Security Watch

Corporate Bloggers Raise the Security Ante

Plus: QuickTime, WinZip flaws, and my hacker mom.

• By Russ Cooper
• 06/27/2007

It's completely unclear from the article precisely why he thinks this; his only example has nothing to do with blogging. He believes that blogging activity is being ignored by corporations. He believes that this unmonitored blogging means people will leak information that can be pieced together by criminals. His suggestion is to stop employees from doing this from their corporate laptops and to use e-mail aliases.

Blogging isn't the only way for individuals to be lured into divulging corporate -- and personal -- information. While the proliferation of blogging may be significant, it hardly represents a new threat. Employees should be aware that they may divulge sensitive information in any public forum, be it electronic or physical.

Old QuickTime, WinZip Flaws Getting Exploited?
An article at ZDnet says that Symantec has discovered a criminal phishing Web site that uses a four-month-old QuickTime vulnerability and a six-month-old WinZip vulnerability, which the article explains "highlights both the importance of having a prompt patching schedule and the fact that attackers are keeping up with the times and constantly updating their attack strategies to help ensure ongoing success."

Well, that's strange. Symantec say they were not aware that the vulnerabilities were being exploited in the wild. OK, so they discovered that they were ... so what ... they're still old vulnerabilities. Researchers have long been aware that vulnerabilities are exploited long after they are initially discovered -- nothing new there. However, suggesting that you need "prompt patching," because a months-old vulnerability is being exploited seems contradictory.

In any event, it all boils down to the victim pulling the attack from a criminal's site. It's interesting to note that the Symantec honeypot machine was presenting itself as an unpatched Windows XP SP1 system.

Slashdot Post on Those Motherhackers
A poster to SlashDot wrote that he e-mailed 10 Web hosting providers he had accounts with. He wrote them from a Hotmail account that the providers had no prior knowledge of, asking that the domain registered with the account be transferred to a previously unknown domain registrar account, or that he be given the domain registrar login information so he could make the changes. In all cases, he had the hosting provider register the associated domain names. Five providers responded with the login information or changed the domain registration according to his request -- despite not knowing whether he really was the actual owner of the domain.

As the author points out, the hosting providers who complied with the unverified request demonstrated a lack of awareness to social engineering. It is probably worth remembering the next time you sign up for a hosting service to give something like this a try, to see how well they stick to their stated procedures.