exploit

DNS flaws opens the door to an array of attacks

Paul Mah — Fri, 08 Aug 2008 08:41:12 -0400

Security researcher Kaminsky, who first discovered the DNS exploit that had organizations around the world scrambling to patch their Domain Name Servers (DNS), spoke to a packed session at the Black Hat conference this week. He took the opportunity to describe a dizzying array of attacks that can result from an exploited DNS. Two attack vectors caught my attention: one is the fact that even SSL connections are not impervious to a DNS-based attack. Kaminsky noted that "[c]ompanies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates."

The second vulnerability is described as a "forgot my password" style attack. Criminals could claim to have forgotten a user's password to get a site to send out a user's password. DNS hacking techniques could then be exploited to trick the targeted site into sending the secret password to the hacker's computer.

To learn more about DNS-based attack vectors:
- check out this NetworkWorld article

Lotus Notes catches a bug

Thu, 29 Nov 2007 06:59:59 -0500

Lotus Notes has a new headache. Researchers at Core Security Technologies say there is a serious bug in the Autonomy KeyView software used by Lotus Notes to process Lotus 1-2-3 files. Ivan Arce, Core's chief technology officer, says it would not be hard for an attacker to write the code that provides passage into the software. "Previously there have been other flaws like this published for the same software development kit," Arce said. "So anyone keeping track of that could write an exploit pretty quickly."

When Core researchers opened a specially-crafted Lotus 1-2-3 email attachment in Lotus Notes, they found they could run unauthorized software on the PC. This kind of vulnerability is not new, however--it's a kind of flaw called a "file parsing bug." However, there have been improvements in stopping attacks that take advantage of such bugs, which are called "fuzzers." They send a barrage of data to programs in order to see if they can be made to act in unexpected ways.

IBM disclosed this problem in a Nov. 26 security alert, and the company is offering a software patch for Notes 7 users. For those using an older version of Notes, IBM has suggested several workarounds, including deleting the Windows DLL (dynamic link library) file that is associated with Notes.

For more on this software bug:
- See this ComputerWorld article

Survey: CIOs aligning business and IT successfully

Wed, 09 May 2007 20:01:39 -0400

According to a new survey by the McKinsey Group, most senior IT executives are successfully aligning IT strategy with business needs, collaborating with the business in ways that add significant value rather than just reacting to the demands of the business. But even with these gains, that IT strategy has not yet reached its full potential. The goal is to better exploit innovation to drive constant improvement in the operations of a business and to provide a significant advantage over competitors with new products and capabilities. According to the survey, less than two-thirds of CIOs say that technological innovation shapes their strategy and only 43 percent say they are either very or extremely effective at identifying areas where IT can add the most value. What's more, only 34 percent say they are more effective at introducing new technologies than their competitors, and 46 percent consider the IT capabilities of their competitors when shaping their own strategies. The study concludes that CIOs must be more attuned to the way technology is being applied throughout their industry and related markets if their companies are to use innovation to create a competitive edge. IT executives should also take advantage of their vendors' investment in innovation.

Read more about CIOs' gains:
- read the article at The McKinsey Quarterly

Survey: Lack of Web 2.0 experience is a weak link

Mon, 23 Apr 2007 20:01:38 -0400

Web 2.0 technologies offer many capabilities to organizations that know how to exploit them, but a lack of Web 2.0 experience by the IT staff can hold them back. A survey by search software developer Fast found that despite a high level of commitment from IT managers, skills often aren't at the point where these technologies can be implemented effectively. And even when skills exist, more than one-third of those surveyed said there aren't enough to go around. In the long term, IT departments will be the key to making Web 2.0 successful, although it may take a while.

Read more about Web 2.0 in the enterprise:
- read the article at The Register

ALSO:
- read this on making Web 2.0 work for you
- this on Web 2.0 for the enterprise
- this on Web 2.0 as a competitive maneuver
- and this on reasons to jump on the Web 2.0 bandwagon

People as the greatest security threat

Wed, 11 Apr 2007 20:01:36 -0400

Companies are often so focused on network attacks that they forget that real human beings pose a great threat as well. Called social engineering, people pretending to have credentials they don't can exploit human vulnerabilities rather than technical ones. For example, an attacker could simply phone and ask for security details. Part of the problem is that HR thinks information security is an IT issue. To fix the problem, start by bringing IT, physical and human security together under a true information security management system. Also think about how you allocate your security budget. Is it balanced in proportion to the threats you face and the spread of vulnerabilities within your organization? Develop a thorough understanding of human vulnerabilities, with an appropriate balance between systemic improvements to shield human weaknesses, and effectively targeted training and awareness building.

Read more about social engineering:
- read the article at Computer Weekly

The changing role of the modern CIO

Wed, 14 Feb 2007 19:01:39 -0500

The driving forces changing the business world at large will change the role of the CIO. For example, CIOs with experience setting up or operating IT shops in the Far East will be in greater demand as collaboration with companies in China and India reach a zenith. Another example is the demand for access to content anywhere, anytime. As a result, CIOs who can exploit new alternatives in content delivery, as well as those who know how to collaborate with partners, other C-level executives and supply chain managers, will be in great demand. Other areas of demand for CIOs will include those who can create a competitive advantage for their companies via IT; those who can deliver reliable, scalable solutions in the area of social networking and web-based marketing; and those with security expertise and understanding. Keep your eyes open: your job is changing right under your nose.

Learn more about the changing role of the CIO:
- read the article at Optimize

Gaining your employees' respect

Mon, 05 Feb 2007 19:01:39 -0500

Not all managers deserve to be managers and even those who start out with good intentions can fall into bad habits along the way, gradually losing their employees' confidence and support. The result? Subordinates who believe that their leaders are ineffective, or worse yet, inept. Of course, no worker is good at everything--and that includes C-level execs. Often, there's one aspect of the job that you need to work harder at. If you don't, employees will seize on that weakness and exploit it, ruining morale. Try to fix your shortcomings, but don't forget that we're all human.

Read more about the foibles of managers:
- read the article at ComputerWorld

A bounty for Vista bugs

Thu, 11 Jan 2007 19:01:39 -0500

If you've discovered code that creates a security vulnerability in Microsoft's newest operating system Vista, you could be rewarded with some big bucks. VeriSign iDefense Labs is launching another bounty program, this time offering $12,000 for bugs in both Vista and Internet Explorer. While the security vendor wouldn't comment on expectations for bug contributions, it's ready to pay the first six bug finders $8,000, with a bonus payment of $2,000 to $4,000 if the contributor also produces a working exploit code for the found bug. VeriSign is hoping that the program encourages hackers to disclose bugs instead of using them but considering that a Vista exploit can fetch far more on the black market, the company's bounty might be a surprisingly hard sell. The bounty program runs through March.

For more on the Vista bug bounty effort:
- check out the news at TechWeb

UCLA making databases less sensitive, more secure

Tue, 12 Dec 2006 19:01:38 -0500

It was recently discovered that since October 2005, a hacker has been accessing the personal records of 800,000 faculty, students and alumni at UCLA. After UCLA's computer security technicians noticed a suspect number of database queries this November, UCLA CIO Jim Davis has worked to remove sensitive data from common usage, as a means to soften future damage from security breaches. "With 20/20 hindsight, the best way to deal with this kind of situation is not to have Social Security numbers there in the first place," explained Davis. Particularly at issue is the decentralized structure and extreme accessibility of most universities' IT set-ups. Davis explained that "out of hundreds of applications, they found a small vulnerability and found a way to exploit it."

For more on the UCLA case:
- read this article in Time Magazine

Hackers have a target strategy

Thu, 12 Oct 2006 20:01:39 -0400

When it comes to email vulnerabilities, targeted Trojan attacks aimed at one to ten users seems to be all the rage these days with those trying to steal information. According to a leading security vendor, email hackers are doing their homework in researching specific companies and identifying targets to craft sophisticated email messages that house a zero day exploit hidden in a business application file, such as a Word or Excel document. The apps then install a back-door on the targeted system. The big problem is that the attacks are so small that security antivirus products don't detect the risk element.

For more on the new email target approach:
- read the column at InfoWorld