Keeping PCs Safe on the Internet

PC Security Journal



Top Stories

A few months back, Gartner placed big data at the peak of its hype cycle for cloud computing, meaning most big data products are solutions looking for a problem. I always find this bad entrepreneurial habit to be one of the most frustrating of our industry. Having recently joined Meltwater as head of marketing and product (BTW Meltwater is hiring marketing and product managers!), I think a lot about big data and how to unleash its value to solve important business problems, because that is our business. How does big data go from “so what” to “must have”? The Big Data Challenge: Big data is a by-product of the Internet and the ever-increasing power of computers. Kind of like petroleum sludge. We know there must be great value buried within this vast, raw resource, but the challenge lies in figuring out how to turn it into something useful like plastic, or the other th... (more)

The Growth of Cybercrime

Cybercrime saw significant growth in 2009. It increased in prevalence and geographic spread. The only thing that didn't grow was the skill level required to participate. It was easier for non-skilled attackers to conduct sophisticated attacks because of the availability of toolkits. The increase in manpower has led to an increase in most areas of cybercrime. The growth of cybercrime has come despite a global recession that has stunted the growth of almost every other industry. The growth of cybercrime has been fueled by an increase in Internet users, especially those in developing countries. However, businesses can protect their information from these pervasive dangers. Understanding the threat landscape is the first step. The following highlights from the Symantec Internet Security Threat Report XV can help organizations understand just what they're up against. Cy... (more)

When Is More Important Than Where in Web Application Security

While you spend your time arguing over where application security belongs, miscreants are taking advantage of vulnerabilities. By the time you address the problem, they’ve moved on to the next one. Dmitry Evteev @ Positive Technologies Research has discovered (yet) another method of exploitation that allows for the injection of malicious SQL into sites and databases. A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF. MySQL servers allow one to use comments of the following type: /*!sql-code*/ and /*!12345sql-code*/ As can be noticed, SQL code will be executed from the comment in both cases! The latter construction means that "sql-code" should be executed only if the DBMS version is later than the given value. As I have been repeatedly asserted ... (more)

Cloud Computing Implementation Road-Map

Step 1 - Determine the Bad and Good "Candidates" for the Cloud: First, start by taking a broad look at the applications and other IT resources and systems under your "control" (both existing ones and planned ones); categorize them into mission-critical (i.e., if it goes offline your company will not "survive") and non-mission-critical. Both mission-critical and non-mission-critical can be further sub-categorized into core business practices (those that provide competitive differentiation) and non-core practices (typically internal activities such as HR services, etc.) Then apply the following rules of thumb: 1. If mission-critical and non-core, then the application is a good candidate for deployment in the public clouds 2. If mission-critical and core, then definitely keep it behind the firewall (you may choose to put them in a private cloud or non-... (more)

Upgrading WLS via Oracle Support Maintenance Patchsets

Recently I blogged about Upgrading WLS using the Oracle Smart Update utility. We discovered that while this utility will happily patch our developers' machines, we had h3lls own trouble trying to get it to work on our server. After much head scratching, gritting of teeth, yelling, begging and sobbing at our firewall administrators, without a solve, we decided a new approach was required. As per Andreas Koop's comment in that original blog post, you can in fact run the Smart Update utility in offline mode, which implies you can download the patches and install them from the utility locally without directly connecting to the Oracle web services. However what I couldn't see was how to run the Maintenance Patch option in offline mode. Yet given the offline mode support it seemed reasonable that you could download a patchset from somewhere, and ... (more)

'Internet of Things' OWASP Top Ten

The Open Web Application Security Project (OWASP) is focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks and their OWASP Top 10 provides a list of the 10 Most Critical Security Risks. For each risk it provides a description, example vulnerabilities, example attacks, guidance on how to avoid and references to OWASP and other related resources. Many of you are familiar with their Top 10 Most Critical Web Application Security Risks. They provide the list for awareness and guidance on some of the critical web applications security areas to address. It is a great list and many security vendors point to it to show the types of attacks that can be mitigated. Now the Internet of Things (IoT) has its own OWASP Top 10. I... (more)

Governments Waltzing on OSS, Trusting Your Search Engine for Privacy, GPL Houses and Apache Cars

…all this and more in this week’s compendium of open source news! Two Steps Forward, One Step Back: Sounds like a Strauss Waltz? Almost. After 10 years the city of Munich’s love affair with open source may be coming to an end. Despite saving $16 million by using the custom Linux distribution LiMux, the city is considering switching back to Windows due to user complaints. Read more about the motives surrounding the discussion at Network World. Governments on GitHub: Governments across the globe have long been dabbling with open source software. Use of Open Source products like OpenOffice, Linux and Drupal is becoming commonplace. To further this trend, many governments are beginning to open source their own code as illustrated by the 10,000 active government users on GitHub. You could argue that since it is our taxes, then the code should be open. Read more abo... (more)

Lastline Secures $10 Million Funding Round

Lastline, an advanced malware defense platform provider, has raised $10 million from new investors Dell Ventures and Presidio Ventures, as well as existing investors Redpoint Ventures and e.ventures. With the new round of funding, Lastline will continue to focus on serving its rapidly growing, global enterprise customer base as well as new and existing partnerships to improve information security and threat intelligence worldwide. This round of funding adds to the $13.7 million raised in earlier rounds to bring total funding raised to nearly $24 million since the company’s founding in 2011. “Today's strategic investment in Lastline expands our commitment to bring innovation and breakthrough technology to our customers,” said Victor Chang, Director of Dell Ventures. “Combining Dell IP with Lastline technology positions us to deliver differentiating solutions to help ... (more)

Cyber Security Industry Alliance Issues Findings from Summit on Sarbanes-Oxley and IT Security

ARLINGTON, Va., Aug. 15 /PRNewswire/ -- Cyber Security Industry Alliance (CSIA), the only public policy and advocacy group dedicated exclusively to cyber security, today released a report that summarizes key findings and conclusions from a conference held to discuss the adequacy of guidance given on IT security in Sarbanes-Oxley. Today's announcement follows a Sarbanes-Oxley compliance initiative that began in 2004 with a CSIA report outlining the implications of Section 404 for information security. Attendees at IT Security and Sarbanes-Oxley Compliance: A Roundtable Dialogue of Lessons Learned, addressed whether the statutory and administrative materials governing Section 404 provide enough guidance on IT security to enable management and auditors to carry out their compliance obligations. "The conference proceedings and subsequent announcements from the Securities... (more)

Abdulhayoglu: Avoiding Porn and Gambling Not Enough to Avoid Infection

Jersey City, NJ, July 28, 2009 - "People who should know better think that by avoiding porn and gambling sites, they can avoid getting malware on their computers," said Melih Abdulhayoglu, CEO and President of Comodo. "Not today." "People who do know better know that there are some basic requirements everyone needs to have before they even think of using the Internet. One of those requirements is malware protection." Comodo distributes free award-winning antivirus and firewall protection. More than 18,000,000 copies of Comodo security software have been installed on computers around the world. "If your computer is compromised, you may not even know it. You could be like a polio carrier, with no symptoms. But your PC harbors the disease and spreads it to other users. Like a vaccine, using security software benefits you, of course. It also benefit... (more)

Security and the Cloud

I was talking with Avanade’s Senior Director for Enterprise Security, Ace Swerling, earlier today. The conversation touched on a wide range of security and identity management issues that I’ll probably return to, but one of Ace’s comments brought my attention back to an issue that has been nagging at me for a while. As I’m sure we all know, security concerns often figure highly in discussions about moving Enterprise applications and data to the Cloud. Indeed, I spoke with other Avanade executives earlier this year to report on a survey they had commissioned that suggested just how significant these concerns can be for potential customers. In today’s conversation, Ace appeared to agree (as do I) with the frequent assertion that Cloud providers’ own systems will tend to be more secure than those that the majority of potential customers have in-house today. These ser... (more)