

Mobile Security Tech Center

Hopping Aboard The Mobile Payment Bandwagon? Bring A Helmet
Implementing mobile payment systems presents a high risk, high reward opportunity

When Good Apps Go Bad
Experts warn that many otherwise non-malicious mobile apps are trampling privacy with overgenerous device permissions

QR Code Malware Picks Up Steam
Attackers tricking users into scanning fake QR codes that lead to malicious sites and apps




Compliance Tech Center

EU's More Stringent Data Privacy Proposal Poses Challenges For Businesses
Proposed changes to data privacy laws in Europe have garnered mixed praise

The Day (Some Of) The Web Went Dark
Online protests today of SOPA/PIPA legislation blur future of anti-piracy efforts as several legislators back down

Top 10 PCI Compliance Mistakes
Configuration mistakes, access control gaffes and scoping issues top the list of common PCI errors




Cloud Security Tech Center

Facebook Hit By Classic Worm Attack
Zeus Trojan spreads when user views 'photos'; Facebook now blocking malicious domains spreading the attack

Cloud Services Credentials Easily Stolen Via Google Code Search
After finding many cloud access credentials using simple code search, researchers conclude public cloud services are not safe for storing sensitive data

Security Still An Afterthought, Study Says
Despite widespread threats and breaches, most enterprises still ignore security issues when building new apps, Ernst & Young survey says




Advanced Threats Tech Center

Six-Year-Old Breach Comes Back To Haunt Symantec
Security firm warns users to halt use of pcAnywhere until it finishes patching it, but says older Norton products not at risk from previously 'inconclusive' 2006 security incident

Hacktivists Turn To DNS Hijacking
Coach, UFC fall victim to attacks that redirect their Web traffic

Are You Contributing To A DDoS Attack? Researcher Says You Might Be
Links distributed by Anonymous and others could make your computer part of the DDoS, Sophos says




Security Monitoring Tech Center

IP D-Day: Major Providers, Vendors To Go IPv6 June 6
IPv6 implementations 'scrutinized' for security issues so no panic necessary, experts say amid concerns of as-yet undiscovered bugs

Tech Insight: Building A SOC, From Outsourcing To DIY
Building blocks for developing the most effective security operations center

'Anonymous' Back With A Vengeance: Downs DoJ, MPAA, RIAA, Universal Music Websites
White House also being targeted as federal anti-piracy moves fuel widespread online attacks




Authentication Tech Center

Smartcards: Still A Smart Choice?
Despite recent security compromises, smartcard technology still has high potential

DNSSEC Error Caused NASA Website To Be Blocked
Comcast’s new DNSSEC-based service detected improper signing of NASA site

Is SSL Cert Holder ID Verification A Joke?
Some complain that certificate authorities don’t do enough to verify identities for ‘domain-validated’ certificates




SMB Security Tech Center

Top 10 Security Mistakes SMBs Make
SMBs need to work on fundamental security errors to reduce risk of costly incidents

Half Of All The World's Spam Now Out Of Asia
New 'Dirty Dozen' spam report still has the U.S. as the number one spammer, but South Korea becoming a major producer as well

Yet Another Bank Sued By A Small Business For Fraudulent Hacker Transfers
Village View says Professional Business Bank is responsible for a $465K loss to hackers, plus the fees and damages suffered in the online account breach




Vulnerability Management Tech Center

Famed Hacking Contest Gets Facelift
‘Pwn2Own’ will up the ante with more prolonged contest, fewer targets, more payout for first-, second-, third-place winners -- plus an extra Google bounty for cracking Chrome

Third-Party Vulnerability Counts Down? Not Quite
Trend data from Frost & Sullivan shows that vulnerabilities reported by third parties were lower in 2011, but companies such as Secunia and TippingPoint are seeing greater demand

New Version Of Carberp Trojan Targets Facebook Users
Malware attempts to steal money by duping the user into divulging an e-cash voucher




Database Security Tech Center

Database Password Storage Exposes Need For Better ID Management
DreamHost and other password breaches show weaknesses in the way passwords are stored

Federal Reserve Bank Contractor Arrested For Alleged Code Theft
Suspect admitted to stealing U.S. Treasury Dept.-owned program from the bank for use in his own private business

Oracle CPU Contains Lowest Number Of Database Fixes Ever
Database security community concerned about Oracle's patch bottleneck




Security Services Tech Center

Gartner: Security Services Spending On Pace For Record Growth
Many enterprises looking to managed security services to save on operational costs, Gartner report says

Startup To Launch New Brand Of SaaS For Post-Incident Response
'Data loss management' firm officially launches this week

Product Watch: New Service Aims To Improve Botnet Detection Among Service Providers
Damballa CSP 1.6 automates subscriber notification and remediation of botnet infections




Insider Threat Tech Center

Study: The Aftermath Of A Breach
New Ponemon-Experian study

Videoconferencing Can Be The Bug In The Boardroom
Recent research underscores that insecure video conferencing systems can allow hackers to listen into a company's confidential discussions. Firms should take steps to evaluate their systems and secure them

Microsoft Names Alleged Botnet Operator Behind Kelihos
Russian suspect worked for antivirus and software development firms in Russia






Best Of The Web

STANFORD CYBERLAW
MegaUpload: A Lot Less Guilty Than You Think
JANUARY 27, 2012  | The legal ramifications of the case are complicated, including the jurisdictional implications over whether the U.S. has jurisdiction over someone who uses a hosting provider in the Eastern District of Virginia, and over a company that uses PayPal

NETWORK WORLD
Google Says Privacy Change Won't Affect Government Users
JANUARY 27, 2012  | Google says its new privacy policy will not create problems for customers of Google Apps for Government (GAFG) -- it won't change existing contracts for how it handles and stores government customers' data

CSO ONLINE
Middle East Stock Exchanges Hit By Hackers
JANUARY 27, 2012  | The Saudi Arabia and Abu Dhabi stock exchanges were the target of hackers in what appears to be part of online protests

THREAT POST
FBI Looking For App To Monitor Twitter And Facebook For Threat Data
JANUARY 27, 2012  | The FBI is planning to craft an application for monitoring news feeds, Twitter, and Facebook to gather information on emerging threats and new events

FINEXTRA
SEC Charges Latvian Trader With Account Hijacking
JANUARY 27, 2012  | A Latvian man has been charged by the Securities and Exchange Commission with hacking into online brokerage accounts and altering stock prices -- he made some $850,000 in the scam, which cost others millions of dollars

NAKED SECURITY BLOG
Poll Reveals Widespread Concern Over Facebook Timeline
JANUARY 27, 2012  | Facebook's new Timeline feature for the social network's profiles goes live soon and is mandatory, but half of Facebook users say they are concerned about it, according to a new poll

SECURITY WEEK
85 Percent Of Malware Comes From The Web, 30K Sites Infected Daily, Says Sophos
JANUARY 27, 2012  | More than 30,000 websites are infected daily -- 80 percent of which are legitimate sites infected by attackers -- and two-thirds of them were hijacked by the Blackhole Trojan crimeware kit

WASHINGTON POST
Google Announces Privacy Changes Across Products; Users Can't Opt Out
JANUARY 26, 2012  | Search engine provider will stitch together data from YouTube, Gmail, and other Google tools to harvest more complete data about users












Current Issue

In this issue:

  • Digital Detectives: The right forensic tools in the right hands are just a start. Here's how to better apply the lessons they teach.
  • Take The Offensive: It's time to be proactive, not reactive, with digital forensics.
  • And much more!
  • Read the Current Issue
Blogs

Evil Bytes
BY John H. Sawyer
Penetration Tests: Not Getting 'In' Is An Option
November 28, 2011 | 1 Comment
12:29 PM -- Pen testers must get beyond just breaking in and clients need to understand how the tester's results map to business risk

SophosLabs Insights
BY Chester Wisniewski
We Make Widgets -- Let Someone Else Handle Security
January 20, 2012
10:54 AM -- If you're a customer-facing organization, then security can't take second place behind your services

In Search of Malware
BY Mary Landesman
Mass-Meshing A Gumblar Creation
June 30, 2011
04:52 PM -- Compromised and backdoored websites are frequently used interchangeably to act as conduit, redirector, and malware host.

Hacked Off
BY Mike Rothman
Looking Over The RIM And Into The Chasm
January 25, 2012
01:56 PM -- What security folks need to learn from RIM's rapid and accelerating downfall...

Security Views
BY Richard E. Mackey, Jr.
Breach Notification: Know The Rules
January 20, 2012
06:23 PM -- State and Federal laws require notification when a breach of protected information occurs. You need to know which laws apply and how to comply

Dark Dominion
BY Tim Wilson
Dark Reading Launches New Tech Center On Security And Compliance
August 15, 2011
12:01 AM -- New Dark Reading Compliance Tech Center will cover relationship between security initiatives and compliance initiatives

CS Island
BY Robert Richardson
The SpiderLabs Report
January 29, 2011 | 1 Comment
08:14 AM -- A look at the Trustwave Cyber Crime report


CSI Report
14th Annual CSI Survey
Security pros generally happy with products; not so much with awareness programs

Tech Insight
03.23.2011
HTTPS Is Evil





Bugs
ENTERPRISE VULNERABILITIES
Vulnerability: ssl-vpn end-point interrogator/installer activex control
Published: 2010-11-03
Severity: High
Description:Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.
Vulnerability: gvim
Published: 2010-11-03
Severity: High
Description:Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.
Vulnerability: cforms
Published: 2010-11-03
Severity: Medium
Description:Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
Vulnerability: wsn links
Published: 2010-11-03
Severity: High
Description:Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.
Vulnerability: deluxebb
Published: 2010-11-03
Severity: Medium
Description:SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
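The last two entries describe the same class of bug: a request parameter (namesearch in one case, xthedateformat in the other) pasted into SQL text. The DeluxeBB note that the flaw is reachable "when magic_quotes_gpc is disabled" also carries a caveat worth spelling out: code that relied on magic quotes was relying on quote escaping, which only helps where the value lands inside a quoted string literal, and magic_quotes_gpc itself was removed in PHP 5.4. The Python below is an added example, not code from WSN Links, DeluxeBB, or this page. It runs three handling styles (concatenation, quote escaping, parameterized query) against an in-memory SQLite table of constructed rows; the table and column names (links, id, owner, title, hidden) and both payloads are hypothetical, and quote doubling stands in for the backslash escaping magic_quotes_gpc applied.

```python
import sqlite3

# Constructed sample data: the hidden row stands in for data the search page
# is not supposed to return.
SAMPLE_ROWS = [
    (1, "alice", "public link one", 0),
    (2, "bob", "secret link two", 1),
    (3, "carol", "public link three", 0),
]

STRING_PAYLOAD = "x' OR 1=1 --"  # aimed at a quoted string context
NUMERIC_PAYLOAD = "1 OR 1=1"     # aimed at an unquoted numeric context


def make_db():
    """In-memory SQLite table standing in for a links/search table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER, owner TEXT, title TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_quotes(value):
    """Quote doubling: the SQL-standard form of the 'escape the quote character'
    defence that magic_quotes_gpc applied (with backslashes) to request values."""
    return value.replace("'", "''")


def search_concat(conn, namesearch):
    """Vulnerable: the request value becomes part of the SQL text."""
    sql = ("SELECT id, owner, title FROM links "
           f"WHERE hidden = 0 AND title LIKE '%{namesearch}%'")
    return conn.execute(sql).fetchall()


def search_escaped(conn, namesearch):
    """Escaping only: sufficient here because the value sits inside quotes."""
    sql = ("SELECT id, owner, title FROM links "
           f"WHERE hidden = 0 AND title LIKE '%{escape_quotes(namesearch)}%'")
    return conn.execute(sql).fetchall()


def by_id_escaped(conn, link_id):
    """Escaping only, unquoted numeric context: the payload contains no quote,
    so escaping changes nothing and the injection still succeeds."""
    sql = ("SELECT id, owner, title FROM links "
           f"WHERE hidden = 0 AND id = {escape_quotes(link_id)}")
    return conn.execute(sql).fetchall()


def search_param(conn, namesearch):
    """Parameterized: the value is bound, never parsed as SQL."""
    sql = "SELECT id, owner, title FROM links WHERE hidden = 0 AND title LIKE ?"
    return conn.execute(sql, (f"%{namesearch}%",)).fetchall()


def by_id_param(conn, link_id):
    """Parameterized numeric lookup: a non-numeric value simply matches nothing."""
    sql = "SELECT id, owner, title FROM links WHERE hidden = 0 AND id = ?"
    return conn.execute(sql, (link_id,)).fetchall()


def row_counts():
    """Rows returned by each variant for a benign input and for the two payloads."""
    conn = make_db()
    return {
        "concat_benign": len(search_concat(conn, "one")),
        "concat_injected": len(search_concat(conn, STRING_PAYLOAD)),
        "escaped_string_injected": len(search_escaped(conn, STRING_PAYLOAD)),
        "escaped_numeric_injected": len(by_id_escaped(conn, NUMERIC_PAYLOAD)),
        "param_string_injected": len(search_param(conn, STRING_PAYLOAD)),
        "param_numeric_injected": len(by_id_param(conn, NUMERIC_PAYLOAD)),
        "param_numeric_benign": len(by_id_param(conn, "1")),
    }


if __name__ == "__main__":
    for name, count in row_counts().items():
        print(f"{name:26s} {count} row(s)")
```

Run it directly to print the row counts. The concatenated and the escaped-numeric variants both return all three rows, hidden one included, which is the data exposure the two advisories describe; only the parameterized variants return nothing for either payload while still answering the benign lookup.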