News & Commentary
Latest Content
Be Aware: 8 Tips for Security Awareness Training
Slideshows | 9/29/2014
Hint: One giant security training session to rule them all is not the way to go.
New Bash Bugs Surface
News | 9/29/2014
Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk.
Making Sense Of Shellshock Attack Chaos
News | 9/29/2014
Attacks against the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.
Can We Talk? Finding A Common Security Language
Commentary | 9/29/2014
How engineers can get beyond the crippling vocabulary and semantic barrier of infosec and actually communicate about cyber risk with bosses and business colleagues.
When Layers On Layers Of Security Equals LOL Security
News | 9/29/2014
Defense-in-depth is often poorly executed when architecture is not carefully considered.
Apple: Majority Of Mac OS X Users Not At Risk To 'Shellshock'
News | 9/26/2014
According to Apple, Mac OS X systems are not exposed to remote exploits of Bash unless users have certain UNIX services configured.
Breach Awareness Made Easy
Dark Reading Videos | 9/26/2014
What if companies had to disclose breach history in the same way food companies display nutritional information?
Shellshocked: A Future Of 'Hair On Fire' Bugs
Commentary | 9/26/2014
Most computers affected by Bash will be updated within 10 years. The rest will be vulnerable for the lifespans of all humans now living. This should concern us. But then, global warming should also concern us.
Breached Retailers Harden PoS, For Now
News | 9/25/2014
Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption.
Malvertising Could Rival Exploit Kits
News | 9/25/2014
A spate of malvertising campaigns has gained steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated.
'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild
News | 9/25/2014
CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OS X, and IoT endpoints are all at risk.
'BERserk' Bug Uncovered In Mozilla NSS Crypto Library Impacts Firefox, Chrome
News | 9/25/2014
Attackers can exploit the bug to create forged RSA certificates -- it affects versions of Firefox, Thunderbird, Chrome, and SeaMonkey.
How SaaS Adoption Is Changing Cloud Security
Commentary | 9/25/2014
Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.
Bash Bug May Be Worse Than Heartbleed
News | 9/24/2014
Linux, Unix, and Internet of Things devices are affected by the critical vulnerability.
Jimmy John's Gourmet Sandwiches POS Systems Hacked
Quick Hits | 9/24/2014
Sandwich chain is the latest data breach victim, with credit and debit card data breached in 216 of its restaurants.
Incident Response Fail
News | 9/24/2014
Fortune 500 companies with incident response teams and plans in place are pessimistic about their effectiveness amid a climate of data breach domination.
From Securities To Security: Why The SEC Is Bringing Cyber To The Boardroom
Commentary | 9/24/2014
The SEC is emerging as a key proponent of corporate cyber security responsibility and diligence. What does that mean for the CISO?
Are Directories The On-Premises Sacred Cow?
News | 9/23/2014
As a server orchestration startup reengineers itself into a directory-as-a-service play, the question is why the market hasn't moved to say goodbye to Active Directory and LDAP.
ISIS Cyber Threat To US Under Debate
News | 9/23/2014
ICS/SCADA systems and networks are hackable but not easily cyber-sabotaged without industrial engineering know-how, experts say.
Creating A DDoS Response Playbook
News | 9/23/2014
A new report details challenges posed by DDoS attacks that you might not have considered.
'Hand-To-Hand Digital Combat' With Threat Actors
Quick Hits | 9/23/2014
CrowdStrike CEO and co-founder George Kurtz explains how to fight attackers, not fight malware.
Hacking Hackers: Taking Matters Into Private Hands
News | 9/23/2014
Private groups are fighting back against foreign sources of malware and credit fraud. But their methodologies put these digital crusaders and their employers at serious legal risk.
Dark Reading Radio: Trends In Application Security
Commentary | 9/23/2014
How can we get more security baked into applications? Join us for a discussion today, Wednesday, September 24, at 1:00 p.m. New York, 10 a.m. San Francisco time.
Mobile-Only Employee Trend Could Break Security Models
News | 9/22/2014
One-third of employees exclusively use mobile devices for work, but security organizations still aren't shifting their risk management focus.
The Truth About Ransomware: You're On Your Own
Commentary | 9/22/2014
What should enterprises do when faced with ransomware? The answer is, it depends.
5 Top Tips For Outsourced Security
Infographics | 9/22/2014
It's one thing to hire a third-party developer to build a mobile app. It's quite another to trust a pen tester, MSSP, or DDoS protection firm. But the fact is, the threat landscape is complex, and few organizations can keep security completely in house. Here's how to decide what to outsource and how to select and manage providers.
5 Ways To Think Outside The PCI Checkbox
News | 9/19/2014
New PCI Council GM plans to help organizations move their practices beyond a compliance mentality into risk-based security.
Home Depot Breach Surpasses Target In Scope
News | 9/19/2014
New details have emerged about the breach affecting Home Depot, which exposed 56 million payment cards in stores in the US and Canada and utilized custom malware.
Mobile Device Security Isn't All About Devices
Dark Reading Videos | 9/19/2014
Roberto Medrano, executive vice president of SOA Software, explains why securing mobile applications and APIs is so essential.
An AppSec Report Card: Developers Barely Passing
Commentary | 9/19/2014
A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security topics such as how to protect sensitive data, Web services, and threat modeling.
Is Enterprise IT Security Ready For iOS 8?
News | 9/19/2014
Apple bakes in more security features, but iOS 8 won't come without security ops headaches.
5 Ways To Monitor DNS Traffic For Security Threats
Commentary | 9/18/2014
Check out these examples of how to implement real-time or offline traffic monitoring using common commercial or open source security products.
Google Backs New Effort To Simplify Security
Quick Hits | 9/18/2014
New organization Simply Secure aims to promote and shape more user-friendly security and privacy technologies on the Internet.
US Military In The Dark On Cyberattacks Against Contractors
News | 9/18/2014
A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.
7 Reasons To Love Passwords
Slideshows | 9/17/2014
Passwords are often ridiculed, but there are some reasons they should be your nearest and dearest authentication factor.
Cyberspies Resuscitate Citadel Trojan For Petrochemical Attacks
News | 9/17/2014
The Citadel Trojan is a rare and odd choice of malware for cyber espionage purposes, experts say.
Data Privacy Etiquette: It's Not Just For Kids
Commentary | 9/17/2014
Children are the innocent victims of the worst effects of social media. That's why it's vital for adults to establish privacy values that are safe for them -- and the rest of us.
Meet The Next Next-Gen Firewall
News | 9/16/2014
Or at least the latest iteration of one of the oldest-running security tools, which continues to evolve and transform with the times.
Browser Vulnerability 'Privacy Disaster' For 3 Of 4 Android Users
Quick Hits | 9/16/2014
An exploit of an unsupported Android browser bypasses the ever-important Same Origin Policy.
New CVE Naming Convention Could Break Vulnerability Management
News | 9/16/2014
MITRE sets a deadline for releasing new CVEs with a different ID format syntax, regardless of how many vulnerabilities we see in 2014.
DR Radio: A Grown-Up Conversation About Passwords
Commentary | 9/16/2014
Cormac Herley of Microsoft Research will challenge everything you think you know about password management.
In Defense Of Passwords
Commentary | 9/16/2014
Long live the password (as long as you use it correctly along with something else).
Worm Illuminates Potential NAS Nightmare
News | 9/15/2014
A researcher at Black Hat Europe hopes to demonstrate a homegrown, self-replicating worm to illustrate major threats to popular network-attached storage systems.
Internet Of Things Devices Are Doomed
News | 9/15/2014
Security researchers hack Canon printer firmware to run the classic '90s video game Doom, as well as to wreak havoc with other manipulations.
5 Myths: Why We Are All Data Security Risks
Commentary | 9/15/2014
I am absolutely sure that I could be tricked by a well-crafted spear phishing attack, and I am equally sure I could do the same to you.
Security Ops Confidence Levels Drop
News | 9/12/2014
Survey shows most organizations are unable to keep up with new and emerging threats from state-sponsored attackers.
Why Email Is Worth Saving
Commentary | 9/12/2014
What if an Internet-scale, federated policy, authentication, and enforcement framework for trusted email delivery were available? It is.
Veracode Secures $40M In Funding As IPO Looms
News | 9/12/2014
Security firm plans to increase investments in sales, marketing, and research and development.
Franchising The Chinese APT
News | 9/11/2014
At least two different cyber espionage gangs in China appear to be employing uniform tools and techniques, FireEye finds.
Home Depot Breach May Not Be Related To BlackPOS, Target
News | 9/11/2014
New analysis of the malware earlier identified as a BlackPOS variant leads some researchers to believe that they are two different malware families entirely.
Current Issue: Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Bug Report: Enterprise Vulnerabilities (from DHS/US-CERT's National Vulnerability Database)
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which "." is not a reserved name, which allows local users to hide activities and make it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Dark Reading Radio
In our next Dark Reading Radio broadcast, we'll take a close look at some of the latest research and practices in application security.