Is there any fundamental reason your corporate email system couldn't, for example, just not interoperate with the rest of the Internet, at least by default? I understand if this doesn't work for people in sales or consulting or whatever, but 90-99% of my work email is entirely within the same company, and I think it would be less onerous and more secure to just block external email by default and use a separate, secured system when you had to email anyone outside the company.
A friend of mine works in industrial safety. He sees this a lot. He told me the rule "Jedes Verbot braucht ein Gebot", which roughly translated means "Every thing that is forbidden should be accompanied by a permission". So you can't just forbid people to smoke somewhere, you have to find a place where they can smoke. Otherwise they might find one themselves.
But how? They could only email with other people who also used their personal gmail for work—they couldn’t book conference rooms or look up anyone they hadn’t emailed before.
I suppose it depends on how we measure effectiveness. What was the false positive rate you observed in addition to the marked increase in reports of real phishing attempts? It would be interesting to see what impact the "blame and train" internal phishing has on overall company productivity compared to just not doing it.
What's with https://h20195.www2.hpe.com/? Why?
I work at a small company, so I don't know if this is how any IRL organizations work, but it's how I assumed the procedure went.
At one of my previous jobs, there was this big part of intranet that was used by sysadmins, and various other people from fields other than software development. My team didn't have to deal with it, so we weren't even aware of it, much less had access to it. One day, however, someone wanted me to review a document from there. I bounced off the "Unauthorized" error, and dutifully followed the instructions to fill in an appropriate box with a justification, and send a request to be granted access.
The issue wasn't critical, so I didn't pester anyone about it, just patiently waited for the access, re-filing my request every other month. Many months later, with me still not getting access, I eventually brought this up to my boss, who then smiled and told me that this access request form literally goes to /dev/null. Apparently after some software migration, no one bothered to connect this to anything.
I think it shouldn't be too hard to write an Outlook plugin to do this.
Imagine if someone from your benefits provider called and asked for your social security number or other PII for confirmation. Would you give it to them? I hope not. You should ask (as I always do) for their name and extension and tell them that you'll return their call through a published telephone number. Never once have I had someone balk at that, and I've done it countless times for many years.
For a link to a benefits provider, it's trivial to log into the portal through a known good domain and look around for whatever piece of information or news they were trying to communicate.
The hard issues come with all the random services HR contracts for stuff like harassment training, etc. If I can't corroborate a link myself then as a last resort I can simply ask HR (or w'ever department) directly, or as previously said just ignore it and wait for someone to say something.
At some point the usage of so many third-party services is just an insane security risk. It's almost comical when the corp security team runs a phishing test and on the same day you get a half-dozen e-mail messages from other departments with twice as many links to random domains. At some point you're just like, "fsck 'em" and have half a mind to not bother caring anymore. But it's not just their security on the line, it's yours, too.
I still use mutt for personal e-mail so maybe this is all easier for me. I've yet to become accustomed to hidden links or embedded multimedia in e-mail.
The kicker was when they told us that, if our mobile devices become more than a few years old, we just had to buy new ones in order to stay secure. I was flabbergasted. This is speaking about our own personal devices, not company-issued ones. Seriously, the gall to make people think the only way to be safe is to spend hundreds of dollars on new phones every 2 years.
It's just bizarre, and it's never been applicable in any of my workplaces. And I have worked for large, global law firms on quite famous litigation with huge international conglomerates as clients -- as a poorly paid grunt, not an associate, but that just meant I had more direct access to sensitive documents. I've probably received ~100 "phishy" emails over the years, and zero of them have been actual phishing attempts. Just more of that "the molesters are waiting around every corner and hiding behind every tree" nonsense, now migrated into the workplace.
Sure, there is a lot of security theater, but I think it's important to understand that for attackers it's definitely worth spending a couple of hours on research. A successful email can quickly reach a five-figure reward.
Source: I work in email security
As for the smartphone example: they could just have said to make sure you always have the most recent version of the OS, which is quite easy if you own a certain brand of smartphones, and can be frustratingly difficult if you use something else. I'm sorry to say but they were right: most vendors don't care for customers who have devices older than a few years because they don't bring them any money. It's a general problem in the industry, nothing surprisingly new.
I already have your team structure from LinkedIn. I probably know about your trip from Facebook or Instagram. I don't really care when you get back, because I'll be stealthy either way.
This person's threat model seems to be people who email him for a legitimate business reason, but see that he's away & take the opportunity to attack him? I just don't buy it - I think there is nothing wrong with always setting an autoresponder.
I'm getting pretty tired of this kind of thing. It's pretty clear to me that the infosec industry (within appsec and netsec at least, not risk and compliance) is bifurcated into two distinct groups. The first group consists of people who have real technical expertise, find serious vulnerabilities and make concrete suggestions about legitimate issues.
The second group, and the one I see more and more often (especially in bug bounties), consists of people who find ridiculous "security" "risks" in all manner of things. They're not appsec or netsec people but they think they're identifying actual security issues. Sometimes they point out superfluous implementation issues but more often than not they're writing articles like this - nitpicking the design of a thing without clarifying their threat model and with only a vague grounding in the potential risk of compromise.
I mean did we really need a security PSA about the risk of email autoresponders? Come on.
This lack of any concept of a threat model was precisely why his (considerable) effort was totally wasted and I can imagine similar "researchers" giving the industry as a whole a bad name.
Along the lines of "John and I had a payment planned, but he's out of the office, can you send it to [fake destination]?"
But, like other people have noted, you also have to weigh the chance of that happening in real life. It seems like the amount of planning on the attacker's part would be significant enough that if they could pull it off, they would have found easier targets by then.
A guy in an Accounts Receivable role got phished. He went on a two week vacation, and bright-and-early on the first day he was out the phisher sent out emails as the vacationing AR person to a number of Customers advising them that remittance processing was being handled by a new third-party. They directed all the Customers to that third-party's "new" bank account. The attacker helpfully put a rule on the guy's Inbox to move new messages from every domain that the attacker emailed directly to "Deleted Items".
One of the Customers thought it seemed a bit fishy and called in to confirm that very first day.
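The attacker's inbox rule in the story above is a detectable artifact: a rule created right after the owner went away that silently routes mail from external senders into Deleted Items. The following is an added example (not the commenter's code) of a review heuristic over exported inbox rules; the rule fields, the sample rules and the `absence_start` assumption are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Folders that keep mail out of the owner's sight; the incident above used "Deleted Items".
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}


@dataclass
class InboxRule:
    """Constructed, simplified shape of an exported mailbox rule."""
    name: str
    created: datetime
    from_domains: List[str]          # sender-domain conditions the rule matches on
    move_to_folder: Optional[str] = None
    delete_message: bool = False


def is_hiding_rule(rule: InboxRule) -> bool:
    """True when the rule removes matching mail from the owner's normal view."""
    folder = (rule.move_to_folder or "").strip().lower()
    return rule.delete_message or folder in HIDING_FOLDERS


def flag_suspicious_rules(rules: List[InboxRule], absence_start: datetime,
                          internal_domain: str) -> List[str]:
    """Names of rules that (a) hide mail, (b) target at least one external
    sender domain, and (c) were created on or after the owner's absence began."""
    flagged = []
    for rule in rules:
        external = [d for d in rule.from_domains if d.lower() != internal_domain.lower()]
        if is_hiding_rule(rule) and external and rule.created >= absence_start:
            flagged.append(rule.name)
    return flagged


# Constructed sample: a benign rule set up before leave, and one matching the attack pattern.
ABSENCE_START = datetime(2024, 6, 3, 0, 0)
SAMPLE_RULES = [
    InboxRule("Newsletters", datetime(2024, 5, 20, 9, 0), ["news.example"], "Newsletters"),
    InboxRule("Internal noise", datetime(2024, 6, 3, 7, 0), ["corp.example"], "Deleted Items"),
    InboxRule("Clean up", datetime(2024, 6, 3, 7, 15),
              ["customer-a.example", "customer-b.example"], "Deleted Items"),
]

if __name__ == "__main__":
    print(flag_suspicious_rules(SAMPLE_RULES, ABSENCE_START, "corp.example"))
```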
If you're some outsider you don't know if that person is really unreachable or if their colleagues can easily reach them on Slack/send them a text/whatever if they have some important question.
And if you are internal/close enough to know their time off plans and that they're going backpacking in the Canadian Arctic, you didn't need the message to tell you they're out of office.
UPD: also, I guess any attacker could just assume that you're Out of Office at night time.
Impersonate the person out of town to escalate to their privilege level.
Imposter: "My password isn't working, can you help me reset it?" Yes, this is unlikely to work in smaller orgs where you know people face to face. It is more likely to work as the org scales up in size (think enterprises with their own helpdesk).
Once you have email and/or other federated access, you have a toehold. Bonus points if you've cloned their work cell SIM or have rerouted SIP for their desk phone to keep them out of the loop. I have seen weaker phishing attacks on financial/accounting staff who have the authority to move millions of dollars of corporate funds.
> Whom would the would-be attackers send this email to?
> Do they send this email from their own email address?
Throw away address or spoofed address from a familiar-to-the-business domain.
> Is there an assumption that sysadmin/support team will blindly reset a password on someone else's request?
This is one assumption.
> How do attackers bypass corporate VPN?
VPN access might not be required to obtain the level of access desired. Do all of your SaaS providers require 2FA? Your business bank accounts?
This is only a few steps above Indian scammers taking remote control of users’ computers and convincing those users to send them hundreds of dollars of gift cards to prevent legal action by the IRS. Consider your average user, not the HN participant.
https://www.youtube.com/watch?v=YVqurfWzB-Q (Hacking Humans : Social Engineering Techniques and How to Protect Against Them - Stephen Haunts)
> Imposter: "My password isn't working, can you help me reset it?"
This doesn't have anything to do with being out of town or autoresponses.
- Whom would the would-be attackers send this email to?
- Do they send this email from their own email address?
- Is there an assumption that sysadmin/support team will blindly reset a password on someone else's request?
- How do attackers bypass corporate VPN?
This is not a hypothetical scenario: almost every year there is some idiot saying they're going on vacation in those mini-interviews in the local newspaper, and then they get their house broken into.
However the probability that someone does email you and is a burglar at the same time is extremely small.
Bikeshedding for a moment, I suspect the right response for people "working mostly with customers" is for the CRM to automatically re-route known-customer and cold-call emails to someone else on the "working mostly with customer" team, instead of first up telling customers or leads "Sorry, Bob's away for 2 weeks", which is _never_ going to be the message you want to be sending there...
This "threat" is a fugazzi. Honestly I can't believe this hit the front page of HN. What a ridiculous "security risk."
> Set the autoresponse to the smallest group possible. In many cases you can narrow it down to coworkers, and/or have a different message for people inside your organization than outside your organization.
That's a borderline contradiction.
“If you’re gone be gone.”
I don’t respond to emails on vacation or after I get off of work. Not even meeting invites. If I happen to be working late trying to figure out something, I make it a point not to let anyone know. I don’t want to set the expectation that I’m always reachable.
I have a project manager and a QA person who will send me messages on our Slack channel. They ask me if I saw it; I tell them that when I'm home, I'm home.
One exception is that I will answer an email to our offshore team, but even then I take the local developers and manager off of the email list.
A "well, i was out of office. jamaica is amazing... have you been"
Q "No, uhm, so the thing is that we are going to lose 5 bajillion dollars if this is not done by 2 pm"
A "jerk chicken. its just like my mind opened up to a whole new way of seeing the world.... "
Q "Right so.. .. will we be able to have that paper by noon maybe? Then I can get it signed and we can rush it back to the.."
A "no, sorry, it takes 3 days to send it through Central, then West has to backsearch the kumquats, its not something i really have control over"
Q ".... was your out of office not working? i couldnt see it.. i mean i thought you were there..."
A "no, thats a security risk. i wouldnt want us to lose money due to some scammer"
Q "what.. is that some new IT policy? i dont remember seeing that..."
A "no, no, i read about it on this site for experts in computer stuff, its called Hacker News, you should check it out"
Maybe that's a risk for a single person working in a coworking space. Probably less so for companies that have >1 employee.