Penetration Testing mailing list archives

Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]


From: Pete Herzog <lists () isecom org>
Date: Tue, 16 Sep 2008 19:27:31 +0200

Actually, I do think that story is a bit stretched. But I do know a story which sounds more realistic and is real too:

A few headhunters in NYC were watching the OOOs (OOPs) of some top-talent Electrical Engineers at various firms waiting to catch them away from work. With some document grinding -- dating sites, Facebook, etc. -- they knew what these people wanted and exactly how sweet the deal needed to be to get them to jump ship. When the "regular" mails came back with OOOs, the headhunters went to work on them to meet them in their neighborhood, offer them basketball tickets to make informal meetings with clients, and other tricks. The OOOs themselves weren't detrimental but they gave the headhunters a clue as to when to act best when the engineers had their guard down and weren't thinking of the office. They nabbed a lot of engineers that way.

That was back in the dotcom era but I think headhunters are no less aggressive today. Anyway, at the very least, I try to explain it this way:

An OOO is an interaction and sometimes with an unknown person. All interactions which don't add to business or save money are bad. Interaction is required to steal something either directly or indirectly. If the OOO is necessary for the work done by the business then it has no benefit and is an unnecessary interaction and may lead to theft whether by a clever hacker, an eager head hunter, or....

We reduce all interactions to only those necessary and we save ourselves and others a lot of grief. Hear that you people still bouncing SPAM and Virus mails back to the forged domains your mail server thinks it actually came from!

-pete.

www.isecom.org
www.osstmm.org
www.hackerhighschool.org



Tim March wrote:

I didn't miss the point -- just found the story questionable.


T.

Pablo Cardoso wrote:
Tim, I'm guessing you missed the point. The secretary called the tech-support of Joe's company, she was the one requesting the /etc/shadow file from the server :P!!!

Excellent scenario, Jon, thanks for sharing!

Regards,
Pablo Cardoso

On Mon, Sep 15, 2008 at 2:39 AM, Tim March <march.tim () gmail com> wrote:
A secretary with access to the '/etc/shadow' file... and the means to pull it off of the machine and into her email client... *giggles to self*

