Vulnerabilities / Threats
News & Commentary
Satellite Communications Wide Open To Hackers
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014
Comment2 comments  |  Read  |  Post a Comment
11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue
Mathew J. Schwartz, News
Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.
By Mathew J. Schwartz , 4/17/2014
Comment1 Comment  |  Read  |  Post a Comment
How A Little Obscurity Can Bolster Security
Corey Nachreiner, Director, Security Strategy & Research, WatchGuard TechnologiesCommentary
Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?
By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014
Comment14 comments  |  Read  |  Post a Comment
Did A Faulty Memory Feature Lead To Heartbleed?
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
Debate arises over an older memory allocation feature in OpenSSL, and the OpenBSD community starts to tear down and revise the crypto software for its own use.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/16/2014
Comment4 comments  |  Read  |  Post a Comment
Smartphone Kill Switches Coming, But Critics Cry Foul
Thomas Claburn, Editor-at-LargeCommentary
Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.
By Thomas Claburn Editor-at-Large, 4/16/2014
Comment18 comments  |  Read  |  Post a Comment
Mobility: Who Bears The Brunt Of Data Security & Privacy
Grayson Milbourne, Director, Security Intelligence, WebrootCommentary
OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.
By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014
Comment3 comments  |  Read  |  Post a Comment
White House Details Zero-Day Bug Policy
Mathew J. Schwartz, News
NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.
By Mathew J. Schwartz , 4/15/2014
Comment3 comments  |  Read  |  Post a Comment
'Baby Teeth' In Infrastructure Cyber Security Framework
Dave Frymier, Chief Information Security Officer, UnisysCommentary
NIST’s modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath.
By Dave Frymier Chief Information Security Officer, Unisys, 4/14/2014
Comment6 comments  |  Read  |  Post a Comment
Free Heartbleed-Checker Released for Firefox Browser
Kelly Jackson Higgins, Senior Editor, Dark ReadingQuick Hits
Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/11/2014
Comment4 comments  |  Read  |  Post a Comment
Heartbleed Will Go On Even After The Updates
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
What's next now that the mindset is 'assume the worst has already occurred?'
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014
Comment7 comments  |  Read  |  Post a Comment
Heartbleed: Making The Case For SDN
Lori MacVittie, Commentary
Software-defined networking technology could help protect against vulnerabilities like Heartbleed. It's time to develop a more mature SDN option.
By Lori MacVittie , 4/10/2014
Comment3 comments  |  Read  |  Post a Comment
Flash Poll: Broken Heartbeat
Marilyn Cohodas, Community Editor, Dark ReadingCommentary
What steps do you plan to take in response to the Heartbleed bug? Take our poll and share your reasons in the comments.
By Marilyn Cohodas Community Editor, Dark Reading, 4/10/2014
Comment0 comments  |  Read  |  Post a Comment
Heartbleed: Examining The Impact
Tim Sapio, Security Analyst, Bishop FoxCommentary
With Heartbleed, there’s little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here’s how to defend against future attacks.
By Tim Sapio Security Analyst, Bishop Fox, 4/10/2014
Comment5 comments  |  Read  |  Post a Comment
CIO Vs. CSO: Allies Or Enemies?
Eric Cole, Founder & Chief Scientist, Secure Anchor ConsultingCommentary
In the wake of the Target breach it's clear that the CIO and CSO must have clear boundaries of responsibility and equal representation in the board room.
By Eric Cole Founder & Chief Scientist, Secure Anchor Consulting, 4/10/2014
Comment10 comments  |  Read  |  Post a Comment
More Than A Half-Million Servers Exposed To Heartbleed Flaw
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
What the newly exposed SSL/TLS threat really means for enterprises and end-users.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/9/2014
Comment15 comments  |  Read  |  Post a Comment
Paul Allen Invests In Online Voting Firm
Elena Malykhina, Technology JournalistCommentary
E-voting firm Scytl receives $40 million from Paul Allen's Vulcan Capital to continue election modernization efforts. Defense Department among its customers.
By Elena Malykhina Technology Journalist, 4/9/2014
Comment5 comments  |  Read  |  Post a Comment
What’s Worse: Credit Card Or Identity Theft?
Kerstyn Clover, Attack & Defense Team ConsultantCommentary
When it comes to data loss, it’s time for the conversation to shift from credit cards to personal information like Social Security numbers, home addresses, and your favorite flavor of ice cream.
By Kerstyn Clover Attack & Defense Team Consultant, 4/9/2014
Comment17 comments  |  Read  |  Post a Comment
Emergency SSL/TLS Patching Under Way
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
A "Heartbleed" flaw revealed in the OpenSSL library leaks the contents of memory, including passwords, source code, and keys.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/8/2014
Comment17 comments  |  Read  |  Post a Comment
One Year Later: The APT1 Report
Nick Selby, CEO, StreetCred Software, IncCommentary
One of the most positive impacts of APT1 is the undeniable rise in the stature of the threat intelligence industry. "Threat Intelligence" is the SIEM, the NAC of 2014.
By Nick Selby CEO, StreetCred Software, Inc, 4/8/2014
Comment2 comments  |  Read  |  Post a Comment
Social Engineering Grows Up
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/7/2014
Comment9 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Security Insights
70% Rise In Malware: Time To Block Facebook?
70% Rise In Malware: Time To Block Facebook?
New research published by Sophos today reveals a 70 percent increase in the number of companies reporting spam and malware attacks via social networks.
Comment0 comments
Read | Post a Comment
More Sophos Security Insights
PR Newswire
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web