Project Finds, Purges Vulnerable Code Snippets From The Net
May 23, 2012
Community effort hopes to clean up insecure code found in the public domain
Poorly Managed Firewall Rule Sets Will Flag An Audit
May 23, 2012
Auditors and compliance managers alike are depending on firewall management principles and tools to cut through the complexity
Malware 'Licensing' Could Stymie Automated Analysis
May 22, 2012
The use of encryption and digital-rights management techniques by the authors of malicious code could make automated analysis of malware take longer and require human intervention more often
Researchers 'Map' Android Malware Genome
May 22, 2012
New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools
Anonymous Hacks, Leaks U.S. Bureau of Justice Database
May 22, 2012
'Monday Mail Mayhem' campaign by hacktivist group posts 1.7-GB archive of emails and other data online
Revamp Mobile Policy To Secure The Cloud
May 21, 2012
A majority of employees bring their own devices into work and connect out to the cloud -- now it's time to gain greater control over the security of these devices
Tech Insight: Practical Threat Intelligence
Today's ever-changing threat landscape requires proactive security efforts to identify threats and adapt defenses quickly
Threat Intelligence Becoming A Do-It-Yourself Project For Enterprises
Building your own threat data collection and analysis function needn't be complex or expensive
What A DDoS Can Cost
Around 65 percent of IT pros say a DDoS costs their organizations $240,000 in lost revenue per day of the attack, and one-fifth say it would mean a loss of $1.2 million per day, new survey finds
Windows Gets Privacy Boost For DNS
New public-domain 'VPN For DNS' technology encrypts exposed link between Windows machines and DNS
6 Discoveries That Prove Mobile Malware's Mettle
Trojans, botnets, adware, and more are jumping from theoretical to practical
Obama Cybersecurity Czar Schmidt Steps Down
Howard A. Schmidt, the first-ever U.S. cybersecurity coordinator, has resigned and will retire later this month to enter academia
10 Symptoms Of Check-Box Compliance
These telltale signs show you care more about what the auditors think than what the attackers do
Crypto In The Cloud Secures Data In Spite Of Providers
With companies increasingly worried about their data in the cloud, a number of providers have cropped up to offer various types of encryption
Microsoft Skype IP Leakage Not New, Report Contends
Microsoft says it is investigating a report of a vulnerability that can expose the IP addresses of Skype users
How To Detect And Root Out Sophisticated Malware
New report offers insights on excising that hard-to-detect malware
SCADA/Smart-Grid Vendor Adopts Microsoft's Secure Software Development Program
Meanwhile, utilities lag when it comes to cyberattack preparedness and risk management at the executive and board level
Iranian Hackers Claim They Compromised NASA SSL Digital Certificate
'Cyber Warriors Team' says it stole information on thousands of NASA researchers via a man-in-the-middle attack
Security Index Marks A Year Of Doing Business Dangerously
The Index of Cyber Security has measured top security officers' sentiment on cyberthreats for more than a year. So what does the index's steady rise mean?
Logs Still Tough To Decipher, SANS Survey Says
More organizations employ log management and SIEM tools, but are still struggling to sort the bad traffic from the good
Are You A Human Confirms Man Or Machine With Games
Start-up offers new type of CAPTCHA that doesn't rely on discerning and typing letters and numbers from distorted text prompts
New .secure Internet Domain On Tap
'Safe neighborhood' top-level domain will require SSL, DNSSEC, and other security measures for websites
Trustworthy Internet Movement Builds SSL 'Avengers'
Industry's top names in SSL development agree to join task force
Why Some SMBs Still Fear The Cloud
Blind study commissioned by Microsoft shows disparity between those small to midsize businesses that have adopted cloud computing and security-as-a-service and those that have not
Fake Caller ID Attacks On The Rise
"Vishing" attacks increased by 52 percent in the second half of last year
More Than Half Of Cyberattacks Come From Asia
DDoS attacks worldwide on the rise, report finds
BeyondTrust Buys eEye
eEye co-founder Marc Maiffret now CTO of BeyondTrust
FBI Warns Travelers Using Hotel Networks About New Attack
