Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Perimeter posted in October 2009
LinkedIN With 'Bill Gates'
Commentary  |  10/30/2009  | 
Bill Gates invited me to join his LinkedIN network. OK, so it wasn't really Bill Gates, but as far as my email system, spam filter, and email client were concerned, it's perfectly normal for Gates to send me a LinkedIn invitation.
Getting To Know Your Infrastructure
Commentary  |  10/29/2009  | 
Knowing your network is a fundamental step for building a successful vulnerability management (VM) project.
Know Your Tools
Commentary  |  10/28/2009  | 
Ever have one of those days where nothing really seems to go right? You're working on something that should be simple and it ends up throwing seemingly unexplainable errors back at you no matter what you try? Then when it does work, you're not sure what you changed that fixed it. Yeah -- me, too.
Christian Site's Poll Backfires
Commentary  |  10/26/2009  | 
The Alpha Course, a Christian Website, has created an instant Internet poll asking if God exists. So far, 96 percent of respondents clicked on "NO."
Using Evil WiFi To Educate Users, IT Admins
Commentary  |  10/26/2009  | 
For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.
The ABCs Of DAM
Commentary  |  10/26/2009  | 
Database activity monitoring (DAM) has been the biggest advancement in database security in the past decade. Identity management controls access, and encryption protects data on media, but monitoring verifies usage.
Trusting Trust
Commentary  |  10/23/2009  | 
An old and respected paper about compilers teaches us a lot about network security architecture.
Microsoft And Mozilla Compete, Cooperate
Commentary  |  10/22/2009  | 
In its patch release last week, Microsoft described an interesting side effect in one of its bulletins.
Firefox Web Browser Weaponization Redux
Commentary  |  10/21/2009  | 
I've written about the Samurai Web Testing Framework (WTF) LiveCD project and some of the Firefox Add-Ons that can be used to transform Firefox into a highly capable Web application penetration testing tool. Now the Add-Ons included in Samurai and a few others have been bundled together into the Samurai WTF Firefox Collection--essentially, a one-stop shop for Web browser weaponization.
Using USBs For Incident Response
Commentary  |  10/19/2009  | 
I was honored to be the keynote speaker this week at Operation WebLock, a cyber incident response two-day seminar hosted by the Florida Department of Law Enforcement. The event focused on helping administrators and IT staff respond better to cyber-threats that could affect their networks and Florida's infrastructure -- a very worthwhile endeavor, and awesome that it was offered free to local business, government, and law enforcement.
App Whitelisting Potentially More Effective Against Bots
Commentary  |  10/15/2009  | 
Application whitelisting is beginning to look more and more appealing. Don't get me wrong. It has had its merits all along. But lately I've seen way too many failures of antivirus against bots, and that has me rethinking a few things.
The Priority Patches From This Month's Batch
Commentary  |  10/15/2009  | 
Tuesday's patch releases by Microsoft and Adobe are creating plenty of work for IT administrators -- quite possibly involving multiple groups with further coordination and meetings. But there are two patches that IT administrators should be focusing on to roll out quickly:
Cost, Strength Of Security Drive Users Toward SaaS Offerings
News  |  10/14/2009  | 
New Dark Reading report offers a look at the strengths, weaknesses of security SaaS -- and how to choose the right provider
Getting Around Vertical Database Security
Commentary  |  10/14/2009  | 
A few database administrators told me they wanted to know why database security is vertical and how they can fix it. True, database access controls are vertical. The basic construct of a database is a table, and access controls grant access to tables or columns. This means you can see all of the entries from top to bottom, or none at all. Access is vertical and it lacks granularity.
In Support of Poor Ol' Windows Vista
Commentary  |  10/13/2009  | 
We just released the October issue of the CSI Alert to CSI members, and this month we focus on Windows 7. This issue is, in some ways, a follow-up to last year's issue, "The Fate of the Secure OS," in which I said some nice things about Windows Vista, and advised it would be imprudent to completely ignore Windows Vista -- eyes-closed, fingers-in-ears, chanting I'm-not-listening-I'm-not-listening.
Dark Reading Launches Vulnerability Management Tech Center
Commentary  |  10/12/2009  | 
Today Dark Reading launches a new feature: the Vulnerability Management Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis of the technologies and practices used to identify and eradicate security vulnerabilities from enterprise IT environments.
Phishing Your Users for Better Security
Commentary  |  10/12/2009  | 
A couple of years ago, William Perlgrin taught users about phishing...by phishing them. In doing so, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, created an awareness program that (for the most part) worked.
The Future Of Digital Forensics
Commentary  |  10/9/2009  | 
Last week's 10th annual IT Security Awareness Day at the University of Florida had IT workers from all over the state in attendance to hear experts from InGuardians, F-Response, Sunbelt Software, and Microsoft. Though I enjoyed every presentation, I keep thinking about one in particular -- the future of forensics, by F-Response's Matt Shannon.
You Can't Always Be Proactive
Commentary  |  10/8/2009  | 
Having your car serviced regularly, stretching before working out, and visiting the dentist twice a year are known to prevent engine failure, physical injury, and potentially life-threatening gingivitis. In addition, being proactive also extends to the world of information security.
Avoiding Database Audit Pitfalls
Commentary  |  10/8/2009  | 
Many seasoned database administrators howl in protest at the mere suggestion of running native auditing functions due to the poor performance and log management headaches that often come with auditing.
Database Auditing Essentials
Commentary  |  10/5/2009  | 
Auditing database activity is a core component to any data security program. Databases capture data access and alterations during transaction processing, along with modifications to the database system. These actions are captured and written into an audit log that is managed by the database internally. The audit log is the most accurate source of events because it's the database that acts as the arbiter to ensure transactional consistency and data integrity.
Squashing Malware With Snort In-Line
Commentary  |  10/5/2009  | 
Snort is a powerful open source intrusion detection system (IDS). What surprises me is how many security people have never touched it to learn more about how IDS works -- or how easy it is to evade many IDS signatures that are designed to look for known bad traffic.
A Weapon Against SQL Injection
Commentary  |  10/2/2009  | 
The single most common database security inquiry I get is, "What's this whole stored procedure parameter thing, and how does it help with SQL injection?"
Dark Reading's Database Security Tech Center Refresh
Commentary  |  10/1/2009  | 
The Dark Reading Database Security Tech Center is expanding. The subsite, devoted to bringing you news, product information, opinion, and analysis all focused on the very timely topic of database security, has been well-received by our readers since its launch in June, so we're adding two new elements to provide even more depth of coverage: a new blogger dedicated to database security, and new monthly feature articles that drill down on the latest database security threats and issues.


Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd