    Entries in security (3)


    When HR's 'Do not reply to this email' becomes a security issue

    We have all seen these kinds of messages in emails coming from organizations - retailers, mass marketers, maybe even from e-newsletters from big publishers like the New York Times or the Huffington Post.

    Mostly, we don't give these messages, and their admonitions to NOT REPLY all that much thought. Who wants or needs to reply to Target's daily e-mail reminder of the TREMENDOUS Black Friday deals that are upcoming anyway?

    But there is definitely at least one scenario where these DO NOT REPLY emails are used where they are much more likely to elicit an actual response from the recipient - in the context of job applications when the DO NOT REPLY emails are going out to candidates from an ATS or a recruiter.

    It is an extremely plausible scenario that an applicant would want to reply to an auto-generated message from the ATS to ask additional questions, to make sure that all the needed application materials were received, or simply to inquire about the current status of the application itself. And while the argument over whether organizations, especially large ones that receive millions of applications each year, should or even can respond to every possible candidate email will continue to rage, one thing is certain: you should NEVER do what it appears Chipotle (the big restaurant chain) did.

    Details below, courtesy of the Krebs on Security blog:

    The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “chipotlehr.com” — a Web site name that the company has never owned or controlled.

    Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “chipotlehr.com”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

    (Michael) Kohlman said after submitting his resume and application, he received an email from Chipotle Careers that bore the return address @chipotlehr.com. The Minnesota native said he became curious about the source of the Chipotle HR email when a reply sent to that address generated an error or “bounce” message saying his missive was undeliverable.

    “The canned response was very odd,” Kohlman said. “Rather than indicating the email didn’t exist, [the bounced message] just came back and said it could not resolve the DNS settings.”

    A quick search for ownership records on the domain showed that it had never before been registered. So, Kohlman said, on a whim he plunked down $30 to purchase it.

    The welcome message that one receives upon successfully submitting an application for a job at Chipotle discourages users from replying to the message. But Kohlman said a brief look at the incoming email associated with that domain revealed a steady stream of wayward emails to chipotlehr.com — mainly from job seekers and people seeking password assistance to the Chipotle HR portal.

    “In a nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” said Kohlman. “As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage.”

    There is more to the story over at the Krebs site, including the official response from a Chipotle spokesperson claiming that the company did not see this as a problem at all, since the web domain www.chipotlehr.com was not a functional address and never had been. At least until Kohlman registered it recently. If you go to www.chipotlehr.com right now all you see is a blank page containing one sentence - "This is NOT the Chipotle Human Resources Page".

    Kind of a silly, sort of ridiculous story all around I think, but one that should make HR and Recruiting folks at least take a look at the specifics of the auto-generated messages they are sending out to candidates and applicants.

    I am not at all telling you that you shouldn't use 'DO NOT REPLY TO THIS MESSAGE' emails in your process, but if you do, just make sure you are not potentially exposing your applicants' data to unintended audiences.

    Maybe take 5 minutes today to have a quick call with your Admins or IT team about this. It is worth it for the peace of mind.
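One way to run the check this post recommends, as an added example that is not from this blog or from the Krebs article: a Python audit that pulls every domain a candidate reply or a bounce could end up at (From, Reply-To, Return-Path, Sender) out of an ATS message's headers, compares them against the list of domains the organization actually owns, and for each unowned domain distinguishes one that resolves (mail goes to whoever runs it) from one that does not (the chipotlehr.com situation, where anyone could register it). The sample headers, the owned-domain list and the resolver used in the test are constructed for this example.

```python
import socket
from email import message_from_string
from email.utils import getaddresses

# Domains the organization actually owns (constructed list for this example)
OWNED_DOMAINS = {"example-careers.com"}

# Constructed headers of an ATS auto-reply; the Reply-To domain is NOT owned
SAMPLE_HEADERS = (
    "From: Careers <no-reply@example-careers.com>\n"
    "Reply-To: hr@examplehr.invalid\n"
    "Return-Path: <bounces@example-careers.com>\n"
    "Subject: Thank you for applying\n"
)


def sender_domains(raw_headers):
    """Collect every domain a recipient reply or a bounce could be delivered to."""
    msg = message_from_string(raw_headers)
    pairs = []
    for hdr in ("From", "Reply-To", "Return-Path", "Sender"):
        pairs.extend(getaddresses(msg.get_all(hdr, [])))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}


def resolves(domain):
    """True if the domain has any A/AAAA record; an MX lookup would be stricter."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_sender_domains(raw_headers, owned=OWNED_DOMAINS, resolver=resolves):
    """Return (domain, problem) pairs; an empty list means every domain is owned."""
    findings = []
    for dom in sorted(sender_domains(raw_headers)):
        if dom in owned:
            continue
        if resolver(dom):
            findings.append((dom, "not owned by us; replies go to whoever runs it"))
        else:
            findings.append((dom, "unowned and unresolvable; anyone could register it"))
    return findings


if __name__ == "__main__":
    for domain, problem in audit_sender_domains(SAMPLE_HEADERS):
        print(f"{domain}: {problem}")
```

Feed it the raw headers of each template your ATS or recruiter mailbox sends, and treat any finding as something to fix before the next batch of candidate mail goes out.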


    LEAKED: Two observations from the Sony Pictures hack

    I am sure you have heard or read about the widespread hack and subsequent leaks of massive amounts of corporate information like email archives and other sensitive organizational (and HR) data at Sony Pictures.

    If you would like to get familiar, or at least caught up, a useful timeline of the hack and the leaks (which appear to be ongoing) is here.

    Embarrassing email exchanges, written potshots being taken at various industry players, and even a dump (in the form of an Excel spreadsheet), of salary and other HR data for the organization's executives.

    A mess. And seemingly not going anywhere, not for a while anyway.

    So here are my two, thought about this for 10 minutes, observations for HR/Talent professionals from this brouhaha.

    1. It's time to stop thinking of Email as private, secured communication. I think since the rapid rise, and subsequent realization of the lack of privacy, of public social networks like Twitter and Facebook, we somehow look at email in comparison and think it is private and secure. And while it should be, the Sony hack is just another example that reminds us that any communication in written, digital form is never 100% secure. We use Email so much, and in the large company environment it is so essential and ubiquitous, that we have been beguiled into accepting it as (mostly) private by default. And that is, in a word, insane. Forget about getting hacked by a malicious 3rd party - all it takes for your private, sensitive, possibly career-threatening email to get out into the world is one tiny error in the CC box, or one slip-up when forwarding something to John Jones and having it go to John Johnson instead. Lesson: Stop emailing so much (in general). And talk to your leaders, managers, and employees about maybe picking up the phone once in a while.

    2. Employee and HR data in Excel spreadsheets is likely your single largest HR data-related risk area. Every single company has HR or Comp people with salary, bonuses, and other HR/Compensation data sitting in Excel spreadsheets on individual PCs and company servers. For smaller companies, this is usually out of necessity: Excel is the only tool available to them to do comp calculations and analyses. But even in larger companies that have powerful and sophisticated Compensation Planning tools, often these tools are used to simply dump Employee and Comp data into Excel for additional manipulation and even file sharing. The Comp planning systems are powerful and secure. Excel spreadsheets are powerful and highly insecure (ask Sony). Where should you insist your Comp data remain?

    We have spent literally years reminding our kids and each other that nothing that gets posted on Facebook or Instagram is really private.

    It is also time to remind ourselves and our employees that nothing posted anywhere is really private either.

    Have a great week!


    'And we're going to track one of our employees'

    There you go, happily wandering around the internet and the social networks. A Twitter conversation here. A Foursquare check-in there. Maybe a quick cruise up and down your Facebook feed dropping a few 'likes', and uploading a cool snap from your weekend trip to a winery or petting zoo or ballpark. It's fun, it's social, and in 2013 for many of us, updating, connecting, and participating in social networking and contributing to the colossal Big Data set that is the social graph is an essential part of our lives.

    Sure, every so often we get a little tired of it all, maybe we take a Facebook vacation, or go on a little Twitter hiatus. We forget to update our LinkedIn profile for a while, (at least until we decide we need a new job), or decide 'checking-in' every time we get a coffee on the way to work is kind of silly. But eventually we come back. Too much of our lives, personal for sure, and increasingly professional, is wound up in the social web.

    That essential nature of social networking, which compels us to Instagram our pancakes before digging in or to fight over meaningless 'Mayorships' at our kid's preschool, also leads to a kind of softening in our views of privacy and security. It happens through a combination of often confusing and shifting privacy policies and a pessimistic, (probably realistic), rationalization that no matter what 'privacy' settings or controls one chooses, one's data, once submitted to the great big social graph in the cloud, will eventually become, if not public, at least available to people and programs for which it was never intended.

    We sort of get it, we get the tradeoff, we (mostly) accept it as a 'cost of doing business' where the value we derive, (fun, connections, business opportunities), is greater than or at least equal to the darker side of social - loss of privacy, more and more ads, the occasional backlash in the form of 'If you're not the customer, you're the product' bitterness. Ok, that last one is mostly my pet peeve.

    But despite all that, and our real understanding that nothing on the internet is ever truly private, it is enlightening to catch a glimpse, a snippet, of just what is happening with all that social exhaust we leave as we traverse the social networks and live our lives online.

    The UK's Guardian site managed to get hold of a pretty amazing video created in 2010 by the defense and security firm Raytheon, featuring a short product demonstration of a tool called RIOT (Rapid Information Overlay Technology). The Raytheon system was designed to exhibit just how simple and powerful social network data can be for the purposes of identification, tracking, and predicting one's movements. Take a look at the video below, (RSS and email subscribers please click through).

    Pretty incredible, right? And remember this video of RIOT is from 2010. No doubt development has continued on RIOT, and no doubt Raytheon was not, and is not, the only company interested in this sort of thing.

    But a great reminder nonetheless.

    We KNOW the data that we publish, push, and post on social media is never private.

    But we don't usually get to SEE a reminder of what that actually means.

    What's your take? Creeped out by RIOT? Or do you simply chalk it up as the way the world works today?

    Happy Thursday.

    Aside - Did you notice the Raytheon demo guy from the video looks just like comedian Louis C.K.? Weird.