Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live teleconferences:
* Planning for Succession:
Models for IT Leadership Development, June 23
* Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25
* Managing Change: Centralizing Your IT Organization
July 29
Apply today for a FREE subscription to CIO Magazine!
News Short
Microsoft Flaw Opened Door to Scammers, Analysts Say
June 19, 2007 — IDG News Service (London Bureau) — Microsoft Tuesday fixed a bug in its Windows Live ID registration that let users deceptively register a false e-mail address.
The false e-mail address could then be used as an ID for Microsoft's Live Messenger program, which could trick users into thinking they are chatting with someone who is not whom he appears to be, such as steveballmer@microsoft.nl.
Erik Duindam, a Web developer in Leiderdorp, the Netherlands, reported the problem to Microsoft on Monday. Microsoft acknowledged it had fixed the bug but did not have further information on the flaw's impact.
It's unclear how long the flaw may have existed or how many accounts with deceptive instant-messenger IDs could have been created. Duindam said a fake ID he created was still active on Tuesday morning.
If a user attempts to create a Windows Live ID, Microsoft sends a confirmation e-mail to the e-mail address entered by the user. Without confirmation, Microsoft includes a warning with future messages sent by instant message, which appear as: fake@emailaddress (E-mail Address Not Verified).
However, accounts created over the weekend with fake e-mail addresses were still active as of Tuesday and carried no such warning.
"It's heaven for scammers," Duindam said via instant message on Tuesday.
An attacker could use the flaw as part of a social-engineering ploy, where users are tricked into doing something that puts their machine at risk. For example, victims could receive an instant message from someone who appears to have his boss's e-mail address.
At that point, victims could be tricked into thinking they are communicating with their boss. The hacker could then send a link to a malicious Word document, for example, that could install a keystroke logging program on a machine.
"In one swoop, you can become the boss, or human resources or accounts," wrote Chris Boyd, senior research manager with FaceTime Communications, via instant message.
Boyd said if the original spoofed accounts are still active, Microsoft should try to shut them down as soon as possible. But it could be difficult, especially if Microsoft is not aware of the flaw and can't track the spoofed accounts.
Other stories by Jeremy Kirk
Copyright 2006 IDG News Service, International Data Group Inc. All rights reserved.
Riverbed RiOS 4.0: Raising the Bar in Wide Area Data Services
Forrester Research: Defining a Mobile Enterprise Policy
Windows Mobile Users Capture Value from Mobile Applications
Mobility for the People- Ready Business
Mobility Solutions in Enterprise-Size Businesses: Quantifying the Return on Investment (IDC Study)
Symantec Data Center Foundation Solutions
Windows Mobile Series: Improving Mobile Security and Management Webcast
Solutions to the Toughest IT Challenges in Remote Offices Webcast
Get Control of Mobile Data (and More): Improve security and reduce costs with a mobility management platform (Video webcast)
The Universal Wireless Client: How to simplify mobility and reduce the cost of supporting mobile workers (Video webcast)
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
ProCurve Access Control Video
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Lithuania: Attacks Focused on Hosting Company
Google Bows to Pressure, Adds 'Privacy' Link to Home Page
TSMC Says 2Q in Line Or Better After Major Customer Falls
Asustek to Offer Eee PC with Built-in 3G Wireless
Asustek's Latest Eee PCs Shipping in Asia in July
Lenovo Seeks Prestige in Price-Sensitive Market
Microsoft's Silverlight Draws Patent Suit
A Tale of Two City Wi-Fi's
Google Under Pressure As App Engine Requests Rise
Wall Street Beat: IT Slumps in First Half
How To Do Nearly Anything
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
