IT Security

Security bloggers help keep you up to date on how to protect your network through news, updates, advice, and opinions on how you can stay ahead of hackers.

  • Chad Perrin // November 27, 2008, 2:53 AM PST

    Use cryptographic hashes for validation

    You can use cryptographic hash functions to provide a little more security when exchanging files.


  • Tom Olzak // November 25, 2008, 8:00 PM PST

    Highly Predictive Blacklists: What, how, and caveats

    General blacklisting is not always efficient. To enable organizations to be more proactive, and minimize firewall processor allocation for blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB), creating a blacklist unique to each participant.


  • Chad Perrin // November 25, 2008, 9:08 AM PST

    5 tips to improve physical access security

    One of the most overlooked facets of security is casual physical access. Don't let the need to use the restroom turn into a security breach.


  • Tom Olzak // November 23, 2008, 8:03 PM PST

    Shifting from compliance to security requires patience

    It is not just government managers who require behavior changes when it comes to securing sensitive assets. Managers in private industry often mistakenly see compliance as security. But changing this view takes patient persistence.


  • Paul Mah // November 22, 2008, 3:59 PM PST

    Security News Roundup: Yoggie opens up its miniature hardware firewall

    This week's security events include news that Sun has released a new patch for StarOffice 8, a malicious Web site link that can force iPhones to dial a number, news of a computer virus bringing the networks of three London hospitals to a standstill, and Yoggie opening up its miniature hardware firewall.


  • Chad Perrin // November 20, 2008, 1:28 PM PST

    The safest way to sanitize input: avoid having to do it at all

    Sanitizing user input is a critical part of secure software development, but software can be made more secure by avoiding having to sanitize input altogether.


  • Tom Olzak // November 18, 2008, 8:00 PM PST

    You don't have to wait to deploy DNSSEC

    A look at DNS security with a high-level examination of DNSSEC, why DNSSEC is still not globally deployed, and some things you can do to improve DNS transaction integrity until it is.


  • Chad Perrin // November 18, 2008, 5:29 AM PST

    No such thing as effective license enforcement

    License security is not the same as software security. In fact, sometimes they are at odds with one another.


  • Paul Mah // November 17, 2008, 1:55 AM PST

    Simple hardware approaches to secure laptops

    Users are increasingly buying laptops and netbooks, attracted by their portability and low prices. The inevitable result is more employees bringing personal laptops into the office, where they are used to access and store corporate data. Here are some ways to mitigate the risks of data breaches.


  • Tom Olzak // November 16, 2008, 8:00 PM PST

    DNS resource record integrity is still a big, big problem

    The need to secure DNS has never been greater. Attacks against DNS cache integrity, including entire zone references, are an easy way for criminals to redirect your unsuspecting users to malicious sites. Current controls are still lacking.


  • Chad Perrin // November 13, 2008, 2:33 AM PST

    Microsoft finally catches the eight year bug

    Microsoft released a patch this week for a critical vulnerability. The catch: this vulnerability has been known since 2000, and it's a bug in a service active on almost every MS Windows system in the world. How safe do you feel?


  • Tom Olzak // November 11, 2008, 8:00 PM PST

    How do new private browsing capabilities affect forensics?

    Chrome has it. IE8 and Firefox 3.1 have it. So what does it mean to forensics investigators? I'm talking about private browsing--the ability to visit sites, conduct research, or participate in illegal/unethical activities without leaving tell-tale signs behind.


  • Chad Perrin // November 11, 2008, 2:45 AM PST

    More email security tips

    Email security is about a lot more than just using a good password on your POP or IMAP server. Perhaps the most important part of email security is ensuring you don't shoot yourself in the foot.


  • Tom Olzak // November 9, 2008, 8:00 PM PST

    Prevent your employees from "going rogue"

    There is often a personal crisis trigger that causes an already borderline employee to cross the border. Would intervention prevent information compromise or system loss? Can an employee be helped in a way which prevents an incident?


  • Paul Mah // November 9, 2008, 3:59 PM PST

    Security News Roundup: Security researchers to demonstrate WPA packet injection

    This week's security events include news that there will be just two updates for Microsoft's Patch Tuesday this month, the appearance of an exploit for Adobe Reader spotted in- the-wild, Adobe releasing an update to resolve a ColdFusion vulnerability, and news that security researchers will demonstrate WPA packet injection for the first time.


  • Chad Perrin // February 25, 2008, 5:33 AM PST

    Basic e-mail security tips


  • Chad Perrin // February 28, 2008, 2:07 AM PST

    10 tips for effective use of OpenPGP with GnuPG

    Using a private encryption system based on the OpenPGP standard can provide a great improvement to the security of your sensitive data. To maximize the value of that improvement, however, you need to make sure your OpenPGP system itself is secured against the efforts of malicious security crackers. This article provides a few simple policies you can employ to ensure greater security for an OpenPGP system such as GnuPG.


