Content tagged with Perimeter posted in August 2010
Could USB Flash Drives Be Your Enterprise's Weakest Link?
News  |  8/31/2010  | 
The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?
The Essentials Of Database Assessment
Commentary  |  8/30/2010  | 
The three fundamental database security operational practices are refining access control, database configuration settings, and patching. And by "operational" I mean you do them over and over to make sure they are right.
Enterprise Data Continues To Leak, Study Says
Quick Hits  |  8/30/2010  | 
More than one third of companies have experienced the loss of sensitive data in the last year
Make Security About Security, Not Compliance
Commentary  |  8/30/2010  | 
The lack of follow-through and belief in any type of lifecycle for security is one that really bothers me when working with clients who are looking only to meet the minimum compliance requirements.
Are We Missing the Point?
Commentary  |  8/29/2010  | 
Recently there has been a lot of talk about nuclear weapons, terrorism, and peace treaties. At the end of the day, the question remains: how do we protect a country and its citizens from attack? If that is really the purpose of the summits and the meetings, why isn't cybersecurity part of the discussion -- more importantly, the insider threat?
The Case For Zero-Day Penetration Testing
Commentary  |  8/26/2010  | 
Penetration testing is a tightrope act where you balance existing knowledge with a mixture of freshly released- and zero-day knowledge. As a penetration tester, I often hear the argument that zero-day attacks do not belong in a test, that there is no time to prepare for them, so of course the target will be compromised. But I have the exact opposite philosophy: zero-day testing should occur to gauge an organization's response to such an attack. If mitigating controls are in place, an unknown att
DNSSEC Will Drive Certificate Market
News  |  8/24/2010  | 
While DNSSEC will improve domain authentication, certificates are still needed to verify the brand
Choosing The Right Firewall For Your Small Business
Commentary  |  8/21/2010  | 
After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.
Tech Insight: Using Network Segmentation And Access Control To Isolate Attacks
News  |  8/20/2010  | 
The right network design can protect against hidden threats from embedded systems and rogue access points
Intel Buys McAfee: Is The PC Security Model Dead?
Commentary  |  8/20/2010  | 
When it comes to emerging platforms like smartphones, tablets, and embedded networked systems, the old model of separate antivirus security companies is officially dead. And Intel's purchase of McAfee puts a stake in it.
Embedded Systems Can Mean Embedded Vulnerabilities
Commentary  |  8/18/2010  | 
I'll admit that I've been having a lot of fun with the VxWorks vulnerabilities lately, but it's important to step back and look at our networks to see what other devices could be sitting there waiting to be the next harbingers of doom.
Database Threat Modeling And Strip Poker
Commentary  |  8/17/2010  | 
Threat modeling used to be an arcane process handed down from one security expert to another. But it's the single most valuable skill I have learned in security. It involves looking at every system interface or function and trying to find different ways to break it.
Advanced Persistent Threat: The Insider Threat
Commentary  |  8/16/2010  | 
APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerability these threats compromise is the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.
Gaining A Foothold By Exploiting VxWorks Vulns
Commentary  |  8/13/2010  | 
The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.
Girl Quits Job! Oh, What A Meme
Commentary  |  8/11/2010  | 
Who hasn't yet seen the "Girl quits her job on dry erase board, emails entire office" meme? It hit the Net like a hurricane, and I liked it immediately. In fact, fake or not -- I still do. What can we learn from it?
Protecting Your Network From The Unpatchable
Commentary  |  8/10/2010  | 
When I first saw the F-Secure blog post on installing Microsoft's fix for the LNK vulnerability on a Windows XP SP2 host, I couldn't help but ask, "Why?" Seriously. Why would anyone running a Windows XP host not be running with the latest service pack and security updates? And then it hit me.
Athena Rolls Out Firewall Configuration Debugger
News  |  8/10/2010  | 
Offers offline troubleshooting for service availability issues
How To Protect Oracle Database Vault
Commentary  |  8/9/2010  | 
In Esteban Martinez Fayo's "Hacking and Protecting Oracle Database Vault" session at Black Hat USA in Las Vegas a couple of weeks ago, he used several exploit methods that could be used to disable Oracle Database Vault. Each exploit provided an avenue by which he could hack the database. With each exploit he performed the same hack: rename the dynamically linked library that implemented all of Oracle Database Vault's functions.
What To Do When Your Database Gets Breached
News  |  8/9/2010  | 
It has happened: Your data is compromised. What should you do now? A new report offers some answers
How RIM Could Fail
Commentary  |  8/9/2010  | 
Of the handset choices that are sold broadly on the market, the BlackBerry platform is the most inherently secure. To appeal to the business market it targets, it had to be better than any other handset or mobile solutions vendor. But with Saudi Arabia blocking the service and other countries expected to follow -- coupled with mistakes on its new flagship Blackberry Torch -- RIM could be on the brink of a Palm-like failure.
Yet Another Facebook Malware Evolution
Commentary  |  8/9/2010  | 
Every once in a while I like to discuss the strategic view and how different players affect each other in the realm of cybercrime. This post is about the latest evolutionary development in the fight -- with Facebook malware.
Flawed Deployments Undermine Kerberos Security
News  |  8/8/2010  | 
Sure, you have Kerberos, but are you secure? Researchers find practical problems that can weaken secure authentication
Dark Reading Launches New Tech Center On Authentication
Commentary  |  8/8/2010  | 
Today Dark Reading launches a new feature: the Authentication Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of authentication and certification of end user access.
Data Visualization For Faster, More Effective Pen Testing
Commentary  |  8/5/2010  | 
"Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage" was the last discussion I attended at Defcon. It was a fun talk that demonstrated interesting applications from visualization tools, like Maltego and Google Maps, to track information available through Twitter and Facebook.
EEMBC Undertakes Design Of Industry-Standard Network Security Performance Benchmarks
News  |  8/4/2010  | 
Industry lacks common method to test and validate DPI throughput for network security products
Cloud-Based Denial Of Service Attacks Looming, Researchers Say
News  |  8/4/2010  | 
Two consultants use a handful of virtual servers in Amazon's EC2 cloud to take down an SMB's network
CipherOptics Simplifies PCI Compliance Over Public Networks And Internet
News  |  8/3/2010  | 
CipherOptics’ Virtual IP technology allows customers to secure PCI regulated data over public and private networks simultaneously
Using The 36 Stratagems For Social Engineering
Commentary  |  8/3/2010  | 
I attended several great presentations during last week's BSides and Defcon. HD's VxWorks, egyp7's phpterpreter, and David Kennedy's SET talks were a few of my favorites, with great content and demos, but one that I found especially refreshing and fun was Jayson Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering."
VxWorks Vulnerability Tools Released
Commentary  |  8/2/2010  | 
If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and Metasploit chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21238
PUBLISHED: 2021-01-21
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping bec...
CVE-2021-21239
PUBLISHED: 2021-01-21
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ...
CVE-2021-21253
PUBLISHED: 2021-01-21
OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attacker...
CVE-2020-4966
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the...
CVE-2020-4968
PUBLISHED: 2021-01-21
IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192427.