Dark Reading | Security | Protect The Business

Advertise With Us

About Us

Digital Subscription

What Government Can (And Can't) Do About Cybersecurity

Could The Sony Attacks Happen Again? Join The Conversation

2015: The Year Of The Security Startup – Or Letdown

Top Stories

What Government Can (And Can't) Do About ...

Could The Sony Attacks Happen Again? Join ...

Why Russia Hacks

2015: The Year Of The Security Startup ...

Cartoon: End-User Ed

News & Commentary

NFL Mobile Vulnerable Super Bowl-Sized Vulns

Ericka Chickowski, Contributing Writer, Dark Reading

News

Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/27/2015

0 comments | Read | Post a Comment

Gas Stations Urged To Secure Internet-Exposed Fuel Tank Devices

Kelly Jackson Higgins, Executive Editor at Dark Reading

News

Researchers find more than 5,000 US gas stations' automated tank gauges unprotected on the public Internet and open to hackers.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/26/2015

5 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, I'm sure that we are only scratching about security (or lack of security)...

Power Consumption Technology Could Help Enterprises Identify Counterfeit Devices

Tim Wilson, Editor in Chief, Dark Reading

Commentary

Understanding a device's "power fingerprint" might make it possible to detect security anomalies in Internet of Things as well, startup says

By Tim Wilson Editor in Chief, Dark Reading, 1/26/2015

1 Comment | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Fascinating blog, Tim. Very cool intrusion detection technology. Seems like...

Security Skills Shortage? Don’t Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance.

By Carric Dooley WW VP of Foundstone Services, Intel Security, 1/26/2015

1 Comment | Read | Post a Comment

latest comment Marilyn Cohodas Assuming that "you" is referring to "users," I'm wondering what security awareness...

Adobe Fixes Second Flash Flaw Exploited By Angler

News

Second 0-day fix addresses UAF vulnerability.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/26/2015

0 comments | Read | Post a Comment

Building A Cybersecurity Program: 3 Tips

Jason Sachowski, Senior Forensic Investigator, Scotiabank

Commentary

Getting from “we need” to “we have” a cybersecurity program is an investment in time and resources that’s well worth the effort.

By Jason Sachowski Senior Forensic Investigator, Scotiabank, 1/26/2015

1 Comment | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Great job on this blog, Jason. Wondering, in your experience, what is the trickest...

Growing Open Source Use Heightens Enterprise Security Risks

News

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

By Jai Vijayan Freelance writer, 1/23/2015

9 comments | Read | Post a Comment

Latest Comment: Joe Stanganelli, re: "It is easier to see vulnerabilities with many eyes in open source and...

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave

Commentary

Conventional wisdom holds that Russia hacks primarily for financial gain. But equally credible is the belief that the Russians engage in cyberwarfare to further their geopolitical ambitions.

By Mike Walls Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

16 comments | Read | Post a Comment

Latest Comment: lynnbr2, Russia & China both have a long history of hacking for over fifty years....

Diverse White Hat Community Leads To Diverse Vuln Disclosures

Sara Peters, Senior Editor at Dark Reading

News

Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.

By Sara Peters Senior Editor at Dark Reading, 1/22/2015

6 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, The key to the success of these bug-bounty programs relies on the credibility...

The Internet of Abused Things

We need to find ways to better secure the Internet of Things, or be prepared to face the consequences.

By Liviu Arsene Senior E-threat Analyst, Bitdefender, 1/22/2015

0 comments | Read | Post a Comment

NSA Report: How To Defend Against Destructive Malware

Quick Hits

In the wake of the Sony breach, spy agency's Information Assurance Directorate (IAD) arm provides best practices to mitigate damage of data annihilation attacks.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/22/2015

3 comments | Read | Post a Comment

Latest Comment: macker490, 1. use a secure O/S. 2. look into using Named Spaces remember that in implementing...

What Government Can (And Can’t) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security

Commentary

In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.

