I subscribe to DHS Daily Report, a service provided by the Department of Homeland Security that abstracts various news reports about things dealing with various aspects of Homeland Security and then emails that abstract to subscribers. It is a valuable service that anyone involved in the homeland security business ought to subscribe to; obviously many people do. “How many?” subscribers found out today when one subscriber tried to get his address changed by replying to today’s message, and hit the “Reply to all” button on his email; his message went to everyone that receives these daily reports.
Rather than letting this simple, obvious and all too common mistake slip by, many people receiving this ‘reply’ responded with one of their own, again hitting the “Reply to all” button. I stopped counting when the number of replies got close to 100. Many people simply pointed out how stupid the original replier had been, others realized that they had an excellent mass mailing marketing opportunity to get into contact with other people in the security business, and quite a few just seemed to have too much time on their hands.
What few of these people realized is that they were violating a cardinal rule of internet communications security, they were giving an unscreened audience a view into how their organization’s email systems were set up; understanding the email naming conventions used by an organization makes it easier to craft denial of service attacks and start sophisticated spam campaigns. These follow-on repliers also provided anyone that was interested with a confirmed list of email addresses (found in the list of ‘To:’ addressees). Both of these are valuable services to a wide variety of spammers. The confirmed list of email addresses is a commodity that can be sold to any number of legitimate marketing and not so legitimate spamming organizations. Every one of the subscribers will start to receive an increase in the amount of spam that they receive.
Furthermore, most of these repliers provided a sophisticated signature block on their email. The block provided name, organization, title, email, fax, phone and mailing address for someone involved in the security of the organization; someone that is apparently not sophisticated in the area of counter intelligence. This provides various intelligence agencies with a list of possible human intelligence targets that could be used to circumvent the internal security of those organizations. Many sophisticated terrorist organizations probably have intelligence units that could exploit this type of information and almost all countries actively try to develop such intelligence targets. A major gift was handed to these organizations today.
The internet and email are forms of communication that are invaluable to today’s society. But, they are communications mediums and are subject to intelligence gathering techniques. The sooner that people realize this, the sooner they will be able to take an active role in the security of their organization.
One last point; I am disappointed that DHS had not taken actions to disable the “reply to” capability on these messages. The DHS security managers should have recognized the potential intelligence information bonanza that could be reaped by sending a simple “Reply to All” message to one of these daily messages. It is very disheartening to see that information security is so poorly understood by the largest single US Government security agency. Some counter intelligence training is definitely needed.