Vulnerabilities / Threats // Vulnerability Management
News & Commentary
Satellite Communications Wide Open To Hackers
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014
Comment2 comments  |  Read  |  Post a Comment
11 Heartbleed Facts: Vulnerability Discovery, Mitigation Continue
Mathew J. Schwartz, News
Millions of websites, applications from Cisco and VMware, Google Play apps, as well as millions of Android devices are vulnerable -- and the list keeps growing.
By Mathew J. Schwartz , 4/17/2014
Comment0 comments  |  Read  |  Post a Comment
Smartphone Kill Switches Coming, But Critics Cry Foul
Thomas Claburn, Editor-at-LargeCommentary
Smartphone makers and carriers agree to add optional kill switches to smartphones, but law enforcement officials say the anti-theft effort doesn't go far enough.
By Thomas Claburn Editor-at-Large, 4/16/2014
Comment18 comments  |  Read  |  Post a Comment
White House Details Zero-Day Bug Policy
Mathew J. Schwartz, News
NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.
By Mathew J. Schwartz , 4/15/2014
Comment3 comments  |  Read  |  Post a Comment
Heartbleed Will Go On Even After The Updates
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
What's next now that the mindset is 'assume the worst has already occurred?'
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014
Comment6 comments  |  Read  |  Post a Comment
Heartbleed: Making The Case For SDN
Lori MacVittie, Commentary
Software-defined networking technology could help protect against vulnerabilities like Heartbleed. It's time to develop a more mature SDN option.
By Lori MacVittie , 4/10/2014
Comment3 comments  |  Read  |  Post a Comment
More Than A Half-Million Servers Exposed To Heartbleed Flaw
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
What the newly exposed SSL/TLS threat really means for enterprises and end-users.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/9/2014
Comment15 comments  |  Read  |  Post a Comment
Social Engineering Grows Up
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/7/2014
Comment9 comments  |  Read  |  Post a Comment
Nominum: 24 Million Home Routers Exposing ISPs to DDoS Attacks
Brian Prince, Contributing Writer, Dark ReadingNews
Even Internet service providers that go to great lengths to protect their networks are vulnerable.
By Brian Prince Contributing Writer, Dark Reading, 4/4/2014
Comment7 comments  |  Read  |  Post a Comment
API-First: 3 Steps For Building Secure Cloud Apps
Ravi Ithal, Chief Architect, NetskopeCommentary
When it comes to protecting data traveling to and from the cloud, today's choices are daunting. Here are three steps for making the application programming interface your new best friend.
By Ravi Ithal Chief Architect, Netskope, 4/3/2014
Comment4 comments  |  Read  |  Post a Comment
Bit Errors & the Internet of Things
Jaeson Schultz, Threat Research Engineer, Cisco TRAC TeamCommentary
Internet traffic, misdirected to malicious bitsquatted domains, has plagued computer security for years. The consequences will be even worse for the IoT.
By Jaeson Schultz Threat Research Engineer, Cisco TRAC Team, 3/31/2014
Comment7 comments  |  Read  |  Post a Comment
'Thingularity' Triggers Security Warnings
Mathew J. Schwartz, News
The Internet of Things is creating 50 billion Internet-connected devices. Who is going to keep them updated and secure?
By Mathew J. Schwartz , 3/28/2014
Comment0 comments  |  Read  |  Post a Comment
Flying Naked: Why Most Web Apps Leave You Defenseless
Jeff Williams, CTO, Contrast SecurityCommentary
Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
By Jeff Williams CTO, Contrast Security, 3/28/2014
Comment13 comments  |  Read  |  Post a Comment
A Cyber History Of The Ukraine Conflict
John Bumgarner, Chief Technology Officer for the U.S. Cyber Consequences UnitCommentary
The CTO for the US Cyber Consequences Unit offers a brief lesson in Russian geopolitics and related cyber flare-ups, and explains why we should be concerned.
By John Bumgarner Chief Technology Officer for the U.S. Cyber Consequences Unit, 3/27/2014
Comment5 comments  |  Read  |  Post a Comment
Facebook Builds Its Own Threat Modeling System
Kelly Jackson Higgins, Senior Editor, Dark ReadingQuick Hits
The tool helps the social network gather, store, analyze, and react to the latest threats against it.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 3/26/2014
Comment4 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web