Data Security

TV network CBS has become the latest big name to have it website used to host malware, a security company has reported.

The criminal market online for buying and selling stolen credit cards, pirated software and information about financial accounts is thriving, according to a report published Monday by Symantec.

Symantec is warning of a sharp jump in online attacks that appear to be targeting a recently patched bug in Microsoft's Windows operating system, an analysis that some other security companies disputed Friday.

The University of Texas at San Antonio Tuesday announced a technology incubator aimed at fostering IT security-based start-ups within the state.

A systems administrator was arrested in New Jersey Monday for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off.

Proscriptive adoption of information security standards like ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist, Sun client services security program office, Sun Microsystems.

New survey results from Sophos find the number of spam emails with dangerous attachments have soared. The report reveals the malicious messages rose eight-fold in just three months.

Up to 79 percent of the 156 Australian IT managers and C-level executives responding to a recent survey have suffered IT data breaches.

The U.S. government has taken several steps to combat identity theft during the past two years, including increased prosecutions of criminals and decreased use of Social Security numbers to identify constituents, according to a report released Tuesday.

The hackers who launched cyberattacks against the former Soviet republic of Georgia two months ago probably had links to the Russian government, even though no hard evidence has been uncovered of official involvement, a report by an all-volunteer group of experts said Friday.

With a faltering economy resulting in increased jobs cuts and corporate belt tightening, security analysts are warning companies to be especially vigilant about protecting their data and networks against disgruntled employees.

IBM, LexisNexis and the Secret Service are among a group of corporations, government agencies and academic institutions that has formed to study and help solve identity management challenges around cybercrime, terrorism and narcotics trafficking.

A former employee at the US Department of State has pleaded guilty to illegally accessing the confidential passport records of hundreds of celebrities, politicians and other public figures.

After Adobe Systems asked them to keep quiet about their findings, two security researchers have pulled out of a technical talk where they were going to demonstrate how they could seize control of a victim's browser using an online attack called 'clickjacking.'

Nearly 99,000 payment cards used by customers at several Forever 21 retail stores may have been compromised in a series of data thefts dating back to August 2004.

In a country that's seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

Frank Boldewin had seen a lot of malicious software in his time, but never anything like Rustock.C.

A refresher course on some of the most prevalent social engineering tricks used by phone, email and Web.

Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done.

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures.

Malware and botnets and phishing, oh my! Symantec's latest report on the Internet threat landscape highlights trends in cybercrime.

Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished.

Robert Duran of Time and Allan Kintigh of National Card Services share their PCI auditing experiences. Why one's experience was unpleasant and the other fared better.

The Internet will mark an infamous anniversary on Sunday, when the Morris worm turns 20.

Robert Tappan Morris, the 21-year-old Cornell University student who unleashed the first worm attack on the Internet in 1988, has fully rehabilitated his reputation in the computer science community. Today, he is a respected associate professor of computer science at MIT.

Whether they're in branch offices or home offices, workers are increasingly telecommuting instead of working in a traditional centralized office environment.

The ability of malware writers to consistently stay ahead of those seeking to stop them has been a constant factor in the security industry over the past several years.

The inside of the Symantec Security Operations Center looks like a scene out of the movie "War Games," and in many ways, the connection is fitting. The SOC, as it is known by Symantec employees, is in the business of detecting and analyzing network threats. And as malicious activity online gets increasingly more sophisticated, the war against cybercrime is definitely on.

The annual report from Georgia Tech Information Security Center identifies five evolving cyber security threats, and the news is not good.

According to a report from Fox News, several servers at the World Bank Group, an organization that offers economic assistance to developing countries around the globe, were repeatedly compromised and breached over the course of the last year.

Employment and training firm CVGT has installed a network management toolkit to enforce compliance and protect the financial and personal data of its 40,000-plus apprentices and trainees.

The University of Western Sydney (UWS) has today gone live with a managed Intrusion Detection System (IDS) for its 5000 users.

