Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Akamai Withdraws Proposed Heartbleed Patch

'Baby Teeth' In Infrastructure Cyber Security Framework

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

Top Stories

Heartbleed's Intranet & VPN Connection

Akamai Withdraws Proposed Heartbleed Patch

'Baby Teeth' In Infrastructure Cyber ...

Active Directory Is Dead: 3 Reasons

Iranian-Based Cyberattack Activity On The ...

News & Commentary

Did A Faulty Memory Feature Lead To Heartbleed?

Kelly Jackson Higgins, Senior Editor, Dark Reading

News

Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014

1 Comment | Read | Post a Comment

Latest Comment: RyanSepe, I agree with Chris Eng that hindsight is 20/20 and I doubt very much that presented...

The Real Wakeup Call From Heartbleed

Commentary

There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

By Jeff Williams CTO, Contrast Security, 4/16/2014

0 comments | Read | Post a Comment

Smartphone Kill Switches Coming, But Critics Cry Foul

Commentary

Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.

By Thomas Claburn Editor-at-Large, 4/16/2014

17 comments | Read | Post a Comment

Latest Comment: Thomas Claburn, Security measures like this have limited value. But it's nice that remote wiping...

Mobility: Who Bears The Brunt Of Data Security & Privacy

Grayson Milbourne, Director, Security Intelligence, Webroot

Commentary

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, As a consumer, i really like the idea of having a security rating on an apps...

Don't Blame It On The Web Programming Platform

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: GonzSTL, I would extend that notion to state that the C-suite must regard all of IT...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: ScottW834, The US Government has lost its credibility. What reason is there to trust...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

21 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Thanks for sharing those details about your experience with AD in cloud, BryanF287....

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, @micjustin33,we also covered the White House's policy on using 0days here: ...

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

Brian Prince, Contributing Writer, Dark Reading

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

Feds Address Antitrust Concerns On Cyberthreat Sharing

Commentary

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

By William Jackson Technology Writer, 4/11/2014

3 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Information sharing will come from vendors that companies have relationships...

Free Heartbleed-Checker Released for Firefox Browser

Quick Hits

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/11/2014

4 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Chrome Checker is doing well for me also.

Windows XP Alive & Well in ICS/SCADA Networks

News

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

1 Comment | Read | Post a Comment

Latest Comment: RyanSepe, What safeguards are being taken to ensure that the systems are not being exploited...

Heartbleed Will Go On Even After The Updates

News

What's next now that the mindset is 'assume the worst has already occurred?'

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

6 comments | Read | Post a Comment

Latest Comment: AKessler, This may seem alarming to some but intelligence agencies are in the business...

Flash Poll: Broken Heartbeat

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

What steps do you plan to take in response to the Heartbleed bug? Take our poll and share your reasons in the comments.

By Marilyn Cohodas Community Editor, Dark Reading, 4/10/2014

0 comments | Read | Post a Comment

Heartbleed: Examining The Impact

Commentary

With Heartbleed, there’s little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here’s how to defend against future attacks.

By Tim Sapio Security Analyst, Bishop Fox, 4/10/2014

5 comments | Read | Post a Comment

Latest Comment: macker490, the impact is less than you might think: we all live in a heavilly...

CIO Vs. CSO: Allies Or Enemies?

Eric Cole, Founder & Chief Scientist, Secure Anchor Consulting

Commentary

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

By Eric Cole Founder & Chief Scientist, Secure Anchor Consulting, 4/10/2014

10 comments | Read | Post a Comment

Latest Comment: GonzSTL, Yes, believe me, I get all that, but if you were to stand up a security organization...

Majority Of Users Have Not Received Security Awareness Training, Study Says

Tim Wilson, Editor in Chief, Dark Reading

Quick Hits

Many users fail to follow policies on mobile, cloud security, EMA Research study says.

By Tim Wilson Editor in Chief, Dark Reading, 4/10/2014

12 comments | Read | Post a Comment

Latest Comment: Bprince, I find it hard to believe Johnrobie that security loses in a risk versus cost...

More Than A Half-Million Servers Exposed To Heartbleed Flaw

News

What the newly exposed SSL/TLS threat really means for enterprises and end-users.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/9/2014

15 comments | Read | Post a Comment

Latest Comment: SaneIT, Yes, especially those that rarely log on to a particular site. If they...

More Stories

Current Conversations

Posted by Bprince

I find it hard to believe Johnrobie that security loses in a risk versus cost argument, but I suppose that given the survey's findings, it is entirely possible. Enterprises can design their own security awareness programs...

In reply to: Re: Security Awareness Training or lack of it
Post Your Own Reply

Posted by RyanSepe

I agree with Chris Eng that hindsight is 20/20 and I doubt very much that presented with the very simple choice of performance over, in this case vulnerability, would have been chosen by the OpenSSL project. I think the...

In reply to: Performance over Vulnerability
Post Your Own Reply

Posted by Marilyn Cohodas

Is your company forcing users to change their passwords in the wake of the heartbleed bug? If so, you're in the minority of respondents to Dark Reading's flash poll. We asked What steps do you plan to take in response...

In reply to: Heartbleed: Forcing users to change passwords?
Post Your Own Reply

Posted by Marilyn Cohodas

Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage...

In reply to: Re: Your experience integrating AD with cloud apps?
Post Your Own Reply

Posted by BryanF287

What has been your experience integrating AD successfully with your cloud apps? 100% of our employee cloud based apps are integrated with AD. What have been your biggest challenges? Getting security to approve...

In reply to: Re: Your experience integrating AD with cloud apps?
Post Your Own Reply

Posted by Marilyn Cohodas

As a consumer, i really like the idea of having a security rating on an apps in the app store. That's a very simple idea -- but agreeing on the rating system would be a challenge!

In reply to: Re: Changing consumer behavior on free apps
Post Your Own Reply

Posted by gmilbourne

I do agree and it is why I think consumers share the smallest burden when it comes to protecting their privacy on mobile devices. As for developer incentives, that is a really tough problem. One angle could be to provide...

In reply to: Re: Changing consumer behavior on free apps
Post Your Own Reply

Posted by GonzSTL

I would extend that notion to state that the C-suite must regard all of IT security as a vital part of their organization. If that is the case, then security becomes integrated in every aspect of the organization. Nothing...

In reply to: Re: It all starts with the C-Level
Post Your Own Reply

Posted by anon1072277770

Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours. If you combine ADFS with Azure ACS and Azure AD you have very powerfull...

In reply to: Re: What's the alternative
Post Your Own Reply

Posted by ScottW834

The US Government has lost its credibility. What reason is there to trust them? That said, what reason was there ever to trust them. Patriotism in this country demands distrust of those that govern. There...

In reply to: Credibility and the Civil Cyber War
Post Your Own Reply

Posted by ScottW834

While everyone is skipping off to the "cloud" there are still the same issues to be dealt with. Authentication, Access and Accountability. LDAP and AD have done a good job of this and as companies are learning...

In reply to: If not AD then what?
Post Your Own Reply

Posted by Kelly Jackson Higgins

What you said about the C-level suite not educating programmers on writing secure code is key, @anon6230542982. It's also a cultural issue among coders that somehow needs to be shaken up. As Chris Eng said, "People...

In reply to: Re: It all starts with the C-Level
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

SMS PASSCODE Announces North America Launch

New Osterman Research Report: Only 13% Happy With Compliance Methods

Sophos Boosts Network Security with New Hardware Appliances

More Than Half of Organizations Filter Out Negative Facts Before Communicating Security Risk to C-Level Executives

Survey: As Companies Move to the Cloud, Increased Security is their Biggest IT Concern

Future of Open Source Survey: OSS Powering New Technologies, Creating New Economics

IBM Delivers Disaster Recovery, Security Services to SoftLayer Clients

Tripwire Donates $11.75M Cybersecurity Service to Penn State

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

Majority Of Users Have Not Received Security Awareness Training, Study Says

Tim Wilson, Editor in Chief, Dark Reading, 4/10/2014

CIO Vs. CSO: Allies Or Enemies?

Eric Cole, Founder & Chief Scientist, Secure Anchor Consulting, 4/10/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Flash Poll

All Polls

White Papers

The 10 Key Requirements for a Successful Oracle R12 Upgrade

Dell Case Study Report: Amerijet - Flying Right with a Next-Generation Data Center

Dell EqualLogic Hybrid Array Leaves Competition in the Dust

Supply Chain Visibility in Business Networks

The New IT

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2011-0460

Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993

Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180

Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089

Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192

Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web

Galaxy S5 fingerprint scanner hacked with glue mould

Heartbleed: Revoke! The time is nigh!

Heartbleed Shows Government Must Lead on Internet Security

Street View and reCAPTCHA technology just got smarter

Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports