Auto-Reply Best Practices

The jury is still out on the etiquette involving auto-reply functions for your email. Some deem it unprofessional, creating an appearance that communication with a client must be instant or that your time is not valuable. Security professionals, like myself, are more concerned with the security risks involved with announcing to the world that you are leaving your email account and even your office unattended.
Depending on the amount of detail disclosed in an auto-reply message, intruders may deduce any number of unnecessary details about your professional and personal life. Here are a couple of detailed examples:
  1. Joe: I am out of the office beginning November 13 and will return November 27 vacationing in San Jose, California and later enjoying the Thanksgiving holiday. I will have limited email access and will respond as time allows.
  2. Alan: I will be attending a cybersecurity conference in Nashville, Tennessee prior to the Thanksgiving holiday and will not return to the office until November 27. If you need immediate assistance, please call my office.
Simply by reading either example, an intruder acquires information that did not need to be disclosed:
Example 1 – Joe
  • You will not be in your office from November 13 – 27
  • You will not have physical access to your work computer from November 13 – 27.
  • You will be out of the state likely the week prior to Thanksgiving, meaning you are likely leaving your residence unattended.
  • You will be reading emails but will rely on your auto-reply to answer any emails which are not considered critical.
Example 2 – Alan
  • You will be out of town sometime between November 13 and November 27.
  • You announce you will not visit your office until November 27.
  • You do not mention you will respond to emails as needed, meaning you are neglecting your email from November 13 to November 27.
  • You asked any senders to call the office, meaning someone has not been designated to monitor your email for incoming emails.
It is information such as that disclosed by Joe & Alan in Examples 1 & 2, handed to potentially harmful intruders, that causes security professionals to frown at auto-reply messages. Based on that information, I would conclude that any nefarious activity on my part, if I were an intruder, would be easier to conceal. I would be able to attempt the following:
  1. Spam Joe or Alan’s email account
  2. Sell Joe or Alan’s email account on the market as a known, active email account
  3. Call Joe’s office stating, “I spoke with Joe out in San Jose. He said to call the office and ask for my deposit back.”
  4. Call Alan’s office stating, “I spoke with Alan at his conference; I am his technical support vendor. Since he was in the middle of the conference and could not speak long, he asked that I call the office and get the password we set up for him last week. He said we might have to reset it since he is unavailable in the conference.”
  5. Attempt to gain access to Joe or Alan’s email account, particularly Alan’s since he announced it would be unattended.
  6. Attempt a break-in at Joe’s home since he is in California and to gain access to Alan’s office since he could possibly be in town but is not in the office.
Best Practices
Be as vague as possible. If the information you disclose in an auto-reply message is so critical that a customer must know it from an automated email response, then the customer should be calling your office anyway. The less information you share, the better.
Use the auto-reply only for what it is intended, letting someone know that you will not be responding as you normally would. Any other information you disclose is considered unnecessary.
Do not include names, places, or events. Detailed information can fuel a phishing call, like #4 and #5 above, by adding credibility. Details such as “San Jose” and “conference” are essential for the caller to gain credibility with the person receiving the call. The more information the intruder is able to recite, the more pressure the person receiving the call will feel to comply with the intruder’s request.
Below is my recommendation for a simple but secure auto-reply message.
I am unavailable. If you need immediate assistance, please call the office at (555) 555-5555.
My recommendation does not disclose any information other than for the sender to not expect an immediate response to his/her email. In contrast to Joe & Alan’s auto-replies, my recommendation does not disclose the following:
  • My physical location; if I am in the office or not.
  • My email activity; if I will respond to your email today or not.
  • My presence in the office or at home; if I am available for a telephone call or not.
  • The extent of my availability; dates or times.
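The check below is an added example, not part of the original post: it scans an auto-reply draft for the kinds of detail discussed above (dates, places, reasons for the absence, email habits) and is run against the three messages quoted in the post. The rule names and regular expressions are assumptions of this example and are heuristics, not a complete detector.

```python
import re

MONTH = (r"(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
         r"aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)")

# Heuristic rules (assumptions of this example), one per kind of detail the
# post advises leaving out of an auto-reply.
RULES = {
    # Absence window: "November 13", "11/27"
    "dates": re.compile(r"\b" + MONTH + r"\.?\s+\d{1,2}\b|\b\d{1,2}/\d{1,2}\b", re.I),
    # Capitalized place name after a preposition: "in San Jose, California"
    "location": re.compile(
        r"\b(?:in|at|to)\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*(?:,\s*[A-Z][a-z]+)?"),
    # Why the sender is away, which a caller can recite as a pretext
    "reason": re.compile(
        r"\b(?:vacation\w*|holiday|conference|travel\w*|"
        r"out of (?:the )?(?:office|town|state))\b", re.I),
    # How closely the mailbox is being watched
    "email_habits": re.compile(
        r"\b(?:limited|no|without)\s+(?:e-?mail\s+)?access\b|"
        r"\brespond as time allows\b", re.I),
}

def lint_auto_reply(text):
    """Return {rule_name: [matched phrases]} for every rule that fires."""
    findings = {}
    for name, pattern in RULES.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings

# The three messages quoted in the post.
JOE = ("I am out of the office beginning November 13 and will return November 27 "
       "vacationing in San Jose, California and later enjoying the Thanksgiving "
       "holiday. I will have limited email access and will respond as time allows.")
ALAN = ("I will be attending a cybersecurity conference in Nashville, Tennessee "
        "prior to the Thanksgiving holiday and will not return to the office until "
        "November 27. If you need immediate assistance, please call my office.")
RECOMMENDED = ("I am unavailable. If you need immediate assistance, "
               "please call the office at (555) 555-5555.")

if __name__ == "__main__":
    for label, msg in (("Joe", JOE), ("Alan", ALAN), ("Recommended", RECOMMENDED)):
        print(label, lint_auto_reply(msg) or "no disclosures found")
```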

Rival Partnership : Intel & AMD

Intel and AMD, chip rivals, are partnering in an effort to combat Nvidia on a laptop chip. The chip is to include an Intel CPU and an AMD graphics processor.

The chip is considered to be of a small, lightweight design and capable of handling high-performance gaming.

This is the first partnership between the rivals since the 1980s. The move is considered to be more surprising on the Intel side, as Intel has maintained a high market position over AMD over the years.

More recently, Nvidia has taken a chunk of the graphics card market, making Nvidia a clear concern for Intel.

The concern is high enough for both Intel and AMD that they feel it is necessary to team up in order to thwart Nvidia.

My recommendation is still the same as it has always been (and as I have always heard). Intel is superior.

Authentication Loops

Have you ever tried to log in to an app like Netflix, Hulu, etc.? There are few things more frustrating than knowingly inputting the correct credentials only to get stuck in an authentication loop.

I attempted to authenticate my DIRECTV Now subscription with the National Geographic TV app on my Apple TV this afternoon. I was required to:

  1. Visit natgeotv.com/activate
  2. Insert Activation Code
  3. Choose service provider (DIRECTV Now)

These are common steps and are an annoyance even when they produce results. After Step 3, I was redirected to Step 1 to begin the loop again.

I look forward to the technology to be invented that will bypass the inconvenience of authenticating a service provider. A simple one-step process is needed to activate a device and authenticate an account.

DIRECTV Now App Access


Cable-cutting with DIRECTV Now just got easier. Prior to October 14th, if you were a DIRECTV Now subscriber, you were required to borrow a friend’s cable subscription to have access to almost any network’s app. DIRECTV Now has added a “cable subscription” to DIRECTV Now accounts. Here is a full list of networks currently accepting DIRECTV Now credentials. This opens up all kinds of new content for cable-cutting users who were stuck without their favorite shows or apps.

A DIRECTV Now user myself, I enjoy scrolling through service providers to find my own paid service without having to ask my parents for their cable subscription credentials.

Network Adapter Script

  1. In an elevated command prompt, copy and paste the command below, and press Enter. This will show you all network adapter names on your PC.
    netsh interface show interface
  2. To enable a NIC, type the following command:
    netsh interface set interface "network_adapter_name" admin=enable
    (e.g. netsh interface set interface "Ethernet" admin=enable)
  3. To disable a NIC, type the following command:
    netsh interface set interface "network_adapter_name" admin=disable
    (e.g. netsh interface set interface "Ethernet" admin=disable)