- Firm paid hackers $100,000 to delete data and keep breach quiet
- Chief security officer Joe Sullivan fired for concealing October 2016 breach
- Uber disclosed the year-old hack last week. Taken were names, email addresses and mobile-phone numbers of 57 million riders as well as driver's license numbers of 600,000 drivers.
Saturday, December 2, 2017
Uber Data Breach
Doxing
Doxing (from "dox", an abbreviation of "documents"; also spelled "doxxing" or "docxing") is the practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual. This information may include names, addresses, telephone numbers, family information, financial information, vehicle descriptions, and more.
The Fordham Law Review has an interesting discussion of the law as it relates to doxing: "The Doxing Dilemma: Seeking a Remedy for the Malicious Publication of Personal Information"  
Once this personal information is published on-line it can be accessed by anyone. Doxing is, in and of itself, not necessarily illegal, but it may spur illegal activity such as stalking, harassment, identity theft, physical confrontations, and threats of violence. 
In many cases, information used in doxing is already available through public sources. Voter registration, property records, and information from data brokers such as Pipl, Spokeo, and ZabaSearch can reveal a lot of detail about a person. Freedom of Information Act (FOIA) / Public Records Requests can reveal information that may not be readily available on-line. Social media (e.g. Facebook, Twitter, and Instagram) can reveal more personal information if privacy settings are not strongly configured or if you are careless about the type of information that you post.
Doxing is a technique used by both left-wing and right-wing activists, as well as by others who believe that they have been wronged by the person being doxed. Law enforcement personnel are increasingly being targeted for doxing, either by activists who believe that police officers acted unlawfully, or as a means of retaliation by individuals who were arrested by the police for some crime. Doxing can be especially dangerous for undercover officers, where it can jeopardize police operations and put officers at risk of attack from violent criminals.
Preventing Doxing
Doxing is best mitigated through good personal OPSEC. An adversary can’t disclose information that he or she can’t find. Personal threat modeling is an important part of your OPSEC plan. What information do you want to protect? What information is already available to others? It is not generally possible to protect every piece of information, so it is important to focus on protecting the information that you consider most personal or sensitive. Whenever possible, have information about you removed from publicly accessible databases and records. Request that web-site owners and data brokers not display your personal information on-line.  
Also, look at your public profile. Do you have a job or hold an office that is likely to generate controversy? If so, limit to the extent possible the amount of personal information that you disclose. Use organization / office identifiers and contact information - avoid personal signature blocks in any general distribution. Keep your "official presence" separate from your personal activities on-line. Always act professionally when doing your job. While you can be targeted for no good reason, it is much more likely that you will become a target if you act like a jerk and think that your official position will shield you from public response. According to an article on MakeUseOf  "The people who are most likely to dox you in a malicious way are those who have something against you. Common sense, I know, but it’s easy to think that you can hide behind Internet anonymity [or your official position] and get away with being a jerk. Don’t be a jerk, don’t be a troll, don’t do or say anything you wouldn’t do or say in person. Basically, don’t give anyone a reason to dox you in the first place."   
There are several resources that may help you protect yourself against doxing. A few guides are listed below, but all practices intended to increase your personal privacy help to protect you against doxing.
Following the advice in the above guides, and in other privacy related guides, such as my Individual OPSEC & Personal Security Guide, can help protect you against doxing, and mitigate the effect if you are targeted. Even if you are not concerned about being doxed, the information in these guides can help protect you against other threats such as identity theft, or loss of your personal information during a data breach. 
Friday, December 1, 2017
Operations Security (OPSEC)
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by an adversary, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly information. In a more general sense, OPSEC is the process of protecting individual pieces of data that could be grouped together to give the bigger picture (called aggregation).
OPSEC is most effective when fully integrated into all planning and operational processes.  OPSEC should also be a part of your personal daily routines and activities. An adversary won’t just target you during duty hours, or through official channels, but will look for any weakness or vulnerability that he or she can exploit. 
OPSEC is a continuous process.
The OPSEC process involves five steps: 
1. Identification of Critical Information: Critical information is information about friendly intentions, capabilities and activities that would allow an adversary to plan effectively to disrupt those operations.
2. Analysis of Threats: A threat comes from an adversary - any individual or group that may attempt to disrupt or compromise a friendly activity. A threat is assessed in terms of the adversary's intent and capability. The greater the combined intent and capability of the adversary, the greater the threat.
