News

News

• October 05, 2011 05 Oct'11

  DHS cloud computing: Homeland Security’s model private cloud strategy

  Using private cloud at separate data centers has allowed the Department of Homeland Security to strike a balance between security and cost savings.

• September 22, 2011 22 Sep'11

  (ISC)2 at a crossroads: CISSP value vs. security industry growth

  Should the (ISC)2 look to grow the pool of CISSPs to meet demand, or boost CISSP value for those who already have it? Eric B. Parizo looks at both sides.

• September 21, 2011 21 Sep'11

  NIST guidelines seek to minimize risk of BIOS attacks

  Amid emerging attack methods and the rollout of a new generation of BIOS, NIST offers guidelines to help enterprises reduce the risk of BIOS attacks.

• May 05, 2011 05 May'11

  Maiffret: Configuration changes, attack mitigation can reduce attack surface

  A new report produced by noted security researcher Marc Maiffret outlines free steps companies can take to greatly reduce the attack surface.

• May 03, 2011 03 May'11

  Sony attack: Sony expands scope of its massive data security breach

  Sony executives said an attack on its PlayStation Network systems, also exposed the data of 24.6 million users at its Online Entertainment division.

• April 26, 2011 26 Apr'11

  Software remediation can get caught in organizational issues

  Running an application security program requires more than a solid budget. It needs a person with deep knowledge of the organization and its engineering processes.

• April 04, 2011 04 Apr'11

  RSA SecurID breach began with spear phishing attack

  Two waves of email attacks targeted small groups of RSA employees, the company said in a blog post last week revealing the first details of the attack since the breach was announced March 22.

• March 23, 2011 23 Mar'11

  Comodo warns of serious SSL certificate breach

  A breach at a registration authority caused Comodo to issue nine fraudulent certificates, enabling an attacker to impersonate some major websites and servers.

• February 10, 2011 10 Feb'11

  Emerging theme at RSA Conference 2011 may be 'mostly cloudy'

  Security vendors at RSA Conference 2011 need to be more specific about the security technologies they are aiming at the cloud, industry analysts say.

• January 31, 2011 31 Jan'11

  Cost of non-compliance outweighs cost of maintaining compliance, report finds

  A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.

• September 15, 2010 15 Sep'10

  IBM to acquire OpenPages for GRC, operational risk management

  OpenPages will be integrated with IBM's business analytics software portfolio.

• August 30, 2010 30 Aug'10

  Opinion: Security information sharing is a shared responsibility

  Senior Site Editor Eric B. Parizo says infosec pros need to participate in the public dialog for the good of the industry and offers harsh words for companies who silence their own security talent.

• June 22, 2010 22 Jun'10

  Gartner: Companies shouldn't bother banning Facebook, social networking

  The research firm argues social networking isn't the responsibility of enterprise information security, but social media governance policies and monitoring practices are important.

• May 11, 2010 11 May'10

  Aite Group: Take action now to manage remote deposit capture risks

  Fraud losses involving RDC technology have the potential to skyrocket if banks don't work proactively to deal with the risks, research firm says.

• March 24, 2010 24 Mar'10

  Apple iPhone, Microsoft IE 8 get hacked in Pwn2Own contest

  Hackers also exploited zero-day vulnerabilities in Apple Safari and Mozilla Firefox browsers in the first day of TippingPoint's Pwn2Own contest Wednesday.

• March 23, 2010 23 Mar'10

  Insurance company finds relief with Forefront user provisioning tool

  First American Title Insurance Company cuts identity management user provisioning time from days to seconds with Microsoft Forefront Identity Manager 2010.

• March 12, 2010 12 Mar'10

  MD5 hash vulnerability is expert's top Web security flaw

  Jeremiah Grossman told RSA Conference 2010 attendees that a successful defense against Web-based flaws requires both a secure browser and a secure website infrastructure.

• October 13, 2009 13 Oct'09

  Five mistakes banks make in pandemic planning

  Experts cite five areas where financial institutions could improve their planning for a potential H1N1 outbreak

• September 22, 2009 22 Sep'09

  First Data, RSA push tokenization for payment processing

  The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.

• September 15, 2009 15 Sep'09

  Brute force attacks target Yahoo email accounts

  Attackers target a background Web services authentication application used by ISPs and Web applications to authenticate users.

