Imagine you are the CEO of a small company. You have some days off. You relax, buy a newspaper and have a coffee. After browsing through the news and financial sections you stumble upon a full-page advertisement for your own company. The text reads:
Our office is completely deserted. No one is working at the moment. The rooms are completely unattended. No one will pick up the phone. Only the security guards will walk by and superficially check the door handles. Although the doors are tightly locked and the windows are (probably) closed, you can be sure that no one will enter the office space until INSERT_DATE. So if you want to try picking our locks and rearranging the furniture, feel free. You can take what you want. The coffee machine is plugged in. The coffee cups are in the cupboard. Help yourself. If you run into any problems getting access, just mention Mr./Ms. NAME along with the PHONE NUMBER and ROOM NUMBER to the security service and maybe they will unlock the doors for you. Make sure you tell them that someone forgot something and you were sent to fetch it.
Would you publish something like this? If you said «yes», then you might want to have a talk with your local police and get some information about basic security. If you said «no», then check the vacation messages of the past two years. I am pretty sure that you have announced travels or other kinds of «away time». Even if you did not mention it in your e-mail vacation message, you probably sent a tweet, wrote something in your blog or updated your status on your favourite Web 2.0 social engineering web site. Police officials have warned about tweeting vacation plans and announcing, via Facebook updates, which houses are currently empty and worth a visit. Be careful what you post online. Not everyone reading your tweets is as polite and honest as you.
Speaking of e-mail, please make sure that your vacation message contains a reasonable text that cannot be abused easily. Refrain from giving too much information away. Don’t mention your temporary replacement by name, room and phone number. Doing so enables a potential social engineering attack against your customers or yourself. Your customer probably knows your replacement, and any phone call mentioning the name or other data gleaned from the vacation message adds to the attacker’s credibility. It is better to direct requests to a human, have the callers verified and call them back.
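The advice above can be turned into a simple check that an admin or a mail gateway runs over out-of-office texts before they go live. The following script is an added example written for this post, not code from the original article or from DeepSec; it uses a handful of regular-expression heuristics (an assumption on my part, not a complete parser for every way a message can leak) to flag the details the post warns about: a named replacement, room and phone numbers, the exact absence period, and ready-made "tell them I sent you" lines. The two sample auto-replies are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # which kind of detail the message gives away
    excerpt: str  # the text that triggered the finding


# Heuristic patterns (assumption: simple regexes, not a full language model).
# Each one corresponds to a detail the post says an attacker can reuse as pretext.
PATTERNS = [
    # "contact Mr. Example" / "ask for Jane Doe": a named person to impersonate
    # or to name-drop; the trigger verb is case-insensitive, the name is Title Case.
    ("named replacement",
     re.compile(r"\b(?i:contact|reach|call|ask for)\s+"
                r"(?:(?:Mr|Ms|Mrs|Dr)\.?\s+)?[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?")),
    # "room 314" / "office 12b": where the replacement physically sits.
    ("room number",
     re.compile(r"\b(?:room|office)\s*#?\s*\d+\w*\b", re.I)),
    # A direct-dial number; dots are deliberately excluded so dates do not match.
    ("phone number",
     re.compile(r"\+?\d[\d\s-]{6,}\d")),
    # "until 24.08.2010": tells the caller exactly how long the window stays open.
    ("absence period",
     re.compile(r"\b(?:until|till|back on|returning on)\s+"
                r"\d{1,2}[./-]\d{1,2}(?:[./-]\d{2,4})?\b", re.I)),
    # "tell him that I sent you": a pretext line handed to the caller verbatim.
    ("ready-made pretext",
     re.compile(r"\b(?:tell (?:him|her|them)|mention)\b[^.\n]*"
                r"\b(?:sent|asked|authori[sz]ed)\b", re.I)),
]


def lint_vacation_message(text: str) -> list[Finding]:
    """Return every risky detail found in an out-of-office text."""
    findings = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            findings.append(Finding(kind, match.group(0).strip()))
    return findings


def leaked_kinds(text: str) -> set[str]:
    """The distinct categories of information a message gives away."""
    return {finding.kind for finding in lint_vacation_message(text)}


# Constructed sample 1: the kind of auto-reply the post argues against.
LEAKY_REPLY = (
    "I am out of the office until 24.08.2010 and will not read my e-mail.\n"
    "In urgent cases please contact Mr. Example in room 314, phone +43 1 234 5678.\n"
    "Tell him that I sent you."
)

# Constructed sample 2: routes callers to a human who verifies and calls back.
SAFE_REPLY = (
    "Thank you for your message. I am currently out of the office and will "
    "reply when I return.\n"
    "For urgent matters please contact our front desk, which will verify your "
    "request and call you back."
)


if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_REPLY), ("safe", SAFE_REPLY)):
        print(f"--- {label} reply ---")
        for finding in lint_vacation_message(text) or [Finding("none", "")]:
            print(f"{finding.kind:20s} {finding.excerpt}")
```

The safe variant passes because it names no person, gives no number and no date, and sends the caller to a desk that verifies requests and calls back, which is exactly the procedure the paragraph recommends. Treat the patterns as a starting point: a real deployment would extend them with the organisation's own naming and phone conventions.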
In case you want more information on what to do about vacation messages and social engineering web site updates, I recommend taking a hard look at the «Social Engineering Training for IT Security Professionals» training at DeepSec 2010. We won’t tell anyone that you’re not in the office. Promise.