Stocking Stuffers For Happy Hacking
2014: The Year of Privilege Vulnerabilities
5 Pitfalls to Avoid When Running Your SOC
'Grinch' Bug May Affect Most Linux Systems
The Coolest Hacks Of 2014
News & Commentary
Attackers Leverage IT Tools As Cover
Jai Vijayan, Freelance writerNews
The line between attack and defense tools has blurred.
By Jai Vijayan Freelance writer, 12/26/2014
Comment0 comments  |  Read  |  Post a Comment
Why Digital Forensics In Incident Response Matter More Now
Craig Carpenter, President & COO, Resolution1 SecurityCommentary
By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.
By Craig Carpenter President & COO, Resolution1 Security, 12/24/2014
Comment7 comments  |  Read  |  Post a Comment
JPMorgan Hack: 2FA MIA In Breached Server
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
Sources close to the breach investigation say a network server missing two-factor authentication let attackers make their way into JPMorgan's servers.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/24/2014
Comment9 comments  |  Read  |  Post a Comment
Backoff Malware Validates Targets Through Infected IP Cameras
Ericka Chickowski, Contributing Writer, Dark ReadingNews
RSA report on Backoff dives deeper into clues about the POS software and hints at attackers potentially located in India.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/23/2014
Comment1 Comment  |  Read  |  Post a Comment
How PCI DSS 3.0 Can Help Stop Data Breaches
Troy Leach and Christopher Strand, Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9Commentary
New Payment Card Industry security standards that take effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples.
By Troy Leach and Christopher Strand Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9, 12/23/2014
Comment1 Comment  |  Read  |  Post a Comment
North Korea's Internet Restored
Sara Peters, Senior Editor at Dark ReadingQuick Hits
Restoration of service weakens arguments that the US was responsible for the outage.
By Sara Peters Senior Editor at Dark Reading, 12/23/2014
Comment7 comments  |  Read  |  Post a Comment
North Korea Experiencing Internet Outages, Raising Questions About US Retaliation
Sara Peters, Senior Editor at Dark ReadingNews
Is it coincidence, or is a DDoS on North Korea's Internet infrastructure a "proportional response" by the US?
By Sara Peters Senior Editor at Dark Reading, 12/22/2014
Comment3 comments  |  Read  |  Post a Comment
The Coolest Hacks Of 2014
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative -- and yes, scary -- hacks this year by security researchers.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/22/2014
Comment8 comments  |  Read  |  Post a Comment
CISO Holiday Bookshelf
Ericka Chickowski, Contributing Writer, Dark Reading
A selection of interesting security reads perfect as gifts from and to the typical CISO.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/22/2014
Comment1 Comment  |  Read  |  Post a Comment
Security News No One Saw Coming In 2014
John B. Dickson, CISSP,  Principal, Denim GroupCommentary
John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.
By John B. Dickson CISSP, Principal, Denim Group, 12/22/2014
Comment12 comments  |  Read  |  Post a Comment
Startup Profile: Seculert Prioritizes Response Over Prevention
Andrew Conry Murray, Director of Content & Community, InteropCommentary
The cloud security newcomer Seculert aims to identify and validate data breaches to enable faster response and remediation.
By Andrew Conry Murray Director of Content & Community, Interop, 12/22/2014
Comment0 comments  |  Read  |  Post a Comment
The Internet's Winter Of Discontent
Paul Vixie, Chairman & CEO, Farsight Security, Inc.Commentary
The new great cybersecurity challenge in trying to sum up the most dangerous weaknesses in the worldís connected economy is that the hits just keep on coming.
By Paul Vixie Chairman & CEO, Farsight Security, Inc., 12/19/2014
Comment1 Comment  |  Read  |  Post a Comment
Obama: U.S. Will Respond 'Proportionately' To Sony Cyber Attack
Brian Prince, Contributing Writer, Dark ReadingNews
President Obama says the United States will take action against North Korea in response to the cyber-attack on Sony.
By Brian Prince Contributing Writer, Dark Reading, 12/19/2014
Comment20 comments  |  Read  |  Post a Comment
Time To Rethink Patching Strategies
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
In 2014, the National Vulnerability Database is expected to log a record-breaking 8,000 vulnerabilities. That's 8,000 reasons to improve software quality at the outset.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 12/19/2014
Comment14 comments  |  Read  |  Post a Comment
SDN And Security: Start Slow, But Start
Greg Ferro, Network Architect & BloggerNews
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul policies
By Greg Ferro Network Architect & Blogger, 12/19/2014
Comment0 comments  |  Read  |  Post a Comment
ICANN Hit By Cyberattack
Jai Vijayan, Freelance writerNews
Spear phishing campaign led to attackers gaining administrative access to one system.
By Jai Vijayan Freelance writer, 12/18/2014
Comment0 comments  |  Read  |  Post a Comment
Bad Bots On The Rise
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Humans remain outnumbered by bots online, new data shows.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/18/2014
Comment0 comments  |  Read  |  Post a Comment
Vawtrak: Crimeware Made-To-Order
Sara Peters, Senior Editor at Dark ReadingQuick Hits
A compartmentalized botnet with a wide selection of specialized web injects makes it easier to attack bank accounts across the globe.
By Sara Peters Senior Editor at Dark Reading, 12/18/2014
Comment0 comments  |  Read  |  Post a Comment
5 Pitfalls to Avoid When Running Your SOC
Jeff Schilling, CSO, FirehostCommentary
The former head of the US Army Cyber Command SOC shares his wisdom and battle scars about playing offense not defense against attackers.
By Jeff Schilling CSO, Firehost, 12/18/2014
Comment6 comments  |  Read  |  Post a Comment
Sony Cancels Movie, US Confirms North Korea Involvement, But Were Bomb Threats Empty?
Sara Peters, Senior Editor at Dark ReadingNews
After the Sony hackers issue threats of physical violence and 9/11-style attacks, The Interview is being killed before it even premieres. But would the attackers have really blown up theaters?
By Sara Peters Senior Editor at Dark Reading, 12/17/2014
Comment8 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
PR Newswire
Security News No One Saw Coming In 2014
John B. Dickson, CISSP, Principal, Denim Group,  12/22/2014
JPMorgan Hack: 2FA MIA In Breached Server
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/24/2014
The Coolest Hacks Of 2014
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/22/2014
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Balancing Accounting Policy & Security Strategy
A long-term approach involves focusing on security as a platform, instead of a selection of individual products and point defenses. Read >>
Partner Perspectives
What's This?
Cartoon
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Flash Poll
Video
Slideshows
Twitter Feed