Security Bites from CNET
Security Bites 116: Investigating data breaches (October 03, 2008)
According to a report this week from Verizon Business, the risk factors for data breaches vary from industry to industry and defy a "cookie cutter" approach to security, which is why Verizon has revisited an earlier report. The goal of both the new and the prior report is to offer detailed insight into how data breaches occur, so that companies can address the problems specific to their own industry. The June 2008 report spanned four years and drew on more than 500 forensic investigations involving 230 million compromised records. The new report uses the same data but drills down into four key industries: financial services, tech, retail, and food and beverage. Together the four account for 82 percent of all the attacks in the original Verizon report. Verizon found that attacks on the financial industry tend to be sophisticated. A majority come from outside hackers, although a healthy share could also be attributed to insiders who had been granted access to the data. Retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite: the attacks are less sophisticated and are often the result of a compromised third-party vendor, such as a point-of-sale integrator with remote access to the merchant's systems. Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions, talks with CNET News' Robert Vamosi about some of the investigations Verizon has done into thefts by third parties, and the possible ties to organized crime and terrorism.

Security Bites 115: Inside ID fraud's underground forums (September 26, 2008)
This week Tom Rusin, president and chief executive officer of Affinion's North America operation, is Robert Vamosi's guest. His company monitors the criminal underground on behalf of several thousand banking institutions by lurking in carder chat rooms. "Carders" are the people who buy, sell, and trade online the credit card data stolen through phishing sites or in large data breaches at retail stores. Affinion is global, with offices in more than a dozen countries, and over the years it has provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who had fallen victim to a phishing scam. "Any piece of info is priceless to these people," says Rusin.

Security Bites 114: Desktop application risk (September 15, 2008)
It may seem trivial to you which applications are on your desktop, but from a business or organization's perspective it can be a serious matter. If an application provides unfiltered access to the outside world, it can create regulatory issues. Certain desktop applications can also directly or indirectly introduce malware inside the perimeter through file sharing. At the very least, some applications simply consume bandwidth (streaming audio or video, for example). In its second report on Application Usage and Risk, Palo Alto Networks finds that 56 percent of the desktop applications surveyed communicate over HTTP. Because they share port 80 with ordinary Web browsing, a port-based firewall cannot block them without also blocking the Web; an organization that wants to filter them has to identify the application from the content of the traffic rather than from the port. Chris King, who appeared on Security Bites last April, talks this week with CNET News' Robert Vamosi about the report's findings, including the hidden risks in running Microsoft SharePoint or Lotus Notes. To see the risks associated with several hundred common desktop applications, Palo Alto Networks provides an online Applipedia.

Security Bites 113: The security of Chrome (September 05, 2008)
Google has entered the browser space. Chrome, its browser still in beta, is based on the open-source WebKit project. Some will recognize WebKit as the foundation for another browser, Apple's Safari. But Chrome also borrows heavily from Mozilla Firefox and Microsoft Internet Explorer, giving this new browser an old and familiar feel. There is, however, innovation. Tabs are arrayed atop the browser instead of in the traditional toolbar, and users can drag and drop tabs onto the desktop outside the browser. There is also a way to make a desktop icon for Gmail and Google Calendar. Deep down, Google has also upgraded how the browser handles JavaScript. Gone are the days when scripts simply gave you dancing babies on a Web page; today we're running robust applications in the browser, and the engine that executes them is correspondingly more exposed. Joining CNET News' Robert Vamosi this week is Billy Hoffman, manager of HP's Web security group. Hoffman, along with Bryan Sullivan, co-authored AJAX Security. In this podcast, Hoffman offers what he thinks Google did right with Chrome, and what could be trouble down the road.

Security Bites 112: Out of the shadows (August 15, 2008)
A few weeks ago, the Dutch High Tech Crime Unit identified and arrested a 19-year-old Dutch man who allegedly was operating a botnet known as Shadow. This botnet, unlike more recent examples, used IRC for command and control, meaning its traffic was easier to trace than the Web-based command and control traffic used today by most new botnets. Shadow infected users via Windows Live Messenger or MSN Messenger. What's unusual here is that the crime unit then asked Kaspersky Lab to provide the identified victims, people who had unknowingly allowed their computers to become compromised, with instructions on how to neutralize the malware on their systems. While antivirus companies and law enforcement work together all the time, rarely has law enforcement concerned itself with cleaning up a victim's machine. This week CNET's Robert Vamosi spoke by phone with Roel Schouwenberg, senior antivirus researcher at Kaspersky, who happens to be based in the Netherlands, about the Shadow botnet.

Security Bites 111: Iron Chef returns to Black Hat (August 04, 2008)
Iron Chef returns to Black Hat. No, it's not the Food Network import from Japan broadcasting live, but the Fortify edition, featuring lead security researchers as they struggle against the clock to find vulnerabilities. This year, the secret ingredient is open-source code. Brian Chess, chief scientist at Fortify Software, and Jacob West, who manages Fortify Software's Security Research Group, tell CNET's Robert Vamosi that one team will use static analysis while the other will use fuzzing. Chess confirmed that Charlie Miller and Jacob Honoroff will be on the fuzzing team, and that Sean Fay and Geoff Morrison from Fortify will make up the static analysis team. Fortify says the Black Hat audience and co-hosts West and Chess will provide running commentary and encourage the competitors. Ultimately, the audience will judge the results on the originality of the tools created, the presentation of the bugs found, and the creativity with which the tools were used to search for vulnerabilities. At the end, a winner will be named.

Security Bites 110: Breaking Google Gadgets (August 01, 2008)
From gadgets that slide-show pictures of vacations past to calendars that show events in the future, Google Gadgets look cool. But, like anything else in Web 2.0, they can also contain vulnerabilities. By design, Google Gadgets allow scripted code to be uploaded by the end user, creating interesting new attack vectors for those with malicious intent. CNET's Robert Vamosi talked with Robert Hansen (aka RSnake), chief executive of SecTheory, and Tom Stracener (aka Strace) of Cenzic. Both will be presenting a talk called "Xploiting Google Gadgets: Gmalware and Beyond" at the annual Black Hat conference in Las Vegas next week. During the talk, they plan to disclose a zero-day vulnerability in Google Gadgets that they say will make Gmalware (Gmodules-based malware) a significant threat.

Security Bites 109: Open-source security (July 25, 2008)
For years, one of the arguments for using open-source software instead of proprietary software held that open source was more secure. After all, having thousands of eyes on the code can't help but find and mitigate potentially dangerous bugs. A new report from Fortify challenges that assertion. Open-source software can be found in over half of enterprises today, and open-source code ships inside Mac OS X. But how are open-source vulnerabilities and, more importantly, their patches handled? The Fortify report found that, while vulnerabilities are found and reported within the open-source community, not every open-source project had a clearly defined security contact or security mailing alias. Nor was it clear what the process would be for issuing a patch, or how the projects conduct their own vulnerability assessments. Without a published contact and disclosure process, a researcher who finds a bug has no reliable way to reach the maintainers, and users have no way to learn that a fix exists. The report looked at several well-known open-source projects, such as JBoss and Tomcat. CNET's Robert Vamosi spoke by phone with Roger Thornton, CTO at Fortify, about the report and its findings.

Security Bites 108: Understanding white listing (July 18, 2008)
To put it simply, the concept of "white listing" is to define a set of software and a set of vendors, and to allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past, where everything runs unless a signature identifies it as bad. In 2007, Symantec detected more than 1 million viruses, two-thirds of them created within that calendar year. Loading 1 million antivirus signatures, or even a fraction of that if generic signatures are used, is a serious undertaking. The idea here is that maybe we should only be loading signatures for the good files, which are a far smaller and more stable set. So far, the idea is only being implemented in the enterprise space. Still, it's an interesting idea. On the desktop it's already being used to stop spam, so why not use white lists to block malware as well? Massachusetts-based Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings. Recently, desktop antivirus vendor Kaspersky announced a partnership with Bit9 that will allow it to use the GSR in its upcoming desktop products in 2009. This week on the Security Bites podcast, CNET's Robert Vamosi talks with Tom Murphy, chief strategy officer for Bit9, about white listing and its potential for the future.

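The policy the segment above describes, as an added illustration written for this page rather than Bit9's or Kaspersky's own code: a file is identified by its cryptographic hash, looked up in a catalog of known-good and known-bad entries, and allowed to run only if it is catalogued as good and comes from a trusted vendor. Everything else is denied by default, which is the inversion of signature-based blocking. The catalog, the vendor names and the sample "binaries" are constructed for the example; the sample bytes stand in for real executables, and any change to an approved file (a trojaned copy, for instance) produces a different hash and is therefore denied even though no signature for it exists.

```python
"""Hash-based application allowlisting with default deny (constructed example)."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY_UNKNOWN = "deny: not in catalog"
    DENY_KNOWN_BAD = "deny: catalogued as known bad"
    DENY_VENDOR = "deny: vendor not trusted"


@dataclass(frozen=True)
class CatalogEntry:
    """One catalog record: the file's SHA-256, who published it, and whether it is known bad."""
    sha256: str
    vendor: str
    known_bad: bool = False


def sha256_hex(data: bytes) -> str:
    """Identify a file by the hash of its bytes, never by its name or path."""
    return hashlib.sha256(data).hexdigest()


class AllowlistPolicy:
    def __init__(self, catalog, trusted_vendors):
        # Index by hash so a lookup is O(1) regardless of catalog size.
        self.catalog = {entry.sha256: entry for entry in catalog}
        self.trusted_vendors = set(trusted_vendors)

    def decide(self, file_bytes: bytes) -> Verdict:
        """Default deny: only a catalogued, known-good file from a trusted vendor runs."""
        entry = self.catalog.get(sha256_hex(file_bytes))
        if entry is None:
            return Verdict.DENY_UNKNOWN      # never seen: no signature needed to block it
        if entry.known_bad:
            return Verdict.DENY_KNOWN_BAD    # explicit blocklist entry wins over vendor trust
        if entry.vendor not in self.trusted_vendors:
            return Verdict.DENY_VENDOR       # known good, but not from an approved publisher
        return Verdict.ALLOW


# Constructed sample "executables"; in practice these would be the files' real bytes.
GOOD_APP = b"MZ\x90\x00 constructed sample: text editor build 4.2 from ExampleVendor"
OTHER_VENDOR_APP = b"MZ\x90\x00 constructed sample: utility from UnapprovedVendor"
KNOWN_MALWARE = b"MZ\x90\x00 constructed sample: keylogger"
NEVER_SEEN = b"MZ\x90\x00 constructed sample: never catalogued"
TAMPERED_APP = GOOD_APP + b"\x90"  # one extra byte: a patched copy of the trusted editor

# Constructed catalog of known-good and known-bad entries (stands in for a registry like GSR).
CATALOG = [
    CatalogEntry(sha256_hex(GOOD_APP), "ExampleVendor"),
    CatalogEntry(sha256_hex(OTHER_VENDOR_APP), "UnapprovedVendor"),
    CatalogEntry(sha256_hex(KNOWN_MALWARE), "unknown", known_bad=True),
]

POLICY = AllowlistPolicy(CATALOG, trusted_vendors=["ExampleVendor"])


def evaluate_samples() -> dict:
    """Run every constructed sample through the policy and return the verdicts by name."""
    samples = {
        "good_app": GOOD_APP,
        "other_vendor_app": OTHER_VENDOR_APP,
        "known_malware": KNOWN_MALWARE,
        "never_seen": NEVER_SEEN,
        "tampered_app": TAMPERED_APP,
    }
    return {name: POLICY.decide(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18} -> {verdict.value}")
```

The order of checks matters: an explicit known-bad entry is consulted before vendor trust, so a vendor compromise that ships a malicious build can be blocked by hash without revoking trust in the vendor's entire catalog. The trade-off the segment alludes to also shows up here: every legitimate update to GOOD_APP changes its hash and must be catalogued before it will run, which is why the approach has so far been deployed where a central administrator maintains the list.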
Security Bites 107: Dan Kaminsky talks about responsible vulnerability disclosure (July 11, 2008)
Photo: Dan Kaminsky at DefCon in 2006. (Credit: Declan McCullagh / CNET News)
In the middle of a flood of news surrounding a serious vulnerability in the fundamental structure of the Domain Name System (DNS) is the story of how researcher Dan Kaminsky chose to handle his discovery and, hopefully, its mitigation. What Kaminsky did was coordinate several vendors in a multiparty, simultaneous release of a patch, one that he feels doesn't lend itself to easy reverse engineering. For the moment, Kaminsky is not talking details. He's hoping that people will apply the various patches, update their DNS servers and clients, and do so before the bad guys can craft their exploits. He's giving everyone 30 days before he spills the technical details at this year's Black Hat conference in Las Vegas in August. Kaminsky, director of penetration testing at IOActive, is no stranger to discovering vulnerabilities. In this case, however, he says he wasn't looking for the DNS flaw, but after three days of testing he knew he had something important. In this week's Security Bites podcast interview, Kaminsky talks about what goes through his mind when he hits upon a suspected vulnerability, how he decides to proceed from there, and what he's learned thus far from the whole DNS patch experience.

Security Bites 106: McAfee plays with spam (July 01, 2008)
McAfee released on Tuesday the results of a monthlong spam experiment. The security company provided 50 people worldwide with a clean laptop armed only with antivirus protection (no anti-spam protection) and a brand-new domain for e-mail. McAfee then asked them to surf the Net and blog about their experiences. Within the first 24 hours, the participants in the S.P.A.M. (Spammed Persistently All Month) Experiment received their first spam e-mail. Over the course of 30 days, McAfee's test subjects accumulated 104,000 spam e-mails, or roughly 70 spam messages per day per recipient. Put another way, 87 percent of all the e-mail captured on the test laptops was considered to be spam. I spoke with Dave Marcus, director of security research and communications for McAfee Avert Labs, about the experiment and the results.

Security Bites 105: Does antivirus protection matter? (June 27, 2008)
This week CNET's Robert Vamosi talks with Eva Chen, co-founder and CEO of Trend Micro. For more than 20 years Chen has been active in the antimalware community and has kept her company competitive worldwide against rivals such as Symantec and McAfee. Chen visited CNET to talk about Trend Micro's ambitious goal of putting anti-malware protection in the cloud. She argues that signature-based protection is still faster than running a full heuristic sandbox to detect new malicious software. Chen thinks that by having your desktop query a signature database in the cloud, rather than carrying the full signature set locally, you'll get faster, lighter, and more accurate anti-malware protection for your desktop. Also, when new malware is discovered on your desktop, a sample can be sent to the cloud, analyzed, and, if necessary, a new signature created, protecting not only you but anyone else who encounters it. Clearly threats and protection have both changed over the years. Recently, some security experts have been talking about doing away with antivirus protection, saying that most of today's threats come from Web 2.0 sources and can be better blocked with firewalls and secure Web browsers. Of course, Chen disagrees.

Security Bites 104: Of rootkits and online gaming flaws (June 20, 2008)
Greg Hoglund is no stranger to security. In the last few years, he has founded Bugscan, Cenzic, and HBGary, where he is currently CEO. He is also the co-author of Exploiting Software, Rootkits: Subverting the Windows Kernel, and Exploiting Online Games. Hoglund has presented at numerous Black Hat Briefings and taught several training sessions there as well. This week he stopped by the Security Bites studio for a conversation with CNET's Robert Vamosi on rootkits, software vulnerabilities, and online gaming.

Security Bites 103: Capitalizing on botnets (June 13, 2008)
IronPort's Pat Peterson joins Robert Vamosi this week to talk about how online criminals make money using botnets.
How do online criminals make money off of botnets? Previously, we've explored how parts of the Storm worm botnet may have been rented out to others. No matter who owns the botnet, the traffic is usually the same: spam. But what kind of spam? IronPort Systems, a division of Cisco, released a report this week (registration required) that identified some of the specific spam messages being used. Not surprisingly, pharmaceutical spam features prominently. But criminals are also luring unsuspecting individuals with various "work from home" scams. People who fall for these are told to buy expensive products in the United States for delivery overseas, and for their effort they receive a percentage of the purchase price. These "money mules," as they are called, are in fact cashing out stolen credit cards for foreign criminals, and the mule, not the criminal, is the one left holding the fraudulent transaction. CNET's Robert Vamosi spoke by phone with Pat Peterson, vice president of technology at IronPort.

Security Bites 102: Mozilla's 'Human Shield' on Firefox 3 (June 06, 2008)
Jonathan Nightingale of Mozilla joins CNET's Robert Vamosi to talk about the latest version of the browser and its built-in security features.
If you haven't tried Firefox, what are you waiting for? The latest version, Firefox 3, will soon be out, and the release candidates are stable enough these days for daily use. (Currently, RC2 is the latest build.) What's good about Firefox 3 is that it's light on resources (even with 15 tabs open) and very fast, a clear improvement over Firefox 2. What's even better are the built-in security features. CNET's Robert Vamosi spoke this week with Jonathan Nightingale, Mozilla's "Human Shield," aka its security user interface designer. Nightingale, along with Window Snyder and others on the security team at Mozilla, developed some of the new security features baked into Firefox 3.