Vulnerabilities / Threats // Vulnerability Management
News & Commentary
Scan Shows Possible Heartbleed Fix Failures
Kelly Jackson Higgins, Senior Editor, Dark ReadingQuick Hits
Study indicates many Global 2000 firms patched, but failed to replace digital certificates.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 7/29/2014
Comment1 Comment  |  Read  |  Post a Comment
A New Age in Cyber Security: Public Cyberhealth
Brian Foster, CTO, DamballaCommentary
The cleanup aimed at disrupting GameOver Zeus and CryptoLocker offers an instructive template for managing mass cyber infections.
By Brian Foster CTO, Damballa, 7/17/2014
Comment5 comments  |  Read  |  Post a Comment
Government Security: Saying 'No' Doesn't Work
Steve Jones, Group Strategy Director, Big Data & Analytics, CapgeminiCommentary
It's time for government agencies to move beyond draconian security rules and adopt anomaly analytics.
By Steve Jones Group Strategy Director, Big Data & Analytics, Capgemini, 7/14/2014
Comment0 comments  |  Read  |  Post a Comment
In Fog Of Cyberwar, US Tech Is Caught In Crossfire
Julian Waits, President & CEO, ThreatTrack SecurityCommentary
Distrust of the US intelligence community is eroding consumer confidence and hampering US technology firms on the global stage at a time when the sector should be showing unprecedented growth.
By Julian Waits President & CEO, ThreatTrack Security, 7/9/2014
Comment6 comments  |  Read  |  Post a Comment
Retro Macro Viruses: They're Baaack
Kevin Casey, Commentary
Malicious Virtual Basic for Applications (VBA) macros are back, this time using social engineering to trick users into opening infected attachments, says Sophos.
By Kevin Casey , 7/9/2014
Comment2 comments  |  Read  |  Post a Comment
Black Hat USA 2014: Third-Party Vulns Spread Like Diseases
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Understanding the impact of vulnerabilities in libraries and other components
By Ericka Chickowski Contributing Writer, Dark Reading, 7/7/2014
Comment2 comments  |  Read  |  Post a Comment
Dell Focuses On Security
Michael Endler, Associate Editor, InformationWeek.comCommentary
Dell made a flurry of security-minded announcements this week, highlighted by improvements to its Dropbox for Business integration.
By Michael Endler Associate Editor, InformationWeek.com, 6/26/2014
Comment5 comments  |  Read  |  Post a Comment
Sensitive Data Protection Bedevils IT Security Pros
William Welsh, Contributing WriterCommentary
Most organizations don't know where their sensitive structured or unstructured data resides, says new Ponemon study.
By William Welsh Contributing Writer, 6/24/2014
Comment3 comments  |  Read  |  Post a Comment
Crowdsourcing & Cyber Security: Who Do You Trust?
Robert R. Ackerman Jr., Founder & Managing Director, Allegis CapitalCommentary
A collective security defense can definitely tip the balance in favor of the good guys. But challenges remain.
By Robert R. Ackerman Jr. Founder & Managing Director, Allegis Capital, 6/24/2014
Comment3 comments  |  Read  |  Post a Comment
P.F. Chang's Breach Went Undetected For Months
Lucas Zaichkowsky, Enterprise Defense Architect, AccessDataCommentary
Early reports indicate that the compromise involved a large number of restaurant locations and dates as far back as September 2013.
By Lucas Zaichkowsky Enterprise Defense Architect, AccessData, 6/23/2014
Comment4 comments  |  Read  |  Post a Comment
Cyber Attackers Target Small, Midsized Businesses
Henry Kenyon, Commentary
As large companies beef up security, attackers seek out weak links and use social tactics to hit smaller enterprises.
By Henry Kenyon , 6/18/2014
Comment1 Comment  |  Read  |  Post a Comment
IoT: Get Security Right The First Time
Patrick Oliver Graf, GM, Americas, NCP EngineeringCommentary
Let's start building security into the Internet of Things now, before everything becomes connected -- and hackable.
By Patrick Oliver Graf GM, Americas, NCP Engineering, 6/17/2014
Comment6 comments  |  Read  |  Post a Comment
NIST Security Guidance Revision: Prepare Now
Vincent Berk, Commentary
NIST 800-53 Revision 5 will likely put more emphasis on continuous monitoring. Don't wait until it arrives to close your security gaps.
By Vincent Berk , 6/16/2014
Comment4 comments  |  Read  |  Post a Comment
XSS Flaw In TweetDeck Leads To Spread Of Potential Exploits
Tim Wilson, Editor in Chief, Dark ReadingQuick Hits
Twitter unit fixes cross-site scripting problem, but not before many users spread vulnerable scripts with their tweets.
By Tim Wilson Editor in Chief, Dark Reading, 6/12/2014
Comment5 comments  |  Read  |  Post a Comment
Putter Panda: Tip Of The Iceberg
George Kurtz, President & CEO, CrowdStrikeCommentary
What CrowdStrike's outing of Putter Panda -- the second hacking group linked to China's spying on US defense and European satellite and aerospace industries -- means for the security industry.
By George Kurtz President & CEO, CrowdStrike, 6/10/2014
Comment3 comments  |  Read  |  Post a Comment
BYOD: Build A Policy That Works
Ericka Chickowski, Contributing Writer, Dark ReadingCommentary
To secure employee-owned smartphones and tablets, it takes a practical, enforceable set of guidelines.
By Ericka Chickowski Contributing Writer, Dark Reading, 6/9/2014
Comment1 Comment  |  Read  |  Post a Comment
Government Advances Continuous Security Monitoring
Henry Kenyon, Commentary
DOD, DHS expect smart technologies will defend networks against common attacks, free IT personnel to deal with more dangerous threats.
By Henry Kenyon , 6/6/2014
Comment3 comments  |  Read  |  Post a Comment
Microsoft: Ignore Unofficial XP Update Workaround
Sara Peters, News
A small change to the Windows XP Registry allows users to receive security updates for another five years. Yet the tweak could create other security and functionality issues for XP holdouts.
By Sara Peters , 5/28/2014
Comment8 comments  |  Read  |  Post a Comment
Dissecting Dendroid: An In-Depth Look Inside An Android RAT Kit
Felix Leder, Senior Malware Researcher, Blue Coat Systems NorwayCommentary
Dendroid is full of surprises to assist it in subverting traditional security tactics through company-issued Android phones or BYOD.
By Felix Leder Senior Malware Researcher, Blue Coat Systems Norway, 5/28/2014
Comment4 comments  |  Read  |  Post a Comment
New Vulnerability In IE8 Remains Unpatched
Tim Wilson, Editor in Chief, Dark ReadingQuick Hits
Security vulnerability in Microsoft's Internet Explorer 8 browser is disclosed by Zero-Day Initiative after software giant fails to patch during 180-day window
By Tim Wilson Editor in Chief, Dark Reading, 5/26/2014
Comment5 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio