Re: Out of office/vacation messages

[David Scott Olverson <olverson () fas harvard edu>]

> The hacker now knows that you aren't watching your PC very carefully, and
> thus it's possibly a better target for a hacking attempt.

Does an out of office message indicate I'm not watching my PC?
That's a little unclear to me.  Wouldn't these messages come
from an Exchange server and not my PC necessarily, at least in
the case of Microsoft products?  My PC could just as easily be
shutdown for the holidays, no?

2ndly, off the top of my head, it's unclear to me that it's an easy matter
to map someone's e-mail address to a specific machine on their network.  I
guess perhaps the machine might be named for that individual perhaps.
Maybe someone has worked on that one a bit more???

> This allows an attacker to send you a malicious e-mail
> message (specially selected for your software version), for you to read
> when you get back (and are probably buried under many messages and not
> paying as much attention to the contents as you should).

This type of negligence doesn't seem to be limited to those with out of
office replies set.  I've seen people repeatedly do that even after being
specifically warned not to as well.  :)

Dave Olverson

On Fri, 2 Jan 2004 Valdis.Kletnieks () vt edu wrote:

> On Fri, 02 Jan 2004 10:13:28 PST, "Rachel K. Warren" <rachel () plur net>  said:
>
> > Sometimes you have no choice but to run a Windows mail client - it's called
> > your company forcing you to a standard mailer.  It's not something I have
> > liked doing in the past, but having your management heavily disaprove of
> > using something outside of standard is usually not a good thing.
>
> Wave the "security issue" flag at them on this one.  There's a number of good
> security reasons to not use software that blabs in response to mailing list mail:
>
> 1) If this is a reply to a message from a mailing list that you usually "lurk"
> on, your subscription to the list has just been revealed (probably to every
> person who is posting - possibly to the entire list if your responder replied
> to the list).
>
> 2) The fact you are "Out of your office" could reveal information to a hacker.
>
> 2a) The hacker now knows that you aren't watching your PC very carefully, and
> thus it's possibly a better target for a hacking attempt.
>
> 2b) If the hacker has gotten a message "George Smith is at a client site until
> Aug 30", he can try calling your company and saying "This is George.. I'm at
> the client's site, and I can't get to the corporate net. Can you reset my
> password so I can get the documents I need to close this deal?".  This is an
> amazingly effective "social engineering" attack.
>
> 2c) The software most responsible for these errant messages is also well-known
> for multiple security issues - and quite often even puts its exact version in
> the X-Mailer header.  This allows an attacker to send you a malicious e-mail
> message (specially selected for your software version), for you to read when
> you get back (and are probably buried under many messages and not paying as
> much attention to the contents as you should).
>
> If that doesn't work, point the PHB at this:
>
> http://news.bbc.co.uk/1/hi/technology/3290251.stm
>
> Only 2 out of the top 10 viruses/worms for last year did *NOT* target Outlook.
>
> Then ask the PHB if they have any legal criterion of "due care" that would put
> them at risk of being negligent for continuing to run their business in a known
> dangerous manner.