The FBI says attackers are trying to trick users into installing malware with promises of software updates
Linux Users Beware: Patch New Samba Flaw 'Immediately'
Samba bug could spur targeted attacks or a worm -- but not all affected systems will get patched
State Of Utah Fires Tech Director Over Breach
Utah IT director 'lacked oversight and leadership' in incident that exposed personal details of 780,000, governor says
Selling A Secure Internet Domain
PayPal among organizations invited to help shape security protocol for .secure that also can be used in existing domains
Flashback Botnet Click-Fraud Operation Could Have Been More Profitable
The massive botnet of Mac computers left millions of dollars in potential profits on the table, researchers at Symantec say
Websites Select Security Services To Suppress DDoS, Other Attacks
Web application firewalls are a popular way to protect sites, but cloud and managed security services offer strong benefits to protect against denial-of-service attacks and compromise
5 Ways To Lose A Malicious Insider Lawsuit
Making the case against an insider takes preparation and proactive work with HR and legal
UNC Charlotte Breach Affected More Than 350,000
Data compromise at university is much larger than initially thought, report says
Microsoft Fingers Chinese Firewall/IPS Vendor In Windows Exploit Leak
Chinese firewall and IPS vendor Hangzhou DPTech Technologies kicked out of Microsoft Active Protections Program (MAPP) for its role in disclosure of Windows Remote Desktop (RDP) flaw earlier this year
Trend Micro Pioneers Integration Of Data-Loss Prevention (DLP) Across The Enterprise
User-Generated Content Singled Out In Military Dating Hack
ICSA Labs Launches First Testing Program Of VPN Security For Mobile Device
Intel Introduces Cloud-Based Identity Solution For Salesforce And Other Cloud Applications
Nominum Mobile Security Solution Protects Both The User And The Network
General Dynamics And Samsung Team To Deliver Secure Wireless Products
Execs To Study Cyber Security In New NYU-Poly Master's Degree Track
Cyber-Ark Partners With Carahsoft To Deliver IT Security Solutions To Government Sector
Guidance Software Launches EnCase App Central
CNET
FBI Quietly Forms Secretive Net-Surveillance Unit
MAY 23, 2012
The Domestic Communications Assistance Center will develop new electronic surveillance technologies, including intercepting Internet, wireless, and VoIP communications
WIRED
NSA Teams Up With Colleges To Train Students For Secret Cyber-Ops Jobs
MAY 23, 2012
The National Security Agency is partnering with Dakota State University, Naval Postgraduate School, Northeastern University, and University of Tulsa to train students in cyberoperations for intelligence, military, and law enforcement jobs -- work that will remain secret to all but a select group of students and faculty who pass clearance requirements, according to Reuters
HEALTHCARE INFOSECURITY
20 Million Affected By Health Breaches
MAY 23, 2012
The U.S. government's count of individuals affected by major healthcare information breaches since September 2009 has now exceeded 20 million, across 435 incidents
APPLE INSIDER
IBM Bans Apple's Siri From Its Internal Networks For Security
MAY 23, 2012
IBM has barred Apple's Siri and Dictation features for iOS because Apple converts users' spoken input to text and collects it
COMPUTERWORLD
Pwnium Hacking Contest Winners Exploited 16 Chrome Zero-Days
MAY 23, 2012
Google yesterday revealed that 'Pinkie Pie' used six previously unknown flaws, and Sergey Glazunov 10, to hack Chrome in March during the company's Pwnium hacking contest
THREAT POST
Common Firewall Feature Enables TCP Hijacking Attacks
MAY 23, 2012
University of Michigan researchers found that a feature common to many firewalls and other networking equipment could be abused to hijack Web sessions on mobile and desktop devices
NAKED SECURITY BLOG
Bredolab: Jail For Man Who Masterminded Botnet Of 30 Million Computers
MAY 23, 2012
Georg Avanesov, who made $125,000 a month from the massive Bredolab botnet and lived a lavish lifestyle, was sentenced to four years in jail in Armenia
TORRENT FREAK
Megaupload's Kim Dotcom Refuses To Give Up Passwords
MAY 23, 2012
Megaupload founder Kim Dotcom wants access to 135 computers and hard drives that were seized from his home in January and refuses to provide his passwords to encrypted data stored on them until he gets them back
A look at the 25 most popular stories ever posted on the pages of Dark Reading.
- Security Pros With Written Career Plans Make More Money
- 'Robin Sage' Profile Duped Military Intelligence, IT Security Pros
- Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps
- Anatomy Of A Targeted, Persistent Attack
- Security's Top 4 Social Engineers Of All Time
- Six Messy Database Breaches So Far In 2010
- Kaminsky Issues Developer Tool To Kill Injection Bugs
- Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property
- Slideshow: Fashion Statements From Defcon 2010
- Turkish Hackers Take Out Top Porn Site
- Attack Unmasks User Behind The Browser
- Five Ways To (Physically) Hack A Data Center
- New IM Worm Spreading Fast
- Facebook's Security Team Frustrates Cybercriminals
- 'Aurora' Exploit Retooled To Bypass Internet Explorer's DEP Security
- U.S. Fails Test In Simulated Cyberattack
- Six Healthcare Data Breaches That Might Make Security Pros Sick
- Secure USB Flaw Exposed
- Suspected Child Porn Hub Taken Offline
- Why Employees Break Security Policy (And What You Can Do About It)
- N.J. Supreme Court Rules Employers Can't Always Read Personal Email
- Social Engineering, The USB Way
- Antivirus Rarely Catches Zbot Zeus Trojan
- 7 Steps For Protecting Your Organization From 'Aurora'
- Busted Alleged Russian Spies Used Steganography To Conceal Communications
Take The Value of Information Security Certifications Survey
Just what value information security certifications really provide the security professional is a widely debated topic. Information Security Leaders, an independent security career website, wants to hear from you, the information security pro, on whether these certifications are meaningless or valuable to your career. Take the anonymous survey on how security pros feel about this topic here. You can also receive the final results via email.
Free Vulnerability Management Trial
Qualys is offering a free 14-day trial of its vulnerability management solution, which helps enterprises identify, fix, and report on network security threats.
Free Security Tools from Sophos
Scan for security risks, threats, rootkits and unauthorized applications.
Info-Tech Research Group
A specialist in small and medium-sized businesses, Info-Tech offers a different perspective than research houses that focus on the Fortune 1000.
Sponsored Resource Center
Current Issue
In this issue:
- Close The Door On Data Leaks: Stop insider theft and accidental disclosure with network and host controls--and don't forget to keep employees on their toes.
- Make Security Everyone's Business: Even the best data leak prevention tools will fail if employees don't make security a priority.
- Lessons From The Global Payments Breach: Recent attack underscores problems with knowledge-based authentication and perimeter defense.
- FTC Proposes "Privacy By Design": The agency's privacy guidelines could raise issues for e-commerce and online advertising.
In this supplement:
- Endpoint Insecurity: Employees and their browsers might be the weak link in your security plan. Here's how to close the gap.
- Get Security Savvy: Tim Wilson explains why security-aware end users make such a difference.
- Read the Supplemental Issue
Video
- Big Data at High Speed: Complex Event Processing at 10x
- Unlock the Value of Your Business Data: IBM's Integration Solution for .NET Environments
- The Dell Difference: Lessons from Dell’s Own IT Transformation
- Enhance Business Performance with Process Oriented Data Stewardship
- Insurance Workforce Optimization: How To Work Smarter To Benefit Your Customers, Employees and the Bottom Line
Evil Bytes
BY John H. Sawyer
Analyzing Android, iOS Apps For Weak Data Protection, Cleartext Passwords
May 04, 2012
02:54 PM -- Analysis reveals mobile apps designed to protect things like photos and passwords do a poor job, often storing them in plain text with no encryption at all.
SophosLabs Insights
BY Brian Royer, SophosLabs
What A Secure Top-Level Domain Can And Can't Do
May 24, 2012
08:53 AM -- Is the .secure domain a better mousetrap or does it lead only to the same dead end?
Hacked Off
BY Mike Rothman
Time To Deploy The FUD Weapon?
May 16, 2012
01:23 PM -- When suffering from compliance fatigue, you may have only one option to getting the funding you need to do your job
Security Views
BY Glenn S. Phillips
Don’t Be The Nerdiest Person In The Room
May 24, 2012
09:28 AM -- Technical language has its place, but overuse hampers compliance
Dark Dominion
BY Tim Wilson
Dark Reading Launches New Tech Center On Threat Intelligence
May 14, 2012
09:27 AM -- Subsite of Dark Reading will look at collection and analysis of data on emerging threats
Featured Resources
Security Whitepapers
- What is SaaS, and Should SMBs Consider Using It?
- The Compliance Trap: Compliance for compliance's sake is not a best practice in protecting cardholder data
- Secure Managed Web Hosting Saves 960.gs from Malicious Hackers
- Access Governance as a Business Service: An Integrated Strategy for Automation with ITSM
- Business Driven Access Management and Governance: Simplifying the Delivery and Governance of Access Throughout
Security pros generally happy with products; not so much with awareness programs
Published: 2010-11-03
Severity: High
Description: Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.
Published: 2010-11-03
Severity: High
Description: Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.
Published: 2010-11-03
Severity: Medium
Description: Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
Published: 2010-11-03
Severity: High
Description: Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.
Published: 2010-11-03
Severity: Medium
Description: SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.