Is publishing your employees' email addresses such a big deal?

Posted by   Virus Bulletin on   Jul 24, 2013

Beware of a false sense of security.

Security blogger Graham Cluley points to hypocrisy in a KPMG press release in which it criticises FTSE 350 companies for 'leaking data that can be used by cyber attackers', while making the same mistake themselves.

KPMG found that every single company in the FTSE 350 index (the 350 largest companies listed on the London Stock Exchange) had published employee usernames, email addresses and sensitive documents on their website - all of which can be used by hackers to gain access to the internal networks. But, as Cluley points out, the same holds for KPMG, which not only publishes email addresses of various high-ranking employees on its websites, it also uses a standard format for email addresses that makes it easy to guess the addresses of the more than 2,700 UK-based KPMG employees he found on LinkedIn.

I agree that the press release is rather hypocritical and that KPMG should practise what it preaches. But I don't agree that publishing some employees' email addresses, or making the addresses of others easy to guess, is such a big deal in the face of targeted attacks.

 Are we making it too easy for hackers?

The whole idea of an email address is that it is known to others: those that you send email to, or want to receive email from. It is possible to have email addresses that can only be used internally (these typically use a local top-level domain that cannot be resolved by public DNS servers), but these are also hard to forge by an attacker that doesn't already have access to the organisation's network. Email that is forged with such an address as the sender can easily be blocked by the mail server.

But once an email address has been shared with outsiders - for instance because it has been used to send an email to an external contact - it is best to assume it is known to the general public. Keeping the addresses 'secret' and using a format that makes it hard to derive the email address from an employee's name will frustrate communication, while doing little to keep those targeting the company at bay. Worse, it may give a false sense of security.

It is known that publishing email addresses on websites makes it likely the address will start receiving spam - this is a common technique used to set up spam traps. But even addresses that are never published will receive spam eventually. If spammers are able to obtain someone's email address, surely hackers are too.

350 FTSE companies can be wrong in some cases - but in this case I believe they aren't.

Posted on 24 July 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Necurs pump-and-dump spam campaign pushes obscure cryptocurrency

A Necurs pump-and-dump spam campaign pushing the lesser known Swisscoin botnet is mostly background noise for the Internet.

Alleged author of creepy FruitFly macOS malware arrested

A 28-year old man from Ohio has been arrested on suspicion of having created the mysterious FruitFly malware that targeted macOS and used it to spy on its victims.

The threat and security product landscape in 2017

At the start of the new year, Virus Bulletin looks back at the threats seen in the 2017 and at the security products that are available to help mitigate them.

Spamhaus report shows many botnet controllers look a lot like legitimate servers

Spamhaus's annual report on botnet activity shows that botherders tend to use popular, legitimate hosting providers, domain registrars and top-level domains when setting up command-and-control servers.

Tips on researching tech support scams

As tech support scammers continue to target the computer illiterate through cold calling, VB's Martijn Grooten uses his own experience to share some advice on how to investigate such scams.