|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Out of office/vacation messages
On Fri, 02 Jan 2004 10:13:28 PST, "Rachel K. Warren" <[email protected]> said: > Sometimes you have no choice but to run a Windows mail client - it's called > your company forcing you to a standard mailer. It's not something I have > liked doing in the past, but having your management heavily disaprove of > using something outside of standard is usually not a good thing. Wave the "security issue" flag at them on this one. There's a number of good security reasons to not use software that blabs in response to mailing list mail: 1) If this is a reply to a message from a mailing list that you usually "lurk" on, your subscription to the list has just been revealed (probably to every person who is posting - possibly to the entire list if your responder replied to the list). 2) The fact you are "Out of your office" could reveal information to a hacker. 2a) The hacker now knows that you aren't watching your PC very carefully, and thus it's possibly a better target for a hacking attempt. 2b) If the hacker has gotten a message "George Smith is at a client site until Aug 30", he can try calling your company and saying "This is George.. I'm at the client's site, and I can't get to the corporate net. Can you reset my password so I can get the documents I need to close this deal?". This is an amazingly effective "social engineering" attack. 2c) The software most responsible for these errant messages is also well-known for multiple security issues - and quite often even puts its exact version in the X-Mailer header. This allows an attacker to send you a malicious e-mail message (specially selected for your software version), for you to read when you get back (and are probably buried under many messages and not paying as much attention to the contents as you should). If that doesn't work, point the PHB at this: http://news.bbc.co.uk/1/hi/technology/3290251.stm Only 2 out of the top 10 viruses/worms for last year did *NOT* target Outlook. Then ask the PHB if they have any legal criterion of "due care" that would put them at risk of being negligent for continuing to run their business in a known dangerous manner. Attachment:
pgp00001.pgp
|