
Out-Of-Office Messages Are a Security Risk - zdw
https://lonesysadmin.net/2019/02/03/out-of-office-messages-are-a-security-risk/
======
tptacek
Stuff like this is what keeps organizations from taking corpsec guidance
seriously. Whatever the infinitesimal risk you accept by setting an
autoresponder, it's dwarfed by the risk of convincing the rest of your team
that you're a crank, and that what you have to say about phishing and email
attachments isn't to be taken seriously.

~~~
Moodles
I agree absolutely. It's similar to previous companies I've worked at that do
phishing test emails for all their employees (usually at 9am on a Monday).
There's little evidence it works, it is security theater and generally harms
productivity. Knowing when not to bother people about security can be really
helpful.

~~~
bplankers
Followed immediately by HR sending an unsigned email about critical deadlines
for benefits or something, telling you to click a link and/or a PDF
attachment.

~~~
gizmo686
The most obvious phishing email I ever received was from some random domain
informing me I had not taken the required anti-phishing training and to please
click the link to take it. Like a good employee, I sent the email to our spam@
account and didn't give it any more thought. A month later, my manager comes
in and informs me that the anti-phishing training is not optional and I had a
week to complete it.

~~~
Wowfunhappy
At a large company, shouldn't someone be monitoring the address where people
report phishing, who can tell you if a reported message is legitimate?

I work at a small company, so I don't know if this is how any IRL
organizations work, but it's how I assumed the procedure went.

~~~
TeMPOraL
Anecdote time:

At one of my previous jobs, there was this big part of intranet that was used
by sysadmins, and various other people from fields other than software
development. My team didn't have to deal with it, so we weren't even aware of
it, much less had access to it. One day, however, someone wanted me to review
a document from there. I bounced off the "Unauthorized" error, and dutifully
followed the instructions to fill in an appropriate box with a justification,
and sent a request to be granted access.

The issue wasn't critical, so I didn't pester anyone about it, just patiently
waited for the access, re-filing my request every other month. Many months
later, with me still not getting access, I eventually brought this up to my
boss, who then smiled and told me that this access request form literally goes
to /dev/null. Apparently after some software migration, no one bothered to
connect this to anything.

------
arkadiyt
As always with security the first thing to ask is "What is your threat model?"

This person's threat model seems to be people who email him for a legitimate
business reason, but see that he's away & take the opportunity to attack him?
I just don't buy it - I think there is nothing wrong with always setting an
autoresponder.

~~~
throwawaymath
Yeah, this is a stretch...

I'm getting pretty tired of this kind of thing. It's pretty clear to me that
the infosec industry (within appsec and netsec at least, not risk and
compliance) is bifurcated into two distinct groups. The first group consists
of people who have real technical expertise, find serious vulnerabilities and
make concrete suggestions about legitimate issues.

The second group, and the one I see more and more often (especially in bug
bounties), consists of people who find ridiculous "security" "risks" in all
manner of things. They're not appsec or netsec people but they _think_ they're
identifying actual security issues. Sometimes they point out superfluous
implementation issues but more often than not they're writing articles like
this - nitpicking the design of a thing without clarifying their threat model
and with only a vague grounding in the potential risk of compromise.

I mean did we really need a security PSA about the risk of email
autoresponders? Come on.

~~~
userbinator
I have heard the term "security vultures" being applied to the second group,
and wish it was more common (the term, not the group...)

~~~
CoreSet
I like "security fatalism" for the underlying behavior.

------
chias
Or you just check the box that says "only send to people at my organization".

~~~
sm4rk0
What if you are working mainly with customers? BTW, the article says:

> Set the autoresponse to the smallest group possible. In many cases you can
> narrow it down to coworkers, and/or have a different message for people
> inside your organization than outside your organization.

~~~
bigiain
I think the context of the blog post, "the lonely sysadmin", means "working
mainly with customers" isn't its target audience.

Bikeshedding for a moment, I suspect the right response for people "working
mostly with customers" is for the CRM to automatically re-route known-customer
and cold-call emails to someone else on the "working mostly with customer"
team, instead of first up telling customers or leads "Sorry, Bob's away for 2
weeks", which is _never_ going to be the message you want to be sending
there...

------
joegahona
> Don’t tell people anything more than they need to know. Does everybody
> really need to know where you’ve gone and how long? Probably not. You’re
> just gone. Set some expectations around response time, though.

That's a borderline contradiction.

~~~
bplankers
True -- fixed. Thanks.

------
kazinator
'Don't record "we're on vacation"' on your home phone answering machine is
_ancient_ knowledge/advice.

~~~
yjftsjthsd-h
Indeed - who has an answering machine these days?

~~~
kiwijamo
Most people have voicemail which is pretty much the same thing.

~~~
yjftsjthsd-h
In general, touche. For this context, there's a meaningful difference:
voicemail, unlike an answering machine, is accessible from anywhere, so
there's no reason to set a "we're out of town" message.

------
arachnids
https://twitter.com/natashenka/status/974822101067612161

~~~
O_H_E
Next time a little comment would go a long way toward conforming with HN guidelines.

------
scarface74
I haven’t seen any mention of his other point.

“If you’re gone be gone.”

I don’t respond to emails on vacation or after I get off of work. Not even
meeting invites. If I happen to be working late trying to figure out
something, I make it a point not to let anyone know. I don’t want to set the
expectation that I’m always reachable.

I have a project manager and a QA person who will send me messages on our
Slack channel. They ask me if I saw it; I tell them when I'm home, I'm home.

One exception is that I will answer an email to our offshore team, but even
then I take the local developers and manager off of the email list.

------
nradov
Microsoft Outlook allows separate settings for internal versus external
out-of-office messages. There's no real security risk in telling my work
colleagues where I am.

~~~
city41
Google allows you to limit out of office messages to within the company as
well.

------
willart4food
Even worse: Social media posts of traveling/vacation.

------
Cyclone_
Important to keep in mind that security is always balanced with convenience.
Individuals need to just judge how much "risk" they want.

------
duxup
This reads like something someone logiced out in their head but has no basis
in any information that indicates if any of this is a real risk.

------
lazylizard
2 cents on the topic. Potentially. Autoresponders let spammers know it's a
live mail account. It can also become a backscatter problem.

------
_asummers
I fail to see how being out of office and not responding to work email has any
relevance to a person not recognizing when their bank accounts are being
zeroed. I also fail to see the vector by which someone being out of office
gives an attacker access to their bank accounts.

------
graybored
Q "Hey, did you get my email? I'm following up. That thing X needs to be done
and they are asking me why not."

A "Well, I was out of office. Jamaica is amazing... have you been?"

Q "No, uhm, so the thing is that we are going to lose 5 bajillion dollars if
this is not done by 2 pm."

A "Jerk chicken. It's just like my mind opened up to a whole new way of seeing
the world.... "

Q "Right so.. .. will we be able to have that paper by noon maybe? Then I can
get it signed and we can rush it back to the.."

A "No, sorry, it takes 3 days to send it through Central, then West has to
backsearch the kumquats, it's not something I really have control over."

Q ".... was your out of office not working? I couldn't see it.. I mean I
thought you were there..."

A "No, that's a security risk. I wouldn't want us to lose money due to some
scammer."

Q "What.. is that some new IT policy? I don't remember seeing that..."

A "No, no, I read about it on this site for experts in computer stuff, it's
called Hacker News, you should check it out."

------
dana123
Out of office? It's an invitation to a thief with the address attached in the
signature.

~~~
Haydos585x2
Is it? If I leave for a week is it assumed all of my coworkers also leave, our
doors unlock and alarms are off?

Maybe that's a risk for a single person working in a coworking space. Probably
less so for companies that have >1 employee.

