
SANS ISC InfoSec Handlers Diary Blog



Caveat Emptor

Published: 2009-01-11
Last Updated: 2009-01-11 14:59:01 UTC
by Chris Carboni (Version: 1)
1 comment(s)

Jon dropped us a note pointing to an interesting article by Gene Spafford on the dangers of automatic updating of systems.

www.cerias.purdue.edu/site/blog/post/customer_disservice/

While not written specifically about a firewall or any other information security component, it is a sobering view of what happens when QA for patches isn't done properly.


The Frustration of Phishing Attacks

Published: 2009-01-11
Last Updated: 2009-01-11 02:37:34 UTC
by Deborah Hale (Version: 1)
3 comment(s)

Over the last few months I have been involved in tracking down and attempting to prevent phishing attacks and cleaning up the mess that can result. It is extremely irritating and frustrating that these continue to happen and that some users continue to fall for the scams. In spite of publishing an advisory on our web page, publishing it in our newsletter, putting it in the on-hold message for our help desk and repeatedly reminding people that we will never send out an email asking for the customer's user ID and password, the customers continue to fall for the phish. So what do you say to a customer who has fallen for the phish? I feel bad for them because in some cases they felt like they had been violated, yet I still can't help but get ticked off. Why would you be more willing to send someone the user ID and password for your email account than you would be to give out any other personal information?

The frustrating thing for me is dealing with the blacklisting and cleanup that follows. I have spent hours cleaning up the mail queues, answering questions from other customers who have lost their ability to send email because of the blacklisting, and contacting the blacklist operators to get the servers cleared.

What is even more irritating is the companies, banks, etc. that send out emails that are phish-like. This week I received an email from a company that I do business with at home. They have a page set up on their domain which allows you to log in and check your account, request changes to service or request information. They are doing a server upgrade, putting in new hardware. They sent out an email to that effect and said that the passwords on the new system will be changed; if you want your password to be the same on the new server, send them your password and they will set it for you. Now I realize that this is a really low-value target for phishers, but it is nonetheless a bad idea. I called them and voiced my opinion and let them know that they didn't need to set my online access back up. If I have any questions I will just call them. They couldn't understand my concern or why I no longer wanted online access to their system.

I just hope someday Internet users will understand the importance of protecting their email information.  Until they do, I will continue to clean up the servers and try to manage as best I can.

So my question to our readers is:

What do you do to educate your employees, customers, family and friends about the do's and don'ts of email?

I look forward to your input and will print some of your ideas in a later diary.


Keywords: Phishing email