Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Heartbleed: A Password Manager Reality Check

Poll: Dark Reading Community Acts On Heartbleed

Mobility: Who Bears The Brunt Of Data Security & Privacy

Top Stories

Heartbleed: A Password Manager Reality Check

Poll: Dark Reading Community Acts On ...

Did A Faulty Memory Feature Lead To ...

The Real Wakeup Call From Heartbleed

Mobility: Who Bears The Brunt Of Data ...

News & Commentary

Michaels Retail Chain Reveals Details Of Breach: Nearly 3M Affected

Tim Wilson, Editor in Chief, Dark Reading

Quick Hits

Attack on point-of-sale systems went on for more than six months, officials say.

By Tim Wilson Editor in Chief, Dark Reading, 4/18/2014

1 Comment | Read | Post a Comment

Latest Comment: securityaffairs, It is an embarrassing situation. The level of security offered to the...

Poll: Dark Reading Community Acts On Heartbleed

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

By Marilyn Cohodas Community Editor, Dark Reading, 4/18/2014

0 comments | Read | Post a Comment

Heartbleed: A Password Manager Reality Check

News

Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

By Mathew J. Schwartz , 4/18/2014

7 comments | Read | Post a Comment

Latest Comment: RyanSepe, Ok thank you for the insight. It seems very logical to have something like...

Phishers Recruit Home PCs

Brian Prince, Contributing Writer, Dark Reading

News

Residential broadband machines spotted hosting phishing attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/18/2014

2 comments | Read | Post a Comment

Latest Comment: Robert McDougal, I imagine it would be almost impossible for the ISP's to track down these compromised...

SQL Injection Cleanup Takes Two Months or More

Kelly Jackson Higgins, Senior Editor, Dark Reading

Quick Hits

A new report highlights the prevalence and persistence of SQL injection attacks.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

0 comments | Read | Post a Comment

Satellite Communications Wide Open To Hackers

News

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs, Very interesting post ... satellite components in many cases lack of proper...

11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

News

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

By Mathew J. Schwartz , 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: Bprince, This is a great post Matt. Does anyone have a problem with the way companies...

Microsoft Delays Enterprise Windows 8.1 Support Doomsday

News

Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.

By Mathew J. Schwartz , 4/17/2014

1 Comment | Read | Post a Comment

Latest Comment: Robert McDougal, While this sounds like a heavy handed action from Microsoft, it is in line...

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies

Commentary

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

17 comments | Read | Post a Comment

Latest Comment: CNACHREINER981, Perfect analogy, and exactly my point summed up fantastically!

Did A Faulty Memory Feature Lead To Heartbleed?

News

Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014

4 comments | Read | Post a Comment

Latest Comment: 1401, Aha - but imagine - if software developers and vendors had really accepted...

The Real Wakeup Call From Heartbleed

Commentary

There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

By Jeff Williams CTO, Contrast Security, 4/16/2014

9 comments | Read | Post a Comment

Latest Comment: Interesting, As an IT Auditor who worked with one of the big five (before they became the...

Smartphone Kill Switches Coming, But Critics Cry Foul

Commentary

Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.

By Thomas Claburn Editor-at-Large, 4/16/2014

18 comments | Read | Post a Comment

Latest Comment: micjustin33, I don't know how much kill switch option is useful for smartphones ..

Mobility: Who Bears The Brunt Of Data Security & Privacy

Grayson Milbourne, Director, Security Intelligence, Webroot

Commentary

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, As a consumer, i really like the idea of having a security rating on an apps...

Don't Blame It On The Web Programming Platform

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: GonzSTL, I would extend that notion to state that the C-suite must regard all of IT...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: ScottW834, The US Government has lost its credibility. What reason is there to trust...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

25 comments | Read | Post a Comment

Latest Comment: Thomas B. Pedersen, I should clarify that OneLogin doesn't focus particularly on start-ups, but...

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

4 comments | Read | Post a Comment

Latest Comment: Tyson S, ExtraHop analyzes all traffic to parse out transaction-level metrics, including...

