Archive for the ‘Passwords’ Category

Microsoft SharePoint bug exposes credentials, sensitive data

Friday, April 30th, 2010

A cross-site scripting vulnerability has been confirmed in SharePoint Server 2007 and is likely also present in earlier versions of the content management system software, a Microsoft advisory warned. It allows adversaries to inject malicious JavaScript into the application by appending commands to the address of the targeted system.

“The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0’ variable,” the advisory states. “Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.”

Microsoft was notified of the bug on April 12, but only made the report public on Thursday.

A Microsoft spokeswoman said Thursday that researchers are in the process of drafting a security advisory that includes mitigation and workaround details. With 17 days notice, it’s unclear why Redmond’s security team didn’t already have that information ready to go.

XSS bugs are by far the most common form of vulnerability plaguing the web. Webmasters and software makers often downplay them as insignificant, because in their opinion the severity of most of them is minimal. What they tend not to understand is that a compromised site can hand out malware to unsuspecting users or redirect them to attacker-controlled pages.
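The root cause named in the advisory is a page that reflects a query parameter into its HTML without encoding it. The following is an added illustration, not SharePoint's code: a hypothetical help page that takes a `cid0` parameter, shown first in the unsafe reflecting form and then with output encoding via `html.escape`, plus a small check that confirms the supplied markup no longer reaches the page intact. The URLs and the probe value are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs. The path and parameter name mirror the advisory;
# the rendering code below is a hypothetical stand-in, not SharePoint's.
BENIGN_URL = "https://intranet.example/_layouts/help.aspx?cid0=MS.WSS.manifest.xml"
PROBE_URL = "https://intranet.example/_layouts/help.aspx?cid0=<script>probe()</script>"


def get_cid0(url: str) -> str:
    """Extract the cid0 query parameter (empty string if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("cid0", [""])[0]


def render_unsafe(url: str) -> str:
    """The flawed pattern: user input is concatenated straight into markup."""
    return f"<p>Help topic: {get_cid0(url)}</p>"


def render_safe(url: str) -> str:
    """The fix: HTML-encode the value at the point it enters the page."""
    return f"<p>Help topic: {html.escape(get_cid0(url), quote=True)}</p>"


def reflects_raw_markup(rendered: str, supplied: str) -> bool:
    """True when a supplied value containing '<' appears verbatim in the output,
    i.e. the page would hand the browser attacker-controlled tags."""
    return "<" in supplied and supplied in rendered


if __name__ == "__main__":
    probe = get_cid0(PROBE_URL)
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(PROBE_URL)
        print(f"{name}: reflected raw markup = {reflects_raw_markup(page, probe)}")
        print(f"  {page}")
```

Encoding at output time is the durable fix; rejecting particular strings at input time tends to be bypassed because the same value may be emitted into several different contexts.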

PC malware targeting iTunes, iPad users

Monday, April 26th, 2010

Here’s a cute trick. Some PC owners are getting emails alerting them to a new version of iTunes that has been updated “…for best iPad performance, newer features and security.”

The email provides a link, asking recipients to download a “new” version of iTunes. You see where this is going, of course. Those who follow through actually download a counterfeit version of iTunes which contains malicious code that opens up a backdoor allowing unauthorized access to a PC.

The code, called Backdoor.Bifrose.AADY, attempts to read the keys and serial numbers of the various software installed on the affected computer. It also logs the victim’s ICQ, Messenger and POP3 mail account password plus protected storage login.

Mac owners can rest easy. This malware only affects PCs.

Facebook Password Stealing Scam

Tuesday, March 23rd, 2010

Facebook warns over password reset scam

Facebook has taken the unusual step of warning users about a bogus password reset scam designed to trick victims into downloading a password-stealing Trojan.

Prospective marks are falsely told in widely distributed spam emails that their password has been changed because of a supposed security incident. Targets are invited to open an email attachment for more information. This email attachment, you’ll be unsurprised to learn, contains keystroke snaffling malware. Once bitten, every password a user enters onto an infected PC becomes compromised.

Facebook points out that it would never send users a new password in an email attachment.

Facebook use in corporate settings should be limited, given the potential for policy violations and malware. Koobface is malware that specifically targets Facebook users.

Lincoln National Discloses Breach Of 1.2 Million Customers

Friday, January 15th, 2010

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.

The company disclosed the breach via letter and did not offer technical details.

“This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,” the letter says. “The sharing of usernames and passwords is not permitted under the LNC security policy.”

Such policy violations can be detected and reported with a robust monitoring solution.

The forensic team that investigated the breach found no evidence that the data had been used outside of the company, either by hackers or former employees, according to the letter. The portfolio management system consolidates data about customer accounts — and therefore contains a good deal of personal information — but it doesn’t allow the user to actually access those accounts, the letter says.

Lincoln says it has “discontinued” all shared usernames and passwords in its systems, and it is notifying customers and offering them identity theft services.
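A shared credential leaves a recognisable trace in authentication logs: one username succeeding from several distinct source hosts within a short window. The following is an added example of that detection logic, not code from Lincoln or from any monitoring product; the log lines, field names and the one-hour / three-host thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines (hypothetical format: one login event per line).
LOG_LINES = """\
2010-01-05T09:01:12Z user=jdoe src=10.1.4.22 result=success
2010-01-05T09:03:40Z user=portfolio_ops src=10.1.4.31 result=success
2010-01-05T09:04:02Z user=portfolio_ops src=10.1.7.108 result=success
2010-01-05T09:05:55Z user=portfolio_ops src=10.2.9.14 result=success
2010-01-05T09:09:10Z user=jdoe src=10.1.4.22 result=success
2010-01-05T11:40:00Z user=portfolio_ops src=172.16.3.5 result=failure
2010-01-05T14:15:30Z user=asmith src=10.1.4.90 result=success
2010-01-05T14:16:01Z user=asmith src=10.1.4.91 result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_successes(lines):
    """Group successful logins by user as sorted (timestamp, source) pairs.
    Failures and lines that do not match the format are ignored."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["user"]].append((ts, m["src"]))
    for evs in events.values():
        evs.sort()
    return events


def find_shared_accounts(lines, window=timedelta(hours=1), min_hosts=3):
    """Return {user: sorted source hosts} for every account that logged in
    successfully from at least min_hosts distinct sources inside one window.
    A single analyst moving between two workstations stays under the threshold;
    a password handed around a team does not."""
    flagged = {}
    for user, evs in parse_successes(lines).items():
        for i, (start, _) in enumerate(evs):
            hosts = {src for ts, src in evs[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(LOG_LINES).items():
        print(f"possible shared credential: {user} from {', '.join(hosts)}")
```

In production the threshold needs an allow-list for service accounts that legitimately run from many hosts, and the source field should be whatever the system records consistently (workstation name, VPN identity or IP), so that NAT does not collapse several users into one apparent host.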