Publishing your email address isn't a security disaster
Posted on 30 Apr 2012 at 11:25
Davey Winder says businesses have no good reason to hide their email addresses online
Every now and then, some well-meaning but completely bonkers advice comes my way from a most unlikely source.
I wasn’t too amazed when an elderly relative of mine expressed surprise that his PC was heavily infected despite the installation of internet security software years ago. It didn’t particularly faze me to discover a man who thought he knew everything there was to know about computers, but who didn’t realise that you have to pay your annual subscription fee to continue receiving threat protection database updates.
I was fazed, though, when an IT security vendor seemed to be suggesting that a business that publicly reveals its email address is somehow compromising data security and putting itself at risk. I understand that risk is relative, and that an exposed business email address creates a greater corporate data security risk – from social engineers, phishers, hackers and cybercriminals – than if no such email contact points were disclosed.
However, I also understand that the dictionary definition of an address is a place where a person or organisation can be found or communicated with, and that’s just as true of a street or an email address. The point of having a business email address is to enable people, including potential as well as existing customers, to get in touch with you, and there’s no point having one at all if you don’t let anyone know what it is.
So what on Earth were the folk over at the Websense Security Labs on about when they informed me that “thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter”, and went on to argue that because those addresses are “connected with their inboxes, social media identities and bank accounts”, this leaves business users exposed to the potential for “advanced social spear phishing attacks”? The cherry on top of this farrago of nonsense was the advice to employers to “re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter”.
To be honest, I think that in this particular case the security vendor was well intentioned, but perhaps got a little carried away while preparing its email security risk message. Yes, indeed, there are people out there with bad intentions, who target business users on social networks in order to infiltrate their systems using an old social-engineering strategy known colloquially among security types as “spear phishing”. It’s so called because such an attack is focused upon an individual within a specific department, rather than adopting a scattergun approach to the problem of how to get a RAT (remote access trojan) or similar piece of malware installed within the corporate network security perimeter.
By concentrating upon a vulnerable individual, especially one who is active on Twitter or Facebook, it’s possible to build up an accurate profile of that person both personally and, most importantly, professionally. Assuming the targeted person hasn’t opted to make their information available to only friends, for example, it’s all too easy to quickly scan through their friends list and, after putting in a bit of graft, compile a dossier of work colleagues and customers.
Link this information to conversations posted to the target’s wall on Facebook, and that previously mentioned business email address, and the bad guys have the ammunition required to impersonate someone already known to that employee. Exploiting this basis of trust allows the attackers to then attach an “important document” or a link to something they may be interested in, and by so doing solicit the vital click that installs malware.
So, yes, I can see where the Websense chaps were coming from, but I’m afraid that it all sounds a little bit too Chicken Little for me. The sky will not fall in if you post your business email address on Facebook, and acceptable use policies shouldn’t be altered to make doing so a hanging offence. Especially since it’s oh-so-easy to guess specific email addresses, given the standard address format used by just about every company, which is going to use one of only two or three formats.
Tracking down which is used is only a matter of visiting the company’s website and taking a quick look at the “about us” page, or the list of contact options for the directors or sales executives.
You can attract loads of spam and/or have your email address hijacked and used by spammers if you publish it in a machine-readable form on your website, though.
I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.
By Pantagoon on 30 Apr 2012
Well, the less I say about Websense the better, as from our dealings with them they have been found wanting in many areas.
But back to the matter at hand, I have to agree, and I think the Websense guys may have this a bit muddled.
It's good sense not to publish the emails of individual employees, but it's perfectly desirable to publish a public company email like info@ or sales@, as these are valid contact methods that people need to know about. These types of emails don't need to have any specific network accounts/privileges, or indeed be used in relation to banking, social media or any other external or sensitive accounts.
Indeed, good policy would be to have different, specific email addresses for non-public use. This way you can be more secure and still be contactable.
It's all down to some common sense. I really wish more advisers would stop making dumbed-down, general-type recommendations and start educating people properly.
And people need to stop expecting all advice to be very short and stupidly simple. It shouldn't be overly complicated either, but it's just a matter of people being willing to learn a little.
You should be able to say something like, "We advise that while it's ok to put public facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."
By koshthetrekkie on 30 Apr 2012
By Jodys on 1 May 2012
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.