Cyber Security Institute

Tuesday, September 30, 2008

Infoblox Unveils “DNS Firewall” to Address DNS Vulnerability Concerns

Infoblox has enhanced its full line of core network services (CNS) appliances that provide DNS security capabilities such as alerting, reporting, and attack mitigation.  These capabilities and automated software update capabilities of Infoblox grid technology can help enterprises thwart current and future DNS vulnerability exploits.


Thursday, September 25, 2008

(ISC)2: (ISC)2 Launches Security Certification To Reduce Application Vulnerabilities

The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual’s competency in addressing security issues throughout the software lifecycle (SLC).  Code-language neutral, it will be applicable to anyone involved in the SLC, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers.  Over 70 percent of security vulnerabilities exist at the application layer, presenting a significant, immediate threat to users worldwide.  “All too often, security is bolted on at the end of the SLC as a response to a threat or after an exposure,” said Howard A. Schmidt, CISSP, (ISC)2 board member and newly appointed president of the Information Security Forum (ISF).


Shadowserver to Build ‘Sinkhole’ Server to Find Errant Bots


Tuesday, September 23, 2008

‘Profiler’ Hacks Global Hacker Culture

A hacker once called the Italian Kevin Mitnick has spent the past two years surveying various types of hackers from around the world to profile the hacker culture—all in an effort to help combat cyber crime.  Raoul Chiesa, a reformed black-hat hacker who in his heyday was a notorious social engineer and X.25 hacker, is about to publish the first fruits of research from the so-called Hackers Profiling Project he launched nearly two years ago.


For US Enterprises, Computer Crime Starts at Home

According to separate research reports published yesterday, the United States is the most common source of attacks, and that trend could continue as attackers find ways to exploit networks here at home.  This year alone, some 20.6 million attempted attacks have originated from computers within the U.S., the company says.  China ran second, with 7.7 million attempted attacks emanating from computers within its borders.  Brazil was third with about 166,987 attempted attacks.


Survey: Web-based malware puts corporations at risk

A new study found that 85 percent of malware is being distributed through Web applications, which is creating a growing threat for corporations as employees increasingly do online social networking, video watching, and personal e-mail at work.  Nearly one-third say their Web security was compromised as a result of employees using computers at work to access social networks, Web-based e-mail, and video sites.


Cybercriminals Utilize the Latest Web 2.0 Techniques to Inject Their Obfuscated Malware in PDF and F

Finjan Inc., a leader in secure web gateway products, today announced that its Malicious Code Research Center (MCRC) discovered examples of obfuscated code embedded in rich-content files, and not only in HTML-webpages on legitimate websites.  Finjan’s H1/2008 Web Security Survey Report indicates that 46% of respondents stated that their organization didn’t have a Web 2.0 security policy in place.


Monday, September 22, 2008

McAfee to pay $465 million for Secure Computing

Computer security company McAfee Inc (MFE.N) plans to buy Secure Computing Corp (SCUR.O) for $465 million, adding specialized equipment that keeps hackers from breaking into computer networks.  The move, McAfee’s biggest acquisition to date, helps the No. 2 computer security company expand the bundle of products it can sell to businesses.


Friday, September 19, 2008

Only 35% Of Oracle Users Continuously Monitor For Suspicious Activity

Oracle and the International Oracle Users Group commissioned Unisphere to survey the user group’s members in July and August and, out of 316 respondents, found 20% anticipated some kind of data security breach over the coming year.  Three out of four acknowledged they do not consider all of their database systems to be “locked down.”  “The breach by an external party tends to be more visible, but internal breaches are more frequent,” said Ian Abramson, president of the IOUG and a database consultant working in Canada.


SandBox Analyzer for Linux and addition of file-format exploit support

Norman’s SandBox technology continues to lead the fight against malware, helping security experts more quickly and accurately mitigate security threats.  Norman today released the SandBox Analyzer for Linux to the product line giving customers an important option to the popular Windows version of the SandBox Analyzer.


Tuesday, September 16, 2008

Microsoft to release secure coding model

Microsoft announced on Tuesday that the company plans to release three security programs in November to help companies reduce vulnerabilities in their software products and design more secure products for the future.


Monday, September 15, 2008

DHS Report Says Leave Laptops At Home

The U.S. Department of Homeland Security appears to be of two minds about the security of information on portable devices.  On the one hand, it defends border searches of laptops as necessary to limit the movements of terrorists, to deter child pornography, and to enforce U.S. laws.  On the other hand, it has warned business and government travelers not to carry laptops or other electronic devices when traveling abroad, as a way to prevent “unauthorized access and theft of data by criminal and foreign government elements.”


UN Agency Working On Tech Standards To Get Rid Of Anonymity

Declan McCullagh has a somewhat scary report about how the UN’s International Telecommunication Union has been quietly working away on a proposal for new core internet technology that would allow a “traceback mechanism” to effectively get rid of anonymity, and allow those with access to identify who provided any particular piece of content.


Sunday, September 14, 2008

Patching Offline VMware Machines

Though NetChk Protect 6.5 is focused only on Microsoft Windows and VMware environments, Shavlik’s products offer IT administrators a way to save time and effort updating offline virtual machines.


Friday, September 12, 2008

Keys to Locking Down Storage Security on a Database

Enterprises most often keep their most valued data in structured storage inside a database of some kind, and hackers know it.  Security consultant Ted Julian of Application Security offers a detailed look in several steps at how he believes database security should be implemented, starting with data discovery and moving all the way through the implementation of intrusion detection.


Thursday, September 11, 2008

CookieMonster Can Steal HTTPS Cookies

The Python-based tool actively gathers insecure SSL information and records that as well as normal HTTP cookies to Firefox-compatible cookie files.  A so-called CookieMonster attack is coming, and if you use Web-based services that involve login credentials, such as Web e-mail or online banking, you may want to turn your fear and paranoia dial to 11, one researcher warns.  “CookieMonster is a Python-based tool that actively gathers insecure HTTPS cookies, and records these as well as normal http cookies to Firefox compatible cookie files,” explains Mike Perry, the security researcher who created the software, in a documentation file.


Enterprises Struggle to Identify Sources of Risk

Enterprises are putting a good deal of emphasis on risk management these days, but they don’t all agree on how to measure risk, according to a new industry study.  The annual security study, which will be published Friday by service provider BT, offers a look at enterprise security priorities and perceived threats.  The upshot: Although managing risk has become an important thread in IT security, making a business case for security technology is still a challenge.


Wednesday, September 10, 2008

Report: In-Depth Analysis Finds More Severe Web Flaws

A new report on Web threats released today by the Web Application Security Consortium says that in-depth manual and automated assessments found nearly 97 percent of sites carry a severe vulnerability.  “About 7.72% [of] applications had a high-severity vulnerability detected during automated scanning,” according to the WASC report.  The pervasive cross-site request forgery (CSRF) vulnerability didn’t get a high ranking in the report (it was found in only 1.43 percent of the apps) however—even though it’s “the most prevalent vulnerability,” according to WASC.  That’s because “it is difficult to detect automatically and because a lot of experts take its existence for granted.”


CIS looks to community for security metrics

The Center for Internet Security (CIS) announced that the group would work with a community of security professionals to create a set of eight metrics to help companies measure their progress in locking down their networks.  The project—which distills the recommendations of 85 security experts from government, industry and academia—aims to give companies a single set of data points to track their organization’s security over time and to collect information in a consistent manner, said Bert Miuccio, CEO of the Center for Internet Security.


Tuesday, September 09, 2008

A [Phone] Alarming Development at Tech Conference

The first day of the DEMO conference here saw a range of clever applications that drew the occasional hoots of appreciation, laughter for presentation and polite applause for functionality.  There wasn’t much to indicate the company had anything but another mobile security solution as CEO Sujit Jain explained how the company’s Maverick Secure Mobile software can help protect a phone that’s been stolen.  Once a thief swaps out a phone’s SIM card, the application works in the background to notify the owner of the change by sending an alert to a pre-designated alternate number—a second phone you own, or one belonging to a friend, colleague or family member.


Friday, September 05, 2008

IT security devours 10% of operating budgets

IT security budgets are consuming 10% of operating budgets and rising amidst growing concern over data breaches and an increasing need to protect sensitive data, according to Forrester Research.  In a survey of 1,255 security decision-makers at North American companies, 21% expect to increase IT security spending in 2009, compared with 6% who expect security spending to decrease.


Gartner Spells Out Changing Tech Scenarios

The coming few years will feature continued consolidation, financial pressures and changes to the hardware business, requiring different IT strategies for the future than what people have been using in the past.  IT consultancy Gartner made these predictions during its Hardware Insight conference here Thursday.  Employees of firms like Intel, HP and Sun listened to presentations that often focused on where their companies may be headed in the coming years.  Some of the usual trends will continue, like market consolidation.  Research Vice President Roger Cox noted that 85 percent of the storage business is in the hands of seven vendors, and “they are not advancing the technology.”


Thursday, September 04, 2008

Survey: VARs Concerned About Cybersecurity, Health Care

Many U.S. businesses fail to take cybersecurity protection seriously and are unwilling to spend money on additional protection, according to a recent survey of value added resellers (VARs) by the Computing Technology Industry Association.  Cybersecurity was the top policy concern for VARs in the August survey by CompTIA, but right behind security was the rising cost of health care for VAR employees, CompTIA said.  Ninety-seven percent of the 109 respondents said they believe U.S. businesses are not secure enough, while 96 percent of respondents said they were concerned about rising health-care costs.


Tuesday, September 02, 2008

Zombie network explosion

The number of compromised zombie PCs in botnet networks has quadrupled over the last three months, according to figures from the Shadowserver Foundation.  The clear trend within these figures is upwards, with a rise in botnet numbers from 100,000 to 400,000 (if 30 day entropy is factored into equations) or from 20,000 to 60,000 (for five day entropy).