Dark Reading is part of the Informa Tech Division of Informa PLC

Content tagged with Perimeter posted in August 2009
Snow Leopard's Toothless Trojan Defense
Commentary  |  8/31/2009  | 
Snow Leopard is the strongest business offering that Apple has ever fielded, but Apple remains in the dark ages when it comes to protection against malware and its unwillingness to work with third-party vendors to minimize the risk of bringing an Apple machine into a large business.
Lessons From The Credit Union Penetration-Test Debacle
Commentary  |  8/28/2009  | 
Determining who is "in the loop" during a penetration test is an important step not always properly planned during the beginning phases of an engagement. The recent media release from the National Credit Union Association (NCUA) provides an excellent example of what can go wrong.
Filtering Network Attacks With A 'Netflix' Method
News  |  8/28/2009  | 
University of California at Irvine researchers devise new model for blacklisting network attackers
Cybercriminals: Taking The Road Less Traveled
Commentary  |  8/27/2009  | 
If you were a criminal, what data would you be looking for? The most obvious answer is to look for the types of data that give you direct access to cash: bank accounts, brokerage accounts, credit cards. Like Willie Sutton, you'd go where the money is, right? And that's why some of the stiffest security defenses surround this sort of account data.
New IEEE Printer Security Standard Calls For Encryption, Authentication, Electronic 'Shredding'
News  |  8/26/2009  | 
Printers finally getting security attention, but locking them down depends on actual implementation, configuration, experts say
Attacking Customers, Employees With SQL Injection
Commentary  |  8/26/2009  | 
In the security world, providing "what-if" scenarios can be good, but real-world examples are often required to get people to sit up and listen.
Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh
Quick Hits  |  8/25/2009  | 
More than 80 percent are more active over the winter holidays, according to a newly released survey of hackers at Defcon17
When Mass SQL Injection Worms Evolve...Again
Commentary  |  8/24/2009  | 
In the past, I've described how mass SQL injection worms took the Web completely by storm. Two years ago, SQL injection attacks evolved from sentient, one-off, targeted data-stealing exploits, like in the breaches at Hannaford Brothers and Heartland, to fully automated, unauthenticated
Your Cloud Insurance Policy
Commentary  |  8/24/2009  | 
Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.
Rapid Triage To Stop The Data Bleed
Commentary  |  8/20/2009  | 
The SANS Internet Storm Center on Tuesday questioned whether an exploit was out in the wild for MS09-039 due to increased scanning for TCP port 42. That same afternoon, a notice went out to the EDUCAUSE Security mailing list with the subject: "CRITICAL: Active exploitation of MS09-039 in the EDU sector." It's not often we get to see a preauthentication attack against a Windows service like WINS that makes an easy jumping-off point to compromise an entire Microsoft Active Directory. Can you imagi
Why I Refuse to Update My Website Certificate
Commentary  |  8/20/2009  | 
Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.
Qualys Report Shows Disturbing Persistence Of Critical Vulns
Commentary  |  8/17/2009  | 
In my recent Tech Insight on vulnerability management, I covered a few of the major components for having a successful program to address vulnerabilities as they are disclosed by vendors and researchers. I've known for a while that patching desktop applications is lagging behind, but for some reason companies just aren't taking it seriously enough to resolve quickly -- even when confronted wit
Who Are These Followers And Followees of the Twitter Botnet?
Commentary  |  8/17/2009  | 
Social networks really do bring people together, don't they? Old friends. Long-lost relatives. Bots and bot-herders. Warms the heart.
Physical Penetration Testing Tells All
Commentary  |  8/14/2009  | 
Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the mo
Reclaiming The Email Channel
Commentary  |  8/14/2009  | 
Financial institutions and ecommerce sites use email as a marketing platform, training users to trust email -- essentially blazing a trail for the phishers.
Specialization Inevitable In Infosec
Commentary  |  8/13/2009  | 
Specialization in the information security field is key. Plenty of blogs have been written during the past few months with infosec career advice, but none has hit the nail on the head like two recent posts from Richard Bejtlich and Anton Chuvakin.
It's Time To Integrate Physical And Virtual Security
Commentary  |  8/13/2009  | 
With examples of employee theft and the increasing threat of damage to systems by disgruntled ex-employees, it's time to consider presence-linked policies and implementing the Trusted Computing Group's new Trusted Network Connect (TNC) standard. We have the technology to better support our financial and intellectual property -- and in these hard times, we need to step up and do just that.
Denial-Of-Service Attacks Hard To Kill
News  |  8/10/2009  | 
While tweets went silent last week, hundreds of other DDoS attacks were under way around the globe -- and several more powerful ones
Social Zombies Out For Your Network, Not Brains
Commentary  |  8/10/2009  | 
Last week, I took a shot at the Marines for banning social networks without waiting for the Pentagon to finish looking into the threats posed by members of our armed forces using sites like Facebook and Twitter.
Lockpicking And The Internet
Commentary  |  8/10/2009  | 
Physical locks aren't very good. They keep the honest out, but any burglar worth his salt can pick the common door lock pretty quickly. It used to be that most people didn't know this. Sure, we all watched television criminals and private detectives pick locks with an ease only found on television and thought it realistic, but somehow we still held onto the belief that our own locks kept us safe from intruders. The Internet changed that.
Big Names, Big Blogs
Commentary  |  8/10/2009  | 
The Dark Reading blog section continues to add new voices from some of the top security researchers and experts in the industry.
SecurityBSides: The Best-Kept Vegas Secret
Commentary  |  8/6/2009  | 
Getting to SecurityBSides made me think of all the Vegas movies where a casino boss takes a cheater out into the desert and buries him in the sand.
Marines Jump The Gun On Social Networking
Commentary  |  8/5/2009  | 
Being on the front line of IT security often feels like the equivalent of holding a hammer during a game of Whack-A-Mole. One day it's a client-side vulnerability in Adobe Acrobat, and the next, it's an unsubstantiated vulnerability in OpenSSH. At the end of the day, we're just trying to find that balance between usability, productivity, and security. That's why the news that the U.S. Marines are banning social networking sites completely makes me think they're jumping the gun.
The Seedy Side Of Hacking
Commentary  |  8/5/2009  | 
The running joke among seasoned Defcon attendees in Las Vegas every year is to steer clear of ATM machines at the Riviera Hotel, where hackers have been known to place a booby-trapped ATM to prove their point that nothing is sacred when hackers are in the house (or worse). Then there's the Wall of Sheep "contest" at both Black Hat USA and Defcon to see who's either clueless or bold enough to jump onto the unsecured WiFi network at the shows. When they do, they get the dubious honor of getting their
'FOCA' And The Power Of Metadata Analysis
Commentary  |  8/3/2009  | 
Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.
Compliance Pressures Fuel Adoption Of Firewall Auditing Tools
News  |  8/3/2009  | 
PCI, staffing cuts are driving organizations to rein in their firewall policies and change processes with automation tools
Security Vendors That Spam
Commentary  |  8/3/2009  | 
Every time a security vendor sends spam, an angel's wings get clipped.