News & Commentary
How A Major Bank Hacked Its Java Security
Deutsche Bank London helped create a new application self-defense tool to lock down and virtually patch its Java-based enterprise applications -- even the oldest ones.
By Kelly Jackson Higgins, Executive Editor at Dark Reading, 9/30/2014 (News)
Retailers Realize EMV Won't Save Them From Fraudsters
Fraudsters hit retailers harder than ever in 2014, and many recognize that even though EMV's chip-and-PIN authentication will stem skimming, breaches and other forms of fraud will persist.
By Ericka Chickowski, Contributing Writer, Dark Reading, 9/30/2014 (News)
Software Assurance: Time to Raise the Bar on Static Analysis
The results from tool studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
By Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 9/30/2014 (Commentary)
How To Hack A Human
Social engineering expert and founder of the DEF CON Social Engineering Capture the Flag contest Chris Hadnagy joins Dark Reading Radio on Wednesday, October 1, at 1:00 p.m. EDT.
By Kelly Jackson Higgins, Executive Editor at Dark Reading, 9/30/2014 (Commentary)
Be Aware: 8 Tips for Security Awareness Training
Hint: One giant security training session to rule them all is not the way to go.
By Sara Peters, Senior Editor at Dark Reading, 9/29/2014
Coordinated Attacks Call For More Sophisticated Cyber Defense
Agencies and industry are rethinking how they defend against coordinated attacks by teams of specialized hackers.
By Henry Kenyon, 9/29/2014 (Commentary)
New Bash Bugs Surface
Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk.
By Kelly Jackson Higgins, Executive Editor at Dark Reading, 9/29/2014 (News)
Making Sense Of Shellshock Attack Chaos
Attacks against the Bash bug increase in volume and variety, with an emphasis on information gathering and botnet building.
By Ericka Chickowski, Contributing Writer, Dark Reading, 9/29/2014 (News)
FDA Pushes To Improve Medical Device Security
Cyber attacks pose a grave threat to the integrity of healthcare services, agency says.
By Jai Vijayan, Freelance Writer, 9/29/2014 (Commentary)
Can We Talk? Finding A Common Security Language
How engineers can get beyond the crippling vocabulary and semantic barrier of infosec and actually communicate about cyber risk with bosses and business colleagues.
By Jason Polancich, Founder & Chief Architect, SurfWatchLabs, 9/29/2014 (Commentary)
Shellshock's Threat To Healthcare
The Bash bug is everywhere, including in medical devices. The industry must be better prepared to protect itself and patients.
By Mac McMillan, CEO, CynergisTek, 9/29/2014 (Commentary)
When Layers On Layers Of Security Equals LOL Security
Defense-in-depth is often poorly executed when architecture is not carefully considered.
By Ericka Chickowski, Contributing Writer, Dark Reading, 9/29/2014 (News)
Apple: Majority Of Mac OS X Users Not At Risk To 'Shellshock'
According to Apple, Mac OS X systems are not exposed to remote exploits of Bash unless users have certain UNIX services configured.
By Brian Prince, Contributing Writer, Dark Reading, 9/26/2014 (News)
Breach Awareness Made Easy
What if companies had to disclose breach history in the same way food companies display nutritional information?
By Sara Peters, Senior Editor at Dark Reading, 9/26/2014 (Commentary, Video)
Shellshocked: A Future Of ‘Hair On Fire’ Bugs
Most computers affected by Bash will be updated within 10 years. The rest will be vulnerable for the lifespans of all humans now living. This should concern us. But then, global warming should also concern us.
By Paul Vixie, Chairman & CEO, Farsight Security, Inc., 9/26/2014 (Commentary)
Amazon Reboots Cloud Servers, Xen Bug Blamed
Amazon tells customers it has to patch and reboot 10% of its EC2 cloud servers before Oct. 1.
By Charles Babcock, Editor At Large, InformationWeek, 9/26/2014 (Commentary)
iOS In-App Browsing Poses Security Risk
iOS developer warns that browser windows invoked within third-party apps allow information theft.
By Thomas Claburn, Editor-at-Large, 9/26/2014 (Commentary)
Breached Retailers Harden PoS, For Now
Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption.
By Kelly Jackson Higgins, Executive Editor at Dark Reading, 9/25/2014 (News)
Malvertising Could Rival Exploit Kits
A spate of malvertising campaigns has gained steam in recent months, including the Kyle and Stan network, which researchers now believe is nine times bigger than initially estimated.
By Ericka Chickowski, Contributing Writer, Dark Reading, 9/25/2014 (News)
'Shellshock' Bash Bug Impacts Basically Everything, Exploits Appear In Wild
CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OS X, and IoT endpoints are all at risk.
By Sara Peters, Senior Editor at Dark Reading, 9/25/2014 (News)
Security Insights
3 Places to Enable 2-Factor Authentication Now
Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.
Bash Bug May Be Worse Than Heartbleed
By Sara Peters, Senior Editor at Dark Reading, 9/24/2014
Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Dark Reading - Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?