Category: Trends

The rampant use of default passwords within live database environments continues to plague the security of enterprise data, researchers say. “It’s a problem that has been around for a long, long time,” says Alex Rothacker, manager of Team SHATTER, Application Security Inc.’s research arm. “A lot of default passwords out there get installed when you deploy a database, you install an add-on to it, or even if you install a third-party application that uses the database.” As he puts it, the problem of default passwords lingering in the wild has built up during the years as a result of cumulative errors by both vendors and database administrators.

In the past, the majority of vendors had no compunction about pushing out installers that automatically created default accounts to expedite the deployment of new databases, add-ons, or applications on top of the database.

Rothacker says the situation on the vendor front has improved considerably in recent years, but default passwords continue to be a problem for a number of reasons.

Organizations that choose to skip such a review could be leaving themselves at serious risk, says Rich Mogull of Securosis.

Team SHATTER last week launched a series of week-long database vulnerability-a-day awareness campaigns to draw attention to a wide range of database deployment deficiencies in the enterprise.

http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225200102&cid=RSSfeed

“The Green Grid is working with organizations around the world to develop a clear and well-defined language for the way we communicate about energy efficiency metrics, which will give us a common measuring stick for all data centers regardless of their location,” said Tom Brey, an IBM employee who is secretary of The Green Grid, in a statement.

PUE, which was developed by the Green Grid, divides the total energy consumed by a data center by the amount of energy used to power the IT equipment. It has emerged as the most popular metric for measuring data center efficiency, and some large companies, notably Microsoft and Google, have been publishing PUE numbers as a way to show off the efficiency of their newest facilities.

“A global task force with representatives from each of the above mentioned organizations will continue to move this initiative forward and reconvene later this year to evaluate progress,” the Green Grid says in the statement.

In January representatives from the EPA met with several data center industry groups from the U.S., including 7×24 Exchange and ASHRAE (The American Society of Heating, Refrigerating and Air-Conditioning Engineers).

Rising energy costs and the amount of powerful IT equipment that has been added to data centers in recent years has made them a cost center on the radar of senior executives.

http://www.computerworld.com/s/article/9174701/US_Europe_Japan_agree_on_data_center_efficiency_metric?source=rss_news

“The degree of failure to meet acceptable standards on first submission is astounding — and this is coming from folks who care enough to submit their software to our [application security testing] services,” says Roger Oberg, senior vice president of marketing for Veracode.

The data for Veracode’s State of Software Security Report comes from a combination of static, dynamic, and manual testing of all types of software across multiple programming languages — everything from non-Web and Web applications to components and shared libraries. Veracode tests commercial, internally developed, open-source, and outsourced applications, all of which were represented in its findings.

And nearly 90 percent of internally developed applications contained vulnerabilities in the SANS Top 25 and OWASP Top 10 lists of most common programming errors and flaws in the first round of tests, Oberg says.

Despite the relatively gloomy picture of developers still missing the mark initially on security, there were some bright spots in the report: Open-source software isn’t as risky as you’d think, and financial services organizations and government agencies tend to have more secure applications from the get-go; more than half of their apps passed as acceptable in the first submission to testing, according to Veracode’s report.

And it was the quickest to remediate any flaws: “It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,” he says.

“There’s been intense focus on cross-site scripting, and there are lots of different libraries and utilities available to eliminate it, but it’s still extremely prevalent,” says Chris Eng, director of security research for Veracode. Eng says it’s likely due to a lack of education on how to quell XSS, plus it’s not uncommon to find 100 XSS bugs in one application.

http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=223100875&cid=RSSfeed

The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

A similar attack occurred with a rigged ATM machine last year in Las Vegas during the Defcon hacker show: Security researcher Chris Paget lost $200 to an ATM machine in the Rio All-Suite Hotel & Casino that appeared to be operating normally, but failed to spit out cash.

The U.S. Secret Service was investigating the incident, and it was unclear whether the machine was outfitted internally with a skimming device or had been tampered with for someone to grab the cash withdrawals at a later time.

Bruce Schneier, CTO for BT Counterpane and author of the Schneier on Security blog, says attackers in Europe are also moving skimming devices inside gas pumps as a way to avoid detection.

Troy Arnold from the Sandy police department told a local news outlets that the device in the 7-Eleven gas pump was the size of a cellular phone SIM card and was affixed to the card reader inside the pump.

“It’s a small device — Bluetooth, the size of a SIM card — that is attached to the actual credit card reader.

Back in December, a similar spree occurred in the Sacramento, Calif., area, where gas pumps at an AM/PM convenience store were outfitted with card skimmers, transmitters, and small cameras that siphon victims’ debit card data.

http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233&cid=RSSfeed

[Link to an article showing a typical ATM skimmer setup: http://www.snopes.com/fraud/atm/atmcamera.asp. But remember all they really need, is the skimmer to be installed and a good camera!]

The security landscape has been seeing new threats growing explosively in number and complexity – attacks that exploit the vulnerabilities of applications, insider sabotages, identity fraud and unauthorized access to corporate systems and networks.

Companies are required to align with international regulations, standards and best practices when collaborating with business partners around the world.

Many of these companies have turned to SVM products to establish a security management framework for various compliance requirements such as policy compliance, log archiving and auditing,” said Judy Wu, Research Manager for IDC Asia/Pacific Security Research.

At the same time, previous purchase and deployment of security products over the years have increased management and integration complexity.

The SVM segment is a key growth area across Asia/Pacific as companies turn to SVM’s capabilities – such as patch management, policy enforcement and security incident analysis and management – to reduce complexity and increase management efficiency.

Compared with the first half of 2008, there was a minor decline in 1H09 for security spending due to the global recession which reared its ugly head at the end of 2008.

We expect companies to continue to find ways and leverage new security technologies such as policy and IT compliance suites, as well as vulnerability assessment and risk management products to increase management efficiency.

http://www.idc.com/getdoc.jsp?pid=23571113&containerId=prHK22160710

Statistics from the 2009 fiscal year weren’t included because the GAO released its report just after that fiscal year ended.

“While some breaches may represent dry runs by terrorists or others to test security or criminal incidents involving airport workers, most are accidental,” the report said.

Joe Terrell, TSA’s federal security director at Pittsburgh International Airport, said through a spokeswoman no breaches occurred at the Findlay airport since he assumed his post in August 2005.

In that incident, a woman squeezed through a 1-foot gap between a checkpoint metal detector and an X-ray machine and continued to the airside terminal, where she boarded a flight to Houston. She got by because the nearest TSA screener — overseeing two checkpoint lines — was dealing with another woman who tried the same stunt.

In its report, the GAO said airports have several secure areas with varying levels of security. They include baggage loading areas, exterior areas near terminals and what the TSA calls air operations areas, including the airfield; areas near parked aircraft; and air cargo and aircraft maintenance facilities, the report said.

Pittsburgh International Airport is situated on more than 9,000 largely wooded acres, making it one of the largest airports in the country by area — and an attractive hunting ground for overzealous hunters. Hunters who go over or under the perimeter fence surrounding the airport’s 9,000 acres would have to go beyond a second fence around the air operating area to breach security, he said.

Davis also attributed the jump in breaches nationally to heightened awareness or enforcement triggered by high-profile breaches elsewhere; management changes; and increased, random government inspections of airport security.

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_661513.html