A new Symantec report reveals just how large and sophisticated the online underground economy has grown.

Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important - but rather because it is vital and needs to mature rapidly.

A jewellery store chain is having much better luck catching burglars in real time, thanks to a little help from the IT side of the house. Loss Prevention Manager Dennis Thomas explains how the company built its high-tech command center from scratch.

John Stewart doesn't talk like your typical corporate executive. He said that his company, Cisco Systems, has been lucky when it comes to security and that his company's Self-Defending Network marketing push has painted "a big bull's-eye" on its products.

The Convention on Cybercrime is the work of the Council of Europe and is aimed at facilitating international cooperation in the investigation and prosecution of computer crimes. Since the Convention came into being in 2001, the COE has been working to address the growing international concern over the threats posed by hacking and other computer-related crimes.

The PCI Security Standards Council was established in the US by the major credit card companies in September 2006 as an independent organization to manage the Payment Card Industry Data Security Standard. In an interview, general manager Bob Russo talks about the council's efforts to administer the PCI standard amid continuing concerns about credit and debit card security. And he defends the standard, despite the recent data breaches at Hannaford Bros. and Okemo Mountain Resort.

Does my company need to be more proactive about insiders during hard times?

Security expert Gadi Evron has plenty of experience helping governments fight cyber attacks. In this column, he offers a roadmap companies can use to prevent computer espionage.

Thirty-one percent of customers--nearly one-third of a company's client base and revenue source--are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.

If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

The proliferation and popularity of collaborative Web 2.0 sites – there are around 250,000 new registrations to Facebook everyday – has changed the threat landscape and the way businesses need to think about security. Each year, newer technologies and weapons are being unleashed to leave Web users surprised, annoyed and at greater risk.‘Whaling’ or ‘spear phishing’, is one such threat and refers to phishing scams which specifically target high-worth individuals.

The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground?

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

When the US Transportation Security Administration (TSA) was first created, it created a sudden need for tens of thousands of screeners. Getting a job as an airport screener was a pretty easy process. It seemed as though if you had a pulse, you were in. Jump forward to 2008 and becoming a screener is a bit harder as the TSA has instituted background checks, has upped the educational requirement to include a high school diploma or GED, and added other significant requirements.

Separation of duties is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.

While external data breaches involving household brand names such as TJX tend to grab more headlines, insider data thefts are emerging as compliance and reputational risks for organizations. Recent studies suggest that over 60 per cent of data breaches originate from an internal source or event. One reason for this is that in today's data-rich environment organizations continue to struggle with the 'human element' at the heart of data security. It can be extremely difficult to balance the protection of sensitive data with granting access to employees who need it to complete their daily job requirements. To that end, organizations have implemented several new security measures including employee education programs, data access monitoring, and strict policies regarding USB ports and portable devices. Although these are steps in a positive direction, little has been done to study and understand how the data is exploited once it leaves an organization.

There has been a lot of speculation devoted to the impending release of information about a DNS vulnerability discovered and initially announced by Dan Kaminsky almost two weeks ago. A lot of the coverage has been back and forth arguing about whether what has been discovered is relevant or not but the best thing to have done in the intervening period is to have sat on your hands and waited.

Information Security can sometimes be a funny field to work in. Some days it seems as if anybody with their hands on unpublished exploit code can sell it for all they're worth, and others it seems that they are set to become the target of law enforcement and the companies the code affects. It does help if you don't work for one of the companies that is set to be affected by the exploits you are trying to sell and aren't trying to bootstrap a competing company in the process.

With the cold an flu season most definitely upon us, there is much that the common cold can show us about network intrusion and what can happen once a single compromise has taken place.

The devil of identity theft is in the details that follow: Russ Jones tells a tale of woe that isn't particularly dramatic -- or rare -- and yet it's exactly the kind of story that worries me enough to ignore my better judgment and buy identity-theft protection from my insurance provider.

Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.