May 09, 2008 | Comments: (0)
One man's quest to fix the Internet
InfoWorld's Roger Grimes is a man on a mission: He thinks of nothing else but how to secure the Internet. Think that's an exaggeration? How many people do you know who "spent [their] honeymoon thinking and writing about a possible solution"?
In today's Security Adviser blog, Grimes gives a summation of two of his biggest ideas, which have independently ended up in other groups' proposals and standards.
He has also released a formal whitepaper entitled Fixing the Internet: A Security Solution that encompasses all his main ideas.
Posted by Caroline Craig on May 9, 2008 06:34 AM
May 05, 2008 | Comments: (0)
Stupid hacker tricks, part two
In this latest installment of "Stupid hacker tricks," Andrew Brandt takes a look at the follies of youth and finds the current generation of cyberschnooks have transformed themselves "from Those Neighborhood Kids Who Set Fires and Torture Small Animals into international menaces who destroy online communities, damage the reputation and utility of online services, and steal anything worth taking from the Net -- all while mangling the English language as thoroughly as possible."
Fortunately for the rest of us, "most are as sloppy and egotistical as we've come to expect from the young and delinquent, leaving a bread-crumb trail a mile wide for authorities to follow."
Check out the complete list of "Stupid juvy hacker tricks," and while you're at it refresh your memory of the original "Stupid hacker tricks" story for further tales of bone-headed cyberschnookery.
Posted by Caroline Craig on May 5, 2008 05:39 AM
April 25, 2008 | Comments: (0)
Be careful of transitive trust
Nowadays, even well-known, seemingly legitimate Web sites are prone to inadvertently hosting code that redirects visitors to a malicious site.
"Gone are the days when you could tell your end-users not to visit 'untrusted' Web sites to minimize their exposure to malware," Roger Grimes writes in Be careful with transitive trust.
Several recent studies have revealed that outsourcing development to third parties is responsible for the majority of Web site vulnerabilities of this sort, Grimes adds. "We've always known that contractors don't have the same intense commitment to a company as the company's own employees, and now we are seeing the results."
For that reason, "you should strive to measure transitive trust in every extending operation you're involved with."
Posted by Tom Sullivan on April 25, 2008 07:00 AM
April 18, 2008 | Comments: (0)
VMs are not more secure
Anyone who thinks VMs can be used to improve customers' security is, in the words of Roger Grimes, "either drunk on the marketing Kool-Aid, misinformed, or simply trying to misrepresent VM capabilities to sell more product."
In all but a small minority of cases, they will not improve your overall security posture, Grimes explains in Virtual machines are not really more secure.
"By their very nature, VMs have the same security risks as physical computers, plus they have additional guest-to-guest and guest-to-host security risks."
Posted by Tom Sullivan on April 18, 2008 05:31 AM
April 16, 2008 | Comments: (0)
Daily news beat for April 16, 2008
There's a reason we're losing the war on spam and it's not the anti-spam vendors. They're doing a decent job, though their advancements pale in comparison to the swelling ranks of spammers. But quelling the spam tide just might require shaking up the world of e-mail. Is it time for an e-mail tax?
Open Source Census, an effort to collect hard data regarding the implementation of open-source software around the world, kicks off on Wednesday.
Researchers find that some Web browsing and ad-blocking software introduce security vulnerabilities into pages, thereby making Web surfing more dangerous.
Hack the chip. It's a new technique for gaining unauthorized access to computer systems and it's not easy but it could be devastating and virtually undetectable. A malicious microprocessor opens new doors for attack.
And a slightly confused and bemused Robert X. Cringley weighs in on voting accidents and other avoidable tragedies. "Election fraud isn't limited to one party or one technology (see 1960 presidential elections, City of Chicago). But it's deeply troubling when one side says we can't afford to ensure free and fair elections or that voting machine manufacturers shouldn't be held accountable."
Posted by Tom Sullivan on April 16, 2008 10:45 AM
April 15, 2008 | Comments: (0)
The dangers of security that is secretly secure
During a merger, the plan seemed simple enough: a firewall between the parent company and the newly-acquired division would stay in place until the process completed.
As the day for turnover approached, problems arose when requested details did not come in from the outsourcer, but plenty of pictures, documents and diagrams did.
"I think this particular group adhered to the baffle-them-with-bull-stuff rule," our Off the Record author writes in Our security is secretly secure.
Eventually, our author asked for a "show tech" command to be run. "I knew we were in trouble when the people on the other end asked me to e-mail them the command so they could get the spelling correctly."
Three days later the outsourcer finally responded, insisting that it didn't share the output because it contained proprietary information.
"How can I possibly verify their proprietary configuration is indeed the rock solid policy they say it is without being able to actually examine it?"
Posted by Tom Sullivan on April 15, 2008 06:21 AM
April 11, 2008 | Comments: (0)
Daily news beat for April 11, 2008
Oracle says it will issue critical database patches next Tuesday to the tune of 41 bug fixes, including two for particularly nasty vulnerabilities in the database that can be exploited without a username and password.
A pair of Gartner analysts said that Windows is collapsing and Microsoft must make radical changes to its operating system – lest it be rendered a has-been.
Storage Networking World came and went this week and Fibre Channel over Ethernet, it appears, is now poised to change the rules of storage. FCoE catches fire at SNW.
Sun Microsystems foreshadows environmentally-friendly power management features for servers that allow customers to set usage policies such that a server could be tuned to either get the job done as fast as possible, or to take longer but burn fewer watts.
And Robert X. Cringely, in this Geek week in review, finds that the problem with Sequoia e-voting machines is worse than originally thought, while the U.S. Census Bureau turns back to paper and pencil after completely bollixing attempts to digitize its data collection process.
Posted by Tom Sullivan on April 11, 2008 09:39 AM
April 11, 2008 | Comments: (0)
Don't disable ActiveX, after all
Barely a week goes by without one or more ActiveX controls from various vendors being declared unsafe.
So Roger Grimes understands IT pros' collective caution. It's always a good idea to disable unneeded and unauthorized software.
"But running a browser without ActiveX enabled when other more reasonable alternatives exist is throwing the baby out with the bathwater," he writes in Don't throw out ActiveX or Java.
"Some people, rightly or wrongly, simply hate ActiveX. They've been burned before," Grimes continues. "But disabling ActiveX when you can prevent the unsafe controls from loading seems a little heavy-handed. Is JavaScript next?"
Posted by Tom Sullivan on April 11, 2008 06:25 AM
April 09, 2008 | Comments: (0)
Burned by Windows and Acrobat updates on same day
Microsoft's Patch Tuesday fixes came for Windows Server 2008 and, even though Randall Kennedy had previously disabled Automatic Updates, the patches went ahead and installed themselves.
Then the nagging messages about having to reboot started showing up, which Kennedy elected to postpone, until Windows decided that enough was enough and rebooted without his consent.
"This despite the fact that I was still actively typing at the keyboard! I was left to watch helplessly as my unfinished Web posting disappeared in a blur of closing windows and fading UI effects," Kennedy explains in Burned by Acrobat and Windows update -- on the same day.
And that's not all.
"Shortly after my system was forcibly rebooted, it hung solid. The culprit: Adobe Acrobat Reader."
Kennedy, in fact, had to revert to what he calls the infamous "ACPI override" technique.
"I'd like to assign sole blame to Adobe for the bug," Kennedy writes, "but the fact is that no application should be able to lock-up the Windows desktop in this fashion ... After all, nobody should be able to take-down a multi-million dollar server farm simply by loading a PDF document at the system console."
Posted by Tom Sullivan on April 9, 2008 11:53 AM
April 09, 2008 | Comments: (0)
Test Center guide: Mail security appliances
As e-mail security solutions evolve to handle a growing number of tasks, the products differ in technique, accuracy and ease-of-use.
"Appliance installation is generally a matter of setting basic network information and telling the appliance where to send e-mail once it's been filtered," Logan Harbaugh explains.
We test nine such appliances to find the best one for your business.
Read the full Test Center guide.
Posted by Tom Sullivan on April 9, 2008 06:32 AM
April 09, 2008 | Comments: (0)
Microsoft: A security force to be reckoned with?
Reporting from RSA Conference 2008, Matt Hines writes that Microsoft's "growing array of security tools is maturing quickly, and its burgeoning security business should be taken seriously by major rivals, including Symantec and McAfee, according to analysts."
Microsoft on Tuesday unwrapped a beta of Stirling, its forthcoming package of integration and management tools aimed at helping administrators gain firmer top-down control of their IT security infrastructure. Stirling marks the first opportunity for companies to begin driving their systems defense strategy using Microsoft technologies, company executives said in Microsoft security maturing fast.
Microsoft's security rivals, however, claim that the company's biggest selling point is also its greatest weakness.
In addition to the level of concern that most customers harbor about trusting the software maker to protect its OS, desktop, and infrastructure technologies -- especially in light of the security vulnerabilities frequently found in all of those products -- Microsoft's technologies don't address one of the biggest complexities of today's IT environment: heterogeneity, said John Thompson, chief executive of Symantec.
Are you ready to take Microsoft's security seriously yet? Talkback below.
Posted by Tom Sullivan on April 9, 2008 05:25 AM
April 08, 2008 | Comments: (0)
Lite might be right for cheap beer, but for data leak prevention technologies?
"Gateway device providers have begun preaching that the DLP capabilities in their security appliances can provide a much simpler approach to the same problem," Matt Hines writes in Is DLP 'lite' heavy enough?
While experts debate the extent to which the idea will catch on with customers, the appliance makers are already cashing in on demand for stripped-down DLP tools, Hines explains.
"Perhaps the biggest opportunity that messaging gateway vendors have to sell the concept is the huge effort that traditional DLP tools require in creating policies around data usage, proponents maintain."
Posted by Tom Sullivan on April 8, 2008 06:27 AM
April 04, 2008 | Comments: (0)
Daily news beat for April 4, 2008
A program director in IBM's Data Governance solutions unit explains why IT risk is opaque and that security executives need to practice more progressive risk management to get ahead of data breaches, malicious attacks and emerging compliance regulations.
Intel says it will issue anti-theft technology for laptops that, in the event of a stolen machine, will essentially lock down the system and the disk so that thieves cannot reach the data within.
With Windows Mobile 6.1, Microsoft takes a big step in managing enterprise handhelds; a new piece of code hooks into Microsoft's System Center Mobile Device Manager 2008 server application, which the company hopes will make handhelds as manageable and secure as PCs.
Michael Dell says that Dell layoffs could exceed initial expectations as the hardware maker plans to cut at least 8,800 jobs.
And this week's wrapup of tech's most important stories includes a raft of new gadgets landing at CTIA, a Mac getting hacked first at CanSecWest, Steve Wozniak talking technology, Intel's Atom processors, and more. Watch the video.
Posted by Tom Sullivan on April 4, 2008 07:49 AM
April 04, 2008 | Comments: (0)
4 tactics for educating users about security
"It's the applications, stupid."
Roger Grimes offers that as a banner to security pros and systems administrators.
If CanSecWest's hacking contest proved anything, it's that "Windows, Mac, and Linux zealots don't really have any more ammunition to attack each other after the contest than they had before," he writes in this week's installment of Security Adviser. "And the positive note was that none of the computers were felled by remote exploits, which, when they exist, can be devastating. That's good for everyone, no matter which platform you are partial to."
Yet client-side applications remain a problem, indeed.
"If your applications are unpatched, it is much more likely that simply visiting a Web site can silently infect your computer. And remember, visiting only well-known, legitimate Web sites is no longer a defense."
Grimes continues that the defenses are to make sure your systems are fully patched, both OS and applications, and to educate your end-users about client-side vulnerabilities. With that in mind, Grimes shares four tactics for educating your end-users.
Posted by Tom Sullivan on April 4, 2008 06:20 AM
April 03, 2008 | Comments: (0)
Daily news beat for April 3, 2008
After quietly showing it to users over the last few months, Microsoft plans to unwrap "Stirling" next week to offer administrators a single product that manages all of its security offerings.
The fact that deploying apps to the iPhone requires Apple's permission is, in the words of one industry CEO, "offensive to me." Oh yes, and there happen to be other technologies than the SDK for getting the job done. Exec touts developing iPhone apps without SDK.
AT&T Mobility's chief says that if customers want it, the carrier will offer Google's Android like any other OS.
High-profile data leaks, compliance measures, and ceaseless malware attacks push businesses to place greater emphasis on security testing tools and best-of-breed companies are riding that wave. But as IBM and HP get in the game, will there always be a role for smaller specialists?
And a technical loophole allows users to upgrade to Vista with Service Pack 1, and without the necessary prior editions. Psst. Wanna save $110 on Windows Vista SP1?
Posted by Tom Sullivan on April 3, 2008 10:39 AM
March 28, 2008 | Comments: (0)
Daily news beat for March 28, 2008
After the rules were relaxed a bit, it took Charlie Miller only 2 minutes to hack a MacBook Air and win it along with $10,000 in CanSecWest's hacking contest.
A speaker at Black Hat says that money will fuel mobile spying programs, and as more sophisticated developers get in the game, programs will be harder to detect.
Google search is behind most phishing sites, according to brand protection firm MarkMonitor, and some 750 Google search terms are used to find sites likely to have easily exploitable vulnerabilities.
Microsoft renames CRM Live to CRM Online, a change that one official says is intended to distinguish its consumer lines from its business offerings.
And in the latest geek week in review Robert X. Cringely meets a gin-soaked barroom queen, a well-endowed blond nymphomaniac, Comcast plays the role of Big Brother and Cringe, in an unusual moment of sincerity, asks that you visit Heal Emru and tell your friends about it. Emru Townsend has leukemia and wants your bone marrow if you're a healthy person under age 60 of West African descent.
Posted by Tom Sullivan on March 28, 2008 09:31 AM
March 28, 2008 | Comments: (0)
How a whitelist can save personal computing
When unique malicious programs outnumber unique legitimate programs, it makes sense to do something about it.
A whitelist is one option, Roger Grimes proposes in Can a whitelist save personal computing?
"In my thinking, the necessary whitelisting program would be heavily integrated with the underlying OS, work across multiple platforms, and intercept downloads and content execution of any type. This would include intercepting browser downloads, instant messaging transfers, p-to-p exchanges, installable programs, and locally loaded content (such as USB flash drives, CD-ROMs, and more). The program would have to intercept executable programs at the very least, but the best-of-breed program would also intercept content that could be used maliciously (JavaScript, ASP, Flash files, PDFs) and potentially cover Web pages and Web sites."
Posted by Tom Sullivan on March 28, 2008 07:49 AM
March 25, 2008 | Comments: (0)
Daily news beat for March 25, 2008
Mozilla's CEO has some harsh words for Apple, likening the Safari browser to malware, and calling Apple's approach to Software Update on Windows "wrong."
NEC breaks two TPC-E records with its Itanium server, but the company will only be boasting about one of them.
The Web site that nailed Vista SP1's RTM date, TechARP.com, now says that XP SP3 will ship during the second half of April. Related: How to Dump Vista SP1.
Security vendor FaceTime releases Greynet Enterprise Manager, the first security product to scan Skype's encrypted IM.
And criminals target CA's BrightStor in a new attack, just days after Microsoft warned of attacks against its Jet Database Engine.
Posted by Tom Sullivan on March 25, 2008 09:17 AM
March 21, 2008 | Comments: (0)
"Organized criminal groups are hacking Web sites by the tens of thousands to steal money, identities, and passwords."
Roger Grimes sets that stage for this week's Security Adviser column, Thousands of Web sites under attack.
"One of the biggest changes over the past year, as reported by Google and this column, is the inclusion of malicious advertisements on legitimate Web sites. Many legitimate sites end up unintentionally carrying advertisements from malware providers," Grimes explains.
There are ways to safeguard against such attacks, and Grimes offers some tactics. Don't underestimate the power of education, either.
"It's a new way of thinking, and most end-users haven't made the mental update, yet. You can help them."
Posted by Tom Sullivan on March 21, 2008 06:06 AM
March 19, 2008 | Comments: (0)
Remember that documentary that was designed to literally scare kids away from a life of crime by giving them a hard look inside a real prison? Scared Straight.
Applying a similar thought, Cisco Chief Security Officer John Stewart claims that the spoken word, not all the security tools at his disposal, is the most powerful tactic he has to get users to do their part in security.
"Stewart said that his practice of sharing gory details of the attacks that get leveled at the company's computing systems every day is one of his most effective means for pushing everyone in the massive firm to keep security on their minds as much as possible," Matt Hines reports in Scaring users into IT security.
"Each Friday, the company's senior executives are asked to join a call on which one of Stewart's 250 security staffers recounts the most dangerous attacks and incidents that have occurred at Cisco over the previous week."
Have any tales to tell that might scare users straight? Share them via the comments function below...
Posted by Tom Sullivan on March 19, 2008 10:33 AM
March 19, 2008 | Comments: (0)
Daily news beat for March 19, 2008
Apple issues a whopper of a security update replete with 90 fixes that may seem "frighteningly large."
The U.S. FCC closes its 700MHz spectrum auction after raising $19.59 billion; winners got the right to build wireless networks that operate in the given spectrum band.
Adobe Systems, meanwhile, unwraps rights management server software for protecting video content from, say, ending up on YouTube.
Google brings 'gadgets' to Google Docs' spreadsheets to give the ability to display data in new ways.
And Robert X. Cringely weighs in on Scientology, The China Syndrome and wiki ways. "Can't get wikis off my mind these days," Cringe muses. But there's still room in there for those protestors taking aim at China and the Church of Scientology.
Posted by Tom Sullivan on March 19, 2008 09:52 AM
March 18, 2008 | Comments: (0)
Daily news beat for March 18, 2008
Cybercriminals got away with an estimated 4.2 million credit and debit card records in one of the largest reported data heists from a retailer in U.S. history.
Sybase adds support for the iPhone to its Information Anywhere Suite, thereby enabling businesses to securely push Lotus Notes messages to iPhone users.
Intel says it will shrink Nehalem chips for laptops after initially targeting the architecture at servers and high-end desktops.
Toshiba and Samsung, meanwhile, rank atop Greenpeace's latest environmental report, which rates consumer electronics companies based on recycling practices and the toxic content of products.
JasperSoft claims to be the most widely-deployed BI tool, at least among open source offerings.
And experts speaking at the CSO Perspectives conference in Atlanta say that building an IT security team that stays focused on your organization's top priorities demands a mix of hiring, promoting, and training employees to maintain a desired level of corporate protection, all of which requires year-round attention.
Posted by Tom Sullivan on March 18, 2008 09:53 AM
March 17, 2008 | Comments: (0)
Even the best laid plans and efforts of the security-elite can crumble when any of these common mistakes are made.
Trusted partners wind up being anything but, a finger slip reveals company secrets, and employees give away passwords without thinking first. Those are just three of the Top 10 security land mines that plague enterprise IT shops.
"Security experts say that all are easily avoidable," Matt Hines reports. "And almost all can be done without spending one more dime."
Posted by Tom Sullivan on March 17, 2008 07:37 AM
March 14, 2008 | Comments: (0)
Geek week in review: AOL and Spitzer
Friday again and that means Cringely weighs in on the woes of the past 5 days.
This time around it's Geek week: AOL goes for younger breed, Spitzer girl gets ID'd. Poetic, no?
"All week long I've been biting my tongue about the Spitzer thing (which, as it turns out, is far cheaper than paying someone else to do it for me)," Cringe writes. "But now that the identity of the mysterious and highly priced 'Kristen' has been revealed, I've finally succumbed to temptation."
It's not all politics and kids, though. Cringe also hits on security vendor Trend Micro getting struck by a Web attack.
Posted by Tom Sullivan on March 14, 2008 09:45 AM
March 14, 2008 | Comments: (0)
Solving the unsolvable security problem
Security Adviser columnist Roger Grimes explains that frequently, even as much as once a week, someone will seek his counsel about an unexplainable problem they chalk up to malware.
A recent example is, "we upgraded the file servers for a particular application last week, and now we are having random printing problems. Do you think it might be a computer virus?"
“They seemed surprised when I tell them I don't know of a malware program that causes random printing problems on upgraded server applications,” Grimes writes in To solve the unsolvable problem. “What are they thinking?”
There is nothing random in the computer world, Grimes continues. “Ask any crypto programmer. They spend their lives trying to create realistic randomness but know it doesn't truly exist in the computer world. They can get to very good approximations of randomness, but true randomness does not exist.”
Posted by Tom Sullivan on March 14, 2008 06:35 AM
March 11, 2008 | Comments: (0)
Daily news beat for March 11, 2008
Networking giant Cisco says it will begin issuing firmware security updates twice yearly to patch IOS, starting this month.
Microsoft’s IE8 balks at Windows Update, meaning that it blocks access to the service, a fact that has confused users of the test-version browser.
Hewlett-Packard shows off future printing technologies, including Latex Ink and the InkJet Web Press, a printer that spits out thousands of pages per minute.
At least in the U.K., IT spending is likely to rise and a considerable portion of that will be allocated to Windows Vista and new hardware, according to a survey by the National Computing Centre.
And in Keeping up with Verizon’s sneakwrap changes, Gripe Line author Ed Foster opens with some comedy. “The fact that online service providers expect you to check in periodically to see if they've made any changes to their Terms of Service (ToS) is already an old, bad joke. But if you're in the mood for a really bad joke, take a look at what's involved in really tracking those changes even if you wanted to try.”
Posted by Tom Sullivan on March 11, 2008 10:27 AM
March 11, 2008 | Comments: (0)
Review: RedSeal Security Risk Manager
Where to begin with information security?
RedSeal SRM is one of a cadre of products designed to automate that analysis by arming IT managers with visual access into the risk state of their information technology, Steve Hultquist explains.
“With the growth of both the importance and the complexity of information technology within an enterprise, the implications for protecting and then managing the security of those systems are great. The challenge in doing that is very high,” Hultquist writes.
While Hultquist did register a pair of minor complaints, he explains that, “although the RedSeal product isn't cheap, organizations with networks large enough to take advantage of SRM should find it an affordable way to add critical security management functions to their administration suite.”
Posted by Tom Sullivan on March 11, 2008 07:59 AM
March 10, 2008 | Comments: (0)
What great security leaders are made of
Hint: It’s not just tech-savvy. That never hurts, of course, but a Forrester Research report on the topic uncovered some surprises -- namely that a strong moral compass is key.
"Having the integrity, the visibility, and letting people know that you as an individual will always do the right thing is of great importance when you are being trusted to protect a lot of sensitive information," Khalid Kark, a Forrester analyst and the report's chief author, is quoted as saying in How great IT security leaders succeed. "Before doing the research, I wouldn't have guessed how important this aspect might have been, even having managed security operations myself."
Senior writer Matt Hines reports that “other key attributes of the most successful CISOs include having the flexibility to look for creative solutions to problems and move quickly from one project to the next, remaining patient whenever possible, and running security as if it were a business unit.”
Posted by Tom Sullivan on March 10, 2008 06:43 AM
March 06, 2008 | Comments: (0)
Computer and network security is challenging enough. Making it worse, though, are data-leak prevention tools that are so tricky some customers, even after having them in place for years, are questioning whether DLP will ever manage to live up to its primary objectives.
“DLP tools may someday mature to the point where IT departments can more easily create enforcement policies that don't get in the way of day-to-day business,” Matt Hines writes in Data-leak security proves too hard to use. “Until then, DLP systems may be better suited for forensics purposes -- to analyze incidents after they happen and give IT a clearer view into how users actually work with the data they want to protect.”
Hindering DLP are many weighty realities: the time it takes to understand how an organization uses information, the volume and complexity of that information, establishing governance policies that address risks but doing so without writing rules that get in the way of daily business operations. And on and on.
Posted by Tom Sullivan on March 6, 2008 08:32 AM
March 05, 2008 | Comments: (0)
Admitting that the subtleties of the law sometimes elude him, the honorable Robert X. Cringely points out that a couple of recent court decisions raise big questions about anonymity and privacy on the Internet.
Wikileaks, obviously, is one. Spammer Jeremy Jaynes not being protected by the First Amendment is another that Cringely covers in Netaholics anonymous. And there’s the whole flap about Google and IP addresses.
“A Net where no one can ever be anonymous is opening the door even wider for Big Brother. Anonymous speech is obviously necessary for serious reasons. The Net would also be a far less interesting place.”
Posted by Tom Sullivan on March 5, 2008 08:44 AM
February 29, 2008 | Comments: (0)
Security development lifecycle trumps code complexity
As software becomes more complex, security only becomes more difficult. More lines of code, indeed, bring greater potential for bugs. At least, that's one side of the debate.
"In general, I wholly believe in this axiom, but it doesn't always have to be true. In fact, there is empirical evidence that better coding practices can more than offset the complexity argument," Roger Grimes explains in this week's installment of Security Adviser.
That's where Security Development Lifecycle, SDL for short, comes into play.
SDL is a practice that has worked well at Microsoft, continues Grimes, who is a full-time Microsoft employee, and he offers statistics not just to inflame anti-Microsoft zealots, but to promote two points.
First, increasing complexity doesn't have to mean more vulnerabilities and, second, it's time for developers not using SDL to get on it.
"If you want to improve your company's security programming, teach SDL and build it into the company culture. It might take a little while to get the ship turned around, but once you do, the results are tangible, and they'll benefit everyone."
Posted by Tom Sullivan on February 29, 2008 06:17 AM
February 22, 2008 | Comments: (0)
Social networking and the long con
It's back: the long con.
Social networking sites, such as Facebook and MySpace, are proving to be fertile ground for cybercriminals.
Not only can they launch malware and adware schemes, but attackers can also "start running long cons on people through which they can play on sympathies to distribute malware or infiltrate an organization to hold data for ransom," said Michael Whitehurst, vice president of global support with Marshal, a maker of Web and e-mail filtering technologies.
Which means the time is nigh for IT to enact, and enforce, protection policies. "Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim," said Paul Henry, vice president of technology evangelism at network gateway maker Secure Computing. "Most companies are barely providing sufficient protection in the context of Web 1.0."
Posted by Tom Sullivan on February 22, 2008 10:19 AM
February 22, 2008 | Comments: (0)
Why security will only get worse
Roger Grimes clearly remembers, though it was a decade ago, security guru Bruce Schneier telling him that computer security was only going to get worse.
"This was in the face of increasingly accurate antivirus programs, improved patch management, and solid improvements in OS security across all platforms," Grimes explains in Computer security's dubious future.
Now, Grimes poses the same question to Schneier. "Computer security is not likely to improve in the near future because of two reasons ... The overarching reason for both of these trends is complexity. Complexity is the worst enemy of security; as a system gets more complex, it gets less secure."
Posted by Tom Sullivan on February 22, 2008 05:58 AM
February 22, 2008 | Comments: (0)
The first edition of Hacking was a best-seller, at least according to the publisher.
Martin Heller picked up the second edition and, when he finished, "put it down with mixed feelings," he writes in this mini-review.
Posted by Tom Sullivan on February 22, 2008 04:10 AM
February 15, 2008 | Comments: (0)
FIPS key to working with gov't
If your product or service is not FIPS compliant/certified, the government can't use it, Roger Grimes explains.
He adds that many security standards, including the new Federal Desktop Core Configuration requirement, insist that participating computers be FIPS compliant. What's more, FIPS-enabled computers can only connect to Web sites with FIPS-compliant ciphers for SSL/TLS.
That said, there is a common confusion point between FIPS certified and FIPS compliant.
"If Web sites fall under your control, make sure they are FIPS compliant, or soon tens of millions of customers will not be able to access them."
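One way to act on that advice is to check which cipher suites a site offers against the FIPS-approved primitives before a FIPS-enabled client refuses the connection. The following is an added example written for this digest, not code from Grimes' column; the rule set is the author's own reading of the FIPS 140-2 approved-algorithm list (AES and 3DES for bulk encryption, the SHA family for hashing, RSA/ECDSA/DH/ECDH for key exchange; no RC4, RC2, single DES, MD5, NULL, export, anonymous, SRP, ChaCha20, Camellia, SEED or IDEA) applied to OpenSSL-style suite names, and the sample suite list is constructed. It is a first-pass screen, not a replacement for the validated module's own list.

```python
"""Sort TLS cipher suites into FIPS-approved and non-approved.

Added example for this digest, not from Grimes' column. The rules below are
the author's summary of the FIPS 140-2 approved-algorithm list applied to
OpenSSL-style suite names; treat the result as a first-pass check only.
"""
import re
import ssl

# Tokens that disqualify a suite (assumption: author's reading of FIPS 140-2 Annex A).
NON_APPROVED_TOKENS = {
    "RC4", "RC2", "MD5", "NULL", "EXP", "EXP1024", "ADH", "AECDH", "SRP",
    "CHACHA20", "POLY1305", "CAMELLIA", "SEED", "IDEA", "GOST",
}


def _tokens(name):
    """Split 'ECDHE-RSA-AES128-GCM-SHA256' or 'TLS_AES_256_GCM_SHA384' into parts."""
    return set(re.split(r"[-_]", name.upper()))


def fips_ok(name):
    """True if every primitive named in the suite passes the rules above."""
    tokens = _tokens(name)
    if tokens & NON_APPROVED_TOKENS:
        return False
    # Single DES ("DES-CBC-SHA") is out; triple DES ("DES-CBC3-SHA") is in.
    if "DES" in tokens and "CBC3" not in tokens and "3DES" not in tokens:
        return False
    return True


def classify(names):
    """Split a list of suite names into (approved, rejected), order preserved."""
    approved = [n for n in names if fips_ok(n)]
    rejected = [n for n in names if not fips_ok(n)]
    return approved, rejected


def local_non_fips():
    """Suites the local OpenSSL would offer that the rules reject (no network needed)."""
    ctx = ssl.create_default_context()
    return classify([c["name"] for c in ctx.get_ciphers()])[1]


# Constructed sample: the kind of list a server might advertise.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "DES-CBC-SHA",
    "EXP-RC2-CBC-MD5",
    "ADH-AES256-SHA",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "NULL-SHA256",
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_SUITES)
    print("approved:", ok)
    print("rejected:", bad)
```

The check accepts 3DES because it was an approved algorithm when Grimes wrote; NIST has since deprecated 3DES for encryption, so a current deployment should drop the CBC3 suites as well. `local_non_fips()` runs the same rules over what the local OpenSSL build would offer, which is a quick way to see what a FIPS-enabled client will lose.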
Posted by Tom Sullivan on February 15, 2008 05:43 AM
February 14, 2008 | Comments: (0)
Spam and malware are for lovers
The Valentine's Day assault has become something of an annual tradition.
So this year Matt Hines rounds up all the "threats that may assail you on this day of lovers and lechery."
And there are plenty of them. It's not just the CyberLover attack; this year's list is long and distinguished.
"Rather than assuming that some long-lost love, or someone still close to your heart has put together a gripping tribute detailing their affection for you via e-card, e-mail or Web link ... think twice before opening anything unsolicited, because there's a good chance that it's a trap," Hines advises.
Gotta love the romance.
Posted by Tom Sullivan on February 14, 2008 11:17 AM
February 13, 2008 | Comments: (0)
Daily news beat, Feb. 13, 2008
One day before the Hallmark holiday, a new Storm worm is whirling around the 'Net, trying to lure users with the promise of a card to download. Not quite as bloody as Al Capone's St. Valentine's Day Massacre, this modern attack will try to steal personal information from your PC, disarm security defenses, and tap it to send millions of junk e-mails, at least according to Symantec.
Attendees at Microsoft's Office developer conference this week are learning how to leverage new capabilities in Office System, including the ribbon-based Fluent UI. But even those drinking the KoolAid and calling the development platform "excellent" are finding some difficulties.
The E.C.'s raid of Intel's Munich offices is but the latest instance in related cases facing the chipmaker over the past two decades. It all began in 1990 when microprocessor maker Cyrix accused Intel of unlawful exclusionary practices. Intel and antitrust: A brief history.
This week's Blackberry service outage, the second such disruption in less than a year, has given RIM a black eye. Analyst house Gartner, in fact, told its clients not to rely on Blackberrys alone for critical e-mail.
Since yesterday was Patch Tuesday, Microsoft marked the occasion with a massive set of fixes addressing 17 flaws, including the known ActiveX bug, and others that affect XP, Vista, Server 2003, Office and Word.
And the now ubiquitous markup language XML turns 10. As such, the W3C is planning to honor the year XML was first recommended as a specification by distributing related items at events, and posting a video series of interviews with people in the XML community.
Posted by Tom Sullivan on February 13, 2008 10:29 AM
February 13, 2008 | Comments: (0)
Cringely sides with founding fathers, not customs officers
Myriad international travelers are being greeted with the phrase "show me your laptop" at U.S. borders. Too many, indeed, for Robert X. Cringely's comfort.
"As security wonk and former federal prosecutor Mark Rasch notes, the dangers from this kind of digital body cavity search are far reaching," Cringe reports in Borderline illegal: Your laptop is not your own.
Gripe Line guru Ed Foster also wrote about the same topic earlier this week, in Laptop searches and insecure borders, essentially seeing fit to ask: even if security is a top priority, "does that mean when entering the country we must all submit to a search not only of what's in our luggage, but what's in our heads?"
To Cringe, it all comes down to yet another question. "What do you trust more, the US Constitution or the US government? When in doubt, I tend to side with the founding fathers ... they enacted laws that put the rights of individuals on at least a par with the rights of the state."
Posted by Tom Sullivan on February 13, 2008 09:57 AM
February 11, 2008 | Comments: (0)
On laptop searches and insecure borders
While most everyone would agree that we need to more competently secure our borders, Ed Foster asks, "does that mean when entering the country we must all submit to a search not only of what's in our luggage, but what's in our heads?"
Foster continues that, "at least in some circumstances, it would seem that being forced to divulge information inside your head, like a password, is not constitutional. On the other hand, Customs officials often make the argument that searching a laptop is no different in essence than going through the contents of a briefcase," he explains in this Gripe Line post.
Naturally, the underlying issues in this are very big, and very knotty, to be sure. "We can all agree those who protect our borders need the right to see what anyone is bringing into the country, but how do we keep them from trying to see what's in our head as well?" Talkback via the comments function below, or at Foster's blog by following the above link.
Posted by Tom Sullivan on February 11, 2008 07:48 AM
February 08, 2008 | Comments: (0)
SaaS: The future wave of security
Security: The software-as-a-service model has been spreading throughout other areas of IT and, now, is becoming nothing less than the future of security, so say executives from McAfee, Symantec and Trend Micro. "IT budgets are not growing, but the threats and regulatory demands are, and customers are finding themselves thin on resources," according to Jeff Hausman, Symantec's senior director of product management as quoted in Security by subscription. "SaaS will be a great way for businesses to save on infrastructure and maintenance costs while improving protection."
SOA: The discussion around SOA governance continues at David Linthicum's blog, where some fellow SOA pros agree and others push back against his spin on nailing down a definition, or two, for SOA governance. "SOA governance is indeed something you do, and there is some good technology supporting the notion," he writes in this Real World SOA entry. "That technology has certain emerging patterns that allow you to better define the features and function of the tools." Related: Defining SOA governance.
Data management: Database and insurance are not exactly two words that go together naturally, which is all the more reason to examine the concept. "DBAs are an insurance policy. Sure, they're there to guide your data efforts, but they're mainly there in case of a serious disaster," Sean McCown writes in Database insurance. "Be mindful of the type of DBA you have in your shop, however. If you want someone to work on all the projects and do lots of coding, etc., then you want a database dev, not a DBA. DBAs are systems folk."
Save Windows XP: Sign the petition.
Posted by Tom Sullivan on February 8, 2008 04:48 AM
February 04, 2008 | Comments: (0)
Security: This mini-guide can help you start down the road to getting a handle on authentication. Education is the first, and plays a role in the second, of the six steps of authentication. First, educate everyone about the problem, Roger Grimes writes, then educate them about the various authentication components. Naturally, from there, set the strategy. "Even if you can't help your company work through all of these steps, you've improved security and lowered risk just by getting your colleagues, employees, and management to think about AAA in a strategic way. At least it will be on the radar as a consideration, versus the growing deck of cards that keeps you up at night."
Tech Analysis: Microsoft has more reasons to swallow Yahoo than just its advertising and portal business. "Such an acquisition could help Microsoft execute its software-plus-services strategy for delivering business apps over the Internet faster and better," Galen Gruman reports in The real reason Microsoft wants Yahoo. And, of course, Microsoft wants Yahoo to better compete with Google when it comes to search.
Gripe Line: Should early termination fees still apply when the cellular service becomes unusable due to the provider? "That's what one T-Mobile customer has been wondering," Ed Foster reports in T-Mobile tower topples but termination fee still stands. The reader, a longtime Verizon customer, switched her whole family to T-Mobile, and everything worked okay for the first month or so. Then calls started dropping. Service got less and less and less. A tower was lost and so was the coverage. "In spite of having acknowledged they're missing a tower, T-Mobile officials would not give an inch on the termination penalties." The upshot? T-Mobile is no longer the one providing her service. "But I still have to pay them," she writes.
Storage: The Storage Bridge Bay Working Group announced SBB 2.0, a set of specs for storage devices and components. "For vendors, they are fast proving essential," Mario Apicella reports in this Storage Insider installment. Thus far, of course, such interoperability remains what Apicella describes as incidental and dependent on backroom deals. "Although these specs won't make future devices vendor-agnostic, compared with the original set, they will favor injecting new technologies, creating incentive to move away from dated, less efficient products."
Posted by Tom Sullivan on February 4, 2008 04:47 AM
January 30, 2008 | Comments: (0)
Tapping herd intelligence to take on malware
Security: Our own reporter Matt Hines appeared on the radio show Homeland Security Inside & Out, discussing his article about herd intelligence and malware. "The idea of herd intelligence is to essentially turn the end-point into a monitoring station for new viruses and to report them back to antivirus vendors to help them keep an eye on the latest and greatest attacks. It's a very new idea." Mr. Hines is the first to be interviewed, and other guests include none other than the man who conquered smallpox. Related: Herd intelligence benefits IT security.
Notes from the field: Robert X. Cringely is singing today, and the tune is Happy Birthday -- to Windows Vista. "It was one year ago today that Microsoft foisted Windows Vista onto a wary world. (OK -- OEMs and enterprises had Vista foisted on them in November 2006, but January was the 'big launch' for most of us)," Cringe writes. Recall Microsoft's "The wow starts now" slogan, but Cringe asserts that in hindsight, "January 30, 2007 was more like the 'When Started Then.'" Happy Birthday Vista? Microsoft claims roughly four out of ten new machines shipped with Vista, but back in XP's first year it shipped in nearly 70 percent of PCs. "Microsoft has finally figured out what it takes to earn respect for one of its operating systems: release a new one that sucks harder than the last." Related: Save Windows XP. Sign the petition.
The news beat: ICANN considers a proposal to stop domain tasting, the seedy practice of purchasing thousands of domain names and watching to see which ones get searched for in hopes of then selling those to the interested party at a profit. Stanford's Linear Accelerator Center, aka SLAC, adopts Sun's datacenter-in-a-box for extra capacity. And SAP's profit drops 6 percent for the fourth quarter, a loss the company attributes to new offerings.
Show of the week: Demo 2008 Tomorrow's tech today. Demo's got 77 demonstrators all vying for VC and investment funding for what they hope will become the next big thing. (Full Disclosure: Demo is owned by IDG World Expo, the parent company of InfoWorld.)
Posted by Tom Sullivan on January 30, 2008 10:23 AM
January 10, 2008 | Comments: (0)
Outing open source security flaws
Security: Indeed, they're in there: security holes and vulnerabilities lurking throughout open source programs. Source code analysis specialist Coverity, in fact, has unearthed some 7,800 such defects since kicking off its investigation, under contract from the U.S. Department of Homeland Security, in March 2006. Those flaws span 11 major open source projects, including Amanda, Perl, PHP, Python and Samba, to name the best known. "DHS got involved in the process and awarded the contract under the idea that the work to secure major open source platforms would improve the overall security of businesses and organizations using the involved programs -- including the U.S. government," Matt Hines reports in this Zero Day Security entry. Coverity is finding new holes hourly, according to one official.
The news beat: It appears that Yahoo is testing support for OpenID, the authentication standard that could mean surfers no longer have to remember myriad passwords. Vendors including Dell, Hewlett-Packard and Sony are banding together to ease recycling costs on users via a proposed legislative mandate to make reuse and recycling of electronics products the highest priority during the manufacturing process. The EU drops its antitrust probe against Apple after the company agreed to cut the price of music downloads from iTunes in the U.K. And new rootkit Trojan.Mebroot uses old tricks to hide itself from antivirus software.
Ongoing coverage: Geek's Guide to CES.
Columnist's corner: Running cable without a clue sounds like a bad idea but, as our Off the Record author found, it was more common than one might think. Back in the day, that is. "It was the 90s, by the way, which explains why the entity I worked for was still doing all token-ring networking. It wasn't until much later that IBM even acknowledged the existence of Ethernet -- and our CIO wore Blue underwear." Oh, that's only the beginning. One of the company's campuses was begun in the 40's, and standard practices of the ensuing decades came back to haunt. Our author tracked one user's problem back to a 600 pair feed cable AT&T had spliced into a Y to continue to another wing of the building. "I had to open a 600 pair splice case, tone out which 25 pair Y splice bracket carried her connection, and snip off the other leg of the Y."
Posted by Tom Sullivan on January 10, 2008 04:48 AM
January 09, 2008 | Comments: (0)
New to our site: As security information management products and practices become more accepted in the enterprise, Curtis Franklin explains, so too has the need to understand criteria for selecting SIMs. "It's important to briefly consider the difference between SIM, SEM, and anomaly detection software," Franklin recommends before proceeding to outline just such criteria, including ease of installation and configuration, what it takes to share information with other applications, and how long you can look at highlighted incidents, just to name a few. Buyers' Guide: Security information management also features a directory of SIM vendors and their solutions. Related Test Center review: Symantec SIM brings friends.
Careers: Leave it to Nick Corcodilos to find the link between a job and a heart attack. "If you wait til the last minute, you're almost begging for great pain and a bad outcome," he writes in Is there an emergency exit? "The only [one] when you lose your job is the front door. If you have another job waiting, that's great. But, if you don't, what matters is where you will go in the meantime. Are there people out there who would quickly refer you to their boss -- because they already know your value? Would you want to start asking around for a good cardiologist while your heart is going into arrest?"
Ongoing coverage: Highlights from CES 2008.
Best of the blogs: In reaction to Microsoft's $1.2 billion move for Fast Search and Transfer, Bill Snyder espouses that Microsoft is trying an end run around Google. And a hefty one at that, weighing in at 5.9-times Fast's sales and 5.5 percent of Microsoft's cash reserves. Google, of course, dominates search but since "the deal has obviously been cooking for a while, we may not have to wait too long to see how much of a difference it will make." Related news: Microsoft bids to buy Fast Search and Transfer.
Posted by Tom Sullivan on January 9, 2008 05:17 AM
December 18, 2007 | Comments: (0)
The motivations of busted botnet barons
Security: The FBI Bot Roast II operation snagged eight people who had committed a broad range of online crimes -- but, quite naturally, it did not reveal much beyond the nature of the activities. "When InfoWorld decided to dig a little deeper, we found that the motivations of each perpetrator were far richer, and the nature of the crimes more complex, than a simple rundown of their rap sheets could express," Andrew Brandt writes in True crime: The botnet barons. Take the Tacoma, WA man who gave an FBI agent access to a botnet which, it turns out, included an infected computer belonging to the Justice Department's Antitrust division. Another, Gregory King, was motivated by vengeance after CastleCops deleted some of his message board posts. One more: Azizbek Mamadjanov, whose "crimes fall about as far to the fringe of what's considered a cybercrime as you can get -- in this case, it was clearly a fraud that was simply enabled by the use of stolen online banking information."
Careers: An edgy reader writes to Bob Lewis asking what to do when you've heard you're being replaced. Worse, the company has historically been known to send people packing, sans severance package, with a "Here's your last paycheck. Good-bye." The first thing to do is revisit the very nature of working for an employer. Next, be certain that what you've heard is not mere rumor. If you're positive, "quietly and discreetly start an intensive search for a new position at a different company." But if not, talking to your boss, without anger or accusation, ought to paint a pretty clear picture of what is or is not happening. "The only measure is your personal benefit, and you don't benefit from a confrontation."
Hardware: To the notion that chip vendors are unreliable, John West asserts, "this ain't news. Each of the chip manufacturers has missed schedules and shipped bad products in some years while others have had great years." The latest mishap, of course, is AMD's delayed Barcelona, due to a TLB bug, as well as the SPEC yanking all Opteron benchmark results and AMD's underestimating of the chip's power draw. "None of this is such a big deal for the desktop consumer." But West explains that when chip makers mess up the fundamentals, the future of big compute suffers. "This model is fundamentally broken. The real cost of these mistakes is borne by the system vendors, and by the HPC community."
Posted by Tom Sullivan on December 18, 2007 05:14 AM
December 10, 2007 | Comments: (0)
Amazed at innovation of the bad guys
Security: Spending a week in Silicon Valley visiting with companies there has Matt Hines explaining that "things are currently thriving in the SV region -- and the security segment certainly seems to be no exception." While that is a good sign for the industry, Hines also found that, "threats continue to get scarier and stealthier. We've been writing about this trend for years, but after you spend a few days briefing with the experts about issues like botnets and polymorphic, targeted malware attacks, you can't help but feel a little more paranoid and amazed at the innovation of the bad guys." IT security fear and grow-thing in Silicon Valley. "The biggest takeaway from the entire week is that the security sector is amazingly vibrant, fast-moving and full of some of the most unabashedly brilliant individuals you could ever care to interview."
From the InfoWorld Test Center: Calling it "boring as hell," Randall Kennedy explains that, "Microsoft Office Live Workspaces has to be one of the most anti-climactic releases of the past decade." Why? Well, "not only does OLW do nothing really new, it doesn't even do what it does as well as other, competing solutions." Take Live Documents, for instance. This freebie from InstaColl makes OLW appear decidedly pedestrian, Kennedy adds. "Perhaps I’ve been spoiled. There are so many great Web services solutions out there -- most of them free like OLW -- that my expectations keep getting nudged higher and higher." Read the full review.
The news beat: Borland says it will blend business intelligence and application lifecycle management with new products that focus on business management and collect data gathered by tools from open source projects and different vendors. RIM, Yahoo and JetBlue band together to offer in-flight Wi-Fi and instant messaging such that customers will be able to use laptops and Wi-Fi phones to access customized e-mail and IM. And CompUSA said it will start winding down its retail operations as the investment firm that acquired it is looking to sell its assets.
Posted by Tom Sullivan on December 10, 2007 04:43 AM
December 06, 2007 | Comments: (0)
U.S. gov't data rights and wrongs
Notes from the field: The Feds are all over our personal information, "but when it comes to data generated by and for the White House, privacy and secrecy are the watchwords." Data rights and wrongs. Think White House attorney Scott Bloch, who called in Geeks on Call when a virus was destroying the files on his PC but, it appears, before letting them loose copied personal files to a thumb drive and now refuses to turn those over to investigators. "What's ironic is that Bloch's investigation ties directly into a bunch of other data discrepancies – including how the White House 'misplaced' 5 million emails when it upgraded from Notes to Outlook, and the use of non-official email addresses to either a) avoid Federal record keeping laws, or b) avoid violating the Hatch Act, depending on whose story you believe." Oh yes, and the plot keeps getting thicker.
App dev: Microsoft's Volta, just posted as a technology preview, is a new methodology for creating Web applications. "Instead of deciding on your architecture at the beginning, building the tiers and tying them together, you start by building a .NET client application, then designate components to run on the server and client tiers later in the cycle, and let the tool generate the plumbing for you," Martin Heller explains in Volta: Web development by tier-splitting. "The tag line is 'Web development using only the materials in the room.' Why do I keep looking around for Heidi Klum?" Related news: Microsoft offers Volta preview for Web apps development.
Careers: Don't interview. That's Nick Corcodilos' advice for employment-seekers. "Job interviewing is so over-defined an activity that it's a joke," he writes. "Don't interview. Talk about your work. Heck, do the job in your meeting. Anything but a dopey job interview." Instead, he recommends, come up with a new model. "You've gotta be free to tell stories about the work you do without notes, and you've gotta focus on your audience -- not on your resume. Don't interview. Entertain from the heart."
Posted by Tom Sullivan on December 6, 2007 04:38 AM
December 04, 2007 | Comments: (0)
Giving users control of identity
Special report: Despite federation's alluring promise, legal and governance issues have been holding it back. "In many places, such as your company Web site, federation just isn't possible using traditional methods," Philip Windley explains. That's where the notion of 'user-centric identity' comes into play. "The key to this burgeoning revolution in identity is the fact that the technology places employees, clients, partners, and customers in the driver's seat when it comes to relaying their identity." Federating identity for the Web. As with many technologies, user-centric federation faces something of a battle to win widespread adoption in the enterprise. On the standards front, it comes down to CardSpace and OpenID. And it's not too early to start exploring, Windley urges. "You can use both OpenID and CardSpace now on a variety of sites on the Web. If you really want to get your hands dirty, good libraries and toolkits are available for CardSpace and OpenID." Related podcasts: An identity layer for the Web, and User-centric identity in the enterprise.
Sustainable IT: Emerson Network Power issued as a free download a how-to guide it calls "Energy Logic: Reducing Data Center Energy Consumption by Creating Savings that Cascade Across Systems." Ted Samson calls it "an impressive piece of work" that outlines ten interrelated technology strategies that comprise a holistic approach to improving datacenter efficiency. The report starts at the server component level, moves on to power supplies, then power-management software, server virtualization, and so on. Emerson delivers free blueprint for building power-efficient datacenter.
Posted by Tom Sullivan on December 4, 2007 04:55 AM
December 03, 2007 | Comments: (0)
Begin RBAC, strengthen security
Security: "Good computer security is driven by role-based, least-privilege access control," Roger Grimes begins GO RBAC now. That's RBAC as in role-based access control, a practice introduced in 1992 but still in its infancy on most platforms. "If you don't have a role-based security model, you should start researching it and strive to move to RBAC, if only a tiny step at a time. You can start by defining your access control security groups by roles instead of departments. Don't designate HR, IT, and accounting security groups; instead, create security groups for each department based on their roles. Look to your company's organizational chart or job descriptions if you need a beginning point."
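What Grimes' "tiny step" looks like in code: roles named for job functions rather than departments, each carrying only the permissions that function needs, with role inheritance and a separation-of-duty rule so that the person who enters a payroll change cannot also approve it. This is an added example written for this digest, not Grimes' own code, and the roles, permissions, users and exclusivity rule are constructed.

```python
"""Role-based, least-privilege access control: an added worked example.

Illustrative code written for this digest, not Grimes' own; the roles,
permissions, users and the separation-of-duty rule are constructed.
Roles are named for job functions (what a person does), not for the
department that employs them, and each role carries only the permissions
that function needs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str      # e.g. "read", "write", "approve"
    resource: str    # e.g. "payroll", "tickets"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)  # roles whose permissions this role inherits


class RBAC:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> set of role names
        self.exclusive = []    # pairs of roles one person may never hold together

    def add_role(self, name, permissions=(), parents=()):
        self.roles[name] = Role(name, {Permission(*p) for p in permissions}, set(parents))

    def forbid_together(self, role_a, role_b):
        """Static separation of duty: the same user may not hold both roles."""
        self.exclusive.append((role_a, role_b))

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for a, b in self.exclusive:
            if {a, b} <= held | {role}:
                raise ValueError(f"{user} may not hold both {a} and {b}")
        held.add(role)

    def effective_roles(self, user):
        """Expand inheritance: holding a role implies all of its parents."""
        seen, stack = set(), list(self.assignments.get(user, ()))
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.roles[r].parents)
        return seen

    def permissions_of(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.roles[r].permissions
        return perms

    def is_allowed(self, user, action, resource):
        # Default deny: anything not granted through a role is refused.
        return Permission(action, resource) in self.permissions_of(user)


def build_example():
    """Constructed policy: function-based roles instead of an 'HR group'."""
    rbac = RBAC()
    rbac.add_role("employee", [("read", "directory")])
    rbac.add_role("payroll-clerk",
                  [("read", "payroll"), ("write", "payroll")], parents=["employee"])
    rbac.add_role("payroll-approver",
                  [("read", "payroll"), ("approve", "payroll")], parents=["employee"])
    rbac.add_role("helpdesk",
                  [("read", "tickets"), ("write", "tickets")], parents=["employee"])
    # The clerk who enters a payroll change must not also be the one who approves it.
    rbac.forbid_together("payroll-clerk", "payroll-approver")
    rbac.assign("alice", "payroll-clerk")
    rbac.assign("bob", "helpdesk")
    return rbac


if __name__ == "__main__":
    policy = build_example()
    print(policy.is_allowed("alice", "write", "payroll"))    # True
    print(policy.is_allowed("alice", "approve", "payroll"))  # False
    print(policy.is_allowed("bob", "read", "payroll"))       # False
```

The contrast with a department-based "HR" or "accounting" group is that a department group bundles every permission anyone in the department has ever needed, so the least-privilege question never gets asked; with roles, each grant has to be justified by a function, and the exclusivity rule is checkable at assignment time instead of being a policy on paper.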
Gripe Line: A reader who is more in tune with Internet fraud than HSBC alerted the bank after selling an item on Craigslist for $75 and receiving a $2,150 payment. "I knew I was dealing with a fake check. That's not unusual, or even disturbing. It's expected. What was not expected was the response I received when trying to report this fraud." Cash fraudulent check, HSBC says. Check overpayment scams typically result in the seller ultimately being liable for the full amount. Even still, HSBC told him to deposit the check and see if it cleared -- thereby recommending he commit a felony. "'Well sir,' they said 'we can't tell you if it's fake or not until you deposit it.'" So he contacted Craigslist about it, but to no avail. The only company to show any interest was UPS, which delivered the check. "Now I'm wondering who's the bigger fool -- the person who falls for these scams, or the person who tries to fight back." Seen an Internet scam we all need to know about? Talkback below or via the link above.
Storage: What with the constant flux of software and hardware updates, the outcome of even the best-laid business continuity strategies is anything but certain, and "an overlooked change could cripple your business in the event of a disaster," Mario Apicella writes. But you can error-proof your disaster recovery plan. Continuity Software's RecoverGuard is one such option. "I liked just about everything I heard and saw during my briefing and demonstration with Continuity Software, including its assessment challenge -- a sort of gauntlet thrown at your current DR procedure."
Posted by Tom Sullivan on December 3, 2007 04:37 AM
November 28, 2007 | Comments: (0)
Spyware, not virus or worm attacks, takes malware crown
Security: A Computing Technology Industry Association (CompTIA) survey found that 55 percent of respondents experienced larger numbers of spyware attacks over the last 12 months as other threats have cooled -- though the organization advised companies against becoming complacent about any types of attack. "Asked to identify the types of security attacks they expect to be most troubled by in three years time, viruses and worms (20 percent) still topped the list, followed by spyware (14 percent), wireless threats (9 percent), e-mail-borne exploits (9 percent), phishing (5 percent) and issues related to remote access (5 percent)," Matt Hines explains in this Zero Day Security entry. CompTIA also found that respondent companies "plan to increase spending across all areas related to security."
Best of the blogs: It was the peak of those glory days known as the dotcom boom. Naturally, the travel agency our Off the Record author worked for was gobbling up Mom-and-Pop shops "from Seattle to Miami." So they sent him up to evaluate a recently acquired one in Seattle that boasted a supposedly superior IT guy, Eric. "This was a true IT operation," and Eric "took time to give me specifics on the networking setups, spanning tree-enabled or not, and their redundant setups. He also described each server and its function," enough to impress. Until our author suggested sliding an NT4 box into the bottom rung of a rack, to which Eric laughed, snickering that would make the e-mail slow, really slow. "See, data flows faster downhill. You should always put servers at the top of a rack with switches below." Eric wouldn't budge on this, either. No joke. A call to the team leader later, and Eric was out. "We unearthed thousands of problems (virus, file corruption, and so on) and a nice stash of porn on those Windows 95 servers as we converted them."
The news beat: Dell targets the enterprise with new multi-core workstations that also feature multithreading capabilities. Microsoft thus far won't confirm a proxy configuration flaw, discovered by a hacker, that appears to exploit an eight-year old hole in Windows. The One Laptop Per Child program gets slapped with a lawsuit by a Massachusetts company, Lagos Analysis, claiming patent infringement. And, according to a new report from the Ponemon Institute, the cost of data breaches keeps rising.
Posted by Tom Sullivan on November 28, 2007 10:35 AM
November 19, 2007 | Comments: (0)
Simple steps to protect against outside threats
Security: While end-users certainly get their share of attention for presenting enormous danger to your networks, outside threats are real and many. "The idea that a remote attacker can launch a series of bytes against your computers, then gain control over them, always brings the greatest fear to administrators," Roger Grimes espouses in Protect against external threats. But you can take action, beginning with inventorying your network, then disabling unneeded services, just to get started.
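The first two of Grimes' steps, inventory the network and disable what is not needed, start with knowing what each host is listening on and whether that listener is reachable from outside. The following is an added example written for this digest, not code from Grimes' article: it parses `ss -ltnp` output (Linux; the sample below is constructed in that column layout), skips loopback-only listeners, and reports every externally bound service that is not on an allowlist of expected port-to-process pairs. The allowlist and host are assumptions for the example.

```python
"""Inventory listening services and flag the ones an attacker can reach.

Added example for this digest, not code from Grimes' article. Parses the
output of `ss -ltnp` and compares every listener bound to a non-loopback
address against an allowlist of services the host is meant to expose.
"""
import re
import subprocess

# Constructed sample, in the column layout `ss -ltnp` prints.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1043,fd=21))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=990,fd=6))
LISTEN 0      50     0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=455,fd=4))
LISTEN 0      128    [::]:5900           [::]:*            users:(("x11vnc",pid=2210,fd=5))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=640,fd=7))
"""

# Services this host is meant to expose: port -> process name (constructed allowlist).
ALLOWED_EXPOSED = {22: "sshd", 80: "nginx"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def is_loopback(addr):
    """Bound to 127/8 or ::1 only: reachable from this host, not from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_listeners(ss_output):
    """Yield (port, address, process) for each LISTEN line; header lines are skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # "[::]:5900" -> ("[::]", "5900")
        match = PROCESS_RE.search(line)
        yield int(port), addr, match.group(1) if match else "?"


def audit(ss_output, allowed):
    """Return externally reachable listeners that are not on the allowlist.

    A port that is allowed but served by an unexpected process is still
    reported, since that is exactly what a replaced binary would look like.
    """
    findings = []
    for port, addr, proc in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # local-only service: worth inventorying, but not exposed
        if allowed.get(port) == proc:
            continue
        findings.append({"port": port, "address": addr, "process": proc})
    return findings


def live_audit(allowed):
    """Run the same check against the real socket table of this Linux host."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return audit(out, allowed)


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT, ALLOWED_EXPOSED):
        print(f"exposed and unexpected: {f['process']} on {f['address']}:{f['port']}")
```

On the constructed sample the report names rpcbind on 111 and x11vnc on 5900; mysqld and cupsd are bound to loopback and are left alone. Run `live_audit()` on each host, save the allowlist with the build, and the step Grimes describes becomes a diff against a baseline instead of a one-off inspection.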
From the Test Center: To Blaze Advisor 6.5, Fair Isaac has added more than 20 new features and improvements, one of the most useful being the verification and testing framework. "For large scale, enterprise-wide applications, Blaze Advisor is a top choice due to the breadth and depth of the feature set," Steven Nunez writes. That said, Nunez explains that, "Some of these features, most notably the rule lifecycle maintenance tools, are still a bit immature." Read the full review.
The news beat: AMD launches Spider, its platform for boosting graphics, performance-per-watt, and high-definition video. Dell shows off an all-in-one computer, the XPS One, which houses the monitor and CPU in one. EarthLink hints that it might sell the municipal Wi-Fi unit that created networks in Philadelphia and other cities. And Mozilla says it will patch a 9-month-old bug in Firefox after security researchers demonstrated that the vulnerability was more serious than originally thought.
Posted by Tom Sullivan on November 19, 2007 09:36 AM
November 01, 2007 | Comments: (0)
Superbugs, cyber- criminals and IT
Best of the blogs: The recent rise of MRSA (methicillin-resistant Staphylococcus aureus) has some lessons that can be applied to the world of IT. "The parallel to email filtering is striking. Every time we block these vermin, they mutate. It's a losing battle," Martin Heller writes in this Strategic Developer post. While drug companies scramble to find another antibiotic, the CDC says the long-term solution is to only use antibiotics when they're really needed -- a practice Heller points out sounds a bit like a stopgap, albeit one that rules in the tech realm, too. "The theory is that if the cyber-vermin can't complete a sale, they can't make money, and the junk email should then dry up." Easier said than done.
Podcasts: In this week's episode of Storage Sprawl, two startups push the notion of "dispersed storage" as a means to protect data by breaking it into smaller pieces that are encrypted. "As with a shredded paper document, no single data fragment can give away the whole. Because of this, dispersed storage is inherently more secure than traditional methods. Only the owner can bring the data confetti back together."
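Whether "no single data fragment can give away the whole" actually holds depends on how the split is done: chopping a file into pieces leaks each piece, and fragments encrypted under a key stored beside them leak once the key does. The strong form of the property is threshold secret sharing, where any k of n fragments rebuild the data and any k-1 are statistically independent of it. The following is an added example written for this digest, Shamir's scheme over GF(2^8); it is not the vendors' dispersal code and assumes nothing about their products. Each byte of the secret becomes the constant term of a fresh random polynomial of degree k-1, a share is that polynomial evaluated at a fixed nonzero x, and recovery is Lagrange interpolation at zero.

```python
"""Threshold secret splitting (Shamir's scheme over GF(2^8)).

Added example for this digest; not the vendors' dispersal code. With a
threshold of k, any k shares rebuild the secret exactly and any k-1 shares
carry no information about it. Arithmetic is in GF(2^8) with the AES
reduction polynomial, so every byte is a field element.
"""
import secrets
from dataclasses import dataclass

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two field elements (0..255) in GF(2^8)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product


def gf_inv(a):
    """Multiplicative inverse as a^(2^8 - 2); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, exponent = 1, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def interpolate_at_zero(points):
    """Lagrange interpolation at x=0 over GF(2^8); subtraction is XOR here."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


@dataclass(frozen=True)
class Share:
    x: int        # evaluation point, 1..n
    k: int        # threshold, carried so recover() can refuse short sets
    data: bytes   # one polynomial evaluation per secret byte


def split(secret, k, n):
    """Split `secret` into n shares, any k of which rebuild it."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    xs = range(1, n + 1)
    columns = [bytearray() for _ in xs]
    for byte in secret:
        # Fresh random polynomial per byte; only the constant term is the secret.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for column, x in zip(columns, xs):
            column.append(poly_eval(coeffs, x))
    return [Share(x, k, bytes(col)) for x, col in zip(xs, columns)]


def recover(shares):
    """Rebuild the secret from at least k distinct shares."""
    k = shares[0].k
    distinct = {s.x: s for s in shares}
    if len(distinct) < k:
        raise ValueError(f"{len(distinct)} distinct shares given, threshold is {k}")
    chosen = list(distinct.values())[:k]
    length = len(chosen[0].data)
    return bytes(
        interpolate_at_zero([(s.x, s.data[i]) for s in chosen]) for i in range(length)
    )


if __name__ == "__main__":
    message = b"dispersed storage demo"   # constructed sample input
    shares = split(message, k=3, n=5)
    assert recover(shares[:3]) == message and recover(shares[2:]) == message
    print("any 3 of 5 shares rebuild the secret; fewer are refused")
```

Shares are the same length as the secret, so storing n of them costs n times the data; real dispersal products usually combine an erasure code for efficiency with a secret-shared key, and it is the key handling, not the chunking, that decides whether a single fragment gives anything away. The scheme above also offers no integrity: a tampered share yields a wrong secret silently, so authenticate shares before trusting a reconstruction.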
Columnist's corner: When someone says "backup," Microsoft is probably not the first word that comes to mind, Sean Gallagher asserts in Spring ahead, Fall backup. And as for business continuity the company has thus far made life easy for third-party developers of backup software to earn their keep. "But Microsoft is starting