Access Control

A year ago, when a Time Magazine reporter told Tan Dailin that he'd been identified as someone who may have hacked the Pentagon, he gasped and asked, "Will the FBI send special agents out to arrest me?"

The U.S. needs to engage in a national dialog about its government's use of cyberattacks against other nations, and the government lacks a comprehensive policy about how and when it will engage in cyberwarfare, a new study says.

The need for greater e-mail integrity has never been more important as e-mail has become the primary mode of communication for most connected businesses with, according to research firm IDC, an estimated 850 million commercial mailboxes worldwide.

Mainstream media hype leading up to the Conficker worm's April 1 software update may have distracted people from legitimate cyber threats, the U.S. Federal Bureau of Investigation's head of cyber security said Thursday.

A software upgrade for ForeScout's CounterACT NAC platform will enable it to manage 400,000 endpoints, double the number of previous software releases.

A new Symantec survey finds 98 percent have dealt with the pain and loss of a recent cyber attack.

Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa executive Thursday described two new initiatives to reduce payment card fraud being tested by the company.

Visa's top risk management executive Thursday dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure.

Security vendor McAfee will give grants to a European and a U.S. organization to better train law enforcement and legal officials to deal with cybercrime.

National UK daily newspaper The Telegraph was compromised by Romanian hacking group, Hackersblog late last week.

An employee of search engine startup Mahalo has been sentenced to four years in prison for infecting as many as 250,000 computers with malicious botnet computer code.

The New York Police Department (NYPD) is telling thousands of police officers that their personal information may be compromised due to a suspected data theft done by an insider in the police pension fund, according to reports in New York's daily newspapers Thursday.

Days after Visa seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems and RBS WorldPay, the credit card company is now saying that there was no new security incident after all.

A study of 57 Web site hacks from last year showed that 24 percent were aimed at defacing a site rather than financial gain.

The U.S. government needs to spend more money on cybersecurity research and development and on education programs in order to fight a rising tide of attacks against government and private groups, cybersecurity experts told U.S. lawmakers.

In one of the more famous episodes of the original "Star Trek" series - "The Trouble With Tribbles" - Capt. Kirk confines Chief Engineer Montgomery Scott to his personal quarters for getting into a bar fight.

If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?

Chris Nickerson is willing to push it about as far as a person can go when it comes to security assessments. The founder of Lares, a security consultancy in Colorado, Nickerson conducts what he calls "Red Team Assessments" for clients. He is paid to try and dupe a client, and the client's employees, to give them a clear picture of the weak spots in their security plan. He then advises them on how to shore up defenses more effectively in the event a real criminal comes knocking.

Websense CTO Dan Hubbard outlines four ways companies can protect their information from threats and compromise on the social Web.

Moving to a nearly fully-virtualized infrastructure in 2008 made Joel Braverman a lot more confident in both the physical and digital IT infrastructure at his (relatively new) employer Universal Audio. As manager of IT and the guy responsible for security on that infrastructure-one that supports a company whose products are both expensive and almost entirely digital-it also made him extremely nervous, he says.

How business practices have changed the risky activity on your network.

Imperva's Amichai Shulman looks at database attack and defense.

Your identity is like George Costanza's wallet. Really. Think about it. Do you remember the classic Seinfeld episode? The one where George wouldn't give up his ever-expanding wallet filled with store credit cards, Irish money, a coupon for an Orlando Exxon gas station and several Sweet and Low packets. This, in spite of the obvious physical pain it caused and the security threat all of that imposed.

Salesmen and parents know the technique well. It's called the takeaway, and as far as Keith Mularski is concerned, it's the reason he kept his job as administrator of online fraud site DarkMarket.

Despite some shortcomings, software-based network access control technology that enforces policies on network endpoints is often the first choice of customers who adopt the technology.

Whether they're in branch offices or home offices, workers are increasingly telecommuting instead of working in a traditional centralized office environment.

The annual report from Georgia Tech Information Security Center identifies five evolving cyber security threats, and the news is not good.

If there is truly a gray zone in the struggle between online good and evil, anonymous proxy servers live there.

Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.

Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.

It has been a number of years since the fantasy that hackers will be offered a job by those who they hacked was even a potential reality, but there are reports that this might still be the case in New Zealand.

The Internet Storm Center, operated by SANS, is one of the leading sources when it comes to identifying emerging attacks against networks, through their DShield collaborative network analysis effort. Traffic spikes on network ports that are well above the normal rates of traffic flow can signify a rapidly spreading exploit or it could be a misconfigured network spewing rubbish across the rest of the Internet. One of the ISC's handlers noted a significant spike of traffic on port 7 recently and was surprised by what he found.

Version 3.0 of BackTrack has been released. BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools.

When determining the risk to a system and the data stored on it, insider threats are generally regarded as lower risk. Despite the complete access (high risk) that insiders generally have, most of the time insiders are trusted agents (very low risk) on the network. When it breaks down, it can break down in a catastrophic manner, especially if there is money at stake.

A less known part of the recent ARP attack against H D Moore's MetaSploit site was an attempted Denial of Service attack that coincided with the successful ARP attack.

People don't notice change when it's gradual. Sometimes, however, small, incremental changes add up in a way that isn't noticed until a change in degree becomes a change in kind.

Question: We have contractors perform a number of critical services, such as managing our IBM blade servers. These staff have to be on the LAN, and they're long-time contractors, so trust levels run pretty high, but I know they shouldn't be able to go everywhere on the LAN. How can I limit their access while still letting them do their jobs, and most important, not making them feel like I don't trust them?