Security News
McDonald's customers who won a prize draw competition got more than they hoped for after the burger chain emailed them login credentials for development and production databases used to power the campaign. The first person to report the blunder to McDonald's, startup founder Connor Greig, told The Register: "It's a bit weird," adding that code strings containing the credentials looked as if they had "been formatted into the email by accident."
A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product. The affected product comes from the company Fortress Security Store, which sells two branded home security setups: the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250. The intrepid researcher, Arvind Vishwakarma, acquired an S03 starter system, which includes a control panel, remote control fobs, a door or window sensor, a motion detector, and an indoor siren.
Technical details have emerged on a serious vulnerability in Microsoft Exchange Server, dubbed ProxyToken, that lets an attacker access emails from a target account without authenticating. An attacker can exploit it by crafting a request to the web services of the Exchange Control Panel (ECP) application and steal messages from a victim's inbox.
Microsoft Exchange uses two websites; the front end is the one users connect to in order to access email. "The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx," according to a Monday posting on the bug from Trend Micro's Zero Day Initiative.
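As an added example (not code from the original article or from ZDI), a triage script for the ProxyToken item above: because the front end proxies ECP web-service requests and the flaw needs no authentication, the front-end IIS log is a natural place to look for ECP calls that were served successfully with no authenticated user. The log lines, the field list and the `/ecp/Example.svc/SetObject` path are constructed for illustration; the field names follow the W3C format IIS writes.

```python
# Added example (not from the original article): heuristic triage of Exchange
# front-end IIS W3C logs for ECP web-service requests served without an
# authenticated user. The log lines below are constructed, not real captures.

# Constructed sample of a front-end (Default Web Site) IIS log. The field list
# mirrors what IIS writes in W3C format; the request paths are illustrative.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-30 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.net/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-30 10:01:09 10.0.0.5 POST /ecp/Example.svc/SetObject schema=MailboxSettings 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-30 10:02:15 10.0.0.5 POST /ecp/Example.svc/SetObject schema=MailboxSettings 443 CORP\\alice 10.0.1.22 Mozilla/5.0 200
2021-08-30 10:03:00 10.0.0.5 GET /ecp/auth/logon.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
2021-08-30 10:03:30 10.0.0.5 GET /ecp/ - 443 - 198.51.100.4 Mozilla/5.0 302
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS encodes spaces inside a value as '+', so splitting on single spaces is safe.
    """
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue  # other directives (#Software, #Date, ...) and blank lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align the columns
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """An ECP web-service request that the front end answered 200 with no user.

    The logon pages under /ecp/auth/ are legitimately anonymous and are excluded.
    """
    stem = rec["cs-uri-stem"].lower()
    if not stem.startswith("/ecp/") or stem.startswith("/ecp/auth/"):
        return False
    if rec["cs-username"] != "-":
        return False  # front end recorded an authenticated principal
    return rec["sc-status"] == "200"


def find_unauthenticated_ecp(text):
    """Return the log records worth a closer look, in file order."""
    return [rec for rec in parse_w3c(text) if is_suspicious(rec)]


if __name__ == "__main__":
    for hit in find_unauthenticated_ecp(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["cs-uri-query"], hit["cs(User-Agent)"])
```

Hits are triage leads, not verdicts: confirm each one against the back-end site's log for the same request and against the affected mailbox's configuration, and expect some benign noise from monitoring probes that touch /ecp/ anonymously.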
Email routing protocols were designed when cryptography was still nascent, so security was not a primary consideration. As a result, encryption in most email systems is still opportunistic: if the receiving server does not advertise TLS (STARTTLS), the sending server falls back to an unencrypted connection and delivers the message in plaintext.
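Added example, not from the original article: a model of the decision a sending MTA makes after EHLO. `parse_ehlo` and `decide` work on a constructed EHLO reply; `strip_starttls` simulates the on-path downgrade that opportunistic TLS cannot resist (the attacker simply deletes the STARTTLS line from the reply); `deliver` applies the same policy with Python's `smtplib` against a real host. Host names are placeholders.

```python
# Added example (not from the original article): what an SMTP client does after
# EHLO under an opportunistic TLS policy versus an enforced one, including the
# classic downgrade where an on-path attacker strips STARTTLS from the reply.
# The EHLO reply is constructed; host names are placeholders.
import smtplib
import ssl

OPPORTUNISTIC = "opportunistic"   # use TLS if offered, otherwise send in plaintext
ENFORCED = "enforced"             # refuse to send unless TLS is negotiated

# Constructed EHLO reply from a receiving MTA that supports STARTTLS.
EHLO_WITH_TLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)


def parse_ehlo(reply):
    """Return the capability keywords in a multi-line EHLO reply (RFC 5321 4.1.1.1)."""
    caps = set()
    lines = [line.strip() for line in reply.splitlines() if line.strip()]
    for line in lines[1:]:            # first line is the server greeting, not a capability
        if not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()   # drop "250-"/"250 " and parameters
        caps.add(keyword)
    return caps


def strip_starttls(reply):
    """Simulate an active attacker removing the STARTTLS line from the EHLO reply."""
    return "\r\n".join(line for line in reply.splitlines() if "STARTTLS" not in line.upper())


def decide(reply, policy):
    """Return 'starttls', 'plaintext' or 'abort' for the given EHLO reply and policy."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    # No STARTTLS offered (or stripped): opportunistic clients carry on in the clear.
    return "plaintext" if policy == OPPORTUNISTIC else "abort"


def deliver(host, sender, recipient, message, policy=ENFORCED, port=25):
    """Real delivery with the chosen policy (needs network; not exercised offline)."""
    ctx = ssl.create_default_context()      # verifies the server certificate chain
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                      # capabilities must be re-read after TLS
        elif policy == ENFORCED:
            raise RuntimeError(f"{host} did not offer STARTTLS; refusing to send in plaintext")
        smtp.sendmail(sender, recipient, message)


if __name__ == "__main__":
    for label, reply in (("honest server", EHLO_WITH_TLS),
                         ("stripped by attacker", strip_starttls(EHLO_WITH_TLS))):
        for policy in (OPPORTUNISTIC, ENFORCED):
            print(f"{label:22} {policy:13} -> {decide(reply, policy)}")
```

The stripped reply is indistinguishable from a server that never supported TLS, which is exactly why opportunistic encryption gives no protection against an active attacker; only a policy that refuses plaintext (enforced here, or a published expectation such as MTA-STS or DANE) closes that gap.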
Implementing a comprehensive, fully supported email security solution is the best way to ensure proper email setup and configuration and to secure critical information shared over email, with transport encryption layered with sender-authentication standards such as SPF, DKIM and DMARC. Despite its importance, email remains poorly protected. Most modern cyber risk is email risk, with over 90% of cyberattacks beginning with a phishing email, yet too many businesses still fail to recognize the risk of inadequately secured email infrastructure.
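Added example, not from the original article: a check of what the SPF and DMARC records a domain publishes actually enforce, with a weak pair of records beside a hardened pair. Record contents and domain names are constructed and the block makes no DNS queries; DKIM is left out because its key lives under a per-selector name the checker would have to be told.

```python
# Added example (not from the original article): parse the SPF and DMARC TXT
# records a domain publishes and flag the settings that leave it spoofable.
# Records and domain names are constructed; no DNS lookups are made.

# Constructed records: a monitor-only setup beside an enforcing one.
WEAK_SPF, WEAK_DMARC = "v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"

# Mechanisms and modifiers that cost a DNS lookup against the limit of 10 (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return {'mechanisms': [(qualifier, term), ...], 'all': qualifier} or None."""
    if not txt or txt.split()[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        qualifier = "+"                      # RFC 7208: the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tag=value pairs as a dict, or None if not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no v=spf1 record; receivers cannot reject forged envelope senders")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or +all terminal; any host passes")
        elif spf["all"] == "?":
            findings.append("SPF: ?all is neutral; unauthorized hosts are not failed")
        lookups = sum(1 for _, term in spf["mechanisms"]
                      if term.split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; result is permerror")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record; SPF/DKIM results are not tied to the From header")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua tag; no aggregate reports showing who spoofs the domain")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, grade(spf, dmarc) or ["no findings"])
```

Running it on live domains only needs the two TXT lookups (the domain itself and `_dmarc.<domain>`) fed into `grade`; the parsing deliberately tolerates the mixed case and spacing seen in real records.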
ESET and Trend Micro have identified a novel and sophisticated backdoor tool that miscreants have slipped onto compromised Windows computers in companies mostly in Asia but also in North America. Trend Micro's researchers speculate that the design of the malware indicates that at least one member of the group is familiar with the tools and techniques of security red teams, while the SideWalk/ScrambleCross backdoor suggests personnel with deep knowledge of low-level programming and advanced software development.
Microsoft is updating Defender for Office 365 to protect customers from embedded email threats while previewing quarantined emails. Microsoft Defender for Office 365 provides Office 365 enterprise email accounts with protection from multiple threats, including business email compromise and credential phishing, as well as automated attack remediation.
Lemarié, the San Francisco jury found, then went on to share those trade secrets with his new employer, French email security firm Vade Secure. Of 20 trade secrets Proofpoint said Lemarié and Vade had used unlawfully, the jury agreed that 15 had been misappropriated by Vade Secure in a "wilful and malicious" way, according to the final verdict form [PDF].
Phishing can be a profitable business model, and most breaches begin with a phishing email. As detailed in the report, the threats that targeted inboxes, ranging from ransomware and credential harvesters to difficult-to-discover but costly Business Email Compromise, could have resulted in over $354 million in direct losses had they succeeded.