
Dark Reading Issue Archive

Dark Reading: May 2012
May 2012: Supplemental Issue
  • Endpoint Insecurity: Employees and their browsers might be the weak link in your security plan. Here's how to close the gap.
  • Get Security Savvy: Tim Wilson explains why security-aware end users make such a difference.
Dark Reading: April 2012
April 2012
  • Close The Door On Data Leaks: Stop insider theft and accidental disclosure with network and host controls--and don't forget to keep employees on their toes.
  • Make Security Everyone's Business: Even the best data leak prevention tools will fail if employees don't make security a priority.
  • Lessons From The Global Payments Breach: Recent attack underscores problems with knowledge-based authentication and perimeter defense.
  • FTC Proposes "Privacy By Design": The agency's privacy guidelines could raise issues for e-commerce and online advertising.
Dark Reading: March 2012
March 2012: Supplemental Issue
  • Web Encryption That Works: Secure Sockets Layer isn't perfect, but there are ways to optimize it. Here are four places to start.
  • Security Success: As you look at the way you use security technology, be sure to follow best practices and do your updates. Success is all in the execution.
Dark Reading: January 2012
January 2012
  • Digital Detectives: The right forensic tools in the right hands are just a start. Here's how to better apply the lessons they teach.
  • Take The Offensive: It's time to be proactive, not reactive, with digital forensics.
  • DoS Attack Cripples Web Servers: Researcher's proof-of-concept code takes a different spin on slow HTTP denial-of-service attacks.
  • When Someone Else's Insider Is Your Threat: Protecting intellectual property is difficult when a third party has access to confidential information.
Dark Reading: December 2011
December 2011: Supplemental Issue
  • Access Denied: Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks -- accidental or otherwise.
  • Take Aim At Database Access: User provisioning isn't as simple as it sounds.
Dark Reading: October 2011
October 2011
  • Search And Secure: Sensitive data is scattered in forgotten corners of your IT infrastructure. Find and protect it before it winds up in the wrong hands.
  • The Practical Side Of Data Defense: The most common data breaches are the result of the simplest attacks.
  • Dueling SIEM Deals: IBM is buying Q1 Labs, and McAfee is picking up NitroSecurity. Deals come amid concerns that security information and event management must meet today's advanced threats.
  • Poor Marks For Training Programs: Experts say the security industry must figure out why cybersecurity awareness programs are so ineffective.
Dark Reading: August 2011
August 2011: Supplemental Issue
  • The SQL Injection Threat: Knowing how attackers find and exploit these vulnerabilities can help you defend against them.
  • Take The Defensive: 6 techniques you can use to stop these attacks.
  • Constant Vigilance: Don't ignore this dull but dangerous threat, Tim Wilson warns.
Dark Reading: July 2011
July 2011
  • Threats In The Supply Chain: The suppliers and contractors coming through your door could be a security risk to your business. Here's what you need to watch out for.
  • Look Beyond Security's Garden Path: Focusing solely on your own company's security ignores the bigger picture.
  • Take Me Out To The Breach Game: What do baseball and incident response have in common? Teamwork.
  • Homeland Security And IRS Vulnerabilities Cited: Agencies have been cited for database security problems.
  • Anonymous Hacks Booz Allen: Hacker group says it nabbed military email addresses and password hashes from the contractor.
  • U.S.-Russia Cybersecurity Pact: U.S. plans to start regularly sharing cybersecurity information with Russia.
Dark Reading: June 2011
June 2011: Supplemental Issue
  • Database Defenses: Lessons learned from five of the latest security breaches.
  • The Harsh Reality: The possibility of a database breach may be remote, but the costs are huge if it happens.
Dark Reading: April 2011
April 2011
  • Diary Of A Breach: Our intrusion detection timeline illustrates common but costly errors in companies' risk management processes.
  • Connect The Log Data Dots: Companies collect massive amounts of data for compliance and forensics, but don't use it to develop real security.
  • Take Me Out To The Breach Game: What do baseball and incident response have in common? Teamwork.
  • Epsilon Attack Means Long-Term Pain: The theft of millions of email addresses could lead to years of phishing, spamming, and targeted attacks.
  • EMC Adds Forensic Capabilities: Its NetWitness acquisition brings tools for better incident investigation.
  • Phishing Scam Snares RSA: Why didn't the security company use its own technology to prevent the attack that exposed its SecurID customers?
Dark Reading: March 2011
March 2011: Supplemental Issue
  • What Makes DB2 Security Different? IBM and its database customers didn't always give much thought to protecting their DB2 data. Both are now stepping up. Here's how and why.
  • Same Song, New Music For Database Security: As database attacks increase, many enterprises are looking to recentralize their sensitive data and reduce the size of the potential attack surface.
Dark Reading: January 2011
January 2011
  • Wicked Innovation: Cutting-edge attacks like Stuxnet and Zeus will be the everyday attacks of the future. We tell you what you need to know to keep your company safe.
  • Rationalizing Security: Five best practices to improve the budgeting process for security spending.
  • Prosperous New Year For Hackers: Tim Wilson explores five prime targets for exploits, including social networks, mobile devices, and wireless services.
  • TPM Chips Sit Idle: Could activating the authentication chips built into millions of machines solve our cybersecurity problems?
  • Mobile Users Go Phishing: Smartphone users are far more apt than PC users to visit phishing Web sites, new research shows.






Bugs
ENTERPRISE VULNERABILITIES
Vulnerability: ssl-vpn end-point interrogator/installer activex control
Published: 2010-11-03
Severity: High
Description: Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.

Vulnerability: gvim
Published: 2010-11-03
Severity: High
Description: Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.

Vulnerability: cforms
Published: 2010-11-03
Severity: Medium
Description: Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.

Vulnerability: links, wsn links, wsn links
Published: 2010-11-03
Severity: High
Description: Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.

Vulnerability: deluxebb
Published: 2010-11-03
Severity: Medium
Description: SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.


