Dyrand Systems

How to Stop Political Attacks

2007-05-31T09:29:00.000-07:00

Not all hackers are motivated by money. In fact, there is a growing number of politically-motivated attacks on businesses and government agencies, and the methods they use are different -- and potentially harder to stop -- than their cash-hungry counterparts, experts say.
Is your company ready to stop them?
Click here for the full story.

New Laws Don't Solve Global Problems

2007-05-30T08:35:00.001-07:00

Legislators around the world are taking a stab at the computer crime problem. But experts say, in most cases, they don't have enough jurisdiction to solve it.
The U.S. House of Representatives made a splash last week by passing the Internet Spyware Prevention Act of 2007 and the Spy Act, two bills designed to reduce the use of spyware and give law enforcement more resources to pursue and prosecute spyware perpetrators.

At the same time, German legislators were passing a controversial new anti-cybercrime measure that defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing it. Offenders are defined as any individual or group that intentionally creates, spreads, or purchases hacker tools designed for illegal purposes. The law also extends prosecution to those who attack individuals, as well as businesses or government.

Click here for the full story.

Google makes GreenBorder its first security acquisition

2007-05-29T12:52:00.000-07:00

Acquisition-happy Google has made its first security purchase by quietly snaring start-up GreenBorder Technologies, a provider of virtualized web browsing anti-malware software, for an undisclosed amount.

But industry experts do not believe the deal signals Google is planning to further flex its muscles in the IT security marketplace. Instead, experts told SCMagzine.com today, the search giant likely will use the purchase to secure its recently unveiled business application suite, not as the kick-off to a portfolio that would compete with the likes of Symantec and McAfee.

Click here for the full story.

SonicWall Unveils Security App

2007-05-28T08:56:00.000-07:00

SonicWALL, Inc. (NASDAQ: SNWL - message board), a leading provider of Internet security solutions, today unveiled the SonicWALL Network Security Appliance (NSA) E7500, a new gateway security appliance that makes deep packet inspection security productive and easy to manage in larger network deployments. Designed to enable the highest level of Unified Threat Management (UTM) performance at its price point, the NSA E7500 is intended for campus networks, distributed environments and data centers. The NSA E7500 is the industry's first UTM appliance to harness the power of multiple processing cores in a single network platform.
Click here for the full story.

Report slams FBI network security

2007-05-25T09:57:00.000-07:00

FBI network vulnerable to insider attacks, government watchdog group says

The Government Accountability Office, the federal government’s watchdog agency, Thursday released a report critical of the FBI’s internal network, asserting it lacks security controls adequate to thwart an insider attack.

In the report, titled “Information Security: FBI Needs to Address Weaknesses in Critical Network,” the authors -- Gregory Wilshusen, GAO’s director of information security issues, and Chief Technologist Keith Rhodes -- said the FBI lacks adequate network security controls.

The FBI “has an incomplete security plan,” the report concluded.
Click here for the full story.

New Spec Could Cut Phishing, Spam

2007-05-24T10:53:00.000-07:00

Phishers and spammers beware: It may soon be a lot harder to pretend you're somebody you're not.

The Internet Engineering Task Force, which sets the technical standards for the Internet, yesterday approved the DomainKeys Identified Mail standard as a proposed standard (RFC 4871). The specification, a three-year effort pioneered by Yahoo!, Cisco, Sendmail, and PGP, is an email authentication framework that uses cryptographic signature technology to verify the domain of the sender.

In a nutshell, DKIM allows email senders to "sign" each email to verify that it comes from their domain. If the receiving domain handles an email that does not contain the signature, it can raise a red flag to warn the recipient that the message might be a fake.

Click here for the full story.

DHS publishes sector-specific protection plan for IT infrastructure

2007-05-23T08:08:00.000-07:00

It aims to protect 17 specific sectors against a range of terrorist and natural threatsThe U.S. Department of Homeland Security (DHS) yesterday released a broad blueprint of actions that technology companies and government entities can take to mitigate terrorist and other threats against the nation's IT infrastructure.

The Sector Specific Plan (SSP) for IT was released as part of a broader National Infrastructure Protection Plan (NIPP) developed by the DHS under a 2003 presidential mandate. That mandate called for the development of risk-mitigation strategies for protecting critical infrastructure targets in 17 specific sectors against a range of terrorist and natural threats.
The plans are designed to help infrastructure stakeholders in each area to identify and prioritize key assets that need to be protected and to provide recommendations on how to go about doing that.

Click here for the full story.

Thousands of Illinois realtors, mortgage brokers warned of data compromise

2007-05-22T09:53:00.000-07:00

Alert prompted by May 3 breach of state agency server
The Illinois Department of Financial and Professional Regulation (IDFPR) is sending out letters to an estimated 300,000 licensees and applicants informing them of a potential compromise of their names, Social Security numbers and other personal data.

The warning follows the May 3 discovery of a security breach involving a storage server at the agency. Among those affected by the breach are real estate and mortgage brokers, pawn shop owners and loan originators licensed to operate in the state. The potentially compromised data is between six and 12 months old and includes names of people who may have applied for licenses with IDFPR, said Susan Hofer, a spokeswoman for the agency.
Click here for the full story.

Alcatel-Lucent reports employee data lost or stolen

2007-05-18T08:56:00.000-07:00

CD with unencrypted data may have walked off a UPS truck
A CD containing personal information about thousands of Alcatel-Lucent SA employees and their dependents has been lost or stolen, the company said on Thursday.
The disk contains the names, addresses, Social Security numbers, dates of birth and salary information for U.S. employees who worked for Lucent prior to its merger with Alcatel SA, as well as Lucent retirees and dependents of both groups, the company said.
The disk was prepared by Hewitt Associates LLC, which administers Alcatel-Lucent's benefits plans, for delivery via United Parcel Service to another contractor, Aon Corp., Alcatel-Lucent said.

"We are still investigating this matter, but we believe the disk was lost or stolen between April 5 and May 3," Alcatel-Lucent told employees in a letter on its Web site.

Click here for the full story.

IBM contractor loses employee data in transit

2007-05-17T07:59:00.000-07:00

Apparently fell off the back of a truck, more or less literally
IBM on Tuesday said it has been unable to recover lost storage tapes containing sensitive employment-related information of some former and current IBM workers.

The tapes were lost more than two months ago just a few miles south of IBM's corporate headquarters, because of what a company spokesman called a "transportation incident" involving an IBM vendor.

The lost tapes primarily stored the archived personal information -- including Social Security numbers, dates of hire and dates of departure from IBM -- of an undisclosed number of individuals.

Click here for the full story.

Profit-Minded Trojans

2007-05-15T09:39:00.000-07:00

The first Trojan horse was designed to win the war and get the girl. But according to new research from PandaLabs, Trojan software makers now have gone commercial.
Sixty-six percent of the new Trojans that emerged in the first quarter of 2007 were designed for financial gain, according to the security company's quarterly research report, which was published Wednesday.

Click here for the full story.

Security: Thumb sucking, slurping, snarfing…Excuse me?

2007-05-14T10:07:00.000-07:00

The Dictionary of Wacky Security Threat TermsRemember when thumb sucking was considered an innocent activity, except that if you did it as a young child you might need braces as a teen? Today you’d need a lot more than a mouthful of metal to protect from thumb sucking.

This phrase is one of the latest in a new genre of IT terminology: Wacky Security Threat Terms. While the incidents described by such terms are indeed serious, security vendors and others have broken the rules of spelling and relied upon double entendres to develop this new collection of buzz words that succinctly refer to the latest threats, with the hope that giving the threat a memorable tag will raise awareness.
Click here for the full story.

The Phisher King

2007-05-11T09:03:00.000-07:00

You see phishing attack attempts nearly every day, but what you don't see is the face behind the attack. In a rare glimpse into the mind of a phisher, hacker and security expert RSnake recently engaged an attacker who says he makes $3,000 to $4,000 dollars a day and was willing to share a bit about himself and how he operates.
RSnake, a.k.a. Robert Hansen, CEO of SecTheory and Dark Reading blogger, asked the phisher, called "lithium," how he operates, what technology he uses, and just how much money he makes off these scams. Lithium, who says he's 18 and has been phishing since he was 14, said he has stolen over 20 million identities, mostly via social networking worms. "I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through," he wrote to RSnake, who today published the responses on the ha.ckers.org blog.
Click here for the full story.

TSA Loses 100,000 Employee Records

2007-05-09T09:16:00.000-07:00

Every day, in airports across the country, they ask people to lose their keys, their shoes, and their belts. This time, though, the Transportation Security Administration has lost something of its own: a removable hard drive containing about 100,000 employee records.
The (TSA) Friday notified employees that an external hard drive containing personnel data -- including name, Social Security number, date of birth, payroll information, and bank account/routing information -- was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital on Thursday, May 3. The data includes records of TSA employees from January 2002 until August 2005.

"It is unclear at this stage whether the device is still within Headquarters or was stolen," said TSA Administrator Kip Hawley in a letter to TSA employees.

Click here for the full story.

StopBadware says majority of malware sites hosted by five ISPs

2007-05-08T11:37:00.000-07:00

StopBadware.org on Friday identified five Web-hosting companies with myriad infected Web sites residing on their servers, which the industry watchguard says puts unwitting Internet users at risk.

Based on analysis of close to 50,000 sites, the group identified five companies as hosting a majority of those Web sites known to distribute malicious code. The hosting companies -- iPowerWeb, Layered Technologies, ThePlanet.com Internet Services, Internap Network Services and CHINANET Guangdong province network -- have the largest number of infected Web sites residing on their servers. For instance, some 10,834 infected sites were identified on iPowerWeb's servers.

Click here for the full story.

SEC: WFI Insider Stole $7.7M

2007-05-07T10:36:00.000-07:00

The Securities and Exchange Commission (SEC) has filed charges against a stock options manager at Wireless Facilities Inc. for using software and online services to steal $7.7 million in stock from his company.

Vencent Donlan, 44, was charged with using the company's Equity Edge stock plan management and reporting application and E*Trade to route more than 700,000 shares of his company's stock into an account held by his wife, Robin Colls Donlan. He also is accused of falsifying entries in Equity Edge to cover his tracks.

WFI, ironically, is an outsourcing provider in the wireless industry that provides (among other offerings) "security systems and engineering services."

Click here for the full story.

Intro to hackernomics

2007-05-02T09:37:00.000-07:00

Five laws of hacker economics
Legislation, financially driven attackers, and high profile breaches have changed the economics of security. We need to rethink the motivations of attackers and the new attacker economy given a growing stolen identity information trade and the rise of organized electronic crime. We need to study hackernomics. This is a new term so allow me to offer a definition:

Hackernomics (noun, singular or plural): A social science concerned with description and analysis of attacker motivations, economics and business risk. It is characterized by five fundamental laws and eight corollaries.

Click here for the full story.

Experts: US Not Prepared for Cyber Attack

2007-05-01T08:52:00.000-07:00

The United States is vulnerable to a "strategically crippling cyber attack" by enemies around the world, experts told Congress yesterday.
Testifying before the House Committee on Homeland Security, high-profile experts said the federal government's cyber defenses have become dated and may leave the country open to an attack -- "not by a conventional weapon, but by a cyber weapon."

Click here for the full story.

Entrepreneurial hackers buy sponsored links on Google

2007-04-30T09:11:00.000-07:00

Ad links sidetracked users, installed password stealer
A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.

According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.

"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."

Click here for the full story.

Olympics to bring London IT security challenges

2007-04-24T12:34:00.000-07:00

ID cards may be an answer, but sponsorships pose a problem
Britain's IT industry is likely to see business surge as London prepares to spend at least $2 billion on security when it hosts the 2012 Olympics.

The cost could rise as the U.K. tries to fortify itself during the world's most prominent sporting event from a repeat of the July 2005 bombings on London's transport system, said Derek Wyatt, a member of Parliament who spoke at InfoSecurity Europe in London on Tuesday.

"I hope this gives you an inkling of what I think will be the biggest piece of business your industry is going to face over the next five years," Wyatt told a crowd of IT executives.

Technology will play a major role, although decisions on how it will be integrated are far from decided, Wyatt said. One security issue is authentication: how to ensure a person who holds a ticket is indeed the same person who bought it.

Click here for the full story.

Grading On a Curve

2007-04-20T08:08:00.000-07:00

The government's security report card should be taken with a great big grain of salt
By now, almost everyone's heard about the "Federal Computer Security Report Card" released last week. Issued by the House Government Oversight and Reform Committee, the report card is based on the Office of Management and Budget's analysis of each federal agency's own reporting on its compliance with the Federal Information Security Management Act (FISMA).

This report card, like every one since FISMA was enacted in 2002, was abysmal. The federal government as a whole recieved a C-. The Nuclear Regulatory Commission and departments of Defense, State, Treasury, Commerce, Education and Agriculture all received failing grades. The Department of Homeland Security received a D, while the Department of Energy (which is responsible for the nation's nuclear weapons and energy programs) received a C-.

So what does this tell us about the security of government networks? Not all that much, actually.

Click here for the full story.

No data stolen in 2006 computer intrusions, says Commerce Dept.

2007-04-19T15:50:00.000-07:00

Hackers managed to get into 33 agency computers
Unknown intruders last year managed to infect 33 computers belonging to a bureau of the U.S. Department of Commerce (DOC) with data-stealing Trojans and other malware.

But the compromises were quickly detected and no information is believed to have been stolen, according to testimony presented today at a congressional subcommittee hearing on the extent to which federal networks and critical infrastructure have been compromised by foreign hackers. The hearing is being held by a subcommittee of the Committee on Homeland Security and is being chaired by Rep. James Langevin (D-R.I.).

Click here for the full story.

Targeted Attacks on the Rise

2007-04-18T09:17:00.000-07:00

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Click on here for the full story.

Study: Browser Warnings Don't Work

2007-04-16T08:44:00.000-07:00

The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified.

And still, more than half of them entered a password and tried to log in.

That's the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.

Click here for the full story.

Feds Under Fire Over Security

2007-04-13T10:38:00.000-07:00

Congress is ticked off about computer security.
Over the last two days, members of both the House and Senate have registered complaints over the way government agencies are dealing with the security issue, and they've called for action to address the problems.

Earlier today, Rep. Tom Davis (R-Va.), ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus when it comes to safekeeping information on government computer systems.

Click here for the full story.

Just how much will that data breach cost your company?

2007-04-12T10:17:00.000-07:00

An online calculator lets companies estimate costs
Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters Inc. may be able to help.

The Farmington, Conn.-based technology liability insurance company has released a free online calculator that it said allows businesses to estimate -- with a fair degree of accuracy -- their financial risk from data theft.

Click here for the full story.

How to avoid falling into the phishing hole

2007-04-10T14:04:00.000-07:00

You never can defend yourself too much while online.
A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.

The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting , or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.

Click here for the full story.

Nearly 500 IRS Laptops Lost or Stolen Over Three Years

2007-04-09T13:47:00.000-07:00

Audit also finds unencrypted data of taxpayers on 44 laptops now in use
Nearly 500 Internal Revenue Service laptops — many likely containing unencrypted personal information of taxpayers — were lost or stolen over a 30-month period ending in June 2006, according to an audit released last month.

The audit, conducted by the Treasury Inspector General for Tax Administration, found that between Jan. 2, 2003, and June 13, 2006, a “large number” of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities.
Although auditors were unable to determine exactly what information was contained on the missing laptops, they did conclude that personal information of taxpayers is not adequately protected.

Click here for the full story.

Dude, Where's Your PC?

2007-04-04T09:53:00.000-07:00

Do you know where all of your company's computers are?
The U.S. Department of Energy's Counterintelligence Directorate doesn't. In fact, the intelligence agency -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued last week by the DOE's Office of the Inspector General.

At least 14 of the computers were known to have processed classified information, the report says. The Counterintelligence Directorate's inventory records "were so imprecise and inaccurate that [the agency] had to resort to extraordinary means to locate an additional 125 computers."

Click here for the full story.

Spam Costs $712 Per Employee Annually

2007-04-03T09:48:00.000-07:00

As a luncheon meat, Spam is a bargain. As unsolicited marketing, spam is a rip-off: $712 per employee per year, or $71 billon to all U.S. businesses annually.

That's the cost of spam in terms of lost productivity, according to a survey released Monday by IT research firms Nucleus Research and KnowledgeStorm.

These figures come from a survey of 849 e-mail users conducted last month that found that two of every three e-mail messages received by businesspeople are spam, despite the fact that 60% of companies filter spam. The survey results are based on a $30-per-hour pay rate, a 2,080-hour work year, 100,249,046 U.S. e-mail-using workers, and that e-mail users are spending 16 seconds on average identifying and deleting spam that has evaded detection and landed in an in-box.

Click here for the full story.

TJX breach may spur greater adoption of credit card security standards

2007-04-02T09:39:00.000-07:00

Experts say TJX either failed to encrypt or truncate credit card numbers or did not secure encryption keys

The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wakeup call to retailers who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.

Click here for the full story.

Eight Faces of a Hacker

2007-03-30T08:48:00.000-07:00

You fight against them every day: hackers, attackers, insiders. You know what they do, but not who they are. They are often nameless, usually faceless. You'd like to be able to guess their next move, but that can be pretty difficult when you don't even know what motivates them or why they're attacking you.
Is there a way to "profile" a hacker, the way the police might profile an arsonist or a serial killer? Not exactly. But quietly, a collection of university researchers and law enforcement agencies has been developing a taxonomy of the hacker community, much as an entomologist studies and classifies insects. And police and security experts hope that taxonomy will eventually help them identify and root out the vermin.
Click here for the full story.

TJX data breach: At 45.6M card numbers, it's the biggest ever

2007-03-29T09:06:00.000-07:00

It eclipses the compromise in June 2005 at CardSystems Solutions

After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.

Click here for the full story.

Web attacks get personal

2007-03-28T10:02:00.000-07:00

Malware purveyors are increasingly tailoring their virus distribution and attack techniques to take advantage of different classes of end-users, according to researchers with the Internet Security Systems' X-Force team at IBM.

Top experts with the Atlanta-based research operation said that malware writers, phishing scheme operators, and botnet herders are more frequently employing so-called personalization tools to make their attacks more effective.

Much like the online marketing companies that gather bits of information to target advertising at individual Web users, cybercriminals are creating malware outlets and code executions that scan readily-available details about people's' computing posture to find appropriate recipients for their work.

Click here for the full story.

ID Theft Doubles in Two Months

2007-03-27T10:30:00.000-07:00

Online identity theft grew at an unprecedented rate during the first two months of 2007, as its two chief components -- malware and phishing -- skyrocketed at rates of 50 to 200 percent.

A study scheduled to be released tomorrow by Internet monitoring firm Cyveillance Inc., found more than 3 million pieces of personal information available on the Web, including approximately 320,000 debit and credit card numbers, 1.4 million Social Security numbers, and 1.3 million account login credentials.

Click here for the full story.

What to Do When Your Security's Breached

2007-03-26T08:39:00.000-07:00

Well, it's finally happened. Despite all your efforts to stop both internal and external attackers, someone has penetrated your defenses and stolen or damaged your data.

You've got a full-blown security incident on your hands. What are you going to do about it?

If you've been smart, experts say, you'll already have a computer security incident response team -- and a plan -- in place. You'll even have tested the team and plan in some sort of live simulation.

Click here for the full story.

Stolen TJX data used in Florida crime spree

2007-03-22T09:09:00.000-07:00

Police told company months before company told customers
Law enforcement officials in Florida have arrested six individuals suspected of carrying out a fraud scheme built around the misuse of credit card data stolen from retailer TJX Companies.

In partnership with the Gainesville Police Department, officials from the Florida Department of Law Enforcement said they have taken six of 10 suspects into custody for allegedly using the TJX customer data to purchase large quantities of gift cards from discount chains Wal-Mart and Sam's Club.

The series of arrests marks the first specific instance of crime to be connected to the TJX data heist, although some banks have previously reported that accounts held by consumers affected by the incident had been used in attempted fraud around the globe.

Click here for the full story.

Biggest security threat? Your users

2007-03-21T08:28:00.000-07:00

How to protect against naive, careless or malicious users
Whether it is the FBI's sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained "sensitive or classified information" or the drama of retailer TJX's February admission that the incident that put its customer credit card information in the hands of thieves impacted more people than originally thought, security incidents keep making headlines and vexing organizations.

Click here for the full story.

Huge Leak Revealed at Japanese Firm

2007-03-20T09:08:00.000-07:00

One of Japan's largest printing companies today reported the theft of more than eight million pieces of customer information, including addresses and credit card numbers.

Dai Nippon Printing said around 8.64 million pieces of customer information related to 43 client companies -- including Toyota Motor Corp. and Aeon Co. -- were stolen in July by a former employee of a subcontractor, who absconded with a magnetic optical drive containing the data.

Click here for the full story.

Users Go for Data Lockdown

2007-03-19T09:29:00.000-07:00

Removable storage devices are turning firms' employees into data security time bombs, forcing many CIOs to rethink their security strategies, according to concerned IT managers here today.

USB drives, in particular, are a major source of anxiety. "The ordinary person is like a mini-data center -- he is walking around with a lot of data in his pocket," warned Kumar Mallavalli, chief strategy officer of InMage and co-founder of Brocade, during a keynote this morning. "The most critical issues that we face today [involve] endpoint security [for] laptops, PDAs, and removable media."

Click here for the full story.

Seven Steps to Safer WiFi

2007-03-16T10:10:00.000-07:00

We've all done it: You need quick access to email, so you jump on that free WiFi connection at the local coffee shop, the airport, or a conference hotel. What are the chances you'll get hacked, anyway?

Think again. If you use unsecured WiFi in the clear, without any encryption or security, you're asking for it. Your laptop is routinely broadcasting seemingly innocuous data that when put together, can compromise your system as well as your company's. Hackers have the sniffer tools that can grab login and passwords, or gather bits of information that can reveal who you are and possibly gain entry into your corporate applications. (See Joke's on Me, Tool Uncovers Inadvertent 'Chatter', and Data That Doesn't Drip... Drip... Drip....)

Ask any security expert, and they will say "just say no" to naked WiFi.

Click here for the full story.

Smart USBs Gone Bad

2007-03-15T09:50:00.000-07:00

You know those handy, smart USB drives that let you carry the contents of your computer around your neck when you're on the move, applications and all? These portable drives can also be used by an attacker to steal your user privileges and data.

That's what Bob Clary, a consultant with Secure Network Technologies, recently discovered within just a few minutes of purchasing a smart USB. "The minute I saw the U3 USB drive, I thought 'I can do anything with this.' Five minutes after I had bought it, I had it hacked," says Clary, whose company performs social engineering and penetration testing for its clients.

Click here for the full story.

Photocopiers: The newest ID theft threat

2007-03-14T12:14:00.000-07:00

Newer models have hard drives that record what has been duplicated
Photocopiers are the newest threat to identity theft, a copier maker said today, because newer models equipped with hard drives record what's been duplicated. At tax time, when Americans photocopy tax returns, confidential information may be easily available to criminals.

Click here for the full story.

Burger, Fries & Security

2007-03-13T15:34:00.000-07:00

Whipping out that credit or debit card at your local fast-food restaurant may be convenient, but it has also put the so-called quick-service restaurant (QSR) sector under the Payment Card Industry (PCI) standard microscope.

Just ask Wendy's franchisee Paul Haire, who co-owns seven Wendy's restaurants in the Monroe, La., area. Haire's restaurants were some of the first to accept credit cards. The Wendy's stores had also been rife with email-borne malware that spread from the manager's XP-based workstation in the back office to the XP-based electronic point-of-sale (POS) systems in the front of the stores.

"That would bring the whole system down and step these restaurants back into the 60s, with hand-written orders and checks," he says. "We had a huge issue with viruses."

So Haire outsourced his franchises' Internet and security services to BHI . The Eden Prairie, Minn.-based Internet hosting and managed services security provider for SMBs provides a turnkey service for QSRs like Wendy's. He's been using the MSSP for nearly two years now.

Click here for the full story.

'One of our laptops is missing'

2007-03-12T11:06:00.000-07:00

These are words no IT manager ever wants to hear. Beyond the embarrassment, there is the danger of seriously bad publicity, damage to brand equity and legal liability. It is possible that losing even a single mobile computer loaded with sensitive information can kill an otherwise thriving business.

The good news is that current technologies and best practices can lower the risk dramatically when mobile computers are lost or stolen.

Click here for the full story.

