Forwarded from: rferrellat_private

> Social engineering is the human side of breaking into a corporate
> network. Companies with authentication processes, firewalls, VPNs
> and network monitoring software are still wide open to an attack if
> an employee unwittingly gives away key information in an email, by
> answering questions over the phone with someone they don't know or
> even by talking about a project with coworkers at a local pub after
> hours.

One prime source of information that I seldom see mentioned is vacation messages generated by SMTP agents. Setting aside for now the fact that a lot of brain-dead email programs rudely send out these things in response to every incoming message, no matter the source, a distressing number of people include not only their complete contact information, but details about the projects they're working on (even including internal code names), title and responsibilities of other employees in the company, and even details about their own and other employees' short-term and long-term schedules.

Acceptable vacation message policy should quite definitely be spelled out as part of the overall infosec operational plan.

RGF

Robert G. Ferrell
rferrellat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 04:56:03 PDT