We used to report data concerns to companies in the most archaic manner. We became efficient and employed tools such as Spiderfoot HX to help us scale up this discovery processes. We then tried to streamline reporting and even made a page for victims to explain who we are and why we were reporting the security issue. Companies met this stance with open arms and it has been easier for us since the changes we have implemented. This all stems from wanting to identify useful data and rather than exploiting these data sets, we try to remove them from public reach.
Sometimes, the data is intended to be public and the companies see no danger in sharing it with the world. They actually decide to disregard the dangers of oversharing information online, placing people at risk.
We recently found ourselves in this odd scenario with an unlikely party – The UK Government.
Government Transparency or Stupidity?
The Government Communication Service (GCS) have an open, searchable index of personnel. It allows anyone to make a search for government employees in the hope of better collaboration… when we stumbled across the service it seemed to be like someone had the idea of placing the global address book online. Most absurd. You can just filter people by region, London sees thousands of employee entries returned. Most of the data exposed contains little snippets of information, such as an obscure Twitter account or a mobile phone numbers for staff.
The Dangers Of Data
All good social engineering attacks need data sets, normally LinkedIn is a rich source of information that’s able to provide relevant information on a target company. Criminals use this publicly available data to phish people using sophisticated emails and text messages. Sometimes the data is scraped and the users are unwittingly added to mass email lists. We all need to share our contact information, we get that! but how we share and what privacy we have over our data is everything. When we open contact information up to the world we have to be aware of the risks. We feel these risks have been ignored by GCS and the individual people that have signed up to the service, sharing their information in the process.
Report To NCSC
We were concerned that such a large amount of data was available for all, it would certainly be useful to an adversary. GCS were openly sharing thousands of MOD, HMRC, Cabinet Office names, email address, telephone numbers and social media links. The report to the NCSC was blunt and to the point. Their cold replies reminded us of a tech startup, one that dismisses the significance of the situation and refers you to the terms and conditions page.
Cyber Police
So for our company, it’s an odd situation. We want to protect organisations and share a little of our digital paranoia in the hope they will be a little more resilient, but we are not the cyber police. We can’t impact on their internet freedoms and with a little respect due, they are the elected UK Government, we can only advise them politely. It just irks us that we have to watch this ineptitude in slow motion whilst it effects us. We received an alert email recently from the Crown Commercial Services alluding to the fact someone was trying to sell businesses a bunch of dodgy data useful for companies listed on GCloud 11 to market and spam potential government purchasers with. So we have one government department leaking data and an other warning people of scammers making use of similar data, but a certain cognitive dissonance stops them from seeing the error of their ways.
Further Guidance
If your organisation wants to encourage safe online practices we offer online training for employees via AntiSocial Knowledge Lab but there is plenty of free information available on this very topic from… you’ve guessed it! Another Government Department.
The Centre for the Protection of National Infrastructure (CPNI) offers are great starter pack on keeping your employee information safe online, this can be found here. I did like their take on disrupting hostile reconnaissance, which advises against over sharing although I feel it would be more efficient to take the walk around the corner in Whitehall and pull the GCS service offline! Rather than preach about the risks whilst other departments ignore their own advice.