Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
8 Boldest Security Predictions For 2017
Newest First  |  Oldest First  |  Threaded View
botw803
50%
50%
botw803,
User Rank: Apprentice
1/8/2017 | 1:14:41 PM
Re: Minority Report: Infosec Edition
You obviously agree because you have been working for this website forever. Your post are really boring by the way.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
1/4/2017 | 4:34:59 PM
Help prevent an unwanted Internet sick day
I don't know that the Internet will take an unscheduled sick day, but I do know the common security system for Web sites, SSL, the Network Time Protocol and the Domain Name System are probably being probed for ways to exploit them by much more sophisticated hackers than before. And the Internet depends on each of them. We've built out an immense infrastructure without enough precautions, a bold move, but we'd be wise to now try to identify the points where it needs shoring up. One place to start is the Network Time Protocol, which has a dedicated staff operating on an extremely lean budget and which could use additional support (www.ntp.org).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/4/2017 | 8:59:51 AM
Re: Minority Report: Infosec Edition
Totally agree! AI definitely has tremendous potential, emphasis on potential. The big question is how much and how soon. 
alexanderstein
50%
50%
alexanderstein,
User Rank: Apprentice
12/28/2016 | 1:06:06 PM
Minority Report: Infosec Edition
It's not new years without resolutions and predictions.  Dark Reading honors the annual tradition with their top Info-Sec prognostications. #8: machine learning and artificial intelligence will build on significant capability gains to more accurately and intelligently learn from the past to detect and predict attacks. My counter-prediction: Nope. Most technologists and security professionals still wildly misunderstand/underestimate the complexity of human behavior as it relates to cybersecurity. Effective risk mitigation solutions will come from specialists in mental architecture and psychodynamics.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
12/27/2016 | 11:27:20 AM
Drone Jacking
I'm going to give drone jacking my top pick of these.  If you take a look at the volume of patents Google has put out for their drone army, from navigation aid systems to secure communication, you can see this has always been on their minds.  However, while Google is intent on making their drones as secure as possible (good luck with that, by the way), not all drone operators and start-ups are going to go the extra mile - at first.  And as applies to all drone companies, hijacking drones in-flight isn't the only method of taking control.  Drones can be captured through physical means and repurposed. 

Specifically on the topic of secure communication, we're going to see lots of projects working to perfect protocols that will help protect consumers and public safety.  Papers like "A Secure Communication Protocol for Drones and Smart Objects" by Jongho Won, Seung-Hyun Seo, and Elisa Bertino (2015) that explores securing communication between drones and smart objects (a smart parking management system, for example) are examples.  This paper states that "To support the required security functions, such as authenticated key agreement, non-repudiation, and user revocation, we propose an efficient Certificateless Signcryption Tag Key Encapsulation Mechanism (eCLSC-TKEM). eCLSC-TKEM reduces the time required to establish a shared key between a drone and a smart object by minimizing the computational overhead at the smart object. Also, our protocol improves drone's efficiency by utilizing dual channels which allows many smart objects to concurrently execute eCLSC-TKEM."

In the discussion about whether FOSS (Free and Open Source Software) or proprietary code and standards are better for drone tech, I think we need to work through 2017 to see what security flaws are revealed.  While I am a FOSS advocate, I also recognize the need for proprietary code under the right conditions.

 


Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...