Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/26/2009
06:07 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Top 10 E-mail Blunders Of 2009, So Far

Proofpoint's list of the ten biggest e-mail gaffes this year shows that organizations have yet to deal with the risks of e-mail.

E-mail, the Internet's first killer app, can injure companies and individuals when not used with care.

In its attempt to document the risks of electronic messaging and to make the case for the value of its services, Proofpoint, an e-mail security company, has assembled a list of what it considers are the "Top 10 Terrifying E-mail Blunders of 2009."

Keith Crosley, director of market development at Proofpoint, says the incidents his company has cited demonstrate the ongoing need for user training, for corporate e-mail policies, and for technology to enforce corporate policies. He says that only about a third of enterprises have deployed systems that can identify and block the unauthorized transmission of health or financial data.

The incidents that follow are, according to Proofpoint, in no particular order.

E-mail That Empties Bank Accounts: In September, the URLZone Trojan was reported to be spreading through e-mail and compromised Web sites, and emptying victims' bank accounts. It's even sophisticated enough to create forged balance reports to conceal its looting.

"No More Internet Banking For You!": That's what FBI director Robert Mueller's wife told him after the agency head clicked on a phishing message and nearly surrendered his personal information to a phishing Web site.

White House Spam: A White House effort to set the record straight about its healthcare plans in August led to the sending of unsolicited e-mail. The incident wasn't exactly a disaster. But it was it great public relations either.

Hotmail Accounts Blocked: Earlier this month, Microsoft blocked tens of thousands of Hotmail accounts that the company believed had been compromised as a result of a phishing scam. A security researcher at ScanSafe subsequently argued that exposed account credentials were gathered using a data theft trojan rather than a phishing attack.

Department Of Gaffes: Social media start-up RockYou reportedly managed to mess up its e-mail messaging three times in the past year. In January, it sent a mailing list message using the CC address field rather than BCC, exposing the e-mail addresses of everyone on the list. In November, it reportedly asked contractors for W-8/W-9 information in a message sent to a mailing list, which prompted replies containing personal information to the e-mail list rather than to the company's accounting department. And in September 2008, RockYou reportedly revealed over 200 e-mail addresses in a message it sent out.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.