  • Chad Perrin // February 29, 2008, 12:44 AM PST

    Use GnuPG with Mutt to sign or encrypt e-mail

    One of the most common uses of OpenPGP applications like PGP and GnuPG is digitally signing and encrypting email. While this can be accomplished "manually" with Mutt every time you want to send an encrypted or digitally signed email, by first creating encrypted or digitally signed files then using them as the basis for an email, this article explains how to configure Mutt to automatically use the GnuPG tool to do that for you.


  • Paul Mah // March 2, 2008, 3:59 PM PST

    Security news roundup: March 2

    Here’s a collection of recent security vulnerabilities and alerts, which covers Symantec releasing security fixes for both its Backup Exec for Windows Server and the Symantec Scan Engine products, a critical hole found in the ICQ 6 instant messaging client, and a new version of Wireshark that resolves flaws in three of its dissectors.


  • Chad Perrin // March 18, 2008, 5:47 AM PST

    What is cross-site scripting?

    Cross-site scripting, also known as "XSS", is a class of security exploit that has gotten a fair bit of attention in the last few years. Many users, and even Web developers, aren't entirely clear on what the term means, however. I'll explain cross-site scripting for you, so you will know where the dangers lie.


  • Chad Perrin // March 22, 2008, 7:04 AM PST

    The Big Brother Awards

    In Montreal, Canada, at the Computers, Freedom, and Privacy conference in May 2007, Privacy International presented the first International Big Brother Awards. The "winners" of the Big Brother Awards are, in the words of Privacy International, "the government and private sector organisations which have done the most to threaten personal privacy". Read on to find out who Privacy International dubbed the world's worst invaders of privacy in each of five categories.


  • Paul Mah // March 23, 2008, 4:59 PM PST

    Security news roundup: Spybot Search & Destroy scans for rootkits, multiple patches from Apple

    Here’s a collection of recent security vulnerabilities and alerts, which covers news that Spybot Search & Destroy now comes with the ability to detect rootkits, a re-release of a patch that affects Microsoft Office Excel 2003 SP2 and SP3, a slew of patches from Apple, and a warning from Microsoft that Word is a possible vector of a new vulnerability.


  • Chad Perrin // March 26, 2008, 4:33 AM PST

    The importance of being encrypted

    People often complain that using encryption in email is too much work. Sometimes, it can be fraught with difficulty for the encryption novice. Managing public and private keys can be confusing at first, and getting someone at the other end to use encryption as well can sometimes be a challenge. Worse yet, it can be difficult to maintain an encryption key "identity" properly once you've gotten everything set up -- as things stand, good encryption practice is not a "fire-and-forget" proposition where you can just go through the hassle of setup once and be done with it. I can understand the desire to forget about it, and just ignore good encryption practice altogether. There's just one problem with that attitude.


  • Paul Mah // March 27, 2008, 4:40 AM PST

    The Firewire hole

    A while back, I wrote about how the humble USB port could be a possible vector for social engineering attacks. Today, I want to talk about the IEE-1394 Firewire which contains a vulnerability that is far more dangerous than the fallibility posed by the USB port.


  • Paul Mah // February 24, 2008, 3:51 PM PST

    Security news roundup: February 24

    Here’s a collection of recent security vulnerabilities and alerts, which covers Opera releasing an update that patches three security vulnerabilities, multiple flaws found and fixed in EMC RepliStor, Symantec patching Veritas Storage Foundation, the presence of design weaknesses in wireless LAN VoIP handsets, and hard disk enclosures that fails to encrypt data as advertised.


  • Deb Shinder // February 15, 2008, 2:28 AM PST

    Security threats in a unified world

    Amid all the excitement surrounding the unification of our communications technologies, the issue of security sometimes gets lost in the shuffle. Maybe some are assuming that the threats are the "same old, same old" that plague those same communications methods in their more stand-alone forms. But it's that and more.


  • Chad Perrin // February 15, 2008, 4:40 AM PST

    How private is your Web-based service?


  • Chad Perrin // February 17, 2008, 2:52 PM PST

    Use OpenSSH as a secure Web proxy


  • Paul Mah // February 17, 2008, 3:59 PM PST

    Security news roundup: February 17

    Here's a collection of recent security vulnerabilities and alerts, which covers a serious vulnerability fixed in ClamAV, FreeBSD closing a couple of vulnerabilities, additional flaws discovered in Cisco IP telephony products, critical vulnerabilities found in Adobe Flash Media Server, and how Vista SP1 proves to be a low hurdle to pirates.


  • Paul Mah // February 3, 2008, 12:24 PM PST

    Security news roundup: February 3

    Here’s a collection of recent security vulnerabilities and alerts, which covers multiple unpatched vulnerabilities in the open sourced Mambo CMS, Gento's vulnerability to DOS and remote exploitation, the availability of an update for a disclosed flaw in the UltraVNC client, a security hole in Cisco's Wireless Control System, Security leaks in IBM's Informix Storage Manager and the release of a Parallel Windows password brute forcing tool.