
Content tagged with Perimeter posted in June 2009
'Net Parrot Effect
Commentary  |  6/30/2009  | 
Iran. You remember the place? Before several celebrities died in the past week, Iran's election aftermath gripped national attention. The more I found out about the election situation, the demonstrations, and the crackdown, the more I felt as if I were reading a political thriller. That's when the ugly side of our hyper-connected society reared its ugly head.
Don't Let Legacy Media Foil Your Forensic Investigation
Commentary  |  6/29/2009  | 
When performing incident response and forensics on a compromised system, the focus of analysis is on the most immediately available and relevant sources of evidence. Volatile data collected from a running system, the hard drive, network flow data, and logs collected on a central server all serve as useful sources for determining the particulars of the incidents. But what about incidents that go back further, requiring you to dig into backup tapes -- and potentially very old ones?
EU Group: Social Networks, Third-Party App Developers Subject To EU Privacy Laws
Commentary  |  6/25/2009  | 
I just took a close look at the Article 29 Data Protection Working Party's opinion report on online social networking. While some of its recommendations are what you'd expect, others came as a surprise.
The Iranian 'Proxy War'
Commentary  |  6/25/2009  | 
Iranians are using proxies worldwide to circumvent government censorship.
Could The Cloud Lead To An Even Bigger 9/11?
Commentary  |  6/25/2009  | 
Late last week I attended an event sponsored by IBM/Lotus and Technology Review. A very credible "End of the U.S." doomsday scenario tied to the public cloud was outlined that I believe warrants further thought.
Forewarned Is Forearmed, Right?
Commentary  |  6/23/2009  | 
Next-gen Web apps and virtualization are two topics much on the collective mind of CIOs and line-of-business leaders. Of course, they're seeing dollar signs from slick eye-candy RIAs and cramming 20 VMs on each physical server. Security? Meh.
Maltego: Going On The Offensive *And* Defensive To Defend Against Social Networks
Commentary  |  6/22/2009  | 
You know the military's ol' mantra about "loose lips sink ships"? Well, it's being redefined by sites like Twitter, Flickr, and Facebook, according to a great article from Federal Computer Week that discusses the threats social networks pose to operational security.
Facebook Scam: I'm Stranded In London. Send Money!
Commentary  |  6/21/2009  | 
Facebook users are facing a new threat, 419 scams in chat form, masquerading as friends.
Data Leakage Through Nontraditional Networks
Commentary  |  6/19/2009  | 
Securing our company's data is our job. We build up layers of defense to protect it when it is housed within our corporate network and corporate computer systems. Firewalls, VPNs, encryption, and data leakage prevention all help in some way to protect the data that we don't want anyone else to have. Sometimes, however, we are stuck in the situation where we don't control the network or systems that portions of our data end up on.
Government Takes Action On Internet Badness
Commentary  |  6/17/2009  | 
Sources of online criminal activity, such as Atrivo/Intercage and McColo, are no longer around. While I am not quite willing to share the full story behind these takedowns just yet, I can say that community action was the key.
Developers Often Left Out Of Security Training
Commentary  |  6/17/2009  | 
A good friend was telling me recently about a risk assessment he was involved with in which his organization found some vulnerabilities in the Web application. When they asked the developer about them, the response was, "What is cross site scripting?" Wow -- how is it that in this day and age someone who probably considers themselves to be a competent Web developer doesn't know XSS? Ask them about SQL injection, and the response would probably be the same.
Researchers To Unleash New SMS Hacking Tool At Black Hat
News  |  6/16/2009  | 
iPhone-based auditing tool tests mobile phones for vulnerabilities to SMS-borne attacks
Dark Reading Launches Database Security Tech Center
Commentary  |  6/16/2009  | 
Today Dark Reading launches a new feature: the Database Security Tech Center, a subsite of Dark Reading devoted to bringing you news, product information, opinion, and analysis specifically focused on the topic of database security.
Researchers Build Anonymous, Browser-Based 'Darknet'
News  |  6/15/2009  | 
Black Hat USA presentation will demonstrate how the latest browser technology makes underground, private Internet communities simpler to form, more secretive
Incorporating The 'CIA' Triad In Software Purchases
Commentary  |  6/15/2009  | 
When talking to sysadmins and developers about security of the new software they're looking to deploy, I often end up in a discussion in which at least one or two of the CIA (confidentiality, integrity, and availability) triad are left out.
Report: No Magic Bullet For Database, Server Security
News  |  6/11/2009  | 
New Forrester report says encryption, data monitoring technologies key tools for now
Flaw In Virtualization App Causes Data Loss On Thousands Of Websites
Quick Hits  |  6/10/2009  | 
VAServ says some customers may never recover data wiped in zero-day attack
Cost Analysis Of Multifactor Authentication
Commentary  |  6/10/2009  | 
A recent article on integrating the YubiKey, a USB token that can provide one-time passwords (OTP), and WordPress reminded me of how few people I know actually use multi-factor authentication to secure their resources. Instead, they rely on the passwords for users to authenticate to Websites and VPNs with nothing in between them and an attacker who might steal that password. The insecurity of passwords is a topic that's b
Hacking Challenge Shows XSS Still King
Commentary  |  6/8/2009  | 
Last week, another company got egg on its face by running a "we're-so-secure-you-can't-hack-our-stuff contest." When are companies going to learn claims like that always backfire?
Trust And Web Ad Services
Commentary  |  6/5/2009  | 
Well-respected, highly secure Websites commonly infect the people who surf them. So if they are so secure, then why does this keep happening?
Disclosure Helps Bad Guys -- But Not The Way You'd Think
Commentary  |  6/4/2009  | 
When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.
Security Incident Ratings Made Easy
Commentary  |  6/3/2009  | 
Management likes numbers. They get the warm fuzzies when numbers can be graphed in a way that they can quickly discern what's going on. Of course, if the numbers are bad, then they may not feel those warm fuzzies. In the IT security world, we try to provide useful numbers to show what a great job we're doing, but it's hard to quantify thwarted attacks -- other than relying on numbers from an IPS and anti-malware system.
Java Trouble Brewing For Apple
Commentary  |  6/2/2009  | 
Like most computer geeks with the latest toys, I can always find a way to play rather than work. My procrastination tendencies can sometimes lead to troubling results (just ask my girlfriend), so I often give vendors some leeway when it comes to patching vulnerabilities. But some vendors just don't get it.
BackTrack4 Sneak Peek Shows New Forensic Capabilities
Commentary  |  6/1/2009  | 
BackTrack 4 Pre Final Sneak Peek was released to Informer Blog subscribers last week. Informer, created by Johnny Long and his Hackers For Charity organization, is a fundraising program to help feed children in East Africa, and its blog "is designed to give subscribers a 'backstage pass' to the world of Information