I first heard about this in January when our department secretaries
responded to one of these emails with their email address, current password,
intended future password, and birthdate.  (Yeah...)

They then got an email from Taylor Payne (OIT Network Security) saying that
if "such and such" (he included the actual password they had been sent in
the reply) was actually their password, they had been scammed and should
switch it immediately.

I was both surprised and impressed at their rapid response.  It saved the
department potential problems and embarrassment.  The victim was also rather
embarrassed and less likely to fall for this in the future.

-Joseph
Mechanical Engineering

On Wed, Feb 24, 2010 at 5:20 PM, Robert LeBlanc <[email protected]> wrote:

> On Wed, Feb 24, 2010 at 5:11 PM, Andrew McNabb <[email protected]> wrote:
>
>> On Wed, Feb 24, 2010 at 04:29:23PM -0700, Robert LeBlanc wrote:
>> >
>> > As I talked with the security guy, he mentioned that when they get a
>> > phishing message like the one you got, they put a rule to rewrite the
>> > reply-to address so that it goes to them rather than the phisher. They
>> > can then inform the sender that they were phished without their sensitive
>> > information actually reaching the wrong hands.
>>
>> What you describe here isn't what they did in this case, but if it were
>> what they did, it would be evil.  I don't want anyone silently changing
>> emails to or from me.  That would just be evil.  (BYU didn't silently
>> change network traffic in this case, but I've had weird creepy problems
>> with ssh traffic that could probably be explained by meddling from OIT).
>>
>>
>> > This is not something that they are constantly watching as they record
>> > about 4 TB of network traffic a day. Usually if they get an alert they just
>> > tell us CSRs that there is a problem with the computer and don't give us the
>> > traffic. I had to specially request it from them in this case. The e-mail is
>> > different because they want to help educate the users.
>>
>> When some email message is matched by their filter, David reads it.  He
>> read my personal email message without my permission.  I don't care how
>> much he was trying to help.
>>
>> At one point, the CS Department logged all requested URLs over HTTP, but
>> they were careful to let everyone know what they were doing, and they
>> didn't store personal stuff like POST data.  What BYU Network Security
>> is doing is completely secret and stores all of my private data.  As
>> great as it would be to have everyone use GPG, it's simply not feasible
>> to encrypt most email messages.
>>
>>
>> > I'm grateful for their efforts to help secure our computing environment.
>> > Understanding what they are doing, why and how has helped ease my mind about
>> > it. By the way, they can't look into SSL traffic, but they can reconstruct
>> > unencrypted traffic to find files and whatnot. It is very useful to see the
>> > payload in an attack. This is not done on the fly, but has to be
>> > specifically requested for a host and a period of time.
>>
>> I'm grateful that they want to help secure our computing environment,
>> but I don't think that this is always possible without violating higher
>> principles.  In this particular case, they read my email and confronted
>> me with its contents.  The Bush and Obama administrations may not
>> believe in warrants, but I think that looking through the contents of
>> personal messages should require probable cause.
>>
>>
> I'm not a lawyer so I don't know all the details. I do think that US law
> does allow an employer or institution to do what they want with traffic on
> their network. I remember hearing that this is not true in Germany or was it
> the other way? In any case, if you want it secure, encrypt it. If you can't
> encrypt it and you are concerned about privacy, don't do it at your
> employer's place. I have to say that I think the FBI is requiring all ISPs
> to record all traffic on their networks, and to increase that to 6 months. I
> think the only safe option is encryption. Sorry, I can't do anything about
> you feeling that your rights are being violated.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
>
> --------------------
> BYU Unix Users Group
> http://uug.byu.edu/
>
> The opinions expressed in this message are the responsibility of their
> author.  They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
> ___________________________________________________________________
> List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
>