Blog - Author Posts

Network vs. Application Security

By Adrian Lane
Should network and application security proceed along separate, independent tracks? Should software security focus solely on the in-context business issues concerning security, and have network security focus on not allowing the software and infrastructure to be undermined? This is one of those concepts that has been brewing in the back of my mind for some time how. Different data, different availability, and different contexts provide different value propositions and I am not sure they are effective surrogates for one another. A bunch of Hoff’s posts add fire to this thought, and the whole Kaminsky debate shows the value of

UMG Piracy Trial

By Adrian Lane
The piracy trial is getting interesting. Vivendi SA’s Universal Music Group won a $222,000.00 verdict against defendant Jammie Thomas for making songs available via Kazaa. The problem is that no one downloaded the songs; they were only discovered by MediaSentry. The entire case hangs what constitutes “making available”, and how it differs from distribution. The judge in the case actually stated he may have committed a “manifest error of law” by instructing the jury that making files available is the same as distribution. Oops. What happens if I leave partition open on my computer accidently, and that partition has music

Clear Database Stolen

By Adrian Lane
Nice! The Clear database was on a laptop that was stolen at SFO. What a great database breach to shed light on this implied-security-related-but-really-not revenue opportunity known as Clear. I guess I am chuckling about this, but as I don’t know what is contained in that data set, I do not know how dangerous this leak is to the members who signed up for it. Since this really does not have much to do with security or official identity, is it really a crime if you create a fake version of this Clear card to cut to the front

Security Researchers Discover ... 5 Stages of Disclosure Grief

By Adrian Lane
Denial: “Dan may be smart, but Tom Ptacek states the obvious that this isn’t a new threat. Maybe a new spin on an old flaw.” Anger: “Dan didn’t find shit. He read RFC3383 …” and “Dan has brought NOTHING new to the table. Simply made a name for himself by regurgitating the same old problems.” Bargaining: “… the sky was already falling before Dan opened his mouth, …”, and “This is just another reason why we need DNSSEC”, and “What Should Dan Have Done?” Depression: “What can we say right now? Dan has the goods.” Acceptance: “Dan Kaminsky Disqualified from Most

The Art of Dysfunction

By Adrian Lane
Another off-topic post. They say when you are frustrated, especially with someone in an email dialog, write-delete-rewrite. That means write the reply that you want to write, chock full of expletives and politically incorrect things you really want to say, and then delete it. Once you are finished with that cleansing process, start from scratch, writing the politically correct version of your reply. This has always been effective for me and kept me out of trouble. One problem is I never delete anything. Quite the opposite- I save everything. Some of the best stuff I have ever written falls into

NitroSecurity’s Acquisition of RippleTech

By Adrian Lane
‘I was reading through the NitroSecurity press release last week, thinking about the implications of their RippleTech purchase. This is an interesting move and not one of the Database Activity Monitoring acquisitions I was predicting. So what do we have here? IPS, DAM, SIM, and log management under one umbrella. Some real time solutions, some forensic solutions. They are certainly casting a broad net of offerings for compliance and security. Will the unified product provide greater customer value? Difficult to say at this point. Conceptually I like the combination of network and agent based data collectors working together, I like

Individual Privacy vs. Business Drivers

By Adrian Lane
‘I ended a recent Breach Statistics post with “I start to wonder if the corporations and public entities of the world have already effectively wiped out personal privacy.” It was just a thowaway idea that had popped into my head, but the more I thought about it over the next couple of days, the more it bothered me. It is probably because that idea was germinating while reading a series of news events during the past couple of weeks made me grasp the sheer momentum of privacy erosion that is going on. It is happening now, with little incentive for

Stolen Data Cheaper

By Adrian Lane
‘It’s rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down. LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. The thieves are true capitalists, and now they are experiencing one of the downsides

Upcoming: Database Encryption Whitepaper

By Adrian Lane
We are going to be working on another paper with SANS- this time on database encryption. This is a technology that offers consumers considerable advantages in meeting security and compliance challenges, and we have been getting customer inquiries on what the available options are. As encryption products have continued to mature over the last few years, we think it is a good time to delve into this subject. If you’re on the vendor side and interested in sponsorship, drop us a line. You don’t get to influence the content, but we get really good exposure with these SANS

Oracle Critical Patch Update- Patch OAS Now!!!

By Adrian Lane
I was just in the process of reviewing the details on the latest Oracle Critical Patch Advisory for July 2008 and found something a bit frightening. As in could let any random person own your database frightening. I am still sifting through the database patches to see what is interesting. I did not see much in the database section, but while reading through the document something looked troubling. When I see language that says “vulnerabilities may be remotely exploitable without authentication” I get very nervous. CVE 2008-2589 does not show up on cve.mitre.org, but a quick Google search turns
Page 72 of 74 pages ‹ First  < 70 71 72 73 74 >