Posted by Virus Bulletin on Jul 24, 2013
Beware of a false sense of security.
Security blogger Graham Cluley points to hypocrisy in a KPMG press release in which it criticises FTSE 350 companies for 'leaking data that can be used by cyber attackers', while making the same mistake themselves.
KPMG found that every single company in the FTSE 350 index (the 350 largest companies listed on the London Stock Exchange) had published employee usernames, email addresses and sensitive documents on their website - all of which can be used by hackers to gain access to the internal networks. But, as Cluley points out, the same holds for KPMG, which not only publishes email addresses of various high-ranking employees on its websites, it also uses a standard format for email addresses that makes it easy to guess the addresses of the more than 2,700 UK-based KPMG employees he found on LinkedIn.
I agree that the press release is rather hypocritical and that KPMG should practise what it preaches. But I don't agree that publishing some employees' email addresses, or making the addresses of others easy to guess, is such a big deal in the face of targeted attacks.
The whole idea of an email address is that it is known to others: those that you send email to, or want to receive email from. It is possible to have email addresses that can only be used internally (these typically use a local top-level domain that cannot be resolved by public DNS servers), but these are also hard to forge by an attacker that doesn't already have access to the organisation's network. Email that is forged with such an address as the sender can easily be blocked by the mail server.
But once an email address has been shared with outsiders - for instance because it has been used to send an email to an external contact - it is best to assume it is known to the general public. Keeping the addresses 'secret' and using a format that makes it hard to derive the email address from an employee's name will frustrate communication, while doing little to keep those targeting the company at bay. Worse, it may give a false sense of security.
It is known that publishing email addresses on websites makes it likely the address will start receiving spam - this is a common technique used to set up spam traps. But even addresses that are never published will receive spam eventually. If spammers are able to obtain someone's email address, surely hackers are too.
350 FTSE companies can be wrong in some cases - but in this case I believe they aren't.
Posted on 24 July 2013 by Martijn Grooten