Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Author

 John H. Sawyer
RSS
E-Mail

Profile of John H. Sawyer

Contributing Writer, Dark Reading
News & Commentary Posts: 272
Articles by John H. Sawyer
posted in August 2009

Lessons From The Credit Union Penetration-Test Debacle

8/28/2009
Determining who is "in the loop" during a penetration test is an important step not always properly planned during the beginning phases of an engagement. The recent media release from the National Credit Union Association (NCUA) provides an excellent example of what can go wrong.

Post a Comment

Your Cloud Insurance Policy

8/24/2009
Security is all about managing risk -- looking at the threats, evaluating the likelihood that they will affect you, and determining what the impact would be. But in the end, do the numbers really make us feel warm and fuzzy? I didn't think so.

Post a Comment

Rapid Triage To Stop The Data Bleed

8/20/2009
The SANS Internet Storm Center on Tuesday questioned whether an exploit was out in the wild for MS09-039 due to increased scanning for TCP port 42. That same afternoon, a notice went out to the EDUCAUSE Security mailing list with the subject: "CRITICAL: Active exploitation of MS09-039 in the EDU sector." It's not often we get to see a preauthentication attack against a Windows service like WINS that makes an easy jumping-off point to compromise an entire Microsoft Active Directory. Can you imagi

Post a Comment

Qualys Report Shows Disturbing Persistence Of Critical Vulns

8/17/2009
In my recent Tech Insight on vulnerability management, I covered a few of the major components for having a successful program to address vulnerabilities as they are disclosed by vendors and researchers. I've known for a while that patching desktop applications is lagging behind, but for some reason companies just aren't taking it seriously enough to resolve quickly -- even when confronted wit

Post a Comment

Physical Penetration Testing Tells All

8/14/2009
Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the mo

Post a Comment

Specialization Inevitable In Infosec

8/13/2009
Specialization in the information security field is key. Plenty of blogs have been written during the past few months with infosec career advice, but none has hit the nail on the head like two recent posts from Richard Bejtlich and Anton Chuvakin.

Post a Comment

Marines Jump The Gun On Social Networking

8/5/2009
Being on the front line of IT security, it often feels like the equivalent of holding a hammer during a game of Whack-A-Mole. One day it's a client-side vulnerability in Adobe Acrobat, and the next, it's an unsubstantiated vulnerability in OpenSSH. At the end of the day, we're just trying to find that balance between usability,productivity, and security. That's why the news that the U.S. Marines are banning social networking sites completely makes me think they're jumping the gun.

Post a Comment
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-36260
PUBLISHED: 2021-09-22
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.
CVE-2021-39404
PUBLISHED: 2021-09-22
MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database.
CVE-2021-3583
PUBLISHED: 2021-09-22
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This...
CVE-2021-39339
PUBLISHED: 2021-09-22
The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.
CVE-2021-38153
PUBLISHED: 2021-09-22
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixe...