Dark Reading | Security | Protect The Business

Advertise With Us

About Us

Digital Subscription

What Government Can (And Can't) Do About Cybersecurity

Could The Sony Attacks Happen Again? Join The Conversation

2015: The Year Of The Security Startup – Or Letdown

Top Stories

What Government Can (And Can't) Do About ...

Could The Sony Attacks Happen Again? Join ...

Why Russia Hacks

2015: The Year Of The Security Startup ...

Cartoon: End-User Ed

News & Commentary

Power Consumption Technology Could Help Enterprises Identify Counterfeit Devices

Tim Wilson, Editor in Chief, Dark Reading

Commentary

Understanding a device's "power fingerprint" might make it possible to detect security anomalies in Internet of Things as well, startup says

By Tim Wilson Editor in Chief, Dark Reading, 1/26/2015

1 Comment | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Fascinating blog, Tim. Very cool intrusion detection technology. Seems like...

Security Skills Shortage? Don’t Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance.

By Carric Dooley WW VP of Foundstone Services, Intel Security, 1/26/2015

1 Comment | Read | Post a Comment

latest comment Marilyn Cohodas Assuming that "you" is referring to "users," I'm wondering what security awareness...

Adobe Fixes Second Flash Flaw Exploited By Angler

Ericka Chickowski, Contributing Writer, Dark Reading

News

Second 0-day fix addresses UAF vulnerability.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/26/2015

0 comments | Read | Post a Comment

Building A Cybersecurity Program: 3 Tips

Jason Sachowski, Senior Forensic Investigator, Scotiabank

Commentary

Getting from “we need” to “we have” a cybersecurity program is an investment in time and resources that’s well worth the effort.

By Jason Sachowski Senior Forensic Investigator, Scotiabank, 1/26/2015

0 comments | Read | Post a Comment

Growing Open Source Use Heightens Enterprise Security Risks

News

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

By Jai Vijayan Freelance writer, 1/23/2015

7 comments | Read | Post a Comment

Latest Comment: Dr.T, Agree. As I mentioned in my other post, there is no hard link between open...

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave

Commentary

Conventional wisdom holds that Russia hacks primarily for financial gain. But equally credible is the belief that the Russians engage in cyberwarfare to further their geopolitical ambitions.

By Mike Walls Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

16 comments | Read | Post a Comment

Latest Comment: lynnbr2, Russia & China both have a long history of hacking for over fifty years....

Diverse White Hat Community Leads To Diverse Vuln Disclosures

Sara Peters, Senior Editor at Dark Reading

News

Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.

By Sara Peters Senior Editor at Dark Reading, 1/22/2015

6 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, The key to the success of these bug-bounty programs relies on the credibility...

The Internet of Abused Things

We need to find ways to better secure the Internet of Things, or be prepared to face the consequences.

By Liviu Arsene Senior E-threat Analyst, Bitdefender, 1/22/2015

0 comments | Read | Post a Comment

NSA Report: How To Defend Against Destructive Malware

Kelly Jackson Higgins, Executive Editor at Dark Reading

Quick Hits

In the wake of the Sony breach, spy agency's Information Assurance Directorate (IAD) arm provides best practices to mitigate damage of data annihilation attacks.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/22/2015

3 comments | Read | Post a Comment

Latest Comment: macker490, 1. use a secure O/S. 2. look into using Named Spaces remember that in implementing...

What Government Can (And Can’t) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security

Commentary

In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.

By Jeff Williams CTO, Aspect Security & Contrast Security, 1/22/2015

17 comments | Read | Post a Comment

Latest Comment: jleon570, It seems to me that "raising the bar for developers" isn't practical for the...

Protect Yourself by Protecting Others

How the consumerization of IT is affecting endpoint security.

By Candace Worley SVP & GM, Endpoint Security Business, Intel Security, 1/22/2015

0 comments | Read | Post a Comment

President's Plan To Crack Down On Hacking Could Hurt Good Hackers

News

Security experts critical of President Obama's new proposed cybersecurity legislation.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/21/2015

9 comments | Read | Post a Comment

Latest Comment: Wolf6305, Thanks for the voice of agreement. I think that a small group of people...

Security Budgets Going Up, Thanks To Mega-Breaches

News

Sixty percent of organizations have increased their security spending by one-third -- but many security managers still don't think that's enough, Ponemon study finds.

By Sara Peters Senior Editor at Dark Reading, 1/21/2015

5 comments | Read | Post a Comment

Latest Comment: GonzSTL, Case in point could be Target, the breach that keeps on giving. Incident Response...

Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit

Quick Hits

Researcher Kafeine's 0day discovery confirmed by Malwarebytes.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Thanks, @Jon. I was about to post an update here about the patch. http://blogs.adobe.com/psirt/?p=1157 And...

Facebook Messenger: Classically Bad AppSec

Commentary

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

By Daniel Riedel CEO, New Context, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, I find it particulary disturbing that Facebook exhibits such flagrant disregard...

Could The Sony Attacks Happen Again? Join The Conversation

Commentary

Check out Dark Reading Radio's interview and live chat with CrowdStrike founder and CEO George Kurtz and Shape Security executive Neal Mueller.

By Tim Wilson Editor in Chief, Dark Reading, 1/21/2015

12 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, So noted, Gonz. We may not be hitting this exact topic immediately. But we've...

Ransomware Leads Surge In 2014 Mobile Malware Onslaught

News

Mobile malware increases 75 percent in U.S.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: impactnow, Do you think the current software is adequate to protect our phones or do you...

'123456' & 'Password' Are The 2 Most Common Passwords, Again

Quick Hits

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

By Sara Peters Senior Editor at Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: RyanSepe, I think options are the worst part of creating a password. UserID's and passwords...

New Technology Detects Cyberattacks By Their Power Consumption

News

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/20/2015

2 comments | Read | Post a Comment

Latest Comment: MichaelE546, Ingenious but I agree with Whoopty on this technique having the "Car Alarm"...

Recruit, Reward & Retain Cybersecurity Experts

How to create a better working environment for security professionals.

By Carric Dooley WW VP of Foundstone Services, Intel Security, 1/20/2015

5 comments | Read | Post a Comment

latest comment CarricDooley I would argue that the CISO often DOES pay - with his job. (A friend of mine...

More Stories

Current Conversations

Posted by Dr.T

Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source...

In reply to: Re: blast from the past
Post Your Own Reply

Posted by Dr.T

I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.

In reply to: Re: Frankenstein
Post Your Own Reply

Posted by Dr.T

I would agree with them. It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it.

In reply to: Re: WhiteSource proves that open source is safe if used responsibly
Post Your Own Reply

Posted by Dr.T

I would like to make a point that there is no an hard link between open source and security. Some open source systems are quite secure some are not. The same goes with the closed system, Windows is a closed system...

In reply to: Open source and security
Post Your Own Reply

Posted by Marilyn Cohodas

Assuming that "you" is referring to "users," I'm wondering what security awareness tools community members find to be the most (or least) effective ...

In reply to: Admit that you have a problem....
Post Your Own Reply

Posted by Marilyn Cohodas

Fascinating blog, Tim. Very cool intrusion detection technology. Seems like a no brainer for SCADA systems, but the IOT applications are definitely an interesting possiblity.

In reply to: Very cool technology..
Post Your Own Reply

Posted by jleon570

It seems to me that "raising the bar for developers" isn't practical for the very reasons you cited as the reasons: the staggering complexity. The number of "developers" in the world is too large to be hogtied. Perhaps...

In reply to: Problematic solutions at best.
Post Your Own Reply

Posted by Marilyn Cohodas

Yep, I've been on the receiving end of a few security presentations that looked like that. Funny cartoon that rings too true. :-)

In reply to: Been there..
Post Your Own Reply

Posted by Marilyn Cohodas

The key to the success of these bug-bounty programs relies on the credibility and legitimacy of the white-hat hackers. Not sure that a platform like Wooyun is the right model of the U.S. , especially under the existing...

In reply to: Re: Alas...
Post Your Own Reply

Posted by Marilyn Cohodas

Good points,@andregironda. If you haven't already, I hope you will take a few minutes to check out and comment on Mike's follow up blogs on why Russia and North Korea hack. Coming up next is Iran, then US & Israel. So stay...

In reply to: Re: Why the Hack Not?
Post Your Own Reply

Posted by Neta1

WhiteSource has been helping companies of all sizes to responsibly and effortlessly manage the open source components they use. We've been doing it since 2011 and for all programming languages, we are in a unique position...

In reply to: WhiteSource proves that open source is safe if used responsibly
Post Your Own Reply

Posted by lynnbr2

Russia & China both have a long history of hacking for over fifty years. Their primary reason is military. Remenber the Buran shuttle - amazinging similar to our old Space Shuttle. And now look at the Chinese J-20...

In reply to: Re: Financial gain?
Post Your Own Reply

More Conversations

Products & Releases

Ad Networks Just Got More Secure

Bitglass Breach Discovery Limits Damage From Data Breaches

Adroit Digital Study Reveals Consumer Data Privacy and Security Concerns as President Obama Talks Cybersecurity in State of the Union

Updated for 2015: Tools Designed to Manage Third Party Risk

Vormetric’s 2015 Insider Threat Report: 93% of U.S. Organizations Polled Vulnerable to Insider Threats

Online Trust Alliance Determines Over 90 Percent of Data Breaches in First Half of 2014 Could Have Been Easily Prevented

As State of the Union Tackles Cybersecurity, New ISACA Survey Shows 86% See a Cybersecurity Skills Shortage

ForgeRock and FireEye Join Forces to Detect Cyber Attacks with Identity-Aware Threat Intelligence Solution

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

What Government Can (And Can't) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security, 1/22/2015

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

Could The Sony Attacks Happen Again? Join The Conversation

Tim Wilson, Editor in Chief, Dark Reading, 1/21/2015

Partner Perspectives

What's This?

Security Skills Shortage? Don't Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance. Read >>

Protect Yourself by Protecting Others

0 comments

Recruit, Reward & Retain Cybersecurity Experts

5 comments

More Stories

Live Events

Webinars

More UBM Tech
Live Events

Join Security Experts at Black Hat Asia 2015

WebRTC - Learn if it is ready for the enterprise this March in Orlando!

Transforming Business Communications - Enterprise Connect

Cartoon

Latest Comment: Yep, I've been on the receiving end of a few security presentations that looked like that. Funny cartoon that rings too true. :-)

Cartoon Archive

Dark Reading Radio

Archived Dark Reading Radio

The Sony Hack: A Security Community Discussion

If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.

FULL SCHEDULE | ARCHIVED SHOWS

White Papers

Capitalizing On Big Data: Managed Services Help Financial Firms Accelerate Big Data Projects

Threat Intelligence Defined

Detect and Investigate Malicious IP Activities in SIEM with Predictive Threat Intelligence

Why Your Next Generation Firewall Protection Isn't Enough

IDC Paper: Foundation for DC Automation and Business Agility

More White Papers

Current Issue

Dark Reading Tech Digest, Dec. 19, 2014

Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-8148

Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157

Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158

Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571

Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572

Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web

Hackers in China Leak South Korean Nuclear Power Blueprints

Lloyd's CEO: Cyber attacks cost companies $400 billion every year

Russian Dating Site Topface Hacked for 20 Million User Names

Malaysia Airlines Website Hacked

Davos Elites Warned About Catastrophic Cyberattacks

Reports

Infographics

10 Recommendations for Outsourcing Security

Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?

Download Now!

Title Partner’s Role in Perimeter Security

0 comments

Threat Intel Today

0 comments

DevOps’ Impact on Application Security

0 comments

More Reports