Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989
:
: By Rob Preston
: InformationWeek
: April 12, 2008
: (From the April 14, 2008 issue)
:
: Last year, RSA chief Art Coviello championed industry consolidation,
: arguing that as a handful of major vendors (EMC, Cisco, IBM,
: Microsoft) built security into their infrastructure platforms,
: standalone security challengers would fall by the wayside--all within
: three years. "If I'm proven wrong about the timing," Coviello said
: last year, "I won't be proven wrong in the need for this." The likes
: of Symantec and McAfee begged to differ, and the industry continues to
: debate the strengths and weaknesses of all-in-one security
: architectures.

I think Mr. Coviello should also champion "all hackers laying down their
virtual weapons" as it is probably just as likely to happen as vendors
like Cisco or IBM eliminating simple vulnerabilities (let alone the
complex ones).

IBM is still having problems with simple buffer overflows:

2008-03-11 - IBM AIX reboot Local Overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1601

Cisco is still using default accounts and passwords:

2008-01-23 - Cisco Application Velocity System (AVS) System Accounts Default Password
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0029

RSA still can't properly enforce a blacklist:

2008-03-17 - RSA SecurID WebID RSA Authentication Agent (IISWebAgentIF.dll)
postdata Variable Blacklist Bypass
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1470

When companies can get over the small hurdles, then perhaps we can
tackle the bigger issues and shoot for three-year time frames.

: More than 80% of the IT, security, and business executives RSA
: recently surveyed with IDC "admit that their organizations have shied
: away from business innovation opportunities because of information
: security concerns," Coviello told the RSA audience. The main
: challenge: Move the internal conversation about security away from
: fear mongering and worst-case scenarios toward how security can
: augment new products and services. Or at least don't get in the way.
: It's tantamount to the security pro's Hippocratic oath: First, do no
: harm.

Move away from fear-mongering, but RSA proudly lists Ira "I can steal a
billion dollars from any company" Winkler as a blogger. Good start!

-==-
Let identityLoveSock take your personal information into
their wanting hands. http://www.identity-love-sock.com/
Because victims have money too.