Publishing your email address isn't a security disaster
Posted on 30 Apr 2012 at 11:25
Davey Winder says businesses have no good reason to hide their email addresses online
In other words, telling your staff not to publish an already public email address on a social network is akin to standing in front of the sea and ordering the waves to retreat. Far better to address (if you’ll excuse the pun) the real problem, which, once more, is that of user education. Ensure your employees are aware of the kind of phishing techniques used online, of the dangers of trust by association when using social networks, and why it’s important not to become a link-clicking nutjob.
One way of doing this that appeals to the geek in me is to use the Simple Phishing Toolkit (SPT), which isn’t quite as dangerous as its name suggests. This open source toolkit makes it easy for a business to test how phishing-aware its employees are, by creating the kind of lures that the bad guys use and deploying these to direct less security-savvy staff to a cloned decoy site that you’ve set up using the supplied site-scraper tools. In effect, the toolkit makes it possible to phish your own firm and produces a bunch of logs that reveal which links were clicked and by whom, which you can then employ to better target your training sessions.
If you can identify those employees most at risk of falling for phishing scams, you can then educate them and reduce the risk of it happening
Here’s what the SPT developers have to say about it:
“The SPT project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organisations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the under-trained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective.
"A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done. SPT was developed from the ground up to provide a simple and easy-to-use framework to identify your weakest links, so that you can patch the human vulnerability.”
If you can identify those employees most at risk of falling for phishing scams, you can then educate them and reduce the risk of it happening. And before you say it – yes, there will be those criminals or cruel employers who will use such a toolkit for evil. However, open source phishing toolkits aren’t new, and existing resources such as Metasploit are already well exploited by the criminal fraternity.
These kits offer far more complex and advanced phishing opportunities: SPT doesn’t even have a data capture function, for example. What it does have is the potential to be a great in-house resource for teaching employees what not to do.
You can attract loads of spam and / or have your email address hijacked and used by spammers if you publish it in a machine readable form on your website though.
I regularly found my inbox full of 'undeliverable message' messages until I hid my address behind a third-party contact form.
By Pantagoon on 30 Apr 2012
Well the less I say about websense the better as from our dealings with them they have been found wanting in many areas.
But back to the matter at hand I have to agree and I think the websense guys may have this a bit muddled.
It's good sense to not publish the emails of individual employees but it's perfectly desirable to publish a public company email like info@ or sales@ as these are valid contact methods that people need to know about but these types of emails don't need to have any specific network accounts/privileges or indeed be used with relation to banking or for social media or any other external or sensitive accounts.
Indeed good policy would be to have different specific email addresses for non public use. This way you can be more secure and still be contactable.
It all down to some common sense. I really wish more advisers would stop making dumbed down general type recommendations and start educating people properly.
And people need to stop expecting all advise to be very short and stupidly simple. It shouldn't be overly complicated either but it's just a matter of people being willing to learn a little.
You should be able to say something like, "We advise that while it's ok to put public facing email addresses out there, for your business security you shouldn't use any of these email addresses for sensitive things."
By koshthetrekkie on 30 Apr 2012
By Jodys on 1 May 2012
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- The ICO's shame-faced u-turn on cookies
- Start8 and ModernMix: making Windows 8 work on a desktop
- How to boost your mobile reception
- How to fix Facebook: Social Fixer
- Taking the stress out of WordPress updates
- Where to download free web fonts
- Turn your tablet into a Sky+ remote control
- How to measure the success of a new IT system
- Three years on: the state of the tablet market
- Windows 8: what works and what doesn't
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- IBM's Watson answers customers' questions
- New CEO reorganises Intel to target "new devices"
- Dell profits slide 79% amid buyout talks
- Forget cloud subscriptions: users prefer standard licences
- McAfee: cloud storage could help spread viruses
- Analysts question Windows 8 as UK PC shipments slump
- Google pools storage across Gmail and Drive
- Ofcom accused of killing off VoIP competition
- ShoreTel dock turns iPhones and iPads into desk phones
- Bill Gates says iPad users "frustrated"