Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Mobility: Who Bears The Brunt Of Data Security & Privacy

How A Little Obscurity Can Bolster Security

Top Stories

Did A Faulty Memory Feature Lead To ...

The Real Wakeup Call From Heartbleed

Mobility: Who Bears The Brunt Of Data ...

How A Little Obscurity Can Bolster Security

Heartbleed's Intranet & VPN Connection

News & Commentary

Satellite Communications Wide Open To Hackers

Kelly Jackson Higgins, Senior Editor, Dark Reading

News

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

0 comments | Read | Post a Comment

11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

News

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

By Mathew J. Schwartz , 4/17/2014

0 comments | Read | Post a Comment

Microsoft Delays Enterprise Windows 8.1 Support Doomsday

News

Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.

By Mathew J. Schwartz , 4/17/2014

0 comments | Read | Post a Comment

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies

Commentary

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

10 comments | Read | Post a Comment

Latest Comment: CNACHREINER981, I can see that point. So many have relied ONLY on security by obscurity (which...

Did A Faulty Memory Feature Lead To Heartbleed?

News

Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Thanks for the feedback, @EdMoyle. OpenBSD is doing an overhaul of OpenSSL...

The Real Wakeup Call From Heartbleed

Commentary

There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

By Jeff Williams CTO, Contrast Security, 4/16/2014

2 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Curious, Jeff. What do you think a "Software Facts" label should inclu...

Smartphone Kill Switches Coming, But Critics Cry Foul

Commentary

Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.

By Thomas Claburn Editor-at-Large, 4/16/2014

18 comments | Read | Post a Comment

Latest Comment: micjustin33, I don't know how much kill switch option is useful for smartphones ..

Mobility: Who Bears The Brunt Of Data Security & Privacy

Grayson Milbourne, Director, Security Intelligence, Webroot

Commentary

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, As a consumer, i really like the idea of having a security rating on an apps...

Don't Blame It On The Web Programming Platform

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: GonzSTL, I would extend that notion to state that the C-suite must regard all of IT...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: ScottW834, The US Government has lost its credibility. What reason is there to trust...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

25 comments | Read | Post a Comment

Latest Comment: Thomas B. Pedersen, I should clarify that OneLogin doesn't focus particularly on start-ups, but...

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

4 comments | Read | Post a Comment

Latest Comment: Tyson S, ExtraHop analyzes all traffic to parse out transaction-level metrics, including...

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

Brian Prince, Contributing Writer, Dark Reading

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

Feds Address Antitrust Concerns On Cyberthreat Sharing

Commentary

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

By William Jackson Technology Writer, 4/11/2014

3 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Information sharing will come from vendors that companies have relationships...

Free Heartbleed-Checker Released for Firefox Browser

Quick Hits

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/11/2014

4 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Chrome Checker is doing well for me also.

Windows XP Alive & Well in ICS/SCADA Networks

News

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

1 Comment | Read | Post a Comment

Latest Comment: RyanSepe, What safeguards are being taken to ensure that the systems are not being exploited...

Heartbleed Will Go On Even After The Updates

News

What's next now that the mindset is 'assume the worst has already occurred?'

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

6 comments | Read | Post a Comment

Latest Comment: AKessler, This may seem alarming to some but intelligence agencies are in the business...

Flash Poll: Broken Heartbeat

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

What steps do you plan to take in response to the Heartbleed bug? Take our poll and share your reasons in the comments.

By Marilyn Cohodas Community Editor, Dark Reading, 4/10/2014

0 comments | Read | Post a Comment

More Stories

Current Conversations

Posted by Thomas B. Pedersen

I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and...

In reply to: Re: Unusual article
Post Your Own Reply

Posted by CNACHREINER981

I can see that point. So many have relied ONLY on security by obscurity (which IS bad) for protection that it is probably good to hammer that idea out of a Infosec neophyte's head... However, I still think the more exprienced...

In reply to: Re: Security v. Obscurity
Post Your Own Reply

Posted by David F. Carr

One site I converted to WordPress previously ran on a CMS of sorts that you could edit by going to www.mydomain.com/data/ - no password required, pure security by obscurity. So compared with that, WordPress was certainly...

In reply to: Re: Custom platforms another example of security by obscurity
Post Your Own Reply

Posted by kobriencl

@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born...

In reply to: Re: Unusual article
Post Your Own Reply

Posted by mwalker871

Better to deride obscurity than end up back where we started: Obscurity is Security

In reply to: Security v. Obscurity
Post Your Own Reply

Posted by CNACHREINER981

Yep... we agree. The best security is securely designed systems, but there is no point in making those systems easy to find. ^_^ Corey

In reply to: Re: slows down an attack -- so it helps
Post Your Own Reply

Posted by CNACHREINER981

I absolutely agree... However, to be devils advocate to this point (and my own article), I think this will only be the case if you have security conscious and trained folks creating the custom systems. Since they are blackboxes,...

In reply to: Re: Custom platforms another example of security by obscurity
Post Your Own Reply

Posted by CNACHREINER981

That is an excellent point! When relying on someone elses' systems (the cloud) obscurity is NOT good. We need transparency in what tactics and strategies our external partners are using to protect out data... But in that...

In reply to: Re: Know your risks first
Post Your Own Reply

Posted by kobriencl

Interesting article, Corey. Something to consider here is that there is a distinction between obscurity, where you rely upon the use of an unknown or custom system to trip up a tracker, and a defensive posture where you...

In reply to: Know your risks first
Post Your Own Reply

Posted by Tyson S

ExtraHop analyzes all traffic to parse out transaction-level metrics, including the heartbeat messages used in this exploit. In this way, enterprise IT teams can easily monitor all potential Heartbleed attacks against any...

In reply to: It's possible to analyze all traffic for heartbeat messages
Post Your Own Reply

Posted by Kelly Jackson Higgins

Thanks for the feedback, @EdMoyle. OpenBSD is doing an overhaul of OpenSSL in what they consider a security cleanup of the code. I'm not sure where all of this will go--there is a major cultural gap between the two groups...

In reply to: Re: Memory management not the core issue
Post Your Own Reply

Posted by Ed Moyle

First, great reporting Kelly as always. Second, I'm sure I'll get flames for this, but it strikes me that the mechanics of memory allocation aren't the issue here. The lack of bounds checking (i.e. the bogus...

In reply to: Memory management not the core issue
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

SMS PASSCODE Announces North America Launch

New Osterman Research Report: Only 13% Happy With Compliance Methods

Sophos Boosts Network Security with New Hardware Appliances

More Than Half of Organizations Filter Out Negative Facts Before Communicating Security Risk to C-Level Executives

Survey: As Companies Move to the Cloud, Increased Security is their Biggest IT Concern

Future of Open Source Survey: OSS Powering New Technologies, Creating New Economics

IBM Delivers Disaster Recovery, Security Services to SoftLayer Clients

Tripwire Donates $11.75M Cybersecurity Service to Penn State

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys, 4/14/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Flash Poll

All Polls

White Papers

Combining Cloud-Based DDoS Protection and DNS Services to Thwart the Threat of DDoS

Approaches to DDoS Protection: An Overview on Keeping Your Networks Protected

Consolidation: The Foundation for IT Business Transformation

Build a Business Case: Developing Custom Apps

The New IT

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2011-0460

Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993

Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180

Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089

Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192

Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web

Year-Long Exploit Pack Traffic Campaign Surges After Leveraging CDN

Automate Discovery and Remediation of Heartbleed

Galaxy S5 fingerprint scanner hacked with glue mould

Heartbleed: Revoke! The time is nigh!

Heartbleed Shows Government Must Lead on Internet Security

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports