Friday | 4 July, 2008
CSO

Access Control

News
  •

    Malware, spam, botnets growing faster than ever before 25/06/2008 11:23:53

    More doom and gloom from security companies.
    The spam and malware tsunami continues to cast a mounting shadow over the Internet this week.
  •

    CNET employees notified after data breach 24/06/2008 10:07:05

    CNET employees and relatives are being notified after a data breach at the company's health plan administrator.
    More than 6,500 CNET Networks employees and relatives are being notified of a possible data breach after burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans.
  •

    Major security sites hit by XSS bugs 12/06/2008 08:43:15

    Security sites could be used to spread malware, finds report.
    The Web sites of three of the security industry's best-known companies include security flaws that could be used to launch scams against customers, according to a new report.
  •

    Security firm asks for help cracking ransomware key 10/06/2008 08:38:52

    New blackmailing Trojan encrypts files using high-grade 1024-bit RSA key
    A security company on Friday asked for help cracking an encryption key central to an extortion scheme that demands money from users whose PCs have been infected by malware.
  •

    Gov grants $1.2M to train luddites 06/06/2008 15:41:25

    AusCERT caters for home users
    The federal government has today launched a $1.2 million national security alert service to round out its plans to sanitise Internet feeds to families and small businesses.
  •

    Five reasons SocGen did not detect that $7 billion fraud 29/05/2008 09:36:47

    How Société Générale ended up in the soup
    Paris-based bank Société Générale made headlines when it disclosed that one of its traders made a series of unauthorized transactions over the previous few years that ultimately cost the financial institution a staggering US$7.2 billion in losses.
  •

    Most retailer breaches are not disclosed, Gartner says 25/05/2008 08:07:19

    Most retailers do not disclose data breaches after they happen, Gartner says.
    While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports.
  •

    Payment collaboration to curb Internet fraud: banker 21/05/2008 14:20:33

    Internet banking an evolving landscape.
    With the business of Internet banking changing and online threats growing, the industry needs to adapt and integrate security technology across more channels and be more collaborative to reduce fraud, according to one electronic payments specialist.
  •

    Cover all bases for proactive network security: Defence 20/05/2008 11:36:29

    Don't assume trust within the network perimeter.
    The Department of Defence has chimed in on the network security debate, stating organizations need to be more proactive if they expect to ward off attackers that readily exploit the high levels of trust usually reserved for employees and known systems.
  •

    Senate intercepts wiretapping bill 19/05/2008 12:25:34

    Bugged devices will need a warrant
    A controversial bill to make wiretapping easier for law enforcement was shot down by the Senate last week.
  •

    Phishing botnet expands by hacking legit sites 15/05/2008 08:10:59

    Plants SQL injection attack tool on bots, hacks business, education sites
    A botnet is now using a SQL-injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher.
  •

    Hacker writes rootkit for Cisco's routers 15/05/2008 07:07:51

    A hacker has written rootkit software that works on Cisco's routers.
    A security researcher has developed malicious rootkit software for Cisco Systems' routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet's traffic.
  •

    Icy encryption tool protects laptops from "cold boot" attack, vendor says 14/05/2008 08:36:43

    Vulnerable encryption keys erased by HyBlue's IceLock
    The vendor HyBlue says it can prevent the "cold boot" encryption hack discovered by Princeton researchers with a laptop security product announced Tuesday.
  •

    How one site dealt with SQL injection attack 02/05/2008 08:34:08

    SQL injection attacks claim a victim
    The massive wave of SQL injection attacks that started striking Microsoft-based Web sites around the world more than a week ago claimed as one of its victims Autoweb, a UK-based advertising and marketing site.
  •

    INTEROP - US Bank suffers Web 2.0 security headaches 01/05/2008 08:01:05

    iPhones and smartphones invade the security perimeter
    It used to be easy for US Bank to determine which users and systems could be trusted, and which should be viewed with suspicion. Then along came Web 2.0.
Features
  •

    Four signs your security program's gone too far 25/06/2008 10:34:19

    Our columnist suggests when it might be time to dial back a bit
    When risk is present it calls for treatment, and security is a never-ending process... right? Yes, but as a security professional, it's easy to become focused on the hard problems of security -- falling into the arms race for more, more, more security controls -- and lose sight of the impact of the controls themselves.
  •

    Six burning questions about network security 06/06/2008 09:56:44

    Security issues often seem to smolder more than burn, but these six are certainly capable of lighting a fire under IT professionals at a moment's notice.
    Security issues often seem to smolder more than burn, but these six are certainly capable of lighting a fire under IT professionals at a moment's notice. Handle with care.
  •

    Five effective ways to burglar-proof your laptop 05/06/2008 07:55:35

    Five easy - yet effective - strategies to protect your laptop and the valuable data stored in it
    Theft of laptops and other mobile devices is spiraling, and the consequences -- financial and other -- are getting increasingly dire.
  •