• July 30, 2009 30 Jul'09

  Machiavelli Mac OS X rootkit unveiled at Black Hat

  Researcher Dino Dai Zovi presented details on a rootkit called Machiavelli, a proof-of-concept Mac OS X rootkit that seeks to dent what many Mac enthusiasts believe is an impervious OS.

• July 30, 2009 30 Jul'09

  MMS messaging spoof hack could have global ramifications

  Researchers have figured out a way to spoof sender numbers, bypass carrier protections and trick mobile devices to pull content from an attacker's server. This would leave users vulnerable to phishing attacks and other scams.

• June 24, 2009 24 Jun'09

  TJX to pay $9.75 million for data breach investigations

  The company agrees to pay legal expenses related to investigations conducted by 41 Attorneys Generals and establish a data security fund for states.

• April 28, 2009 28 Apr'09

  Forensic accounting success depends on information security support

  There's no room for error in forensic accounting – the process of gathering financial-related information for legal review and potential use in a court of law – as "every mistake will be put under a magnifying glass and made much worse ...

• April 08, 2009 08 Apr'09

  PCI DSS Q&A: Answering your questions

  Payment Card Industry Data Security Standard (PCI DSS) expert Ed Moyle of CTG recently joined SearchSecurity.com for a live Q&A to address your ...

• February 27, 2009 27 Feb'09

  Wells Fargo deploys Voltage for secure email

  Bank uses email encryption to securely exchange confidential information with commercial customers.

• February 18, 2009 18 Feb'09

  CVS pays $2.25 million HIPAA violation settlement

  CVS pharmacy employees allegedly committed a HIPAA violiation when tossing pill bottle labels with patient information into the trash.

• February 18, 2009 18 Feb'09

  SSLstrip hacking tool bypasses SSL to trick users, steal passwords

  Moxie Marlinspike explains how his hacking technique fools Web users into thinking they are on an SSL-protected site, leaving them feeling quite safe, but pwned all the same.

• December 09, 2008 09 Dec'08

  Data masking hides information from testers

  Start-up DataGuise enters the data masking market fueled by regulatory compliance pressures. One analyst says companies prefer masking over other techniques.

• October 24, 2008 24 Oct'08

  Trojan exploiting MS08-067 RPC vulnerability

  There are reports emerging Friday morning of a new Trojan exploiting the MS08-067 RPC vulnerability in Windows that Microsoft patched with an emergency fix yesterday. Known as Gimmiv.A, the Trojan ...

• June 12, 2008 12 Jun'08

  Perimeter eSecurity acquisition shapes managed security services

  Small businesses are turning to managed security service providers. The industry is growing and Perimeter eSecurity's aggressive acquisition spree is shaping the market.

• June 06, 2008 06 Jun'08

  Tumbleweed merger seen as a negative for email security customers

  Email security vendor Tumbleweed will merge with Axway, in a deal that one analyst calls a death knell for the vendor.

• April 21, 2008 21 Apr'08

  New hacking technique exploits common NULL programming error

  A researcher has discovered a new hacking technique that exploits a programming vulnerability common in many applications.

• April 02, 2008 02 Apr'08

  Kerberos: Authentication with some drawbacks

  Kerberos is one of the most-widely used authentication methods today, but experts explain that it comes with some weaknesses.

• March 19, 2008 19 Mar'08

  Misconfiguration issues could have contributed to Hannaford breach

  Hannaford takes heat from officials who believe the supermarket chain was slow in disclosing its breach. Meanwhile, one of Hannaford's security vendors gets defensive.

• March 19, 2008 19 Mar'08

  The pros and cons of data breach insurance

  The security incident at the Hannaford supermarket chain and elsewhere have some wondering if it's time to purchase data breach insurance. But experts say there are drawbacks.

• March 18, 2008 18 Mar'08

  Hannaford breach illustrates need to have a survival plan

  The Hannaford Bros. Co. supermarket chain is the latest company to suffer a data breach. It illustrates the need for companies to have a survival plan tucked away, experts say.

• March 05, 2008 05 Mar'08

  Misconfigured networks create huge security risks

  Security experts say IT pros should be more concerned about the risks created by misconfigured networks than all the flaws and exploit code they read about.

• February 27, 2008 27 Feb'08

  The security benefits and risks of virtualization

  IT shops are looking at virtualization as a way to improve data security and make patch deployments more efficient. But IT pros and analysts say there are security risks as well.

