150 infosec bods now know who they're up against thanks to BT Security cc/bcc snafu

BT Security managed to commit the most basic blunder of all after emailing around 150 infosec professionals who attended a jobs fair – using the "cc" field instead of "bcc". The email, shown to The Register by a non-trivial number of aggrieved recipients, thanked them for attending the Westminster Cyber Expo and popping by the …

  1. Victor Ludorum
    Facepalm

    Words fail me

    See icon

  2. Chloe Cresswell Silver badge

    Team size increases...

    "we'll be increasing the size of our security team by 25 per cent..." 25% +1 now, maybe?

    1. Korev Silver badge
      Coat

      Re: Team size increases...

      I CC what you did there

  3. Anonymous Coward
    Anonymous Coward

    Unbelievable

    Utterly unbelievable......

    1. Anonymous Coward
      Anonymous Coward

      Re: Unbelievable

      Not at all, they should have attended the same privacy course my company forced me to attend. They explained that only personal addresses had to be put in BCC, while non-personal ones had to be put in CC, and it was an error to answer "simply put all those bloody addresses in BCC so others won't know to whom else the mail was sent, and I don't have to check each address to understand if it is personal or not".

  4. smudge
    Windows

    Reply-all email chains are no laughing matter.

    Damn right. I once worked on a contract for Shell, and had a Shell email address. Every now and then some eejit would send an email to a relatively small proportion of Shell's workforce, but that would still amount to thousands of people. It was quite informative to see the resulting email war spreading around the planet, and seeing how long it took. But that in no way compensated for having frequently to delete hundreds of emails...

    1. MiguelC Silver badge
      Trollface

      Re: Reply-all email chains are no laughing matter.

      My favourites are mailing list misconfigurations. My kid's school mailing list administrator has a bad habit of regularly setting them to relay all replies to the whole list... until enough people start asking to be taken off the list, others angrily tell everyone not to reply to all, others comment on the original mail or on any other subject, ad infinitum.

      I just laugh.

      1. Myvekk

        Re: Reply-all email chains are no laughing matter.

        Trollish parents hitting reply all, just to keep the torment going... Or to hammer the administrators' mail enough to teach them to Do Not.

    2. Anonymous Coward
      Anonymous Coward

      Re: Reply-all email chains are no laughing matter.

      Yep, they're no laughing matter, mostly when you're in charge and are watching in despair the 1-5% of idiots replying to all, exponentially loading all systems and storage!

      With only 150 recipients, risk is almost 0, but with X thousands, like I could myself verify, things can go titsup quite quickly. Then, you'll need to take down all replies, if at all possible given the architecture, before the Great Global Collapse (tm).

      For those blaming the poor sod, this is a bit stupid. Everyone has done this at least once, and given how retarded outlook controls are (aka, you need to manually move from cc to bcc before sending, as bcc is not available by default), of course people are making mistakes. You forgot to do the last drag before sending? Bam, you got it!

      1. fnusnu

        Re: Reply-all email chains are no laughing matter.

        2 people have replied to all so far. The recall note was also cc'd to all

      2. Pascal Monett Silver badge

        Re: Everyone has done this at least once

        No, I haven't. Ever. The fact that I don't use Outlook might have helped, from the look of things, but first and foremost I actually pay attention when I reply to or write an email.

        There's also the fact that I never use Reply To All - my ego is not of sufficient size to believe that everyone is interested in my response.

        Maybe, some time in the future after my brain aneurysm I might, but up to now my record is spotless on that account.

      3. John Brown (no body) Silver badge

        Re: Reply-all email chains are no laughing matter.

        "given how retarded outlook controls are (aka, you need to manually move from cc to bcc before sending, as bcc is not available by default), of course people are making mistakes. You forgot to do the last drag before sending? Bam, you got it!"

        Is this also why BT said "could you recall the message" in relation to forwards etc? I don't recall using a mail system where "recall" was an option, or if it was, that it worked in any reliable way. It sounds very much like something MS would implement as if it was some sort of proper and official standard.

  5. chivo243 Silver badge
    Trollface

    We know who needs SECOPs help

    Or is it just basic e-mail etiquette? Are they the same with this outfit?

  6. Fat_Tony
    Facepalm

    One recipient even reply-all'd to the original email asking to be taken off it

    there's always one idiot who just can't help themselves

    1. Cederic Silver badge

      Re: One recipient even reply-all'd to the original email asking to be taken off it

      "We need people like you." Yes, you do. But not him, cross him off the list.

      (or her, I believe in equal opportunity idiocy)

      1. Anonymous Coward
        Anonymous Coward

        Re: One recipient even reply-all'd to the original email asking to be taken off it

        Cross them off the list?

        Surely this candidate and BT are an ideal match?

  7. JimmyPage Silver badge
    Flame

    if (count(reply_addresses) > 10) GetAdminClearanceBeforeSending();

    Now, where's my £1,000,000 ?

    1. CrazyOldCatMan Silver badge

      Re: if (count(reply_addresses) > 10) GetAdminClearanceBeforeSending();

      Now, where's my £1,000,000 ?

      I've got it here. However, I'll need you to send me £5000 so that I can process releasing it to you..

  8. big_D Silver badge
    Facepalm

    Who?

    Who, working in info-sec,

    a) uses a "real" email address for such things, you'd usually use a throw-away address, such as bt.stand@mydomain.com, or even a disposable gmail or similar address.

    b) uses their work email address when looking for a new job (that goes to anybody, not just info-sec bods). 30 years ago, maybe, but today?

    That said, a complete balls-up by BT

    1. Chloe Cresswell Silver badge

      Re: Who?

      You mean a normal/traditional complete balls-up by BT...

  9. smudge

    Interesting dilemmas

    If you were a candidate, wouldn't you now withdraw your interest?

    And if you were BT, wouldn't you go after those who withdrew, rather than those who stayed?

    And as for the bod who replied-all, citing GDPR - clearly top management potential there.

    1. Mandoscottie
      Angel

      Re: Interesting dilemmas

      wouldn't have been interested in BT infosec to begin with :P

  10. RSW

    Alanis Morissette would be proud

    1. Anonymous Coward
      Anonymous Coward

      it's like RAAAAAAAIIIIIIIIIIINNNNNNNNNN

      1. Glen 1

        Want to feel old?

        That song was released in... 1996. 23 (nearly 24) years ago

        1. Doctor Syntax Silver badge

          AH, bless. Somebody who thinks 24 years was a long time ago.

          1. Anonymous Coward
            Anonymous Coward

            Now that's ironic. Don't ya think?

          2. Anonymous Coward
            Anonymous Coward

            "AH, bless. Somebody who thinks 24 years was a long time ago."

            <troll>Ok, Boomer</troll>

            1. Anonymous Coward
              Anonymous Coward

              Sounds like an old man. Recently turned ninety-eight. Hopefully he didn't win the lottery today because we all know what's in store tomorrow if that was indeed the case.

  11. Anonymous Coward
    Anonymous Coward

    BCC

    It's far too easy for those employees who deal with mailing lists regularly to miss out the step of switching to BCC. It's the primary source of minor data protection breaches for us and I guess for the majority.

    You'd think that since it's so common a problem it would be easy to have the default sending option set to BCC, then you'd have to actively switch to make a mistake (the fail option being a safe state). But no, if you use MS Outlook it does not have an easy option to set BCC as the default.

    If anyone can correct me and point me to a nice switch to make email default to BCC I'd really like to know. Then I'll vigorously beat our exchange admin with the knowledge until they make it happen.

    1. Sulky

      Re: BCC

      I've not done it, but you should be able to use the developer tools to edit the "Message" form and substitute the To: field with the BCC field and save it as the default new message form. There is a way to assign that new form across all outlook deployments as the default but I can't remember how off the top of my head.

  12. EnviableOne
    Facepalm

    We take the protection of data extremely seriously

    obvs --->

  13. Missing Semicolon Silver badge
    Windows

    Exchange users

    Do have this rather quaint belief in the ability to "recall" mails.

    The rest of us just chortle. Or not, if the "recall" mail is also not Bcc'd.... (like our local Conservative Party..)

    1. Flywheel
      FAIL

      Re: Exchange users

      And "If you haven't already opened it, could you delete the email straightaway without opening"

      Presumably they're assuming that you either have message preview enabled or you can read emails without opening them!!

  14. GarethB

    Not at all surprised

    We had a BT Eco Repair account created for us today. For those who don't know this is used to report faults on BT lines and circuits.

    Logged in and could immediately see fault reports for lines which didn't belong to us. Took a look at one and it contained the contact name, mobile phone number and installation address at the British Transport Police.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not at all surprised

      Our previous service desk was maintained by a certain outsourcing company with a name starting with 'C'. I pointed out to them that, despite their protestations that we were in an isolated partition, I could see information on all their other contracts, including Police and Local Government contracts.

      Needless to say, that situation persisted until we ejected them.

      1. Myvekk

        Re: Not at all surprised

        Did you do their other clients the courtesy of notifying them that their details were exposed? They might have wanted to change as well... Once they knew.

      2. John Brown (no body) Silver badge

        Re: Not at all surprised

        "Needless to say, that situation persisted until we ejected them."

        How long did that take, knowing that your company's data was almost certainly available to those other orgs?

    2. PM from Hell

      Re: Not at all surprised

      I managed the telephony contract re-tender for a county council.

      A key requirement was for the incumbent supplier to give us a full list of all lines, locations and tariffs. Unfortunately they couldn't provide this with any level of accuracy as they had accidentally transferred all the city council lines to our account previously. Whilst billing was correct they couldn't manage to provide a report which just had our properties. We also had a suspiciously large number of out-of-county lines. Whilst we had a couple of care homes and outward bound type educational establishments, we didn't own the public payphone in the middle of an RAF base or various magistrates' courts scattered around the UK. When we asked for a similar report from our mobile phone provider they sent us a complete extract of all mobile numbers, usage, phone type, user name and contact details within 48 hours. The only problem was they sent the data from a completely different County Council.

  15. Anonymous Coward
    Anonymous Coward

    Officepower

    In a certain computer company the email system used to send your mail to everyone in the company whose address started with that letter if you mistakenly left a single letter in the To field. Hence people from South Africa to Reading were all acquainted with the details of a young lady's party mishap. Unfortunately it was the letter "B" and so was a Mr Bonfield.

  16. bpfh

    Professional mailing list software exists...

    And it’s not as if they don’t have the means to pay for one.... in this day and age this sort of thing should not happen...

    1. Warm Braw

      Re: Professional mailing list software exists...

      However it doesn't solve two problems:

      1/ Ordinary mortals having to beg permission to create a list (or have someone else do it for them)

      2/ Said mortals taking a shortcut because it isn't worth the hassle

      On the whole, I think mail servers should be configured so they reject more than, say, half a dozen total recipients (CC'd or BCC'd), any of which could be the ID of a mailing list, of course: there's rarely any genuine reason to copy more than 6 named people into e-mails and if there is a need to inform a larger number of roles you probably need to formalise it with a list anyway. It would limit potential information leaks and get rid of a lot of arse-covering irrelevance.

    2. Roland6 Silver badge

      Re: Professional mailing list software exists...

      I think many are missing something here, namely, how did the contact details of 150 potential applicants get into the cc field of an email? To me, this says that whoever processed the contact information (personal data) did so outside of normal HR and contact management systems. I.e. those contact details are being retained within an individual's own address book; perhaps someone didn't understand their GDPR training..

  17. Claptrap314 Silver badge

    "Reply-all email chains are no laughing matter."

    Buhahahahahahaha!

    Are you KIDDING me? They. Are. Hilarious. And have been ever since I got online in 1993. Deliberately replying-all to a mass cc'ed email is an efficient way of driving the point home both to idiot users in dire need of a clue bat, and lazy admins who don't understand that exponential backoff isn't something you just read about.

    I can understand that into the mid-nineties, protections against these things might not have been in place. Even as late as 2000, it is understandable that mid-sized organizations might not have gotten up to speed. But to claim that you are running an enterprise IT department at the end of 2019 that cannot deal with a simple reply-all storm? Grow up, kid. This ain't Disneyland.

  18. Martin-73 Silver badge

    Someone clue me in please

    I understand HOW the original snafu could occur, lack of checks, some underpaid person clicking the wrong field in outhouse, etc.

    But WHY is it always compounded by someone doing a reply all? Is there a mail client where the default to a multirecip message is 'reply all'?

    And if so, why hasn't the programmer been shot?

  19. Norman Nescio Silver badge

    MTA RFC?

    Given the unlikelihood of mail clients being modified to make this sort of thing less likely to happen by accident or ignorance, perhaps there is mileage in writing an updated Message Transfer Agent RFC that requires that the agent can count the number of names in a 'cc' field and refuse to transfer the mail if it is above a certain number?

    If you really want to cc a lot of people, request permission from the MTA first; or maybe the MTA puts the message in quarantine and requests the sender to confirm they want the mail to be forwarded.
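The recipient-count policy sketched in Warm Braw's comment (reject more than half a dozen visible recipients, with mailing-list IDs exempt) and in the MTA proposal just above (count the names in the cc field and hold the message for confirmation rather than relay it) can be prototyped as a small message filter. The code below is an added example written for this page; it is not from the thread, from BT, or from any real MTA. The limit of 6, the exempt list address `all-staff@example.com`, and both sample messages are constructed for the demonstration; a real deployment would run this as a milter or submission-time hook and act on the verdict.

```python
"""Recipient-count policy check for an MTA or submission hook (added example).

Counts the distinct addresses a recipient would *see* (To + Cc) and returns
a verdict.  Bcc is deliberately ignored: it is not visible to other recipients,
so a Bcc to 150 people leaks nothing, while a Cc to 150 people does.
"""
from email import policy
from email.parser import BytesParser

MAX_VISIBLE = 6  # assumption: "half a dozen" named recipients, per the thread

# Assumption: addresses that are the ID of a proper mailing list do not count
# towards the cap, because the list software handles disclosure itself.
LIST_ADDRESSES = {"all-staff@example.com"}


def visible_recipients(raw: bytes) -> set:
    """Return the lower-cased addr-specs in all To: and Cc: headers.

    The modern email API is used so that quoted display names containing
    commas ("Smith, Alice"), folded headers and RFC 5322 group syntax are
    parsed correctly instead of naively splitting on ','.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addrs = set()
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            for address in header.addresses:  # groups are flattened here
                if address.addr_spec:
                    addrs.add(address.addr_spec.lower())
    return addrs


def recipient_policy(raw: bytes, limit: int = MAX_VISIBLE) -> tuple:
    """Return ("accept" | "quarantine", number_of_named_recipients).

    Over the cap the message is held for sender confirmation rather than
    bounced: a legitimate one-off is not lost, and a Cc-instead-of-Bcc
    mistake is not relayed to everyone before anyone notices.
    """
    named = visible_recipients(raw) - LIST_ADDRESSES
    count = len(named)
    if count <= limit:
        return ("accept", count)
    return ("quarantine", count)


# Constructed sample: a small, legitimate message.  Note the quoted comma in
# the display name, the exempt list ID, and a Bcc that must not be counted.
SAMPLE_OK = b"""\
From: events@example.net
To: "Smith, Alice" <alice@example.org>
Cc: bob@example.org, all-staff@example.com
Bcc: carol@example.org
Subject: Thanks for visiting the stand

Thanks for stopping by.
"""

# Constructed sample: the failure mode from the article, a mass mailing with
# everyone in Cc.  The header is folded across lines and one address appears
# twice with different case, which must de-duplicate to a single recipient.
SAMPLE_CC_STORM = b"""\
From: events@example.net
To: r0@example.org, R1@Example.org
Cc: r1@example.org, r2@example.org, r3@example.org,
 r4@example.org, r5@example.org, r6@example.org, r7@example.org
Subject: Thanks for visiting the stand

We'll be in touch.
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("storm", SAMPLE_CC_STORM)):
        verdict, n = recipient_policy(sample)
        print(f"{label}: {verdict} ({n} named recipients visible)")
```

Running the block prints `ok: accept (2 named recipients visible)` and `storm: quarantine (8 named recipients visible)`. The design choice worth noting is that the count is taken from what other recipients can see, not from the SMTP envelope: envelope recipient counts would also flag a correctly Bcc'd mailing, which is exactly the safe behaviour the thread wants to encourage.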

  20. Mandoscottie
    WTF?

    note to self (like I needed it) infosec & BT got it.

    not the first clowns I'd think of, pc world tech team first maybe.
