Vulnerabilities / Threats
News & Commentary
Why Digital Forensics In Incident Response Matter More Now
Craig Carpenter, President & COO, Resolution1 SecurityCommentary
By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.
By Craig Carpenter President & COO, Resolution1 Security, 12/24/2014
Comment7 comments  |  Read  |  Post a Comment
JPMorgan Hack: 2FA MIA In Breached Server
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
Sources close to the breach investigation say a network server missing two-factor authentication let attackers make their way into JPMorgan's servers.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/24/2014
Comment9 comments  |  Read  |  Post a Comment
Backoff Malware Validates Targets Through Infected IP Cameras
Ericka Chickowski, Contributing Writer, Dark ReadingNews
RSA report on Backoff dives deeper into clues about the POS software and hints at attackers potentially located in India.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/23/2014
Comment1 Comment  |  Read  |  Post a Comment
How PCI DSS 3.0 Can Help Stop Data Breaches
Troy Leach and Christopher Strand, Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9Commentary
New Payment Card Industry security standards that take effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples.
By Troy Leach and Christopher Strand Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9, 12/23/2014
Comment1 Comment  |  Read  |  Post a Comment
The Coolest Hacks Of 2014
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative -- and yes, scary -- hacks this year by security researchers.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/22/2014
Comment8 comments  |  Read  |  Post a Comment
Security News No One Saw Coming In 2014
John B. Dickson, CISSP,  Principal, Denim GroupCommentary
John Dickson shares his list (and checks it twice) of five of the most surprising security headlines of the year.
By John B. Dickson CISSP, Principal, Denim Group, 12/22/2014
Comment12 comments  |  Read  |  Post a Comment
The Internet's Winter Of Discontent
Paul Vixie, Chairman & CEO, Farsight Security, Inc.Commentary
The new great cybersecurity challenge in trying to sum up the most dangerous weaknesses in the worldís connected economy is that the hits just keep on coming.
By Paul Vixie Chairman & CEO, Farsight Security, Inc., 12/19/2014
Comment1 Comment  |  Read  |  Post a Comment
Time To Rethink Patching Strategies
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
In 2014, the National Vulnerability Database is expected to log a record-breaking 8,000 vulnerabilities. That's 8,000 reasons to improve software quality at the outset.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 12/19/2014
Comment14 comments  |  Read  |  Post a Comment
5 Pitfalls to Avoid When Running Your SOC
Jeff Schilling, CSO, FirehostCommentary
The former head of the US Army Cyber Command SOC shares his wisdom and battle scars about playing offense not defense against attackers.
By Jeff Schilling CSO, Firehost, 12/18/2014
Comment6 comments  |  Read  |  Post a Comment
'Grinch' Bug May Affect Most Linux Systems
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
But newly discovered vulnerability not as urgent as previous open-source bug disclosures.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/17/2014
Comment3 comments  |  Read  |  Post a Comment
The New Target for State-Sponsored Cyber Attacks: Applications
Jeff Williams, CTO, Aspect Security & Contrast SecurityCommentary
Skilled hackers are now using simple web application vulnerabilities like SQL Injection to take over database servers. Are you prepared to defend against this new type of threat actor?
By Jeff Williams CTO, Aspect Security & Contrast Security, 12/17/2014
Comment1 Comment  |  Read  |  Post a Comment
2014: The Year of Privilege Vulnerabilities
Marc Maiffret, CTO, BeyondTrustCommentary
Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.
By Marc Maiffret CTO, BeyondTrust, 12/16/2014
Comment1 Comment  |  Read  |  Post a Comment
Ekoparty Isnít The Next Defcon (& It Doesnít Want To Be)
Andrew Ford, Developer, BugcrowdCommentary
Unlike American security conferences that offer a buffet of merchandise, meals, and drinks, Ekoparty, in Buenos Aires, is every bit as functional -- with a little less fluff.
By Andrew Ford Developer, Bugcrowd, 12/15/2014
Comment0 comments  |  Read  |  Post a Comment
Shadow IT: Not The Risk You Think
Tal Klein, VP Strategy, AdallomCommentary
Enterprise cloud services such as Box, Office 365, Salesforce, and Google Apps can make a better case for being called sanctioned than many legacy, on-premises, IT-provisioned applications.
By Tal Klein VP Strategy, Adallom, 12/12/2014
Comment0 comments  |  Read  |  Post a Comment
Hiring Hackers To Secure The Internet Of Things
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
How some white hat hackers are changing career paths to help fix security weaknesses in consumer devices and business systems.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/11/2014
Comment3 comments  |  Read  |  Post a Comment
Cyber Security Practices Insurance Underwriters Demand
Natalie Lehr, Co-Founder & VP Analytics, TSC AdvantageCommentary
Insurance underwriters arenít looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
By Natalie Lehr Co-Founder & VP Analytics, TSC Advantage, 12/11/2014
Comment2 comments  |  Read  |  Post a Comment
Crypto In The Crosshairs Again
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
"POODLE" attack extends to newer versions of SSL/TLS encryption as well.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/10/2014
Comment0 comments  |  Read  |  Post a Comment
'Inception' Cyber Espionage Campaign Targets PCs, Smartphones
Jai Vijayan, Freelance writerNews
Blue Coat report details sophisticated attacks mainly against Russian targets, and Kaspersky Lab calls new campaign next-generation of Red October cyber spying operation.
By Jai Vijayan Freelance writer, 12/10/2014
Comment1 Comment  |  Read  |  Post a Comment
Employees Still Get More Access Than They Need
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Two surveys show how little enterprises enforce and track least-privilege policies.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/9/2014
Comment1 Comment  |  Read  |  Post a Comment
Internet Of Things: 3 Holiday Gifts That Will Keep CISOs Up At Night
Chris Rouland, Founder & CEO, BastilleCommentary
If you think BYOD policies will protect your infrastructure from the January influx of mobile hotspots, fitness trackers, and Bluetooth, think again.
By Chris Rouland Founder & CEO, Bastille, 12/9/2014
Comment7 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
PR Newswire
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.