Dark Reading | Security | Protect The Business

Advertise With Us

About Us

Digital Subscription

Dark Reading Radio: The Winners & Losers of Botnet Takedowns

7 Black Hat Sessions Sure To Cause A Stir

Internet of Things: Security For A World Of Ubiquitous Computing

Infographic: With BYOD, Mobile Is The New Desktop

CEO Report Card: Low Grades for Risk Management

Top Stories

Dark Reading Radio: The Winners & Losers ...

7 Black Hat Sessions Sure To Cause A Stir

Internet of Things: Security For A World ...

Infographic: With BYOD, Mobile Is The New ...

CEO Report Card: Low Grades for Risk ...

News & Commentary

Internet Of Things Contains Average Of 25 Vulnerabilities Per Device

Ericka Chickowski, Contributing Writer, Dark Reading

News

New study finds high volume of security flaws in such IoT devices as webcams, home thermostats, remote power outlets, sprinkler controllers, home alarms, and garage door openers.

By Ericka Chickowski Contributing Writer, Dark Reading, 7/29/2014

1 Comment | Read | Post a Comment

Latest Comment: Marilyn Cohodas, That seems pretty high to me, but how does that compare to, for instance, a...

DHS-Funded 'SWAMP' Helps Scour Code For Bugs

Kelly Jackson Higgins, Senior Editor, Dark Reading

News

Cloud-based platform offering free secure coding tools for developers in government, enterprises, academia, gaining commercial attention as well.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 7/28/2014

5 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Awareness of the tools is a good first step. Awareness that software assurance...

Weak Password Advice From Microsoft

Andrey Dulkin, Senior Director, Cyber Innovation, CyberArk

Commentary

Tempting as it may seem to do away with strong passwords for low-risk websites, password reuse is still a significant threat to both users and business.

By Andrey Dulkin Senior Director, Cyber Innovation, CyberArk, 7/28/2014

3 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, Your point is well-taken Andrey that in terms of risk the calculus of "important"...

Myth-Busting Machine Learning In Security

News

Black Hat USA presentation to help quell misconceptions and confusion over machine learning methods in today's security tools.

By Ericka Chickowski Contributing Writer, Dark Reading, 7/28/2014

4 comments | Read | Post a Comment

Latest Comment: Kelly Jackson Higgins, Good point, @tgulati. It is definitely evolving, and I think this talk should...

Researchers Develop 'BlackForest' To Collect, Correlate Threat Intelligence

Brian Prince, Contributing Writer, Dark Reading

News

Researchers at the Georgia Tech Research Institute develop the BlackForest system to help organizations uncover and anticipate cyberthreats.

By Brian Prince Contributing Writer, Dark Reading, 7/25/2014

1 Comment | Read | Post a Comment

Latest Comment: securityaffairs, Threat Intelligence and Information sharing are principal discipline and practices...

Internet of Things: 4 Security Tips From The Military

Michael K. Daly, CTO, Cybersecurity & Special Missions, Raytheon Intelligence, Information & Services

Commentary

The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It’s time to take a page from their battle plan.

By Michael K. Daly CTO, Cybersecurity & Special Missions, Raytheon Intelligence, Information & Services, 7/25/2014

8 comments | Read | Post a Comment

Latest Comment: GonzSTL, @aws0513 An excellent post! I have found myself talking about those points...

Travel Agency Fined £150,000 For Violating Data Protection Act

News

That'll teach them not to retain credit card data in perpetuity.

By Sara Peters , 7/24/2014

1 Comment | Read | Post a Comment

Latest Comment: Thomas Claburn, When it comes to data storage, less is more.

Passwords Be Gone! Removing 4 Barriers To Strong Authentication

Phillip M. Dunkelberger, President & CEO, Nok Nok Labs

Commentary

As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.

By Phillip M. Dunkelberger President & CEO, Nok Nok Labs, 7/24/2014

7 comments | Read | Post a Comment

Latest Comment: Arshad Noor, What makes FIDO different is that it does NOT rely on biometrics to authenticate...

7 Arrested, 3 More Indicted For Roles In Cyber Fraud Ring That Stung StubHub

News

Arrests made in New York state, London, Toronto, and Spain for money laundering, grand larceny, and using StubHub customers' credit cards to buy and sell 3,500 e-tickets to prime events.

By Sara Peters , 7/23/2014

3 comments | Read | Post a Comment

Latest Comment: RyanSepe, Never thought of it like that. That does make sense to a certain extent. However,...

RAM Scraper Malware: Why PCI DSS Can't Fix Retail

Brian Riley, Technical Director, Government Programs, Green Hills Software

Commentary

There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data

By Brian Riley Technical Director, Government Programs, Green Hills Software, 7/23/2014

8 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, That's a great call to action, @brianriley. Here are two links about how to...

Dark Reading Radio: The Winners & Losers of Botnet Takedowns

Commentary

Our guests are Cheri McGuire, VP of global government affairs and cyber security policy for Symantec, and Craig D. Spiezle, executive director and founder of the Online Trust Alliance.

By Sara Peters , 7/23/2014

0 comments | Read | Post a Comment

7 Black Hat Sessions Sure To Cause A Stir

At Black Hat, researchers will point out the weaknesses in everything from the satellites in outer space to the thermostat in your home.

By Ericka Chickowski Contributing Writer, Dark Reading, 7/22/2014

9 comments | Read | Post a Comment

Latest Comment: RyanSepe, Thanks for this! For me, I am interested to hear about the shortcomings of...

Nigerian 419 Scammers Evolving Into Malware Pushers (But Not Very Good Ones)

Quick Hits

"Silver Spaniel" attacks use commodity malware to damage others' security, but they aren't very good at protecting their own.

By Sara Peters , 7/22/2014

10 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, My thinking is that the earlier good practices can be drummed in the better....

Infographic: With BYOD, Mobile Is The New Desktop

Commentary

Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand.

By Adam Ely COO, Bluebox, 7/22/2014

8 comments | Read | Post a Comment

Latest Comment: RyanSepe, 14000 give or take a fluctuation of 500 because we are a teaching hospital...

Don't Overestimate EMV Protections, Underestimate Card Thief Sophistication

News

At Black Hat, an AccessData researcher will offer up a crash course in card payment tech and protections to root out security community misconceptions

By Ericka Chickowski Contributing Writer, Dark Reading, 7/21/2014

2 comments | Read | Post a Comment

Latest Comment: catvalencia, Now that debit card and credit card spending is growing; the door is open for...

Internet of Things: Security For A World Of Ubiquitous Computing

Candace Worley, SVP & GM, Endpoint Security, McAfee

Commentary

Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future.

By Candace Worley SVP & GM, Endpoint Security, McAfee, 7/21/2014

5 comments | Read | Post a Comment

Latest Comment: William L. Lind, The government should ensure about internet security. The use of the internet...

Hacking Your Hotel Room

News

At Black Hat USA next month, a researcher will show how to hack your way into controlling everything in a hotel room -- from lighting to television sets.

By Brian Prince Contributing Writer, Dark Reading, 7/18/2014

12 comments | Read | Post a Comment

Latest Comment: n0md3plum, I wear 6 proxies whenever I use hotel WiFi.

CEO Report Card: Low Grades for Risk Management

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

Dark Reading's latest community poll shows a stunning lack of confidence in chief execs' commitment to cyber security.

By Marilyn Cohodas Community Editor, Dark Reading, 7/18/2014

12 comments | Read | Post a Comment

Latest Comment: Robert McDougal, While I agree having everyone accountable is an ideal situation I would still...

Government-Grade Stealth Malware In Hands Of Criminals

News

"Gyges" can be bolted onto other malware to hide it from anti-virus, intrusion detection systems, and other security tools.

By Sara Peters , 7/17/2014

13 comments | Read | Post a Comment

Latest Comment: theb0x, To me government-grade sounds outdated. Polymorphic Shellcode has been around...

Website Hacks Dropped During World Cup Final

Quick Hits

Hackers apparently took time off to watch the Germany-Argentina title match of the 2014 FIFA World Cup.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 7/17/2014

15 comments | Read | Post a Comment

Latest Comment: RyanSepe, I definitely think your statement regarding the non-world cup average being...

More Stories

Current Conversations

Posted by Marilyn Cohodas

Your point is well-taken Andrey that in terms of risk the calculus of "important" versus "unimportant" is not a simple matter. For the typical user, it's obvious that you will want to protect your credit cards, online banking...

In reply to: Important to whom?
Post Your Own Reply

Posted by Marilyn Cohodas

That seems pretty high to me, but how does that compare to, for instance, a typical smartphone or tablet? I'd also be curious to know if OWASP has info abut which are most vulnerabe IoT devices on the market.

In reply to: 25 vulns/device
Post Your Own Reply

Posted by Marilyn Cohodas

Awareness of the tools is a good first step. Awareness that software assurance is a critical issue that needs to be addressed by all developers in companies large and small is the bigger challenge, to be sure.

In reply to: Re: DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Post Your Own Reply

Posted by GonzSTL

@aws0513 An excellent post! I have found myself talking about those points so many times, but unfortunately they sometimes fall on deaf ears. Usually it is because the listener has their own perception of security governance,...

In reply to: Re: What not to learn from the military
Post Your Own Reply

Posted by Kelly Jackson Higgins

So true. =) If the tools are free, easy to use online, all that's left is awareness about them. But I can see that still being an issue for smaller orgs/developers.

In reply to: Re: DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Post Your Own Reply

Posted by GonzSTL

Maybe it will make secure coding more mainstream. One thing it will potentially do is eliminate excuses.

In reply to: Re: DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Post Your Own Reply

Posted by Kelly Jackson Higgins

Given the strong push to write more secure code, this project indeed seems important. What I also think is cool about it is that it's going to include commercial scanning services, so users don't have to jump from one platform...

In reply to: Re: DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Post Your Own Reply

Posted by AlkaG040

I would say instead of using weak passwords at all, use a Single Sign-on solution to access all your accounts from one dashboard so that you only have to remember one set of credentials instead of many and that's to your...

In reply to: Single Sign-on as a solution for passwords
Post Your Own Reply

Posted by GonzSTL

This is an excellent service, especially for government agencies and small organizations who do not necessarily have the financial or human resouorces to help in the development of secure code. I understand that security...

In reply to: DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Post Your Own Reply

Posted by aws0513

First... thank you for the kind comment. Next... All of the following is my general opinion. Others may see things different. Most enterprise security teams fall way short on the preparing for the worst. Some of...

In reply to: Re: What not to learn from the military
Post Your Own Reply

Posted by Kelly Jackson Higgins

Good point, @tgulati. It is definitely evolving, and I think this talk should help advance that.

In reply to: Re: Machine Learning
Post Your Own Reply

Posted by theb0x

To me government-grade sounds outdated. Polymorphic Shellcode has been around a long time and is by far the most difficult to detect. Most IDSs contain signatures for commonly used strings within shellcode. It also hides...

In reply to: Government-Grade? Lol.
Post Your Own Reply

More Conversations

Security Insights

Microsoft, No-IP, And The Need For Clarity

The Microsoft vs. No-IP case highlights the need for clear standards of abuse handling and transparency on which service providers measure up.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

Business and IT Emerge as Essential Allies in the Move to Social IDs and 'Bring Your Own Identity'

IT Security Pros Surveyed: Poor password management leaves accounts open to attack

New Windows App to Detect WiFi Security

Global Study: Nearly 30 Percent of Security Professionals Would Completely Overhaul Their Current Enterprise Security System Given Resources & Opportunity

Half of Security Professionals Think Java Applications are Vulnerable to Attacks

ZeroFOX to Spotlight Social Risk Management at Black Hat 2014

Solutionary SERT 2014 Q2 Threat Intelligence Report: Amazon-Hosted Malware Nearly Triples in First Half 2014

39 Percent of IT Organizations Experienced More Than Two Significant Security Incidents

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

Nigerian 419 Scammers Evolving Into Malware Pushers (But Not Very Good Ones)

Sara Peters 7/22/2014

7 Black Hat Sessions Sure To Cause A Stir

Ericka Chickowski, Contributing Writer, Dark Reading, 7/22/2014

RAM Scraper Malware: Why PCI DSS Can't Fix Retail

Brian Riley, Technical Director, Government Programs, Green Hills Software, 7/23/2014

Live Events

Webinars

More UBM Tech
Live Events

Plan and Deploy a Most Cost-Effective 4G Infrastructure

Come to Interop New York, Sept 29 - Oct 3, 2014

Learn to Maximize Your Next-Gen Network Investments

Dark Reading Radio

Archived Dark Reading Radio

Botnet Takedowns: Who's Winning, Who's Losing

Sara Peters hosts a conversation on Botnets and those who fight them.

UPCOMING!
Wednesday, July 30, 1pm EDT
Data Loss Prevention (DLP) FAIL

FULL SCHEDULE | ARCHIVED SHOWS

Flash Poll

All Polls

White Papers

Network Transformation: A Guide to Planning Your Journey to All-IP

5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain

Creating the Best-of-Breed DDI Solution in a Microsoft Environment

Designing a Secure DNS Architecture

Visibility for Converged Infrastructure Solutions

More White Papers

Current Issue

Dark Reading Must Reads July 15, 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2014-3541

Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542

Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

CVE-2014-3543

Published: 2014-07-29
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity referenc...

CVE-2014-3544

Published: 2014-07-29
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVE-2014-3545

Published: 2014-07-29
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

Best of the Web

The NSA's Cyber-King Goes Corporate

Far East Targeted by Drive by Download Attack

Russia offers $110,000 to crack Tor anonymous network

Cat-stalking website highlights privacy issues

Siemens Fixes Vulnerabilities in SIMATIC WinCC SCADA System

Reports

Infographics

DevOps’ Impact on Application Security

Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.

Download Now!

More Reports

Slideshows

7 Black Hat Sessions Sure To Cause A Stir

9 comments | Read | Post a Comment

Ransomware: 5 Threats To Watch

6 Things That Stink About SSL