Tag Archive for 'Security'

Out of Office reply policies

I saw a post on David Smalley’s blog about Microsoft Exchange Server Out of Office Replies. In his post David mentions that in Exchange Server 2000, Out of Office Replies (OORs) are not sent outside the Exchange organisation, and he goes on to explain how you can configure Exchange to allow OORs to go outside your organisation.

While this behaviour by Exchange might look like a bug, there is a good reason behind it: it protects the privacy of your Exchange users. It is entirely possible to spam a company (or, more likely, many companies), search the responses automatically for Out of Office Replies, cross-reference them with phone book entries, and then burglarise houses secure in the knowledge that “Sally is on holidays in Bali until the 15th!”.

Out of Office Replies like these also tell any cracker that this person’s logon will be unattended for the next x days, so they can merrily ring the helpdesk saying “I have lost my password, can you reset it for me?”, safe in the knowledge that the real owner will not notice the reset until they return.

Also, OORs reply to ‘normal’ spam mails, confirming to the spammer that the email address is a live one.

From an IT/security point of view it is preferable to keep the default of OORs not going beyond your Exchange organisation, but I can see that from a client service point of view this might not be acceptable.

If you do need to allow external OORs in your company, then you really need an OOR policy document, and as we are rapidly coming into holiday season you need to make all your staff aware of it as soon as possible, for their own protection.

Staff shouldn’t say how long they are out for, nor why they are out. They shouldn’t include their signature file, as it gives away too much information (job title, for instance: the more senior the position, the more likely that extended travel is involved). They should include the name of an alternate contact along with the main company number, but not the job title of the alternate contact.

The following is an example of a reasonably safe and yet informative Out of Office Reply:
“Thank you for contacting me - unfortunately I am away from my email right now but I will reply to you on my return. In the meantime, if you need some assistance, please call John Doe at 555 1234.”
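As an added example that is not part of the original post, the following Python script encodes these rules as a linter for auto-reply text: it rejects any reply that reveals a duration or return date, a reason for the absence, a job title or a signature block, and it insists on a named alternate contact with a phone number. The word lists, the regular expressions and the two sample replies are my own assumptions, constructed for the demonstration, so treat them as a starting point for your own policy rather than a complete list.

```python
"""Lint an Out of Office reply against the policy above.

Added example (not code from the original post). The regexes below are an
assumed encoding of the policy: flag a duration or return date, a reason for
the absence, a job title, and a signature block, and require a named alternate
contact with a phone number. They are heuristics; extend the word lists for
your own organisation.
"""
import re

# Constructed sample replies for the demonstration (not from the original post).
UNSAFE_REPLY = """Hi, I'm on holiday in Bali until the 15th of June and won't see email.
For urgent matters contact Jane Roe, Chief Financial Officer, on 555 9876.
--
Sally Smith
Head of Treasury, Example Corp"""

SAFE_REPLY = (
    "Thank you for contacting me - unfortunately I am away from my email right "
    "now but I will reply to you on my return. In the meantime, if you need "
    "some assistance, please call John Doe at 555 1234."
)

# Words that reveal why the sender is away (assumed list).
REASON_WORDS = {
    "holiday", "holidays", "vacation", "conference", "travelling", "traveling",
    "sick", "hospital", "maternity", "paternity", "honeymoon", "abroad", "overseas",
}

# Phrases that reveal how long the sender is away or when they return.
# "may" is left out of the month list because it is also an ordinary verb.
MONTHS = (
    "january|february|march|april|june|july|august|september|october|november|"
    "december|jan|feb|mar|apr|jun|jul|aug|sep|sept|oct|nov|dec"
)
DURATION_RE = re.compile(
    r"\b(until|till|back on|returning on|return(s|ing)? on|out of (the )?office from)\b"
    r"|\b\d{1,2}(st|nd|rd|th)\b"                 # "the 15th"
    r"|\b\d{1,2}[/.-]\d{1,2}([/.-]\d{2,4})?\b"   # 15/06, 15-06-2024
    r"|\b(" + MONTHS + r")\b"
    r"|\b(for|next) (the next )?\d+ (days?|weeks?|months?)\b"
    r"|\b(a|one|two|three) (days?|weeks?|months?)\b",
    re.IGNORECASE,
)

# Job titles, which the policy says must not appear for the sender or the contact.
TITLE_RE = re.compile(
    r"\b(chief [a-z]+ officer|ceo|cfo|cto|ciso|coo|president|vice president|vp|"
    r"director|head of [a-z]+|manager|partner|engineer|analyst|administrator)\b",
    re.IGNORECASE,
)

# A conventional signature delimiter line ("--" on a line of its own).
SIGNATURE_RE = re.compile(r"^\s*(--|__)\s*$", re.MULTILINE)

# "call John Doe", "contact Jane Roe": a contact verb followed by a capitalised name.
CONTACT_RE = re.compile(r"\b(?i:call|contact|phone|ring)\b.{0,40}?\b[A-Z][a-z]+ [A-Z][a-z]+\b")

# A phone number: at least seven characters of digits, spaces and punctuation.
PHONE_RE = re.compile(r"\+?\d[\d ().-]{5,}\d")


def check_auto_reply(text: str) -> list[str]:
    """Return the policy findings for one auto-reply; an empty list means compliant."""
    findings = []
    words = set(re.findall(r"[a-z]+", text.lower()))
    leaked = sorted(words & REASON_WORDS)
    if leaked:
        findings.append("reveals reason for absence: " + ", ".join(leaked))
    m = DURATION_RE.search(text)
    if m:
        findings.append(f"reveals duration or return date: {m.group(0)!r}")
    m = TITLE_RE.search(text)
    if m:
        findings.append(f"contains a job title: {m.group(0)!r}")
    if SIGNATURE_RE.search(text):
        findings.append("contains a signature block")
    if not CONTACT_RE.search(text):
        findings.append("missing a named alternate contact")
    if not PHONE_RE.search(text):
        findings.append("missing a phone number for the alternate contact")
    return findings


def is_policy_compliant(text: str) -> bool:
    """True when the reply raises no findings."""
    return not check_auto_reply(text)


if __name__ == "__main__":
    for label, reply in (("unsafe", UNSAFE_REPLY), ("safe", SAFE_REPLY)):
        print(f"[{label}] {'OK' if is_policy_compliant(reply) else 'REJECT'}")
        for finding in check_auto_reply(reply):
            print("   -", finding)
```

Run it as a script to see the unsafe reply rejected on four counts (reason, return date, job title and signature block) and the safe reply accepted. The checks are deliberately conservative: a reply that merely mentions a month name is flagged, because a false positive costs one rewrite while a false negative costs the privacy the policy is there to protect.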

The podcast of this post is available here, thanks to Pete Prodoehl, whose comment on my last post explained how I could use Ourmedia.org to upload podcasts to the Internet Archive without the 24-hour wait!

How to pick any lock in seconds

Lockpicking is the art of opening a lock without damaging it or using a key, and recently lockpicking has become a sport with clubs and championships. Who knew?

One such club is TOOOL (The Open Organisation of Lockpickers). One of the founding members of this organisation is Barry Wels, whose video on how to open a Kensington laptop lock with a toilet roll and a pen has gained him a lot of notoriety lately.

In a similar vein, Barry gave a talk at the Physical Security Workshop at the 21st Chaos Communication Congress (21C3) in Berlin, where he demonstrates a technique for opening just about any pin tumbler lock in seconds. The technique is called the bump key method (a specially cut key is inserted and struck so that the pins jump above the shear line for an instant, letting the plug turn), and a pdf explaining the bump key method is available here.

The talk is now available online and makes for scary viewing. Be warned, though, that it is over 600 MB, so if you want to view it you will need a decent Internet connection.

Hat tip to Eric Marvets on whose blog I first saw a reference to this video.

Tom Raftery’s Social Media is Digg proof thanks to caching by WP Super Cache!