    Six hours to hack the FBI (and other pen-testing adventures) 28/05/2008 08:03:59

    White-hat hacker pros dish on top traumas and shocking snafus
    It takes a lot to shock Chris Goggans; he's been a pen (penetration) tester since 1991, getting paid to break into a wide variety of networks. But he says nothing was as egregious as security lapses in both infrastructure design and patch management at a civilian government agency -- holes that let him hack his way through to a major FBI crime database within a mere six hours.
  •

    Five steps to successful and cost-effective penetration testing 28/05/2008 08:57:20

    Spending your time and money well
    Whether you hire outside consultants or do the testing yourself, here are some tips for making sure your time and money are well spent.
  •

    Five free pen-testing tools 28/05/2008 09:04:38

    The best things in life are ...
    Security assessment and deep testing don't require a big budget. Some of the most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.
  •

    20 useful IT security Web sites 08/04/2008 09:50:41

    How to foil hackers, protect users and prepare for the inevitable robot uprising
    Bookmarking these sites will help you protect your network, comply with government regulations and stay ahead of all the latest threats.
  •

    How to fashion a 'security first' enterprise 19/03/2008 10:29:45

    When security pros think business, the business thinks security
    These forward-thinking IT managers are working at dismantling the stereotype of the risk-averse security professional-cum-business foe. How? By showing business colleagues they understand company operations and appreciate corporate goals.
  •

    The top 10 security land mines 18/03/2008 10:45:07

    The 10 most common security land mines that experts say you need to avoid.
    Many companies spend a small fortune and deploy a small army to secure themselves from the many security threats lurking these days. But all those efforts can come to naught when making any of these common mistakes. The results can range from embarrassing to devastating, but security experts say that all are easily avoidable.
  •

    Casino insider tells (almost) all about security 10/03/2008 07:56:55

    Engineer built systems used by up to half the world’s casinos
    Jeff Jonas knows the Las Vegas gambling industry inside and out. As the founder and chief scientist of Systems Research & Development (SRD), Jonas helped build numerous casino systems before 2005 when his company was purchased by IBM.
  •

    Integration problems arise with DLP tools 15/02/2008 09:19:32

    Early adopters of data leakage prevention systems, including financial services giants, are having problems enforcing security policies consistently across the different areas of DLP.
    Vendors of data leakage prevention (DLP) systems claim that customers will avoid integration issues by using packaged tools that encompass all the different elements of the technology, but some early adopters of DLP are already running into serious problems.
  •

    Entitlement management: Access control on steroids 04/12/2007 10:47:33

    Entitlement management tools bring fine-grained access control to another level
    Faced with looming regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, Craig Shumard, chief information security officer for healthcare provider Cigna, knew he needed better tools for role-based access control.
  •

    The top 10 reasons Web sites get hacked 05/10/2007 10:27:37

    Web developers ignore security flaws at customers' peril
    Web security is at the top of customers' minds after many well-publicized personal data breaches, but the people who actually build Web applications aren't paying much attention to security, experts say.
  •

    FAQ on NAC 04/01/2007 08:00:37

    Explanations that may clarify some of your questions about network access control
    Network access control stands out as one of the most promising security technologies, but it also is one of the most misunderstood. Here are explanations that may clarify some of your questions.
  •

    E-commerce in crisis: When SSL isn't safe 17/05/2006 12:24:59

    A secure connection between browser and back end underlies Internet commerce. But what if it's already compromised?
Case Studies
Opinions
  •

    Hacking tools: A new version of BackTrack helps ethical hackers 30/06/2008 10:57:21

    BackTrack is the quickest way to get access to hundreds of (legal) hacking tools
    Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.
  •

    Online poker cheating demonstrates insider risk 18/06/2008 15:55:02

    Poker cheats are using insider knowledge to gain competitive advantage.
    When determining the risk to a system and the data stored on it, insider threats are generally regarded as lower risk. Despite the complete access (high risk) that insiders generally have, most of the time insiders are trusted agents (very low risk) on the network. When it breaks down, it can break down in a catastrophic manner, especially if there is money at stake.
  •

    A resurgent Denial of Service threat emerges 11/06/2008 19:12:24

    Something new might be emerging from the underground.
    A lesser-known part of the recent ARP attack against H D Moore's Metasploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.
  •

    Security in a bubble 19/03/2008 11:03:54

    Security must be distributed, ubiquitous and pervasive
    People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.
  •

    How to limit what contractors can do on the network 17/07/2007 10:15:02

    Some ways to implement controls for contractors
    Question: We have contractors perform a number of critical services, such as managing our IBM blade servers. These staff have to be on the LAN, and they're long-time contractors, so trust levels run pretty high, but I know they shouldn't be able to go everywhere on the LAN. How can I limit their access while still letting them do their jobs, and most important, not making them feel like I don't trust them?
Reviews
  •

    Check Point and Sygate corral end points 28/12/2005 07:00:13

    Firewalls combine strong client security and flexible policy management
    At their core, Check Point Integrity and Sygate Enterprise Protection are effectively policy-based firewalls. That's the cake. The icing is their capability to monitor other applications for compliance with configuration requirements and send errant machines to quarantine until they can be updated with the latest anti-virus definitions, Windows patches, or other necessities.