News

News

• February 26, 2013 26 Feb'13

  Security B-Sides presenter questions value of penetration testing

  At Security B-Sides San Francisco, Brett Hardin asked why organizations hire penetration testers and assessed the value of penetration testing.

• February 26, 2013 26 Feb'13

  B-Sides: Akamai's Corman calls for new information security focus

  At Security B-Sides 2013, Joshua Corman railed against PCI DSS and vendor profit measures, calling for a renewed information security focus on what really matters.

• February 25, 2013 25 Feb'13

  Kaminsky: Fostering improved security culture demands societal change

  At B-Sides San Francisco, Dan Kaminsky discussed how society inhibits its own security culture, and the need to look beyond status-quo technology.

• February 25, 2013 25 Feb'13

  DHS cybersecurity boss pushes 'cyber 911', new voluntary standards

  At the CSA Summit 2013, Mark Weatherford said the DHS 'cyber 911' service will better support the private sector, and new voluntary standards are in the works.

• February 25, 2013 25 Feb'13

  Well-rounded information security education benefits IT professionals

  A security-savvy IT staff can help reduce risk. Learn about information security training and education options for IT professionals.

• February 25, 2013 25 Feb'13

  Big data creates cloudy security forecast

  Security in the cloud has come a long way and it’s now possible to control the quality of security you get in Web deployments, and to monitor what’s going on in your slice of the cloud.

• February 18, 2013 18 Feb'13

  Enterprise app security tops list for enterprise mobile deployments

  Enterprises have yet to roll out mobile versions of most of their applications, a recent survey says. One key factor moving forward is security.

• February 13, 2013 13 Feb'13

  Obama's cybersecurity executive order issued for critical infrastructure

  President Obama issued an executive order aimed at fostering public-private information sharing among critical infrastructure sectors.

• February 13, 2013 13 Feb'13

  McGraw's mobile app security strategy: Three legs of 'trusted on busted'

  Struggling to define your mobile app security strategy? Gary McGraw offers a manifesto to help get infosec and app developers on the same page.

• February 08, 2013 08 Feb'13

  TLS security: Background on the 'Lucky Thirteen' attack

  Professor Kenneth Paterson and graduate student Nadhem AlFardan have discovered a TLS attack that tracks the timing of error messages to reveal plaintext.

• February 06, 2013 06 Feb'13

  The body count is new, but UPnP security issues are embarrassingly old

  HD Moore unveiled research showing wide-scale UPnP security issues last week, but some of the problems have been known for years.

• January 30, 2013 30 Jan'13

  Critical infrastructure security: Electric industry shows the path

  Expert Brian Zimmet believes the electric industry is the one to watch for a look at the future of critical infrastructure security regulations.

• January 29, 2013 29 Jan'13

  Lacking privacy laws aid growing CISO role in data privacy management

  More CISOs may be taking on data privacy management. Fortunately, old, outdated privacy laws may lend them a helping hand.

• January 28, 2013 28 Jan'13

  Testing, assessment methods offer third-party software security assurance

  No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.

• January 28, 2013 28 Jan'13

  Offensive security involves proactive deception tactics

  Going on the offense doesn’t mean actively targeting cybercriminals, experts say. Deceptive tactics, phony documents can help trip up attackers.

• January 28, 2013 28 Jan'13

  Information assurance training programs create new cadre of IT security pros

  University information assurance programs are varied, but they are beginning to provide technology disciplines a level of security knowledge.

• January 23, 2013 23 Jan'13

  Red October malware attacks highlight attribution problems

  The recent Red October attacks show not only a new level of complexity, but an ongoing problem with attack attribution.

• January 21, 2013 21 Jan'13

  Java vulnerabilities continue to crop up with Java 7, Update 11 release

  Oracle continues to encounter security issues with Java as the Java 7, Update 11 release is found to have two significant vulnerabilities.

• January 17, 2013 17 Jan'13

  Thirteen principles to ensure enterprise system security

  Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.

• January 11, 2013 11 Jan'13

  Dell SecureWorks adds vulnerability management services for cloud

  Dell SecureWorks is bringing security vulnerability management services to its cloud customers, along with its Global Threat Intelligence Service.

• January 08, 2013 08 Jan'13

  Will TurkTrust incident raise certificate use to Chrome standard?

  Enterprises can disrupt cybercriminals and deter future attacks, explained Dmitri Alperovitch, CTO of CrowdStrike Inc. The approach has its critics.

• December 27, 2012 27 Dec'12

  Project Mayhem hack details enterprise accounting system flaws

  Proof-of-concept code targets Microsoft Dynamics Great Plains platform and can enable an attacker to transfer funds to accounts of their choosing.

• December 24, 2012 24 Dec'12

  Unwrapping a new smartphone? Experts deliver device security tips

  A new smartphone or tablet under the Christmas tree should be giftwrapped with a list of security and privacy guidelines, experts say.

• December 20, 2012 20 Dec'12

  IT security job market is hot but tricky, expert says

  The IT security skills required by some firms have become a lot more specific. The demand for security generalists is waning.

• December 20, 2012 20 Dec'12

  IT Salary Survey 2012: IT security, compliance pros anticipate raise in 2013

  Security and compliance pros taking TechTarget's 2012 IT Salary Survey aren't complacent, indicating openness to new jobs, eagerness for a promotion.

• December 19, 2012 19 Dec'12

  Dell acquires Credant Technologies for device encryption

  Dell said the addition of Credant bolsters its data protection strategy by adding encryption capabilities for laptops and mobile devices.

• December 18, 2012 18 Dec'12

  US-CERT warns of Adobe Shockwave Player threat

  An attacker can exploit weaknesses in files intended to extend the functionality of Shockwave Player. No practical solution is available, US-CERT said.

• December 17, 2012 17 Dec'12

  Blue Coat to acquire UTM networking firm Crossbeam

  Blue Coat said Crossbeam gives it a platform for its software and also helps bolster its network optimization strategy in high-end data centers.

• December 14, 2012 14 Dec'12

  Verizon joins Criterion to bolster online credentials

  Verizon and Criterion Systems will conduct a series of tests of a new validation process being designed for sensitive online transactions.

• December 14, 2012 14 Dec'12

  Crafty click fraud Trojan uses left mouse click to evade detection

  A Trojan horse waits for a left mouse click to execute each step of the infection process, according to new research from FireEye Inc.

• December 13, 2012 13 Dec'12

  Cybercrime 2012: Malware attacks prominent in retail, financial industries

  Malware attacks were the most prominent in the retail and financial services industries in 2012.

• December 12, 2012 12 Dec'12

  FBI arrests attackers associated with Facebook cybercrime ring

  Cybercriminal gang associated with the Butterfly Botnet is believed to have netted more than $850 million by stealing credit card and bank account data.

• December 12, 2012 12 Dec'12

  Social engineering, employee gaffes require full attention, says expert

  Technologies like data loss prevention boost protection, but a determined adversary will get past the sensors, explains security expert Hugh Thompson.

• December 12, 2012 12 Dec'12

  Lessons learned from real-world DLP technology deployments

  Successful data loss prevention deployments require data governance maturity, a great deal of tuning and acknowledgement that it's not a panacea.

• December 11, 2012 11 Dec'12

  Internet Explorer vulnerabilities fixed in December 2012 Patch Tuesday

  Microsoft released seven security bulletins, addressing flaws in Internet Explorer, Word and Windows kernel-mode drivers.

• December 11, 2012 11 Dec'12

  UK job search website vulnerability allows unchecked job postings

  The website flaw was exposed by hackers who registered as employers and posted a fake job advertisement.

• December 11, 2012 11 Dec'12

  Deploying DLP technology requires hands-on approach, experts say

  Preventing data loss incidents involves sound policy, knowledge of the threat landscape and constant vigilance over your DLP system, experts say.

• December 10, 2012 10 Dec'12

  Converging audit and risk management programs a flawed approach, says expert

  Most risk management programs fail because they end up being another audit function, explains Alex Hutton, a faculty member at IANS.

• December 07, 2012 07 Dec'12

  Twelve common software security activities to lift your program

  Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs.

• December 06, 2012 06 Dec'12

  Study finds firms lagging in health care privacy, data security protections

  Inadequate security controls, a heavy use of cloud-based services, and employee negligence are resulting in multiple breaches at the same firms.

• December 05, 2012 05 Dec'12

  Cutwail botnet spam campaign tied to Zeus banking Trojan

  The cybercriminals connected to the notorious Zeus Trojan are using the Cutwail botnet to distribute spam designed to steal account credentials.

• December 05, 2012 05 Dec'12

  Experts develop protections for product piracy, intellectual property theft

  Detecting product piracy and intellectual property theft is expensive, but adding a hidden 'watermark' may make the process easier and cost-effective.

• December 04, 2012 04 Dec'12

  Software development maturity driving down ZDI flaw submissions

  Secure software development training is having an impact on vulnerability submissions, according to Brian Gorenc of HP TippingPoint DVLabs.

• December 04, 2012 04 Dec'12

  Symantec launches Endpoint Protection 12.1, VDI support

  Symantec joins other security firms in supporting VMware vShield Endpoint in a bid to reduce the problem of AV storms.

• December 03, 2012 03 Dec'12

  NetWars CyberCity missions to improve critical infrastructure protection

  The SANS Institute NetWars CyberCity aims to boost critical infrastructure protection and incident response in a unique training environment.

• December 03, 2012 03 Dec'12

  Many in industry at odds over pending cybersecurity executive order

  Some security industry veterans fear regulatory overreach, others believe an executive order won't go far enough.

• November 29, 2012 29 Nov'12

  Study finds spear phishing at heart of most targeted attacks

  Malicious file attachments are typically used as the payload, according to a report issued this week by Trend Micro.

• November 27, 2012 27 Nov'12

  Unrealistic expectations, skills gap mire market for IT security jobs

  Unrealistic HR and hiring manager expectations and a widening security skills gap is challenging CISOs trying to find the right security talent.

• November 27, 2012 27 Nov'12

  US-CERT warns of new Samsung, Dell printer threat

  Hard-coded passwords on some Samsung and Dell printers could enable an attacker to take control of an affected device.

• November 27, 2012 27 Nov'12

  Study finds most antivirus products ineffective

  Slow updates to signature databases cause some antivirus products to be ineffective against known threats, according to a study by security firm Imperva.

• November 27, 2012 27 Nov'12

  Marcus Ranum chat: Network threat detection and wireless attacks

  Security expert and Information Security magazine columnist goes one-on-one with Aaron Turner, co-founder of security consulting firm N4Struct.

• November 27, 2012 27 Nov'12

  Chief information security officer skills go beyond customary technical roles

  A trusted advisor and a strong communicator and promoter, a good CISO should be a jack-of-all-trades to rally the IT security team to support the business needs by minimizing risk.

• November 27, 2012 27 Nov'12

  Emerging vulnerability markets, mobile biometrics prompt security concerns

  Information Security Magazine examines key security concerns in the field of critical infrastructure protection and explores options for mobile biometric authentication because you’ll need to think about a new security strategy as mobile devices ...

• November 26, 2012 26 Nov'12

  Petraeus scandal holds lessons in email security policy, e-discovery

  Mixing business and personal email accounts has serious drawbacks, as well as consequences on IT teams managing data integrity.

• November 26, 2012 26 Nov'12

  Go Daddy responding to malicious DNS entries

  Weak passwords may be enabling attackers to hack the DNS records of some Go Daddy hosted websites to spread ransomware.

• November 21, 2012 21 Nov'12

  Phishing attack, stolen credentials sparked South Carolina breach

  A phishing attack and stolen credentials gave an attacker access to the systems of the South Carolina Department of Revenue for two months.

• November 20, 2012 20 Nov'12

  Deception, proactive defenses can better protect IP, says expert

  Deceptive environments, phony data in the enterprise can fool attackers and increase the cost of hacking, says noted cybersecurity expert Paul Kurtz.

• November 20, 2012 20 Nov'12

  RSA president: Better analytics, info sharing lifts enterprise security

  Sharing practical threat data can reduce the "dwell time" of an attacker and better detect and contain problems, said Tom Heiser, president of RSA.

• November 19, 2012 19 Nov'12

  PCI Council: Risk assessment methodology unique to company environment

  The PCI Risk Assessment Special Interest Group concludes that risk assessments are based on a company's unique risk tolerance and environment.

• November 16, 2012 16 Nov'12

  Report highlights supply chain insecurities, downplays mobile threats

  A Georgia Tech report on cybersecurity is downplaying mobile threats, but explains that supply chain weaknesses will continue to dog manufacturers and software makers.

