Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/26/2009
06:07 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Top 10 E-mail Blunders Of 2009, So Far

Proofpoint's list of the ten biggest e-mail gaffes this year shows that organizations have yet to deal with the risks of e-mail.

E-mail, the Internet's first killer app, can injure companies and individuals when not used with care.

In its attempt to document the risks of electronic messaging and to make the case for the value of its services, Proofpoint, an e-mail security company, has assembled a list of what it considers are the "Top 10 Terrifying E-mail Blunders of 2009."

Keith Crosley, director of market development at Proofpoint, says the incidents his company has cited demonstrate the ongoing need for user training, for corporate e-mail policies, and for technology to enforce corporate policies. He says that only about a third of enterprises have deployed systems that can identify and block the unauthorized transmission of health or financial data.

The incidents that follow are, according to Proofpoint, in no particular order.

E-mail That Empties Bank Accounts: In September, the URLZone Trojan was reported to be spreading through e-mail and compromised Web sites, and emptying victims' bank accounts. It's even sophisticated enough to create forged balance reports to conceal its looting.

"No More Internet Banking For You!": That's what FBI director Robert Mueller's wife told him after the agency head clicked on a phishing message and nearly surrendered his personal information to a phishing Web site.

White House Spam: A White House effort to set the record straight about its healthcare plans in August led to the sending of unsolicited e-mail. The incident wasn't exactly a disaster. But it was it great public relations either.

Hotmail Accounts Blocked: Earlier this month, Microsoft blocked tens of thousands of Hotmail accounts that the company believed had been compromised as a result of a phishing scam. A security researcher at ScanSafe subsequently argued that exposed account credentials were gathered using a data theft trojan rather than a phishing attack.

Department Of Gaffes: Social media start-up RockYou reportedly managed to mess up its e-mail messaging three times in the past year. In January, it sent a mailing list message using the CC address field rather than BCC, exposing the e-mail addresses of everyone on the list. In November, it reportedly asked contractors for W-8/W-9 information in a message sent to a mailing list, which prompted replies containing personal information to the e-mail list rather than to the company's accounting department. And in September 2008, RockYou reportedly revealed over 200 e-mail addresses in a message it sent out.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15222
PUBLISHED: 2020-09-24
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification say...
CVE-2020-15223
PUBLISHED: 2020-09-24
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacke...
CVE-2020-12842
PUBLISHED: 2020-09-24
ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php.
CVE-2020-12843
PUBLISHED: 2020-09-24
ismartgate PRO 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors. The magic bytes for WAV must be used.
CVE-2020-13119
PUBLISHED: 2020-09-24
ismartgate PRO 1.5.9 is vulnerable to clickjacking.