Is publishing your employees' email addresses such a big deal?

Posted by   Virus Bulletin on   Jul 24, 2013

Beware of a false sense of security.

Security blogger Graham Cluley points to hypocrisy in a KPMG press release in which it criticises FTSE 350 companies for 'leaking data that can be used by cyber attackers', while making the same mistake themselves.

KPMG found that every single company in the FTSE 350 index (the 350 largest companies listed on the London Stock Exchange) had published employee usernames, email addresses and sensitive documents on their website - all of which can be used by hackers to gain access to the internal networks. But, as Cluley points out, the same holds for KPMG, which not only publishes email addresses of various high-ranking employees on its websites, it also uses a standard format for email addresses that makes it easy to guess the addresses of the more than 2,700 UK-based KPMG employees he found on LinkedIn.

I agree that the press release is rather hypocritical and that KPMG should practise what it preaches. But I don't agree that publishing some employees' email addresses, or making the addresses of others easy to guess, is such a big deal in the face of targeted attacks.

 Are we making it too easy for hackers?

The whole idea of an email address is that it is known to others: those that you send email to, or want to receive email from. It is possible to have email addresses that can only be used internally (these typically use a local top-level domain that cannot be resolved by public DNS servers), but these are also hard to forge by an attacker that doesn't already have access to the organisation's network. Email that is forged with such an address as the sender can easily be blocked by the mail server.

But once an email address has been shared with outsiders - for instance because it has been used to send an email to an external contact - it is best to assume it is known to the general public. Keeping the addresses 'secret' and using a format that makes it hard to derive the email address from an employee's name will frustrate communication, while doing little to keep those targeting the company at bay. Worse, it may give a false sense of security.

It is known that publishing email addresses on websites makes it likely the address will start receiving spam - this is a common technique used to set up spam traps. But even addresses that are never published will receive spam eventually. If spammers are able to obtain someone's email address, surely hackers are too.

350 FTSE companies can be wrong in some cases - but in this case I believe they aren't.

Posted on 24 July 2013 by Martijn Grooten



Latest posts:

The road to IPv6 is generally smooth but contains a few potholes

Most of the switch from IPv4 to IPv6 will happen seamlessly. But we cannot assume it won't introduce new security issues.

New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros

Since their return four years ago, Office macros have been one of the most common ways to spread malware. Today, we publish a research paper which looks in detail at a campaign in which VBA macros are used to execute PowerShell code, which in turn…

VB2017 paper: Android reverse engineering tools: not the usual suspects

Within a few years, Android malware has grown from a relatively small threat to a huge problem involving more than three million new malware samples a year. Axelle Apvrille, one of the world's leading Android malware researchers, will deliver a…

Patch early, patch often, but don't blindly trust every 'patch'

Compromised websites are being used to serve fake Flash Player uploads that come with a malicious payload.

Virus Bulletin at RSA

Next week, VB Editor Martijn Grooten will be at the RSA Conference in San Francisco.