Wednesday, December 19, 2012

bcc: Anyone?

How is it possible that a Dept of Defense IT service provider continues to send announcements (maintenance windows, outages, etc.) to a HUGE list of clients and simply puts every client email address on the To: line?

Seriously?

If I were evil, I would farm that list for potential victims, and it would also hand me an easy information set to use in a social engineering attack on the service provider itself.

Come on folks!

This is basic Operational Security stuff!
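As an added example that is not part of the original post: a pre-send check that flags an outbound notice exposing the client list, and the rewrite that hides the recipients the way Bcc would. The client addresses, the notice mailbox and the threshold of 10 are constructed values, not anything from the provider in question.

```python
# Added example, not from the original post: a pre-send check for bulk
# notices plus the Bcc-style fix the post asks for.
# MAX_VISIBLE and the *.example addresses are constructed/assumed values.
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 10  # assumed policy: more visible recipients than this is a leak


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient of this message would be able to read."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exposes_client_list(msg: EmailMessage) -> bool:
    """True when the To:/Cc: lines disclose more addresses than policy allows."""
    return len(visible_recipients(msg)) > MAX_VISIBLE


def hide_recipients(msg: EmailMessage, notice_addr: str) -> tuple[EmailMessage, list[str]]:
    """Return a copy with one generic To: plus the real client list separately.

    Pass the returned list as the SMTP envelope (e.g. smtplib's to_addrs) so
    clients get the notice without any header naming the other clients.
    """
    envelope = visible_recipients(msg)
    hidden = EmailMessage()
    for name, value in msg.items():
        if name.lower() not in ("to", "cc", "bcc"):
            hidden[name] = str(value)
    hidden["To"] = notice_addr
    hidden.set_content(msg.get_content())
    return hidden, envelope


def sample_notice(n_clients: int = 12) -> EmailMessage:
    """Constructed maintenance notice with every client visible in To:."""
    msg = EmailMessage()
    msg["From"] = "noc@provider.example"
    msg["Subject"] = "Maintenance window Saturday 0200-0400"
    msg["To"] = ", ".join(f"client{i}@agency{i}.example" for i in range(n_clients))
    msg.set_content("The portal will be unavailable during the window above.")
    return msg


if __name__ == "__main__":
    notice = sample_notice()
    print("leaks client list:", exposes_client_list(notice))  # True
    safe, rcpts = hide_recipients(notice, "noc-notices@provider.example")
    print("leaks client list:", exposes_client_list(safe), len(rcpts))  # False 12
```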