Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Stolen Passwords Used In Most Data Breaches

Heartbleed Attack Targeted Enterprise VPN

Heartbleed: A Password Manager Reality Check

Top Stories

Stolen Passwords Used In Most Data Breaches

FAQ: Understanding The True Price of ...

Heartbleed Attack Targeted Enterprise VPN

Cartoon: E2c$y5tion

Heartbleed: A Password Manager Reality Check

News & Commentary

How To Detect Heartbleed Mutations

Chris Chapman, Senior Methodologist, Spirent Communications

Commentary

The nightmare of Heartbleed is not the chaos of fixing the bug. It's identifying hundreds, possibly thousands, of small mutations still hiding in the network.

By Chris Chapman Senior Methodologist, Spirent Communications, 4/24/2014

0 comments | Read | Post a Comment

Intelligence-Sharing Suffers Growing Pains

Kelly Jackson Higgins, Senior Editor, Dark Reading

News

For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, new report from Ponemon finds.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/23/2014

0 comments | Read | Post a Comment

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

News

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

By Mathew J. Schwartz , 4/23/2014

3 comments | Read | Post a Comment

Latest Comment: micjustin33, There are SSL/Crypto implementations in languages other than C.OpenSSL was...

Workplace Data Privacy Vs. Security: The New Balance

David Melnick, Founder & CEO, WebLife Balance

Commentary

Is it time to rethink the traditional lock-down approach to employee use of corporate networks at work?

By David Melnick Founder & CEO, WebLife Balance, 4/23/2014

6 comments | Read | Post a Comment

Latest Comment: dmelnick, You nailed it. My whole vision to changing the playing field. If we segmented...

Michaels Data Breach Response: 7 Facts

News

Could the retailer have done more to spot the eight-month intrusion in the first place?

By Mathew J. Schwartz , 4/22/2014

4 comments | Read | Post a Comment

Latest Comment: Duane T, While the point made about sharing is valid, the article also states that the...

Bots Attack US Mainly During Dinnertime

Quick Hits

Most bot-infected machines hail from the US and wage attacks there between 6 and 9 p.m. Eastern Time, new report finds.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/22/2014

8 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, They are both evil. That's for sure.

7 Tips To Improve 'Signal-to-Noise' In The SOC

Joshua Goldfarb, CSO, nPulse Technologies

Commentary

When security analysts are desensitized to alerts because of sheer volume, they miss the true positives that can prevent a large-scale data breach. Here's how to up your game.

By Joshua Goldfarb CSO, nPulse Technologies, 4/22/2014

4 comments | Read | Post a Comment

Latest Comment: jg@npulsetech.com, Another excellent question Marilyn, thank you. Gut feelings, or put another...

Free Scanning Tool Promises To Find Heartbleed On Any Device

Tim Wilson, Editor in Chief, Dark Reading

Quick Hits

CrowdStrike says tool identifies the flaw on web servers, VPNs, servers, routers, printers, and phones.

By Tim Wilson Editor in Chief, Dark Reading, 4/22/2014

5 comments | Read | Post a Comment

Latest Comment: DarkReadingTim, While there has been some criticism of the free Heartbleed scanners' ability...

Stolen Passwords Used In Most Data Breaches

News

New Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93 percent of security incidents in the past decade.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/22/2014

10 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Thanks so much for sharing your insight and experience with this @douglasmow....

FAQ: Understanding The True Price of Encryption

Commentary

In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important.

By Sol Cates CSO, Vormetric, 4/21/2014

5 comments | Read | Post a Comment

Latest Comment: theb0x, I'm surpsied there are still software companies that actively utilize encryption...

Heartbleed Attack Targeted Enterprise VPN

News

Attack spotted using the OpenSSL Heartbleed bug to steal session tokens and bypass two-factor authentication.

By Mathew J. Schwartz , 4/21/2014

2 comments | Read | Post a Comment

Latest Comment: AmmarNaeem, The Heartbleed bug is making headlines people! CNN Money reported yesterday...

Michaels Retail Chain Reveals Details Of Breach: Nearly 3M Affected

Quick Hits

Attack on point-of-sale systems went on for more than six months, officials say.

By Tim Wilson Editor in Chief, Dark Reading, 4/18/2014

4 comments | Read | Post a Comment

Latest Comment: DarkReadingTim, Agreed, Robert. Michaels did not give details on the malware itself,...

Poll: Dark Reading Community Acts On Heartbleed

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

By Marilyn Cohodas Community Editor, Dark Reading, 4/18/2014

2 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Paul, In terms of our poll, do you think the fact that only 30 percent...

Heartbleed: A Password Manager Reality Check

News

Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

By Mathew J. Schwartz , 4/18/2014

13 comments | Read | Post a Comment

Latest Comment: Markus5, I use Sticky Password. These guys are great, secure and cheap. However nice...

Phishers Recruit Home PCs

Brian Prince, Contributing Writer, Dark Reading

News

Residential broadband machines spotted hosting phishing attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/18/2014

5 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, It's hard for me to imagine that users who already have difficulty managing...

SQL Injection Cleanup Takes Two Months or More

Quick Hits

A new report highlights the prevalence and persistence of SQL injection attacks.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

1 Comment | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Interesting data, Kelly. Wondering if the Ponemon study quantified any of the...

Satellite Communications Wide Open To Hackers

News

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

3 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, These findings are reminiscent of vulnerabilities in ICS/SCADA products. It's...

11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

News

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

By Mathew J. Schwartz , 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: Bprince, This is a great post Matt. Does anyone have a problem with the way companies...

