Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Perimeter posted in April 2009
New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping
News  |  4/30/2009  | 
Replacing one vendor's firewall with another risks network disruption and could opens security holes, leaving many organizations to stick with the same firewall maker
Adobe Exploit Sheds Light On Bigger Risk Management Issue
Commentary  |  4/29/2009  | 
Batten down the hatches: It's zero-day exploitation time for Adobe Reader and Acrobat. But according to Adobe's blog post yesterday, "we are currently not aware of any reports of exploits in the wild for this issue." Is that the kind of statement you would feel comfortable taking to your CIO or CIS
Security Vendors Offer More Freebies, Deals To Existing Customers
News  |  4/27/2009  | 
Under increasing budget constraints and intensifying threats, organizations are asking their vendors for free, enhanced features and better deals -- and they're getting them
The Real Costs Of Laptop Loss
Commentary  |  4/27/2009  | 
How many movies have you seen where the bad guy is just about to get caught and interrogated when he bites down on a cyanide capsule and dies almost instantaneously? It's a pretty common scene that I've seen in movies as recent as "The Watchmen." Similar solutions, like virtual cyanide capsules, exist that can address lost or stolen electronic devices, and a study released by Intel and the Ponemon Institute last week highlights the importance of those products.
RSA's Five Big Takeaways
Commentary  |  4/27/2009  | 
Swag was scarce, attendee counts were down, and a few vendors opted not to exhibit this year, but last week's annual RSA Conference in San Francisco was still the obligatory get-together for security experts and vendors, sprinkled with loads of product and partner announcements and high-profile keynote speakers. The trouble with a show as large as the RSA Conference, of course, is that you can't see it all. So here's a synopsis of just some of the more memorable moments:
At RSA, Security Pros Don't Practice What They Preach
Quick Hits  |  4/27/2009  | 
AirPatrol study finds almost 100 unauthorized WiFi access points at convention
Taking Some Of The Sting Out Of Data Breaches
Commentary  |  4/24/2009  | 
Anyone who has suffered a recent data breach involving regulatory or legislative data knows the investigation can be an excruciating process. The investigation is subject to time constraints as to how long it takes time to prepare and notify affected individuals. Statutes may apply to the company requiring customers to be notified within X number of days. And, of course, breaches never occur when it's convenient for the victim. So what can you do to streamline the investigative process and make
Third-Party App Updates, Unite!
Commentary  |  4/22/2009  | 
Unite, unite, UNITE! It's a great fight song being preached by Secunia at this week's RSA Conference. In "Secunia Pushes For Standard That Updates Consumer Apps," here on Dark Reading, Secunia's effort to unify patching was discussed with some interesting statistics from the recent Microsoft Incident Report. According to the report, 90 percent of vulnerabilities present on Windows system
Aladdin Introduces Clientless Smartcard Authentication Solution For Online Services
News  |  4/21/2009  | 
Aladdin eToken PRO Anywhere combines certificate-based authentication with plug-and-play simplicity
Analyzing Security Psychology
Commentary  |  4/21/2009  | 
The integration of psychology into the security strategic-thinking process is critical for the advancement of information security. The human element influences all security controls because all of these controls seek to regulate human behavior.
The Human Element Behind Malware-Related Breaches
Commentary  |  4/20/2009  | 
Last year, the Verizon Data Breach Investigation Report made a big splash with insightful statistics on actual data breach investigations performed by the company's incident response team. Last week, the team released an updated version (PDF) for 2009 that includes more data, as well as an interesting look at what happened during the past year. What's grabbing my attention? The numbers related to malwa
I'm Interested, But In You
Commentary  |  4/20/2009  | 
Social engineering is a disturbing aspect of overall security threat analysis because it is the human element that is least in our control. Security and psychology -- once again -- go hand in hand.
Botnets: Coming To A Social Network Near You
Commentary  |  4/17/2009  | 
I've dealt with a lot of different types of bots. The communication channels among them have varied from unsophisticated IRC command and control (C&C) servers to advanced peer-to-peer (P2P) protocols. For botnet herders, the challenge is flying under the radar of network security professionals who are monitoring their networks and looking for anomalies. The infosec pros who know their networks inside and out are likely to pick up on strange protocols pretty quickly -- which is one of the reasons
Insecurity The Price Of Ubiquity
Commentary  |  4/16/2009  | 
The mainstream media seems enamored by the ubiquitous Internet, but it's not doing much to reveal the risks of interconnected computers.
