Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Mobility: Who Bears The Brunt Of Data Security & Privacy

How A Little Obscurity Can Bolster Security

Top Stories

Did A Faulty Memory Feature Lead To ...

The Real Wakeup Call From Heartbleed

Mobility: Who Bears The Brunt Of Data ...

How A Little Obscurity Can Bolster Security

Heartbleed's Intranet & VPN Connection

News & Commentary

Heartbleed: A Password Manager Reality Check

News

Is a password manager an effective defense against vulnerabilities like Heartbleed, or are they simply another way to lose data to hackers?

By Mathew J. Schwartz , 4/18/2014

1 Comment | Read | Post a Comment

Latest Comment: anon5030740074, Now enterprise companies have a new password management to choose from. ...

Phishers Recruit Home PCs

Brian Prince, Contributing Writer, Dark Reading

News

Residential broadband machines spotted hosting phishing attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/18/2014

0 comments | Read | Post a Comment

SQL Injection Cleanup Takes Two Months or More

Kelly Jackson Higgins, Senior Editor, Dark Reading

Quick Hits

A new report highlights the prevalence and persistence of SQL injection attacks.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

0 comments | Read | Post a Comment

Satellite Communications Wide Open To Hackers

News

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs, Very interesting post ... satellite components in many cases lack of proper...

11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

News

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

By Mathew J. Schwartz , 4/17/2014

1 Comment | Read | Post a Comment

Latest Comment: Markus5, I will update the passwords now and couple days or weeks later again to make...

Microsoft Delays Enterprise Windows 8.1 Support Doomsday

News

Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.

By Mathew J. Schwartz , 4/17/2014

0 comments | Read | Post a Comment

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies

Commentary

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

14 comments | Read | Post a Comment

Latest Comment: stephenq42, Everyone who has a user account on any system relies on security through obscurity. Consider...

Did A Faulty Memory Feature Lead To Heartbleed?

News

Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014

4 comments | Read | Post a Comment

Latest Comment: 1401, Aha - but imagine - if software developers and vendors had really accepted...

The Real Wakeup Call From Heartbleed

Commentary

There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

By Jeff Williams CTO, Contrast Security, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Interesting, Agree that assurance is a desirable feature. But assurance implies accountability,...

Smartphone Kill Switches Coming, But Critics Cry Foul

Commentary

Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.

By Thomas Claburn Editor-at-Large, 4/16/2014

18 comments | Read | Post a Comment

Latest Comment: micjustin33, I don't know how much kill switch option is useful for smartphones ..

Mobility: Who Bears The Brunt Of Data Security & Privacy

Grayson Milbourne, Director, Security Intelligence, Webroot

Commentary

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, As a consumer, i really like the idea of having a security rating on an apps...

Don't Blame It On The Web Programming Platform

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: GonzSTL, I would extend that notion to state that the C-suite must regard all of IT...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: ScottW834, The US Government has lost its credibility. What reason is there to trust...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

25 comments | Read | Post a Comment

Latest Comment: Thomas B. Pedersen, I should clarify that OneLogin doesn't focus particularly on start-ups, but...

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

4 comments | Read | Post a Comment

Latest Comment: Tyson S, ExtraHop analyzes all traffic to parse out transaction-level metrics, including...

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

Feds Address Antitrust Concerns On Cyberthreat Sharing

Commentary

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

By William Jackson Technology Writer, 4/11/2014

3 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Information sharing will come from vendors that companies have relationships...

Free Heartbleed-Checker Released for Firefox Browser

Quick Hits

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/11/2014

4 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Chrome Checker is doing well for me also.

More Stories

Current Conversations

Posted by anon5030740074

Now enterprise companies have a new password management to choose from. Ilantus Password Express can be deployed in a cloud or on-premise mode. Learn more at http://ilantusexpress.com/ and get a free 30 day t...

In reply to: Why Password Management is a Must
Post Your Own Reply

Posted by anon5450533792

We found in our recent independent research that hospitals, care providers and medical insurers experience twice as many internal security breaches in comparison to other sectors. As we are seeing more and more...

In reply to: Re: Exceptions to the rule?
Post Your Own Reply

Posted by Markus5

I will update the passwords now and couple days or weeks later again to make sure I am safe. Luckily I use Sticky Password which helps me with managing the hassle.

In reply to: When to update the passwords
Post Your Own Reply

Posted by stephenq42

This flaw has been in circulation for years (plural). It could have been exploited by anyone during that time. It is unbelievable that nobody discovered this flaw until last week, especially since the source code...

In reply to: We must assume the worst
Post Your Own Reply

Posted by stephenq42

Everyone who has a user account on any system relies on security through obscurity. Consider the user ID/password combination. One component (the ID) may or may not be obscure, but the second (the password)...

In reply to: We rely on Security through Obscurity
Post Your Own Reply

Posted by 1401

Aha - but imagine - if software developers and vendors had really accepted the wisdom of Multics and then the segmented memory architecture in the Intel 286 chip and beyond, memory bounds and memory typing would be handled...

In reply to: Re: Memory management not the core issue
Post Your Own Reply

Posted by samenk

Great article here, Corey! Security by obscurity should only be used as a method to delay and/or discourage the attackers from compromising our security; nothing more. "Security by Obscurity is no security at all." I agree,...

In reply to: Re: How A Little Obscurity Can Bolster Security
Post Your Own Reply

Posted by samenk

In reply to: Re: slows down an attack -- so it helps
Post Your Own Reply

Posted by Interesting

Agree that assurance is a desirable feature. But assurance implies accountability, which implies liability. If the software is developed for free and given away for free, and the license clearly warns you that it is provided...

In reply to: But assurance equals accountability equals liability.
Post Your Own Reply

Posted by securityaffairs

Very interesting post ... satellite components in many cases lack of proper defense measures. Many satellite architectures were designed many years ago, while their life cycle is very long the cyber threats evolution...

In reply to: Re: Oh, fabulous
Post Your Own Reply

Posted by mwalker871

Sure, don't give anything away.Don't pick names easy to guess or commonly used. Passwords are just the final threshold. However, if your domain can be enumerated, the ship has sailed. Which is more important?

In reply to: Re: Security v. Obscurity
Post Your Own Reply

Posted by Lorna Garey

Queue conspiracy theorists that this is what happened to the Malaysian Airlines flight in 3, 2, ...

In reply to: Oh, fabulous
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

Study finds 52% of enterprises defenseless against cyber attacks

Cryptzone Survey Reveals SharePoint Users are Breaching Security Policies

Understanding Risk from Business Perspective Is Top Concern for Network Security Organizations

New Survey: Half of IT Professionals Make Undocumented Changes to IT Systems

Endpoint Protection Products Improve Significantly for Socially Engineered Malware Protection

SMS PASSCODE Announces North America Launch

New Osterman Research Report: Only 13% Happy With Compliance Methods

Sophos Boosts Network Security with New Hardware Appliances

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys, 4/14/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Flash Poll

All Polls

White Papers

Enabling Devices and Device Management for your Mobility/BYOD Program

How Insurers Can Effectively Meet the Challenges of the ACA

DDoS Mitigation - Best Practices for a Rapidly Changing Threat Landscape

Five Steps to Prepare for a DDoS Attack

Consolidation: The Foundation for IT Business Transformation

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2011-3154

Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143

Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036

Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054

Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071

Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web

Heartbleed Bug Sends Bandwidth Costs Skyrocketing

Heroku Security Bug Bounty

Regulators: No interruption after state utilities were hacked

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Facebook Webinject Leads to iBanking Mobile Bot

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports