September 2009
26 posts
PCI virtualization SIG closer to proposing changes... →
A special interest group studying virtualization for the payment industry is preparing guidance on the use of virtualization and ways to maintain PCI DSS compliance.
Security Squad: Privacy gone awry →
SearchSecurity editors discuss Internet privacy issues, the Apache disclosure, VMworld and Apple security.
First Data, RSA push tokenization for payment... →
The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.
Security challenges with cloud computing services →
Panel discusses cloud computing security issues including encryption and user authentication.
New Bahama botnet evades search engines, fuels... →
Researchers at Click Forensics have discovered a new botnet that is evading search engines and responsible for a spike in click fraud traffic and popup adware.
Experts rebuke programmers who use SQL injection... →
Security experts point to online advertising campaigns that distributed faulty code to affiliates as the source of spikes in SQL injection attacks.
Melissa Hathaway urges more cooperation,... →
Former acting director for cyberspace Melissa Hathaway called for public-private cooperation on cybersecurity and pressed government to develop standards and foster innovation.
Secure virtual desktop software enables remote... →
Virtual desktops control endpoints and cut costs for an Atlanta-based financial company. The setup helps IT control core essentials and enforce acceptable use policy.
Brute force attacks target Yahoo email accounts →
Attackers target a background Web services authentication application used by ISPs and Web applications to authenticate users.
SANS: Application threats, website flaws pose... →
A new report from the SANS Institute calls flaws in client-side applications often the most ignored by IT professionals.
Symark acquires BeyondTrust →
Privileged access management provider expands beyond Unix and Linux environments to the Windows platform with acquisition.
DNSSEC deployment challenges can be overcome →
Experts deploying DNSSEC across the .ORG domain share the issues encountered during the early-adoption of the technology. Key management remains an issue.
Trustwave acquires data loss prevention vendor... →
MSSP and PCI compliance firm buys one of dwindling field of independent DLP vendors.
Security vendors can learn from ConSentry Networks... →
The switch-oriented NAC vendor serves as a sad reminder that security often only has niche appeal, says security expert Eric Ogren.
Microsoft issues SMB vulnerability advisory, patch... →
With attack code widely available, companies could take steps to mitigate the threat. Windows 7 and Vista users are at risk.
Microsoft repairs Windows media, TCP/IP... →
Microsoft released five critical updates fixing a serious flaw in the Windows Media Format Runtime engine and TCP/IP processing errors that could crash Web and mail servers.
Attackers target Microsoft IIS; new SMB flaw... →
New exploit code targets a zero-day flaw in Microsoft Server Message Block, a protocol used by Windows to communicate messages to printers and other devices on a network.
Microsoft five critical updates won't include IIS →
A patch repairing a critical zero-day flaw in Microsoft’s IIS Web server will not be ready in time for Patch Tuesday, the software giant said.
2009 Information Security magazine Readers' Choice... →
For the fourth consecutive year, Information Security readers voted to determine the best security products. A record 1721 voters participated this year, rating products in 17 different categories.
Microsoft issues IIS FTP advisory, exploit code... →
Exploit code is circulating for the FTP zero-day flaw in Microsoft IIS Web server.
Truth, lies and fiction about encryption →
Encryption solves some very straightforward problems, but implementation isn’t always easy. We’ll explain some of the common misperceptions so you’ll understand your options.
Security threats to virtual environments less... →
The demonstration of a hacking tool at Black Hat that allows attackers to escape from virtual machines to attack their guest OS elevates the seriousness of security threats to virtualization.
At VMworld 2009, companies focus on virtual... →
While security is not a major theme at VMworld 2009, companies are turning attention to virtual desktop infrastructures to improve security and address remote employees.
Schneier-Ranum Face-Off: Is Perfect Access Control... →
Security experts Bruce Schneier and Marcus Ranum debate whether perfect access control is possible.
Unpatched vulnerability discovered in Microsoft... →
Database security vendor Sentrigo today released some detail about a flaw discovered a year ago in Microsoft SQL Server that exposes passwords stored in memory as cleartext. Microsoft is not planning…
Security fundamentals remain focus of... →
Companies are avoiding virtualization security technologies until the market matures and established security vendors address threat mitigation and compliance issues.
August 2009
30 posts
Skype Trojan records VoIP communications →
Called the first wiretap Trojan, Peskyspy targets Skype conversations by intercepting and recording audio between the Skype application and the victim’s audio device.
SSH key compromise shuts down Apache website →
Attackers forced Apache to shut down its website for several hours Friday morning, using a compromised SSH key to gain access to one of its servers.
Security expert's PCI analysis misguided, says PCI... →
The PCI Council asserts that everyone in the payment chain should play a role to keep payment information secure, says Bob Russo, general manager of the PCI SSC.
IBM finds sharp spike in malicious content on... →
Latest midyear trend report finds users being bombarded with malicious Web links. Attackers target trusted search engines, blogs and mainstream news sites to pass malicious code.
Social network privacy study finds identity link... →
Researchers raise privacy concerns as a person’s browsing habits could be paired with their identity and passed to third parties.
DEFCON survey suggests hacker community on... →
Hackers beat the heat prior to the lucrative holiday season, according to a survey given to attendees at the DEFCON hacker conference.
External attacks start with unintentional... →
More control over user rights and access privileges could help mitigate the risk of employee errors that lead to costly data breaches.
Security technologies fail to address insider... →
Detecting troubled employees before their activities lead to a data security breach could help mitigate the risk of insider threats.
Security Squad: Examining the Heartland breach →
Editors discuss the recent debate over comments made by Heartland CEO Robert Carr blaming the PCI QSA for the breach, the federal cybersecurity coordinator and banning social networks.
Mozilla security chief on Firefox improvements →
Mozilla’s “human shield” Johnathan Nightingale discusses Firefox browser privacy and security issues at the recent Black Hat briefings in Las Vegas.
Adobe updates ColdFusion, JRun, Flex →
Application vendor focuses on vulnerabilities in its Web application development tools.
SQL injection continues to trouble firms, lead to... →
Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.
Data breach avoidance begins with security basics,... →
Investing millions in new security technology will not prevent a data breach if employees aren’t educated and security policy goes unchecked, say experts.
Hacker charges also an indictment on PCI, expert... →
PCI places the burden of security costs onto retailers and card processors instead of on the card payment brands, says security columnist Eric Ogren.
Three indicted for Hannaford, Heartland data... →
A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies.
FTC extends breach notification to Web-based... →
Companies that collect and retain health data and aren’t covered under HIPAA are now subject to similar breach notification rules, according to a new FTC ruling.
Marine Corps' Twitter ban example of security... →
The Marine Corps’ move is an example of paranoia seeping into security decisions, according to columnist Eric Ogren. Browser security and training are the right approach.
Trusteer CEO criticizes Adobe, touts better patch... →
Despite critical Flash and Adobe Reader updates July 30, only a fraction of Adobe users have installed them, Trusteer says. Trusteer’s CEO urges better patching mechanisms.
Patch management study shows IT taking significant... →
IT pros need to take patch management processes seriously and more diligently understand the plethora of applications being used by end users.
Microsoft fixes Office Web Components... →
Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.
Data has become too distributed to secure,... →
A Forrester Security Forum will address ways security pros can relax security policy and focus on mitigating the risks associated with employee use of Web-based tools and services.
Microsoft Security Essentials (MSE) shows no... →
Microsoft’s launch of Microsoft Security Essentials (MSE) doesn’t give it a boost over competitive antivirus products, according to security columnist Eric Ogren.
Vulnerability mitigation study shows need for... →
Qualys CTO Wolfgang Kandek says vendors and administrators need to find ways to speed up the patching cycle.
Burton Group warns of cloud computing risks →
There are many benefits to the various cloud computing models. But for each benefit, such as cost savings, speed to market and scalability, there are just as many risks and gaps in the cloud…