Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Perimeter posted in January 2009
Are We In A Tech 'War' With Russia?
Commentary  |  1/29/2009  | 
I was reading the withering comments Vladimir Putin made to Michael Dell in response to Dell's offer to help Russia. Though Putin is Russia's prime minister, he clearly is also the guy who is running the country. Reading between the lines, I think it is likely he is driving a technology w
Hardware Vendor-Induced Vulnerabilities
Commentary  |  1/28/2009  | 
During a recent penetration test, a friend encountered some really strange findings that he asked me to review. Several of the desktops located in one of the departments had a process listening on an ephemeral, nonstandard TCP port. He provided his Nmap and Nessus findings, which both reported an Apache Web server was running on this mysterious port. The fact they were all running Apache was cert
How To Celebrate Privacy Day (And How Not To)
Commentary  |  1/27/2009  | 
Wednesday, Jan. 28, has been designated International Data Privacy Day, and I'm still not sure how to celebrate. Should I invite all of my friends and family over, then go in the bathroom, lock the door, and make an entry in my personal diary? Or maybe we should all put on funny hats and go outside with noisemakers, screaming, "It's none of your friggin' business!!" Ah, those holiday traditions.
Get Your Pentesting Permission Slip
Commentary  |  1/26/2009  | 
As infosec professionals, we are often tasked with performing duties that would be considered illegal if we did not receive proper authorization beforehand. For example, if you were performing a penetration test against a system that you or your employer doesn't own, or for which you don't have authorization to access, then you could be violating a number of laws leading to termination and possible criminal prosecution.
The Trouble With Phishing
Commentary  |  1/22/2009  | 
Any person who is familiar with even the basics of modern computer threats will know the term phishing. It is an example of the more generic threat known as social engineering, or using psychology as a primary attack vehicle. In general, people tend to be trusting and helpful (although, of course, we can all quickly bring to mind those who are neither). Phishing and other social engineering attacks make use of these traits to trick computer users into giving up valuable information, fr
Honing Security Skills Outside Of The Workplace
Commentary  |  1/22/2009  | 
Here at the Sundance Film Festival, I've noticed varying levels of credentialed people. Some work for Sundance directly; others are volunteers. Some are folks who dropped down a couple thousand dollars for a ticket package that includes an extra level of access the public doesn't have. And, of course, we can't forget the cast and crew of the films. In the four years I've been attending, you can count me as part of the rest of the bunc
How Hackers Will Crack Your Password
Commentary  |  1/21/2009  | 
I've been cracking passwords lately for pen tests, and I'm surprised at how corporate guidelines don't really help people choose passwords. As in many places in security, a disconnect exists between how people secure systems and how hackers break systems. So the following is a brief description of what hackers do (or, at least, what I do when pen-testing systems).
Largest Data Breach In History Tries To Hide Behind Inauguration
Commentary  |  1/20/2009  | 
Heartland Payment Systems, a credit card processor out of Princeton, N.J., that mostly supports small and midsize businesses, announced during today's presidential inauguration that it was the victim of a massive data breach that could include more than 100 million credit card numbers.
If It Walks Like A Botnet
Commentary  |  1/16/2009  | 
There's something fishy going on with the Confickr/Downadup worm. So far, it hasn't crossed the line to an official botnet, but this thing is fast becoming a monster that just won't stop spreading, no matter what Microsoft does to warn users to patch (the patch has been available since October, people) or how security vendors scramble to scan for it as it evolves and changes.
Geek Productivity Tough To Measure
Commentary  |  1/14/2009  | 
Measuring productivity is difficult when it comes to IT security professionals and, in general, most IT geeks. It's not as bad as trying to measure the return on investment (ROI) for security products, but it can be difficult if you focus on the number of hours worked as opposed to employee output.
PCI Impact Brings Insurance Protection Offering
Commentary  |  1/12/2009  | 
What does it say about the impact of PCI regulations on small to midsize businesses when an insurance company begins offering "card-compromise" coverage?
Campus Net Abuzz With BCS Win
Commentary  |  1/9/2009  | 
Another year, another championship. Now, that's not meant to sound snobbish or trite, but the past few years have been very good for University of Florida athletic programs. Last night was a great example with the Gator football team wrapping up the BCS National Championship with a win against the Oklahoma Sooners. After seeing the preparatory buzz of activity yesterday, I expected to see more visible excitement as I walked a
Bombshells For The New Year
Commentary  |  1/8/2009  | 
The week after Christmas should be a quiet, reflective time to get organized for the new year while the security industry takes a little winter's rest. Uh -- not so much. This is the security industry, remember? Vendors may not roll out products during the holidays, but hackers never sleep.
You're Not Paranoid, Your Antivirus Just Doesn't Work Well
Commentary  |  1/7/2009  | 
Myth #2 of the "The Five Most Dangerous Security Myths" by PC World's Erik Larkin popped up in my inbox from a family member this morning. The second myth is, "Sure, the Web is today's Wild West, with digital guns blazing and no sheriff in sight. But as long as you use a goo
People-Hacking
Commentary  |  1/6/2009  | 
My firm was recently hired to perform a network assessment for a fairly large bank. The emphasis on this engagement was circumventing physical controls and gaining access to the bank's internal network infrastructure. As with most financial institutions, we were asked to compromise remote locations (bank branches) and then make an attempt on the main office.
Hack Simplifies Attacks On Cisco Routers
News  |  1/6/2009  | 
New technique for hijacking routers reinforces need for regular IOS patching
Browser Privacy Features Leave Users Exposed
Commentary  |  1/5/2009  | 
When using "private browsing mode" included in many of the current (and beta) Web browsers, do you know just how well it is working at preventing your Internet browsing from being tracked? What about the protection provided when you hit the button to clear your Web browsing history, cookies, and cached files?
DLP: An Important Tool In Protecting Data During Mergers & Acquisitions
Commentary  |  1/2/2009  | 
Data loss prevention (DLP) is a topic I've covered in the past because it's important in these times of targeted attacks and accidental data loss. It also tends to be a controversial topic since many people view it differently due to the variation in definitions of what the technology really is. For example, DLP vendors have solutions that range from basic content filtering at the network gateway to complex network- and host-based monitoring solutions, leaving the definition up to the vendor who


NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21238
PUBLISHED: 2021-01-21
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping bec...
CVE-2021-21239
PUBLISHED: 2021-01-21
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ...
CVE-2021-21253
PUBLISHED: 2021-01-21
OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attacker...
CVE-2020-4966
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the...
CVE-2020-4968
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192427.