• February 01, 2008 01 Feb'08

  Microsoft touts security in Windows Server 2008

  Windows Server 2008, expected to release Feb. 27, is first server product built from scratch since the advent Trustworthy Computing at Microsoft. Bill Laing, general manager of the Windows Server Division at Microsoft, says security in this product ...

• January 14, 2008 14 Jan'08

  How to protect and harden a database server

  Expert Michael Cobb explains how to keep malicious hackers out of enterprise databases.

• December 10, 2007 10 Dec'07

  Top 10 access-related controls for PCI compliance

  Companies that identify, monitor, report and investigate audit trails and conduct risk analytics are taking the right steps to protect critical data, according to one expert.

• December 05, 2007 05 Dec'07

  Cisco injects role-based access control into the network

  Cisco Systems Inc. is adding role-based access control into its switches to carry role information to every enforcement point in the network.

• November 13, 2007 13 Nov'07

  Sun acquiring Vaau for identity management

  To better serve customers preoccupied with regulatory compliance and identity management, Sun has agreed to acquire enterprise role-management vendor Vaau.

• November 05, 2007 05 Nov'07

  Symantec acquires Vontu for DLP know-how

  In a move that was widely expected, Symantec announced Monday that it will acquire data loss prevention (DLP) vendor Vontu for $350 million.

• October 09, 2007 09 Oct'07

  McAfee acquires SafeBoot for endpoint encryption

  McAfee is acquiring endpoint encryption vendor SafeBoot Corp. in a $350 million deal to bolster the antivirus vendor's mobile device security software.

• September 06, 2007 06 Sep'07

  Government warns of dangerous QuickBooks Online flaw

  Attackers could exploit two flaws in the popular Intuit QuickBooks Online Edition to cause buffer overflows and download or upload files in arbitrary locations, US-CERT warned.

• August 17, 2007 17 Aug'07

  VMware acquires HIPS provider Determina

  VMware, the leader in virtualization software, has acquired Determina, a provider of host IPS technology.

• May 18, 2007 18 May'07

  Experts doubt Russian government launched DDoS attacks

  Distributed denial-of-service attacks against Estonian computer systems probably originated from smaller groups in control of botnets rather than the Russian government, experts say.

• May 07, 2007 07 May'07

  TJX breach tied to Wi-Fi exploits

  The TJX hackers started their assault two years ago by attacking security holes in the retail giant's wireless system outside a Minnesota Marshalls.

• March 01, 2007 01 Mar'07

  PCI DSS auditors see lessons in TJX data breach

  Following the recent TJX data breach, several PCI Data Security Standard auditors say the retailer violated basic requirements of the PCI DSS. But they say there are lessons to be learned from TJX's mistakes.

• January 18, 2007 18 Jan'07

  Did TJX take the right steps after data breach?

  Security experts are mixed on whether TJX acted properly following a massive data breach last month. One expert says potential victims should have been notified sooner.

• November 15, 2006 15 Nov'06

  Fiber optic networks vulnerable to attack

  Fiber optic networks aren't hack-proof: A savvy attacker can crack them with ease.

• October 13, 2006 13 Oct'06

  Security Blog Log: Taking Google Code Search for a spin

  This week, the blogosphere is buzzing about Google Code Search. Despite concerns that the tool will aid attackers, some see it as a boost for security.

• October 11, 2006 11 Oct'06

  Google Code Search gives security experts a sinking feeling

  The new search tool from Google can help developers find useful code examples. But security experts worry that it also will make attackers' jobs that much easier.

• June 29, 2006 29 Jun'06

  RSA Security acquired by EMC for $2.1 billion

  EMC confirms that it will buy RSA Security for just under $2.1 billion. Observers say RSA faced a choice of either selling out at its peak or carrying on with a questionable strategy dependant on acquisitions.

• June 05, 2006 05 Jun'06

  Security without firewalls: Sensible or silly?

  The San Diego Supercomputer Center has had only one compromise in nearly six years, without using a firewall. The SDSC's security manager explains how.

• May 18, 2006 18 May'06

  Opinion: What is a security professional, anyway?

  The problem with information security certifications isn't that they're being offered to those without experience, writes Pete Herzog. The real issue is that security pros are often measured by their test-taking skills, not their ability to apply ...

• January 06, 2006 06 Jan'06

  Review: With SSH Tectia, security is solid but deployment is difficult

  If SSH Communications Security makes it easier to deploy and use, SSH Tectia will step up as a robust enterprise product.

• January 05, 2006 05 Jan'06

  McAfee pays $50 million in accounting fraud case

  The Santa Clara, Calif.-based network security provider agrees to a cash penalty to be distributed to harmed investors, per the Sarbanes-Oxley Act.

• November 28, 2005 28 Nov'05

  Busted: The inside story of 'Operation Firewall'

  A trial attorney with the Department of Justice offers an inside look at Operation Firewall, the 18-month investigation that nabbed a network of thieves responsible for 1.7 million credit card thefts.

• October 19, 2005 19 Oct'05

  Powerful payloads: The evolution of exploit frameworks

  Attackers have new tools to launch faster, more powerful attacks. Contributor Ed Skoudis offers up some examples, some of which are very clever and very evil.

• August 31, 2005 31 Aug'05

  Myfip's Titan Rain connection

  LURHQ researchers say the Myfip worm is a good example of the malcode Chinese hackers are using in the so-called Titan Rain attacks against U.S. government networks.

• August 29, 2005 29 Aug'05

  CCISP vs. CISSP certification creating confusion for security pros

  Its creator says the newer certification aims to complement, not compete with, the better known CISSP. Others aren't convinced the distinction is clear.

• August 01, 2005 01 Aug'05

  Sourcefire offers Snort certification and online training

  The security vendor creates new opportunity to show skills with its 3D System and the popular open source IDS.

• July 15, 2005 15 Jul'05

  Case study: Hardcore spyware among the 'missing'

  The IT director for the National Center for Missing & Exploited Children had a severe spyware problem that couldn't be cured by keeping his employees away from child pornography. Find out what he did instead.

• May 09, 2005 09 May'05

  High-severity vulnerability in IPsec

  Attackers could use this "very significant" flaw to read plaintext communications.

• May 06, 2005 06 May'05

  The latest heavyweight battle: CSO vs. CISO

  Want to move up the security career ladder but can't decide between CSO or CISO? First, you might consider whether either title will still exist when you're ready to assume it.

• May 03, 2005 03 May'05

  XML viruses threaten Web services security

  XML security vendors are shoring up their products to protect Web services against viruses, worms and malware.

• March 08, 2005 08 Mar'05

  Windows vulnerable to LAND attack

  Security researchers say this type of attack leaves enterprise customers of popular Windows products open to a denial of service. There is good news, though.

• January 31, 2005 31 Jan'05

  You can prevent buffer-overflow attacks

  Home-grown apps are susceptible to buffer overflows as are Windows and Linux apps; the conclusion of this two-part series will detail how to protect applications from attack.

• January 27, 2005 27 Jan'05

  DoD security clearance: What defense employers are looking for

  Who has the best shot at high-paying jobs requiring security clearances?

• December 20, 2004 20 Dec'04

  "Ten Commandments" of computer ethics

  Guidelines for good online behavior.

• December 16, 2004 16 Dec'04

  Nessus no longer free

  Developers of the popular open-source tool are starting to charge commercial customers who bring nothing to the project's development.

• December 14, 2004 14 Dec'04

  Outdated software is risky business

  The nation's IT landscape is loaded with antiquated software ripe for attack. But a new study suggests most companies don't plan to address the problem.

• November 15, 2004 15 Nov'04

  Open-source IPS testing tool released

  Free tool can gauge effectiveness, performance of IPS devices.

• October 06, 2004 06 Oct'04

  302 and 404: Key SOX requirements for security managers.

  SOX is mandatory for most public corporations and focuses on regulating corporate behavior to protect financial audit records. Read about the three main areas of SOX that affect IT: Sections 302, 404 and 802.

• October 06, 2004 06 Oct'04

  'Typical' SOX violations

  Sarbanes-Oxley contains many features, but there are two that stand out from an IT security perspective.

• October 06, 2004 06 Oct'04

  Spyware vs. spyware: Employer and employee monitoring

  What rights and responsibilities do employers and employees have when monitoring others' use of company systems?

• August 18, 2004 18 Aug'04

  Graphical passwords still far from picture perfect

  The proliferation of data and devices is making more enterprises consider graphics-based authentication, from which arises a greater pool of possibilities -- and problems.

• June 17, 2004 17 Jun'04

  Application security: How much does software really cost?

  When purchasing software, asking tough questions and other steps can help you to determine application security -- a major component of the total cost of ownership.

• June 01, 2004 01 Jun'04

  Firewall and system logs: Using log file analysis for defense

  Log analysis is the most under-appreciated, unsexy aspect of infosecurity, yet Marcus Ranum says it's one of the most important.

• May 27, 2004 27 May'04

  Case study: L.A. health alerts don't miss a beat

  Los Angeles County Department of Health Services bioterrorism IT coordinator David Cardenas fields and distributes about a dozen serious health alerts to physicians, hospitals and response agencies and must ensure the flow of such sensitive ...

• April 01, 2004 01 Apr'04

  Using tax depreciation to increase security budgets

  The depreciation of capital assets, such as security hardware and software, is a tax benefit that every infosec manager should take into consideration.

• April 01, 2004 01 Apr'04

  Cyberwar myths: Are cyberwarfare and cyberterrorism overblown?

  Marcus Ranum explains why the whole notion of cyberwarfare is a scam.

• April 01, 2004 01 Apr'04

  Database security tools for preventing SQL injection attacks

  An emerging breed of database security tools is helping security teams spot attackers' favorite techniques, like SQL injection.

• March 04, 2004 04 Mar'04

  Dangers of .zip files

  Reader inquiries about security issues surrounding .zip files prompted a Q&A with Wild List moderator Bruce Hughes, who cites more than 40 worms since 1999 that have taken advantage of the compressed file format to spread.

• March 01, 2004 01 Mar'04

  Firewall comparison: Packet-filtering firewalls versus proxy firewalls

  Stateful packet-filtering firewalls account for more than 90% of the market, but the proxy firewall folks haven't rolled up their tents yet. In this firewall comparision you will discover which is better for your enterprise?

• January 05, 2004 05 Jan'04

  Face-off: Hiring a hacker

  SearchSecurity.com editors Crystal Ferraro and Mia Shopis take up the debate of whether enterprises should hire reformed hackers.

• October 14, 2003 14 Oct'03

  Logical integration: Physical and IT security

  In this interview, the security officer for Terminal 4 at JFK International Airport talks about the integration of logical and physical security, and the role biometrics can play.

• August 19, 2003 19 Aug'03

  Benevolent Nachi worm doing more harm than good

  The Nachi worm, which tries to delete the Lovsan worm and patch infected systems, is clogging internal networks with trash traffic.

• August 03, 2003 03 Aug'03

  Examining device-based authentication

  Combining device-based authentication technology with existing user-based authentication would be appealing for many organizations, but technical details remain unclear.

• June 02, 2003 02 Jun'03

  How to learn IT security in your spare time

  When considering how to learn IT security, never underestimate the power of a few minutes of downtime.

• April 01, 2003 01 Apr'03

  Network packet analyzers enable enterprise 'packet peeking'

  Marcus Ranum explains how network packet analyzers offer a worm's-eye view of what's traversing an enterprise network.

• January 22, 2003 22 Jan'03

  Remote Access Trojans warrant attention

  Smell a RAT? Some security experts predict you will at some point during 2003. Remote access Trojans often leave backdoors wide open for attackers to prowl through your company's networks or systems.

• December 20, 2002 20 Dec'02

  The virus name game

  If you're a virus writer, don't expect to have your nefarious work named after your favorite dog, diet drink or exotic dancer. Antivirus researchers have first dibs on virus names.

• November 27, 2002 27 Nov'02

  4- Virus Management

  Top issues

• October 24, 2002 24 Oct'02

  Debugging IPsec VPNs: Questions and answers

  SearchSecurity recently invited networking expert Lisa Phifer to speak about troubleshooting IPSec VPNs. We ran out of time during the Webcast for her to answer several questions from the audience, but, she answers those questions here. Phifer is ...

• October 03, 2002 03 Oct'02

  SANS, FBI identify top 20 Windows, Unix vulnerabilities

  SANS, FBI identify top 20 Windows, Unix vulnerabilities

• September 13, 2002 13 Sep'02

  Tutorial test answers: Intrusion detection basics

  Here are the answers to the intrusion detection basics test based on the tutorial Webcast.