Vulnerabilities / Threats

10/26/2009
06:07 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Top 10 E-mail Blunders Of 2009, So Far

Proofpoint's list of the ten biggest e-mail gaffes this year shows that organizations have yet to deal with the risks of e-mail.

E-mail, the Internet's first killer app, can injure companies and individuals when not used with care.

In its attempt to document the risks of electronic messaging and to make the case for the value of its services, Proofpoint, an e-mail security company, has assembled a list of what it considers are the "Top 10 Terrifying E-mail Blunders of 2009."

Keith Crosley, director of market development at Proofpoint, says the incidents his company has cited demonstrate the ongoing need for user training, for corporate e-mail policies, and for technology to enforce corporate policies. He says that only about a third of enterprises have deployed systems that can identify and block the unauthorized transmission of health or financial data.

The incidents that follow are, according to Proofpoint, in no particular order.

E-mail That Empties Bank Accounts: In September, the URLZone Trojan was reported to be spreading through e-mail and compromised Web sites, and emptying victims' bank accounts. It's even sophisticated enough to create forged balance reports to conceal its looting.

"No More Internet Banking For You!": That's what FBI director Robert Mueller's wife told him after the agency head clicked on a phishing message and nearly surrendered his personal information to a phishing Web site.

White House Spam: A White House effort to set the record straight about its healthcare plans in August led to the sending of unsolicited e-mail. The incident wasn't exactly a disaster. But it was it great public relations either.

Hotmail Accounts Blocked: Earlier this month, Microsoft blocked tens of thousands of Hotmail accounts that the company believed had been compromised as a result of a phishing scam. A security researcher at ScanSafe subsequently argued that exposed account credentials were gathered using a data theft trojan rather than a phishing attack.

Department Of Gaffes: Social media start-up RockYou reportedly managed to mess up its e-mail messaging three times in the past year. In January, it sent a mailing list message using the CC address field rather than BCC, exposing the e-mail addresses of everyone on the list. In November, it reportedly asked contractors for W-8/W-9 information in a message sent to a mailing list, which prompted replies containing personal information to the e-mail list rather than to the company's accounting department. And in September 2008, RockYou reportedly revealed over 200 e-mail addresses in a message it sent out.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.