Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Commentary

Content posted in October 2018
How the Power of Quantum Can Be Used Against Us
Commentary  |  10/31/2018  | 
There has been a palpable shift from volumetric attacks to "quantum attacks," and they look to be one of the biggest cybersecurity challenges on the rise today.
Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk
Commentary  |  10/31/2018  | 
Halloween movies are the perfect metaphor for breaking down today's scariest supplier breach tropes.
The Case for MarDevSecOps
Commentary  |  10/30/2018  | 
Why security must lead the integration of marketing into the collaborative security and development model in the cloud.
10 Steps for Creating Strong Customer Authentication
Commentary  |  10/30/2018  | 
Between usability goals and security/regulatory pressures, setting up customer-facing security is difficult. These steps and best practices can help.
AppSec Is Dead, but Software Security Is Alive & Well
Commentary  |  10/29/2018  | 
Application security must be re-envisioned to support software security. It's time to shake up your processes.
3 Keys to Reducing the Threat of Ransomware
Commentary  |  10/26/2018  | 
Following these steps could mean the difference between an inconvenience and a multimillion-dollar IT system rebuild -- for the public and private sectors alike.
Securing Serverless: Attacking an AWS Account via a Lambda Function
Commentary  |  10/25/2018  | 
Its not every day that someone lets you freely wreak havoc on their account just to find out what happens when you do.
Securing Severless: Defend or Attack?
Commentary  |  10/25/2018  | 
The best way to protect your cloud infrastructure is to pay attention to the fundamentals of application security, identity access management roles, and follow configuration best-practices.
Tackling Supply Chain Threats
Commentary  |  10/24/2018  | 
Vendor-supplied malware is a threat that has been largely overlooked. That has to change.
Benefits of DNS Service Locality
Commentary  |  10/24/2018  | 
Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect applications, services, and users from potential risks.
The Browser Is the New Endpoint
Commentary  |  10/23/2018  | 
Given the role browsers play in accessing enterprise applications and information, it's time to rethink how we classify, manage, and secure them.
Good Times in Security Come When You Least Expect Them
Commentary  |  10/23/2018  | 
Not every cybersecurity endeavor can have a huge impact. But a small percentage of your efforts can still produce results that blow you away.
Understanding SOCs' 4 Top Deficiencies
Commentary  |  10/22/2018  | 
In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.
Risky Business: Dark Reading Caption Contest Winners
Commentary  |  10/19/2018  | 
Phishing, anti-shoulder surfing, Russia and other hysterical identity management puns and comments. And the winners are ...
Audits: The Missing Layer in Cybersecurity
Commentary  |  10/18/2018  | 
Involving the audit team ensures that technology solutions are not just sitting on the shelf or being underutilized to strategically address security risks.
Getting Up to Speed with "Always-On SSL"
Commentary  |  10/18/2018  | 
Websites can avoid the negative consequences of a "not secure" label from Google Chrome 68 by following four AOSSL best practices.
Cybercrime-as-a-Service: No End in Sight
Commentary  |  10/17/2018  | 
Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.
The Three Dimensions of the Threat Intelligence Scale Problem
Commentary  |  10/17/2018  | 
To succeed, organizations must be empowered to reduce their attack surface and staff overload so they can get more out of their existing firewall and threat intelligence investments.
A Cybersecurity Weak Link: Linux and IoT
Commentary  |  10/16/2018  | 
Linux powers many of the IoT devices on which we've come to rely -- something that enterprises must address.
Spies Among Us: Tracking, IoT & the Truly Inside Threat
Commentary  |  10/16/2018  | 
In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.
4 Ways to Fight the Email Security Threat
Commentary  |  10/15/2018  | 
It's time to reimagine employee training with fresh, more aggressive approaches that better treat email security as a fundamentally human problem.
Threat Hunters & Security Analysts: A Dynamic Duo
Commentary  |  10/12/2018  | 
Fighting spying with spying, threat hunters bring the proactive mindset of network reconnaissance and repair to the enterprise security team.
Not All Multifactor Authentication Is Created Equal
Commentary  |  10/11/2018  | 
Users should be aware of the strengths and weaknesses of the various MFA methods.
The Better Way: Threat Analysis & IIoT Security
Commentary  |  10/11/2018  | 
Threat analysis offers a more nuanced and multidimensional approach than go/no-go patching in the Industrial Internet of Things. But first, vendors must agree on how they report and address vulnerabilities.
Security Researchers Struggle with Bot Management Programs
Commentary  |  10/10/2018  | 
Bots are a known problem, but researchers will tell you that bot defenses create problems of their own when it comes to valuable data.
Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch
Commentary  |  10/9/2018  | 
By ensuring that each layer of protection scours an application for unintended uses, you can find the flaws before the bad guys do.
New Domains: A Wide-Open Playing Field for Cybercrime
Commentary  |  10/9/2018  | 
As bad actors increasingly exploit new domains for financial gain and other nefarious purposes, security teams need to employ policies and practices to neutralize the threat in real time. Here's why and how.
Who Do You Trust? Parsing the Issues of Privacy, Transparency & Control
Commentary  |  10/5/2018  | 
Technology such as Apple's device trust score that decides "you" is not you is a good thing. But only if it works well.
GDPR Report Card: Some Early Gains but More Work Ahead
Commentary  |  10/4/2018  | 
US companies paid the most, to date, to meet the EU's General Data Protection Regulation, according to a recent study, but UK companies made greater progress in achieving compliance goals.
Putting Security on Par with DevOps
Commentary  |  10/3/2018  | 
Inside the cloud, innovation and automation shouldn't take a toll on protection.
Stop Saying 'Digital Pearl Harbor'
Commentary  |  10/2/2018  | 
Yes, there are serious dangers posed by malevolent nation-states. But the hype is distracting us from the reality of the threats.
CISOs: How to Answer the 5 Questions Boards Will Ask You
Commentary  |  10/2/2018  | 
As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.
The Right Diagnosis: A Cybersecurity Perspective
Commentary  |  10/1/2018  | 
A healthy body and a healthy security organization have a lot more in common than most people think.


Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19794
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVE-2019-19795
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
CVE-2019-19796
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
CVE-2019-5253
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
CVE-2019-5260
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...