Dark Reading is part of the Informa Tech Division of Informa PLC
News & Commentary

Content tagged with Perimeter posted in May 2009
Cybercriminals: More Obvious Than They Think?
Commentary  |  5/29/2009  | 
Attackers often use and abuse security by obscurity, which can lessen the likelihood that they will be caught. From them we can learn a lot about profiling attackers on our networks, and how they work to achieve better operational security. Take their use of encryption.
Snort To Go Virtual
News  |  5/28/2009  | 
Open source IDS/IPS celebrates its tenth year with an all-new platform in the works, a new release candidate, and plans for a commercial virtual appliance
Security Alliances Partner To Work On Cloud Computing
Quick Hits  |  5/27/2009  | 
Jericho Forum, Cloud Security Alliance agree to align their best practices for secure collaboration in the cloud
U.S. Cyber Czar On The Horizon; New Legislation, Too?
Commentary  |  5/27/2009  | 
The buzz surrounding President Obama's efforts at securing our cyber-infrastructure is audible. The release of a 60-day review of the government's cybersecurity efforts, which started back in February, is expected soon, along with the naming of a new White House official -- a "cyber czar," as some are calling the position -- who will reportedly have purview over developing a strategy for securing both government and private networks.
When Your Security Career Gets Hacked
Commentary  |  5/26/2009  | 
Security professionals like to think they're immune from the economic woes plaguing the rest of the business world, but, unfortunately, many are finding out the hard way that their jobs aren't any more secure than their apps. So career coaches Lee Kushner and Michael Murray today launched an "incident response" podcast series to help security professionals whose careers have been hacked and their jobs lost get back into the job market.
Adobe Owns Up To Security Issues
Commentary  |  5/22/2009  | 
The discussion surrounding how to make software vendors accountable for hacked systems and data breaches due to security problems in their products is, at best, an effort in futility. As much as we'd like to have Microsoft, Oracle, and Adobe take responsibility for software vulnerabilities that have caused us headaches and cost us money, we are stuck in an endless loop of dependence on their products.
Lessons From Fighting Cybercrime, Part 2
Commentary  |  5/21/2009  | 
In this article we'll examine three basic guidelines on how to implement solutions into social systems, learned from the fight against spam.
Hardened OS Vendor Builds Secure Virtual Layer For Network Devices
News  |  5/21/2009  | 
"Tier one" networking equipment vendors are adopting Green Hills Software's secure virtualization platform as an extra layer of protection for their devices, company says
Ruminating on CSI SX
Commentary  |  5/20/2009  | 
Citizens of the Information Security Nation, to you I say: Classify and inventory your data and assets! Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.
Educating Our Clients Is Part Of Our Responsibility
Commentary  |  5/20/2009  | 
Have you ever had a client (or your own employer) say, "There's no way a user could hack our internal Web apps; they can't run anything but authorized applications like a Web browser and e-mail client." Happens all the time, right? Guess what -- you're not alone.
Trusted Computing Group Widens Security Specs Beyond Enterprise Networks
News  |  5/18/2009  | 
New specs include support for SCADA systems, physical access control systems, guest PCs, printers, and VOIP phones
Report: Growth Of Digital Data Could Overwhelm Security
Quick Hits  |  5/18/2009  | 
IDC "Digital Universe" study says volume of data is vastly outgrowing the resources available to protect it
Zero-Day IIS Vuln Bypasses Authentication
Commentary  |  5/18/2009  | 
Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerabili
Lessons From Fighting Cybercrime
Commentary  |  5/17/2009  | 
The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.
'Kramer' Is In The Building
Commentary  |  5/15/2009  | 
My firm, Secure Network Technologies, was recently hired by a large healthcare provider to perform a security assessment. As part of the job, my partner, Bob Clary, posed as an employee, similar to the "Seinfeld" episode in which Kramer shows up and works at a company where he was never actually hired.
Tippett To Discuss Verizon Breach Report
Commentary  |  5/14/2009  | 
Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.