By Jeff Williams CTO, Aspect Security & Contrast Security, 1/22/2015

17 comments | Read | Post a Comment

Latest Comment: jleon570, It seems to me that "raising the bar for developers" isn't practical for the...

Protect Yourself by Protecting Others

How the consumerization of IT is affecting endpoint security.

By Candace Worley SVP & GM, Endpoint Security Business, Intel Security, 1/22/2015

0 comments | Read | Post a Comment

President's Plan To Crack Down On Hacking Could Hurt Good Hackers

News

Security experts critical of President Obama's new proposed cybersecurity legislation.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/21/2015

9 comments | Read | Post a Comment

Latest Comment: Wolf6305, Thanks for the voice of agreement. I think that a small group of people...

Security Budgets Going Up, Thanks To Mega-Breaches

News

Sixty percent of organizations have increased their security spending by one-third -- but many security managers still don't think that's enough, Ponemon study finds.

By Sara Peters Senior Editor at Dark Reading, 1/21/2015

5 comments | Read | Post a Comment

Latest Comment: GonzSTL, Case in point could be Target, the breach that keeps on giving. Incident Response...

Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit

Quick Hits

Researcher Kafeine's 0day discovery confirmed by Malwarebytes.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Thanks, @Jon. I was about to post an update here about the patch. http://blogs.adobe.com/psirt/?p=1157 And...

Facebook Messenger: Classically Bad AppSec

Commentary

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

By Daniel Riedel CEO, New Context, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, I find it particulary disturbing that Facebook exhibits such flagrant disregard...

Could The Sony Attacks Happen Again? Join The Conversation

Commentary

Check out Dark Reading Radio's interview and live chat with CrowdStrike founder and CEO George Kurtz and Shape Security executive Neal Mueller.

By Tim Wilson Editor in Chief, Dark Reading, 1/21/2015

13 comments | Read | Post a Comment

Latest Comment: Joe Stanganelli, A tiny part of me (the itty-bitty ridiculous-conspiracy-theory part) wonders...

Ransomware Leads Surge In 2014 Mobile Malware Onslaught

News

Mobile malware increases 75 percent in U.S.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: impactnow, Do you think the current software is adequate to protect our phones or do you...

'123456' & 'Password' Are The 2 Most Common Passwords, Again

Quick Hits

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

By Sara Peters Senior Editor at Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: RyanSepe, I think options are the worst part of creating a password. UserID's and passwords...

More Stories

Current Conversations

Posted by Marilyn Cohodas

Great job on this blog, Jason. Wondering, in your experience, what is the trickest part of building a cybersecurity program -- and how did you deal with the problem?

In reply to: Good pragmatic advice
Post Your Own Reply

Posted by Marilyn Cohodas

I'm sure that we are only scratching about security (or lack of security) surrounding the Internet of Things. Kelly's point about small businesses -- like a mom & pop convenient store or gas station -- being the most...

In reply to: Re: Thermostats
Post Your Own Reply

Posted by Kelly Jackson Higgins

This is indeed a common theme of Internet of Things things, and more importantly, of industrial systems things. One reason for the vulnerability of these smaller gas stations is that they don't have the private WAN...

In reply to: Re: Thermostats
Post Your Own Reply

Posted by Joe Stanganelli

Even major government systems are not immune. See, e.g., pastebin.com/Wx90LLum

In reply to: Re: Thermostats
Post Your Own Reply

Posted by Joe Stanganelli

I want to know where to get a tablet with that large a screen!(Maybe they're the old "convertibles.")

In reply to: Re: Been there..
Post Your Own Reply

Posted by Joe Stanganelli

A tiny part of me (the itty-bitty ridiculous-conspiracy-theory part) wonders if the whole thing was a false flag attack perpetrated by Sony itself as a publicity stunt for The Interview.

In reply to: False flag?
Post Your Own Reply

Posted by impactnow

Dave agreed. I wonder how many of the gas station owners are aware of the vulnerability and just don't think it's an issue versus those that are completely unaware.

In reply to: Re: Thermostats
Post Your Own Reply

Posted by Joe Stanganelli

re: "It is easier to see vulnerabilities with many eyes in open source and take action on it as a community than waiting Microsoft release a fix for it."One might think, but research does not support this proposition. ...

In reply to: Re: WhiteSource proves that open source is safe if used responsibly
Post Your Own Reply

Posted by Joe Stanganelli

The other issue is that many of the big boys -- Microsoft, Google, etc. -- have bug bounty programs. No such program exists for open source.Maybe it doesn't need to (after all, Apple typically offers nothing or next...

In reply to: Re: Frankenstein
Post Your Own Reply

Posted by David Wagner

Sigh...didn't we learn this with thermostats? Are we goign to have the same problem with sensors on refrigerated trucks? I feel like we're making the same mistakes over and over. I wish we'd make some new ones. At the same...

In reply to: Thermostats
Post Your Own Reply

Posted by Dr.T

Agree. As I mentioned in my other post, there is no hard link between open source and security but there are advantages and disadvantages when it comes to using open source and dealing with security. If you use open source...

In reply to: Re: blast from the past
Post Your Own Reply

Posted by Dr.T

I agree with this too. At the same time we know hackers have advantage too when the see vulnerabilities in open source, it is easier to attack open source code base.

In reply to: Re: Frankenstein
Post Your Own Reply

More Conversations

Products & Releases

15th Member of Washington, D.C.-Based Identity Theft Ring Pleads Guilty

SolarWinds Survey Investigates Insider Threats to Federal Cybersecurity

Ad Networks Just Got More Secure

Bitglass Breach Discovery Limits Damage From Data Breaches

Adroit Digital Study Reveals Consumer Data Privacy and Security Concerns as President Obama Talks Cybersecurity in State of the Union

Updated for 2015: Tools Designed to Manage Third Party Risk

Vormetric’s 2015 Insider Threat Report: 93% of U.S. Organizations Polled Vulnerable to Insider Threats

Online Trust Alliance Determines Over 90 Percent of Data Breaches in First Half of 2014 Could Have Been Easily Prevented

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

What Government Can (And Can't) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security, 1/22/2015

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

Could The Sony Attacks Happen Again? Join The Conversation

Tim Wilson, Editor in Chief, Dark Reading, 1/21/2015

Partner Perspectives

What's This?

Security Skills Shortage? Don't Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance. Read >>

Protect Yourself by Protecting Others

0 comments

Recruit, Reward & Retain Cybersecurity Experts

5 comments

More Stories

Live Events

Webinars

More UBM Tech
Live Events

Join Security Experts at Black Hat Asia 2015

WebRTC - Learn if it is ready for the enterprise this March in Orlando!

Interop Las Vegas Full & Half-Day Workshops

Cartoon

Latest Comment: I want to know where to get a tablet with that large a screen!(Maybe they're the old "convertibles.")

Cartoon Archive

Dark Reading Radio

Archived Dark Reading Radio

The Sony Hack: A Security Community Discussion

If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.

FULL SCHEDULE | ARCHIVED SHOWS

White Papers

Capitalizing On Big Data: Managed Services Help Financial Firms Accelerate Big Data Projects

Detect and Investigate Malicious IP Activities in SIEM with Predictive Threat Intelligence

Customer Loyalty Programs 101

Visualizing Big Digital Data

Understanding Big Data Quality

More White Papers

Current Issue

Dark Reading Tech Digest, Dec. 19, 2014

Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-8148

Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157

Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158

Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571

Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572

Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web

Hackers in China Leak South Korean Nuclear Power Blueprints

Lloyd's CEO: Cyber attacks cost companies $400 billion every year

Russian Dating Site Topface Hacked for 20 Million User Names

Malaysia Airlines Website Hacked

Davos Elites Warned About Catastrophic Cyberattacks

Reports

Infographics

10 Recommendations for Outsourcing Security

Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?

Download Now!

Title Partner’s Role in Perimeter Security

0 comments

Threat Intel Today

0 comments

DevOps’ Impact on Application Security

0 comments

More Reports