Cyber Security Institute

Friday, August 29, 2008

“One-Character Patch” for DNS? Not so fast

A domain-name system (DNS) researcher proposed on Wednesday that the addition of a single character to the popular BIND name server software could severely limit cache poisoning attacks, such as those described by researcher Dan Kaminsky.  The suggestion, made by computer scientist Gabriel Somlo, would make exploitation of name server caches more difficult.  However, the “one-character patch” also has some serious side effects, Dan Kaminsky, director of penetration testing for IOActive, said in an e-mail interview with SecurityFocus.


Thursday, August 28, 2008

Most IT staff would steal company secrets: survey

Most IT staff would steal sensitive company information, including CEO’s passwords and customer details, if they were laid off, according to a new survey from Cyber-Ark.  One third of IT staff keep passwords on post-it notes.  A staggering 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant.


Security visualization helps make log files work

Many companies are required to keep certain log files detailing important system events, but until now, most firms haven’t been properly analyzing them, if they analyze them at all.  “If there were more tools out there to make this easier, I think a lot more people would actually use visualization.”  One researcher is trying to make the data easier to use.  Raffael Marty, a security expert with log management firm Splunk Inc., wrote Applied Security Visualization, a book trumpeting the advantage of using sophisticated charts and graphs to better view log data.


U.S. to deploy DNS Security in two years

The U.S. government issued a memo last week mandating that all major agencies adopt a proposed technology to enable trusted lookups of domain information by December 2009.


Wednesday, August 27, 2008

Report: Popular Web Attacks Go Stealth

Encoded SQL injection and cross-site scripting (XSS) attacks are becoming all the rage as Web defenses are getting better at catching these popular scripting attacks, according to WhiteHat Security’s Website security statistics report released today.  Attackers have begun hiding the malicious code by encoding so they can keep using these old-school attacks, which organizations are getting better at detecting in the clear, says Grossman.  Mary Landesman, senior security researcher at ScanSafe, says her Web security services firm is also seeing more obfuscation, including encryption, of malicious code being injected into Websites.
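The report’s point is that a detector which matches raw request strings misses the same payload once it is URL- or HTML-encoded.  The following is an added illustration (not code from WhiteHat, ScanSafe or the report): it decodes repeatedly until the input stops changing, then applies a small, constructed signature set.  The signatures and sample requests are made up for this example and are far from a complete rule set.

```python
"""Normalize common encodings before signature matching.

Added example: the signatures and sample inputs below are constructed
for illustration and are not taken from any vendor report.
"""
import html
import re
import urllib.parse

# Tiny illustrative signature set (constructed, not a production rule set).
SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),            # script tag
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),       # UNION-based SQLi
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE), # tautology SQLi
]


def normalize(value: str, max_rounds: int = 5) -> str:
    """URL-decode and HTML-entity-decode until the string stops changing.

    A single decode pass is not enough because payloads are often
    double-encoded (e.g. %253C -> %3C -> <).  The round cap keeps a
    pathological input from making the detector loop for long.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def naive_match(value: str) -> bool:
    """Match signatures against the raw string, as a weak detector would."""
    return any(sig.search(value) for sig in SIGNATURES)


def normalized_match(value: str) -> bool:
    """Match signatures after canonicalizing the input."""
    return naive_match(normalize(value))


# Constructed sample query-string values: one plain, three encoded, one benign.
SAMPLES = [
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C/script%3E",      # URL-encoded once
    "%253Cscript%253E",                       # URL-encoded twice
    "&lt;script&gt;",                         # HTML entities
    "%27%20OR%20%271%27%3D%271",              # ' OR '1'='1 URL-encoded
    "hello+world",                            # benign
]


def scan_samples() -> list:
    """Return (sample, naive_hit, normalized_hit) for every constructed sample."""
    return [(s, naive_match(s), normalized_match(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, naive_hit, norm_hit in scan_samples():
        print(f"{sample!r:40} naive={naive_hit!s:5} normalized={norm_hit}")
```

Two caveats a deployment would need to handle: `unquote_plus` turns a literal `+` into a space, which is correct for `application/x-www-form-urlencoded` bodies and query strings but not for path segments; and decoding to a fixed point still leaves other obfuscations (character-set tricks, comment insertion, case games inside SQL keywords) untouched, so canonicalization is a prerequisite for matching, not a replacement for it.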


US data breaches booming in ‘08

With four months left in 2008, the firm found that 449 US businesses and government agencies have thus far reported lost or stolen customer and employee data.  All told, ITRC said its 2008 list represents compromised records of more than 22 million individuals, although it calls that number “grossly incomplete” because in about 40 per cent of events the number of records exposed is not reported or fully disclosed.  Yet ITRC founder Linda Foley attributes part of the growth to companies becoming more open to reporting data loss and the group’s access to state notification lists.


WhiteHat Report Finds Web Site Security Vulnerabilities Persist

WhiteHat Security’s latest report on Web site security shows cross-site scripting remains the most common Web site vulnerability.  WhiteHat Security’s latest report on Web site vulnerabilities has found the Internet in slightly better shape (emphasis on slightly).  In the fifth installment of the “WhiteHat Website Security Statistics Report,” the company has found that 82 percent of the 687 Web sites assessed by the company have had at least one security issue since WhiteHat began assessing them, a drop-off from the previous report released in March.


Tuesday, August 26, 2008

Data breach discovery, disclosure outpaces 2007

The number of data breaches reported in 2008 has surpassed those reported in 2007, according to the Identity Theft Resource Center (ITRC), a non-profit organization tracking the statistics.  The pros and cons of data breach insurance: the security incidents at the Hannaford supermarket chain and elsewhere have some wondering if it’s time to purchase data breach insurance.  ITRC, an organization that tracks data breaches and educates consumers about identity protection, said its 2008 breach list surpassed the total of 446 reported in 2007.