News & Commentary

Content tagged with Perimeter posted in February 2010
Comcast Goes DNSSEC, OpenDNS Adopts Alternative DNS Security
News  |  2/24/2010  | 
DNS provider OpenDNS selects DNSCurve over DNSSEC, but experts say the two technologies could eventually play together
Fight Malware With Software Restriction Policies
Commentary  |  2/24/2010  | 
Good news for Department of Defense folks. They can now start using USB flash drives again -- provided there's absolutely no other way to transfer the data from point A to point B. OK, so maybe it isn't time to rejoice just yet.
Firewalls And DIY Plug-Ins
Commentary  |  2/23/2010  | 
Let's face it: Users love the concept of adding free plug-ins and apps to customize and empower the base software tool, whether it's in a smartphone or browser. Doing so is fun, it's cool, and it lets them personalize their software to augment or shape how they use it. Even firewall management has joined the plug-in party.
PGP Launches Multivendor Key Management Platform
Quick Hits  |  2/22/2010  | 
New tool set is designed to provide a single framework for administering multiple encryption keys
Enhancing Botnet Detection With Manpower
Commentary  |  2/22/2010  | 
The average computer user (a.k.a. most of my family) doesn't have a fighting chance. I hate to say it, but the malware we're seeing on a daily basis makes this scary fact ever more true. There is absolutely no way that most home users are going to be able to protect themselves against modern malware like Zeus. Malware authors have become extremely good and proficient at what they do because it's making them money.
Defense Agencies Drop Ban On Portable Storage Devices
Quick Hits  |  2/19/2010  | 
Critics say new policies, practices may not be enforced
Boosting Your Defenses Against Botnet Infections
Commentary  |  2/19/2010  | 
In the past few weeks since the Google/China incident, we have seen a number of interesting blog posts and white papers that provide further details on some of the techniques used by the attackers.
Will Cyber Shockwave Make Some Waves?
Commentary  |  2/17/2010  | 
With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.
Mozilla's Add-On Policies And Spyware Surprises
Commentary  |  2/17/2010  | 
I've been using FlashGot on and off for years. It is a useful plug-in that helps you download multiple files from the same Web page "automagically." So when Firefox informed me about a new update for an add-on I've used for years, I clicked "OK" and updated it, only to find a surprise the next time I used Google.
Penetration Testing Is Sexy, But Mature?
Commentary  |  2/17/2010  | 
The buzz generated from Core Security's move to integrate with the Metasploit Framework has left me a little puzzled. Don't get me wrong: I love Metasploit. It's a fantastic tool that has certainly been put through its paces as a pen-testing tool -- it's free, open source, and extremely accessible to aspiring security professionals. And, of course, I've heard great things about Core's flagship product, Impact Pro. But the deal just seems like an odd move.
Measuring Database Security
Commentary  |  2/16/2010  | 
How much does it cost to secure your database, and how do you calculate that? One of the more vexing problems in security is the lack of metrics models for measuring and optimizing security efforts. Without frameworks and metrics to measure the efficiency and effectiveness of security programs, it's difficult both to improve processes and to communicate our value to nontechnical decision makers.
Oracle 0-Days
Commentary  |  2/12/2010  | 
During BlackHat, David Litchfield disclosed a security issue with the Oracle 10g and 11g database platforms. The vulnerability centers on the ability to exploit low security privileges to compromise Oracle's Java implementation, resulting in a total takeover of the database. While the issue appears relatively easy to address, behind the scenes this disclosure has raised a stir in database security circles. The big issue is not the bug or misconfiguration issue, or whatever you want to call it.
Virtualization Vulnerabilities Up And Coming
Commentary  |  2/11/2010  | 
Microsoft's February 2010 Patch Tuesday was one of the bigger releases for Microsoft and its clients in the past two years -- 13 bulletins addressing 26 vulnerabilities.
Sights, Sounds (And Snow) Of ShmooCon 2010
Commentary  |  2/11/2010  | 
There are hacker conferences, and then there's ShmooCon. The annual East Coast convention was held during a major snowstorm in Washington, D.C., but that didn't stop researchers from sharing their latest exploits, hardware, and software inventions, and huddling over discussions about the latest security issues.
How Much Crypto You Really Need
Commentary  |  2/11/2010  | 
Last month an international team of researchers announced they had managed to factor a 768-bit RSA key. This raises interesting questions about handling encryption and planning ahead in your security strategy.
Dark Reading Launches New Database Security Newsletter
Commentary  |  2/10/2010  | 
One of the things we've learned in publishing Dark Reading is that a pretty wide range of people work under the title of "security professional." There are techies and managers, risk managers and privacy people, white hats and black hats. Not surprisingly, they aren't all interested in the same news and information.
Speeding Incident Response With 'Indicators' Of A Compromise
Commentary  |  2/10/2010  | 
Advanced persistent threat: I like the term -- it sounds evil, and it is...well, at least I think it is. There has been a lot of news, opinions, and genuine FUD on APT since Google went public with news of its breach several weeks ago. Until then, I really don't think anyone ever paid much attention to what APT was, even though well-respected people, like Richard Bejtlich and the folks at Mandiant, have been talking about it for a while.
New SpyEye Trojan Could Challenge Zeus, Researchers Say
Quick Hits  |  2/10/2010  | 
Emerging Russian crimeware kit hasn't spread yet -- but it has potential
Amazon's SimpleDB Not Your Typical Database
Commentary  |  2/6/2010  | 
Several cloud providers offer databases specifically designed for cloud deployment. Amazon's SimpleDB, while technically a database, deviates from what most of us recognize as a database platform. Although SimpleDB is still in prerelease beta format, developers have begun designing applications for it.
New Flaws Pry Lid Off Cloud Frameworks
Commentary  |  2/5/2010  | 
A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.
'Brand' Your Employees
Commentary  |  2/5/2010  | 
You might want your product to be in the news every day, and for your PR to create miracles for you. But if you want attention, then your company must speak out on big security issues and news.
Litchfield's Last Hurrah
Commentary  |  2/3/2010  | 
Yesterday was David Litchfield's last day at NGS Software, and he commemorated the milestone by dropping a zero-day vulnerability in Oracle's 11g database at Black Hat DC. He also surprised the audience -- and possibly himself -- by awarding Oracle a "B+" final grade for security in 11g, after nearly 10 years of keeping Oracle on its toes by calling out vulnerabilities in its database technology.
Updated Tool Targets Facebook Security
Commentary  |  2/3/2010  | 
Security issues surrounding social networking sites make me cringe. I understand their practical applications, but they are also the platform for easy delivery of exploits through social engineering. I've seen many systems compromised by the unconscious click on a Facebook link. Users' nonchalance on similar sites and their trust in the Internet frustrate me to no end.
IBM ISS Researcher Exposes Holes In Cisco's Internet Surveillance Architecture
News  |  2/3/2010  | 
Wiretapping architecture could be abused by individuals under surveillance and outside attackers; Cisco reviews recommended fixes
Tool Helps Prepare For Disaster
Commentary  |  2/3/2010  | 
When I see an event like the Haiti earthquake, I worry that we treat disaster preparedness much like we do data backup -- we don't really think about it until it's too late. We are faced with putting in place a plan to deal with disaster, and then realize we aren't properly prepared. But I might have found a tool that can help.
Researcher Cracks Security Of Widely Used Computer Chip
News  |  2/2/2010  | 
Electron microscopy could enable criminals to develop counterfeit chips, Tarnovsky says at Black Hat DC
When Software Glitches Are Fatal -- Literally
Commentary  |  2/1/2010  | 
Hearing about how many companies were hacked during the Aurora attacks due to a software vulnerability in Microsoft's Internet Explorer (IE) is frustrating. Now another attack is ready to be unveiled at Black Hat DC that also uses an IE "feature." The thought of what can and has happened because of these flaws is scary -- theft of personal information, espionage, identity theft, etc. -- but what happens when software glitches lead to death?