The Certainty Of Death, Taxes and Malware
Commentary  |  4/15/2009  | 
In a letter to Jean-Baptiste Leroy, Benjamin Franklin spoke of the seemingly permanent outlook for the new Constitution, and followed up with "but in this world nothing can be said to be certain, except death and taxes." I don't think we can disagree about any of those points, especially with today being when the tax man cometh. However, I think we can add something else to that quote about certainty: malware.
New Web Vulnerability Tool Is Passive But Aggressive
Commentary  |  4/13/2009  | 
Every couple of weeks, a project comes across my desk that requires some sort of Web application vulnerability assessment or penetration test. It's one of the more fun things I get to do, and I rely on a quite a few different tools during each engagement. While most people relatively unfamiliar with Web app security think of active scanning apps such as Cenzic and WebInspect when they think Web app testing, quite a few of the tools I use fall into the passive analysis category.
Tech Insight: Making The Most Of Open-Source Forensics Tools
News  |  4/10/2009  | 
Emerging offerings can turn network forensics into a low-cost, do-it-yourself security project
WSJ's Meatless 'Spies' Story
Commentary  |  4/8/2009  | 
Wednesday's Wall Street Journal article reporting that the U.S. power grid had been infiltrated by Chinese and Russian "cyberspies" likely caused a few people to choke on their Cheerios. But it left the security community -- already jaded with stories of SCADA and power-grid vulnerabilities, and with assumptions that the grid had been hacked a long time ago -- hungry for more.
F-Response 3.09 Preview
Commentary  |  4/8/2009  | 
I've written a little about F-Response before. It's an incident response and forensic tool that gives investigators and responders the ability to access a running computer system's hard drive and physical memory in a read-only manner. Your analysis workstation connects over iSCSI to the target machine, and you can use practically any forensic tool to conduct analysis and imaging. I have used it with Forensic Toolkit (FTK), Encase, FTK Imager, Memoryze, and X-Ways. It's a great "enabler" tool tha
SCADA Security: What SCADA Security?
Commentary  |  4/7/2009  | 
SCADA, the control systems for such infrastructure services as water and energy, has us worried whenever critical infrastructure defense is mentioned. Why, then, is it the most insecure industry on the planet?
SANS Survey: Log Data Not 'Just For Geeks' Anymore
Quick Hits  |  4/7/2009  | 
More IT/security professionals are collecting log data than ever before, new report says
The Week After: Conflicted About Conficker
Commentary  |  4/6/2009  | 
The title says it all. With so much hype surrounding last week's impending destruction of the Internet, I started out a bit lackadaisical when people asked me about Conficker. As the week progressed, I started to feel annoyed and slightly hostile because so many people were coming to me to ask what was going to happen and how should they protect themselves. In hindsight, I should be happy at the new awareness brought on by Conficker, but I'm not.
Scanning Flash Apps For Insecurities
Commentary  |  4/3/2009  | 
Did you know that a simple Flash application on your Website could be a backdoor into your network? I've always known of such insecurities in Flash applications, but until recently, I had only looked at some Flash-based malware using Flare to analyze suspected malicious SWF files. All that has all changed with HP's new SWFScan tool,
Getting Physical With Workstation Security
Commentary  |  4/2/2009  | 
So often we as security professionals talk about the security of the machines we're responsible for, and the only time physical security comes up is during the discussion of laptops and server rooms. We're concerned about laptop theft and loss that could lead to the dreaded customer notification process. Or maybe we brag about the awesome security of our datacenter. What about user workstations? Is there an subconscious assumption they're safe since they're behind locked doors?
Anticipating Government Overreaction To An Actual Conficker Attack
Commentary  |  4/1/2009  | 
Most governments tend to overreact, and the U.S. probably leads the pack. Fortunately, we survived Conficker on Wednesday, but what if it had resulted in a massive amount of damage? Would the government's response have done more damage than the worm?
Dark Reading Launches Security Services Tech Center
Commentary  |  4/1/2009  | 
Today Dark Reading launches a new feature: the Security Services Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis of the "outsourced" security services and technologies available to augment your organization's IT defenses.


Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd