News & Commentary

Content posted in July 2008
Page 1 / 4
Most Security Breaches Go Unreported
News | 7/31/2008
An RSA survey found that the e-mail-borne malware and phishing that affected 69% of respondents' companies may not have led to serious consequences in every instance.
Credit Card Compliance And Security: New PCI Information Resource Worth A Visit
Commentary | 7/31/2008
How much do you know about your business's compliance and security responsibilities for credit card data and other information involved in the transactions that your bank executes for you? Think compliance is completely the responsibility of the financial institution? Think again.
IBM Bulks Up Data Protection
News | 7/31/2008
Vendor aims its Tivoli Storage Manager at Windows-based CDP
Startup Promises More Accurate Fraud Detection
News | 7/31/2008
Guardian Analytics's new 'fraud modeling' technology recognizes activity that goes outside the user norm
Survey Highlights Telecommuter Troubles
Quick Hits | 7/31/2008
Telecommuting security and privacy risks are often put on the back burner, according to a new survey by Ernst & Young
Cisco Won't Buy EMC, Will It?
Commentary | 7/30/2008
Analyst Kaushik Roy with Choi and Pacific Growth Equities really stoked the fire of a longstanding rumor (repeat rumor) that Cisco would just love to buy storage king EMC. And while this won't happen, there are kernels of truth in there.
Radware Reveals Critical Vulnerability In Firefox 3
Commentary | 7/30/2008
Well, not exactly "critical." But there is a flaw. And there is no patch. And so Radware demonstrates how many security vendors push their gear by spreading fear, uncertainty, and doubt on the user community.
Phishing Kits Widely Compromised To Steal From Phishers
News | 7/30/2008
From 21 different distribution sites, the authors of the Usenix Conference paper identified 379 distinct phishing kits, 129 of which contained back doors.
The Reality Of Private Clouds
Commentary | 7/30/2008
In his blog "Clouds Are Only in the Sky" yesterday, Richard Martin suggested that a cloud must be on the public Internet for it to truly be a cloud and that if something resembling a cloud is used internally then it must be utility computing. He makes a very good point; however, I respectfully disagree.
Websense Warns: Legit Sites Top Hack Targets
Commentary | 7/30/2008
Another midyear security overview is out now, this one from Websense, and if the year-to-date is looking bad, the six months to come are looking worse.
The Real Dirt on Whitelisting
News | 7/30/2008
The choice between blacklisting and whitelisting isn't really black and white
Cyber Security for the 44th Presidency Group to Come Out of the Shadows at Black Hat
Quick Hits | 7/30/2008
A presidential 'playbook' for cyberwar is among the issues under discussion by the group
Chinese Authorities Order Olympic Hotels To Install Spy Gear
News | 7/29/2008
Kansas Sen. Sam Brownback claims foreign-owned hotels have been asked to install Internet monitoring equipment to spy on hotel guests during the Beijing Games.
Oracle WebLogic Servers Vulnerable To Attacks
Commentary | 7/29/2008
When it comes to security vulnerabilities, this flaw is as ugly as it gets -- but, in this case, it's not entirely because of anything Oracle did wrong.
Oracle Issues Alert For WebLogic Plugin Vulnerability
News | 7/29/2008
The exploit code was released July 17, two days after Oracle issued its second-quarter Critical Patch Update.
Most Malicious Code Launched From Legitimate Web Sites
News | 7/29/2008
The proliferation of user-generated content on popular Web 2.0 sites has opened the door for hackers to plant malware, says a Websense report.
IBM Midyear Security Report: A Bad Year That's Getting Worse
Commentary | 7/29/2008
Time flies when you're having fun, and flies even faster when the bad guys are having their "fun." Already more than halfway through 2008, a new security report lets us know in detail just how insecure a year it is.
Hacking Without Exploits
News | 7/29/2008
Black Hat researchers will demonstrate how the bad guys are quietly raking in big bucks without ninja hacking skills, tools, or exploit code
Report: From Bug Disclosure to Exploit in 24 Hours
Quick Hits | 7/29/2008
New IBM ISS report shows the fast and furious nature of Web browser vulnerability finds and attacks
Apple And Security: Long Road Still Ahead
Commentary | 7/29/2008
Apple's trying to pick up its game with iPhone security, recently listing an iPhone Security Engineer position. Assuming the job is really about helping users -- and not just thwarting pesky unlockers -- it's a good move, but some corporate inertia might need to be overcome before security is a true priority. Just take a look at the official iPhone Enterprise Deployment tools.
Modeling IT Attacks
Commentary | 7/28/2008
Every day IT managers have to contend with an ever-changing risk environment. That's where good risk modeling can help.
Password Security: With Prosecutors Like This, Who Needs Rogue Administrators?
Commentary | 7/28/2008
So the San Francisco District Attorney, building a case against the rogue administrator who shut down city network access, decided to include actual passwords as evidence. Bonehead decisions may not get much more boneheaded than this.
Beating Up Storage Vendors
Commentary | 7/28/2008
An analyst firm recently published a report suggesting that the No. 1 priority in reducing IT costs was to beat up your storage vendor for lower costs. I would like to give a dissenting opinion.
Botnets Behind One Fourth of Click Fraud
Quick Hits | 7/28/2008
Click Fraud Index reports the biggest surge of botnet-generated pay-per-click fraud to date in the second quarter
New Video Surveillance Technology 'Recognizes' Abnormal Activity
News | 7/28/2008
BRS software can establish 'normal' on-camera activity - and alert security staff when something unusual occurs
When Penetration Testers (Almost) Get Caught
News | 7/25/2008
Sometimes employees really do learn their physical security lessons
Vibrations Part II
Commentary | 7/25/2008
In my last entry we opened up a can of worms around drive vibration, discussing what it is and how it occurs. Vibration exists, but why should you, the IT professional, care? This stuff is all on RAID 5, right? Why do you care if a drive fails?
DNS Woes: How Worried Should You Be? Pretty Dang Worried!
Commentary | 7/25/2008
Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.
Ad Agency Keeps the Word From Spreading
News | 7/25/2008
Access control technology helps Arnold Worldwide protect client data and meet compliance requirements
Small & Mid-Sized Enterprises Living in La-La Land, Study Says
Quick Hits | 7/25/2008
Many smaller firms kid themselves that they're too little to be targets, McAfee study says
Disclosure Isn't Working
Commentary | 7/24/2008
After a decade of writing about IT security, I don't know how anyone would think this current system of disclose and patch is working. It's not.
Are Lock-Picking Demos On YouTube A Bad Idea?
Commentary | 7/24/2008
Amateur lock hackers who share their techniques may be improving security -- or endangering your life and property.
'Spam King' Escapes From Prison
News | 7/24/2008
Eddie Davidson remains at large after walking away from the Colorado prison where he was serving time for his role in spam scams.
San Francisco Computer Tech Set Booby Trap In City Network
News | 7/24/2008
Prosecutors say Childs set the network to delete numerous files during a scheduled maintenance of the system.
DNS Flaw Attacks Coming: Patch Now!!!
Commentary | 7/24/2008
The first attackware strategies based on the widespread DNS flaw announced earlier this month have been spotted. If you haven't patched yet, do it now, before it's too late. (Some say it's already too late.)
Report: Website Infection Rate Has Tripled Since 2007
Quick Hits | 7/24/2008
Malicious Web pages now exceed 16,000 per day, Sophos says
Details, Exploits of Web-Wide DNS Vulnerability Revealed
News | 7/24/2008
Kaminsky outlines flaw, says 'we're in serious trouble'; exploit code posted on Metasploit
DNS Poisoning Vulnerability: If You Haven't Yet Patched, It May Be Too Late
Commentary | 7/23/2008
If you've ignored the urge to patch Dan Kaminsky's DNS cache poisoning flaw, you could be on the verge of big trouble: Exploit code has just been published in a popular penetration testing tool.
Apple's iPhone Mail, Safari Apps Vulnerable To Attack
News | 7/23/2008
Apple's iPhone Mail and Safari apps under the iPhone 1.1.4 and 2.0 firmware are vulnerable to URL spoofing, a security researcher said Wednesday.
McAfee Says Small, Midsize Business Sweats Security Too Little. You Agree?
Commentary | 7/23/2008
A new survey from security firm McAfee warns that small and midsize businesses don't consider themselves to be targets for cybercrime. Do its findings match your feelings? Let's hope not.
Good, Good, Good…Good Vibrations
Commentary | 7/23/2008
It's summertime, time for a little Beach Boys? No, Good Vibrations is the beginning of a series of entries that I will be posting on increasing physical hard drive unit life. In recent briefings, manufacturers like Copan Systems and Xiotech have been raising the issue of the impact of drive vibration. While I was aware of drive vibration, it is not discussed much, so I decided to take a deeper dive.
Most Bank Sites Are Insecure
News | 7/23/2008
Security risks caused by basic flaws in Web site design are widespread, according to computer scientists.
S.F. Computer Tech Gives Up Password To City Network
News | 7/23/2008
Terry Childs has been charged with four felony computer-tampering counts for allegedly locking out system administrators and supervisors from the city's servers.
Red Alert! DNS Flaw Revealed
News | 7/23/2008
Security researchers warn users to patch immediately, as technical details to exploit a widespread DNS vulnerability were disclosed online.
Researchers Raise Alarm Over New Iteration of Coreflood Botnet
News | 7/23/2008
Password-stealing Trojan is spreading like a worm - and targeted directly at the enterprise