Is publishing your employees' email addresses such a big deal?

Posted by   Virus Bulletin on   Jul 24, 2013

Beware of a false sense of security.

Security blogger Graham Cluley points to hypocrisy in a KPMG press release in which it criticises FTSE 350 companies for 'leaking data that can be used by cyber attackers', while making the same mistake themselves.

KPMG found that every single company in the FTSE 350 index (the 350 largest companies listed on the London Stock Exchange) had published employee usernames, email addresses and sensitive documents on their website - all of which can be used by hackers to gain access to the internal networks. But, as Cluley points out, the same holds for KPMG, which not only publishes email addresses of various high-ranking employees on its websites, it also uses a standard format for email addresses that makes it easy to guess the addresses of the more than 2,700 UK-based KPMG employees he found on LinkedIn.

I agree that the press release is rather hypocritical and that KPMG should practise what it preaches. But I don't agree that publishing some employees' email addresses, or making the addresses of others easy to guess, is such a big deal in the face of targeted attacks.

 Are we making it too easy for hackers?

The whole idea of an email address is that it is known to others: those that you send email to, or want to receive email from. It is possible to have email addresses that can only be used internally (these typically use a local top-level domain that cannot be resolved by public DNS servers), but these are also hard to forge by an attacker that doesn't already have access to the organisation's network. Email that is forged with such an address as the sender can easily be blocked by the mail server.

But once an email address has been shared with outsiders - for instance because it has been used to send an email to an external contact - it is best to assume it is known to the general public. Keeping the addresses 'secret' and using a format that makes it hard to derive the email address from an employee's name will frustrate communication, while doing little to keep those targeting the company at bay. Worse, it may give a false sense of security.

It is known that publishing email addresses on websites makes it likely the address will start receiving spam - this is a common technique used to set up spam traps. But even addresses that are never published will receive spam eventually. If spammers are able to obtain someone's email address, surely hackers are too.

350 FTSE companies can be wrong in some cases - but in this case I believe they aren't.

Posted on 24 July 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 paper: APT cases exploiting vulnerabilities in region-specific software

At VB2019, JPCERT/CC's Shusei Tomonaga and Tomoaki Tani presented a paper on attacks that exploit vulnerabilities in software used only in Japan, using malware that is unique to Japan. Today we publish both their paper and the recording of their…

New paper: Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

In a follow-up to a paper presented at VB2019, Prismo Systems researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting (XSS), and server‑side request…

VB2020 programme announced

VB is pleased to reveal the details of an interesting and diverse programme for VB2020, the 30th Virus Bulletin International Conference.

VB2019 paper: Cyber espionage in the Middle East: unravelling OSX.WindTail

At VB2019 in London, Jamf's Patrick Wardle analysed the WindTail macOS malware used by the WindShift APT group, active in the Middle East. Today we publish both Patrick's paper and the recording of his presentation.

VB2019 paper: 2,000 reactions to a malware attack – accidental study

At VB2019 cybercrime journalist and researcher Adam Haertlé presented an analysis of almost 2000 unsolicited responses sent by victims of a malicious email campaign. Today we publish both his paper and the recording of his presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.