• November 16, 2012 16 Nov'12

  Custom, targeted malware attacks demand new malware defense approach

  Widespread use of custom malware in targeted attacks requires better attack preparation and response, and a variety of new malcode defenses.

• November 15, 2012 15 Nov'12

  Government, industry leaders share cybersecurity funding priorities

  Research projects focusing on embedded device security, system resiliency and security metrics are gaining the most attention, experts say.

• November 15, 2012 15 Nov'12

  NASA to deploy whole-disk encryption following breach

  Stolen laptop contained the sensitive data on a large number of employees and contractors. The information was not encrypted.

• November 14, 2012 14 Nov'12

  Malware identified as latest Mac Trojan targeting activists

  Apple platform security firm Intego has discovered OSX/Imuler.E, a new variant of the Imuler Trojan.

• November 14, 2012 14 Nov'12

  Enterprises can obtain value from red teaming exercises, expert says

  Red teaming assesses the security of an organization and can be a more effective way to assess the organization's security posture.

• November 14, 2012 14 Nov'12

  Ransomware variant works on Windows 8, Symantec says

  The Ransomlock.U Trojan can successfully lock computers running Windows 8, according to a test performed by researchers at Symantec.

• November 14, 2012 14 Nov'12

  Eugene Kaspersky outlines secure operating system plans

  Hardened operating system will give industrial control system manufacturers a more secure platform for their software.

• November 13, 2012 13 Nov'12

  Microsoft fixes critical issues in Internet Explorer, Windows Kernel

  Microsoft issued six bulletins in November's Patch Tuesday, including fixes in Internet Explorer, Windows Kernel and the .NET Framework.

• November 13, 2012 13 Nov'12

  BYOD challenges deter enterprises from adopting policies, survey finds

  More than half of mobile-device security decision makers surveyed say that BYOD challenges remain.

• November 13, 2012 13 Nov'12

  Enterprises at core of vendor software security testing, Veracode finds

  Less than one in five enterprises have requested code-level security tests from at least one vendor, but the volume of assessments is growing.

• November 12, 2012 12 Nov'12

  Report highlighting SCADA insecurities alarmist, says ICS expert

  Study from vulnerability management firm Positive Technologies Security contends that 39% of systems in the U.S. and Europe are vulnerable to attack.

• November 09, 2012 09 Nov'12

  Adobe investigates zero-day that bypasses Reader X sandbox

  Zero-day exploit Zero-day exploit was added to a custom version of the Black Hole attack toolkit, according to a Russian-based security firm Group IB.

• November 08, 2012 08 Nov'12

  Huawei security chief says vendor supports U.S. cyberespionage defense

  At a panel discussion on cyberespionage and critical infrastructure protection, Huawei CSO Andy Purdy said his firm would help find solutions to the problem.

• November 08, 2012 08 Nov'12

  Despite Windows 8 zero-day, vendors laud security of new Microsoft OS

  Despite a recent Windows 8 zero-day vulnerability, security experts say the new Microsoft platform is the most secure OS on the market.

• November 06, 2012 06 Nov'12

  Remote access Trojan evades detection using mouse functions

  Trojan highlights need to tune automated detection systems to spot malicious software attempting to use Windows hooks, expert says.

• November 01, 2012 01 Nov'12

  CrowdStrike advocates offensive security, proactive defense approach

  Enterprises can disrupt cybercriminals and deter future attacks, explains Dmitri Alperovitch, CTO of CrowdStrike Inc. The approach has its critics.

• November 01, 2012 01 Nov'12

  Protecting Intellectual Property: Best Practices

  Organizations need to implement best practices to protect their trade secrets from both internal and external threats.

• November 01, 2012 01 Nov'12

  Gary McGraw: Proactive defense prudent alternative to cyberwarfare

  Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons.

• October 30, 2012 30 Oct'12

  Cybersecurity legislation mired as executive order looms

  Internet Security Alliance President Larry Clinton sees little hope that Congress would act on legislation aimed at bolstering cybersecurity lapses.

• October 30, 2012 30 Oct'12

  DDoS, SQL injection discussions trending in hacking forums, study finds

  Hackers share attack techniques and vulnerability information, shedding light on what threats matter most, according to a new study.

