News & Commentary

Latest Content tagged with Vulnerability Management
Page 1 / 2   >   >>
Advanced Deception: How It Works & Why Attackers Hate It
Commentary  |  12/18/2017  | 
While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.
What Slugs in a Garden Can Teach Us About Security
Commentary  |  12/8/2017  | 
Design principles observed in nature serve as a valuable model to improve organizations' security approaches.
Rutkowska: Trust Makes Us Vulnerable
News  |  12/7/2017  | 
Offensive security researcher Joanna Rutkowska explains why trust in technology can put users at risk.
6 Personality Profiles of White-Hat Hackers
Slideshows  |  12/5/2017  | 
From making the Internet safer to promoting their security careers, bug bounty hunters have a broad range of motivators for hacking most just like the challenge.
Deception: Why It's Not Just Another Honeypot
Commentary  |  12/1/2017  | 
The technology has made huge strides in evolving from limited, static capabilities to adaptive, machine learning deception.
The Critical Difference Between Vulnerabilities Equities & Threat Equities
Commentary  |  11/30/2017  | 
Why the government has an obligation to share its knowledge of flaws in software and hardware to strengthen digital infrastructure in the face of growing cyberthreats.
8 Low or No-Cost Sources of Threat Intelligence
Slideshows  |  11/27/2017  | 
Heres a list of sites that for little or no cost give you plenty of ideas for where to find first-rate threat intelligence.
Frequent Software Releases, Updates May Injure App Security
News  |  11/13/2017  | 
The more frequently you release apps, the more security vulnerabilities you are likely to introduce in the code, a new study confirms.
6 Steps for Sharing Threat Intelligence
Slideshows  |  11/10/2017  | 
Industry experts offer specific reasons to share threat information, why it's important - and how to get started.
Siemens Teams Up with Tenable
News  |  11/8/2017  | 
ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.
Inmarsat Disputes IOActive Reports of Critical Flaws in Ship SATCOM
News  |  10/26/2017  | 
Satellite communications provider says security firm's narrative about vulnerabilities in its AmosConnect 8 shipboard email service is overblown.
Why Patching Software Is Hard: Organizational Challenges
Commentary  |  10/25/2017  | 
The Equifax breach shows how large companies can stumble when it comes to patching. Organizational problems can prevent best practices from being enforced.
Why Patching Software Is Hard: Technical Challenges
Commentary  |  10/24/2017  | 
Huge companies like Equifax can stumble over basic technical issues. Here's why.
The Week in Crypto: Bad News for SSH, WPA2, RSA & Privacy
News  |  10/20/2017  | 
Between KRACK, ROCA, new threats to SSH keys, and the European Commission's loosey-goosey stance on encryption backdoors, it's been a difficult time for cryptography.
Oracle Fixes 20 Remotely Exploitable Java SE Vulns
News  |  10/18/2017  | 
Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches 'without delay.'
Reuters: Microsoft's 2013 Breach Hit Bug Repository, Insiders Say
Quick Hits  |  10/17/2017  | 
Five anonymous former Microsoft employees tell Reuters that Microsoft's database of internally discovered vulnerabilities was compromised in 2013, but Microsoft will not confirm it occurred.
Private, Public, or Hybrid? Finding the Right Fit in a Bug Bounty Program
Commentary  |  10/5/2017  | 
How can a bug bounty not be a bug bounty? There are several reasons. Here's why you need to understand the differences.
Security's #1 Problem: Economic Incentives
Commentary  |  9/25/2017  | 
The industry rewards cutting corners rather than making software safe. Case in point: the Equifax breach.
SecureAuth to Merge with Core Security
News  |  9/20/2017  | 
K1 Investment Management, which owns Core Security, plans to acquire the identity management and authentication company for more than $200 million.
The 'Team of Teams' Model for Cybersecurity
Commentary  |  9/12/2017  | 
Security leaders can learn some valuable lessons from a real-life military model.
How to Use Purple Teaming for Smarter SOCs
How to Use Purple Teaming for Smarter SOCs
Dark Reading Videos  |  9/7/2017  | 
Justin Harvey explains why the standard blue team vs. red team can be improved upon, and provides tips on doing purple teaming right.
Is Your Organization Merely PCI-Compliant or Is It Actually Secure?
Commentary  |  9/6/2017  | 
The Host Identity Protocol might be the answer to inadequate check-the-box security standards.
Using Market Pressures to Improve Cybersecurity
Using Market Pressures to Improve Cybersecurity
Dark Reading Videos  |  8/31/2017  | 
Post-MedSec, Chris Wysopal discusses what impact the investor community -- if not consumers -- can have on squashing vulnerabilities and improving cybersecurity.
St. Jude Pacemaker Gets Firmware Update 'Intended as a Recall'
News  |  8/30/2017  | 
The devices that were the subject of a vulnerability disclosure debate last summer now have an FDA-approved fix.
New York's Historic FinSec Regulation Covers DDoS, Not Just Data
News  |  8/28/2017  | 
Starting today, New York banks and insurers must report to authorities within 72 hours on any security event that has a 'reasonable likelihood' of causing material harm to normal operations.
The Changing Face & Reach of Bug Bounties
Commentary  |  8/23/2017  | 
HackerOne CEO Mrten Mickos reflects on the impact of vulnerability disclosure on today's security landscape and leadership.
How Bad Teachers Ruin Good Machine Learning
How Bad Teachers Ruin Good Machine Learning
Dark Reading Videos  |  8/18/2017  | 
Sophos data scientist Hillary Sanders explains how security suffers when good machine learning models are trained on bad testing data.
DoJ Launches Framework for Vulnerability Disclosure Programs
Quick Hits  |  8/3/2017  | 
The Department of Justice releases a set of guidelines to help businesses create programs for releasing vulnerabilities.
Facebook Offers $1 Million for New Security Defenses
News  |  7/26/2017  | 
The social media giant has increased the size of its Internet Defense Prize program in order to spur more research into ways to defend users against the more prevalent and common methods of attack.
Using DevOps to Move Faster than Attackers
News  |  7/20/2017  | 
Black Hat USA talk will discuss the practicalities of adjusting appsec tooling and practices in the age of DevOps.
Cloud AV Can Serve as an Avenue for Exfiltration
News  |  7/14/2017  | 
Black Hat USA researchers show how bad guys can use cloud AV connections to bypass air-gaps and extremely segmented networks to keep stolen data flowing.
New SQL Injection Tool Makes Attacks Possible from a Smartphone
News  |  7/12/2017  | 
Recorded Future finds new hacking tool that's cheap and convenient to carry out that old standby attack, SQL injection.
Microsoft Patches Critical Zero-Day Flaw in Windows Security Protocol
News  |  7/11/2017  | 
Researchers at Preempt uncovered two critical vulnerabilities in the Windows NTLM security protocols, one of which Microsoft patched today.
How Code Vulnerabilities Can Lead to Bad Accidents
Commentary  |  7/10/2017  | 
The software supply chain is broken. To prevent hackers from exploiting vulnerabilities, organizations need to know where their applications are, and whether they are built using trustworthy components.
No-Name Security Incidents Caused as Many Tears as WannaCry, Pros Say
Quick Hits  |  6/27/2017  | 
Half of security pros say they've worked just as frantically this year to fix other incidents that the public never heard about.
The Folly of Vulnerability & Patch Management for ICS Networks
Commentary  |  6/21/2017  | 
Yes, such efforts matter. But depending on them can give a false sense of security.
Major Websites Vulnerable to their Own Back-End Servers
News  |  6/19/2017  | 
DoD, other websites found with back-end server flaws and misconfigurations that could give attackers an entryway to internal networks, researcher will demonstrate at Black Hat USA next month.
Survey: 58% of Security and Development Teams Play Nice
Quick Hits  |  6/14/2017  | 
Despite frequent talk of tension between software development and security teams, it turns out more than half of organizations surveyed have these two groups collaborating.
Your Information Isn't Being Hacked, It's Being Neglected
Commentary  |  6/9/2017  | 
To stop customer information from being compromised, we must shore up the most vulnerable parts first, the day-to-day IT operations work that builds, configures, and changes systems.
Security & Development: Better Together
Commentary  |  6/1/2017  | 
How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.
DNS Is Still the Achilles Heel of the Internet
Partner Perspectives  |  6/1/2017  | 
Domain Name Services is too important to do without, so we better make sure its reliable and incorruptible
4 Reasons the Vulnerability Disclosure Process Stalls
Commentary  |  5/24/2017  | 
The relationship between manufacturers and researchers is often strained. Here's why, along with some resources to help.
Microsoft Releases Emergency Patch For RCE Vuln
News  |  5/9/2017  | 
Flaw in Microsoft Malware Protection Engine called 'crazy bad' by researchers who discovered it.
Cybersecurity & Fitness: Weekend Warriors Need Not Apply
Commentary  |  4/12/2017  | 
It takes consistency and a repeatable but flexible approach to achieve sustainable, measurable gains in both disciplines.
How Innovative Companies Lock Down Data
Commentary  |  4/12/2017  | 
A mix of back-to-basics security and a set of new, data-centric best practices is key to defending against a future of growing and sophisticated cyberattacks.
Forget the Tax Man: Time for a DNS Security Audit
Slideshows  |  4/11/2017  | 
Here's a 5-step DNS security review process that's not too scary and will help ensure your site availability and improve user experience.
FCC Privacy Rule Repeal Will Have Widespread Security Implications
News  |  4/4/2017  | 
Concerns over the action are sending VPN sales soaring, some vendors say.
Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0
Quick Hits  |  3/30/2017  | 
Microsoft recommends upgrade to latest operating system for more protection.
7 Steps to Transforming Yourself into a DevSecOps Rockstar
Slideshows  |  3/23/2017  | 
Security practitioners at one education software firm offer lessons learned from merging DevOps with security.
Cisco Issues Advisory on Flaw in Hundreds of Switches
Quick Hits  |  3/21/2017  | 
Vulnerability was discovered in WikiLeaks recent data dump on CIAs secret cyber-offensive unit.
Page 1 / 2   >   >>


BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Cloud Security's Changing Landscape
[Strategic Security Report] Cloud Security's Changing Landscape
Cloud services are increasingly becoming the platform for mission-critical apps and data. Heres how enterprises are adapting their security strategies!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.