ID theft forecast: Gloomy today, worse tomorrow

2007-03-08T08:14:00.000-08:00

Thieves are staying a few steps ahead of banks, retailers and the hoi polloi
Virtually every trend line for identity theft is bad news, a research analyst said today as she released a survey showing that 15 million Americans were victimized during a recent 12-month span.

For the year-long period that ended last August, 15 million people were burned by some kind of fraud related to identity theft, said Avivah Litan, a Gartner Inc. analyst. That number is 50% higher than 2003 data released by the Federal Trade Commission.

Click here for the full story.

Deep Threat

2007-03-07T09:18:00.000-08:00

Enterprises are leaking an increasing amount of data from the inside, and they aren't sure what to do about it.

Those are the conclusions of two new studies -- one from the Ponemon Institute and one from Enterprise Strategy Group -- being published today. Both of the reports suggest that enterprises should be shifting their security attention from the outside to the inside.

"The insider threat is far and away the number one threat," says Eric Ogren, an analyst at Enterprise Strategy Group and one of the authors of the research.

Click here for the full story.

Getting to Know the Enemy Better

2007-03-05T09:01:00.000-08:00

Experts agree: The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it.

But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.

Click here for the full story.

Lessons from the DuPont breach: Five ways to stop data leaks

2007-03-01T09:49:00.000-08:00

Follow the data, and protect it, say security experts
In the five months Gary Min was stealing $400 million worth of proprietary information from a DuPont database, he downloaded and accessed more than 15 times as many documents as the next-highest user of the system. But he wasn't caught until after he left the company for a rival firm.

Min pleaded guilty last November to misappropriating DuPont data and is scheduled to be sentenced on March 29. His case is only the latest to highlight a lack of internal controls for dealing with insider threats at many companies. Earlier in February, a cell development technologist at battery maker Duracell Corp. admitted to stealing research related to the company's AA batteries, e-mailing the information to his home computer, and then sending it to two Duracell rivals.

Click here for the full story.

Top 10 Admin Passwords to Avoid

2007-02-26T09:06:00.000-08:00

In the end, it's all a big guessing game. You create passwords to protect your systems; hackers try to guess the password you created.

It's a game that's going on all the time. As we reported last week, researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period. (See Study: Two Hacks a Minute.)

During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day. And these were relatively anonymous servers, sitting in a university data center and intentionally loaded with mundane, uninteresting data. We can only imagine what these attempt statistics might look like at, say, Bank of America or the U.S. Department of Defense.

Click here for the full story.

How to protect yourself at wireless hot spots

2007-02-20T08:47:00.000-08:00

They can be an invitation to disaster, says Preston Gralla, who offers a surefire plan to avoid security breachesWi-Fi hot spots in airports, restaurants, cafes and even downtown locations have turned Internet access into an always-on, ubiquitous experience. Unfortunately, that also means always-on, ubiquitous security risks.

Connecting to a hot spot can be an open invitation to danger. Hot spots are public, open networks that practically invite hacking and snooping. They use unencrypted, insecure connections, but most people treat them as if they are secure private networks.

Click here for the full story.

What would you do first as chief information security officer?

2007-02-19T08:24:00.000-08:00

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, “chief security officer,” which might include physical security as well -- isn’t either. The four security professionals who share their priorities with us make it clear there’s nothing cookie-cutter about the top IT security job.
Click here for the full story.

Massive Insider Breach At DuPont

2007-02-16T09:29:00.000-08:00

The Delaware U.S. attorney on Thursday revealed a massive insider data breach at chemicals company DuPont where a former scientist late last year pleaded guilty to trying to steal $400 million worth of company trade secrets. He now faces up to a decade in prison, a fine of $250,000, and restitution when sentenced in March.

Click here for the full story.

Getting Users Fixed

2007-02-15T08:43:00.000-08:00

Dark Reading’s editorial advisory board held a meeting at last week’s RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry’s greatest obstacles. The following are excerpts from that conversation.

Botnets are the chief exploit facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us.

Click here for the full story.

Data Destruction, at Your Disposal

2007-02-14T08:47:00.000-08:00

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations out them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

Click here for the full story.

E-mail retention policies, Part 2

2007-02-13T08:50:00.000-08:00

Tips for defining e-mail retention policies
In the previous column, my friend and colleague Prof. Don Holden, MBA, CISSP-ISSMP, and I reviewed some of the issues arising from pre-trial discovery orders involving stored e-mail and e-mail archives.

As we looked through several articles on the subject and thought about the issues, we put together the following list of practical pointers for readers:

Click here for the full story (Part 2).

E-mail retention policies, Part 1

2007-02-13T08:43:00.000-08:00

Why e-mail retention is not just a good idea
One of the big factors driving proper retention and destruction of e-mail is that e-mails are discoverable evidence in both civil procedures as well as criminal investigations. Retention of e-mail and other unstructured content such as instant messaging is also required in certain industries, particularly in the financial industries where brokerage house have been fined millions of dollars for failure to produce e-mails in a timely fashion.

For example, Morgan Stanley was fined $15 million by the Securities & Exchange Commission for failing to produce e-mail messages promptly in response to court-authorized demands for evidentiary discovery.

Click here for the full story (Part 1).

Are 'Sealed' Websites Any Safer?

2007-02-12T09:45:00.000-08:00

Hacker Safe, ControlScan, VeriSign, Cybertrust -- what's in a Website label, anyway?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, help verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Click here for the full story.

Hackers find a wealth of victims on corporate Web sites

2007-02-08T08:40:00.000-08:00

Secure software can help fight Web attacks, experts said at RSA Conference
Insecurely written software still looms as one of the greatest threats to Internet commerce, and user-generated Web content is becoming a vast new vulnerability hackers want to exploit, according to experts at RSA Conference.

Cross-site scripting attacks on Web sites can lead to malware taking over the browsers of machines that use the sites, said Caleb Sima, a member of the Secure Software Forum and co-founder of SPI Dynamics.

Click here for the full story.

Attackers Take Trojans to the Bank

2007-02-07T08:13:00.000-08:00

Mobility, money, and malicious intent have formed a toxic brew, a researcher at Kaspersky Lab said yesterday on the eve of the security conference here. And it's a mix that threatens banks and their customers alike.

Cybercriminals are targeting financial services and consumer banking customers, which is no great surprise, acknowledged Eugene Kaspersky, head of research and development for the international antivirus vendor. But "bank Trojans," in particular, he told Dark Reading, have recently demonstrated more malevolence and effectiveness, threatening to overwhelm antivirus researchers and the methods they use to shut down such malware.

Click here for the full story.

Gates, Ellison to tout security at RSA

2007-02-05T08:49:00.000-08:00

The annual RSA Conference, expected to draw 15,000 security professionals and more than 325 vendors from around the world to San Francisco's Moscone Center exhibit hall, kicks off this week with keynotes from industry luminaries Bill Gates and Larry Ellison.

Microsoft Chairman Bill Gates, accompanied by Craig Mundie, chief research and strategy officer, is expected to tout the security of Microsoft's new Vista operating system, plus how e-commerce can improve if Web sites make use of the industry's new Extended Validation Secure Sockets Layer (EV SSL) certificate for authentication.

Click here for the full story.

Call the cops: We're not winning against cybercriminals

2007-02-02T12:12:00.000-08:00

Kaspersky seeks police help with fighting cybercrime
Kaspersky Lab Thursday will acknowledge that cybercriminals have the upper hand and cooperative international policing is needed to protect honest users.

"We don’t have the solutions," says Natalya Kaspersky, CEO of the company. "We thought it was possible to do antivirus and that was adequate protection. That time is gone."

Click here for the full story.

Three fundamental guidelines for determining backup health

2007-01-31T08:49:00.000-08:00

A high backup success rate doesn't mean a risk-free environment
In previous columns, I've emphasized the need for backup reporting and metrics to ensure that data is protected appropriately. However, even with the benefit of regular, successful backup reports, the fact remains that the devil is in the details. It is important to go beyond a raw statistic, like the percent success or failure, to properly analyze and interpret the actual meaning. To that end, here are three fundamental guidelines to apply when attempting to determine backup health.

Click here for the full story.

FBI Faces Fresh Cyber Threats

2007-01-30T13:19:00.000-08:00

From dirty bombs and high-tech spies to teenagers planning DOS attacks with Sony PlayStations, the F.B.I. has its hands full with a growing number of cyber-threats, according to David Thomas, deputy assistant director of the agency's science and technology branch.

The official, a keynoter at a conference here today, warned that the Internet is more important to U.S. national security than ever before. "We know that terrorists would like to create a dirty bomb," he said, explaining that his agency has to keep this know-how within the U.S. "Spying is changing -- whereas before people had to travel to the U.S., now they don't have to."

Click here for the full story.

Cybertrust Enters EV SSL Fray

2007-01-29T10:50:00.000-08:00

Cybertrust today launched its Extended Validation SSL certificate offering, joining VeriSign and other certificate authorities in supporting the new browser security standard. But some experts are still skeptical that the emerging specification will really hinder serious hackers.

Click here for the full story.

Company Cuts Privileges to Cut Malware

2007-01-23T13:41:00.000-08:00

One way to minimize your exposure to malware is to reset your Windows client machines to run without system administrator rights, a.k.a. least-privilege user. But is a least-privilege user underprivileged? (See The Truth About User Privileges.)

"Ideally when they come in and use their machine, they shouldn't see any difference," says Keith Brown, network administrator at Gwinnett Health Systems, which has eliminated systems admin rights on over 2,700 of its Windows XP clients. Gwinnett is an Atlanta-area nonprofit healthcare system with over 4,000 employees and 750 physicians.

Click here for the full story.

New secure VPN tunneling protocol in the works at Microsoft

2007-01-22T09:21:00.000-08:00

SSTP intended for remote accessMicrosoft is working on a remote access tunneling protocol for Vista and Longhorn Server that lets client devices securely access networks via a VPN from anywhere on the Internet without concern for typical port blocking issues.

The Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP, eliminating issues associated VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) that can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers.

The protocol, however, is only for remote access and will not support site-to-site VPN tunnels.

Click here for the full story.

Five Unsolved Mysteries of Security

2007-01-19T09:33:00.000-08:00

Ever wonder what happened to a once-hot security revelation that went from the radar screen to near-obscurity -- or to so much exposure that it became passé -- with no apparent resolution? What was really behind big blow-ups like the defunct Week of Oracle Database Bugs (That Never Was)?

Some security issues remain a mystery, even to the experts, either because they're too tough to fix right now (think cross-site scripting), or because we want to know what's really going on behind the scenes among the players involved.

Click here for the full story.

Retail breach may have exposed card data in four countries

2007-01-18T10:38:00.000-08:00

TJX discloses network intrusion, says full extent of info theft not yet known

The credit and debit card data of a large number of shoppers in the U.S., Puerto Rico and Canada, and possibly in the U.K and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies Inc. last month.

According to a statement issued today by the Framingham, Mass.-based retailer, the network intrusion took place in mid-December and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S and Puerto Rico.

Click here for the full story.

Spam Hidden in Email Newsletters

2007-01-17T08:19:00.000-08:00

Careful what you read -- spammers are now hijacking legitimate newsletters and electronic advertisements from big-name brands such as the NFL, Amazon, Wal-Mart, eBay, ESPN, US Airways, Kohls, Verizon, and 1-800-Flowers.
Click here for the full story.

Worldwide IT spending to hit $1.5 trillion by end of decade

2007-01-16T07:47:00.000-08:00

Global IT spending is expected to reach $1.5 trillion by 2010, according to new research.
Worldwide IT spending will grow by six percent each year until 2010, according to a newly-published IDC report. Global spending last year totaled $1.2 trillion.

Click here for the full story.

Two universities disclose data breaches

2007-01-15T09:34:00.000-08:00

Personal data on more than 331,000 people may have been exposed in one breach

The University of Idaho in Moscow yesterday began sending letters to more than 331,000 people warning them about the potential compromise of their personal data following the theft of three desktop computers in November.

Meanwhile, in a separate incident, officials at the University of Arizona in Tucson are investigating a computer break-in that disrupted several school services this week and continued to keep an online procurement system offline even today.

Click here for the full story.

Canadian IT starting salaries to rise 3.5 per cent

2007-01-12T09:12:00.000-08:00

A recruiting firm's compensation guide shows demand in several positions. CIOs lament their hiring woes as desparate employers troll for "passive candidates".

Canadian IT professionals will see a starting salary boost of 3.5 per cent this year, with operations managers and data security analysts enjoying the highest raises in base compensation.

Click here for the full story.

10 Ways to Get Users to Follow Security Policy

2007-01-12T08:53:00.000-08:00

It's official: Users are the weakest link in the IT security chain. You can have firewalls, encryption, and NAC up to your ears, but it still won't save you from the guy who gives all of his access information to the members of his fantasy football league.

What does it take to get end users to follow company security policy? How can you ensure they understand the rules and respect them?

There are no easy answers, but after interviewing security pros and our crack team of industry experts, we came up with 10 that are pretty good. Is your organization employing all of these enforcement techniques? Take a look and see if there's more you and your managers can do to make security happen in your organization.

Click here for the full story.

PayPal hopes it's got the key to thwart phishing

2007-01-11T13:42:00.000-08:00

$5 gadget delivers a new numeric password every 30 seconds
Over the next few months, Ebay Inc. will be offering its PayPal users a new tool in the fight against phishers: a $5 security key.

The PayPal Security Key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.

Click here for the full story.

Data Demolition

2007-01-10T10:27:00.000-08:00

The IT manager for a multi-site law firm was stumped. As part of a companywide security crackdown, he'd been given orders to ensure any disk drives that were replaced in his data center got destroyed. Overwriting disks with software would not be sufficient. Baffled but eager to please, he asked two of his technicians to bring in hand-drills and sledgehammers. An afternoon's hard work outside the company loading docks, and the job was done.

Sound extreme? Think again. A growing number of IT pros are faced with replacing NAS gear, tape drives, or storage arrays without risking the loss of sensitive data. And depending on their company's position on the matter, they may be going to the shed -- the garden shed -- for the solution.

Click here for the full story.

2007: Trouble Ahead

2007-01-08T08:31:00.000-08:00

One thing's for sure about the security threat landscape in 2007: It'll get a lot more personal.

Everybody has an opinion about what the key security threats will be for next year. But the common thread among the plethora of punditry is that security is getting more of a human face, whether you're the victim of an identity theft scam or corporate espionage, or whether you're the double-agent bad guy behind the attack on your own company.

Click here for the full story.

Four Sure-Fire Spam Reducers

2007-01-05T08:12:00.000-08:00

Is holiday spam bloating the inbox? Even if you haven't seen quite as much holiday-themed spam as expected sneaking by your email server -- hey, even spammers need a holiday once in a while -- you're probably ready to trim the fat from your email traffic.

But that isn't always so simple. The most frustrating thing about spammers is they keep getting smarter in their quest to evade detection. And spam volume is exploding: Spam-watchers at Symantec say they've witnessed a 55 percent increase in spam over the last six months.

Click here for the full story.

The Six Dirtiest Tricks of 2006

2007-01-03T11:29:00.000-08:00

Since the dawn of humanity, man has taken pride in his achievements of days past. The courageous defense of his cave from long-toothed predators. A fruitful hunt of the elusive wildebeest. The successful programming of his complicated BlackBerry.

In ancient times, these great achievements were told and re-told in tales, in song, in poetry. Today, journalists have evolved this retelling to a higher art form: the annual "year in review" story. This story is done and re-done each year by virtually every publication in existence, from Sports Illustrated to Hog Monthly.

As a new, innovative Web destination, we thought about not doing one of those stories. Break the mold and all that. But it's the end of the year. The drums are beating. The fire is burning high. The smell of roasted wildebeest hangs pungent in the air. The ceremonial conch shell is passed to us -- it's our turn to, uhh, blow.

So, what the hell. Who are we to argue with evolution?

The following is Dark Reading's look back at six of the most clever and devious IT security exploits of 2006, which we call "The Six Dirtiest Tricks of 2006."

Click here for the full story.

Banks Ready for Compliance Deadline

2007-01-02T09:45:00.000-08:00

Dec. 31, 2006 will bring out an array of party hats, confetti, and noisemakers across the globe. But in the recesses of data centers in many banks and financial institutions, that date may give IT workers another reason to pop the champagne cork.

New Year's Eve is the final deadline for financial organizations to meet multifactor authentication requirements outlined by the Federal Financial Institutions Examinations Council (FFIEC), which helps to govern security requirements for banks and other organizations that handle consumer funds. The FFIEC guidelines, which were issued in October of last year, require financial institutions to deploy a second form of user authentication by Dec. 31 or face fines of $10,000 and up.

Bots and rootkits among top 10 threats, said McAfee

2006-12-22T08:37:00.000-08:00

The days of big virus outbreaks like MyDoom, Melissa and SQL Slammer are gone, said Joe Telafici, director of operations for McAfee's Avert Labs.

Telafici was speaking at the recent AVAR (Association of Antivirus Asia Researchers) conference, which was held in Auckland. Today's cyber criminals don’t want to draw attention to themselves as the main motivation for cyber crime now is money, not fame, he said.

Click here for the full story.

Top tips on destroying data on your hard drives

2006-12-21T16:39:00.000-08:00

Reformatting a drive or deleting its partition doesn't truly erase its files

Data thieves don't have to be programming wizards to get their hands on your personal information. They often find hard drives that contain financial and other sensitive data at flea markets, charity shops, the city dump and even on eBay. These tips will help you render an old drive's files unreadable.

Click here for the full story.

Risk Management's Bell Curve

2006-12-19T10:02:00.000-08:00

IT security managers have two basic problems: getting their managers to understand the need for security resources; and figuring out how to prioritize and spend the resources they already have.

Both problems could potentially be solved if security people spent a little less time thinking like IT experts and a little more time thinking like insurance experts, according to new report from the London School of Economics and McAfee.

Click here for the full story.

Risk Management's New Bell Curve

2006-12-19T09:56:00.000-08:00

Email security techniques we wish would work, but just don't

2006-12-18T09:06:00.000-08:00

At the height of its hype cycle, XML was supposed to solve the "interoperability problem," but in the end, only had a marginal level of success that was better than any other file format. In much the same way, many legacy spam detection techniques promised to rid us of much or all spam. Instead, they fell short of their promise and, in many cases, just did not work.

Click here for the full story.

Boeing laptop with data on 382,000 employees stolen

2006-12-15T08:41:00.000-08:00

And in Dallas, the University of Texas reported a network intrusion

A laptop containing the personal information on 382,000 current and retired workers of Chicago-based Boeing Co. was stolen from an employee's car earlier this month, according to Boeing spokesman Tim Neale. He declined to say exactly where the laptop was stolen.

The information included employees' Social Security numbers, home addresses, telephone numbers and birth dates, as well as salary information, Neale said. Although the laptop was turned off and was password protected, Neale said the data on it was not encrypted.

Click here for the full story.

Report: Phish Jump

2006-12-14T08:35:00.000-08:00

As if you didn't already know that phishing is growing, the Anti-Phishing Working Group's latest numbers hammer it home even harder, showing a 50 percent increase in phishing sites from September to October.

The APWG's latest report shows 37,444 unique phishing sites were detected in October, versus 24,565 in September. The APWG attributed much of this jump to phishing campaigns using URLs with multiple subdomains in an attempt to evade spam filters and antiphishing filters in browsers, which use blacklists of known phishing sites.

Click here for the full story.

Worms Get Smarter

2006-12-12T14:54:00.000-08:00

The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites.

Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms discovered earlier this month on MySpace are more about stealing data. Example: the XSS exploit that spreads as a worm and tries to force spyware onto a user's machine for nefarious purposes. That attack is a QuickTime movie that is "backdoored" with an XSS exploit, which changes a user's profile to include links to a porn site that hosts spyware. Once a user goes to that site, he or she is infected with the spyware.

Click here for the full story.

2006: The year in security

2006-12-08T10:20:00.000-08:00

Though Internet-crippling virus attacks now seem to be a thing of the past, PC users didn't feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cyber criminals has emerged as enemy number one. Microsoft Corp. patched more bugs than ever and whole new classes of flaws were discovered in kernel-level drivers, office suites and on widely used Web sites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.

And, oh yes, spam is back.

Following are five of the top computer security stories in 2006.

Click here for the full story.

Disney protected with home-grown security, compliance software

2006-12-07T09:30:00.000-08:00

Company's Keystone Web services provide centralized identity management, access control

The Walt Disney Co. is locking down its applications with cutting edge identity management innovations developed in-house that are helping the entertainment giant meet its security, compliance, and auditing goals.

Click here for the full story.

IBM Buys Into Security Compliance

2006-12-06T15:40:00.000-08:00

IBM did its holiday shopping a little early this year, picking up security information management and compliance tool vendor Consul today for an undisclosed sum.

Consul, a 20-year-old company originally founded to do mainframe data and usage auditing, is one of several smaller security vendors that makes tools for collecting information about user access and activity across an enterprise. Such data is critical in the effort to meet security requirements outlined in a variety of government and industry policies and regulations, including Sarbanes-Oxley and HIPAA.

Click here for the full story.

Compliance Keys: Money, Monitoring

2006-12-05T09:16:00.000-08:00

When it comes to regulatory compliance, companies that spend the most on IT security, and are the most vigilant about their compliance efforts, are the most successful.

That's the result of a study published earlier today by the IT Policy Compliance Group, a collection of compliance experts formed last year to study best practices in regulatory compliance.

Click here for the full story.

Research group finds high level of IT deficiencies

2006-12-04T09:05:00.000-08:00

IT vulnerabilities such as inadequate documentation and poor PC access controls put enterprises at risk of being noncompliant with regulatory mandates and prone to security events -- and most companies have at least a few such deficiencies present in their enivornments, according to research to be released Monday.

Click here for the full story.

New Threats Loom for 2007

2006-12-01T10:53:00.000-08:00

Attackers are preparing a new array of exploits and vulnerabilities for next year, security researchers say.

McAfee Avert Labs, the research arm of the popular antivirus vendor, yesterday unveiled its predictions for 2007, based on its analysis of more than 217,000 threats collected to date.

At its current rate of growth, the threat base will grow to 300,000 by the end of next year, the company says. "It is clear that malware is being released by professional and organized criminals," the company said in a statement.

Click here for the full story.

From Wall Street to the military, the year ends with security undertakings

2006-11-29T08:16:00.000-08:00

As the year winds up, IT managers from Wall Street to the military say they've kicked off ambitious projects to bolster security within their organizations.

At New York-based investment firm Goldman Sachs, one project under the direction of Tom Quinn, vice president of information security, entails adding desktop software for digital-rights management to restrict viewing, printing or changing financial data.

Click here for the full story.

The 10 Most Overlooked Aspects of Security

2006-11-28T11:57:00.000-08:00

Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?

Most likely, you are.

Did you post a surveillance camera in your server room? Check the trash can for discarded disk drives that weren't wiped clean of sensitive data? Do a deep background check on that new database administrator you hired? Look into that new third-party security services offering?

Encrypt the backup of the year-end financial data?

Gulp. Maybe you're not quite ready for the holidays.

Click here for the full story.

Study: Almost half of firms late in patching laptops

2006-11-24T09:27:00.000-08:00

Organizations, already knee-deep protecting the data in laptops are patching critical vulnerabilities in the mobile devices too slowly, a new study has suggested.

The findings, released Monday by analyst firm Trusted Strategies and patch management provider Shavlik Technologies, revealed that companies largely lack automated solutions to track down vulnerable laptops and apply the necessary patches.

Click here for the full story.

Oakley rolls out laptop protection software

2006-11-23T09:32:00.000-08:00

Oakley's SureFind software lets IT administrators remotely monitor and disable lost or stolen laptops.

Oakley Networks this week rolled out software that lets organizations remotely locate a lost or stolen laptop, determine whether data on the laptop has been compromised, and destroy the data to protect it from exposure.

Click here for the full story.

Data That Doesn't Drip... Drip... Drip...

2006-11-22T08:53:00.000-08:00

You've heard of data leakage, but what about data seepage?

That's when your desktop applications are set to connect to your internal mail server or shared folders -- for instance, when you boot up your machine -- and your corporate network is then exposed to a targeted attack.

Click here for the full story.

Not Your Grandpa's Microsoft

2006-11-22T07:00:00.000-08:00

OCTOBER 31, 2006 | Microsoft's a big target -- the vendor takes a lot of heat for poor products or just a lack of responsiveness. While some of that criticism may have been true and even warranted over the years, let's give credit where it's due: Windows XP SP2 turned out to be vastly better from a security standpoint than previous versions. In fact, Microsoft-based enterprises have improved their security so much that even Symantec reports that the attack vectors have shifted to employees' homes.

Full Article...