Dark Reading | Security | Protect The Business

Advertise With Us

About Us

Digital Subscription

What Government Can (And Can't) Do About Cybersecurity

Could The Sony Attacks Happen Again? Join The Conversation

2015: The Year Of The Security Startup – Or Letdown

Top Stories

What Government Can (And Can't) Do About ...

Could The Sony Attacks Happen Again? Join ...

Why Russia Hacks

2015: The Year Of The Security Startup ...

Cartoon: End-User Ed

News & Commentary

Security Skills Shortage? Don’t Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance.

By Carric Dooley WW VP of Foundstone Services, Intel Security, 1/26/2015

0 comments | Read | Post a Comment

Adobe Fixes Second Flash Flaw Exploited By Angler

Ericka Chickowski, Contributing Writer, Dark Reading

News

Second 0-day fix addresses UAF vulnerability.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/26/2015

0 comments | Read | Post a Comment

Building A Cybersecurity Program: 3 Tips

Jason Sachowski, Senior Forensic Investigator, Scotiabank

Commentary

Getting from “we need” to “we have” a cybersecurity program is an investment in time and resources that’s well worth the effort.

By Jason Sachowski Senior Forensic Investigator, Scotiabank, 1/26/2015

0 comments | Read | Post a Comment

Growing Open Source Use Heightens Enterprise Security Risks

News

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say

By Jai Vijayan Freelance writer, 1/23/2015

3 comments | Read | Post a Comment

Latest Comment: Neta1, WhiteSource has been helping companies of all sizes to responsibly and effortlessly...

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave

Commentary

Conventional wisdom holds that Russia hacks primarily for financial gain. But equally credible is the belief that the Russians engage in cyberwarfare to further their geopolitical ambitions.

By Mike Walls Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

16 comments | Read | Post a Comment

Latest Comment: lynnbr2, Russia & China both have a long history of hacking for over fifty years....

Diverse White Hat Community Leads To Diverse Vuln Disclosures

Sara Peters, Senior Editor at Dark Reading

News

Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.

By Sara Peters Senior Editor at Dark Reading, 1/22/2015

6 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, The key to the success of these bug-bounty programs relies on the credibility...

The Internet of Abused Things

We need to find ways to better secure the Internet of Things, or be prepared to face the consequences.

By Liviu Arsene Senior E-threat Analyst, Bitdefender, 1/22/2015

0 comments | Read | Post a Comment

NSA Report: How To Defend Against Destructive Malware

Kelly Jackson Higgins, Executive Editor at Dark Reading

Quick Hits

In the wake of the Sony breach, spy agency's Information Assurance Directorate (IAD) arm provides best practices to mitigate damage of data annihilation attacks.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/22/2015

3 comments | Read | Post a Comment

Latest Comment: macker490, 1. use a secure O/S. 2. look into using Named Spaces remember that in implementing...

What Government Can (And Can’t) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security

Commentary

In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.

By Jeff Williams CTO, Aspect Security & Contrast Security, 1/22/2015

17 comments | Read | Post a Comment

Latest Comment: jleon570, It seems to me that "raising the bar for developers" isn't practical for the...

Protect Yourself by Protecting Others

How the consumerization of IT is affecting endpoint security.

By Candace Worley SVP & GM, Endpoint Security Business, Intel Security, 1/22/2015

0 comments | Read | Post a Comment

President's Plan To Crack Down On Hacking Could Hurt Good Hackers

News

Security experts critical of President Obama's new proposed cybersecurity legislation.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/21/2015

9 comments | Read | Post a Comment

Latest Comment: Wolf6305, Thanks for the voice of agreement. I think that a small group of people...

Security Budgets Going Up, Thanks To Mega-Breaches

News

Sixty percent of organizations have increased their security spending by one-third -- but many security managers still don't think that's enough, Ponemon study finds.

By Sara Peters Senior Editor at Dark Reading, 1/21/2015

5 comments | Read | Post a Comment

Latest Comment: GonzSTL, Case in point could be Target, the breach that keeps on giving. Incident Response...

Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit

Quick Hits

Researcher Kafeine's 0day discovery confirmed by Malwarebytes.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Thanks, @Jon. I was about to post an update here about the patch. http://blogs.adobe.com/psirt/?p=1157 And...

Facebook Messenger: Classically Bad AppSec

Commentary

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

By Daniel Riedel CEO, New Context, 1/21/2015

2 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, I find it particulary disturbing that Facebook exhibits such flagrant disregard...

Could The Sony Attacks Happen Again? Join The Conversation

Tim Wilson, Editor in Chief, Dark Reading

Commentary

Check out Dark Reading Radio's interview and live chat with CrowdStrike founder and CEO George Kurtz and Shape Security executive Neal Mueller.

By Tim Wilson Editor in Chief, Dark Reading, 1/21/2015

12 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, So noted, Gonz. We may not be hitting this exact topic immediately. But we've...

Ransomware Leads Surge In 2014 Mobile Malware Onslaught

News

Mobile malware increases 75 percent in U.S.

By Ericka Chickowski Contributing Writer, Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: impactnow, Do you think the current software is adequate to protect our phones or do you...

'123456' & 'Password' Are The 2 Most Common Passwords, Again

Quick Hits

New entrants to the top 25 show that bad password creators are fans of sports, superheroes, dragons, and NSFW numeral combos.

By Sara Peters Senior Editor at Dark Reading, 1/20/2015

3 comments | Read | Post a Comment

Latest Comment: RyanSepe, I think options are the worst part of creating a password. UserID's and passwords...

New Technology Detects Cyberattacks By Their Power Consumption

News

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/20/2015

2 comments | Read | Post a Comment

Latest Comment: MichaelE546, Ingenious but I agree with Whoopty on this technique having the "Car Alarm"...

Recruit, Reward & Retain Cybersecurity Experts

How to create a better working environment for security professionals.

By Carric Dooley WW VP of Foundstone Services, Intel Security, 1/20/2015

5 comments | Read | Post a Comment

latest comment CarricDooley I would argue that the CISO often DOES pay - with his job. (A friend of mine...

A Lot of Security Purchases Remain Shelfware

News

Companies may be investing more in security, but many are either underutilizing their new purchases or not using them at all, an Osterman Research survey shows.

By Jai Vijayan Freelance writer, 1/16/2015

9 comments | Read | Post a Comment

Latest Comment: dplyons, I have known many standard IT Admins. I would trust very very few of...

More Stories

Current Conversations

Posted by jleon570

It seems to me that "raising the bar for developers" isn't practical for the very reasons you cited as the reasons: the staggering complexity. The number of "developers" in the world is too large to be hogtied. Perhaps...

In reply to: Problematic solutions at best.
Post Your Own Reply

Posted by Marilyn Cohodas

Yep, I've been on the receiving end of a few security presentations that looked like that. Funny cartoon that very rings too true. :-)

In reply to: Been there..
Post Your Own Reply

Posted by Marilyn Cohodas

The key to the success of these bug-bounty programs relies on the credibility and legitimacy of the white-hat hackers. Not sure that a platform like Wooyun is the right model of the U.S. , especially under the existing...

In reply to: Re: Alas...
Post Your Own Reply

Posted by Marilyn Cohodas

Good points,@andregironda. If you haven't already, I hope you will take a few minutes to check out and comment on Mike's follow up blogs on why Russia and North Korea hack. Coming up next is Iran, then US & Israel. So stay...

In reply to: Re: Why the Hack Not?
Post Your Own Reply

Posted by Neta1

WhiteSource has been helping companies of all sizes to responsibly and effortlessly manage the open source components they use. We've been doing it since 2011 and for all programming languages, we are in a unique position...

In reply to: WhiteSource proves that open source is safe if used responsibly
Post Your Own Reply

Posted by lynnbr2

Russia & China both have a long history of hacking for over fifty years. Their primary reason is military. Remenber the Buran shuttle - amazinging similar to our old Space Shuttle. And now look at the Chinese J-20...

In reply to: Re: Financial gain?
Post Your Own Reply

Posted by andregironda

It is really simple to gauge the intentions of each country leading to cyber indications, based on a sort of personality test.While the sociocultural theories are still under massive development, starter frameworks such...

In reply to: Re: Why the Hack Not?
Post Your Own Reply

Posted by mumom10

This is downright unethical. There is no way the company didn't know how insecure this device was. This is a privacy violation to begin with - to expect a customer to allow an insurance provider to track. It...

In reply to: Hack the dongle
Post Your Own Reply

Posted by Joe Stanganelli

I recently saw former DHS chief Michael Chertoff speak at a cybersecurity conference, and he himself outright accused Russia of actively working with and supporting criminal organizations so as to perpetrate cyberwarfare...

In reply to: FWIW...
Post Your Own Reply

Posted by Joe Stanganelli

Hah! I <3 the Frankenstein analogy! This is the folly of Linus's Law -- i.e., "Given enough eyeballs, all bugs are shallow."Akamai's CSO, Andy Ellis, put it best at a cybersecurity conference I attended a...

In reply to: Frankenstein
Post Your Own Reply

Posted by Joe Stanganelli

Unfortunately, it would seem that if the current administration gets its way (as Jeff Williams wrote for Dark Reading recently), the CFAA will be expanded significantly -- which is harmful to and disincentivizes white-hat...

In reply to: Alas...
Post Your Own Reply

Posted by Joe Stanganelli

*sigh* Unfortunately, the CFAA needs revamping before it needs strengthening/broadening, because it in and of itself hurts cybersecurity efforts by penalizing independent security research.

In reply to: CFAA
Post Your Own Reply

More Conversations

Products & Releases

Bitglass Breach Discovery Limits Damage From Data Breaches

Adroit Digital Study Reveals Consumer Data Privacy and Security Concerns as President Obama Talks Cybersecurity in State of the Union

Updated for 2015: Tools Designed to Manage Third Party Risk

Vormetric’s 2015 Insider Threat Report: 93% of U.S. Organizations Polled Vulnerable to Insider Threats

Online Trust Alliance Determines Over 90 Percent of Data Breaches in First Half of 2014 Could Have Been Easily Prevented

As State of the Union Tackles Cybersecurity, New ISACA Survey Shows 86% See a Cybersecurity Skills Shortage

ForgeRock and FireEye Join Forces to Detect Cyber Attacks with Identity-Aware Threat Intelligence Solution

RiskIQ Finds More Than 11 Percent of Android Banking and Finance- Related Apps are Suspicious

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

What Government Can (And Can't) Do About Cybersecurity

Jeff Williams, CTO, Aspect Security & Contrast Security, 1/22/2015

Why Russia Hacks

Mike Walls, Managing Director Security Operations & Analysis, EdgeWave, 1/23/2015

Could The Sony Attacks Happen Again? Join The Conversation

Tim Wilson, Editor in Chief, Dark Reading, 1/21/2015

Partner Perspectives

What's This?

Security Skills Shortage? Don't Panic!

Focus your energies on building a comprehensive security strategy and turning to experts for guidance. Read >>

Protect Yourself by Protecting Others

0 comments

Recruit, Reward & Retain Cybersecurity Experts

5 comments

More Stories

Live Events

Webinars

More UBM Tech
Live Events

Join Security Experts at Black Hat Asia 2015

Embracing the Bring-Your-Own-App Phenomenon

Interop Las Vegas Conference & Expo

Cartoon

Latest Comment: Yep, I've been on the receiving end of a few security presentations that looked like that. Funny cartoon that very rings too true. :-)

Cartoon Archive

Dark Reading Radio

Archived Dark Reading Radio

The Sony Hack: A Security Community Discussion

If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.

FULL SCHEDULE | ARCHIVED SHOWS

White Papers

Capitalizing On Big Data: Managed Services Help Financial Firms Accelerate Big Data Projects

The Potential of Location Based Data and Geographic Information Systems in Insurance

SDN: How do you get there from here?

Understanding Big Data Quality

Technology for Big Data

More White Papers

Current Issue

Dark Reading Tech Digest, Dec. 19, 2014

Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-8148

Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157

Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158

Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571

Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572

Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web

Unpatched Apple Vulnerabilities Latest Google Project Zero Disclosures

Barrett Brown Sentenced to 5 Years in Prison in Connection to Stratfor Hack

FBI: Ransomware is on the Rise

Nearly every U.S. arms program found vulnerable to cyber attacks

Israeli man arrested over Madonna hack

Reports

Infographics

10 Recommendations for Outsourcing Security

Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?

Download Now!

Title Partner’s Role in Perimeter Security

0 comments

Threat Intel Today

0 comments

DevOps’ Impact on Application Security

0 comments

More Reports