Dark Reading is part of the Informa Tech Division of Informa PLC

News & Commentary

Content tagged with Perimeter posted in October 2010
Talk About Evasion
Commentary  |  10/28/2010  | 
Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.
Talk About Evasion
Commentary  |  10/27/2010  | 
What's new is old and what's old is still news
Why Windows Phone 7 Could Be Most Secure Smartphone At Launch
Commentary  |  10/25/2010  | 
One of the interesting things I learned from spending a few days with McAfee recently was that the iPhone is actually one of the most secure smartphones.
Key Management Plays Crucial Role In Database Encryption
News  |  10/22/2010  | 
User input error at Colorado County shows potential for database trouble, experts say
FBI Warns Of 'Corporate Account Takeover' Scams
News  |  10/21/2010  | 
Attacks on small and midsize companies can be financially devastating, agency says
Does Compliance Drive Patching?
Commentary  |  10/20/2010  | 
A thought-provoking comment was made in response to Ericka Chickowski's recent article "Best Practices For Oracle And Database Patching."
An SMB Guide To Credit Card Regulations, Part I: PCI DSS Q&A
Commentary  |  10/20/2010  | 
This article is the first in a short series designed to help small businesses understand the regulations around securing credit card transactions, specifically the PCI DSS (Payment Card Industry's Data Security Standard) requirements.
It's About The User
Commentary  |  10/19/2010  | 
E-commerce was born 15 years ago when a bunch of us, thrilled by all of the possibilities and promise of the Web, said, "Let's adapt this new medium to do business." Even at that early moment, it was clear that user authentication would have to play an essential role if the adaptation was going to be successful.
Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security
News  |  10/18/2010  | 
IDS/IPS, firewalls, Web application firewalls are among at-risk devices for technique that lets attackers sneak inside
Stuxnet: An Amateur's Weapon
Commentary  |  10/15/2010  | 
Stuxnet, a Trojan supposedly designed to attack Iran's nuclear program, is so technically advanced that it is said to be able to remotely explode a power plant without the controller noticing. Such an advanced weapon was developed by people with means. But whoever they are, they're amateurs.
Zero-Day Pen Testing Under Fire
Commentary  |  10/13/2010  | 
A blog post I wrote recently about using zero-day exploits for testing seems to have ruffled some feathers: I got a flood of email about why the concept is immoral, tests like that are not valid, and a host of other problems. Rather than responding to emails individually, this post answers a few common grievances with my testing methodology.
Dragging Physical Security Monitoring Into 2010
Commentary  |  10/13/2010  | 
It is fairly common to see router, firewall, and intrusion-detection system logs in addition to server, workstation, and application logs consolidated within an enterprise security information management (ESIM) system. Logs generated from network-based devices are generally responsible for the bulk of logs monitored by an ESIM, with the remainder consisting of logs from the various endpoints and software deployed throughout the infrastructure. Perhaps one of the most overlooked sources of data t
A Peek At The Intel-McAfee Strategy
Commentary  |  10/12/2010  | 
This week is McAfee's annual customer and partner event, and the first one since the announcement that Intel would acquire McAfee. The message at Focus is the Intel-McAfee plan to secure all parts of the emerging highly distributed and massively diverse ecosystem -- from devices such as smartphones and tablets to large-scale virtualized servers -- in what is increasingly a SaaS and virtualized environment.
Monitoring With Network Flow Technology
Commentary  |  10/11/2010  | 
A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.
PCI Council Offers Guidance On Point-To-Point Encryption
News  |  10/8/2010  | 
Retail standards organization helps clarify where and when to encrypt credit card data
Blocking Zero Days With EMET 2.0
Commentary  |  10/6/2010  | 
Few security products I've used over the years are ones I would run on a Windows system on a daily basis. Of course, that would require me to run Windows on a daily basis, but if I did and I used it for daily activities like Web browsing, e-mail, etc., I wouldn't do so without the Microsoft Mitigation Experience Toolkit (EMET).
Product Watch: Cisco Expands Borderless Networks Concept With New Security Products
News  |  10/5/2010  | 
New security appliance, firewall capabilities are among many products rolled out
Three Steps To Safer Connections With Your Business Partners
News  |  10/4/2010  | 
Suppliers, contractors, and other partners can be a great help to your business, but can you trust their systems to be secure?
Data Security: You're Doing It Wrong!
Commentary  |  10/4/2010  | 
Pete Finnegan's recent webinar, "The Right Way to Secure Oracle," was pretty controversial. His message? Database security is not what's important -- data security is.
Understanding The Mindset Of The Evil Insider
Commentary  |  10/4/2010  | 
Technology is typically going to serve as the basis for insider threat attacks. One of the major key technology areas is information extraction, and it must be clearly understood so an organization can try to stay one step ahead of the malicious insider.

