
News & Commentary

Content tagged with Perimeter posted in July 2009
New iPhone SMS Threat No Reason To Panic
Commentary  |  7/31/2009  | 
You may have heard that researcher Charlie Miller has released details about a vulnerability that allows an attacker to take over an iPhone remotely with a SMS message. Now everyone is rushing to offer homegrown advice on how to fix the problem. But I'm going to offer a different point of view.
McAfee Buys Cloud Security Provider MX Logic For $140 Million
Quick Hits  |  7/31/2009  | 
Acquisition expands McAfee's security software-as-a-service offerings
Pwnie Awards Bring Fame And Shame
Commentary  |  7/30/2009  | 
The third annual Pwnie Awards at Black Hat in Las Vegas, hosted by Alex Sotirov, Dino Dai Zovi, HD Moore, Halvar Flake, and Rich, celebrated the highs and lows in the security industry. As Dino said, "First we reward for great work, then we shame."
Black Hat, Day One: Rationalizing And Reinforcing My Pessimistic World View
Commentary  |  7/30/2009  | 
When I arrived in Las Vegas, I already smoldered and grumbled about the facts that online trust mechanisms are untrustworthy, and that browsers' fundamental weaknesses persist despite the fact that better browsers would make an incalculable impact on overall Web security. Yesterday's sessions simply added more kindling to the fire.
Metasploit Meterpreter For Mac Coming Soon
Commentary  |  7/29/2009  | 
Meterpreter is by far one of the most powerful and most advanced payloads included in the Metasploit Framework. It's been the joy of penetration testers and the bane of incident responders, and until now it's only been a payload targeted at Windows systems, while Mac users have dodged a bullet. But that won't be the case for much longer, as demonstrated by Dino Dai Zovi in a 20-minute breakout session at Black Hat today titled "Macsploitation with Meterpreter."
Obama Administration Going Soft On Cybersecurity
Commentary  |  7/28/2009  | 
Viruses, botnets with international botmasters, denial-of-service attacks on government properties, cyberbullying, and the increasing threat of identity theft plague every resident, from child to adult, regardless of whether they are actually ever online -- U.S. cybersecurity has been little more than a bad joke.
Spammers Exploiting Free File Storage On Websites
Quick Hits  |  7/24/2009  | 
Automated account creation exploit lets spammers hide behind legitimate file storage services, researchers say
The BlackBerry 'Trojan Horse'
Commentary  |  7/23/2009  | 
Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.
The Encryption Gap
Commentary  |  7/23/2009  | 
Things that make us say "hmmm" include these stats: The percentage of respondents to our 2009 Strategic Security Survey who rated encryption as effective in reducing risk dropped from 57% in 2008 to 48% in 2009. Use of disk, file, and backup media encryption ALL fell year over year by at least five percentage points. Backup encryption usage is down 10 points.
Using Malware In Penetration Testing
Commentary  |  7/22/2009  | 
Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."
Aussie Police To 'War-Drive' For Insecure WiFi In Homes, Businesses
Quick Hits  |  7/21/2009  | 
Queensland authorities reportedly launch awareness program to find and warn users with vulnerable wireless networks
Data Breach Laws Drive IR, Preparation Is Key
Commentary  |  7/20/2009  | 
Fellow Dark Reading blogger Gadi Evron had an interesting take on the relationship between incident response and forensics in his post "Incident Response Is Not Forensics." I agree with him for the most part, but I don't think forensics is the most common course of action depending on who is responding to the incident.
Brothers In U.K. Convicted In Massive Credit Card Data Scam
Quick Hits  |  7/17/2009  | 
Identity theft operation highlights need to protect card data at the source, experts say
PCI Group Spells Out Guidelines For Deploying PCI-Compliant WiFi
News  |  7/17/2009  | 
'Operator's guide' provides security recommendations for merchants, auditors
Defensible Network Architecture Ideal For Incident Response
Commentary  |  7/17/2009  | 
In my last blog, I talked about how incident response is more than just preparing your first responders by training them and providing them with the tools. Your network and systems need to be set up in preparation, too, so that you have the information you need when handling an incident. It wasn't until yesterday that I remembered what I think is one of the best models of network design that fits the mold of what I mean by having your environment ready for an incident.
Incident Response Is Not Forensics
Commentary  |  7/16/2009  | 
Professionals who handle computer security incident response traditionally have also been charged with forensics. They find the evidence of wrongdoing, and preserve it in a court-approved fashion. This best practice is a good one, even when saving data for law enforcement is not a necessity or a priority.
Incident Response Prep Extends Beyond Tools, Training
Commentary  |  7/15/2009  | 
Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?
The Security 'Unconference' In Vegas
Commentary  |  7/15/2009  | 
Most of the security action happening later this month will be in Vegas' Caesars Palace and the Riviera Hotel, where Black Hat USA and Defcon will convene. But at a rented house at a thus-far undisclosed location a few miles off of the Las Vegas Strip, a handful of hackers will host SecurityBSides, a homegrown "unconference" alternative to the more structured format of Black Hat.
New Hardened Thumb Drive Self-Destructs When Breached
News  |  7/14/2009  | 
IronKey's new S200 includes strong encryption, anti-malware controls, and security policy management
Report: Encryption Adoption Steadily Growing
Quick Hits  |  7/14/2009  | 
While more organizations consider encryption as an overall strategic security solution, breaches keep rising, according to Ponemon Institute
Internet Explorer Hit With 1-2 Punch Of Zero-Day Attacks
Commentary  |  7/13/2009  | 
It's Monday: Do you know what Web browser your users are running? If it's Internet Explorer, don't look now, but for two weeks in a row, IE has taken two jabs straight to the face with ActiveX zero-day exploits that let attackers stomp all over users who are tricked into clicking on a malicious link or get redirected from a compromised site. Browser alternatives starting to look a little more enticing?
DDoS Cyberwarfare Hurts Us All
Commentary  |  7/9/2009  | 
A distributed denial of service (DDoS) attack has been in the news in recent days due to attacks against the U.S. government -- with fingers pointed at North Korea. But people forget a few basic truths when it comes to information warfare (or cyberwarfare) and DDoS attacks.
Hacking And Exploit Site Milw0rm Closes Its Doors
Commentary  |  7/8/2009  | 
Milw0rm is by far one of the best-known public sites to get the latest proof-of-concept exploit code. Or at least it was until it closed its doors today. The closing comes as a shock to the security community given that milw0rm had become a valuable resource for proof-of-concept and weaponized exploit code, demonstration videos, and papers on all areas of information security.
SecureWorks-VeriSign Deal Highlights Acquisition Trend In Security Services
News  |  7/7/2009  | 
As SecureWorks gets bigger faster, VeriSign pulls out of services business
Kantara Initiative: Another Effort To Get Identity 2.0 Out Of The Gate
Commentary  |  7/6/2009  | 
We've been saying for a while now that better identity management -- more so than secure Web app coding or even more secure browsers -- could fuel a quantum leap in Web security. The "Identity 2.0" community can be credited with wonderful research and truly significant advancements in identity management technology. In many ways, we're poised for an identity revolution. However, the efforts have been hampered by a lack of public awareness, a lack of interoperable standards, usability concerns, a
Would Your Users Take The Bait?
Commentary  |  7/6/2009  | 
Military leaders would never send their troops into war without preparing them for the threats they'd be facing on the battleground. Likewise, you shouldn't let your users go about their daily activities without educating them about the dangers they face when opening an e-mail or clicking on a link returned from a seemingly innocuous Google query.
The Only Two Reliable Cloud Security Controls
Commentary  |  7/2/2009  | 
It seems that we in the information technology profession are just as fickle as the fashionistas strutting around Milan or New York. While we aren't quite as locked to a seasonal schedule, we do have a tendency to fawn over the latest technology advances as if they were changing colors or hem lengths. Some are new, some are old, some are incredibly useful, and others are completely frivolous, but we can't deny their ability to enter and steer our collective consciousness -- at least until the ne
Security Design Goes With Secure Coding
Commentary  |  7/1/2009  | 
When professionals without security awareness plan a project, security is often left out. The result costs money in the long run. What can we do to make it better?
It's Time To Take Bot Infections Seriously
Commentary  |  7/1/2009  | 
The soapbox is a place I hate to be, but sometimes a topic just rubs me raw enough that I climb up to try and get my point across. The topic of bots, botnets, and their impact on corporate data is one of those issues.