TalkingTech
The view from the top of IT with TechWorld Editor Rohan Pearce
George Peppard said as his character Hannibal Smith on The A-Team, "I love it when a plan comes together." Several trends, if not a plan, are coming together in interesting ways in technology for small businesses. Mix equal parts of online applications, netbooks, and constant wireless networking together, and you get new ways to do more work in more places for less money.
By James E. Gaskin | 20 February, 2009 09:36
If you've had any money in the stock market, it's been a bloodbath the last few weeks. It's hard to remember that any 10-year period in stock market history has always ended up with better returns than any other investment. As financial analysts argue over whether we are already in or just headed into a deep global recession, we are facing a rough, contracting period. People with good jobs are holding on to them tighter than ever.
By Roger A. Grimes | 20 October, 2008 09:21
While there are a number of security risks in the world of electronic commerce, SQL injection is one of the most common Web site attack techniques used to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy data outright.
By Ryan Barnett | 10 October, 2008 10:49
What if I was to tell you that I have a secret that could end the Internet as you know it? What if I was only going to tell you at a fee-based conference once speculation had gone on for a month or more? How would you respond to that?
By Carl Jongsma | 30 September, 2008 12:00
Last week Microsoft released MS08-055 [1], patching a remote code execution vulnerability affecting the handling of onenote:// URLs in different versions of Office. What was surprising about the patch is that the vulnerability being fixed only bore a passing resemblance to the one that was notified to Microsoft in March of this year.
By Carl Jongsma | 15 September, 2008 12:26
Business isn't what it used to be.
By Brian Foster | 08 September, 2008 09:32
Information Security is an odd environment in that most of the leading edge research takes place away from academic and designated research institutions, out in the industry. As a result there is a curious approach to publishing new information that doesn't really exist anywhere else.
By Carl Jongsma | 21 August, 2008 08:50
While external data breaches involving household brand names such as TJX tend to grab more headlines, insider data thefts are emerging as compliance and reputational risks for organizations. Recent studies suggest that over 60 per cent of data breaches originate from an internal source or event. One reason for this is that in today's data-rich environment organizations continue to struggle with the 'human element' at the heart of data security. It can be extremely difficult to balance the protection of sensitive data with granting access to employees who need it to complete their daily job requirements. To that end, organizations have implemented several new security measures including employee education programs, data access monitoring, and strict policies regarding USB ports and portable devices. Although these are steps in a positive direction, little has been done to study and understand how the data is exploited once it leaves an organization.
Microsoft's impending announcement at Black Hat on the 7th of this month, titled "Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World", being delivered by some of the best security names inside Microsoft, has already gained the attention of many in the wider community.
Here's a travel advisory: The next time you find yourself in a foreign city at night with nothing to do, take my advice: rent a movie in your hotel room. Don't go to discos. And if you do go out, don't bring a smart phone with you.
There has been a lot of speculation devoted to the impending release of information about a DNS vulnerability discovered and initially announced by Dan Kaminsky almost two weeks ago. A lot of the coverage has been back and forth arguing about whether what has been discovered is relevant or not but the best thing to have done in the intervening period is to have sat on your hands and waited.
Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack toolkit called "Asprox," which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on a browser's PC, and if any such holes are found it will download malware onto the computer.
Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.
Australian organizations are now more vigilant when it comes to safeguarding sensitive information. It is a necessary measure when you consider that cybercriminals are constantly devising new ways to breach business security systems, from creating new spam techniques to using popular Web 2.0 Web sites such as Wikipedia and YouTube as a front for malicious Web sites that lure users to download malware. Add to that, social networking sites, like Facebook and MySpace, have an enormous impact on workplace security as use of these sites becomes more popular among employees.
Information Security can sometimes be a funny field to work in. Some days it seems as if anybody with their hands on unpublished exploit code can sell it for all they're worth, and others it seems that they are set to become the target of law enforcement and the companies the code affects. It does help if you don't work for one of the companies that is set to be affected by the exploits you are trying to sell and aren't trying to bootstrap a competing company in the process.
All evidence points to the fact that smartphone viruses will be a threat to your network even though they aren't at this moment. After all, the latest mobile devices are packed with more and more applications and corporate data, are enabled for real Web browsing and online collaboration, and can access corporate servers. What's more, they live outside your firewall and often make use of three wireless networks (Bluetooth, Wi-Fi and cellular).
How can we protect ourselves from online services that employ hidden autorenewal clauses to keep charging us? Readers responded to my recent story about how credit card companies like American Express handle disputed autorenewal charges with some ideas on what we can do about it.
Following TJX's major loss of credit card data last year, the company implemented a series of internal changes that were meant to make it more difficult for theft to take place again in the future. The only problem was that the implementation was not exactly ideal and at least one TJX employee identified this and made an effort to report the situation internally. When faced with no response from the company, he chose to release the information publicly.
Remaining platform and technology agnostic in Information Security is a progressively more difficult task as people and companies develop the skills and abilities to form professional fee-based relationships with the vendors that they previously reported about.
I've had the pleasure of speaking at and attending this year's AusCERT 2008 security conference held in Gold Coast, Australia. If you've never been to Australia, you're missing some of the best that life has to offer, and I feel the same way about the conference. Although a bit smaller than most US security conferences, it's intentionally kept small (around 1,000 participants) and makes up in quality speaker presentations and vendor participation what it lacks in headcount. One of the great attributes of the typical Aussie is their aversion to marketing hype, along with their ability to "cut the fat off a chicken" (as my grandmother used to say) and pull out the salient points. If a vendor tries to push marketing fluff about their product too much, they are likely to get verbally assailed rugby-style. Here are some of my favorite notes and quotes from selected speakers: