Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Opinion

posted in October 2018
Page 1 / 2   >   >>
How the Power of Quantum Can Be Used Against Us
Commentary  |  10/31/2018  | 
There has been a palpable shift from volumetric attacks to "quantum attacks," and they look to be one of the biggest cybersecurity challenges on the rise today.
Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk
Commentary  |  10/31/2018  | 
Halloween movies are the perfect metaphor for breaking down today's scariest supplier breach tropes.
Google's reCAPTCHA Version 3 Offers Better Bot-Fighting Capabilities
Larry Loeb  |  10/31/2018  | 
Google is rolling out the third version of reCAPTCHA software, which the company claims can better fight spam and bots with less user input.
The Case for MarDevSecOps
Commentary  |  10/30/2018  | 
Why security must lead the integration of marketing into the collaborative security and development model in the cloud.
10 Steps for Creating Strong Customer Authentication
Commentary  |  10/30/2018  | 
Between usability goals and security/regulatory pressures, setting up customer-facing security is difficult. These steps and best practices can help.
Kaspersky: Most CISOs Say Cyber Attacks Are Inevitable
Jeffrey Burt  |  10/30/2018  | 
The Kaspersky Lab report says that while the relationship between executives and CISOs is improving, there continues to be a disconnect around such issues as budgets and the risk of threats.
AppSec Is Dead, but Software Security Is Alive & Well
Commentary  |  10/29/2018  | 
Application security must be re-envisioned to support software security. It's time to shake up your processes.
DemonBot Botnet Takes Advantage of Hadoop Flaw to Create DDoS Attacks
Larry Loeb  |  10/29/2018  | 
Radware has found a new botnet called DemonBot that is taking advantage of a flaw in Hadoop servers to create large-scale DDoS attacks.
3 Keys to Reducing the Threat of Ransomware
Commentary  |  10/26/2018  | 
Following these steps could mean the difference between an inconvenience and a multimillion-dollar IT system rebuild -- for the public and private sectors alike.
IoT Device Adoption Hampered by Consumer's Security Concerns
Larry Loeb  |  10/26/2018  | 
For companies looking to jump on the IoT bandwagon, the adoption of these devices is being slowed by consumers' concerns over safety and security, a new report finds.
Securing Serverless: Attacking an AWS Account via a Lambda Function
Commentary  |  10/25/2018  | 
Its not every day that someone lets you freely wreak havoc on their account just to find out what happens when you do.
Securing Severless: Defend or Attack?
Commentary  |  10/25/2018  | 
The best way to protect your cloud infrastructure is to pay attention to the fundamentals of application security, identity access management roles, and follow configuration best-practices.
Managed Security Service Providers: Good Idea, but What's the Catch?
Alan Zeichick  |  10/25/2018  | 
Managed security service providers are a good idea for businesses struggling with creating their own InfoSec division. However, there are some drawbacks to consider.
Tackling Supply Chain Threats
Commentary  |  10/24/2018  | 
Vendor-supplied malware is a threat that has been largely overlooked. That has to change.
Benefits of DNS Service Locality
Commentary  |  10/24/2018  | 
Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect applications, services, and users from potential risks.
iPhones Increasingly Vulnerable to Coinhive Cryptomining Malware
Jeffrey Burt  |  10/24/2018  | 
In their most recent Global Threat Index, Check Point researchers found a 400% increase in Coinhive attacks against iPhones by bad actors using the popular cryptomining malware.
Industrial Systems Suffer From Poor Patching, Bad Password Practices Study
Larry Loeb  |  10/24/2018  | 
Industrial control systems are riddled with outdated software that is in need of patching, while passwords are stored in plain text and endpoints are left open to attack, according to a report from CyberX.
The Browser Is the New Endpoint
Commentary  |  10/23/2018  | 
Given the role browsers play in accessing enterprise applications and information, it's time to rethink how we classify, manage, and secure them.
Good Times in Security Come When You Least Expect Them
Commentary  |  10/23/2018  | 
Not every cybersecurity endeavor can have a huge impact. But a small percentage of your efforts can still produce results that blow you away.
Understanding SOCs' 4 Top Deficiencies
Commentary  |  10/22/2018  | 
In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.
Unpatched MikroTik Routers Vulnerable to Cryptomining Malware
Larry Loeb  |  10/22/2018  | 
An alert from Avast Threat Labs finds that a vast majority of MikroTik routers don't have the last firmware update to block a cryptomining campaign.
Risky Business: Dark Reading Caption Contest Winners
Commentary  |  10/19/2018  | 
Phishing, anti-shoulder surfing, Russia and other hysterical identity management puns and comments. And the winners are ...
MIT Researchers Have a DAWG in the Fight Against Spectre & Meltdown
Larry Loeb  |  10/19/2018  | 
In the fight against Spectre and Metldown vulnerabilities, MIT is pitting its DAWG solution against Intel's CAT.
McAfee: Seasalt Malware Raises Its Head Again
Jeffrey Burt  |  10/19/2018  | 
Code from the Seasalt malware that was last seen in 2010 has been found in new campaigns in North Korea and North America, according to McAfee.
Audits: The Missing Layer in Cybersecurity
Commentary  |  10/18/2018  | 
Involving the audit team ensures that technology solutions are not just sitting on the shelf or being underutilized to strategically address security risks.
Getting Up to Speed with "Always-On SSL"
Commentary  |  10/18/2018  | 
Websites can avoid the negative consequences of a "not secure" label from Google Chrome 68 by following four AOSSL best practices.
Your People Can't Secure Your Network? Try Tier 0 Automation
Alan Zeichick  |  10/18/2018  | 
Keeping up with modern security requirements requires a multi-prong approach. One way to ensure that threats are being met is to ignore the false alerts. This is where Tier 0 automation comes in.
Cybercrime-as-a-Service: No End in Sight
Commentary  |  10/17/2018  | 
Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.
The Three Dimensions of the Threat Intelligence Scale Problem
Commentary  |  10/17/2018  | 
To succeed, organizations must be empowered to reduce their attack surface and staff overload so they can get more out of their existing firewall and threat intelligence investments.
Why Killing Off TLS 1.0 & 1.1 Is a Good Thing
Larry Loeb  |  10/17/2018  | 
All good things must come to an end. Apple, Microsoft, Mozilla and Google have decided that's the case for the 1.0 and 1.1 versions of TLS.
A Cybersecurity Weak Link: Linux and IoT
Commentary  |  10/16/2018  | 
Linux powers many of the IoT devices on which we've come to rely -- something that enterprises must address.
Spies Among Us: Tracking, IoT & the Truly Inside Threat
Commentary  |  10/16/2018  | 
In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.
4 Ways to Fight the Email Security Threat
Commentary  |  10/15/2018  | 
It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.
Living With Compromised Technology Supply Chains in a Post-Supermicro World
Joe Stanganelli  |  10/15/2018  | 
In the wake of Bloomberg's jarring expos on tainted motherboards from mega-manufacturer Supermicro, practical questions remain for enterprise organizations on how they can cope with the scary prospect of compromised hardware.
Gallmaker Attackers Living Off the Land, Symantec Finds
Jeffrey Burt  |  10/15/2018  | 
Gallmaker, a new state-sponsored threat group, eschews custom malware for legitimate hacking tools and techniques to run under the radar while attacking government and military organizations in eastern Europe and the Middle East, according to recent research from Symantec.
Threat Hunters & Security Analysts: A Dynamic Duo
Commentary  |  10/12/2018  | 
Fighting spying with spying, threat hunters bring the proactive mindset of network reconnaissance and repair to the enterprise security team.
Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown
Larry Loeb  |  10/12/2018  | 
While talking up its 9th Gen processors this week, Intel offer some subtle hints about plans to protect its CPUs against the Spectre and Meltdown vulnerabilities that have plague x86 processors.
DHS Raps Juniper Over the Knuckles for 40 Junos OS Vulnerabilities
Larry Loeb  |  10/12/2018  | 
The Department of Homeland Security felt it necessary to take Juniper Networks to the woodshed for 40 vulnerabilities, many critical, that affected the company's Junos OS.
Not All Multifactor Authentication Is Created Equal
Commentary  |  10/11/2018  | 
Users should be aware of the strengths and weaknesses of the various MFA methods.
The Better Way: Threat Analysis & IIoT Security
Commentary  |  10/11/2018  | 
Threat analysis offers a more nuanced and multidimensional approach than go/no-go patching in the Industrial Internet of Things. But first, vendors must agree on how they report and address vulnerabilities.
Security Researchers Struggle with Bot Management Programs
Commentary  |  10/10/2018  | 
Bots are a known problem, but researchers will tell you that bot defenses create problems of their own when it comes to valuable data.
Gemalto: 4.5B Records Breached in First Half of 2018
Larry Loeb  |  10/10/2018  | 
Gemalto's Breach Level Index showed a staggering 133% increase in data breaches between the first half of 2017 and the first six months of this year. However, most of this malicious activity is attributable to two incidents one involving Facebook.
Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch
Commentary  |  10/9/2018  | 
By ensuring that each layer of protection scours an application for unintended uses, you can find the flaws before the bad guys do.
New Domains: A Wide-Open Playing Field for Cybercrime
Commentary  |  10/9/2018  | 
As bad actors increasingly exploit new domains for financial gain and other nefarious purposes, security teams need to employ policies and practices to neutralize the threat in real time. Here's why and how.
Rotten Fruit: 4 Insider Threats to Watch Out For
Alan Zeichick  |  10/8/2018  | 
When it comes to insider threats, it's best not to trust anyone. However, different employees pose different types of threats to the network. Here are the four types of 'rotten fruit' to look out for in your business.
DanaBot Banking Trojan Is Now Finding Its Way to the US
Jeffrey Burt  |  10/8/2018  | 
The DanaBot Trojan first targeting organizations in Australia earlier this year has expanded into Europe and now is aiming at US, according to Proofpoint.
Who Do You Trust? Parsing the Issues of Privacy, Transparency & Control
Commentary  |  10/5/2018  | 
Technology such as Apple's device trust score that decides "you" is not you is a good thing. But only if it works well.
US Voting Machines Riddled With Vulnerabilities & Security Flaws
Larry Loeb  |  10/5/2018  | 
The highly anticipated report form the DEF CON Voting Machine Hacking Village finds that any number of voting machines used in US elections are vulnerable to any number of attacks or hacks.
GDPR Report Card: Some Early Gains but More Work Ahead
Commentary  |  10/4/2018  | 
US companies paid the most, to date, to meet the EU's General Data Protection Regulation, according to a recent study, but UK companies made greater progress in achieving compliance goals.
Putting Security on Par with DevOps
Commentary  |  10/3/2018  | 
Inside the cloud, innovation and automation shouldn't take a toll on protection.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...