Publishing your email address isn't a security disaster
Posted on 30 Apr 2012 at 11:25
Davey Winder says businesses have no good reason to hide their email addresses online
Every now and then, some well-meaning but completely bonkers advice comes my way from a most unlikely source.
I wasn’t too amazed when an elderly relative of mine expressed surprise that his PC was heavily infected despite the installation of internet security software years ago. It didn’t particularly faze me to discover a man who thought he knew everything there was to know about computers, but who didn’t realise that you have to pay your annual subscription fee to continue receiving threat protection database updates.
I was fazed, though, when an IT security vendor seemed to be suggesting that a business that publicly reveals its email address is somehow compromising data security and putting itself at risk. I understand that risk is relative, and an exposed business email address creates a corporate data security risk – from social engineers, phishers, hackers and cybercriminals – than if no such email contact points were disclosed.
The cherry on top of this farrago of nonsense was the advice to employers to discourage staff from sharing email addresses on Twitter
However, I also understand that the dictionary definition of an address is a place where a person or organisation can be found or communicated with, and that’s just as true of a street or an email address. The point of having a business email address is to enable people, including potential as well as existing customers, to get in touch with you, and there’s no point having one at all if you don’t let anyone know what it is.
So what on Earth were the folk over at the Websense Security Labs on about when they informed me that “thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter”, and which went on to argue that because those addresses are “connected with their inboxes, social media identities and bank accounts”, it leaves these business users exposed to the potential for “advanced social spear phishing attacks”. The cherry on top of this farrago of nonsense was the advice to employers to “re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter”.
To be honest, I think that in this particular case the security vendor was well intentioned, but perhaps got a little carried away while preparing its email security risk message. Yes, indeed, there are people out there with bad intentions, who target business users on social networks in order to infiltrate their systems using an old social-engineering strategy known colloquially among security types as “spear phishing”. It’s so called because such an attack is focused upon an individual within a specific department, rather than adopting a scattergun approach to the problem of how to get a RAT (remote access trojan) or similar piece of malware installed within the corporate network security perimeter.
By concentrating upon a vulnerable individual, especially one who is active on Twitter or Facebook, it’s possible to build up an accurate profile of that person both personally and, most importantly, professionally. Assuming the targeted person hasn’t opted to make their information available to only friends, for example, it’s all too easy to quickly scan through their friends list and, after putting in a bit of graft, compile a dossier of work colleagues and customers.
Link this information to conversations posted to the target’s wall on Facebook, and that previously mentioned business email address, and the bad guys have the ammunition required to impersonate someone already known to that employee. Exploiting this basis of trust allows the attackers to then attach an “important document” or a link to something they may be interested in, and by so doing solicit the vital click that installs malware.
So, yes, I can see where the Websense chaps were coming from, but I’m afraid that it all sounds a little bit too Chicken Little for me. The sky will not fall in if you post your business email address on Facebook, and acceptable use policies shouldn’t be altered to make doing so a hanging offence. Especially since it’s oh-so-easy to guess specific email addresses, given the standard address format used by just about every company, which is going to use one of only two or three formats.
Tracking down which is used is only a matter of visiting the company’s website and taking a quick look at the “about us” page, or the list of contact options for the directors or sales executives.
You can attract loads of spam and / or have your email address hijacked and used by spammers if you publish it in a machine readable form on your website though.
I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.
By Pantagoon on 30 Apr 2012
Well the less I say about websense the better as from our dealings with them they have been found wanting in many areas.
But back to the matter at hand I have to agree and I think the websense guys may have this a bit muddled.
It's good sense to not publish the emails of individual employees but it's perfectly desirable to publish a public company email like info@ or sales@ as these are valid contact methods that people need to know about but these types of emails don't need to have any specific network accounts/privileges or indeed be used with relation to banking or for social media or any other external or sensitive accounts.
Indeed good policy would be to have different specific email addresses for non public use. This way you can be more secure and still be contactable.
It all down to some common sense. I really wish more advisers would stop making dumbed down general type recommendations and start educating people properly.
And people need to stop expecting all advise to be very short and stupidly simple. It shouldn't be overly complicated either but it's just a matter of people being willing to learn a little.
You should be able to say something like, "We advise that while it's ok to put public facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."
By koshthetrekkie on 30 Apr 2012
By Jodys on 1 May 2012
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- Windows Phone App Studio: an easy way to create your first Windows Phone 8 app
- The end of Windows XP support: what it really means for businesses
- Don't rely on Chrome's password vault
- Using Buffer to manage your social media
- Microsoft needs its own Steve Jobs
- Forget credit cards: hackers want your Facebook account
- Can't get fast enough broadband? Here's what to do
- Leap Motion and the battle against UI stagnation
- How to build a really bad network
- Facebook Graph Search: don't panic
- How to remove SkyDrive from the Windows 8.1 Explorer
- Switching from iPhone to Android? Switch off iMessage
- Why is Google pumping more money into Firefox?
- Sky Broadband Shield review
- Samsung Galaxy S4: how to double your battery life
- Motorola Moto G review: first look
- IBM Watson meets Willy Wonka
- Google’s support policies shove users towards Chrome
- Lenovo Yoga Tablet review: first look
- Michael Dell's reasons to be cheerful
- Microsoft expands encryption over NSA spying "threat"
- UK Cloud Awards 2014: nominations now open
- BlackBerry says "we're still alive" as sales hit new low
- Has HP turned a corner?
- Adobe admits it's struggling to notify hack victims
- Microsoft rolls out Office 365 admin app for mobile
- Office 2013 Service Pack 1 to arrive early next year
- Backup the best defence against CryptoLocker
- UK SMBs can now buy ads on Twitter
- How long do hard drives actually last?