[ISN] No One at Home

From: InfoSec News (isnat_private)
Date: Fri Dec 20 2002 - 02:13:12 PST


    [I should also point out all these "out of the office" messages are
    ideal for the social engineer. Then calling the help desk as your
    "assistant" looking for a password reset, to get that Powerpoint file
    for the budget, otherwise we might all be out there looking for a new
    job, and collecting unemployment. :)  - WK]

    By Andrew Chang

    Dec. 19 - Office workers who set up their e-mail to leave an "out of
    office" message when they're on vacation may be setting themselves up
    as victims of burglary - without even knowing it.

    British technology group Tif recently warned that thieves could be
    buying huge lists of e-mail addresses, and sending mass-mailings in
    the hopes of receiving auto-replies to find out who could be on

    Then, after obtaining the e-mails, thieves could cross-reference them
    with publicly available personal information to find the
    vacation-goer's name, telephone number and address.

    "You wouldn't go on holiday with a note pinned to your door saying who
    you were, how long you were away for and when you were coming back, so
    why would you put this in an e-mail?" said David Roberts, Tif's chief

    "If employees or frequent home users do not understand some of the
    potential consequences of using a feature intended to help
    relationships with colleagues and customers while away from the office
    or on holiday then they may become the victim of a crime," he said.

    Protect Yourself

    The Justice Department and the FBI said they did not have any
    current investigations of such crimes underway, but FBI public affairs
    officer David Wray told ABCNEWS the FBI watch section "has some
    indication that there might be some of this activity."

    Mark Rasche, vice president of cyber-security firm Solutionary, said
    it's "common sense" that such a crime could take place in the United
    States - especially in the holiday season, when many people will be
    away from home.

    But there are ways to prevent becoming a victim, Rasche said. There is
    some expectation with e-mail that people respond as soon as possible,
    he said, so not using an "out of office" auto-reply is out of the

    Computer users can make their out of office replies as vague as
    possible though, he said. "Some people leave a very detailed out of
    office message with notes like 'I will be in the Philippines for two
    weeks,'" he said.

    Having an address that is not associated with your name, and having an
    unlisted home phone number can help too, he said.

    Tif's information security group also suggested users redirect
    enquiries to another colleague and refrain from giving out details like
    personal contact information or job title in such replies.

    Double-Edged Sword

    The "out-of-office" burglary scheme might be one of the perils of
    technology, but technology can provide solutions too, Rasche said.
    "The Lord giveth and the Lord taketh away."

    Users can set up a spam filter so that their out-of-office replies go
    only to designated people - colleagues, for instance. Workers who will
    be away from home can also use the Internet to keep an eye on an empty
    house, he said.

    Rasche says he has set up a remote motion detector camera in his
    house, so he can see if there's anything moving in his house when he's

    But there's no way to absolutely guarantee you won't be a victim of
    burglary when you're away from home, he said. The "out-of-office" scam
    is no different than thieves who use travel agencies or security
    companies or newspaper deliveries to find out when people aren't home.

    "It's just a high-tech way of doing things that can be done in a
    low-tech way," he said.

    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 20:08:08 PST
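
An added example, not part of the original article or of the ISN post: the two pieces of advice above (send out-of-office replies only to designated people, and keep the reply vague) sketched as a Python policy check for an auto-responder. The allowed domain, the sample messages and the leak patterns are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only senders in the user's own organisation get an auto-reply.
ALLOWED_DOMAINS = {"example.com"}

# Hypothetical patterns for details a vague reply should not contain.
LEAK_PATTERNS = {
    "duration": re.compile(r"\b(?:\d+|one|two|three|four)\s+(?:days?|weeks?|months?)\b", re.I),
    "return date": re.compile(r"\b(?:until|back on|return(?:ing)? on)\b", re.I),
    "phone number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def should_auto_reply(msg, allowed=ALLOWED_DOMAINS):
    """Return True only for personal mail from a designated sender domain."""
    # Never answer automated, bulk or list mail (the guidance in RFC 3834).
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False
    # From is forgeable; a deployment would also require an SPF/DKIM pass.
    _, addr = parseaddr(msg.get("From", ""))
    return bool(addr) and addr.rpartition("@")[2].lower() in allowed

def decide(raw):
    """Parse a raw RFC 5322 message and apply the reply policy."""
    return should_auto_reply(message_from_string(raw))

def leaky_details(reply_text):
    """List the kinds of revealing detail found in a draft reply."""
    return sorted(k for k, rx in LEAK_PATTERNS.items() if rx.search(reply_text))

# Constructed sample messages and replies (not real traffic).
COLLEAGUE = "From: Pat <pat@example.com>\nSubject: budget\n\nhi\n"
BULK = "From: Offers <deals@bulk.invalid>\nPrecedence: bulk\nSubject: sale\n\nhi\n"
STRANGER = "From: X <someone@elsewhere.invalid>\nSubject: hello\n\nhi\n"
DETAILED = "I will be in the Philippines for two weeks"
VAGUE = "I cannot answer e-mail right now. For urgent matters contact helpdesk@example.com."

if __name__ == "__main__":
    for name, raw in (("colleague", COLLEAGUE), ("bulk", BULK), ("stranger", STRANGER)):
        print(name, "->", "reply" if decide(raw) else "stay silent")
    for draft in (DETAILED, VAGUE):
        print(repr(draft), "->", leaky_details(draft) or "ok")
```

The stranger case is the one that matters for the harvesting scenario in the article: mail from a purchased address list need not carry any bulk headers, so the allowlist, not the header checks, is what keeps the auto-reply from going out.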