Security's Everyman

Monday, July 16, 2007
You know better than that
I received a password protected document from a security company that we do business with. I did not know the password so I sent him an email letting him know that. I expected to get a phone call but to my surprise and disappointment I received an email with the password in plain text. Now the document was not of a highly sensitive nature but it's not something that is meant for the public eye.
Of course the sensitivity of the document is not the issue here. The issue is that the password was sent via email. And worse than that is the fact that it was a security professional that did it. Someone who really should know better. I realize that the chance of someone actually sniffing our connection at that moment and pulling the password is remote and that it is even more remote that he would have been able to capture the earlier email with the document attached to it.
It's just one of those things that gets my goat just a little. Of course shortly after I started writing this I received another email with a password in it. This one was from a friend and Security Professional. What am I gonna do with you guys! :)
Posted by Andy, ITGuy at 11:04 AM
7 comments
Labels: Andy ITGuy, information security, passwords
Tuesday, November 21, 2006
The right bait
I often get phishing emails. They don't bother me because I'm aware of them and I'm very careful before clicking on links. Every now and then I get one that catches my attention and I check into it a little further before declaring it as phish. This morning I got one that made my heart beat a little faster and made me quickly check my paypal account. Below is the text of the email.
You have added restenterprises@yahoo.com as a new email address for
your PayPal account.
If you did not authorize this change or if you need assistance
with your account, please contact PayPal customer service at:
https://www.paypal.com/us/cgi-bin/webscr=_email-login
Thank you for using PayPal!
The PayPal Team
Please do not reply to this e-mail. Mail sent to this address cannot
be answered. For assistance, log in to your PayPal account and choose
the "Help" link in the header of any page.
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites
by opening a new web browser (e.g. Internet Explorer or Netscape)
and typing in the PayPal URL every time you log in to your account.
PayPal Email ID PP0018
HHIKCSLWEFSWXIRMDXOCHIDSSJDZBRRBYLDHYCWhat really scared me about this is that it came to the email account that I have registered with paypal. Most of the phishing emails I get don't come to the address that I have registered with the site in question or if it is the email is so obviously fake that I know it right away. It did't take too much investigation to discover that the link is redirected to somewhere in the Asia/Pacific rim but it still gave a little jump to my blood pressure. I can't imagine what I would have done if I was the typical uninformed user. I hate to think that I would have just opened up my paypal account to joe hacker. Even after confirming that it was a phish I still logged in to paypal to make sure. I still had a sinking feeling that I had been compromised. I need to go take a shower. This makes me feel violated.
Posted by
Andy, ITGuy
at
5:58 AM
4
comments
Labels: information security, passwords, paypal, phishing
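The tell in the post above is that the link text reads https://www.paypal.com/... while the link itself went somewhere else entirely. The following is an added example, not code from the blog or from PayPal: it parses the HTML body of a mail, pairs every anchor's href with its visible text, and flags links whose visible host differs from the real host or whose real host is not under a trusted domain. The post only shows the plain-text rendering of the mail, so the HTML sample here is constructed; the IP address 203.0.113.45 is a placeholder from the documentation range, and the actual redirect target the author found is not reproduced. The check does not follow redirects, so it only catches what is visible in the mail itself.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.com/...' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host, trusted_domains):
    """True if host equals a trusted domain or is a subdomain of one (no 'paypal.com.evil.net')."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_suspicious_links(html_body, trusted_domains=("paypal.com",)):
    """Return [(href, visible_text, [reasons])] for anchors that look deceptive."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Only treat the visible text as a URL claim if it contains something host-like.
        text_host = host_of(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else None
        reasons = []
        if text_host and text_host != href_host:
            reasons.append(f"visible text points to {text_host} but link goes to {href_host}")
        if not is_trusted_host(href_host, trusted_domains):
            reasons.append(f"link host {href_host} is not under a trusted domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: an HTML rendering of a mail like the one in the post.
# The first link shows a paypal.com URL as text but actually points at a placeholder IP.
SAMPLE_EMAIL = """
<p>You have added someone@example.com as a new email address for your PayPal account.</p>
<p>If you did not authorize this change, please contact PayPal customer service at:
<a href="http://203.0.113.45/pp/login.php">https://www.paypal.com/us/cgi-bin/webscr=_email-login</a></p>
<p>NEVER give your password to anyone and ONLY log in at
<a href="https://www.paypal.com/">https://www.paypal.com/</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href}")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed sample, only the first anchor is reported, with both reasons. Checking the suffix with a leading dot is what keeps a host such as paypal.com.example.net from passing as trusted.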