The FBI announced today arrests of three people in the ESP data breaches from the compromises of various ESPs a few years ago. Krebs on Security: Feds Indict Three in 2011 Epsilon Hack Department of Justice: Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History After stealing over a billion […]
M3AAWG is on a roll lately with published documents. They recently released the Compromised User ID Best Practices (pdf link).
Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn’t provided any information as of yet as to what is going on.
Social engineering is a long standing way to compromise security. Chunkhost reports today that they discovered accounts being compromised through social engineering of Sendgrid support. While the compromise did not work it was a close call. The only thing that saved the targeted customers was their implementation of 2 factor authentication. We know many of […]
According to Brian Krebs the compromise of Target’s POS system probably originated with a phishing attack against one of Target’s vendors. This attack compromised credentials of the HVAC vendor and possibly allowed the hackers entrance into Target’s systems. Interestingly, Brian mentions Ariba, a company I’ve been forced to deal by a large customer of ours. […]
U.S. Representative Michele Bachmann (R-Minnesota) announced today that she’s not going to seek re-election in 2014. Last time around, the race between her and Minnesota businessman Jim Graves was very close. Mr. Graves lost by a very narrow margin. Graves had already announced his intention to take on Ms. Bachmann again next year. As the news […]
Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security? If you haven’t heard, someone managed to compromise the Associated Press’ twitter account today. Not only was the account compromised, but they put out a fake tweet claiming that there were explosions at the […]
A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet. Today’s blog post by Margot Romary at the Return Path In the Know blog reminds […]
There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security […]
Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari). Go on, I’ll wait. Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. […]