News & Commentary
Latest Content
Intelligence-Sharing Suffers Growing Pains
News  |  4/23/2014  | 
For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds.
Android Heartbleed Alert: 150 Million Apps Still Vulnerable
News  |  4/23/2014  | 
Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.
Workplace Data Privacy Vs. Security: The New Balance
Commentary  |  4/23/2014  | 
Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?
Michaels Data Breach Response: 7 Facts
News  |  4/22/2014  | 
Could the retailer have done more to spot the eight-month intrusion in the first place?
Bots Attack US Mainly During Dinnertime
Quick Hits  |  4/22/2014  | 
Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.
Black Hat USA 2014: Digital Forensics (a.k.a. CSI Online)
Event Updates  |  4/22/2014  | 
As more and more crimes occur online, digital forensics becomes ever more important in identifying hostile entities who would do your company harm. Today's trio of Black Hat 2014 Trainings highlight the skills modern investigators need to pick up on breaches, collect evidence, and see things through to a successful conclusion.
7 Tips To Improve 'Signal-to-Noise' In The SOC
Commentary  |  4/22/2014  | 
When security analysts are desensitized to alerts because of sheer volume, they miss the true positives that can prevent a large-scale data breach. Here's how to up your game.
Free Scanning Tool Promises To Find Heartbleed On Any Device
Quick Hits  |  4/22/2014  | 
CrowdStrike says tool identifies the flaw on web servers, VPNs, servers, routers, printers, and phones.
Stolen Passwords Used In Most Data Breaches
News  |  4/22/2014  | 
New Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93 percent of security incidents in the past decade.
FAQ: Understanding The True Price of Encryption
Commentary  |  4/21/2014  | 
In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.
Heartbleed Attack Targeted Enterprise VPN
News  |  4/21/2014  | 
Attack spotted using the OpenSSL Heartbleed bug to steal session tokens and bypass two-factor authentication.
Michaels Retail Chain Reveals Details Of Breach: Nearly 3M Affected
Quick Hits  |  4/18/2014  | 
Attack on point-of-sale systems went on for more than six months, officials say.
Poll: Dark Reading Community Acts On Heartbleed
Commentary  |  4/18/2014  | 
Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.
Heartbleed: A Password Manager Reality Check
News  |  4/18/2014  | 
Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?
Phishers Recruit Home PCs
News  |  4/18/2014  | 
Residential broadband machines spotted hosting phishing attacks.
SQL Injection Cleanup Takes Two Months or More
Quick Hits  |  4/17/2014  | 
A new report highlights the prevalence and persistence of SQL injection attacks.
Satellite Communications Wide Open To Hackers
News  |  4/17/2014  | 
Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.
11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue
News  |  4/17/2014  | 
Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.
Microsoft Delays Enterprise Windows 8.1 Support Doomsday
News  |  4/17/2014  | 
Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.
How A Little Obscurity Can Bolster Security
Commentary  |  4/17/2014  | 
Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?
Did A Faulty Memory Feature Lead To Heartbleed?
News  |  4/16/2014  | 
Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.
The Real Wakeup Call From Heartbleed
Commentary  |  4/16/2014  | 
There's nothing special about Heartbleed. It's another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.
Mobility: Who Bears The Brunt Of Data Security & Privacy
Commentary  |  4/16/2014  | 
OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.
Don't Blame It On The Web Programming Platform
Quick Hits  |  4/15/2014  | 
New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.
White House Details Zero-Day Bug Policy
News  |  4/15/2014  | 
NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.
Black Hat USA 2014: Pentesting? Thought You'd Never Ask
Event Updates  |  4/15/2014  | 
If Black Hat USA 2014 isn't quite around the corner, it's definitely on the horizon, and the team is hard at work putting together this year's programming.
Active Directory Is Dead: 3 Reasons
Commentary  |  4/15/2014  | 
These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.
Heartbleed's Intranet & VPN Connection
News  |  4/14/2014  | 
How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.
Akamai Withdraws Proposed Heartbleed Patch
News  |  4/14/2014  | 
As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.
CIO Vs. CSO: Allies Or Enemies?
Commentary  |  4/14/2014  | 
In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.
'Baby Teeth' In Infrastructure Cyber Security Framework
Commentary  |  4/14/2014  | 
NIST's modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.
Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says
News  |  4/11/2014  | 
New report details the rise of suspected Iranian and Syrian-based cyber-attacks.
Free Heartbleed-Checker Released for Firefox Browser
Quick Hits  |  4/11/2014  | 
Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk.
Windows XP Alive & Well in ICS/SCADA Networks
News  |  4/10/2014  | 
End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.
Heartbleed Will Go On Even After The Updates
News  |  4/10/2014  | 
What's next now that the mindset is 'assume the worst has already occurred?'
Flash Poll: Broken Heartbeat
Commentary  |  4/10/2014  | 
What steps do you plan to take in response to the Heartbleed bug? Take our poll and share your reasons in the comments.
Heartbleed: Examining The Impact
Commentary  |  4/10/2014  | 
With Heartbleed, there's little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here's how to defend against future attacks.
Majority Of Users Have Not Received Security Awareness Training, Study Says
Quick Hits  |  4/10/2014  | 
Many users fail to follow policies on mobile, cloud security, EMA Research study says.
More Than A Half-Million Servers Exposed To Heartbleed Flaw
News  |  4/9/2014  | 
What the newly exposed SSL/TLS threat really means for enterprises and end-users.
What's Worse: Credit Card Or Identity Theft?
Commentary  |  4/9/2014  | 
When it comes to data loss, it's time for the conversation to shift from credit cards to personal information like Social Security numbers, home addresses, and your favorite flavor of ice cream.
Emergency SSL/TLS Patching Under Way
News  |  4/8/2014  | 
A "Heartbleed" flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.
One Year Later: The APT1 Report
Commentary  |  4/8/2014  | 
One of the most positive impacts of APT1 is the undeniable rise in the stature of the threat intelligence industry. "Threat Intelligence" is the SIEM, the NAC of 2014.
Operation Stop the Exfiltration
News  |  4/7/2014  | 
Determined cybercriminals and cyberspies will find their way to the data they want, but there are ways to trip them up as they try to make their way out.
Social Engineering Grows Up
News  |  4/7/2014  | 
Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat.
If Mother Nature Were A CISO
Commentary  |  4/7/2014  | 
There are many defensive patterns in nature that also apply to information security. Here's how to defeat your predators in the high-stakes game of corporate survival and resiliency.
We Are the Perimeter
Guest Blogs  |  4/7/2014  | 
End users, not technology, define the boundaries of the enterprise. Security strategies must protect this new perimeter.
Tech Insight: Making Data Classification Work
Commentary  |  4/4/2014  | 
Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.
Advanced Attacks Are The New Norm, Study Says
Quick Hits  |  4/4/2014  | 
According to the Websense 2014 Threat Report, most malicious exploits now are advanced and targeted.
Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks
News  |  4/4/2014  | 
Even Internet service providers that go to great lengths to protect their networks are vulnerable.
NSA's Big Surprise: Gov't Agency Is Actually Doing Its Job
Commentary  |  4/4/2014  | 
When people claimed after 9/11 that the NSA was ill equipped to deal with a changing world, I wonder what they expected to happen.
Current Issue
Containing Corporate Data on Mobile Devices
If you're still focused on securing endpoints, you've got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Dark Reading - Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

CVE-2014-2393
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.

CVE-2011-5279
Published: 2014-04-23
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.
