« Archives in July, 2011

Oracle Deletes Sun Blog Posting From 2007 That Showed CEO’s Approval of Java’s Use Inside Android

Since I love Oracle so much, I thought I would pass this on.

Attack On Pacific Northwest National Lab Started At Public Web Servers

If you haven’t noticed, I’ve been out for a while. So, let’s get back on track with this article found over at Dark Reading.

The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.

While I agree that this was most likely a sophisticated attack, I have a problem with some of the statements made by the CIO. Jerry Johnson, Chief Information Officer for Pacific Northwest National Laboratory, made the following statement:

These servers are considered “low impact” by government security standards, meaning that they require only minimal security under NIST standards.

Would you consider them “low impact” now? This attack compelled the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. The disturbing thing is the statement that “they require only minimal security under NIST standards.” If you base your security posture only on NIST standards on a server-by-server basis, then you are bound to fail.
