What a way to start off RSA. I’m not even there yet!
Well, I *just* got off the phone with the Press Secretary for the Office of the Director of National Intelligence.
If you don’t know what happened, several of us in the ‘security community’ simultaneously received unsolicited emails, claiming to be communication and a press release from the Office of the Director of National Intelligence (U.S.). In addition to the content of the email, which Jack so kindly posted in its entirety, there was a PDF attached. You can see the PDF online from DNI’s site.
After a few chats with folks, we were all wondering what the source of the email really was, and where the contact list had been pulled from. The entire thing was a bit suspicious, especially on the eves leading to RSA (or any security conference).
Our suspicions were confirmed. It’s all completely innocent. The DNI pulled the RSA Media Contact list to publish their press release. Evidently there were plans to send an introductory email, but time was short (I’m sure we all understand that), so the intro was omitted and the press release sent as-is.
I sent an inquiry to GovDelivery (the sending entity) which was quickly forwarded to the press office of DNI. Their representative was kind enough to immediately give me a call to confirm the communication was legit.
We had an interesting conversation. We: me, the paranoid security person, and he, the press person just trying to get the department’s news out. When he started to apologize for the unsolicited email, I stopped him to assure him I was less concerned with him having my email address, and more concerned that dozens of security specialists were unexpectedly contacted with a PDF attachment prior to a large security conference.
Although he didn’t immediately understand what the concern was in receiving this email, he was extremely polite and interested in ideas for (safely) contacting us security folk. I spent a few seconds explaining why we wouldn’t open attachments from unknown sources, why we also would not be clicking on any links labeled ‘unsubscribe’ unless we were familiar with the source, and why calling the number on that same email was not a suitable solution for us.
Yes, we’re all paranoid freaks. Well, those of us in the Security Bloggers Network, for sure. But hey, better safe than sorry, right?
# # #