Content tagged with Perimeter posted in July 2010
Real-World Attacks With Social Engineering Toolkit
Commentary  |  7/30/2010  | 
Social engineering has always been a penetration tester's (and hacker's) most effective tool. I would say it's their best weapon, but not everyone is good at the softer, human side of social engineering. However, when it comes to the technical side, the tools are getting better and better, including the latest version of the Social Engineering Toolkit released at BSides Las Vegas on Wednesday.
Four Must-Have SMB Security Tools
Commentary  |  7/28/2010  | 
Regardless of their size, many SMBs still need to meet strict compliance regulations, such as PCI and HIPAA. In addition to any special requirements, there are a few security technologies every small business should have in place. Here are my four SMB security must-haves.
Report: British Ministry Of Defense Lost More Than 1,000 Storage Devices In Two Years
Quick Hits  |  7/26/2010  | 
Many of the devices were unencrypted; other agencies also at risk
What You Should Know About Tokenization
Commentary  |  7/26/2010  | 
A week ago Visa released a set of best practices and recommendations for tokenization. Unfortunately, "best practices" leaves plenty of room for poor implementations.
Killed By Code: The FDA And Implantable Devices Security
Commentary  |  7/26/2010  | 
A new report from the Software Freedom Law Center deals with the security implications of bionic medical devices being implanted into the human body.
Security BSides Grows, But Not Too Much
Commentary  |  7/23/2010  | 
The security "unconference" is back in Vegas, and this time the setting is a gated private resort with multiple swimming pools and a sand beach, and the number of attendees signed up so far for the free -- yes, free -- event has doubled. But that doesn't mean Security BSides will lose the intimate vibe that its organizers envisioned and encouraged when they first launched it in Las Vegas a year ago.
Tokens A Tempting Option For Securing Cardholder Data
News  |  7/22/2010  | 
Tokenization might be the PCI Holy Grail, but the search for it could be just as circuitous
Avoiding Accidental Data Leaks In Small Businesses
News  |  7/21/2010  | 
SMBs struggle to educate users, protect company data from unintentional breaches
Conquering Large Web Apps With Solid Methodology
Commentary  |  7/21/2010  | 
This is one of those weeks where I'm trying to wrap up as much as possible before I'm out of the office for Black Hat, BSides, and Defcon. One of those things on my list is a Web application assessment for a client that's a monstrous, open-source beast with subapplications bolted on from all over the place and tons of places for vulnerabilities to hide.
The Cash Drawer Lock Box And SMB Security
Commentary  |  7/21/2010  | 
Since information security first sprouted into its own industry, the small business market has been the red-headed stepchild of the newfound art.
Semtek Announces PCI DSS De-scoping Of Major National Retailers
News  |  7/20/2010  | 
Deploying end-to-end encryption within large merchants' environments is considered the most difficult of all implementation use cases
Nonprofit Group Launches Open-Source IDS/IPS
Quick Hits  |  7/19/2010  | 
Suricata 1.0 will go head-to-head with popular Snort tool
Detection And Defense Of Windows Autorun Locations
Commentary  |  7/19/2010  | 
As an incident responder and forensic investigator, there's a truth we expect malware to always follow: Persistence is a must to survive. OK, exceptions exist. But the general rule of thumb is that malware seeks to persist, and it will hook itself into common areas on a victim Windows machine to do so.
SIEM Ain't DAM
Commentary  |  7/19/2010  | 
I've been getting questions about the difference between system information and event management (SIEM) and database activity monitoring (DAM) platforms. It's easy to get confused given their similarities in architecture. There's also a great deal of overlap in events that each collects and the way they handle information. Couple that with aggressive marketing claims, and it seems impossible to differentiate between the two platforms.
Single Trojan Accounted For More Than 10 Percent Of Malware Infections In First Half 2010
News  |  7/16/2010  | 
Top two threats both exploit the Windows Autorun feature, BitDefender study says
Certgate Unveils Security Solution For Mobile Devices
News  |  7/15/2010  | 
certgate Voice Encryptor resists spyware and malware attacks on mobile phones as well as 'man-in-the-middle' attacks
Patching And Risk Mitigation
Commentary  |  7/15/2010  | 
I followed an interesting discussion on a DBA chat board this week regarding whether to patch a database. The root issue for the DBA was that a minor vulnerability had been corrected by a recent patch release, but fear that a multipatch install process could fail halted the upgrade.
DEFCON: Bridging The Gap Between Hardware And Software Hacking
Commentary  |  7/14/2010  | 
I got into hardware hacking as a kid, but never quite stuck with it. Electronics weren't safe back then, and I often bridged that world with the physical to give my G.I. Joe something new to conquer. That interest has been renewed.
Friction-Free Security
Commentary  |  7/12/2010  | 
As security professionals, we want our network to be as secure as possible. The exception is if we're hired to break into it, but even then our job is to help secure the network to prevent future break-ins. The problem is that in securing our networks, it's easy to forget about the user and the "business."
Would 'Robin Sage' Have Made So Many Friends Without The Hot Pics?
Commentary  |  7/9/2010  | 
One of the intriguing and slightly disturbing aspects of the "Robin Sage" social network experiment is the role the phony profile's looks had in, well, attracting people. Men especially. There -- I said it.
Facebook And National Security: Two Cases
Commentary  |  7/9/2010  | 
Dark Reading's Kelly Jackson Higgins wrote about the fake Robin Sage account, which duped many in vetted circles to add "Robin" as a Facebook friend. Now from Israel comes a story of how soldiers from a secret IDF base created a Facebook group for it.
Virtual Machines For Fun, Profit, And Pwnage
Commentary  |  7/2/2010  | 
Virtualization has turned the IT world upside down. It is used everywhere these days, from desktops to servers and data centers to the "cloud." It has also presented itself as a double-edged sword to security professionals.
Is Google Stealing Our Digital Freedom?
Commentary  |  7/2/2010  | 
With the Fourth Of July here, it's a good time to focus on freedom. It seems that often when new technology and new ways of getting revenue advance in an industry, those who don't understand that technology are exploited by those who do. Google's model seems to increasingly fit this mold, and the example it is setting is driving others down the same path.