think Your Anti-Virus Is Working? Think Again


By George Hulme | 08:55 PM ET, Sep 21, 2009

Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.



Microsoft Steps Up To Squash Malicious Advertising Threat


By George Hulme | 10:32 PM ET, Sep 18, 2009

Microsoft has moved to file five civil lawsuits to help fight malicious online advertisers, but the winning bet is probably not that this will have a big impact on malicious advertising any time soon. There's just too much money being made.



Systems Infected Tend To Stay Infected


By George Hulme | 11:01 PM ET, Sep 16, 2009

Think most PC and endpoint infections are quick hits? Think again. Research released today shows that once infected, systems tend to stay that way for a long, long time.



SQL Vulnerabilities Continue To Plague Web Security


By George Hulme | 09:29 PM ET, Sep 14, 2009

A gray-hat hacker with a reputation for outing corporate Web site vulnerabilities says he's uncovered SQL injection flaws in the Web site of RBS WorldPay. RBS responded, saying no customer data was accessed.



Cryptographic Keys Focus Of Next-Gen Net Security


By Alexander Wolfe | 08:36 AM ET, Sep 12, 2009

Against the backdrop of rising malware threats and organized cybercriminal rings, a national cybersecurity initiative is taking shape which will bring a "locked down" mentality to the way we authenticate users, apps, and anyone or anything that touches a network. I'm talking about the Cryptographic Key Management (CKM) project that is being run out of the National Institute of Standards and Technology's Computer Security Division.



Ethics, Integrity, and Playing Nice


By Adam Ely | 02:06 PM ET, Sep 11, 2009

As security professionals we are paid to know how to do bad things. We must know how to do these bad things in order to defend from bad people. What separates us from the criminals is our integrity. We hack for the good of humanity.



New Warnings On EMP Threat


By George Hulme | 02:21 PM ET, Sep 10, 2009

More than 800 people registered for a conference being held in Niagara Falls, NY to discuss the possible nightmare outcome of an electromagnetic pulse (EMP) attack on the continental U.S. A fix is startlingly cheap, but remains ignored.



Patch Tuesday: Five Critical


By George Hulme | 10:08 PM ET, Sep 7, 2009

Security managers and operations teams will be greeted with a handful of significant Microsoft patches when they return to work Tuesday afternoon. Unfortunately for them, the most aggravation and the most significant danger may come from the patch that isn't on the docket.



Program Aims To Erase Doubts About Health Data Security


By Marianne Kolbasuk McGee | 04:41 PM ET, Sep 1, 2009

A new certification program could make it easier for healthcare organizations to decide whether their IT security products meet their compliance needs.



Hacking Oil Rigs


By George Hulme | 10:48 PM ET, Aug 30, 2009

When it comes to cyberwar, real cyberwar, perhaps the most damaging attacks won't come in the form of denial-of-service attacks, but be aimed directly at our energy supply.



Snow Leopard's Anti-Malware Lacks Roar


By George Hulme | 03:22 PM ET, Aug 29, 2009

A security firm's assessment of the malware protection capabilities, leaked prior to Friday's release, shows that Apple's Snow Leopard won't be chasing down much malware.



Amazon's Private Cloud: Virtually Private Or Maybe Private?


By Charles Babcock | 08:28 PM ET, Aug 28, 2009

Amazon, purveyor of the EC2 public cloud, suddenly announced Aug. 26 it's a private cloud supplier. Isn't there something wrong with a multi-tenant, shared resource provider transforming itself into a private cloud service? I'm not sure Amazon can offer a private cloud -- yet. Then again, I see no reason why it couldn't sometime in the future.



Trend Micro Rips Lid Off Estonian Cybercrime Hub


By Alexander Wolfe | 03:00 PM ET, Aug 26, 2009

An important Trend Micro paper, spotlighting a cybercriminal hub operating out of Estonia, has surfaced on Slashdot. The racket here is that a seemingly legitimate Internet Service Provider is in reality the headquarters for a rogue network, which extends into Europe and the United States. The breadth of the deception outlined in the paper is scary; doubly so because cybercrime is emerging as the single biggest security threat of the next decade.



Is Snow Leopard Coming With Antivirus?


By George Hulme | 05:05 PM ET, Aug 25, 2009

Apple security firm Intego posted a hint that Snow Leopard, the new Macintosh operating system that is due for release this Friday, may contain some level of anti-malware detection.



Government Finalizing Medical Data Breach Notification Rules


By George Hulme | 06:50 PM ET, Aug 24, 2009

Medical data breaches are on the rise. Much in the same way that credit card breach notifications skyrocketed following California's enactment of SB 1386, California's medical breach laws are doing the same now with patient data. Unlike financial breaches, however, federal rules are now coming into play.



Hacker Indictments Highlight Application Security


By George Hulme | 06:33 PM ET, Aug 18, 2009

As you probably know, a federal grand jury has indicted Albert Gonzales, 28, of Miami, Fla., for allegedly hacking into computers belonging to retail and financial companies and stealing more than 130 million credit and debit card numbers. And the hacking didn't involve anything more than standard SQL injection attacks.



Banks, Credit Card Companies Take Swipe At New Encryption Method


By George Hulme | 11:18 PM ET, Aug 16, 2009

Visa Inc. and Fifth Third Bancorp are testing a novel technique for authenticating in-person credit and debit card transactions by using a fingerprint created by the individual magstripe on each card.



E-Voting Takes Another Hit


By George Hulme | 09:03 PM ET, Aug 13, 2009

A group of computer scientists has shown how voting results, held in electronic voting machines, can be changed using a novel hacking technique. It's yet another reason why we need to have a verifiable, auditable paper trail for electronic voting machines.



Where Are The Groundbreaking Security Technologies?


By Adam Ely | 11:44 PM ET, Aug 10, 2009

Every day I speak with numerous security product companies. The reasons for these discussions vary. Some are pitches for InformationWeek product reviews, others are for my security consulting day job at Alvarez and Marsal (yes, shameless plug), and some are for companies I advise. Here is my dilemma. I am pitched so many products each day, but I rarely hear of anything that is really new and groundbreaking.

PR reps, keep reading and don’t bombard me with hate emails. Yet.



Prepare To Patch


By George Hulme | 12:49 AM ET, Aug 10, 2009

If you are a Microsoft Windows user, chances are there's a patch waiting for you tomorrow.



DDoS: Why Attackers Do the Things They Do


By Adam Ely | 03:28 PM ET, Aug 7, 2009

As news of the Facebook and Twitter DDoS trickles in, I ponder why attackers launch attacks in the way they do. I don’t even really consider why they do it, just why they take a certain approach.



New SSL Attacks Don’t Change Your Web Risk


By George Hulme | 03:56 PM ET, Aug 3, 2009

There’s been a lot of talk about SSL security since last week’s Black Hat conference. While these attacks are significant, I don’t see them as changing the security posture of the Web.



Is AES On The Way Out?


By George Hulme | 11:50 PM ET, Aug 1, 2009

Cryptographic researchers have uncovered a new attack against the ubiquitous AES encryption algorithm. While there have been a number of complex attacks aimed at AES recently, this one, experts warn, may be practical enough for run-of-the-mill attackers to exploit.



