Davey Winder's Blog

Spear phishing Catch 22 for Salesforce.com

By Davey Winder in Editorial

Posted in Uncategorized on November 10, 2007 at 11:39 am


Salesforce.com has been the victim of a classic spear phishing attack, where a highly targeted social engineering exploit is used in an attempt to persuade a single employee to reveal confidential corporate information that can then be used as ammunition for further and more widely spread attacks.

The CRM vendor has admitted that one of its employees had fallen foul of such a spear phishing scam and handed over a password to the cyber-criminal involved. This led to a customer contact database being copied, and consequently the “first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com” being leaked. I am led to believe that a number of the customers so exposed were then taken in by a phishing scam which was made all the more believable by the amount of accurate personal data it was able to use.

John Stewart, founder of secure authentication specialists Signify, reckons the whole thing should not come as a surprise to anyone, telling me “the growing popularity of the SaaS (Software as a Service) model means that it’s too big a honeypot for the Internet Underworld to ignore.” One of the problems is that there’s a blind spot in corporate security: whereas two-factor authentication and VPN encryption are considered essential before remote users are allowed access to this data on the corporate network, as soon as it is hosted by a third party, it seems that just a web browser and a password are all that’s needed. “In essence, you’ve uploaded your entire customer database and sales pipeline to a public website and protected it with a basic password,” Stewart insists, adding that “the data is no more secure than your Facebook login.”

Salesforce.com is now recommending the use of two-factor authentication (2FA) for service login, but this requires replacing the password with a 2FA process by enabling the single sign-on function: something that is limited in the edition used by the majority of SME ‘Pro Edition’ customers. With single sign-on being, effectively, a global setting which is either on or off for everyone, it doesn’t take a genius to realise that Salesforce still has a long way to go. SMEs are going to baulk at the cost of deploying 2FA tokens to every user, including everyone on the road, all managers, office and admin staff. The spear phishing attack has shown how just a single weak link in the chain can be exploited, after all. The other option is the equally expensive upgrade to the Enterprise Edition: something of a Catch 22, it seems.

“It is frustrating that our customers cannot extend the use of their tokens to secure their Salesforce.com accounts too.

Comments

Comment by Tom Wiseman - November 13, 2007 on 11:02 am

I presume this jargon ridden 1st paragraph means simply that an employee was blackmailed or coerced - if so, say so - say what you mean in clear English.
Criminal activity will always find a way of exploiting human weaknesses or vulnerabilities and so ‘mere’ ‘mechanical’ or ‘electronic’ procedures however clever are always at risk of subversion - as ever, you need to look after your staff, however clever you think you are.

Comment by Davey Winder - November 13, 2007 on 11:50 am

It means what it says: that an employee was the victim of social engineering in a highly targeted manner, something known as spear phishing. Try reading it again and you might spot that the paragraph actually explains what spear phishing is. I would hardly call the use of the widely understood term ‘social engineering’ and the detailed explanation of ‘spear phishing’ to constitute a jargon-ridden anything…

Comment by Mas Funaki - June 30, 2008 on 1:28 am

NHK is Japan’s public television network (http://www.nhk.or.jp/nhkworld/). NHK produces a program called “Close-up Today”, a half-hour prime time program broadcast at 7:30PM from Monday to Thursday in Japan. This is one of the most watched programs of the last fourteen years. The format of the program is that the host discusses with guests a subject which focuses on viewers’ current interests and questions, such as social trends, social problems, people and so on. This program is similar to “Nightline” on ABC.

I’m currently working on an upcoming project about SaaS (Software as a Service). Most viewers are not aware of SaaS, which is used by businesses we deal with every day. In this program, we are going to show our viewers this business trend in the IT field. This program will focus on how SaaS works by showing the provider side and the customer side.
Also, we would like to address the downside of SaaS as well.

I am looking for a person who could discuss why SaaS is a target of hackers and cutting-edge hacking technology for an on-camera interview. I would like to find out whether you could discuss this, as well as your availability for this week.
Thank you for your assistance.

Mas Funaki

