Welcome to Practical Issues in Information Security. In these pages you will find ideas and tips for your consideration as you work to improve the information security and privacy of your organization. Even though most of the information is focused on the home or personal user and small business, the principles are applicable to larger organizations in most industries.

Over 1200 Private Email Addresses Exposed

by d.strom, cissp, gsec, gsna on March 5, 2010

I received an email earlier today from my bank which proudly announced upcoming changes to their on-line presence. This email spoke about the improved ease of use, and the increased security. Additional features, such as changes to bill pay, were also discussed.

It all sounded very nice.

That is, until I took a quick look at who this email was sent to.

The VP who sent this out put over 1200 email addresses in the CC field of this email. Thirty minutes later, he tried to “Recall” this message. (Recalls only work if the recipient is using the same email system as the sender. In this case, the sender was using Exchange, and I’m not…)

So, now I have over 1200 email addresses available to send spam to.

What’s the problem with this?

  1. My email address is exposed to over 1200 other folks for them to use as they wish.
  2. Most spam filters will block a message with over 10-15 recipients in the list. I’m surprised that this went through.
  3. I work hard to keep that particular address from being available to others. Now at least 1200 other people have access to that one.
  4. The credibility of the bank has just dropped. If they cannot protect my personal email address, am I to expect them to protect my personal banking info?

Yep, this is a fairly minor situation, but I’m left wondering if I should explore another bank to use…

- Dan


Trust (part 2)

February 23, 2010

A few weeks ago I wrote about Why Trust is Important. In that post, the example of using your credit card at the gas station was presented, along with the assumptions about trust that are made.
Yesterday, there was an article posted at Dark Reading detailing recent credit card skimming incidents at gas station pumps. It [...]


Tiger Woods Apology

February 19, 2010

*** Warning ***
This post is not directly related to information security.
Ok. So I just watched the press conference and apology from Tiger Woods, and I saw something that we rarely see. He confessed the wrongfulness of his actions, and took personal responsibility for what he did. He “has a lot to atone for.”
Here’s what [...]


Experiences with the Verizon Wireless Network Extender

February 2, 2010

It’s been over two weeks now since I installed a Verizon Wireless Network Extender at home. We can get a weak Verizon signal at our house, but it varies based upon where in the house the phone is. I wanted to have a way to reliably use my Verizon Wireless cell phones at home. That [...]


Why Trust is Important

January 27, 2010

President Ronald Reagan said, “Trust, but verify.” I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.
Trust is a critical foundational element of life, government and information security.
Things would be different if trust was non-existent…

Husbands and wives would always be paranoid.

Negotiations between teachers and school [...]
