Twenty-Four Seven Security

Peter Schooff

Voicemail Don'ts


Found an interesting blog over at Security Monkey which, while it might seem a little off topic for computer security, still carries a valuable lesson. Going through his to-do list, the Chief, as the Security Monkey likes to be called, telephoned a CSO and got the following message:

"Hi, you've reached Joe Blow, Chief Security Officer of Company, Inc. I'm going to be out of the office on vacation from (date) to (date) and unable to check my voice mail or e-mail. Please leave a message, or you can dial '0' and talk to my administrative assistant. Thanks!"

What is wrong with this message? The CSO gave his name, title and company name, and said exactly how long he was going to be away for, which is ideal information for a scammer. What follows is a couple of scenarios where someone might use that information for no good.

First, someone impersonating the CSO could call the help desk number, say he's on vacation and cannot remember his access, or say his access isn't working, and ask to reset it. As far-fetched as this may sound, this trick is often very effective.

Second, a crude but effective code-cracker can start trying to crack the web portal, email account, and other remote access systems by inundating them with attempts. If the CSO is frozen out, what does it matter? He won't be back for a while.

Third, there is the inside attack, where an employee might want to know if the CSO is investigating them. Say they start trying to guess the CSO's email password, or convince facility security to create a duplicate employee badge by saying the CSO is busy at another facility.

And who knows what someone really determined might think of. Here is what the voicemail message should have said:

"Hi, this is Joe. I'm unavailable to take your call. Please leave a message, or dial 0 and we'll redirect your call to someone that can help you. Thanks for calling."


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff

Peter Schooff is Managing Editor at ebizQ. Peter is also a very popular blogger in the IT security space. Prior to this, Peter managed the database operations for a major cigar company, served as writer/editor of an early internet entertainment site, and also developed a computer accounting system for several retail stores. Peter can be reached at pschooff (at) ebizQ.net and at (914) 712-1500 ext. 273.

