Blog - Author Posts

Security Researchers Discover ... 5 Stages of Disclosure Grief

By Adrian Lane
Denial: “Dan may be smart, but Tom Ptacek states the obvious that this isn’t a new threat. Maybe a new spin on an old flaw.” Anger: “Dan didn’t find shit. He read RFC3383 …” and “Dan has brought NOTHING new to the table. Simply made a name for himself by regurgitating the same old problems.” Bargaining: “… the sky was already falling before Dan opened his mouth, …”, and “This is just another reason why we need DNSSEC”, and “What Should Dan Have Done?” Depression: “What can we say right now? Dan has the goods.” Acceptance: “Dan Kaminsky Disqualified from Most

The Art of Dysfunction

By Adrian Lane
Another off-topic post. They say when you are frustrated, especially with someone in an email dialog, write-delete-rewrite. That means write the reply that you want to write, chock full of expletives and politically incorrect things you really want to say, and then delete it. Once you are finished with that cleansing process, start from scratch, writing the politically correct version of your reply. This has always been effective for me and kept me out of trouble. One problem is I never delete anything. Quite the opposite- I save everything. Some of the best stuff I have ever written falls into

NitroSecurity’s Acquisition of RippleTech

By Adrian Lane
‘I was reading through the NitroSecurity press release last week, thinking about the implications of their RippleTech purchase. This is an interesting move and not one of the Database Activity Monitoring acquisitions I was predicting. So what do we have here? IPS, DAM, SIM, and log management under one umbrella. Some real time solutions, some forensic solutions. They are certainly casting a broad net of offerings for compliance and security. Will the unified product provide greater customer value? Difficult to say at this point. Conceptually I like the combination of network and agent based data collectors working together, I like

Individual Privacy vs. Business Drivers

By Adrian Lane
‘I ended a recent Breach Statistics post with “I start to wonder if the corporations and public entities of the world have already effectively wiped out personal privacy.” It was just a thowaway idea that had popped into my head, but the more I thought about it over the next couple of days, the more it bothered me. It is probably because that idea was germinating while reading a series of news events during the past couple of weeks made me grasp the sheer momentum of privacy erosion that is going on. It is happening now, with little incentive for

Stolen Data Cheaper

By Adrian Lane
‘It’s rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down. LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. The thieves are true capitalists, and now they are experiencing one of the downsides

Upcoming: Database Encryption Whitepaper

By Adrian Lane
We are going to be working on another paper with SANS- this time on database encryption. This is a technology that offers consumers considerable advantages in meeting security and compliance challenges, and we have been getting customer inquiries on what the available options are. As encryption products have continued to mature over the last few years, we think it is a good time to delve into this subject. If you’re on the vendor side and interested in sponsorship, drop us a line. You don’t get to influence the content, but we get really good exposure with these SANS

Oracle Critical Patch Update- Patch OAS Now!!!

By Adrian Lane
I was just in the process of reviewing the details on the latest Oracle Critical Patch Advisory for July 2008 and found something a bit frightening. As in could let any random person own your database frightening. I am still sifting through the database patches to see what is interesting. I did not see much in the database section, but while reading through the document something looked troubling. When I see language that says “vulnerabilities may be remotely exploitable without authentication” I get very nervous. CVE 2008-2589 does not show up on cve.mitre.org, but a quick Google search turns

ADMP: A Policy Driven Example

By Adrian Lane
A friend of mine and I were working on a project recently to feed the results of a vulnerability assessment or discovery scans into a behavioral monitoring tool. He was working on a series of policies that would scan database tables for specific metadata signatures and content signatures that had a high probability of being personally identifiable information. The goal was to scan databases for content types, and send back a list of objects that looked important or had a high probability of being sensitive information. I was working on a generalized policy format for the assessment. My goal was

Google AdWords

By Adrian Lane
This is not a ‘security’ post. Has anyone had a problem with Google AdWords continuing to bill their credit cards after their account is terminated? Within the last two months, four people have complained to me that their credit cards continued to be changed even though they cancelled their accounts. In fact, the charges were slightly higher than normal. In a couple of cases they had to cancel their credit cards in order to get the charges to stop, resulting in letters from “The Google AdWords Team” threatening to pursue with the issuing bank … and, no, I am not talking

ADMP and Assessment

By Adrian Lane
Application and Database Monitoring and Protection. ADMP for short. In Rich’s previous post, under “Enter ADMP”, he discussed coordination of security applications to help address security issues. They may gather data in different ways, from different segments within the IT infrastructure, and cooperate with other applications based upon the information they have gathered or gleaned from analysis. What is being described is not shoving every service into an appliance for one stop shopping; that is decidedly not what we are getting at. Conceptually it is far closer to DLP ‘suites’ that offer endpoint and network security, with consolidated policy
Page 72 of 73 pages ‹ First  < 70 71 72 73 >