Cyber dangers and glass houses


It was marked "URGENT" and promised shocking news about risks to our national security and economy from poor cyber defences.

The email from the accountancy firm KPMG said its survey of British firms showed they were leaking data on an alarming scale. But I'm afraid it awoke my inner mischief-maker - and set me wondering just how secure was KPMG itself.

The company said its cyber response team had examined public data from every FTSE 350 firm to see if they were vulnerable to attackers. They found that every single one of them was leaking email addresses, employee usernames and sensitive file locations, the sort of material that makes an attacker's job a lot easier.

But is it possible to leave no trace online that cyber attackers might exploit? To answer this, I recruit my own cyber response team in the form of the security blogger Graham Cluley and ask him to take a look at KPMG's own online public presence. Within minutes he reports back.

"We know from the press release," he tells me, "that KPMG's email format is firstname.lastname@kpmg.co.uk. Go to LinkedIn, search for KPMG UK employees. I'm seeing 2742 results at the moment.

"I could email those 2742 employees, forging my email address to be the chairman of KPMG. He helpfully gives his email address on the company website.

"The email could say something like 'Great news team! We have launched a new KPMG intranet at (insert dangerous link here). Simply login with your usual network username and password to get the new great content... blah blah' and chances are that I would phish some of the KPMG team.

"Of course, it would be easy to be more targeted than that. Once I have the network username and password, I might be able to install spyware, or use stolen details to remotely log into their network or get up to other mischief."
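As an added illustration, not part of the original article and not Mr Cluley's own code, here is the reconnaissance step he describes written out in Python: a public list of names plus the known address format becomes a list of candidate mailboxes. It also includes the check a defender would run first, reading a domain's DMARC record to see whether a message that forges the chairman's From: address would be rejected, quarantined or simply delivered. The names and DMARC records below are constructed, the article says nothing about KPMG's actual DMARC policy, and the choices of dropping hyphens, apostrophes and middle names from addresses are assumptions about how such a directory is normally built.

```python
import re
import unicodedata
from typing import List, Optional

# Address pattern stated in the article: firstname.lastname@kpmg.co.uk
ADDRESS_FORMAT = "{first}.{last}@{domain}"

# Constructed sample of the kind of name list a LinkedIn search returns
# (fictional people; messy spacing and accents included on purpose).
SAMPLE_NAMES = [
    "Alice Example",
    "Jean-Luc Ångström",
    "Mary Anne O'Brien",
    "Bob  Smith ",
    "Alice Example",   # duplicate, to show de-duplication
    "Madonna",         # single name, cannot fit the format
]


def normalise_token(token: str) -> str:
    """Lowercase a name part, strip accents and drop anything that is not a-z.

    Assumption: the directory drops hyphens and apostrophes (Jean-Luc -> jeanluc,
    O'Brien -> obrien). Real address schemes vary; adjust the regex if you know better.
    """
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def candidate_address(full_name: str, domain: str = "kpmg.co.uk") -> Optional[str]:
    """Build firstname.lastname@domain from a display name, or None if it cannot."""
    parts = full_name.split()
    if len(parts) < 2:
        return None
    first = normalise_token(parts[0])   # middle names are ignored (assumption)
    last = normalise_token(parts[-1])
    if not first or not last:
        return None
    return ADDRESS_FORMAT.format(first=first, last=last, domain=domain)


def enumerate_addresses(names: List[str], domain: str = "kpmg.co.uk") -> List[str]:
    """Turn a list of names into a de-duplicated list of candidate mailboxes."""
    seen = set()
    out = []
    for name in names:
        addr = candidate_address(name, domain)
        if addr and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def parse_dmarc(txt_record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags = {}
    for item in txt_record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_disposition(txt_record: Optional[str]) -> str:
    """What a DMARC-enforcing receiver does with mail that forges the From: domain
    and therefore fails SPF/DKIM alignment: 'deliver', 'quarantine' or 'reject'.

    A pct tag below 100 applies the policy to only a sample of failing mail; it is
    treated here as enforcing, since the attacker cannot choose which sample they land in.
    """
    if not txt_record:
        return "deliver"          # no record at _dmarc.<domain>: nothing blocks the forgery
    tags = parse_dmarc(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "deliver"          # malformed record is ignored by receivers
    policy = tags.get("p", "none").lower()
    return policy if policy in ("quarantine", "reject") else "deliver"


if __name__ == "__main__":
    for addr in enumerate_addresses(SAMPLE_NAMES):
        print(addr)
    # Constructed records, not KPMG's real DNS data.
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   None):
        print(repr(record), "->", spoof_disposition(record))
```

The first half is the attacker's view: a name list and one known address format are enough to mail an entire workforce. The second half is the defender's: a published DMARC record with p=reject or p=quarantine is what turns "forging my email address to be the chairman" from a one-line header edit into mail that never reaches the inbox, while p=none or no record at all leaves the forgery deliverable. Checking that record for your own domain takes one DNS lookup and is a sensible first step before auditing anyone else's.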

A little later, he comes back with another discovery: "Oh dear - documents marked 'confidential' on KPMG's website, accessible via a simple Google search." He encloses a screen grab, with a list of documents, one marked:

"This document is CONFIDENTIAL and its circulation and use are RESTRICTED under the terms of KPMG's engagement letter"

Now KPMG is not doing anything that just about every other organisation on the planet doesn't do too, and I am sure that its employees are well-versed in spotting the kind of phishing attack that Mr Cluley describes. But it might be better to check your own defences before sending out shocking reports about the state of other companies.

When I ask KPMG to comment, the company says:

"As you might expect, KPMG put its own site through the same examination as we did other sites. We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so."