Publishing your email address isn't a security disaster
Posted on 30 Apr 2012 at 11:25
Davey Winder says businesses have no good reason to hide their email addresses online
In other words, telling your staff not to publish an already public email address on a social network is akin to standing in front of the sea and ordering the waves to retreat. Far better to address (if you’ll excuse the pun) the real problem, which, once more, is that of user education. Ensure your employees are aware of the kind of phishing techniques used online, of the dangers of trust by association when using social networks, and why it’s important not to become a link-clicking nutjob.
One way of doing this that appeals to the geek in me is to use the Simple Phishing Toolkit (SPT), which isn’t quite as dangerous as its name suggests. This open source toolkit makes it easy for a business to test how phishing-aware its employees are, by creating the kind of lures that the bad guys use and deploying these to direct less security-savvy staff to a cloned decoy site that you’ve set up using the supplied site-scraper tools. In effect, the toolkit makes it possible to phish your own firm and produces a bunch of logs that reveal which links were clicked and by whom, which you can then employ to better target your training sessions.
Here’s what the SPT developers have to say about it:
“The SPT project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organisations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the under-trained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective.
“A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done. SPT was developed from the ground up to provide a simple and easy-to-use framework to identify your weakest links, so that you can patch the human vulnerability.”
If you can identify those employees most at risk of falling for phishing scams, you can then educate them and reduce the risk of it happening. And before you say it – yes, there will be those criminals or cruel employers who will use such a toolkit for evil. However, open source phishing toolkits aren’t new, and existing resources such as Metasploit are already well exploited by the criminal fraternity.
Kits of that sort offer far more complex and advanced phishing opportunities: SPT doesn’t even have a data-capture function, for example, so a lure built with it records the click but not what the victim typed. What it does have is the potential to be a great in-house resource for teaching employees what not to do.
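The click-tracking step described above (unique lure per employee, decoy site, logs that say who clicked) is simple enough to sketch. The following is an added example written for this page, not SPT's own code: it issues a per-recipient token as a truncated HMAC, builds the lure URLs, and then attributes hits in the decoy's access log back to recipients. The decoy address, campaign key, recipient list and log lines are all hypothetical and constructed here; the only real-world assumption is that the web server writes Combined Log Format.

```python
"""Added example, not SPT's own code: per-recipient lure links for an in-house
phishing test and click attribution from the decoy site's access log.

Hypothetical assumptions: the decoy is served at DECOY_BASE, the tracking token
travels in the ?t= query parameter, and the web server writes Combined Log
Format. Recipients, key and log lines are all constructed for this example.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

DECOY_BASE = "https://intranet-update.example.test/login"   # hypothetical decoy
CAMPAIGN_KEY = b"rotate-this-per-campaign"                   # hypothetical secret
RECIPIENTS = ["alice@example.test", "bob@example.test", "carol@example.test"]


def make_token(key: bytes, campaign: str, recipient: str) -> str:
    """Per-recipient token: a truncated HMAC over campaign and recipient.

    The lure carries this token rather than the address itself, so a forwarded
    or pasted link does not reveal who the original target was, and a recipient
    cannot guess a colleague's token to make them look like a clicker.
    """
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_lures(key: bytes, campaign: str, recipients):
    """Return (token -> recipient, recipient -> lure URL)."""
    mapping, urls = {}, {}
    for r in recipients:
        t = make_token(key, campaign, r)
        mapping[t] = r
        urls[r] = f"{DECOY_BASE}?t={t}"
    return mapping, urls


# Combined Log Format as written by Apache/nginx; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def attribute_clicks(log_lines, mapping):
    """Map decoy hits back to recipients via the token in the query string.

    Returns {recipient: [(timestamp, ip, user_agent), ...]}. Hits without a
    known token (scanners, mail-gateway link checkers, mistyped URLs) are
    dropped rather than blamed on anyone.
    """
    clicks = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token = parse_qs(urlparse(m["path"]).query).get("t", [None])[0]
        who = mapping.get(token)
        if who is None:
            continue
        clicks.setdefault(who, []).append((m["ts"], m["ip"], m["ua"]))
    return clicks


def report(clicks, recipients):
    """Split the campaign into clickers and non-clickers for targeted training."""
    clicked = sorted(clicks)
    not_clicked = sorted(set(recipients) - set(clicks))
    return {"clicked": clicked, "not_clicked": not_clicked}


def run_example():
    """Build lures, replay a constructed access log, and return the report."""
    campaign = "2012-q2"
    mapping, urls = build_lures(CAMPAIGN_KEY, campaign, RECIPIENTS)
    ta = make_token(CAMPAIGN_KEY, campaign, "alice@example.test")
    tb = make_token(CAMPAIGN_KEY, campaign, "bob@example.test")
    # Constructed log lines: alice clicks twice, bob once, carol never; one
    # scanner with a bogus token and one unrelated request are ignored.
    sample_log = [
        f'10.0.0.5 - - [01/May/2012:09:12:01 +0100] "GET /login?t={ta} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        f'10.0.0.9 - - [01/May/2012:09:14:37 +0100] "GET /login?t={tb} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        f'10.0.0.5 - - [01/May/2012:09:15:00 +0100] "GET /login?t={ta} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [01/May/2012:09:20:00 +0100] "GET /login?t=deadbeef HTTP/1.1" 200 1234 "-" "scanner/1.0"',
        '10.0.0.3 - - [01/May/2012:09:21:00 +0100] "GET /favicon.ico HTTP/1.1" 404 12 "-" "Mozilla/5.0"',
    ]
    clicks = attribute_clicks(sample_log, mapping)
    return report(clicks, RECIPIENTS), clicks, urls


if __name__ == "__main__":
    summary, per_user, lure_urls = run_example()
    for who, url in lure_urls.items():
        print(f"{who}: {url}")
    print(summary)
```

Two design points worth keeping even in a quick in-house test: keep the token-to-person mapping on the sending side, not on the decoy host, so the decoy can be left as a dumb logging page; and ignore unknown tokens rather than counting them, because mail gateways and security scanners follow links too and would otherwise inflate the click rate.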
Spam
You can attract loads of spam and/or have your email address hijacked and used by spammers if you publish it in a machine-readable form on your website, though.
I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.
By Pantagoon on 30 Apr 2012
Well, the less I say about Websense the better, as from our dealings with them they have been found wanting in many areas.
But back to the matter at hand: I have to agree, and I think the Websense guys may have this a bit muddled.
It's good sense not to publish the emails of individual employees, but it's perfectly desirable to publish a public company email like info@ or sales@, as these are valid contact methods that people need to know about. These types of emails don't need to have any specific network accounts/privileges, or indeed be used in relation to banking, social media or any other external or sensitive accounts.
Indeed, good policy would be to have different, specific email addresses for non-public use. This way you can be more secure and still be contactable.
It's all down to some common sense. I really wish more advisers would stop making dumbed-down, general-type recommendations and start educating people properly.
And people need to stop expecting all advice to be very short and stupidly simple. It shouldn't be overly complicated either, but it's just a matter of people being willing to learn a little.
You should be able to say something like, "We advise that while it's ok to put public facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."
By koshthetrekkie on 30 Apr 2012
Jody
I have a website, and I remember many years back that I got loads of spam to my domain. You can't believe the amount of spam I was getting; rubbish, until it got to understanding that spammers harvested my domain mail address from my main page, as it was there in plain sight. Since then it's been well hidden with some JavaScript I found to use for hiding. Why do you think addresses can't be harvested from Twitter? Bit funny; the addresses are served there on a silver platter from what I see. Sounds like an opportunity for email harvesters, I would say.
By Jodys on 1 May 2012
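Both Pantagoon's comment on publishing an address "in a machine readable form" and Jodys' comment on hiding one behind JavaScript come down to what a harvester can and cannot read from the static page. The following is an added example written for this page, not code from the column or from either commenter: a small static harvester that unescapes HTML entities and common "[at]/[dot]" spellings before matching, run over a constructed page that publishes four addresses four different ways. The page, the addresses and the example.test domain are all made up for the demonstration.

```python
"""Added example, not from the column or its comments: what "machine readable"
means to an address harvester. A static scraper recovers plain and
entity-encoded addresses from the page text; an address that only exists once
JavaScript runs is not in that text, so a scraper that does not execute
scripts misses it. The HTML below is constructed; example.test is a reserved
test domain.
"""
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.I)
# Common "human readable only" spellings that a harvester normalises first.
OBFUSCATIONS = [
    (re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I), "@"),
    (re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I), "."),
]


def normalise(text: str) -> str:
    """Undo HTML entities (&#64; -> @) and [at]/[dot] spellings."""
    text = html.unescape(text)
    for pattern, replacement in OBFUSCATIONS:
        text = pattern.sub(replacement, text)
    return text


def harvest(page_html: str) -> set:
    """Static harvester: normalise, then collect mailto: targets and anything
    that looks like an address. It does not execute scripts, so an address
    assembled by JavaScript at render time never appears in the text it sees."""
    text = normalise(page_html)
    found = set(MAILTO_RE.findall(text))
    found.update(EMAIL_RE.findall(text))
    return {a.lower() for a in found}


# Constructed page with four addresses published four different ways:
# plain mailto:, numeric entities, [at]/[dot] spelling, and JavaScript assembly.
SAMPLE_PAGE = """
<p>General enquiries: <a href="mailto:Info@example.test">Info@example.test</a></p>
<p>Sales: sales&#64;example&#46;test</p>
<p>Support: support [at] example [dot] test</p>
<p>Jody: <script>var u="jody", d="example.test"; document.write(u+"@"+d);</script></p>
"""


def run_example() -> set:
    """Harvest the constructed page; the JavaScript-built address is not found."""
    return harvest(SAMPLE_PAGE)


if __name__ == "__main__":
    for addr in sorted(run_example()):
        print(addr)
```

The point the run makes is that entity encoding and "[at]" spellings are not hiding anything: they are undone in two lines. Only the script-assembled address survives a harvester of this kind, and then only against one that does not render JavaScript, which is exactly the trade-off Jodys describes.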
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.