[conspire] 'Frighteningly effective' GMail phishing

Rick Moen rick at linuxmafia.com
Fri Mar 24 12:11:35 PDT 2017


Quoting Nick Moffitt (nick at zork.net):

> "You called me!  I need proof that YOU are who you say you are, before
> I'll give over any personally identifying information over the phone."
> 
> He was suddenly off-script.  He had NO IDEA how to respond to this.

Anecdotes like this have been grist for the mill of RISKS Digest for
many, many years.  http://catless.ncl.ac.uk/Risks/


The rot also affects company-internal operations.  At several employers
(I'll use Cadence Design Systems as an example), I suddenly received an 
e-mail at my employee mailbox asking me to fill out a survey at some
exterior, apparently unconnected non-Cadence Web site.  I checked the
survey, and it appeared on at least its first page to be prompting for
information that is non-public if not actually sensitive.  So, I
politely inquired with management, CC'd to the network security team,
very delicately (so as to not actually call any VP an idiot) suggesting
that it's a really bad idea to create the expectation among employees of
blabbing on internal company matters elsewhere, especially without
advance warning verifiably from management.  Among other things, I said,
if they must outsource such functions, at least they could run them at a
company FQDN like employeesurvey.cadence.com on company IP space with
the corporate Web cert.

To which I received a bland reassurance that the survey was authorised,
ignoring my implication about bad policy.

That sort of encounter has always been disappointing, but the one that
really boggled me was when Kaiser Permanente, the HMO, did the same
thing with an outsourced patient survey.  This time, I refused because I
didn't _care_ that management had authorised this; it was nonetheless
an extremely bad security practice if only because it habituates
patients to enter sensitive medical information
anywhere-nowhere-in-particular.  I wrote a letter to management, which
resulted (predictably) only in a telephone call from some flunky who 
obviously really didn't understand what the problem was, but just wanted
to make sure I wouldn't make further trouble.
