Educause Security Discussion mailing list archives
Re: phishing irony
From: Leo Song <song () UOGUELPH CA>
Date: Fri, 13 Feb 2009 10:40:28 -0500
Has anyone done or thought of applying an e-mail content filter at edge MTAs, to "catch" all outgoing e-mails with "username password" in the message body, and auto-reply to staff / students?

Leo Song, Cluster Lead - Networking and Security
(519) 824-4120 x 53181
CCS, University of Guelph

----- Original Message -----
From: "Ozzie Paez" <ozpaez () SPRYNET COM>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, February 13, 2009 9:41:02 AM GMT -05:00 US/Canada Eastern
Subject: Re: [SECURITY] phishing irony

James - You are right in that passwords are not ever logged - users are identified so that they can be contacted. Some cultures are really sensitive to issues of trust and it can come up, which is why it is important to explain that this is being done to protect everyone. It is also important that the communications be light enough that they get people to think without feeling like they were just targeted. Light humor could work in this regard. Ultimately, users need to understand that almost every vulnerability study points to them as a group as being a key security vulnerability, so they are being helped with these strategies.

Hope it helps,
Ozzie Paez
SSE/CISSP
SAIC
303-332-5363

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James
Sent: Friday, February 13, 2009 6:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] phishing irony

Maybe I've missed your point entirely, but sending out your own phish emails to see who replies doesn't change the "IT dept. will never ask for my password" rule. People are not supposed to reply; the rule still holds. Anyone who does reply hasn't followed the rule, and you get to know about it and educate them before they reply to a real phish.

James

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Friday, February 13, 2009 4:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] phishing irony

On Thu, 12 Feb 2009 09:55:25 CST, "HALL, NATHANIEL D." said:
> Why stop sending examples? To me it seems like a perfect opportunity to educate those users who responded.

What little gain you get in education is *vastly* outweighed by the fact that you can no longer say "WE NEVER ASK FOR PASSWORDS IN EMAIL". You might be able to get that 7-word version to stick in the average user's brain. You start trolling your users like this, and what they'll *remember* is: "IT doesn't ask for our passwords in e-mail, except if it's a training event, oh and didn't I hear from somebody down the hall they'd do it if they lost the password database and had to rebuild it, just like this e-mail says they're doing, and 2 or 3 other cases they'd do it even though they usually don't..."
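The outbound content filter Leo Song asks about, worked through as an added example that is not part of this thread or of any university's actual filter. It parses a message the way a milter or MTA content hook would see it, looks for a username-style and a password-style "label: value" line in the text body, and produces the awareness auto-reply. The label patterns, the helpdesk address, the example.edu / example.net addresses and the two sample messages are constructed assumptions for this example; the filter deliberately never returns or logs the matched values, in line with Ozzie Paez's point that passwords are not ever logged.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption for this example: a reply to a credential-phishing request tends to
# carry both a username-style and a password-style "label: value" line. Only
# the label is used; the value is matched so we know a value is present, but it
# is never stored, returned or logged.
LABEL_RE = re.compile(
    r"^\s*(?P<label>user\s*name|user\s*id|login|password|passwd)\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE | re.MULTILINE,
)
USER_LABELS = {"username", "userid", "login"}
PASS_LABELS = {"password", "passwd"}


def _plain_text_body(msg):
    """Return the concatenated text/plain parts of a parsed message (headers excluded)."""
    parts = []
    candidates = msg.walk() if msg.is_multipart() else [msg]
    for part in candidates:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def looks_like_credential_reply(raw_message):
    """True when the body carries both a username-style and a password-style line.

    A message that merely mentions the word "password" in running text (a policy
    reminder, say) does not match, because the label must start a line and be
    followed by a value.
    """
    body = _plain_text_body(message_from_string(raw_message))
    kinds = set()
    for m in LABEL_RE.finditer(body):
        label = re.sub(r"\s+", "", m.group("label").lower())
        kinds.add("user" if label in USER_LABELS else "pass")
    return kinds == {"user", "pass"}


def filter_outbound(raw_message, helpdesk="helpdesk@example.edu"):
    """Decide what the edge MTA should do with an outbound message.

    Returns ("accept", None) for ordinary mail, or ("hold", reply) where reply is
    the awareness auto-reply addressed to the original sender. "hold" lets the
    MTA quarantine the message instead of delivering the credentials off-site.
    """
    if not looks_like_credential_reply(raw_message):
        return "accept", None
    original = message_from_string(raw_message)
    _, sender = parseaddr(original.get("From", ""))
    reply = EmailMessage()
    reply["From"] = helpdesk
    reply["To"] = sender
    reply["Subject"] = "Re: " + original.get("Subject", "")
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    reply.set_content(
        "This message appears to contain an account username and password and\n"
        "was not delivered. IT will never ask for your password by e-mail.\n"
        "If you were replying to such a request, please change your password\n"
        "now and contact the helpdesk at " + helpdesk + ".\n"
    )
    return "hold", reply


# Constructed sample messages (not real mail): one credential reply, one
# ordinary message that mentions passwords without containing any.
SAMPLE_REPLY = """From: student@example.edu
To: account-verify@example.net
Subject: Re: Urgent: confirm your mailbox
Message-ID: <constructed-1@example.edu>

Here is my information as requested.
Username: jdoe
Password: hunter2
"""

SAMPLE_NORMAL = """From: staff@example.edu
To: colleague@example.edu
Subject: password policy reminder

Reminder: never send your password in e-mail. The policy document is attached.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_REPLY, SAMPLE_NORMAL):
        action, reply = filter_outbound(raw)
        print(action, "->", reply["To"] if reply else "delivered unchanged")
```

The check is intentionally narrow (label at line start, value present) so that a reminder e-mail about password policy or a help-desk ticket mentioning "password reset" does not trigger it; in production the pattern list would be tuned against the institution's own mail, and the hold action should feed a ticket to the security team rather than silently dropping the message.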