Dark Reading | Security | Protect The Business

IW Home

Advertise With Us

About Us

Digital Subscription

Akamai Withdraws Proposed Heartbleed Patch

'Baby Teeth' In Infrastructure Cyber Security Framework

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

Top Stories

Heartbleed's Intranet & VPN Connection

Akamai Withdraws Proposed Heartbleed Patch

'Baby Teeth' In Infrastructure Cyber ...

Active Directory Is Dead: 3 Reasons

Iranian-Based Cyberattack Activity On The ...

News & Commentary

Don't Blame It On The Web Programming Platform

Kelly Jackson Higgins, Senior Editor, Dark Reading

Quick Hits

New data shows no one Web development platform generates more vulnerabilities than another -- and website security is still a problem.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/15/2014

1 Comment | Read | Post a Comment

Latest Comment: anon6230542982, Anyone in this industry knows that the development language is not the issue,...

White House Details Zero-Day Bug Policy

News

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information is some cases involving security or law enforcement.

By Mathew J. Schwartz , 4/15/2014

2 comments | Read | Post a Comment

Latest Comment: Charlie Babcock, It wasn't the NSA's responsibility to find the HeartBleed bug, and if they...

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin

Commentary

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

By Thomas Pedersen CEO & Founder, OneLogin, 4/15/2014

15 comments | Read | Post a Comment

Latest Comment: vremenar, You actually think you can get away with "Active Directory Is Dead. Buy my...

Heartbleed's Intranet & VPN Connection

News

How the game-changing crypto bug affects internal servers, clients, and VPN networks -- and what to do about it.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/14/2014

0 comments | Read | Post a Comment

Akamai Withdraws Proposed Heartbleed Patch

News

As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.

By Mathew J. Schwartz , 4/14/2014

2 comments | Read | Post a Comment

Latest Comment: cumulonimbus, SSL encryption is just one small aspect of security in this digital age, albeit...

'Baby Teeth' In Infrastructure Cyber Security Framework

Dave Frymier, Chief Information Security Officer, Unisys

Commentary

NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.

By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014

6 comments | Read | Post a Comment

Latest Comment: JeremiahT680, So i came to the conclusion w/ all of the NSA spying that basically it comes...

Iranian-Based Cyberattack Activity On The Rise, Mandiant Report Says

Brian Prince, Contributing Writer, Dark Reading

News

New report details the rise of suspected Iranian and Syrian-based cyber-attacks.

By Brian Prince Contributing Writer, Dark Reading, 4/11/2014

2 comments | Read | Post a Comment

Latest Comment: securityaffairs01, I think that one of the most scaring results proposed by the report is that...

Feds Address Antitrust Concerns On Cyberthreat Sharing

Commentary

Justice Dept. and FTC confirm that sharing cybersecurity threat information is not an antitrust law violation.

By William Jackson Technology Writer, 4/11/2014

3 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Information sharing will come from vendors that companies have relationships...

Free Heartbleed-Checker Released for Firefox Browser

Quick Hits

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/11/2014

4 comments | Read | Post a Comment

Latest Comment: Randy Naramore, Chrome Checker is doing well for me also.

Windows XP Alive & Well in ICS/SCADA Networks

News

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

1 Comment | Read | Post a Comment

Latest Comment: RyanSepe, What safeguards are being taken to ensure that the systems are not being exploited...

Heartbleed Will Go On Even After The Updates

News

What's next now that the mindset is 'assume the worst has already occurred?'

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014

6 comments | Read | Post a Comment

Latest Comment: AKessler, This may seem alarming to some but intelligence agencies are in the business...

Flash Poll: Broken Heartbeat

Marilyn Cohodas, Community Editor, Dark Reading

Commentary

What steps do you plan to take in response to the Heartbleed bug? Take our poll and share your reasons in the comments.

By Marilyn Cohodas Community Editor, Dark Reading, 4/10/2014

0 comments | Read | Post a Comment

Heartbleed: Examining The Impact

Commentary

With Heartbleed, there’s little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here’s how to defend against future attacks.

By Tim Sapio Security Analyst, Bishop Fox, 4/10/2014

5 comments | Read | Post a Comment

Latest Comment: macker490, the impact is less than you might think: we all live in a heavilly...

CIO Vs. CSO: Allies Or Enemies?

Eric Cole, Founder & Chief Scientist, Secure Anchor Consulting

Commentary

In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.

By Eric Cole Founder & Chief Scientist, Secure Anchor Consulting, 4/10/2014

10 comments | Read | Post a Comment

Latest Comment: GonzSTL, Yes, believe me, I get all that, but if you were to stand up a security organization...

Majority Of Users Have Not Received Security Awareness Training, Study Says

Tim Wilson, Editor in Chief, Dark Reading

Quick Hits

Many users fail to follow policies on mobile, cloud security, EMA Research study says.

By Tim Wilson Editor in Chief, Dark Reading, 4/10/2014

11 comments | Read | Post a Comment

Latest Comment: Kwattman, To add to prior conversation, these days, you need to have an employee security...

More Than A Half-Million Servers Exposed To Heartbleed Flaw

News

What the newly exposed SSL/TLS threat really means for enterprises and end-users.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/9/2014

15 comments | Read | Post a Comment

Latest Comment: SaneIT, Yes, especially those that rarely log on to a particular site. If they...

Paul Allen Invests In Online Voting Firm

Commentary

E-voting firm Scytl receives $40 million from Paul Allen's Vulcan Capital to continue election modernization efforts. Defense Department among its customers.

By Elena Malykhina Technology Journalist, 4/9/2014

5 comments | Read | Post a Comment

Latest Comment: ,

What’s Worse: Credit Card Or Identity Theft?

Kerstyn Clover, Attack & Defense Team Consultant

Commentary

When it comes to data loss, it’s time for the conversation to shift from credit cards to personal information like Social Security numbers, home addresses, and your favorite flavor of ice cream.

By Kerstyn Clover Attack & Defense Team Consultant, 4/9/2014

17 comments | Read | Post a Comment

Latest Comment: Marilyn Cohodas, @CypherpunkI - In my state -- Massachusetts, they've installed bitcoin ATMS...

Emergency SSL/TLS Patching Under Way

News

A "Heartbleed" flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.

By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/8/2014

17 comments | Read | Post a Comment

Latest Comment: securityaffairs, Let's analyze also the reply of principal web service providers. I made some...

One Year Later: The APT1 Report

Nick Selby, CEO, StreetCred Software, Inc

Commentary

One of the most positive impacts of APT1 is the undeniable rise in the stature of the threat intelligence industry. "Threat Intelligence" is the SIEM, the NAC of 2014.

By Nick Selby CEO, StreetCred Software, Inc, 4/8/2014

2 comments | Read | Post a Comment

Latest Comment: nselby, My comment about "fact" and "FUD" has alarmed some: by it, I did not mean to...

More Stories

Current Conversations

Posted by vremenar

You actually think you can get away with "Active Directory Is Dead. Buy my soulution!" Oh, let me keep all my employes accounts on OneLogin that one day might have an "Heartbleed-like" bug. Hmm, that does sound like a...

In reply to: Re: What's the alternative
Post Your Own Reply

Posted by anon6230542982

Anyone in this industry knows that the development language is not the issue, that it is the implementation is the issue, and it all starts with the C suite. When it comes to secure software development most organizations...

In reply to: It all starts with the C-Level
Post Your Own Reply

Posted by Charlie Babcock

It wasn't the NSA's responsibility to find the HeartBleed bug, and if they did find it, I wouldn't believe their statements that they didn't use it. For them to say otherwise would tip off various parties that their servers...

In reply to: Don't expect the NSA to help or even come clean
Post Your Own Reply

Posted by securityaffairs01

We cannot be surprised. NSA, as any other intelligence has used, and will use in the future exploits to gather sensitive information and foreign government secrets. What we are seeing is just the tip of the iceberg ......

In reply to: What's new?
Post Your Own Reply

Posted by jrdepriest

You are out of your mind. AD isn't dead and will likely be a foundation of access control for smart organizations for a long time. Why? - AD is extensible. You have an app that needs fields not supported in AD? It can...

In reply to: You've been drinking your own Kool Aid
Post Your Own Reply

Posted by Marilyn Cohodas

It's interesting to read the views of all the defenders of AD and the bashers of someone who predicts its demise. But what about the question Thomas put out to the security community in his blog? He asked: - What...

In reply to: Your experience integrating AD with cloud apps?
Post Your Own Reply

Posted by boconnor@henryscheinvet.com

Your article has some merit, calling out the aging Active Directory, but you seem to base the premise on the 1990's technology (I will agree the foot in the door was Exchange 5.5 on directory management, but AD was released...

In reply to: Don't count Microsoft out yet
Post Your Own Reply

Posted by TerryB

I'm waiting to see your answer to @Marilyn, Thomas. Your use examples talk about new startups, of which 70-90% fail anyway. Cloud does make a lot sense in that case, why would you implement your own Exchange server right...

In reply to: Re: What's the alternative
Post Your Own Reply

Posted by JeremiahT680

So i came to the conclusion w/ all of the NSA spying that basically it comes down to this. The internet would fail w/o the NSA... basically they have a vested interest in the internet and have exploited vulnerabilities for...

In reply to: Netowrk Infrastructure
Post Your Own Reply

Posted by MauriceB786

I may have worded that poorly. I meant what value-add is it? What can it do that I can't?This is speaking as someone well-versed in automation, AD, and generally making people say "I didn't know it could do that." I'm...

In reply to: Re: What's the alternative
Post Your Own Reply

Posted by Thomas B. Pedersen

Maurice, You hit the nail on the head right there. A decently resourced IT team can accomplish anything, but do you really want to throw resources at all problems or would you rather leverage commercially available solutions...

In reply to: Re: What's the alternative
Post Your Own Reply

Posted by Marilyn Cohodas

Incidenally I'm putting as an open challenge Mr.Pederson, that your product doesn't do anything that a decently resourced IT team can't. @MauriceB786 What are the specific things that you believe a cloud-based...

In reply to: Re: What's the alternative
Post Your Own Reply

More Conversations

Security Insights

Preying On A Predator

Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals.

0 comments
Read | Post a Comment

More Sophos Security Insights

Products & Releases

Survey: As Companies Move to the Cloud, Increased Security is their Biggest IT Concern

Future of Open Source Survey: OSS Powering New Technologies, Creating New Economics

IBM Delivers Disaster Recovery, Security Services to SoftLayer Clients

Tripwire Donates $11.75M Cybersecurity Service to Penn State

(ISC)2® Intros Program to Develop Global Cybersecurity Education

CSC's New App Security Offering

NSS Labs Releases Latest Browser Security Test Results

Study Reveals 40% of Data Needs Protection; Less than Half of that Gets It

More Products & Releases

PR Newswire

Hot Topics

Editors' Choice

What's Worse: Credit Card Or Identity Theft?

Kerstyn Clover, Attack & Defense Team Consultant, 4/9/2014

More Than A Half-Million Servers Exposed To Heartbleed Flaw

Kelly Jackson Higgins, Senior Editor, Dark Reading, 4/9/2014

Active Directory Is Dead: 3 Reasons

Thomas Pedersen, CEO & Founder, OneLogin, 4/15/2014

Live Events

Webinars

More UBM Tech
Live Events

Enterprise Connect Lync Tour

Tower & Small Cell Summit

Flash Poll

All Polls

White Papers

Key Methods for Managing Complex Database Environments

Boosting Storage Performance for IO Intensive Enterprise Applications

Top 8 Considerations To Enable and Simplify Mobility

Key Components Of Your Resiliency Strategy

Supply Chain Visibility in Business Networks

More White Papers

Current Issue

Dark Reading April 2014

Download This Issue!

Subscribe Now!

Back Issues | Must Reads

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2013-5704

Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705

Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341

Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342

Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348

Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web

New Microsoft Threat Modeling Tool 2014 Now Available

Hackers attempt to blackmail cosmetic surgery firm, after stealing up to 500,000 patients’ records

Both attackers, researchers exploit Heartbleed OpenSSL vulnerability

Heartbleed disclosure timeline: who knew what and when

So Far, So Good for TrueCrypt: Initial Audit Phase Turns Up No Backdoors

Reports

Infographics

Containing Corporate Data on Mobile Devices

If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.

Download Now!

More Reports