Risk: News & Commentary
Why Digital Forensics In Incident Response Matter More Now
Commentary | Craig Carpenter, President & COO, Resolution1 Security | 12/24/2014
By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.
Backoff Malware Validates Targets Through Infected IP Cameras
News | Ericka Chickowski, Contributing Writer, Dark Reading | 12/23/2014
RSA report on Backoff dives deeper into clues about the POS software and hints at attackers potentially located in India.
How PCI DSS 3.0 Can Help Stop Data Breaches
Commentary | Troy Leach, Chief Technology Officer, PCI Security Standards Council, and Christopher Strand, Senior Director of Compliance, Bit9 | 12/23/2014
New Payment Card Industry security standards that take effect January 1 aim to replace checkmark mindsets with business-as-usual processes. Here are three examples.
The Internet's Winter Of Discontent
Commentary | Paul Vixie, Chairman & CEO, Farsight Security, Inc. | 12/19/2014
The great new cybersecurity challenge in summing up the most dangerous weaknesses in the world's connected economy is that the hits just keep on coming.
5 Pitfalls to Avoid When Running Your SOC
Commentary | Jeff Schilling, CSO, Firehost | 12/18/2014
The former head of the US Army Cyber Command SOC shares his wisdom and battle scars about playing offense, not defense, against attackers.
2014: The Year of Privilege Vulnerabilities
Commentary | Marc Maiffret, CTO, BeyondTrust | 12/16/2014
Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.
Shadow IT: Not The Risk You Think
Commentary | Tal Klein, VP Strategy, Adallom | 12/12/2014
Enterprise cloud services such as Box, Office 365, Salesforce, and Google Apps can make a better case for being called sanctioned than many legacy, on-premises, IT-provisioned applications.
Cyber Security Practices Insurance Underwriters Demand
Commentary | Natalie Lehr, Co-Founder & VP Analytics, TSC Advantage | 12/11/2014
Insurance underwriters aren't looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
Smartphones Get Headlines, But Lax USB Security Is Just As Risky
Commentary | Cam Roberson, Director Reseller Channel, Beachhead Solutions | 12/10/2014
Most companies use no software to detect or secure sensitive data when it is moved to a USB flash drive, or even check USB drives for viruses or malware.
3 Steps To Solidifying Air-Gap Security
News | Ericka Chickowski, Contributing Writer, Dark Reading | 12/8/2014
Your isolated systems may not be as secure from exfiltration or external control as you think.
Open Source Encryption Must Get Smarter
Commentary | Matt Little, VP Product Development, PKWARE | 12/8/2014
When it comes to cryptography, there are quite a few myths in the age-old debate about proprietary versus open source application security.
The Real Cost of Cyber Incidents, According To Insurers
News | Sara Peters, Senior Editor at Dark Reading | 12/3/2014
Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.
With Operation Cleaver, Iran Emerges As A Cyberthreat
News | Jai Vijayan, Freelance Writer | 12/3/2014
A hacker group's actions suggest that it is laying the groundwork for a future attack on critical infrastructure targets.
How Startups Can Jumpstart Security Innovation
Commentary | Rick Gordon, Managing Partner, Mach37 Cyber Accelerator | 12/3/2014
One of the best places for CISOs to turn for a cutting-edge cyber security strategy is the burgeoning world of startups. Here's how to find them.
Leveraging The Kill Chain For Awesome
Commentary | Sean Mason, VP, Incident Response, Resolution1 Security | 12/2/2014
There are good reasons the Kill Chain is being used by some of the most successful information security teams around. Here are three.
Senate Explores Outsourcing Security Services
News | Jai Vijayan, Freelance Writer | 12/2/2014
The US Senate might outsource core cyber security support to a managed security service. Candidate tasks include network security monitoring, threat analysis, incident reporting, vulnerability analysis, and security engineering and research.
Cybercrooks Expand Sights To Market Manipulation
News | Ericka Chickowski, Contributing Writer, Dark Reading | 12/1/2014
A new FireEye report shows attacks with simple technical roots but sophisticated knowledge of the investment world are stealing information that could be used for insider trading.
10 Ways Security Gurus Give Thanks
News | Ericka Chickowski, Contributing Writer, Dark Reading | 11/25/2014
From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.
6 Million+ Email Accounts Worldwide Exposed In Past 3 Months
Quick Hits | Kelly Jackson Higgins, Executive Editor at Dark Reading | 11/25/2014
Spike in number of stolen accounts likely due to uptick in major data breaches, researchers say.
Data Management Vs. Data Loss Prevention: Vive La Différence!
Commentary | Todd Feinman, President & CEO, Identity Finder | 11/25/2014
A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk.
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Bug Report: Enterprise Vulnerabilities, from DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.
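The bug class here is worth seeing end to end. The following is an added example, not HHVM's LightProcess code: a constructed line-oriented request protocol (one request per line, tab-separated fields, first field is the verb) whose only resemblance to the HHVM bug is the pattern. A field that contains the line terminator ends the current request early, and whatever follows is parsed as a second request chosen by whoever controlled that field. The naive encoder, a rejection-based fix, and a length-prefixed framing that makes no byte special are all shown; the field names and the `EVIL_NAME` input are constructed for the demonstration.

```python
"""Added example; not HHVM's LightProcess code.

Constructed line-oriented request protocol: one request per line,
tab-separated fields, first field is the verb.  A field value that
carries the line terminator ends the request early and everything after
it is parsed as a fresh request supplied by the field's author."""


def encode_naive(verb: str, *args: str) -> bytes:
    """Vulnerable: fields are joined without checking for framing bytes."""
    return ("\t".join((verb, *args)) + "\n").encode()


def encode_validated(verb: str, *args: str) -> bytes:
    """Hardened by rejection: refuse any field carrying a byte the framing
    layer interprets (CR, LF, the field separator, NUL)."""
    for field in (verb, *args):
        if any(c in field for c in "\r\n\t\0"):
            raise ValueError(f"framing byte inside protocol field: {field!r}")
    return ("\t".join((verb, *args)) + "\n").encode()


def parse_line_protocol(stream: bytes) -> list[list[str]]:
    """Receiver side of the line protocol: the requests the server executes."""
    return [line.split("\t") for line in stream.decode().split("\n") if line]


def encode_framed(verb: str, *args: str) -> bytes:
    """Hardened by design: netstring-style length prefixes on every field and
    on the whole request, so no byte value is special and there is no
    validation step to forget."""
    body = b"".join(
        f"{len(f.encode())}:".encode() + f.encode() + b"," for f in (verb, *args)
    )
    return f"{len(body)}:".encode() + body + b","


def parse_framed(stream: bytes) -> list[list[str]]:
    def take(buf: bytes, pos: int) -> tuple[bytes, int]:
        colon = buf.index(b":", pos)
        n = int(buf[pos:colon])
        start = colon + 1
        if buf[start + n:start + n + 1] != b",":
            raise ValueError("malformed frame")
        return buf[start:start + n], start + n + 1

    requests, pos = [], 0
    while pos < len(stream):
        body, pos = take(stream, pos)
        fields, p = [], 0
        while p < len(body):
            f, p = take(body, p)
            fields.append(f.decode())
        requests.append(fields)
    return requests


# Constructed attacker input: a "file name" that smuggles a second request.
EVIL_NAME = "report.txt\nexec\t/bin/sh\t-c\tid"


def demo() -> dict:
    naive = parse_line_protocol(encode_naive("stat", EVIL_NAME))
    try:
        encode_validated("stat", EVIL_NAME)
        validated = "accepted"
    except ValueError:
        validated = "rejected"
    framed = parse_framed(encode_framed("stat", EVIL_NAME))
    return {"naive": naive, "validated": validated, "framed": framed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the naive encoder the receiver sees two requests, the second an `exec`; the validated encoder raises before anything is sent; the framed encoder delivers the newline as ordinary field content. Prefer the framing change where you control both ends of the protocol, since rejection has to be remembered at every call site.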

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.
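An added example, not HHVM code, showing why a privilege drop that calls only setuid()/setgid() is incomplete: supplementary group IDs inherited from the privileged parent stay in the process credentials until setgroups() clears them, so any file granted to those groups remains reachable. `drop_privileges()` is the correct call sequence (it needs root, so it is shown but not exercised); `can_access()` is a pure simulation of the classic Unix discretionary access check, and the file mode, owner, group and uid values are constructed for the demonstration.

```python
"""Added example; not HHVM code.  drop_privileges() is the correct
sequence (needs root); can_access() simulates the Unix permission check
so the effect of a missing setgroups() is visible with constructed numbers."""
import os


def drop_privileges(uid: int, gid: int) -> None:
    """Order matters: clear supplementary groups while still privileged,
    then the primary gid, then the uid (after setuid() the others fail)."""
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    os.setgroups([])      # the call whose absence CVE-2014-2209 describes
    os.setgid(gid)
    os.setuid(uid)
    # Never trust the drop: re-read the credentials and abort on mismatch.
    if os.getuid() != uid or os.getgid() != gid or set(os.getgroups()) - {gid}:
        raise RuntimeError("privilege drop did not take effect")


def can_access(mode: int, owner: int, group: int, *, uid: int, gid: int,
               groups: frozenset[int], want: str) -> bool:
    """Simulated discretionary access check: owner bits if uid matches,
    else group bits if the file's group is the primary gid OR any
    supplementary group, else other bits.  Root's override is deliberately
    left out so the group path is what decides."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner:
        return bool((mode >> 6) & bit)
    if gid == group or group in groups:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


# Constructed fixture: a shadow-style file, mode 0640, owner root, group 42.
SHADOW = dict(mode=0o640, owner=0, group=42)
WORKER_UID, WORKER_GID = 1000, 1000


def after_incomplete_drop() -> bool:
    """uid and gid were changed, but the parent's supplementary groups
    (root's 0 and 42) were never cleared."""
    return can_access(**SHADOW, uid=WORKER_UID, gid=WORKER_GID,
                      groups=frozenset({0, 42}), want="r")


def after_full_drop() -> bool:
    """Same uid and gid, supplementary groups cleared by setgroups([])."""
    return can_access(**SHADOW, uid=WORKER_UID, gid=WORKER_GID,
                      groups=frozenset(), want="r")


if __name__ == "__main__":
    print("readable after setuid/setgid only:", after_incomplete_drop())
    print("readable after setgroups([]) as well:", after_full_drop())
```

The post-drop verification at the end of `drop_privileges()` is the part most implementations skip; a drop that silently half-succeeds is exactly the state this CVE describes.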

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...
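An added example, not HHVM or PHP code, of what an IV from an unseeded generator costs. `iv_unseeded()` stands in for a PRNG that starts every process from the same default state (`random.Random(0)` plays the part of a libc `rand()` nobody called `srand()` for); `iv_csprng()` draws from the OS. The cipher is a hash-based counter-mode keystream built on SHA-256 for this example, not mcrypt's block ciphers, so it runs with the standard library; the IV-reuse consequence it shows holds for any counter or stream mode. The key and both messages are constructed.

```python
"""Added example; not HHVM or PHP code.  Two "runs" of an application
encrypt under the same key; with an unseeded IV source both runs pick the
same IV, the keystream repeats, and one known plaintext exposes the other."""
import hashlib
import os
import random
from typing import Callable, Optional

IV_LEN = 16


def iv_unseeded() -> bytes:
    # A new generator in default state on each call: what a fresh process of
    # the unseeded application sees on its first request for an IV.
    rng = random.Random(0)
    return bytes(rng.getrandbits(8) for _ in range(IV_LEN))


def iv_csprng() -> bytes:
    return os.urandom(IV_LEN)


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter mode over SHA-256 (constructed for the example)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """IV is sent in the clear ahead of the ciphertext, as is normal."""
    return iv + bytes(p ^ k for p, k in zip(pt, keystream(key, iv, len(pt))))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes,
                                 ct_target: bytes) -> Optional[bytes]:
    """Passive attacker: if both ciphertexts carry the same IV under the same
    key, the keystream is shared and ct_known ^ pt_known reveals it."""
    if ct_known[:IV_LEN] != ct_target[:IV_LEN]:
        return None
    ks = xor(ct_known[IV_LEN:], pt_known)
    return xor(ct_target[IV_LEN:], ks)


# Constructed: the attacker knows one message (a fixed query format) and
# wants the other; each comes from a separate run of the same program.
KEY = hashlib.sha256(b"constructed demo key").digest()
KNOWN_PT = b"balance query for acct 000123"
SECRET_PT = b"transfer 9000 USD to acct 9"


def attack(iv_source: Callable[[], bytes]) -> Optional[bytes]:
    ct_known = encrypt(KEY, iv_source(), KNOWN_PT)    # "run 1"
    ct_secret = encrypt(KEY, iv_source(), SECRET_PT)  # "run 2"
    return recover_with_known_plaintext(ct_known, KNOWN_PT, ct_secret)


if __name__ == "__main__":
    print("unseeded IV source:", attack(iv_unseeded))
    print("CSPRNG IV source:  ", attack(iv_csprng))
```

The fix in any language is the same: take IVs from the operating system's CSPRNG rather than from a userland PRNG, seeded or not, and treat an IV source that can repeat across processes as a key-reuse bug.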

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.