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

More Stories

Current Conversations

Posted by Bprince

From what I have been told is that for many the focus is on "compensating measures" such as firewalls and physical security. Truth is, they have been dealing with this type of issue for years. It's not uncommon to find Windows...

In reply to: compensating measures
Post Your Own Reply

Posted by Bprince

This is a great post Matt. Does anyone have a problem with the way companies were notified? Certain companies were told early, certain companies weren't, and there are vendors that still don't know if their product are vulnerable....

In reply to: Heartbleed
Post Your Own Reply

Posted by RyanSepe

Ok thank you for the insight. It seems very logical to have something like a password manager in place. However, let me play devil's advocate for the moment. For the password manager to work it needs to store your passwords....

In reply to: Re: RoboForm Password Manager
Post Your Own Reply

Posted by Interesting

As an IT Auditor who worked with one of the big five (before they became the big four) global audit firms, I can only suggest that our definitions of assurance are vastly different. Arthur Andersen certainly found it out...

In reply to: Re: But assurance equals accountability equals liability.
Post Your Own Reply

Posted by planetlevel

I wrote a nice tool to generate these labels automatically. If anyone is interested in making an open-source tool out of it, I'd be happy to share.

In reply to: Re: Assurance Evidence
Post Your Own Reply

Posted by securityaffairs

It is an embarrassing situation. The level of security offered to the customers is very poor. In many cases pos systems are common windows based machine with a few defense systems that in many cases are not sufficient...

In reply to: embarrassing
Post Your Own Reply

Posted by CNACHREINER981

Perfect analogy, and exactly my point summed up fantastically!

In reply to: Re: Great Article
Post Your Own Reply

Posted by Robert McDougal

I imagine it would be almost impossible for the ISP's to track down these compromised hosts. The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate...

In reply to: Re: Broadband provider's responsibility?
Post Your Own Reply

Posted by jaingverda

@Ryan to answer yoru questions for lastpass at least; I can't speak to other password managers. It does act as a single sign on but I still have to manually log into my password manager and click the button to sign into...

In reply to: Re: RoboForm Password Manager
Post Your Own Reply

Posted by Marilyn Cohodas

I really like your analogy comparing software assurance to a supply chain for software. I don't think it's too much to ask that we hold software to the same standard: that the components that go into developing bsiness...

In reply to: Re: But assurance equals accountability equals liability.
Post Your Own Reply

Posted by jaingverda

I use lastpass and will be paying for the premium part here soon to use it on my mobile device. I swear by it, the passwords are stored securely and also for security reasons last pass is just an encrypted storage facility...

In reply to: Re: RoboForm Password Manager
Post Your Own Reply

Posted by Robert McDougal

Great points Corey! I don't see anything wrong with security by obscurity when used in conjunction with a secure system. By making your systems appear to be smaller targets you are essentially eliminating...

In reply to: Great Article
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

Study finds 52% of enterprises defenseless against cyber attacks

Cryptzone Survey Reveals SharePoint Users are Breaching Security Policies

Understanding Risk from Business Perspective Is Top Concern for Network Security Organizations

New Survey: Half of IT Professionals Make Undocumented Changes to IT Systems

Endpoint Protection Products Improve Significantly for Socially Engineered Malware Protection

SMS PASSCODE Announces North America Launch

New Osterman Research Report: Only 13% Happy With Compliance Methods

Sophos Boosts Network Security with New Hardware Appliances

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

The Real Wakeup Call From Heartbleed

Jeff Williams, CTO, Contrast Security, 4/16/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Cartoon

Latest Comment: LOL.

Cartoon Archive

White Papers

Key Methods for Managing Complex Database Environments

Combining Cloud-Based DDoS Protection and DNS Services to Thwart the Threat of DDoS

Top 8 Considerations To Enable and Simplify Mobility

Key Components Of Your Resiliency Strategy

The New IT

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2011-3154

Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143

Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036

Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054

Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071

Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web

Heartbleed Bug Sends Bandwidth Costs Skyrocketing

Heroku Security Bug Bounty

Regulators: No interruption after state utilities were hacked

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Facebook Webinject Leads to iBanking Mobile Bot

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports