Out-Of-Office Messages Are a Security Risk (lonesysadmin.net)
161 points by zdw 42 days ago | 88 comments

Stuff like this is what keeps organizations from taking corpsec guidance seriously. Whatever the infinitesimal risk you accept by setting an autoresponder, it's dwarfed by the risk of convincing the rest of your team that you're a crank, and that what you have to say about phishing and email attachments isn't to be taken seriously.

My current job lets you set the autoresponder to only autorespond to people in the org. How is that such a bad risk?

It's not a risk. That's a useful feature, but not because there are any security implications.

I agree absolutely. It's similar to previous companies I've worked at that do phishing test emails for all their employees (usually at 9am on a Monday). There's little evidence it works, it is security theater and generally harms productivity. Knowing when not to bother people about security can be really helpful.

I've watched phishing exercise emails work (where by "work" I mean "marked increase in reports of real phishing attempts"), so I'm not sure that's the best example of theatrical corpsec practices.

Possibly stupid question:

Is there any fundamental reason your corporate email system couldn't, for example, just not interoperate with the rest of the Internet, at least by default? I understand if this doesn't work for people in sales or consulting or whatever, but 90-99% of my work email is entirely within the same company, and I think it would be less onerous and more secure to just block external email by default and use a separate, secured system when you had to email anyone outside the company.

What we do (and a lot of companies do) is append [EXT] to the subject line of any incoming message from outside the org. Blocking external email by default will drive people to use their personal gmail for work.
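The "[EXT]" tagging described in the comment above is usually a transport rule on the mail gateway. Here is the same decision written out in Python, as an added illustration rather than code from any mail product: it tags by From: domain, but only trusts an internal-looking From: when the gateway's own Authentication-Results header says DMARC passed, so a spoofed internal sender still gets tagged. The organisation domains, the header layout and the three sample messages are assumptions constructed for the example.

```python
"""Tag inbound mail from outside the organisation with "[EXT]" in the subject.

Added example of the gateway behaviour described in the thread; not code
from any mail product. ORG_DOMAINS and the sample messages are assumptions.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the domains this organisation sends mail from.
ORG_DOMAINS = {"example.com", "corp.example.com"}
TAG = "[EXT]"


def sender_domain(msg: Message) -> str:
    """Domain of the From: header, lower-cased; empty string if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_passed(msg: Message) -> bool:
    """True if an Authentication-Results header records dmarc=pass.

    Assumption: the edge MTA adds Authentication-Results itself and strips
    any copy supplied by the sender, so the header can be trusted.
    """
    results = msg.get_all("Authentication-Results", [])
    return any("dmarc=pass" in str(r).lower() for r in results)


def is_internal(msg: Message) -> bool:
    """Internal only if the From: domain is ours AND DMARC passed.

    A forged From: from outside fails DMARC, so it is still tagged.
    """
    return sender_domain(msg) in ORG_DOMAINS and dmarc_passed(msg)


def tag_subject(subject: str) -> str:
    """Prepend the tag once; replies must not become "[EXT] [EXT] ..."."""
    if subject.upper().startswith(TAG):
        return subject
    return f"{TAG} {subject}".strip()


def apply_policy(raw: str) -> str:
    """Return the (possibly re-tagged) subject for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    return subject if is_internal(msg) else tag_subject(subject)


# Constructed sample messages (not real traffic).
EXTERNAL = """From: vendor@partner.example.net
To: bob@example.com
Subject: Invoice attached
Authentication-Results: mx.example.com; dmarc=pass header.from=partner.example.net

Please see attached.
"""

INTERNAL = """From: alice@example.com
To: bob@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Noon?
"""

SPOOFED = """From: ceo@example.com
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Send it now.
"""

if __name__ == "__main__":
    for raw in (EXTERNAL, INTERNAL, SPOOFED):
        print(apply_policy(raw))
```

The DMARC check is the part that matters: tagging on the From: domain alone lets an attacker avoid the tag simply by forging an internal address.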

This is a problem with a lot of security people. They want to forbid everything to make it safe. But you need to let people do what they want to do, otherwise they will find way more unsafe ways to do it.

A friend of mine works in industrial safety. He sees this a lot. He told me the rule "Jedes Verbot braucht ein Gebot", which roughly translated means "Every thing that is forbidden should be accompanied by a permission". So you can't just forbid people to smoke somewhere, you have to find a place where they can smoke. Otherwise they might find one themselves.

> Blocking external email by default will drive people to use their personal gmail for work.

But how? They could only email with other people who also used their personal gmail for work—they couldn’t book conference rooms or look up anyone they hadn’t emailed before.

They will use personal gmail to email external people only, and internal for internal.

Clearly denoting if the email is unsafe is great. If there is a lot of communication with a few outside orgs then a whitelist could be used.

You might as well use IRC/Slack/HipChat rather than trying to set up your own isolated MX.

Unless you actually want email instead of chat.

I'm going by studies such as these: https://www.computer.org/cms/Computer.org/ComputingNow/pdfs/...

I suppose it depends on how we measure effectiveness. What was the false positive rate you observed in addition to the marked increase in reports of real phishing attempts? It would be interesting to see what impact the "blame and train" internal phishing has on overall company productivity compared to just not doing it.

Followed immediately by HR sending an unsigned email about critical deadlines for benefits or something, telling you to click a link and/or a PDF attachment.

The most obvious phishing email I ever received was from some random domain informing me I had not taken the required anti-phishing training and to please click the link to take it. Like a good employee, I sent the email to our spam@ account and didn't give it any more thought. A month later, my manager comes in and informs me that the anti-phishing training is not optional and I had a week to complete it.

Back when I worked at HP, our anti-phishing training even had a joke in it about how, yes, all HP URLs look exactly like the phishing URLs they were describing...

What's with https://h20195.www2.hpe.com/? Why?

At a large company, shouldn't someone be monitoring the address where people report phishing, who can tell you if a reported message is legitimate?

I work at a small company, so I don't know if this is how any IRL organizations work, but it's how I assumed the procedure went.

Anecdote time:

At one of my previous jobs, there was this big part of intranet that was used by sysadmins, and various other people from fields other than software development. My team didn't have to deal with it, so we weren't even aware of it, much less had access to it. One day, however, someone wanted me to review a document from there. I bounced off the "Unauthorized" error, and dutifully followed the instructions to fill in an appropriate box with a justification, and send a request to be granted access.

The issue wasn't critical, so I didn't pester anyone about it, just patiently waited for the access, re-filing my request every other month. Many months later, with me still not getting access, I eventually brought this up to my boss, who then smiled and told me that this access request form literally goes to /dev/null. Apparently after some software migration, no one bothered to connect this to anything.

That's amazing.

In my company a lot of systems like HR have gone from internal servers to cloud so E-mails come from a lot of different URLs as sender. I consider myself pretty savvy but if a mail looks halfway plausible I don't really know how to tell if it's legitimate or not. The only way to fix this would be to sign E-mails so we can verify authenticity.

I think it shouldn't be too hard to write an Outlook plugin to do this.

The Corporate Overlords hired a company to send us fake phishing emails to test us peons. I found out that this company will set a header saying it's a fake phishing email, probably to get it past our spam firewall.

If I am not sure whether an email is legitimate or not, then I just ignore it assuming that if it is something real and important, then the other party will find a way to contact me (send another email, call me, approach me in person etc.).

With stuff like information about health insurance or 401k information there won't be any follow-up but it's very important to me.

Those are easy. Just log into the portal directly.

Imagine if someone from your benefits provider called and asked for your social security number or other PII for confirmation. Would you give it to them? I hope not. You should ask (as I always do) for their name and extension and tell them that you'll return their call through a published telephone number. Never once have I had someone balk at that, and I've done it countless times for many years.

For a link to a benefits provider, it's trivial to log into the portal through a known good domain and look around for whatever piece of information or news they were trying to communicate.

The hard issues come with all the random services HR contracts for stuff like harassment training, etc. If I can't corroborate a link myself then as a last resort I can simply ask HR (or w'ever department) directly, or as previously said just ignore it and wait for someone to say something.

At some point the usage of so many third-party services is just an insane security risk. It's almost comical when the corp security team runs a phishing test and on the same day you get a half-dozen e-mail messages from other departments with twice as many links to random domains. At some point you're just like, "fsck 'em" and have half a mind to not bother caring anymore. But it's not just their security on the line, it's yours, too.

I still use mutt for personal e-mail so maybe this is all easier for me. I've yet to become accustomed to hidden links or embedded multimedia in e-mail.

I just flat out don't read work email anymore. Everything gets deleted. If it is important someone has mentioned it in Slack, come over to my desk to tell me or it was publicly announced.

So the real issue here is not emails or autoresponders, but lack of IT security knowledge among employees. Hence, do (mandatory) trainings or something.

I'm not sure there's much evidence that it works though. Probably more effective is having employees use yubikeys or something.

Our security team makes their phishing emails look way too professional.

Targeted phishing for corporate espionage would look very professional. Even regular bank phishing is getting very pro these days. https://krebsonsecurity.com/2018/10/voice-phishing-scams-are...

Corporate security theater in general is starting to get out of hand. I just had to take a yearly sec training, and the videos are absurdly over-the-top. I can imagine them being quite alarming for people who don't have the technical background to know what is actually important. Just a series of videos trying to conjure up this strange sense of paranoia -- telling us that "HACKERS" are CONSTANTLY trying to 'break in,' and will try to SOCIAL ENGINEER us by reading everything they can find on our facebooks! Advice such as, "If a friend posts a picture of you without your permission, consider asking them to remove it." How does that relate to corporate security in the slightest?

The kicker was when they told us that, if our mobile devices become more than a few years old, we just had to buy new ones in order to stay secure. I was flabbergasted. This is speaking about our own personal devices, not company-issued ones. Seriously, the gall to make people think the only way to be safe is to spend hundreds of dollars on new phones every 2 years.

It's just bizarre, and it's never been applicable in any of my workplaces. And I have worked for large, global law firms on quite famous litigation with huge international conglomerates as clients -- as a poorly paid grunt, not an associate, but that just meant I had more direct access to sensitive documents. I've probably received ~100 "phishy" emails over the years, and zero of them have been actual phishing attempts. Just more of that "the molesters are waiting around every corner and hiding behind every tree" nonsense, now migrated into the workplace.

A lot of financial related phishing emails use info gathered from social networks. The attackers use it to see who does what in the company and to come up with a nice email to someone in the finance department.

Sure there is a lot of security theater but I think it's important to understand that for attackers it's definitely worth spending a couple of hours on research. A successful email can quickly reach a five-figure reward.

Source: I work in email security

It's because phishing works, and the success rate is a combination of the right message and the number of attempts. Of course smart people will notice right away, but how to discern who is smart and who is not before the incident happens? To make sure you make everyone undergo the training.

As for the smartphone example: they could just have said to make sure you always have the most recent version of the OS, which is quite easy if you own a certain brand of smartphones, and can be frustratingly difficult if you use something else. I'm sorry to say but they were right: most vendors don't care for customers who have devices older than a few years because they don't bring them any money. It's a general problem in the industry, nothing surprisingly new.

Totally agree. I've never been on an engagement and found an auto responder with useful information.

I already have your team structure from LinkedIn. I probably know about your trip from Facebook or Instagram. I don't really care when you get back, because I'll be stealthy either way.

As always with security the first thing to ask is "What is your threat model?"

This person's threat model seems to be people who email him for a legitimate business reason, but see that he's away & take the opportunity to attack him? I just don't buy it - I think there is nothing wrong with always setting an autoresponder.

Yeah, this is a stretch...

I'm getting pretty tired of this kind of thing. It's pretty clear to me that the infosec industry (within appsec and netsec at least, not risk and compliance) is bifurcated into two distinct groups. The first group consists of people who have real technical expertise, find serious vulnerabilities and make concrete suggestions about legitimate issues.

The second group, and the one I see more and more often (especially in bug bounties), consists of people who find ridiculous "security" "risks" in all manner of things. They're not appsec or netsec people but they think they're identifying actual security issues. Sometimes they point out superfluous implementation issues but more often than not they're writing articles like this - nitpicking the design of a thing without clarifying their threat model and with only a vague grounding in the potential risk of compromise.

I mean did we really need a security PSA about the risk of email autoresponders? Come on.

I've had a member of the second group, describing himself as a "certified white hat hacker", sign up for a small SAAS product I'm involved with, mess around a bit and then file a slew of "urgent vulnerability reports" of supposed security issues, all of them profoundly so-whattish in the context of a niche business SAAS. When I closed them all without further action, the chap then had the gall to demand payment - or at least a "certificate of appreciation" he could parlay into future business. Needless to say we declined.

This lack of any concept of a threat model was precisely why his (considerable) effort was totally wasted and I can imagine similar "researchers" giving the industry as a whole a bad name.

I have heard the term "security vultures" being applied to the second group, and wish it was more common (the term, not the group...)

I like "security fatalism" for the underlying behavior.

At some point we just can't do more to thwart every possible threat. What, are we going to be told to sneak out the back door of our house and walk 3 blocks to where we parked our car?

Absolutely couldn’t agree more.

This is an interesting discussion. I can see the author's point - maybe, as a thought experiment, an attacker could latch onto the fact that someone is out of the office and use that as a wedge.

Along the lines of "John and I had a payment planned, but he's out of the office, can you send it to [fake destination]?"

But, like other people have noted, you also have to weigh the chance of that happening in real life. It seems like the amount of planning on the attacker's part would be significant enough that if they could pull it off, they would have found easier targets by then.

I actually did see a situation just like that, and it amounted to lucky diligence on the part of a third-party that the situation was detected before it was too late.

A guy in an Accounts Receivable role got phished. He went on a two week vacation, and bright-and-early on the first day he was out the phisher sent out emails as the vacationing AR person to a number of Customers advising them that remittance processing was being handled by a new third-party. They directed all the Customers to that third-party's "new" bank account. The attacker helpfully put a rule on the guy's Inbox to move new messages from every domain that the attacker emailed directly to "Deleted Items".

One of the Customers thought it seemed a bit fishy and called-in to confirm that very first day.
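The inbox rule in the story above (mail from the targeted customers silently moved to Deleted Items) is a reliable post-compromise indicator, and it is cheap to hunt for across every mailbox. Below is an added example of that triage logic in Python; it is not code from the commenter or from any mail platform. The rule records are constructed to resemble a mailbox-rule export (the field names, folder list and keyword list are assumptions), and the four sample rules are made up for the example.

```python
"""Hunt for inbox rules that hide or exfiltrate mail.

Added example, not part of the original comment. The InboxRule fields are
modelled loosely on a mailbox-rule export and are an assumption; the folder
and keyword lists are assumptions too.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: the organisation's own mail domains.
ORG_DOMAINS = {"example.com"}
# Folders attackers use to bury replies the victim would otherwise notice.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                  "junk email", "archive", "conversation history"}
# Words that point at payment fraud or at hiding security warnings.
KEYWORDS = ("invoice", "payment", "remit", "wire", "bank", "phish",
            "suspicious", "password", "hacked")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    move_to_folder: str = ""
    delete_message: bool = False
    forward_to: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    mark_as_read: bool = False


def findings(rule: InboxRule) -> List[str]:
    """Reasons a rule looks like post-compromise tradecraft (empty = benign)."""
    if not rule.enabled:
        return []
    reasons: List[str] = []
    if rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS:
        where = "delete" if rule.delete_message else rule.move_to_folder
        reasons.append(f"hides matching mail ({where})")
    external = [a for a in rule.forward_to
                if a.rpartition("@")[2].lower() not in ORG_DOMAINS]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    words = [w.lower() for w in rule.subject_contains + rule.from_contains]
    if any(k in w for w in words for k in KEYWORDS):
        reasons.append("matches financial/security keywords: " + ", ".join(words))
    if reasons and rule.mark_as_read:
        reasons.append("also marks mail as read")
    # Attackers tend to give rules throwaway names: ".", "a", "-".
    if reasons and len(rule.name.strip(".- ")) <= 1:
        reasons.append(f"throwaway rule name {rule.name!r}")
    return reasons


def triage(rules: List[InboxRule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map mailbox -> [(rule name, reasons)] for rules that need a human look."""
    out: Dict[str, List[Tuple[str, List[str]]]] = {}
    for r in rules:
        why = findings(r)
        if why:
            out.setdefault(r.mailbox, []).append((r.name, why))
    return out


# Constructed sample export (not real data).
SAMPLE_RULES = [
    # Benign: the user files a vendor newsletter.
    InboxRule("ar@example.com", "Newsletters", move_to_folder="Newsletters",
              from_contains=["news@vendor.example.net"]),
    # The rule from the story: replies from the defrauded customers vanish.
    InboxRule("ar@example.com", ".", move_to_folder="Deleted Items",
              mark_as_read=True,
              from_contains=["customer-a.example.org", "customer-b.example.org"]),
    # Classic exfiltration: copies of invoices leave the organisation.
    InboxRule("cfo@example.com", "a",
              forward_to=["finance.backup@mailbox.example.net"],
              subject_contains=["invoice", "wire"]),
    # Disabled rules are reported separately, if at all.
    InboxRule("cfo@example.com", "Old", enabled=False, delete_message=True),
]

if __name__ == "__main__":
    for mailbox, hits in triage(SAMPLE_RULES).items():
        for name, why in hits:
            print(mailbox, repr(name), "->", "; ".join(why))
```

Run this against a nightly export of every mailbox's rules and alert on new hits; the AR rule above would have been flagged on the morning it was created, before the first customer needed to feel suspicious.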

Even that would be hard to use in real life, as an "out of office message" does not mean that their colleagues can't easily reach them.

If you're some outsider you don't know if that person is really unreachable or if their colleagues can easily reach them on Slack/send them a text/whatever if they have some important question.

And if you are internal/close enough to know their time off plans and that they're going backpacking in the Canadian Arctic, you didn't need the message to tell you they're out of office.

I think the point is that autoresponders will autorespond to legitimate business emails as well as phishing/scam/whatever other emails.

So the attacker gets autoresponse. What's next? What is the attack vector here?

UPD: also, I guess any attacker could just assume that you're Out of Office at night time.

EDIT: To be clear, I don't think this is a serious threat whatsoever, and went through the exercise as an explanation. Go easy on my comments, just having fun thinking it through.

Impersonate the person out of town to escalate to their privilege level.

Imposter: "My password isn't working, can you help me reset it?" Yes, this is unlikely to work in smaller orgs where you know people face to face. It is more likely to work as the org scales up in size (think enterprises with their own helpdesk).

Once you have email and/or other federated access, you have a toehold. Bonus points if you've cloned their work cell SIM or have rerouted SIP for their desk phone to keep them out of the loop. I have seen weaker phishing attacks on financial/accounting staff who have the authority to move millions of dollars of corporate funds.

> Whom the would-be attackers send this email to?

Phishing target

> Do they send this email from their own email address?

Throw away address or spoofed address from a familiar-to-the-business domain.

> Is there an assumption that sysadmin/support team will blindly reset a password on someone else's request?

This is one assumption.

> How do attackers bypass corporate VPN?

VPN access might not be required to obtain the level of access desired. Do all of your SaaS providers require 2FA? Your business bank accounts?

Any organisation where “hey I forgot my password, can you reset it?” from an unknown email address is an attack that has chance of success is an organisation where there’s dozens of major problems long before you get to auto-responders identifying who is away from the office.

You're assuming I can't hop on the phone (appearing to come from a known number using Caller ID spoofing, using LinkedIn to get a general idea of the org chart) and bluff my way through it with your underpaid, overworked help desk staff. People are the weakest link.

This is only a few steps above Indian scammers taking remote control of users’ computers and convincing those users to send them hundreds of dollars of gift cards to prevent legal action by the IRS. Consider your average user, not the HN participant.

https://www.youtube.com/watch?v=YVqurfWzB-Q (Hacking Humans : Social Engineering Techniques and How to Protect Against Them - Stephen Haunts)

We are arguing different points. I’m saying _if_ an organisation _is_ insecure enough for social engineering to work then a vacation auto-responder is not going to represent any meaningful increase in risk.

I am arguing that _most_ organizations are insecure enough for social engineering to work, and that autoresponders are yet another vector. Orgs that observe proper operational security are still a minority.

Yes, we know what you are arguing. And if auto-responders are yet another vector for an org, then it does not represent a meaningful increase in risk.

> Impersonate the person out of town to escalate to their privilege level.

> Imposter: "My password isn't working, can you help me reset it?"

This doesn't have anything to do with being out of town or autoresponses.

Sorry, still not clear to me.

- Whom the would-be attackers send this email to?

- Do they send this email from their own email address?

- Is there an assumption that sysadmin/support team will blindly reset a password on someone else's request?

- How do attackers bypass corporate VPN?

I agree with you that under these circumstances autoresponses could be a security risk. But then I'd better fix the underlying security problem(s) and let everyone use autoresponders if they wish to.

If an attacker gets info that you are out of office for 2 weeks it most likely also means you are traveling and out of home for 2 weeks. Perfect opportunity for burglary.

This is not a hypothetical scenario, almost every year there is some idiot saying they're going on vacation in those mini-interviews in the local newspaper and then they get their house broken into.

However the probability that someone does email you and is a burglar at the same time is extremely small.

Not all of them do. Gmail can be set to only respond to people who you've had contact with before.

Wouldn't an autoresponder for your email domain users and people in your addressbook be enough? The rest of the people don't need to know you're out of the office (by and large). Of course, if you're in sales that's diff but also has little sec implication. (Any internal threat would know you're out by other means anyhow)

Maybe his threat model is an attack to his position/team from within the corp. Should also apply to politicians within the party :-) Then it of course makes sense to not send these mails and read and answer them.

Still, I’d rather just forward my email to my assistant while I’m gone. If it’s urgent it’ll get handled. If not, it’ll wait.

Can we all forward our email to your assistant too?

And who assists the assistants?

Or you just check the box that says "only send to people at my organization".

What if you are working mainly with customers? BTW, the article says: > Set the autoresponse to the smallest group possible. In many cases you can narrow it down to coworkers, and/or have a different message for people inside your organization than outside your organization.

I think the context of the blog post, "the lonely sysadmin", means "working mainly with customers" isn't its target audience.

Bikeshedding for a moment, I suspect the right response for people "working mostly with customers" is for the CRM to automatically re-route known-customer and cold-call emails to someone else on the "working mostly with customer" team, instead of first up telling customers or leads "Sorry, Bob's away for 2 weeks", which is _never_ going to be the message you want to be sending there...

I'm glad I wasn't the only person who thought that. Not only that, my work email is very much decoupled from my personal email.

Or, you could have a system that only responds this way to e-mails to which you had already responded in the past.

But why? At that point I might as well turn off the feature...I can't know everyone who will try to get in touch with me while I'm out of the office. If I could, I'd just tell those people ahead of time. If someone tries to reach me for something unanticipated and I've never responded to them before, they won't receive a notification.

This "threat" is a fugazzi. Honestly I can't believe this hit the front page of HN. What a ridiculous "security risk."

Or? That's one of the strategies that the article states for managing the risk:

> Set the autoresponse to the smallest group possible. In many cases you can narrow it down to coworkers, and/or have a different message for people inside your organization than outside your organization.

> Don’t tell people anything more than they need to know. Does everybody really need to know where you’ve gone and how long? Probably not. You’re just gone. Set some expectations around response time, though.

That's a borderline contradiction.

True -- fixed. Thanks.

'Don't record "we're on vacation"' on your home phone answering machine is ancient knowledge/advice.

Indeed - who has an answering machine these days?

Most people have voicemail which is pretty much the same thing.

In general, touche. For this context, there's a meaningful difference: voicemail, unlike an answering machine, is accessible from anywhere, so there's no reason to set a "we're out of town" message.

Next time a little comment would go a long way confronting with HN guidelines.

I haven’t seen any mention of his other point.

“If you’re gone be gone.”

I don’t respond to emails on vacation or after I get off of work. Not even meeting invites. If I happen to be working late trying to figure out something, I make it a point not to let anyone know. I don’t want to set the expectation that I’m always reachable.

I have a project manager and a QA person who will send me messages on our Slack channel. They ask me did I see it I tell them when I’m home I’m home.

One exception is that I will answer an email to our offshore team, but even then I take the local developers and manager off of the email list.

Microsoft Outlook allows separate settings for internal versus external out-of-office messages. There's no real security risk in telling my work colleagues where I am.

Google allows you to limit out of office messages to within the company as well.

Even worse: Social media posts of traveling/vacation.

Important to keep in mind that security is always balanced with convenience. Individuals need to just judge how much "risk" they want.

This reads like something someone logiced out in their head but has no basis in any information that indicates if any of this is a real risk.

2 cents on the topic. Potentially. Auto responders let spammers know it's a live mail account. It can also become a backscatter problem.
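Several comments in this thread (Outlook's internal/external split, Gmail's "only people I've corresponded with" option, and the backscatter point just above) amount to one policy: decide per incoming message whether an auto-reply should go out at all, and to whom. Here is that policy as an added Python example, not code from any mail system. It replies with a fuller message to coworkers, a bare "I'm away" to known correspondents, nothing to strangers (so an unknown sender never learns the mailbox is live or that you are away), never answers automated mail (RFC 3834's Auto-Submitted header, list and bulk markers, null-sender bounces), and replies at most once per sender for the absence. The domains, contact list, header checks and sample messages are assumptions constructed for the example.

```python
"""Out-of-office reply policy: who gets a reply, and which one.

Added example for the internal-only / known-contacts suggestions in the
thread and for the backscatter point above; not code from any mail system.
ORG_DOMAINS, KNOWN_CONTACTS and the sample messages are assumptions.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Set

ORG_DOMAINS = {"example.com"}
# Assumption: addresses this user has previously corresponded with.
KNOWN_CONTACTS = {"pat@customer.example.org"}

INTERNAL_TEXT = "Out until 14 March; ask Dana for anything urgent."
EXTERNAL_TEXT = "I am away from email and will reply when I return."


def _addr(msg: Message, header: str) -> str:
    """Bare lower-cased address from a header ('' if missing or '<>')."""
    return parseaddr(msg.get(header, ""))[1].lower()


def is_automated(msg: Message) -> bool:
    """RFC 3834 and common list/bulk/bounce markers: never auto-reply to these.

    Replying to them is how an autoresponder turns into backscatter, or
    into a reply loop between two autoresponders.
    """
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    if msg.get("Precedence", "").lower() in {"bulk", "list", "junk"}:
        return True
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    suppress = msg.get("X-Auto-Response-Suppress", "").lower()
    if "oof" in suppress or "all" in suppress:
        return True
    # Bounces carry the null envelope sender: "Return-Path: <>" parses to "".
    if msg.get("Return-Path") is not None and _addr(msg, "Return-Path") == "":
        return True
    frm = _addr(msg, "From")
    return frm.startswith(("mailer-daemon@", "postmaster@", "noreply@", "no-reply@"))


class Autoresponder:
    """Decides the reply text for each message; None means stay silent."""

    def __init__(self) -> None:
        self.already_replied: Set[str] = set()

    def reply_for(self, raw: str) -> Optional[str]:
        msg = message_from_string(raw)
        if is_automated(msg):
            return None
        frm = _addr(msg, "From")
        if not frm or frm in self.already_replied:
            return None          # once per sender for the whole absence
        domain = frm.rpartition("@")[2]
        if domain in ORG_DOMAINS:
            text = INTERNAL_TEXT
        elif frm in KNOWN_CONTACTS:
            text = EXTERNAL_TEXT
        else:
            return None          # strangers learn nothing, and get no live-mailbox confirmation
        self.already_replied.add(frm)
        return text


# Constructed sample messages (not real traffic).
COWORKER = "From: dana@example.com\nTo: me@example.com\nSubject: Q?\n\nGot a sec?\n"
CUSTOMER = "From: Pat <pat@customer.example.org>\nSubject: PO 1234\n\nStatus?\n"
STRANGER = "From: recruiter@unknown.example.net\nSubject: Opportunity\n\nHi!\n"
BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n"
          "Subject: Undelivered\n\nbounce\n")
NEWSLETTER = ("From: news@example.com\nList-Id: <news.example.com>\n"
              "Precedence: bulk\nSubject: Weekly\n\n...\n")

if __name__ == "__main__":
    ar = Autoresponder()
    for raw in (COWORKER, COWORKER, CUSTOMER, STRANGER, BOUNCE, NEWSLETTER):
        print(repr(ar.reply_for(raw)))
```

Note the internal newsletter case: a message from your own domain is still suppressed when it carries list or bulk markers, which is exactly the case that floods a mailing list with one "I'm away" per subscriber.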

I fail to see how being out of office and not responding to work email has any relevance to a person not recognizing when their bank accounts are being zeroed. I also fail to see the vector by which someone being out of office gives an attacker access to their bank accounts.

Q "Hey, did you get my email? I'm following up. That thing X needs to be done and they are asking me why not."

A "Well, I was out of office. Jamaica is amazing... have you been?"

Q "No, uhm, so the thing is that we are going to lose 5 bajillion dollars if this is not done by 2 pm."

A "Jerk chicken. It's just like my mind opened up to a whole new way of seeing the world...."

Q "Right so... will we be able to have that paper by noon maybe? Then I can get it signed and we can rush it back to the..."

A "No, sorry, it takes 3 days to send it through Central, then West has to backsearch the kumquats, it's not something I really have control over."

Q "... was your out of office not working? I couldn't see it... I mean I thought you were there..."

A "No, that's a security risk. I wouldn't want us to lose money due to some scammer."

Q "What... is that some new IT policy? I don't remember seeing that..."

A "No, no, I read about it on this site for experts in computer stuff, it's called Hacker News, you should check it out."

Out of office? It's an invitation to a thief with the address attached in the signature.

Is it? If I leave for a week is it assumed all of my coworkers also leave, our doors unlock and alarms are off?

Maybe that's a risk for a single person working in a coworking space. Probably less so for companies that have >1 employee.

