Software Assurance: Time to Raise the Bar on Static Analysis
Commentary by Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 9/30/2014
The results from tool studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
Coordinated Attacks Call For More Sophisticated Cyber Defense
Commentary by Henry Kenyon, 9/29/2014
Agencies and industry are rethinking how they defend against coordinated attacks by teams of specialized hackers.
Making Sense Of Shellshock Attack Chaos
News by Ericka Chickowski, Contributing Writer, Dark Reading, 9/29/2014
Attacks exploiting the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.
Shellshock's Threat To Healthcare
Commentary by Mac McMillan, CEO, CynergisTek, 9/29/2014
The Bash bug is everywhere, including in medical devices. The industry must be better prepared to protect itself and patients.
When Layers On Layers Of Security Equals LOL Security
News by Ericka Chickowski, Contributing Writer, Dark Reading, 9/29/2014
Defense-in-depth is often poorly executed when architecture is not carefully considered.
Breach Awareness Made Easy
Commentary (Video) by Sara Peters, Senior Editor at Dark Reading, 9/26/2014
What if companies had to disclose breach history in the same way food companies display nutritional information?
Shellshocked: A Future Of ‘Hair On Fire’ Bugs
Commentary by Paul Vixie, Chairman & CEO, Farsight Security, Inc., 9/26/2014
Most computers affected by Bash will be updated within 10 years. The rest will be vulnerable for the lifespans of all humans now living. This should concern us. But then, global warming should also concern us.
Malvertising Could Rival Exploit Kits
News by Ericka Chickowski, Contributing Writer, Dark Reading, 9/25/2014
A spate of malvertising campaigns has gained steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated.
'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild
News by Sara Peters, Senior Editor at Dark Reading, 9/25/2014
CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OS X, and IoT endpoints are all at risk.
'BERserk' Bug Uncovered In Mozilla NSS Crypto Library Impacts Firefox, Chrome
News by Brian Prince, Contributing Writer, Dark Reading, 9/25/2014
Attackers can exploit the bug to create forged RSA certificates -- it affects versions of Firefox, Thunderbird, Chrome, and SeaMonkey.
How SaaS Adoption Is Changing Cloud Security
Commentary by Tal Klein, VP Strategy, Adallom, 9/25/2014
Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.
From Securities To Security: Why The SEC Is Bringing Cyber To The Boardroom
Commentary by Stephen Boyer, CTO & Founder, BitSight Technologies, 9/24/2014
The SEC is emerging as a key proponent of corporate cyber security responsibility and diligence. What does that mean for the CISO?
Creating A DDoS Response Playbook
News by Brian Prince, Contributing Writer, Dark Reading, 9/23/2014
A new report details challenges posed by DDoS attacks that you might not have considered.
Healthcare Needs Cyber Security Leadership & Governance
Commentary by Mansur Hasib, Contributing Writer, 9/23/2014
Cyber security breaches point to a bigger problem than inadequate security technology or processes. They point to failed leadership and governance strategies.
Dark Reading Radio: Trends In Application Security
Commentary by Marilyn Cohodas, Community Editor, Dark Reading, 9/23/2014
How can we get more security baked into applications? Join us for a discussion today, Wednesday, September 24, at 1:00 p.m. New York, 10 a.m. San Francisco time.
The Truth About Ransomware: You’re On Your Own
Commentary by Andrew Hay, Sr. Security Research Lead & Evangelist, OpenDNS, 9/22/2014
What should enterprises do when faced with ransomware? The answer is, it depends.
Home Depot Breach Surpasses Target In Scope
News by Brian Prince, Contributing Writer, Dark Reading, 9/19/2014
New details have emerged about the breach affecting Home Depot, which exposed 56 million payment cards in stores in the US and Canada and utilized custom malware.
An AppSec Report Card: Developers Barely Passing
Commentary by Jeff Williams, CTO, Aspect Security & Contrast Security, 9/19/2014
A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security topics such as protecting sensitive data, securing Web services, and threat modeling.
5 Ways To Monitor DNS Traffic For Security Threats
Commentary by Dave Piscitello, VP Security, ICANN, 9/18/2014
Check out these examples of how to implement real-time or offline traffic monitoring using common commercial or open source security products.
US Military In The Dark On Cyberattacks Against Contractors
News by Brian Prince, Contributing Writer, Dark Reading, 9/18/2014
A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.
Security Insights
3 Places to Enable 2-Factor Authentication Now
Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.
Bug Report: Enterprise Vulnerabilities (from DHS/US-CERT's National Vulnerability Database)
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.