Detecting Malware Through Configuration Management
Commentary  |  5/13/2009  | 
Malware analysis has two basic approaches that fall into either the static or dynamic analysis category. The static approach analyzes the malicious executable itself by disassembling it to determine its true nature. Dynamic analysis involves executing the malware and analyzing its behavior.
SIEM Case Study: Israeli E-Government ISP
Commentary  |  5/12/2009  | 
Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.)
Porn Leads To Conviction Under 'Hacker Law'
Commentary  |  5/11/2009  | 
Did you know that by looking online for an "adult friend" and uploading nude pictures of yourself while at work, you could be convicted using the same law that was designed for prosecuting malicious hackers?
Researchers Find Missile Defense Data On Used Hard Drive
News  |  5/8/2009  | 
Study also produces sensitive data from Ford Motor, Laura Ashley, and other businesses
Recession Opens Up Opportunities To Innovate
Commentary  |  5/8/2009  | 
Information technology, and especially the area of security, is an ever-changing, dynamic field for work and research. That's one of the reasons I enjoy it so much; if I get bored with one thing, there's a dozen others I can focus on and come back to the previous thing later. But, we are in interesting times. Enterprises are cutting back IT budgets. Layoffs are happening all around us. Companies are consolidating. What does this mean to the infosec community?
Windows 7 Will Mostly Be More Secure Than Leopard
Commentary  |  5/8/2009  | 
Apple's Snow Leopard will be attacked more than any other version of the vendor's platform, and Apple's use of a "security by obscurity policy" where it does its very best not to actually talk in any depth about the subject will likely bite it in the butt this time.
Startup Takes New Spin On Online Fraud Detection
News  |  5/7/2009  | 
Pramana's 'HumanPresent' technology uses stealthy real-time detection of bots and bad guys posing as legitimate users
CouchSurfing: A Working Trust Model
Commentary  |  5/7/2009  | 
Trust. At the beginning we take it on faith. On the Internet, a fortiori, all the more so. While security professionals struggle to establish online trust, CouchSurfing, a social site for tourists who want to borrow your couch and, perhaps -- wink, wink -- make friends, has a working trust model that is cool to boot.
Backdoors In The Network: Modems, WiFi, & Cellular
Commentary  |  5/6/2009  | 
War-dialing received a revival in March with HD Moore's release of WarVOX, a tool that leverages VoIP to speed up the calling of phone numbers to find modems, faxes, and voice systems. Finding modems can help enterprises find backdoors into their network set up by a rogue employee. Likewise, it can help penetration testers find forgotten or lesser-known ways into a target's network through poorly secured modems.
BT Study: Most Enterprises Expect To Get Hacked This Year
News  |  5/5/2009  | 
A soon-to-be released ethical hacking report finds 60 percent of organizations budget for penetration testing
Time Synchronization: The Devil Is In The Details
Commentary  |  5/4/2009  | 
One of the coolest birthday gifts I received this year was a Kindle, which is letting me finally tap into the collection of unread e-books sitting on my laptop. One of them is the first in a series called "Stealing the Network: How to Own the Box." The chapter I'm reading reminded me of a pet peeve of mine that drives me nuts during incident response: time synchronization.
Heartland Payment Systems' PCI Compliance Is Reinstated
Quick Hits  |  5/4/2009  | 
Visa gives payment services provider the green light following 2008 megabreach
Security's Past Gives Hints To Its Future
Commentary  |  5/4/2009  | 
Julius Caesar didn't see the need for a bodyguard when he went to the floor of the Roman senate on a March day in 44 B.C. That little oversight cost him 23 stab wounds and the throne of the empire. More than 1,900 years later, Abe Lincoln entered the presidential box at Ford's Theater in Washington, D.C. -- again, no bodyguard seemed necessary. We all know how that decision turned out.
Tech Insight: Back To Basics For Securing Your Outgoing Traffic
News  |  5/1/2009  | 
One way to leverage your existing infrastructure amid security budget constraints is egress filtering using your existing network devices
The Irony Of Preventing Security Failures
Commentary  |  5/1/2009  | 
It used to be that we were judged by not suffering security incidents. But today everyone gets hit, so we are now judged by how we deal with a breach. But what if nothing happens because we stopped it? That may be the most dangerous option in the long term.