
News & Commentary

Content tagged with Perimeter posted in September 2009
Which Botnet Is Worst? Report Offers New Perspective On Spam Growth
News  |  9/30/2009  | 
Rustock might be biggest, but Grum is worst offender, MessageLabs study says
Password-Stealing Malware Spikes
Commentary  |  9/30/2009  | 
McAfee's recent report on malware has staggering numbers that are simply hard to believe, yet because I've been battling daily the very bots, Trojans, and scareware the researchers are talking about, I can't help but agree.
Stupid IRS Spam
Commentary  |  9/30/2009  | 
I believe that anyone who uses the Internet on a regular basis has to know that most e-mail messages are spam, and possibly part of a fraud scheme. I also realize that some people are more aware than others, and that some criminals are clever. But the current spread of an email message that claims to be from the IRS accusing a person of fraud demonstrates the naivete that runs deep on the Internet.
Dutch ISPs Sign Anti-Botnet Treaty
Commentary  |  9/29/2009  | 
Netherlands ISPs last month launched a joint effort to fight malware-infected computers and botnets -- fondly described by locals as a "treaty."
Metasploit Adds Exploit For Unpatched Windows SMBv2 Bug
Commentary  |  9/28/2009  | 
The upcoming stable release of Metasploit Framework version 3.3 is brimming with awesome new features that will make a lot of penetration testers happy. New features include the ability to take screenshots of exploited systems, while others add raw power, like being able to exploit the unpatched SMBv2 vulnerability in Windows Vista and Server 2008.
New NIST Report Sheds Some Light On Security Of The Smart Grid
News  |  9/28/2009  | 
First draft of Cyber Security Coordination Task Group report released
Nature Versus Hacker: Digital 'Ants' Swarm Malware In Research Project
Quick Hits  |  9/28/2009  | 
Method mimics how ants in nature fight threats en masse, digital ants successfully spot computer worm
BeEF: XSS Vuln To Hack In Less Than 20 Characters
Commentary  |  9/25/2009  | 
As I'm finishing another successful Web application penetration test, I'm kicking myself for not noticing a new release of one of my all-time favorite Web hacking tools, the Browser Exploitation Framework (BeEF). BeEF is a fantastic tool for getting across to developers and Web admins the seriousness of vulnerabilities like cross-site scripting (XSS).
Debit Or Credit? Neither
Commentary  |  9/24/2009  | 
I stopped using my debit card altogether a couple of years ago out of an intense fear that I would never recoup the losses if my card were skimmed in the grocery-store line or compromised at TJ Maxx. Now I casually slide my checkbook onto the card reader stand and perform that rare act of putting pen to paper while trying to avoid the annoyed stares of shoppers behind me in line who may lose a few seconds off of their shopping time because I didn't use plastic.
Scareware And Bots Require Layered Defenses
Commentary  |  9/23/2009  | 
Defense in depth is not a new idea in security, but the importance of taking a layered approach is more important than ever. The current rise in infections by bots and scareware, along with recent reports on anti-malware endpoint protection, demonstrate how we need to be doing more at every layer.
DoD Preparing To Lift USB Ban
Quick Hits  |  9/22/2009  | 
'Authorized' users and only DoD-approved, DoD-purchased thumb drives and other USB devices will be allowed
New Service Certifies Security Of Printers, Copiers, Other Networked Devices
Quick Hits  |  9/21/2009  | 
ICSA offers security testing, assessment of nonmainstream devices, such as surveillance cameras and digital signs
SANS Honeypot Shows Prevalence Of Web Attacks
Commentary  |  9/21/2009  | 
The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.
A Trick For Defending WordPress, Other Apps
Commentary  |  9/17/2009  | 
There's a little trick -- or basic security measure -- you can use to help protect your WordPress blog and other Web applications against the never-ending bombardment of new vulnerabilities and exploits.
Anatomy Of A Client-Side Attack Using Metasploit
Commentary  |  9/16/2009  | 
A new report from the SANS Institute sheds light on some important attack trends that security professionals need to take action on immediately.
Smart Card Alliance: End-To-End Encryption Won't Stop Credit-Card Fraud
Quick Hits  |  9/15/2009  | 
Industry association proposes contactless chip cards, says end-to-end encryption isn't enough
NY Times Website Infected With Fake Antivirus
Commentary  |  9/15/2009  | 
The New York Times Website became the victim of a malicious Internet-based advertisement over the weekend. Users of certain sections of NYTimes.com encountered notifications that they were infected with malware and needed to install the antivirus software linked from the notification. And if you've dealt with a user, friend, or family member who's fallen for this sort of ruse, then you know the AV software is really just malware posing as AV.
Hacking A Board Meeting
Commentary  |  9/14/2009  | 
A client recently asked us to gain access to its facility and attend a meeting of the board and executive management. Here at Secure Network we've been asked to gain access to numerous networks via social engineering techniques, but this job seemed rather unachievable at first. Turns out it was easier than we expected.
All Forensic Investigators Are Not Created Equal
Commentary  |  9/11/2009  | 
I've always had a predilection toward incident response and forensics. For some reason, I just like digging through a compromised system, network flow data, and unknown binaries to figure out what happened -- it gives me a rush.
Blacklisting For Extra Mail Server Security
Commentary  |  9/10/2009  | 
Many mail systems around the world use Internet blacklists, lists of IP addresses that are most likely compromised by bots, to block or otherwise filter email. However, these lists can sometimes be used beyond the blacklist's design intent for increased security, but only after careful consideration.
Why Social Engineers Need Training
Commentary  |  9/10/2009  | 
Many security professionals who think they know anything about penetration testing also think they know enough to perform social engineering. After all, they are successful time and time again, so they think they know what they are doing. However, what follows is a textbook example of how a little knowledge in the wrong hands can be very dangerous.
DuPont Alleges Second Insider Breach In Two Years
News  |  9/9/2009  | 
Chemical giant claims former employee was headed to China with company secrets
Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack
News  |  9/9/2009  | 
Long-awaited security updates finally arrive for attacks targeting TCP, but still more to come
Windows XP, 2000 Left Patchless Against DoS Attacks
Commentary  |  9/9/2009  | 
I think most people would agree that Windows Millennium Edition (ME) was the bastard child Microsoft wanted to turn its back on. After yesterday's Patch Tuesday, I'm starting to think Windows XP and Windows 2000 have joined the ME ranks.
The Story Of A Girl I Met Online
Commentary  |  9/7/2009  | 
I have met many people online during the past two decades, and I have many stories to tell. The latest is about a girl who decided I was her future husband.
Hosting Kevin Mitnick
Commentary  |  9/4/2009  | 
It's not easy being Kevin Mitnick: The reformed black hat hacker may sue AT&T after it kicked him off its wireless network, and his Web hosting provider dropped him after his Website suffered a nasty hack last month. Seems he has become too big a target for some network and hosting providers.
Scenario-Based Incident Response Questionnaires
Commentary  |  9/2/2009  | 
I was talking with someone about incident handling, and one of the points that came up was whether some standard sort of incident response questionnaire existed.
Automated Vulnerability Assessment In 2010
Commentary  |  9/2/2009  | 
Vulnerability assessment is a relatively older technology in the information security professional's arsenal -- so does it still make sense to use it as you plan your security strategy for the coming year?
How Much Would You Pay To Never Have To Store PII?
Commentary  |  9/2/2009  | 
Imagine a world in which you can do all manner of smooth, rich, user-friendly online commerce with mighty security. You can have complete faith in the validity of customers' login credentials and payment data (thereby reducing fraud costs, for starters). You can protect users' privacy...and never need to worry about securely storing -- or even seeing -- customers' credit card data or other legally protected personally identifiable information. Wait 12 to 18 months, and you might just have that.