Security's Everyman

Tuesday, September 04, 2007

E-Cards are evil!

Ok, maybe they aren't evil, but they are pretty scary. I arrived at work this morning after a 3-day weekend to discover that an employee had sent an e-card to lots and lots of our users. We have about 5000 employees, most of whom have an email account. The user doesn't have access to the global email group but was able to send it to a lot of people by selecting different groups that they did have access to plus individual accounts.

As I said, when I saw the e-card in my inbox and noticed that it had also gone to lots of other users I got that sinking feeling in the pit of my stomach. My initial reaction was to send out an email to everyone telling them not to click on the link to view the card. Then I noticed that the card was sent Friday afternoon around 3:30. Too late. If this was malicious then the damage was already done. The good news was that I had not heard of anything going awry over the weekend. Of course, since lots of people cut out early on Friday there was a good chance that this morning would be the time to fear.

Before I reacted rashly I decided to check out the link to see if it was malicious or not. I did a search on the e-card company. It was one I was not familiar with. Nothing bad came up. I then went to the site and looked around. It looked OK. Then I took the next step and put in the e-card number to view it (all of this was done in a safe environment). Whew, nothing evil appeared. It was a Thank You card for something that the company had done for her.

Of course there is a "dark" side to this. We don't state in our email policy that it is against the rules to send e-cards but we do state that email is to be used for "business purposes". So the user did "break policy". What is really bad though is this.

  • By doing this the user (who has a supervisory role) has told their subordinates and others that it's OK to do this thus increasing the likelihood of others doing the same.
  • By doing this they are teaching the users that clicking on an e-card that seems to come from someone you know is OK, even at work.
  • By doing this they are reducing the effectiveness of company policies. (Unless something is done which is out of my realm of responsibility).

Something so seemingly innocent and nice really has a negative effect on information security. A simple email saying thanks would have sufficed and would have been much less damaging.

The good thing is that this will give me the opportunity to ensure that this and similar issues are addressed in a way that ensures that all understand the importance of following policy and practicing safe computing. Plus it will add to my UA Training listing.


LonerVamp said...

E-cards, a neat thing back in the mid/late 90s, have completely been turned on their heels by spammers in the last year and a half. In fact, their whole "industry" is being undermined and abused to the point that I'll ignore even legit e-card notices (although I don't think any I get are legit, my mom stopped using them years ago...).

You're absolutely correct, actions like this promote bad habits. In a former job, a few of us had worked hard to make sure people started learning the evils of clicking random links in emails. So what does the CTO do one day? Yup, a Microsoft patch had been released for something and he sent out a company-wide email containing a link to download the update...from a site that wasn't even Microsoft! (This was some CNET update/email or something...) Since we were a smaller shop without internal email infrastructure, the damage was done by the time the email arrived in my inbox.

MikeP said...

While I don't disagree that what this user did is a bad thing, why is it breaking policy of email for business purposes only if it's an e-card, but not if it's a note saying thank you?

I understand why you would say so, but from the perspective of a user, what exactly is the difference?

Andy, ITGuy said...

Mike, that is where UA training comes in. If I really looked at it, since it was a thank you for something that came from the company, you could make an argument that it was business related. So therefore no policy was broken, but if I wanted to really press it and hold the policy to the letter of the law then I could make a case that policy was broken. I think it is a bad idea to get that legalistic. As you know, my concern was the bad habits that sending an e-card reinforces. UA training would deal with this as a topic and hopefully make the users see the dangers in this.

MikeP said...

Fair enough, that's all I wanted to get at. Such training should cover precisely the question I asked, and I don't believe bringing up the policy there is the right thing to do; just say the cards are bad because they promote bad email habits.

(Of course, what would happen then would be the user would send a card, then send around an email saying it's ok, they really did send the card and it's ok to click...)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.