Vulnerabilities / Threats
News & Commentary
Hacker Or Military? Best Of Both In Cyber Security
John B. Dickson, CISSP,  Principal, Denim GroupCommentary
How radically different approaches play out across the security industry.
By John B. Dickson CISSP, Principal, Denim Group, 8/21/2014
Comment4 comments  |  Read  |  Post a Comment
Heartbleed Not Only Reason For Health Systems Breach
Sara Peters, Senior Editor at Dark ReadingNews
Community Health Systems' bad patching practices are nothing compared to its poor encryption, network monitoring, fraud detection, and data segmentation, experts say.
By Sara Peters Senior Editor at Dark Reading, 8/20/2014
Comment9 comments  |  Read  |  Post a Comment
4 Tips: Protect Government Data From Mobile Malware
Julie M. Anderson, Managing Director, Civitas GroupCommentary
Mobile malware continues to proliferate, particularly on Android devices. These four steps help counter the threat.
By Julie M. Anderson Managing Director, Civitas Group, 8/20/2014
Comment2 comments  |  Read  |  Post a Comment
Debugging The Myths Of Heartbleed
Steve Riley, Technical Leader, Office of the CTO, Riverbed TechnologyCommentary
Does Heartbleed really wreak havoc without a trace? The media and many technical sites seemed convinced of this, but some of us were skeptical.
By Steve Riley Technical Leader, Office of the CTO, Riverbed Technology, 8/20/2014
Comment3 comments  |  Read  |  Post a Comment
Q&A: DEF CON At 22
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
DEF CON founder Jeff Moss, a.k.a. The Dark Tangent, reflects on DEF CON's evolution, the NSA fallout, and wider security awareness.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 8/19/2014
Comment2 comments  |  Read  |  Post a Comment
Why John McAfee Is Paranoid About Mobile
Peter Zavlaris, Analyst, RiskIQCommentary
Mobile apps are posing expanding risks to both enterprises and their customers. But maybe being paranoid about mobile is actually healthy for security.
By Peter Zavlaris Analyst, RiskIQ, 8/19/2014
Comment11 comments  |  Read  |  Post a Comment
Cloud Apps & Security: When Sharing Matters
Krishna Narayanaswamy, Founder & Chief Scientist, NetskopeCommentary
Sharing documents and data is happening all over the cloud today but not all sharing activity carries equal risk.
By Krishna Narayanaswamy Founder & Chief Scientist, Netskope, 8/18/2014
Comment5 comments  |  Read  |  Post a Comment
Infographic: 70 Percent of World's Critical Utilities Breached
Mark L. Cohn, Chief Technology Officer, Unisys Federal SystemsCommentary
New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months.
By Mark L. Cohn Chief Technology Officer, Unisys Federal Systems, 8/15/2014
Comment8 comments  |  Read  |  Post a Comment
Test Drive: GFI LanGuard 2014
John H. Sawyer, Contributing Writer, Dark ReadingCommentary
LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.
By John H. Sawyer Contributing Writer, Dark Reading, 8/15/2014
Comment1 Comment  |  Read  |  Post a Comment
Why Patching Makes My Heart Bleed
John Rostern, CRISC, QSA, VP Technology Audit & Advisory Services, CoalfireCommentary
Heartbleed was a simple mistake that was allowed to propagate through "business as usual" patching cycles and change management. It could easily happen again.
By John Rostern CRISC, QSA, VP Technology Audit & Advisory Services, Coalfire, 8/14/2014
Comment2 comments  |  Read  |  Post a Comment
Internet Of Things Security Reaches Tipping Point
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Public safety issues bubble to the top in security flaw revelations.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 8/13/2014
Comment11 comments  |  Read  |  Post a Comment
Security Holes Exposed In Trend Micro, Websense, Open Source DLP
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 8/12/2014
Comment4 comments  |  Read  |  Post a Comment
CloudBot: A Free, Malwareless Alternative To Traditional Botnets
Sara Peters, Senior Editor at Dark ReadingNews
Researchers take advantage of cloud service providers' free trials and lousy anti-automation controls to use cloud instances like bots.
By Sara Peters Senior Editor at Dark Reading, 8/11/2014
Comment1 Comment  |  Read  |  Post a Comment
Closing The Skills Gap Between Hackers & Defenders: 4 Steps
W. Hord Tipton, Commentary
Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.
By W. Hord Tipton , 8/11/2014
Comment17 comments  |  Read  |  Post a Comment
Facebook Malware: Protect Your Profile
Kristin Burnham, Senior Editor, InformationWeek.comCommentary
Malicious "Color Change" app has resurfaced on Facebook, compromising thousands of profiles. Here's what to do if you're infected.
By Kristin Burnham Senior Editor, InformationWeek.com, 8/8/2014
Comment12 comments  |  Read  |  Post a Comment
The Hyperconnected World Has Arrived
Michael Sutton, VP Security Research, ZscalerCommentary
Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge.
By Michael Sutton VP Security Research, Zscaler, 8/8/2014
Comment6 comments  |  Read  |  Post a Comment
Heartbleed, GotoFail Bring Home Pwnie Awards
Sara Peters, Senior Editor at Dark ReadingQuick Hits
The Pwnie Awards celebrate the best bug discoveries and worst security fails.
By Sara Peters Senior Editor at Dark Reading, 8/7/2014
Comment5 comments  |  Read  |  Post a Comment
Dan Geer Touts Liability Policies For Software Vulnerabilities
Sara Peters, Senior Editor at Dark ReadingNews
Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.
By Sara Peters Senior Editor at Dark Reading, 8/6/2014
Comment6 comments  |  Read  |  Post a Comment
The Illegitimate Milliner’s Guide to Black Hat
Tal Klein, VP Strategy, AdallomCommentary
A less-than-honest "Abe" goes undercover to get a behind-the-scenes look at Black Hat and its infamous attendees.
By Tal Klein VP Strategy, Adallom, 8/6/2014
Comment9 comments  |  Read  |  Post a Comment
5 Steps To Supply Chain Security
Robert Lemos, Technology JournalistNews
The integrity of enterprise data is only as strong as your most vulnerable third-party supplier or business partner. It's time to shore up these connection points.
By Robert Lemos Technology Journalist, 8/6/2014
Comment5 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Security Insights
3 Places to Enable 2-Factor Authentication Now
3 Places to Enable 2-Factor Authentication Now
Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.
Comment1 comments
Read | Post a Comment
More Sophos Security Insights
PR Newswire
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.