Information Security News mailing list archives

Human Factor Wild Card in IT Performance


From: InfoSec News <isn () c4i org>
Date: Tue, 29 Apr 2003 02:24:41 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.arabnews.com/Article.asp?ID=25690

Molouk Y. Ba-Isa, Arab News Staff

ALKHOBAR, 29 April 2003 - The incident I am about to reveal today is
so bizarre that it might seem to be the stuff of fantasy.
Unfortunately, it's not. This extremely weird fiasco does make me
wonder though if people put on their thinking caps before they go to
work each morning in Saudi Arabia. The incident involves a Saudi bank
and in good conscience I can't say which one - not to protect the
bank, but to protect the bank's customers.

The whole crazy mess got started on April 23 when the bank sent out a
message to a group of its Internet banking users. The message read in
part:

"As a valued member and as part of our services enhancement strategy,
we invite you to give us your appreciated feedback and comments. This
would enable us to serve you better...Kindly be mindful of
safeguarding your subscriber ID and password. Rest assured, your
accounts are secured and protected with us. Please feel free to call
us on our toll-free number for further clarifications. We look forward
to an everlasting relationship with you."

I want to emphasize here that it was not the bank's message that was
the problem. It's what happened next. A man named Riyadh received the
message. He had a problem and he wanted the bank to help him. On April
26, he sent the administrators of the Internet banking service the
following communication:

"Thank u for your nice message. For me I forget my user ID & password.
So could you help me on this matter? Best Regards."

Once again, I must emphasize that there was nothing bad about Riyadh
sending the bank an e-mail. The problem occurred in how he addressed
the message. You see, instead of simply clicking on "reply" in the
original message, Riyadh clicked on "Reply all." That still might not
have created a crisis except that the bank's mail server was
incorrectly configured. When Riyadh clicked reply all, two e-mail
addresses came up. The first one was for the bank's administration.
The second one was for a group of Internet banking customers. When it
received Riyadh's e-mail, the bank's incorrectly configured mail
server sent out Riyadh's request for his user identification and
password to everyone - both the bank's administration and the bank's
customers.

When they received the strange e-mail, some customers in the Internet
banking group realized immediately what had happened and simply phoned
the bank to report a problem with the mail server. Unfortunately, one
man, Samir, who wasn't so knowledgeable about IT, went bananas and
sent out an aggressive message in reply to Riyadh's e-mail. Even
worse, instead of typing in only Riyadh's address on the new mail,
Samir clicked reply on the original e-mail he'd received from Riyadh.
Since the e-mail was already primed to go out to everyone - the bank's
administration and customers, the nasty message was received by all,
including Riyadh. It read:

"Who are you? How come I am getting your request? Which user ID are
you talking about? Are you sure about what you are asking for? Kindly
go to the bank near you and find out what is to be done. I am holding
the bank responsible for this if they release my ID and password.
Watch out."

I am sure that many of you can imagine what happened next. Customers
in the Internet banking group freaked out. Some sent messages directly
back to the concerned individuals but others clicked reply and their
e-mails went to everybody. Those individuals revealed their primary
e-mail addresses and, in most cases, their full names, to a bunch of
people they don't know. Let's hope that all customers in that Internet
banking group are decent folks because that information could be used
for spoofing, SPAM registration or even as a starting point for
identity theft.

On the evening of April 26, the bank sent out a message to all their
abused Internet banking customers. Please note, the text is exactly as
sent by the bank. It read:

"This is to bring to your attention to a recent incident that you
might have been part of. We have created a mailing group for our
continuous strive to better communicate with you. Unfortunately, the
setting of this e-mail address allowed your reply to be viewable by
the bank's administration as well as some other users. This
involuntary fault has been remedied and you will no longer receive
non-bank authorized e-mail. We apologize for any inconvenience that
this mishap may have caused you. Nevertheless, we assure you that
there has been no compromise on your privileged information
whatsoever. Again, make certain that your account transactions and
information are secure and protected with this bank. Trust your
understanding."

Yes, ladies and gentlemen, trust your understanding of this situation.
The incorrect configuration of the bank's mail server was most likely
unintentional - it was not involuntary.

[...]

*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