Microsoft Delays Enterprise Windows 8.1 Support Doomsday

News

Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.

By Mathew J. Schwartz , 4/17/2014

1 Comment | Read | Post a Comment

Latest Comment: Robert McDougal, While this sounds like a heavy handed action from Microsoft, it is in line...

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies

Commentary

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

18 comments | Read | Post a Comment

Latest Comment: theb0x, I have always liked the old saying "A locked door keeps an honest man out."...

More Stories

Current Conversations

Posted by micjustin33

There are SSL/Crypto implementations in languages other than C.OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.At the time it was written, languages such as Java simply weren't fast enough...

In reply to: Re: Heartbleed and Android
Post Your Own Reply

Posted by Mathew

Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed...

In reply to: Re: Heartbleed and Android
Post Your Own Reply

Posted by dmelnick

You nailed it. My whole vision to changing the playing field. If we segmented personal web-use (the highest risk activity) from business activity. And then we isolated or contained the personal use, the remaining business...

In reply to: Re: Workplace Data Privacy Vs. Security: The New Balance
Post Your Own Reply

Posted by theb0x

Well said. What if a company just segmented their network traffic? You want to go on facebook? You want to check your personal email? Okay, BYOD and use this network and we will not provide you a firewall or monitor your...

In reply to: Re: Workplace Data Privacy Vs. Security: The New Balance
Post Your Own Reply

Posted by dmelnick

I hear you, and there is no doubt that in the US, with proper notice and consent, usually in the form of an Acceptable Use Policy (AUP), a company clearly has the right to monitor and control employee Internet use. There...

In reply to: Re: Workplace Data Privacy Vs. Security: The New Balance
Post Your Own Reply

Posted by theb0x

I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services...

In reply to: Heartbleed and Android
Post Your Own Reply

Posted by Kelly Jackson Higgins

Thanks so much for sharing your insight and experience with this @douglasmow. What seems to be such a basic thing to secure and track, a logon & password, always seems to rear its ugly head. The Verizon DBIR put an exclamation...

In reply to: Re: Supplement Security With Access Analytics
Post Your Own Reply

Posted by theb0x

I see how there are many issues with this in the workplace but a properly written acceptable use policy that clearly states all email sent from a company computer is sole property of that company should be expressed. I am...

In reply to: Workplace Data Privacy Vs. Security: The New Balance
Post Your Own Reply

Posted by douglasmow

@Kelly, Your story covering the 2014 Verizon DBIR highlights something we work to continuously convey to customers... what may look like a customer or partner or staff member, may not in fact be so. With the report citing...

In reply to: Supplement Security With Access Analytics
Post Your Own Reply

Posted by dmelnick

Anthony, thanks for joining the conversation. Better still if you did it from work. I really liked how you highlighted the tip-toe problem. I see this at the Board and C-Suite level where on the one hand the leadership want...

In reply to: Re: Sensitivity make this difficult
Post Your Own Reply

Posted by DarkReadingTim

While there has been some criticism of the free Heartbleed scanners' ability to catch every instance of the vulnerability, I think it's worth giving the vendors some kudos for their efforts. Several of the free tools came...

In reply to: Heartbleed scanners -- good step for the community
Post Your Own Reply

Posted by Robert McDougal

After testing the CrowdStrike tool I can confirm that it was able to identify all of the servers I was able to identify previously. However, at least in my environment, it did not identify any new servers which were...

In reply to: Testing of Tool
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

SecureAuth IdP Qualifies For Microsoft Office 365 Qualification

NIST Removes Cryptography Algorithm from Random Number Generator Recommendations

Black Lotus Threat Report Predicts New DrDoS Attacks in Excess of 800 Gbps in 2015

Cloud Control: Launch of Entrust IdentityGuard Cloud Services Simplifies Certificate Management, Credentialing

Verizon Expands Cloud Solutions, With Secure Cloud Interconnect

Mocana Calls Heartbleed a “Wake-Up Call” for Makers of Smart Connected Devices

HID Global Security Survey and Infographic Reveal Attitudes about Best Practices for Physical Access Control

Cisco Launches Managed Threat Defense Service

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Heartbleed: A Password Manager Reality Check

Mathew J. Schwartz 4/18/2014

Stolen Passwords Used In Most Data Breaches

Kelly Jackson Higgins, Senior Editor, Dark Reading, 4/22/2014

Bots Attack US Mainly During Dinnertime

Kelly Jackson Higgins, Senior Editor, Dark Reading, 4/22/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Cartoon

Latest Comment: #Win: "I don't move my lips while typing"

Cartoon Archive

White Papers

The 10 Key Requirements for a Successful Oracle R12 Upgrade

Combining Cloud-Based DDoS Protection and DNS Services to Thwart the Threat of DDoS

Key Components Of Your Resiliency Strategy

Consolidation: The Foundation for IT Business Transformation

The Customer-Centric Supply Chain

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-2391

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392

Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

CVE-2014-2393

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite 7.4.1 before 7.4.1-rev11 and 7.4.2 before 7.4.2-rev13 allows remote attackers to inject arbitrary web script or HTML via a Drive filename that is not properly handled during use of the composer to add an e-mail attachment.

CVE-2011-5279

Published: 2014-04-23
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.

CVE-2012-0360

Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Best of the Web

Google Adding Security Checks to Non-OAuth 2.0 Compliant Apps

SEC To Examine Wall Street Cyber Security Policies

Empowering Women in Information Security

Watering Holes vs. Spear Phishing

OpenSSL code beyond repair, claims creator of “LibreSSL” fork

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports