Dark Reading is part of the Informa Tech Division of Informa PLC


Commentary

Content posted in September 2010
In Software We (Can't) Trust
Commentary  |  9/30/2010  | 
I can't think of more than a few attacks in the past decade that involved stolen certificates as part of the malware or exploit code. However, recent attacks and new research highlight the increasing danger of trusting signed digital certificates.
User Authentication In E-Commerce
Commentary  |  9/29/2010  | 
When we designed SSL to enable e-commerce on the Web, we had to solve two issues. One was the Web's openness -- the fact that anybody can read anything -- and the other was how parties might authenticate with one another.
Ready For Primary Cloud Storage?
Commentary  |  9/29/2010  | 
Cloud storage has moved out of experimental mode and into some form of production for many organizations. To date, most of the use cases are either backing up data to the cloud or archiving data to the cloud. Now, though, the move is on to leverage the cloud for primary data storage. If successful, it could change the way many businesses buy storage.
Google To Warn Admins Of Malware Infestations
Commentary  |  9/29/2010  | 
It's been made very clear that one of the greatest threats to Web safety is reputable Web sites getting nailed with malware, and their webmasters don't even know it. That malware then infects users, who are also unaware that they've been pwned. This week, Google is taking steps to try to turn that tide.
Why The Insider Threat Is Ignored
Commentary  |  9/28/2010  | 
The insider threat is complicated, and most organizations do not fully understand the magnitude of the problem. There are three main reasons why the insider threat has been ignored: Organizations do not know it's happening, it's easy for organizations to be in denial, and organizations fear bad publicity.
Government Puts The Hurt On The Internet
Commentary  |  9/28/2010  | 
There are a lot of problems facing the Internet and technology today, from major security flaws to increasing infrastructure demands. But by far the biggest threats are the regular attempts by government and special interests to control the Internet and technology, attempts that would usually end up causing severe damage.
Top Excuses For Foregoing Security Monitoring, Logging
Commentary  |  9/28/2010  | 
Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze.
Integrating The SSD Appliance
Commentary  |  9/27/2010  | 
The SSD Appliance, or Memory Array, is a storage system designed from the ground up to be used only with solid state storage. Such systems are often focused on storage I/O performance and solid state integrity more than on providing storage services like snapshots or replication. In this entry we will look at when it makes sense to use these products instead of adding SSD to an existing storage system or going all out and buying a new solid state storage system.
Stuxnet Pwned Iran. Are We Next?
Commentary  |  9/27/2010  | 
For the past few weeks rumors had run rampant about the purported targets of the Stuxnet worm. One of those rumors was that the worm was targeting Iran's controversial nuclear sites. Now, according to news reports that hit yesterday, those rumors may very well be right. There's a warning in all of this for the United States.
Five Main Causes Of SMB Security Incidents
Commentary  |  9/27/2010  | 
Like you, I have read many articles covering small business security, the authors of which have made up various lists of "top X threats" or "this year's biggest vulnerabilities," etc. So I thought it would be interesting to dig into a sampling of the data breach reports and collect some real data on causes of breaches and other security incidents in SMBs.
Zeus Targeting Mobile Phone Authentication
Commentary  |  9/26/2010  | 
A new variant of the Zeus botnet aims to circumvent an increasingly popular mode of two-factor authentication among financial institutions and other enterprises.
Lock-Picking Popularity Grows
Commentary  |  9/24/2010  | 
As security professionals, it is easy to get focused only on the technical side of security and forget about the importance of physical security.
What Solid State Form Factor Is Best - Integration
Commentary  |  9/24/2010  | 
Returning to our Solid State Form Factor series; in this entry we are going to begin the discussion about solid state integration. There are really two parts to the integration discussion: how you will integrate solid state disk into your storage infrastructure, and how your vendor will integrate solid state disk into their storage system. We'll tackle the vendor issue first since it may directl
'Here You Have' A Lesson
Commentary  |  9/24/2010  | 
It's been interchangeably called spam, or a targeted attack that spun out of control, or a form of cyber-jihad with alleged geopolitical implications. But regardless of what you call it, the "Here You Have" email worm is an excellent example of just how well today's security can work. Here are a few justifications for that optimism.
Different Flavors Of The Insider Threat
Commentary  |  9/22/2010  | 
There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.
The Cookies You Can't Remove
Commentary  |  9/22/2010  | 
They say that some things last forever, like diamonds or true love or Twinkies. But should browser cookies used for tracking be added to that list?
Web-Based Spam Detection With Google Alerts
Commentary  |  9/22/2010  | 
Search engines are great, powerful tools. They can help find an answer when you've tried everything you can think of. They can also help find information about a company you may be performing a penetration test on.
Twitter Under Attack
Commentary  |  9/21/2010  | 
There's a cross-site scripting flaw aggressively spreading across the social networking site Twitter. I know, I was hacked first thing this morning. . .
Virtual Desktops And Storage - Dealing With Boot Storms
Commentary  |  9/21/2010  | 
Virtual desktop environments are different from virtual server environments when discussing performance. In a virtual desktop environment we need to provide consistent, but moderate, performance throughout the day to a set of endpoints (desktops and laptops) that have similar I/O patterns. This is different from server virtualization, which has highly random I/O patterns and needs very high performance at peak moments throughout the day.
The What And The Why Of Professional Penetration Testing
Commentary  |  9/20/2010  | 
Welcome to the first in a series of posts on professional penetration testing. During the course of the next few entries, I will shed light on the often confusing and rarely straightforward world of penetration testing based on my experience during the past decade as both a professional penetration tester and a manager of penetration testing teams.
Missing The Insider Threat
Commentary  |  9/20/2010  | 
"I trust everyone. It is the devil inside that I do not trust" is a great line from the movie "The Italian Job." Every single person has the potential to do harm if the right circumstances occur. Yes, this includes employees.
Protegrity Gets Aggressive
Commentary  |  9/20/2010  | 
Last week Protegrity announced it had filed patent infringement suits against NuBridges and Voltage Security Inc., its main competitors. Patent infringement suits are nothing new with technology companies, but this one was a little odd in that the suits were actually filed in May.
A Lesson From Steve Jobs' Email
Commentary  |  9/20/2010  | 
We've all had one of these moments: You get an email and quickly respond without putting much thought into it. Then you end up wishing you'd taken more time.
Steady Bleed: State of HealthCare Data Breaches
Commentary  |  9/19/2010  | 
Study reveals that, for many healthcare providers, patient data breaches continue - month after month - at an alarming rate.
Desktop Virtualization And The Storage Challenges It Creates
Commentary  |  9/17/2010  | 
As server virtualization becomes more widespread, desktop virtualization is quickly becoming the next big project that IT managers have on their whiteboards. As with any new IT project, it has the opportunity to bring added flexibility and cost savings to the organization while at the same time increasing IT efficiency. However, like server virtualization before it, desktop virtualization brings a whole new set of storage challenges.
Which Solid State Disk Is Best? Part IV
Commentary  |  9/15/2010  | 
The next step in deciding which solid state storage is best for your environment is to understand how you are going to use solid state disk. I moved this ahead of how to integrate solid state disk into your environment because knowing how you are going to use solid state disk may impact how you choose to implement it.
Taking USB Attacks To The Next Level
Commentary  |  9/15/2010  | 
USB devices have many benign, legitimate uses. But put a USB-based device in the hands of a savvy hardware hacker, and that USB device can go from good to evil in no time.
Dark Reading Launches Tech Center On Security Monitoring
Commentary  |  9/14/2010  | 
Today Dark Reading launches a new feature: the Security Monitoring Tech Center, a subsite of Dark Reading devoted to bringing you news, insight, and in-depth reporting on the topic of security data monitoring and analysis.
Cloud Security And Compliance: Clear The Ambiguity
Commentary  |  9/13/2010  | 
The fact that business consumers of public cloud computing services don't get much in the way of transparency into the governance and security efforts of their cloud providers has been an obvious hindrance to cloud adoption. Here's an example of how a nascent, but encouraging, standard, CloudAudit, aims to change that.
What Solid State Storage Form Factor Is Best? Part III
Commentary  |  9/13/2010  | 
In our series on trying to decide which Solid State Storage is best for your environment, we have covered PCIe-based Solid State Storage and Solid State Disk (SSD). This entry will cover Solid State Systems (SSS), or Memory Arrays. These are systems that are designed from the ground up to only provide solid state
Relying On Tools Makes You Dumber
Commentary  |  9/13/2010  | 
It takes a lot of time and effort to stay up on the latest vulnerabilities, attacks, and tools. Often, we in the security field rely on tools to automate parts of a vulnerability assessment or penetration test, but our testing should never rely only on the tools. If all we ran were some tools and blindly trusted their output, then we would be no better than the average script kiddie.
State Of Cybercrime Legislation Around The World
Commentary  |  9/13/2010  | 
The main problem with international law enforcement on cybercrime is that even with efforts by the FBI and others, international communication between different agencies around the world is extremely slow.
The DeDupe Performance Boost
Commentary  |  9/10/2010  | 
Deduplication is the elimination of redundant data typically associated with optimizing storage utilization. I've spent some time lately defending our stance that deduplication in primary storage can be done without a performance penalty. What is not often discussed is that there is also the potential for a performance gain when using deduplication that may outweigh the resources costs associated with the process.
'Virus Crashes Plane' And Poor Safety Protocols
Commentary  |  9/10/2010  | 
Now that people are done making noise about how a "virus crashes a plane," the subject can be discussed reasonably.
What Solid State Storage Form Factor Is Best? Part II
Commentary  |  9/9/2010  | 
As discussed in an earlier entry, there are three basic types of solid state form factors available in the market today: PCIe, which we discussed last entry; Solid State Disks, which we will cover in this entry; and Solid State Appliances, also called Memory Arrays, which we will cover next. We'll conclude this series with a discussion of the integration methods that storage vendors are using to implement solid sta
iPhone iOS Devices Jailbroken
Commentary  |  9/9/2010  | 
Hackers are claiming to have uncovered a flaw within iPhone and iPod Touch hardware that will make it easy for users to jailbreak their devices. And, if these reports prove accurate, it won't be a trivial workaround for Apple to fix.
Authentication A Problem That Needs a Solution -- Yesterday
Commentary  |  9/8/2010  | 
A number of distinct developments brought about the current authentication schemes we see in networks today.
Ownage By USB Keyboard
Commentary  |  9/8/2010  | 
When was the last time Windows asked you for permission before adding your new hardware -- say, a mouse?
Twitter Hit With Another Cross-Site Scripting Vulnerability
Commentary  |  9/7/2010  | 
Over this Labor Day weekend, developers at Twitter had to do a bit of additional labor that they should have previously completed: close a potentially dangerous cross-site scripting (XSS) vulnerability before things got out of hand.
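Both Twitter entries above ("Twitter Under Attack" and this one) come down to the same defect class: untrusted text reaching a page without being encoded for the context it lands in. As an added example, not code from either post and not Twitter's code, the JavaScript below renders a constructed, attacker-controlled tweet two ways: straight concatenation (the vulnerable shape) and with context-appropriate encoding plus a URL scheme allowlist (the hardened shape). The payload string, the helper names and the `containsActiveMarkup` check are all assumptions made for this illustration.

```javascript
// Added example (not from the original posts). Shows why reflecting
// untrusted input into HTML unescaped is an XSS, and what the fix looks like.

// Minimal entity encoding, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: user-controlled text is concatenated straight into markup,
// so a tweet containing a tag or event handler becomes live HTML.
function renderTweetUnsafe(text) {
  return '<p class="tweet">' + text + '</p>';
}

// Hardened: the same template, but every untrusted value is encoded first.
function renderTweetSafe(text) {
  return '<p class="tweet">' + escapeHtml(text) + '</p>';
}

// Hardened link rendering: parse the URL, allow only http(s) so that
// javascript: and data: links are dropped, then encode for the attribute.
// Non-URLs and disallowed schemes fall back to plain escaped label text.
function renderLinkSafe(url, label) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return escapeHtml(label);
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(label);
  }
  return '<a href="' + escapeHtml(parsed.href) + '">' + escapeHtml(label) + '</a>';
}

// Crude detector used to compare the two renderings: does the output still
// contain a raw <script> tag or an element carrying an on* event attribute?
// This is an assumed helper for the demo, not a real XSS filter.
function containsActiveMarkup(html) {
  return /<script|<\/?[a-z]+[^>]*\son\w+=/i.test(html);
}

// Constructed attacker input: a broken image whose error handler runs script.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Stand-alone demonstration.
console.log('unsafe :', renderTweetUnsafe(PAYLOAD));
console.log('safe   :', renderTweetSafe(PAYLOAD));
console.log('link   :', renderLinkSafe('javascript:alert(1)', 'click me'));
```

The attribute case matters as much as the text case: a value dropped inside `href="..."` without encoding the quote character lets an attacker close the attribute and start `onmouseover=`, which is exactly the kind of thing an output-encoding layer, applied per context, prevents.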
Are Clouds Real?
Commentary  |  9/7/2010  | 
The theme last week at VMworld was "Virtual Roads, Actual Clouds," which raises the question: are we really at a point where clouds are real? The answer, as always, is "it depends." The determination depends on where you sit and what your angle of view is, but for the most part clouds are more real for more businesses than they ever were.
Seven Features To Look For In Database Assessment Tools
Commentary  |  9/7/2010  | 
As a follow-up to my "Essentials of Database Assessment" post, I want to go over some of the basic features and functions to look for in a database assessment product. Many features differentiate one tool from another, but I'll focus in on the top seven items you should review.
Keep Your Browser Updated
Commentary  |  9/7/2010  | 
During the Labor Day weekend, I got pulled in by friends and relatives (some remotely) to take care of their computer-related problems.
Anticipating The First Car Virus
Commentary  |  9/7/2010  | 
I've been thinking a lot about Intel's acquisition of McAfee, and recently spent the afternoon with the company reviewing its strategy. Intel doesn't want to repeat the mistake made with the PC in regard to malware as we move to more common interfaces, operating systems, and network-connected TVs, appliances, manufacturing equipment, air conditioning and heating systems -- and, yes, automobiles and motorcycles. While a virus or an attack on a PC or server is certainly painful, the same attack on
Apple's Ping Stumble Highlights Systemic Security Problem
Commentary  |  9/4/2010  | 
Within 48 hours of the launch of Ping, Apple's foray into music social networks, more than one million users had joined. Too bad that, like so many other applications and services on the Internet, security was an afterthought, and those users were plagued with spam comments.
vStorage API Spreads Its Wings
Commentary  |  9/2/2010  | 
The goal for VMware is to virtualize as much of the data center as possible. This goal can only be reached by increasing virtual machine (VM) density per physical server. The roadblock to high VM density per host is storage performance and data protection. Much of the focus of VMworld was addressing those issues through more vendors adopting the use of the vStorage API set.
Finding Exposed Devices On Your Network
Commentary  |  9/1/2010  | 
When browsing through SHODAN, it never ceases to amaze me what I can find. How is it that people think it's okay to leave their printers, routers, fiber channel switches, and industrial control systems completely open to the Internet?