World Bank (Allegedly) Hacked
It seems, based on a FoxNews.com report that broke Friday, that The World Bank Group suffered a series of cyber-attacks during the past few months. The claims of the level of access gained by the attackers are troubling, but the real extent of the breach remains in dispute, and unknown.

New Backdoor Targeting Windows Users Surfaces
Security firm Barracuda Networks says it has spotted a new virus that attempts to install a backdoor on the systems of its victims. It's spread via an e-mail purporting to be a Microsoft security update.

Symantec Buys MessageLabs: SaaS Security Ready To Rock
Symantec snaps up e-mail security services, IM, and Web-filtering company MessageLabs for $695 million. It's a great fit and shows Symantec is (finally) serious about how security software will be delivered in the years to come.

About That Verizon Breach Report
I've just interviewed Dr. Peter Tippett from Verizon Business. If you're in the security business, you're probably already aware of the 2008 Data Breach Investigations Report issued in June of this year. The same team has just issued a follow-up supplement to that report; Dr. Tippett is one of the contributors to that supplement.

Ignoring Vista Entirely Is Shortsighted
Maine's skipping Vista, and I'm skipping like a broken record. The government of the state of Maine has joined the burgeoning group of organizations planning to sidestep Windows Vista and go straight from Windows XP to Windows 7. I continue to say that completely ignoring Vista is a shortsighted decision that may cause both usability and security troubles not too far down the line.
Fed Stiffens ID Theft Penalties, Schwarzenegger Kills California Breach Bill
Identity thieves, if a new federal ID theft law is enforced, will now face stiffer federal penalties for their crimes. Federal prosecutors also will have increased leeway to pursue more ID theft cases. Also, for the second time in 12 months, California Gov. Arnold Schwarzenegger vetoed a new California data breach bill. Was that a good idea?

TCP Flaw An Abject Lesson On Responsible Disclosure
The pendulum between responsibly disclosing a vulnerability privately to affected vendors so they can create a fix, and telling the world so IT can be aware of potential problems, is swinging back into the vendors' favor. The result is that without public awareness, vendors aren't motivated to institute fixes on a timely basis.

Crook Hires Decoys For Bank Robbery Through Craigslist
About a dozen men who answered a job ad on Craigslist discovered too late that their employer was a bank robber who had hired them to assist his getaway by dressing as decoys.

Authorities May Know Identity Of Gpcode Author
The author of the so-called ransomware virus Gpcode may have made a serious mistake when he or she recently approached Kaspersky Lab to attempt to sell a tool that would decrypt victims' files.

End Users Lax With Company Data
A new security study shows end users from around the world treat data and corporate systems with little respect for the potential consequences. When it comes to corporate data, which is often actually customer data, there's little regard for security.
Can You Prove Compliance In The Cloud?
Whether you're in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is, or was, compliant when you aren't able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.

Scareware Purveyors To Get Legal Thrashing
We've previously warned about the rising number of scareware threats attempting to scam Internet users. Now Microsoft and the state of Washington are gnashing their legal teeth. Will it work?

Key Management? Don't Hold Your Breath
Ben Tomhave posted a lengthy set of observations from the IEEE Key Management Summit 2008. He did walk away confident that key management standards will be forthcoming. That's too bad. One of the best ways to protect data at rest is to encrypt it. However, enterprise encryption requires enterprise key management, not the bunch of proprietary systems in use today.

Mozilla Fixes Password Management Gaffe
Just after Mozilla released Firefox version 3.0.02, which fixed a bevy of security problems, the foundation had to issue a notice to users about a flaw that could keep users from accessing, and even creating, passwords under some conditions.

Senate Committee Approves Updated FISMA Bill
The Senate Homeland Security and Government Affairs Committee just approved S.3474, which will update the Federal Information Security Management Act (FISMA), in the hope of lifting federal security efforts beyond what many have deemed a paperwork shuffle that does little to boost security.
India's Government Claims BlackBerry Crypto Crack
After months of wrangling with Research In Motion to hand over its crypto keys, the country now claims to have attained the ability to snoop on some RIM users in that country.

North American Companies Embracing Security Outsourcing
The U.S. managed security services market is booming, and set to double in size in the next few years. MSSPs have been around, in one iteration or another, for as long as I can remember. Why is the market set to rock now?

Information Cards Are Awesome; But Are Identifying Parties Really Ready To Do This Right?
Perhaps the greatest thing about information cards is that they might finally free us from the purpose-defeating and idiotic practice of using Social Security numbers as a nigh-universal identifier. But it won't work unless the Identifying Parties find a way to balance security with portability, and can smartly manage distribution, expiration, and destruction.

McAfee Secures Place In UTM Market With $465 Million Acquisition
There's still big demand for unified threat management (UTM) devices, especially in the SMB part of the market, and with its $465 million acquisition McAfee is making a big move that will shore up its network security products.

Australian Spy Warns Of Rising Corporate Espionage
The deputy director general of the Australian Security Intelligence Organisation, who cannot be named under Australian law, warned attendees of Australia's Security in Government Conference 2008 earlier this week that commercial and national espionage are becoming more intertwined.
Palin E-Mail Hack Was "Easy"; FBI Investigating
The person who purportedly hacked VP hopeful Sarah Palin's Yahoo e-mail account posted what he or she claimed to be a first-person account of the attack. Meanwhile, the FBI is on the case of the pwned candidate's account.

Lack Of Standards Adoption Is Softening NAC Uptake
There are a lot of reasons why NAC adoption is slower than expected -- it's expensive, it's complicated, there isn't always a clear benefit, competing IT projects are taking priority, and there's still a lot of confusion about NAC technologies. Until IT grasps these issues, it won't move forward.

VP Hopeful Sarah Palin's Yahoo E-Mail Account Hacked
A group of hackers dubbed "Anonymous" claims to have breached vice presidential hopeful Gov. Sarah Palin's Yahoo e-mail account, based on a number of announcements and screenshots posted to the Web and Wikileaks.org.

Network Recorders Are A Window To The Past
Announced at Interop, Endace Analytics Center 2000 provides network analysis for Endace's NinjaProbe, while Solera Networks announced an OEM program providing data-capture services to others. In both cases, the ability to play back captured network traffic eases troubleshooting and resolution.

GAO States Obvious: U.S. Cybersecurity Is Stinko
The Government Accountability Office finds the government's cybersecurity efforts lacking.

Beating The NAC Standards Bush
Halfway through NAC Day at Interop, I moderated a panel populated by representatives from the sponsors. What became clear during and after the panel is that attendees are very concerned about standardizing NAC. Who wants to buy a proprietary product that won't play well with others?

SEC Fines Wall Street Firm LPL
The Securities and Exchange Commission took -- relatively -- harsh action against financial services firm LPL Financial for failing to protect its customer data. While the fine levied against LPL certainly isn't the most important news to break on Wall Street this week, it is the first step in what I hope is a long-term harsher stance taken by the SEC.

UAE Bank Breach Spreads
International investigators still aren't sure, or they're not saying, how criminals managed to generate counterfeit bank and credit cards of legitimate users and conduct fraudulent charges from about 20 countries.

Password Crackers For Hire
Earlier this week we wrote about how attackers are selling bogus security software suites to not only rip off unsuspecting Web surfers, but also infect their systems with malware. Now, an IBM researcher says many of those online Webmail password "recovery" services may actually be hackers for hire.

Amazon Pitches The Security Of Its Cloud
Amazon Web Services, in an effort to foster faith in the security of its infrastructure, on Thursday published a white paper about its security processes.

Video: KFC Hires Armed Guard To Transport Chicken Recipe
This is a cute publicity stunt: the president of KFC decided that the famous original recipe lockdown wasn't secure enough, so they hired a Brinks guard to transport the document to a new, more secure location.
XP Security 'Scareware' Scams Skyrocketing
More users than ever before seem to be falling for scams levied by fraudsters looking to make a quick -- and lucrative -- buck from bogus security applications. It's sad to see people get scammed out of their money when they're seeking some level of protection from Internet threats, but instead they end up paying to install software that does nothing, at best, or is in fact itself malware. At least one security firm says criminals are raking in hundreds of thousands a month doing so.

NAC Happenings At Interop
Earlier this summer I was tapped for NAC Day 2008. It's a day-long event on the topic of Network Access/Admission Control at Interop NY, held at the Javits Center. I'll agree to almost anything if I can get a trip to Manhattan out of the deal. I hope to cover nearly every aspect of NAC in 5 hours and 45 minutes.

Microsoft: Four Patches, Eight Vulnerabilities, One Biggie
Earlier this week we predicted that Microsoft would release a massive update, and the software giant certainly did. While it's not big in megabytes, it touches nearly every Windows user on the Internet. Make sure you're aware of the risks, and get yourself patched.

Google Chrome Polishes Its First Security Update
Last week, Google released its shiny new Chrome browser. However, before the week finished, Google also had to issue a patch for one of the most common -- and best known to developers -- application security issues: a buffer overflow vulnerability that would make it possible for an attacker to completely take over your system.
Living With NAC - A Report From The .EDU Trenches
As readers of my earlier blog entries will know, SUNY's Purchase College, where I work my day job keeping the network and servers humming peacefully along, has had a rather checkered past with network admission control systems. This fall we're making our third attempt to implement a NAC system that will keep our students' systems safe from malware without making their lives too miserable.

Patch Tuesday: Potentially Massive Windows XP, Vista Update Ahead
On Tuesday, Microsoft will release four security fixes as part of its monthly patch update cycle. All four patches slated for release are rated critical. Yet one of the bulletins strikes me as unusually vague. Is this cause for alarm?

The Steady Rise Of Targeted Trojan Attacks
"Look before you click" may be a good idea for a new IT security public awareness campaign. Consider the reports coming out of South Korea that North Korean spyware made its way onto the computer of a South Korean army colonel. There's no reason why this can't happen to you.

Will Comcast's New Bandwidth Limits Bring Rise In Wireless Broadband Hijacking?
Starting next month, Comcast says it will start metering the amount of bandwidth its customers consume each month, and users who exceed the threshold may be cut off. If I understand anything about human nature, this means that more people will steal the additional bandwidth they need.

BNY Mellon Data Breach Potentially Massive
It was in May when we noted an investigation launched by the authorities in the state of Connecticut into a backup tape lost by the Bank of New York Mellon. The results of that investigation are in, and they don't look good.

Web Application Hacks: Upping The Arms Race
It doesn't seem that long ago that Web application attacks supplanted network and worm attacks. But they have, and now the attackers are finding ways to obfuscate these attacks. It's an ever-evolving arms race. And we have an updated Top 10 Web site vulnerabilities list.

Security Breach: More Laws Needed. Let's Add Health Care
Earlier this week, colleague Thomas Claburn covered the unfortunate trend that the tally of data breaches this year has already surpassed all breaches recorded for the entire year of 2007. This isn't entirely bad news, as I'll explain.

Any Extra Change Jingling In Your Pocket Lately?
Tech salaries inched up recently after slumping earlier this year, according to a new wage report from an IT services and staffing firm. Could this be the beginning of an upward trend, or just a blip?

Getting A Perspective On Man In Middle Attacks
Researchers at Carnegie Mellon University have proposed a system to ensure that when you connect to a server that uses SSH or a self-signed digital certificate, and you haven't verified the authenticity of the host identity beforehand, you aren't subject to a man-in-the-middle attack.

Best Western Disputes Depth Of Suspected Breach
"Disputes the depth of the breach" is an understatement. A Best Western spokeswoman just issued a statement to InformationWeek stating that the breach, so far, has only been confirmed to involve 13 guests at a single hotel.
UPDATE: Best Western Refutes (Some) Claims Of Hacker Compromise
Shortly after our post, "Best Western Hotel Chain Pwned," which is based on the story that appeared here, Best Western e-mailed us a response that raises more questions than it answers. That statement, which is available here, refutes some of the claims surrounding its breach, but certainly not all. Here's a deconstruction:

Best Western Hotel Chain Pwned
According to news reports that started to surface over the weekend, Best Western, one of the world's largest hotel chains -- if not the largest -- is investigating a breach that purportedly has placed millions of its guests' data at risk, and in the hands of Russian mobsters.

Radio Implants And GPS To Thwart Kidnappers? Don't Think So
In the face of rising kidnappings in Mexico, a number of more affluent Mexicans are opting to have minute radio transmitters implanted under their skin so they can, presumably, be located by the authorities if they're ever kidnapped. This is a bad idea.

Untrusted SSL Certificates Indicate A Failure
An unknown certificate is a failure in SSL/TLS, and that's how it should be. Ever since Firefox 3 came out, the way it presents SSL-enabled Web sites with self-signed certificates has been called scary and hurtful. Untrusted self-signed certificates should be scary, because an untrusted self-signed certificate is a failure in SSL/TLS, and a failure in your authentication and encryption mechanism should be treated as serious. Encryption with unknown parties is useless.

FEMA Phones Get Hacked
If you are going to hack a phone system, do you really want to hack DHS? That's what happened this weekend when someone made hundreds of illegal calls from a Federal Emergency Management Agency (FEMA) Private Branch Exchange (PBX) to the Middle East and Asia. It appears that the usual culprits of poor change control and misconfiguration left FEMA's digital doors open.