My firm was recently hired to perform a network assessment for a fairly large bank. The emphasis on this engagement was circumventing physical controls and gaining access to the bank's internal network infrastructure. As with most financial institutions, we were asked to compromise remote locations (bank branches) and then make an attempt on the main office. The branches were easily compromised by our posing as copier repairmen requesting access to the equipment, unplugging the printer or digital copier, and then connecting our laptop with folders of network-snooping tools.
Continue reading "People-Hacking..."
When using the "private browsing mode" included in many of the current (and beta) Web browsers, do you know just how well it is working at preventing your Internet browsing from being tracked? What about the protection provided when you hit the button to clear your Web browsing history, cookies, and cached files?
Continue reading "Browser Privacy Features Leave Users Exposed..."
Data loss prevention (DLP) is a topic I've covered in the past because it's important in these times of targeted attacks and accidental data loss. It also tends to be a controversial topic since many people view it differently due to the variation in definitions of what the technology really is. For example, DLP vendors have solutions that range from basic content filtering at the network gateway to complex network- and host-based monitoring solutions, leaving the definition up to the vendor who is selling the solution.
Continue reading "DLP: An Important Tool In Protecting Data During Mergers & Acquisitions..."
Very often a founder is the heart of a unique, successful company, or, in the case of IBM, it was actually the son of the founder, Thomas Watson Jr. All the focus this week on the likely departure of Steve Jobs from Apple has me thinking back about one of my very first jobs at Disney shortly after Walt died. In many ways these men embodied more than their companies' brands: They embodied a way of thinking about business that wasn't defined in dollars and cents; it was defined by imagination, caring about more important things, and often in the unique work environments they created.
There is a unique magic to the firm that is lost when someone like Steve Jobs leaves. If this magic is critical to the company's identity, success, customer loyalty, and employee satisfaction, why isn't more done to protect it and ensure that it never leaves?
Continue reading "Apple Without Jobs: Who Secures A Company's Heart?..."
When asked why he robbed banks, the flamboyant criminal Willie Sutton answered, "Because that's where the money is." That's the perfect example of how the principle of Occam's razor applies to crime: the simplest solution to a problem is often the best one. With the economic downturn, high unemployment rates, and the booming business of identity fraud, would-be criminals are on the lookout for easy methods to get access to personal information. And we stumbled across one such way during a recent penetration test involving eavesdropping on police traffic stops.
Continue reading "ID Theft and Police Scanners..."
Rob Lee of Mandiant, a faculty fellow at the SANS Institute, gave the forensic community an early Christmas present with the release of version 1.2 of the SIFT Workstation. It is a Linux-based VMware appliance pre-configured with the tools needed to conduct a forensic examination. Rob developed the SIFT Workstation for the SANS course he developed and teaches, which is vendor-agnostic, so the included tools are all free and/or open source.
Continue reading "SIFT Workstation And Resources For Aspiring Forensic Examiners..."
This is the time of year when the editor of a publication usually issues a warm and fuzzy holiday message that's supposed to make you want to gather around the fire with your family for a group hug.
Unless, of course, your publication has to do with information security.
Continue reading "Yes, Virginia, There Will Be More Attacks..."
A copy of "SQL Server Forensic Analysis," by Kevvie Fowler, arrived in my mailbox today. I'd been looking forward to it because it is a highly topical subject given all of the data breaches that have occurred in the past couple of years involving databases. David Litchfield has produced numerous whitepapers and presented on the topic of Oracle forensics, but little has been published on forensics of Windows SQL Server systems.
Continue reading "Database Breach Preparedness..."
Many in the United States think the party in power has sacrificed too much privacy and liberty in order to address security concerns, particularly in regard to terrorism. The incoming administration is likely to undo a lot of this, but, at the same time, a massive number of very upset people with and without tech skills are going to find themselves jobless.
Continue reading "The 2009 Security Tsunami ..."
The recent zero-day IE7 vulnerability is a big deal. Attackers used it to compromise hundreds of thousands of machines, if not millions. Both IE7 and Vista are vastly more secure than their predecessors, yet this bug sliced right through them to give the attacker a robust exploit. We need to do a post mortem of this event to figure out what we should do in the future.
Continue reading "IE7 Zero-Day Lessons..."
With two out-of-cycle security updates from Microsoft this fall, organizations are getting the opportunity to evaluate the maturity of their patch management processes through trial by fire.
Continue reading "Out-Of-Cycle Patches Test Maturity Of Patch Management Programs..."
The Estonian Parliament has passed a law that will allow citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet, which apparently worked seamlessly despite security concerns. (See Sara Peters' coverage of e-voting in Estonia in the November 2005 Alert, Academic Group Publishes Criticisms of e-Voting; membership required.)
Continue reading "Can You Vote for Me Now? Estonia First Country to Cast Cell Phone Votes..."
I spent last week serving as a juror in a murder trial. Jury duty is a bit like living in an alternate universe: You live and breathe the trial, but you can't say a word about it to anyone until it's all over. I was unable to discuss what I was hearing each day in the courtroom and prohibited from watching or reading the news so that I wouldn't inadvertently hear any press on the case. And my fellow jurors and I weren't allowed to talk at all about the case until our deliberations.
Continue reading "Nostalgic For Cybercrime..."
Malware analysis has been a small obsession of mine for at least the past four years. I always have a virtual machine sitting around just waiting to be subjected to the next unknown executable that lands in my lap. A psychologist might say I have some "issues" since I get excited from the thought of infecting hapless Windows machines.
Continue reading "DNSChanger Trojan Spoofs DHCP Responses To Unsuspecting Victims..."
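The DNSChanger variant named in the title works by answering DHCP requests on the local segment before the legitimate server does, and setting option 6 (DNS servers) in its offer to hosts the attacker controls. The following is an added example, not code from the post or from any tool it mentions: it parses the option TLVs of a captured DHCP offer or ACK and flags any DNS server that is not on a list of servers you actually run. The trusted-server list, the sample offers, and the `build_offer` helper are constructed for the demo; the TEST-NET-3 address stands in for an attacker's resolver.

```python
"""Flag DHCP offers/ACKs whose DNS servers (option 6) are not ones we operate.

Added example for illustration; the sample packets below are constructed.
Option layout follows RFC 2131/2132: a 236-byte BOOTP header, the 4-byte
magic cookie, then code/length/value triples terminated by code 255.
"""
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6
OPT_MESSAGE_TYPE = 53
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # RFC 3396: an option longer than 255 bytes may be split; concatenate.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dns_servers(opts: dict) -> list:
    """Decode option 6 into dotted-quad strings."""
    raw = opts.get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(IPv4Address(raw[k : k + 4])) for k in range(0, len(raw), 4)]


def rogue_dns_in_reply(payload: bytes, trusted_dns: set) -> list:
    """Return DNS servers in an OFFER/ACK that are not in `trusted_dns`."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MESSAGE_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return []                      # DISCOVER/REQUEST carry no server-supplied DNS
    return [s for s in dns_servers(opts) if s not in trusted_dns]


def build_offer(dns_ips: list, yiaddr: str = "192.168.1.50") -> bytes:
    """Constructed DHCPOFFER for the demo; only the fields we parse are filled in."""
    header = bytearray(236)
    header[0] = 2                      # op = BOOTREPLY
    header[1], header[2] = 1, 6        # htype Ethernet, hlen 6
    header[16:20] = IPv4Address(yiaddr).packed   # yiaddr
    dns_raw = b"".join(IPv4Address(ip).packed for ip in dns_ips)
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw
    options += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC + options


# Constructed sample data: one legitimate offer, one from a rogue server.
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer(["192.168.1.1"])
ROGUE_OFFER = build_offer(["203.0.113.53", "192.168.1.1"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, rogue_dns_in_reply(pkt, TRUSTED_DNS))
```

In practice the payloads come from a capture filter such as `udp port 67 or udp port 68`; the server identifier (option 54) and the source MAC of the offending reply are what you then chase down to find the infected host acting as the rogue server.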
Last month, the U.S. Department of Defense took drastic measures to stomp out a "rapidly spreading worm crawling across their networks" by banning USB flash drives and other removable media (see Wired's "Under Worm Assault, Military Bans Disks, USB Drives"). While knee-jerk reactions like this are sometimes useful to curb particular issues, quite often they wind up ineffective in the long term because decisions were made when too little information was known.
Continue reading "USB Flash Drive Network Weaponization..."
There are some ways to effectively begin securing your information in the cloud. We've recently been pondering whether one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.
Continue reading "Free Software to Protect Virtual Machines in the Cloud: Third Brigade VMware Protection ..."
Coping with a Microsoft "Black Tuesday" is bad enough when there are 28 vulnerabilities being patched, but add to it a zero-day vulnerability in Internet Explorer 7 (IE) that's being exploited in the wild and it could turn into a pretty bad week. Since none of the patches released by Microsoft during its normal December patch cycle address the exploited vulnerability, enterprises are left with almost no mitigation options to protect their users until Microsoft does release a patch, possibly a month from now.
The current predicament leaves us wondering two things: will Microsoft release another out-of-cycle patch, as it did with MS08-067, which was also being exploited in the wild, and how do we prevent our users from being exploited? I'm a little unsure about the first question considering the ramifications of having a currently exploited, unpatched vulnerability floating out there. I'm sure MS will receive considerable heat since there are so many organizations where IE is the only browser option for a variety of reasons, many of which stem from enterprise Web applications not being cross-platform.
Continue reading "Chasing A Moving Target..."
Everywhere I go, virtualization is being used. No matter the size of the organization, virtualization has taken off with what appears to be very little concern for security. As security professionals, we know not to mix security domains across the same physical machines or cluster. Why? The answer is simple. A vulnerability could exist in the virtualization product that would allow an attacker to exploit a less secure, or lower value, guest VM, allowing them to run arbitrary code on the host server. Far-fetched? Absolutely not!
Continue reading "Crossing The Streams -- Virtually..."
There was a lot of focus a few weeks ago about whether President-elect Obama was going to be allowed to keep his BlackBerry. The discussion seemed kind of silly given how many BlackBerrys are in wide use in the U.S. government. However, you may recall that a foreign national stole a couple of them a few months ago, which certainly raised the security profile for these devices.
So what about Obama's Mac?
Continue reading "Is Obama’s Mac A National Security Risk -- And Will He Be Allowed To Keep It?..."
How many Web browsers can you name? Besides the most common -- Internet Explorer (IE), Firefox, and Safari -- I know of Google's Chrome, Opera, and some Linux-specific browsers. That's it. So I was interested to read Computerworld's article ("Too good to ignore: 6 alternative browsers"), which gives a good overview of six alternative browsers (really five if you don't count separate PC and Mac versions of Opera). Still, while it's cool to know there are so many options out there for browsing the Web, I'm left wondering: How secure are these other offerings?
Continue reading "Alternative Web Browsers: Do They Have A Fighting Chance?..."
Earlier this week it was implied that early warnings of an Islamic terrorist attack were "lost in the system." At this time, I am not able to find a credible enough source to prove whether this was actually the case, but it is rumored that the warning was specific in that the attack would come from the sea.
Continue reading "Were Early Warnings Ignored Prior To Mumbai Attack?..."
I do a lot of penetration tests and vulnerability assessments for an assortment of businesses of all sizes. While doing these types of tests, I run into a lot of goofy configurations, strange setups, and wacky ideas that are an attempt by the client to improve security. The most head-scratching setup I constantly run into involves SSH on a port other than its assigned port, 22.
Continue reading "Hiding In Plain Sight Doesn't Work..."
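Why the non-standard port buys nothing: an SSH server announces itself the moment a client connects, with an identification string of the form `SSH-protoversion-softwareversion [comments]` (RFC 4253, section 4.2), so any service-detection scan that reads the first line from an open port identifies sshd wherever it listens. The following added example, not code from the post, does exactly that over the output of a constructed scan; `grab_banner` is the network helper a real run would use, while the sample banners are made up for the demo.

```python
"""Find SSH listeners on any port by matching the RFC 4253 identification string.

Added example for illustration. The scan results below are constructed; in a
real assessment they come from connecting to every open port and reading the
first line the service sends (which is what nmap -sV does, among others).
"""
import re
import socket
from typing import Iterable, List, Optional, Tuple

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def identify_ssh(banner: bytes) -> Optional[dict]:
    """Return the parsed identification fields if `banner` is SSH, else None."""
    first_line = banner.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = first_line.decode("ascii")
    except UnicodeDecodeError:
        return None
    match = SSH_BANNER_RE.match(text)
    return match.groupdict() if match else None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service volunteers first (real-network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(256)
        except socket.timeout:
            return b""


def find_ssh_listeners(scan: Iterable[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Given (port, first-bytes) pairs, return the ports speaking SSH with their software string."""
    found = []
    for port, banner in scan:
        info = identify_ssh(banner)
        if info:
            found.append((port, info["software"]))
    return found


# Constructed scan output: port 22 closed/filtered (no data), SMTP on 25,
# and sshd "hidden" on two non-standard ports. Banners are made up.
CONSTRUCTED_SCAN = [
    (22, b""),
    (25, b"220 mail.example.com ESMTP Postfix\r\n"),
    (2222, b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"),
    (31337, b"SSH-1.99-Cisco-1.25\r\n"),
]

if __name__ == "__main__":
    for port, software in find_ssh_listeners(CONSTRUCTED_SCAN):
        print(f"SSH on port {port}: {software}")
```

The same string also leaks the software version, so the relocated daemon is not only found but fingerprinted; the defenses that actually help against the scanning the post describes are key-only authentication, source restrictions, and keeping sshd patched, not the port number.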
It's not uncommon for organizations to experience security breaches during the holidays. Malicious attackers who are determined to get in aren't going to take time off. They also know that there is most likely a skeleton crew, or less, manning the operations, so their activities have a greater chance of going unnoticed. Hopefully, none of you returned to work this morning to find your users complaining of strange behavior on their desktops, unexplainable network slowdowns, or other odd occurrences.
Continue reading "Cheat Sheets For Responders and Server Administrators..."
Dear Readers,
If you've been clicking through the pages of Dark Reading regularly for the past several weeks, you've probably noticed lots of changes. As we told you back in October, the site has undergone an overhaul that included moving to a new server and a new production system, and we've implemented a new design that's intended to make the site easier to navigate and use.
As with most new releases, however, the revamped site has encountered a few bugs. You may have noticed that some of the sections haven't worked as usual, or they might have been populated with dated material. If you're a longtime reader, you've probably noticed that the message boards now work much differently than they used to, and that the new boards are a bit spam-prone. And those of you who receive our newsletters may have had trouble getting them in your preferred HTML format.
Continue reading "How Are We Doing? Dark Reading Seeks Your Input..."
When software vendors release a "free" version, there is often a catch or some limitation that leaves you wanting more. Rarely is the release good enough to fill a void that you've been missing. But that's not always the case. A good example is the NetWitness Investigator product that I've been testing and wrote about in Friday's Tech Insight. It's a good product, and the limitation of being able to open only up to 25 1-GB capture files is so trivial that I hate to call it a limitation. Another example is Mandiant Memoryze.
Continue reading "Free Memoryze Tool Gets A Much Needed GUI..."