• October 29, 2012 29 Oct'12

  State CISOs cite insufficient funding, lack of skilled IT professionals in survey

  The biannual Deloitte-NASCIO survey revealed what state CISOs believe are the top barriers in addressing cybersecurity.

• October 29, 2012 29 Oct'12

  South Carolina breach affects millions

  Millions of Social Security numbers and thousands of credit and debit cards were exposed after an attacker penetrated a state agency server.

• October 24, 2012 24 Oct'12

  Report details insider threats, but enterprises can respond, says expert

  Scott Crawford, a research director at Enterprise Management Associates, explains how some enterprises address the risk of a trusted insider turned rogue.

• October 24, 2012 24 Oct'12

  Verizon DBIR: Identify insider threat warning signs, safeguard IP

  Trusted insiders often play a role in IP theft, according to a new report. Spot the warning signs and apply the right data protection, say experts.

• October 23, 2012 23 Oct'12

  Verizon DBIR analysis finds intellectual property theft takes years to detect

  Intellectual property theft often involves collusion between attackers and malicious insiders, according to a study of 85 breaches conducted by Verizon.

• October 23, 2012 23 Oct'12

  Marcus Ranum chat: Next-generation SIEM

  Security expert Marcus Ranum goes one-on-one with Gartner’s Anton Chuvakin about SIEM technology and where it’s headed.

• October 23, 2012 23 Oct'12

  Pros and Cons of Information Security Certifications

  Educating the security professional requires far more than a certification exam.

• October 23, 2012 23 Oct'12

  Security 7 Award 2012: Seven Outstanding Information Security Pros

  Security 7 Award 2012 honors seven outstanding information security pros. Find out who won this year’s Security 7 Award.

• October 22, 2012 22 Oct'12

  Lack of skilled security pros challenges CISOs to fill specialties

  The market for security professionals is hot, but several experts indicate that the talent pool for IT talent with security skills is dwindling.

• October 18, 2012 18 Oct'12

  Public Wi-Fi hotspots pose real threat to enterprises, survey finds

  Public Wi-Fi usage has gone up significantly in the past year, and many people are using insecure hotspots to access work information.

• October 18, 2012 18 Oct'12

  Google no longer playing with Android malware

  Some say the Android malware problem is out of hand, and it appears Google is taking additional steps to block attacks in its Google Play store.

• October 18, 2012 18 Oct'12

  Spam campaign abuses flaw tricking thousands with shortened .gov URLs

  Spammers have spoofed shortened URLs designed to validate redirects to several states including California, Iowa, Indiana and Vermont.

• October 17, 2012 17 Oct'12

  Symantec study highlights complexity of risks posed by zero-day exploits

  Zero-day exploits are typically used in targeted attacks, but public disclosure of unpatched flaws significantly increases the use of the exploits.

• October 17, 2012 17 Oct'12

  MiniFlame spyware extremely targeted, but could pose future threat

  MiniFlame is highly specific espionage malware, but experts indicate that financially motivated cybercriminals could make the threat more widespread.

• October 11, 2012 11 Oct'12

  Application vulnerability disclosures rise, Microsoft finds

  The Black Hole attack toolkit is fueling many of the exploits targeting the vulnerabilities, according to Microsoft.

• October 10, 2012 10 Oct'12

  Rapid7 acquires Mobilisafe to assess mobile device risks

  Mobile risk management vendor Mobilisafe assesses employee smartphones and tablets for platform vulnerabilities.

• October 08, 2012 08 Oct'12

  Successful cyberattacks driving up cost of cybercrime, study finds

  A study by the Ponemon Institute found that successful cyberattacks rose from 50 attacks on average per week in 2010 to 102 on average per week.

• October 08, 2012 08 Oct'12

  Chinese telecoms cannot be trusted, congressional study finds

  A report by the House Intelligence Committee found Chinese telecoms, Huawei and ZTE, pose a significant security threat to the United States.

• October 04, 2012 04 Oct'12

  Ten commandments for software security

  Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms.

• October 04, 2012 04 Oct'12

  October 2012 Patch Tuesday: One critical bulletin expected

  Microsoft's October 2012 Patch Tuesday release, slated for Oct. 9, will address an RSA key-length certificate issue exposed by the Flame malware.