Is publishing your employees' email addresses such a big deal?

Posted by   Virus Bulletin on   Jul 24, 2013

Beware of a false sense of security.

Security blogger Graham Cluley points to hypocrisy in a KPMG press release in which it criticises FTSE 350 companies for 'leaking data that can be used by cyber attackers', while making the same mistake themselves.

KPMG found that every single company in the FTSE 350 index (the 350 largest companies listed on the London Stock Exchange) had published employee usernames, email addresses and sensitive documents on their website - all of which can be used by hackers to gain access to the internal networks. But, as Cluley points out, the same holds for KPMG, which not only publishes email addresses of various high-ranking employees on its websites, it also uses a standard format for email addresses that makes it easy to guess the addresses of the more than 2,700 UK-based KPMG employees he found on LinkedIn.

I agree that the press release is rather hypocritical and that KPMG should practise what it preaches. But I don't agree that publishing some employees' email addresses, or making the addresses of others easy to guess, is such a big deal in the face of targeted attacks.

 Are we making it too easy for hackers?

The whole idea of an email address is that it is known to others: those that you send email to, or want to receive email from. It is possible to have email addresses that can only be used internally (these typically use a local top-level domain that cannot be resolved by public DNS servers), but these are also hard to forge by an attacker that doesn't already have access to the organisation's network. Email that is forged with such an address as the sender can easily be blocked by the mail server.

But once an email address has been shared with outsiders - for instance because it has been used to send an email to an external contact - it is best to assume it is known to the general public. Keeping the addresses 'secret' and using a format that makes it hard to derive the email address from an employee's name will frustrate communication, while doing little to keep those targeting the company at bay. Worse, it may give a false sense of security.

It is known that publishing email addresses on websites makes it likely the address will start receiving spam - this is a common technique used to set up spam traps. But even addresses that are never published will receive spam eventually. If spammers are able to obtain someone's email address, surely hackers are too.

350 FTSE companies can be wrong in some cases - but in this case I believe they aren't.

Posted on 24 July 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

New paper: Does malware based on Spectre exist?

It is likely that, by now, everyone in computer science has at least heard of the Spectre attack, and many excellent explanations of the attack already exist. But what is the likelihood of finding Spectre being exploited on Android smartphones?

More VB2018 partners announced

We are excited to announce several more companies that have partnered with VB2018.

Malware authors' continued use of stolen certificates isn't all bad news

A new malware campaign that uses two stolen code-signing certificates shows that such certificates continue to be popular among malware authors. But there is a positive side to malware authors' use of stolen certificates.

Save the dates: VB2019 to take place 2-4 October 2019

Though the location will remain under wraps for a few more months, we are pleased to announce the dates for VB2019, the 29th Virus Bulletin International Conference.

Necurs update reminds us that the botnet cannot be ignored

The operators of the Necurs botnet, best known for being one of the most prolific spam botnets of the past few years, have pushed out updates to its client, which provide some important lessons about why malware infections matter.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.