Vulnerabilities / Threats // Vulnerability Management
News & Commentary
Context: Finding The Story Inside Your Security Operations Program
Joshua Goldfarb, VP & CTO - Americas, FireEye.Commentary
What’s missing in today’s chaotic, alert-driven incident response queue is the idea of a narrative that provides a detailed understanding of how an attack actually unfolds.
By Joshua Goldfarb VP & CTO - Americas, FireEye., 3/23/2015
Comment6 comments  |  Read  |  Post a Comment
Dark Reading Threat Intelligence Survey
InformationWeek Staff,
Threat intelligence is the best way to stay ahead of new and complex attacks, say survey respondents. How analytics influences their IT security strategies varies.
By InformationWeek Staff , 3/20/2015
Comment0 comments  |  Read  |  Post a Comment
Risky Business: Why Monitoring Vulnerability Data Is Never Enough
Bill Ledingham, CTO & Executive VP of Engineering, Black Duck SoftwareCommentary
Keeping tabs on open source code used in your organization’s applications and infrastructure is daunting, especially if you are relying solely on manual methods.
By Bill Ledingham CTO & Executive VP of Engineering, Black Duck Software, 3/19/2015
Comment4 comments  |  Read  |  Post a Comment
7 In 10 Businesses Struggle To Sustain PCI Compliance
Jai Vijayan, Freelance writerNews
Maintaining PCI compliance is a bigger challenge that achieving it for many companies, Verizon study finds.
By Jai Vijayan Freelance writer, 3/12/2015
Comment1 Comment  |  Read  |  Post a Comment
Lack of WordPress User Education Affecting Security Posture
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Survey shows many users lack knowledge to effectively protect their sites.
By Ericka Chickowski Contributing Writer, Dark Reading, 3/10/2015
Comment7 comments  |  Read  |  Post a Comment
OpenSSL To Undergo Major Audit
Sara Peters, Senior Editor at Dark ReadingNews
The Linux Foundation's Core Infrastructure Initiative funding work to take a closer look at the TLS stack.
By Sara Peters Senior Editor at Dark Reading, 3/9/2015
Comment2 comments  |  Read  |  Post a Comment
How To Reduce Spam & Phishing With DMARC
Daniel Ingevaldson, CTO, Easy SolutionsCommentary
Providers of more than 3 billion email boxes have taken up a new Internet protocol to help put trust back into electronic messaging.
By Daniel Ingevaldson CTO, Easy Solutions, 2/26/2015
Comment7 comments  |  Read  |  Post a Comment
Lenovo Superfish Adware Excuses Are Lame
Thomas Claburn, Editor at Large, Enterprise MobilityCommentary
Lenovo is downplaying the installation of Superfish adware on its notebook PCs. Here's why we think business and consumer users deserve better.
By Thomas Claburn Editor at Large, Enterprise Mobility, 2/19/2015
Comment11 comments  |  Read  |  Post a Comment
A Winning Strategy: Must Patch, Should Patch, Can't Patch
Jeff Schilling, CSO, FirehostCommentary
The best way to have a significant impact on your company's security posture is to develop an organized effort for patching vulnerabilities.
By Jeff Schilling CSO, Firehost, 2/11/2015
Comment2 comments  |  Read  |  Post a Comment
3 Disturbing New Trends in Vulnerability Disclosure
Sara Peters, Senior Editor at Dark ReadingNews
Who's winning and who's losing the battle of the bugs? While security pros and software companies fight amongst themselves, it looks like black hats are winning and users are losing.
By Sara Peters Senior Editor at Dark Reading, 2/3/2015
Comment7 comments  |  Read  |  Post a Comment
Browsers Are The Window To Enterprise Infection
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Ponemon report says infections dominated by browser-based exploits.
By Ericka Chickowski Contributing Writer, Dark Reading, 2/2/2015
Comment9 comments  |  Read  |  Post a Comment
Video: Super Bowl WiFi Coaches, Leaky Apps & Binge Watching
Andrew Conry Murray, Director of Content & Community, InteropCommentary
This Week In 60 Seconds checks out WiFi troubleshooters at the Super Bowl, a leaky NFL app, and whether binge watching is a sign of depression.
By Andrew Conry Murray Director of Content & Community, Interop, 1/30/2015
Comment1 Comment  |  Read  |  Post a Comment
NFL Mobile Sports App Contains Super Bowl-Sized Vulns
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.
By Ericka Chickowski Contributing Writer, Dark Reading, 1/27/2015
Comment10 comments  |  Read  |  Post a Comment
Adobe Fixes Second Flash Flaw Exploited By Angler
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Second 0-day fix addresses UAF vulnerability.
By Ericka Chickowski Contributing Writer, Dark Reading, 1/26/2015
Comment1 Comment  |  Read  |  Post a Comment
Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
Researcher Kafeine's 0day discovery confirmed by Malwarebytes.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/21/2015
Comment2 comments  |  Read  |  Post a Comment
The Truth About Malvertising
Peter Zavlaris, Analyst, RiskIQCommentary
Malvertising accounts for huge amounts of cyberfraud and identity theft. Yet there is still no consensus on who is responsible for addressing these threats.
By Peter Zavlaris Analyst, RiskIQ, 1/16/2015
Comment7 comments  |  Read  |  Post a Comment
4 Mega-Vulnerabilities Hiding in Plain Sight
Giora Engel, VP Product & Strategy, LightCyberCommentary
How four recently discovered, high-impact vulnerabilities provided “god mode” access to 90% of the Internet for 15 years, and what that means for the future.
By Giora Engel VP Product & Strategy, LightCyber, 1/14/2015
Comment1 Comment  |  Read  |  Post a Comment
2015: The Year Of The Security Startup – Or Letdown
Tim Wilson, Editor in Chief, Dark ReadingCommentary
While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.
By Tim Wilson Editor in Chief, Dark Reading, 1/13/2015
Comment5 comments  |  Read  |  Post a Comment
Microsoft Protests Bug Disclosure By Google
Thomas Claburn, Editor at Large, Enterprise MobilityNews
After Google discloses Win 8.1 vulnerability two days prior to planned patch, Microsoft argues in favor of vulnerability publication schedules.
By Thomas Claburn Editor at Large, Enterprise Mobility, 1/12/2015
Comment14 comments  |  Read  |  Post a Comment
Banking Trojans Disguised As ICS/SCADA Software Infecting Plants
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Researcher spots spike in traditional financial malware hitting ICS/SCADA networks -- posing as popular GE, Siemens, and Advantech HMI products.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/8/2015
Comment4 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.