Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Heartbleed: A Password Manager Reality Check

Poll: Dark Reading Community Acts On Heartbleed

Mobility: Who Bears The Brunt Of Data Security & Privacy

Top Stories

Heartbleed: A Password Manager Reality Check

Poll: Dark Reading Community Acts On ...

Did A Faulty Memory Feature Lead To ...

The Real Wakeup Call From Heartbleed

Mobility: Who Bears The Brunt Of Data ...

News & Commentary

Michaels Retail Chain Reveals Details Of Breach: Nearly 3M Affected

Tim Wilson, Editor in Chief, Dark Reading

Quick Hits

Attack on point-of-sale systems went on for more than six months, officials say.

By Tim Wilson Editor in Chief, Dark Reading, 4/18/2014

2 comments | Read | Post a Comment

Latest Comment: RyanSepe, Has there been any report as to what type of malware was used to exploit the...

Poll: Dark Reading Community Acts On Heartbleed

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so.

By Marilyn Cohodas Community Editor, Dark Reading, 4/18/2014

0 comments | Read | Post a Comment

Heartbleed: A Password Manager Reality Check

News

Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

By Mathew J. Schwartz , 4/18/2014

8 comments | Read | Post a Comment

Latest Comment: stalepie, Use the word "passcode" instead of "password" and less people will use simple...

Phishers Recruit Home PCs

Brian Prince, Contributing Writer, Dark Reading

News

Residential broadband machines spotted hosting phishing attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/18/2014

2 comments | Read | Post a Comment

Latest Comment: Robert McDougal, I imagine it would be almost impossible for the ISP's to track down these compromised...

SQL Injection Cleanup Takes Two Months or More

Kelly Jackson Higgins, Senior Editor, Dark Reading

Quick Hits

A new report highlights the prevalence and persistence of SQL injection attacks.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

0 comments | Read | Post a Comment

Satellite Communications Wide Open To Hackers

News

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs, Very interesting post ... satellite components in many cases lack of proper...

11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue

News

Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.

By Mathew J. Schwartz , 4/17/2014

2 comments | Read | Post a Comment

Latest Comment: Bprince, This is a great post Matt. Does anyone have a problem with the way companies...

Microsoft Delays Enterprise Windows 8.1 Support Doomsday

News

Responding to criticism, Microsoft gives businesses until August to adopt Windows 8.1 Update and continue receiving security updates. Consumers still face May 13 deadline.

By Mathew J. Schwartz , 4/17/2014

1 Comment | Read | Post a Comment

Latest Comment: Robert McDougal, While this sounds like a heavy handed action from Microsoft, it is in line...

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies

Commentary

Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?

By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

17 comments | Read | Post a Comment

Latest Comment: CNACHREINER981, Perfect analogy, and exactly my point summed up fantastically!

Did A Faulty Memory Feature Lead To Heartbleed?

News

Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014

4 comments | Read | Post a Comment

Latest Comment: 1401, Aha - but imagine - if software developers and vendors had really accepted...

The Real Wakeup Call From Heartbleed

Commentary

There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

By Jeff Williams CTO, Contrast Security, 4/16/2014

9 comments | Read | Post a Comment

Latest Comment: Interesting, As an IT Auditor who worked with one of the big five (before they became the...

Smartphone Kill Switches Coming, But Critics Cry Foul

Commentary

Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.

By Thomas Claburn Editor-at-Large, 4/16/2014

18 comments | Read | Post a Comment

Latest Comment: micjustin33, I don't know how much kill switch option is useful for smartphones ..

Mobility: Who Bears The Brunt Of Data Security & Privacy

Grayson Milbourne, Director, Security Intelligence, Webroot

Commentary

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, As a consumer, i really like the idea of having a security rating on an apps...

Don't Blame It On The Web Programming Platform

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: GonzSTL, I would extend that notion to state that the C-suite must regard all of IT...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

3 comments | Read | Post a Comment

Latest Comment: ScottW834, The US Government has lost its credibility. What reason is there to trust...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

25 comments | Read | Post a Comment

Latest Comment: Thomas B. Pedersen, I should clarify that OneLogin doesn't focus particularly on start-ups, but...

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

4 comments | Read | Post a Comment

Latest Comment: Tyson S, ExtraHop analyzes all traffic to parse out transaction-level metrics, including...

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

More Stories

Current Conversations

Posted by stalepie

Use the word "passcode" instead of "password" and less people will use simple passcodes based on words. Something like "H6f4ggmo3fGaM" is not a word, so it doesn't make sense to call it a "password."

In reply to: language
Post Your Own Reply

Posted by RyanSepe

Has there been any report as to what type of malware was used to exploit the POS machines? Also, how were the machines infiltrated?

In reply to: Type of Malware
Post Your Own Reply

Posted by Bprince

From what I have been told is that for many the focus is on "compensating measures" such as firewalls and physical security. Truth is, they have been dealing with this type of issue for years. It's not uncommon to find Windows...

In reply to: compensating measures
Post Your Own Reply

Posted by Bprince

This is a great post Matt. Does anyone have a problem with the way companies were notified? Certain companies were told early, certain companies weren't, and there are vendors that still don't know if their product are vulnerable....

In reply to: Heartbleed
Post Your Own Reply

Posted by RyanSepe

Ok thank you for the insight. It seems very logical to have something like a password manager in place. However, let me play devil's advocate for the moment. For the password manager to work it needs to store your passwords....

In reply to: Re: RoboForm Password Manager
Post Your Own Reply

Posted by Interesting

As an IT Auditor who worked with one of the big five (before they became the big four) global audit firms, I can only suggest that our definitions of assurance are vastly different. Arthur Andersen certainly found it out...

In reply to: Re: But assurance equals accountability equals liability.
Post Your Own Reply

Posted by planetlevel

I wrote a nice tool to generate these labels automatically. If anyone is interested in making an open-source tool out of it, I'd be happy to share.

In reply to: Re: Assurance Evidence
Post Your Own Reply

Posted by securityaffairs

It is an embarrassing situation. The level of security offered to the customers is very poor. In many cases pos systems are common windows based machine with a few defense systems that in many cases are not sufficient...

In reply to: embarrassing
Post Your Own Reply

Posted by CNACHREINER981

Perfect analogy, and exactly my point summed up fantastically!

In reply to: Re: Great Article
Post Your Own Reply

Posted by Robert McDougal

I imagine it would be almost impossible for the ISP's to track down these compromised hosts. The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate...

In reply to: Re: Broadband provider's responsibility?
Post Your Own Reply

Posted by jaingverda

@Ryan to answer yoru questions for lastpass at least; I can't speak to other password managers. It does act as a single sign on but I still have to manually log into my password manager and click the button to sign into...

In reply to: Re: RoboForm Password Manager
Post Your Own Reply

Posted by Marilyn Cohodas

I really like your analogy comparing software assurance to a supply chain for software. I don't think it's too much to ask that we hold software to the same standard: that the components that go into developing bsiness...

In reply to: Re: But assurance equals accountability equals liability.
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

Study finds 52% of enterprises defenseless against cyber attacks

Cryptzone Survey Reveals SharePoint Users are Breaching Security Policies

Understanding Risk from Business Perspective Is Top Concern for Network Security Organizations

New Survey: Half of IT Professionals Make Undocumented Changes to IT Systems

Endpoint Protection Products Improve Significantly for Socially Engineered Malware Protection

SMS PASSCODE Announces North America Launch

New Osterman Research Report: Only 13% Happy With Compliance Methods

Sophos Boosts Network Security with New Hardware Appliances

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

How A Little Obscurity Can Bolster Security

Corey Nachreiner, Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014

The Real Wakeup Call From Heartbleed

Jeff Williams, CTO, Contrast Security, 4/16/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Cartoon

Latest Comment: LOL.

Cartoon Archive

White Papers

How Insurers Can Effectively Meet the Challenges of the ACA

DDoS Mitigation - Best Practices for a Rapidly Changing Threat Landscape

DDoS and Downtime - Considerations for Risk Management

Five Steps to Prepare for a DDoS Attack

Select the Right Cloud-Based ITSM Solution

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2013-6213

Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214

Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2014-0778

Published: 2014-04-19
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.

CVE-2014-1974

Published: 2014-04-19
Directory traversal vulnerability in LYSESOFT AndExplorer before 20140403 and AndExplorerPro before 20140405 allows attackers to overwrite or create arbitrary files via unspecified vectors.

CVE-2014-1983

Published: 2014-04-19
Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.

Best of the Web

Heartbleed Bug Sends Bandwidth Costs Skyrocketing

Heroku Security Bug Bounty

Regulators: No interruption after state utilities were hacked

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Facebook Webinject Leads to iBanking Mobile Bot

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports