Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Vulnerabilities / Threats posted in January 2015
Google Paid Over $1.5 Million In Bug Bounties In 2014
Quick Hits  |  1/30/2015  | 
Mobile apps developed by Google now included in its Vulnerability Reward Program.
WiIl Millennials Be The Death Of Data Security?
Commentary  |  1/27/2015  | 
Millennials, notoriously promiscuous with data and devices, this year will become the largest generation in the workforce. Is your security team prepared?
NFL Mobile Sports App Contains Super Bowl-Sized Vulns
News  |  1/27/2015  | 
Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.
Gas Stations Urged To Secure Internet-Exposed Fuel Tank Devices
News  |  1/26/2015  | 
Researchers find more than 5,000 US gas stations' automated tank gauges unprotected on the public Internet and open to hackers.
Why Russia Hacks
Commentary  |  1/23/2015  | 
Conventional wisdom holds that Russia hacks primarily for financial gain. But equally credible is the belief that the Russians engage in cyberwarfare to further their geopolitical ambitions.
Diverse White Hat Community Leads To Diverse Vuln Disclosures
News  |  1/22/2015  | 
Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.
What Government Can (And Cant) Do About Cybersecurity
Commentary  |  1/22/2015  | 
In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.
President's Plan To Crack Down On Hacking Could Hurt Good Hackers
News  |  1/21/2015  | 
Security experts critical of President Obama's new proposed cybersecurity legislation.
Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit
Quick Hits  |  1/21/2015  | 
Researcher Kafeine's 0day discovery confirmed by Malwarebytes.
Facebook Messenger: Classically Bad AppSec
Commentary  |  1/21/2015  | 
Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.
Ransomware Leads Surge In 2014 Mobile Malware Onslaught
News  |  1/20/2015  | 
Mobile malware increases 75 percent in U.S.
New Technology Detects Cyberattacks By Their Power Consumption
News  |  1/20/2015  | 
Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.
Security MIA In Car Insurance Dongle
News  |  1/16/2015  | 
A researcher finds security holes in Flo the Progressive Girl's Snapshot insurance policy product.
The Truth About Malvertising
Commentary  |  1/16/2015  | 
Malvertising accounts for huge amounts of cyberfraud and identity theft. Yet there is still no consensus on who is responsible for addressing these threats.
Why North Korea Hacks
Commentary  |  1/15/2015  | 
The motivation behind Democratic Peoples Republic of Korea hacking is rooted in a mix of retribution, paranoia, and the immature behavior of an erratic leader.
Anatomy Of A 'Cyber-Physical' Attack
News  |  1/14/2015  | 
Inflicting major or physical harm in ICS/SCADA environments takes more than malware.
Majority Of Enterprises Finally Recognize Users As Endpoint's Weakest Vulnerability
News  |  1/14/2015  | 
The Ponemon State of the Endpoint report shows endpoint management continues to grow more difficult.
4 Mega-Vulnerabilities Hiding in Plain Sight
Commentary  |  1/14/2015  | 
How four recently discovered, high-impact vulnerabilities provided god mode access to 90% of the Internet for 15 years, and what that means for the future.
Insider Threats in the Cloud: 6 Harrowing Tales
Commentary  |  1/13/2015  | 
The cloud has vastly expanded the scope of rogue insiders. Read on to discover the latest threat actors and scenarios.
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
News  |  1/12/2015  | 
But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past year's high-profile hacks, experts say.
Insider Threat, Shadow IT Concerns Spur Cloud Security
News  |  1/12/2015  | 
Surveys show cloud tops 2015 priorities.
Microsoft Software Flaws Increase Sharply But Majority Affect IE
News  |  1/9/2015  | 
The number of reported flaws in core Windows components in 2014 were lower compared to the year before.
Chick-fil-A Breach: Avoiding 5 Common Security Mistakes
Commentary  |  1/9/2015  | 
On the surface these suggestions may seem simplistic. But almost every major retail breach in the last 12 months failed to incorporate at least one of them.
How NOT To Be The Next Sony: Defending Against Destructive Attacks
News  |  1/8/2015  | 
When an attacker wants nothing more than to bring ruin upon your business, you can't treat them like just any other criminal.
Banking Trojans Disguised As ICS/SCADA Software Infecting Plants
News  |  1/8/2015  | 
Researcher spots spike in traditional financial malware hitting ICS/SCADA networks -- posing as popular GE, Siemens, and Advantech HMI products.
Nation-State Cyberthreats: Why They Hack
Commentary  |  1/8/2015  | 
All nations are not created equal and, like individual hackers, each has a different motivation and capability.
Using Free Tools To Detect Attacks On ICS/SCADA Networks
News  |  1/8/2015  | 
ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations.
CryptoWall 2.0 Has Some New Tricks
Quick Hits  |  1/6/2015  | 
New ransomware variant uses TOR on command-and-control traffic and can execute 64-bit code from its 32-bit dropper.
Deconstructing The Sony Hack: What I Know From Inside The Military
Commentary  |  1/6/2015  | 
Don't get caught up in the guessing game on attribution. The critical task is to understand the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.
Threat Intelligence: Sink or Swim?
Partner Perspectives  |  1/6/2015  | 
The coming flood of threat-intelligence data from the Internet of Things and new classes of endpoints has organizations seriously evaluating their strategies.


News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...