3. Analysis of Vulnerabilities: Examine each aspect of the planned operation to identify OPSEC indicators that could reveal critical information, then compare those indicators with the adversary's intelligence collection capabilities identified during the analysis of threats. Threat can be thought of as the strength of the adversary, while vulnerability can be thought of as the weakness of the friendly organization.
4. Assessment of Risk: The core premise of risk assessment is that the probability of compromise is greatest when the threat is very capable and dedicated, while friendly organizations are simultaneously exposed.
5. Application of Appropriate OPSEC Countermeasures: Countermeasures must be continually monitored to ensure that they continue to protect current information against relevant threats. Countermeasures include controlling one's own actions; countering adversary intelligence collection; and creating difficulty for adversary analysts seeking to predict friendly intent.
Know The Laws of OPSEC
The First Law of OPSEC
If you don’t know the threat, how do you know what to protect? Although the first step in the OPSEC process is identifying your critical information, different adversaries will be interested in different types of information. Foreign intelligence services are interested in your operations, capabilities and limitations, while criminals are more interested in your personal information. Terrorists may be interested in both. Some threats change from location to location, while others remain the same. You need to make sure that members of your organization know the threat environment for your unit’s location so they can determine what to protect.
The Second Law of OPSEC
If you don’t know what to protect, how do you know you are protecting it? The "what" is your critical and sensitive information that the adversary needs to meet his objective. This, of course, depends on your response to the first law of OPSEC. Too many times individuals have found that they were concentrating on protecting information that was already known or wasn’t really important to the adversary.
The Third Law of OPSEC
If you are not protecting it (the critical and sensitive information), the adversary wins. You conduct vulnerability assessments to determine how an adversary can exploit your information. These assessments need to look at what you do and how you do it to determine if there is an inadvertent leak of information. Based on the findings of the assessment, you develop countermeasures to the vulnerabilities, and the commander then determines what risks are unacceptable and what risks are acceptable.
On-Line OPSEC Training & Resources
You can learn more about OPSEC by taking free, on-line training courses provided by the Department of Defense. I encourage anyone interested in OPSEC to complete all three of these on-line courses.
New Faces of Threat Computer Based Training
The DoD Education Activity provides OPSEC information on their web-site.  
IVPN's four-part article, "Online Privacy Through OPSEC and Compartmentalization", is an excellent overview of personal OPSEC.
My guide to Individual OPSEC and Personal Security is available here.  
Thursday, November 30, 2017
CyberStalking
In July 2017, a Pew Research Center survey found that forty-one percent (41%) of Americans claimed to have experienced some form of on-line harassment. Of those claiming to have been harassed on-line, the majority described this harassment as name calling or intentional embarrassment. Only eighteen percent (18%) of those surveyed claimed to have experienced a more severe type of harassment such as "physical threats, sustained harassment, stalking and sexual harassment". (1)
Of all of those who claimed to have been a victim of on-line harassment, fifty-eight percent (58%) claimed that the harassment came through social media (i.e. Facebook and Twitter), twenty-three percent (23%) claimed that the harassment occurred in the comments section of a web-site, while fifteen percent (15%) claimed that they were harassed through a text message or messaging app.
The most commonly cited reason for being harassed on-line was one's expressed political views. Of those individuals who claimed to have been the victim of on-line harassment, thirty-five percent (35%) reported that this harassment was in response to their expressed political views. Political harassment was equally likely for both Republicans and Democrats.
To summarize the Pew Research Center data, a small percentage (18%) of Americans claim to be victims of the more severe types of harassment; that harassment most often (58% of the time) is posted to social media, and most commonly (35%) relates to the harassed person's political views.
The video "The Use of Technology to Stalk" highlights how technology may be used in more severe forms of cyberstalking. This 15-minute training video was designed to enhance awareness among professionals working with stalking victims of how stalkers use a vast array of technologies available today.  
Most commonly offered advice for victims of on-line harassment goes something like this: Never respond to the harasser, document everything, file complaints with the Internet Service Provider and with the police. While this is reasonable advice, let’s look at a few other things that we might do.
First, try to identify the reasons you have become a target for on-line harassment. If you are being harassed on-line, you probably have some kind of on-line presence. Are you posting comments on-line that others might consider inappropriate, offensive, or harassing? Yes, you certainly have a right to express an opinion about controversial topics on-line, but others have a right to respond; and controversial topics often lead to heated discussions, some of which may get out of hand. If you are involved in an on-line debate that is getting out of hand, stop posting and commenting yourself, and let the situation cool down a bit.
Avoid making public accusations about the person(s) whom you believe to be harassing you. If you are right, this just feeds the cyberstalker and keeps him/her interested in you (never respond to a harasser). If you are wrong you may find yourself facing a lawsuit for libel and defamation. Generally speaking, your best course of action when dealing with cyberstalkers is to block their ability to contact you, and limit their ability to gather information about you (i.e. employ good personal OPSEC).   
On most social media sites, you can block other users from contacting you or accessing your on-line posts. You can also set e-mail filters to block e-mail from specific addresses or domains, and to filter out messages containing specific content (such as profanity). On your cell-phone / smartphone you can block text messages and calls from specific numbers. Blocking works when you know who is harassing you. Filtering works when you want to avoid specific content. Whitelisting is another option where you set your accounts to accept messages only from people that you have specifically approved.
Most social media platforms have simple steps that you can take to block another user who is bothering you. Here are just a few examples:
On-line Safety Tips
Practice Individual OPSEC and Personal Security on a daily basis. Incorporating good security practices into your life can protect you from on-line harassment as well as mitigating threats that you may face from other sources.
While all of the above applies to your personal social media accounts and personal communications, the question arises: Do public officials have the right to block users who insult them or post scathing comments publicly? According to a ruling by at least one court, the answer is no.
An interesting August 2017 article on NextGov.com discusses this question of
Government employees are facing an interesting dilemma. They're trying to meet citizen demands for more personal forms of engagement with government. Yet, when they adopt social media channels to do this, they open themselves up to public feedback and criticism.
As a public official, do they have the right to block users who insult them or post scathing comments publicly? Apparently not. In July, the American Civil Liberties Union asked Kentucky Gov. Matt Bevin to stop blocking people from following his social media accounts; Michigan state government accounts were reported to have blocked more than 800 Twitter handles, including @POTUS; and the El Paso Police Department's public affairs staff blocked users from the department’s Twitter and Facebook accounts.
This culminated recently when a federal court judge ruled against a Virginia official  who banned a user from accessing her Facebook page. The results of this case pose serious consequences that could reach as far as the White House - a similar suit has been filed against President Donald Trump with regards to his personal Twitter @realDonaldTrump.
Wednesday, November 29, 2017
VeraCrypt
VeraCrypt is free, open source disk encryption software for Windows, Mac OSX and Linux, based on TrueCrypt 7.1a. VeraCrypt allows you to (1) create an encrypted file container, (2) encrypt a non-system partition / drive (such as a flash drive), and (3) encrypt the system partition or entire system drive.
Once you have downloaded and installed VeraCrypt on your computer, making an encrypted container is very simple. Just run VeraCrypt, click the ‘Create Volume’ button and follow the steps in the wizard to create an encrypted file container. Once created, the VeraCrypt encrypted file container works like another drive on your computer. Choose an unused drive letter, mount your encrypted file container and everything in the container is available to use. When you dismount the container everything in it is encrypted, helping to protect your sensitive files and folders if your computer is ever hacked, seized, or stolen.
To mount an encrypted file container, run VeraCrypt and select the file that is your encrypted container. Click the ‘Mount’ button and enter the password for that container (VeraCrypt recommends passwords of at least 20 characters). The container is then decrypted and becomes available. To re-encrypt everything in the container, just select the drive letter for the container and click the ‘Dismount’ button. You can have multiple encrypted file containers on your computer, as long as you have available space on your hard-drive to create them. 
VeraCrypt has several additional features, all of which are explained in the VeraCrypt User Guide. Take time to read this documentation and learn how you can use VeraCrypt to safeguard your private and sensitive information. I use VeraCrypt and recommend it as an effective means of adding additional security to your digital files and folders.
Download Your Copy of VeraCrypt here: https://www.veracrypt.fr/en/Home.html
Tuesday, November 28, 2017
WHONIX
Whonix is a desktop operating system designed for advanced security and privacy. Whonix mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use. The user is not jeopardized by installing additional applications or personalizing the desktop. Whonix is under active development and is the only operating system designed to be run inside a VM and paired with Tor. Whonix is available for all major operating systems. Most commonly used applications are compatible with the Whonix design. https://www.whonix.org/
Monday, November 27, 2017
Carpenter v. U.S.
When the US Supreme Court Justices return from holiday break this month they are expected to rule on the case of Carpenter v. U.S. At issue is "whether the warrantless seizure and search of historical cellphone records revealing the location and movements of a cellphone user over the course of 127 days is permitted by the Fourth Amendment."
Timothy Carpenter argues that his Fourth Amendment rights against unreasonable search and seizure were violated when the government obtained his cell phone location records from MetroPCS and Sprint without a warrant. The government argues that it has the right to obtain this type of cell-phone record without a warrant under the 1986 Stored Communications Act, which allows this type of data to be searched if the government can show reasonable grounds to believe it will be relevant to a criminal investigation. The government further argues that Carpenter lacks a legitimate expectation of privacy because he voluntarily turned his location information over to a third party when he signed up for cell service.
Over a dozen companies are urging the US Supreme Court to rule that Fourth Amendment protections apply to the cellphone location data. Apple, Google, Microsoft, Facebook, Verizon, and other technology and telecom companies have filed an amicus brief with the Supreme Court, arguing that the phone data should not be accessed by law enforcement without a warrant or court order.   
The decision in this case is likely to have broad and long-term effects on the privacy rights of Americans. It is my belief that we do have a reasonable expectation of privacy in our digital data. As Justice Roberts said in Riley v. California "Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans "the privacies of life". The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought."  
Free Computer Forensics Tools
Cyber-security professionals, system and network administrators, and various law enforcement and security agencies may all have a need to conduct a forensic examination of a computer. Skilled computer users (hackers) may want to conduct forensic examinations of their own computer systems to better understand how they work, and how information flows across their home networks. 
Below are some of the more popular computer forensic freeware programs. Downloading and learning to use these programs will improve your forensic and security knowledge, and will enhance your ability to secure your own computer systems against attack and against forensic analysis.
Autopsy is a forensic tool used by the military, law enforcement, and corporate examiners to investigate what happened on a smartphone or a computer. Autopsy has a plug-in architecture which allows the user to find add-on modules or even develop custom modules written in Java or Python. Autopsy analyzes disk images, local drives, or a folder of local files. Disk images can be in either raw/dd or E01 format. E01 support is provided by libewf. Download a Free copy of Autopsy here: http://www.sleuthkit.org/autopsy/download.php
Browser History Capturer is a free tool that allows you to easily capture web browser history from a Windows computer. The tool can be run from a USB dongle to capture history from Chrome, Firefox, Internet Explorer and Edge web browsers. The history files are copied to the chosen destination in their original format, allowing them to be analysed later using your tool of choice. The data captured includes bookmarks, cached files, cookies, downloads, form history, saved logins, searches, website history and more. Download a Free copy of Browser History Capturer here: https://www.foxtonforensics.com/browser-history-capturer/
Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998. Download a Free copy of Wireshark here: https://www.wireshark.org/
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Download a Free copy of Nmap here: https://nmap.org/download.html
HxD - Freeware Hex Editor and Disk Editor is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size. Download a Free copy of HxD here: https://mh-nexus.de/en/hxd/
PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools. PlainSight has taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment. Download a Free copy of PlainSight here: http://www.plainsight.info/index.html
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer. Download a Free copy of FTK Imager here: http://www.accessdata.com/product-download
Hiren's BootCD is a boot disk utility that helps with troubleshooting and makes reformatting your computer easy. It provides a compilation of programs to help resolve most common, and some uncommon, Internet and computer issues such as driver failure, intermittent internet connection and other computer malfunctions. Download a Free copy of Hiren's BootCD here: http://www.hirensbootcd.org/about/
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it. Download a Free copy of Volatility here: https://code.google.com/archive/p/volatility/downloads
Field Search is a suite of software products designed for use in the field by non-technical criminal justice personnel to allow them to quickly and efficiently search a target computer and create a detailed report of the findings. This approach provides a fast and powerful, yet easy method of examining and monitoring computer use. Field Search blends preview functions with evidence gathering and reporting functions. Download a Free copy of FieldSearch (for LE Agencies) here: https://www.justnet.org/app/fieldsearch/request.aspx
Video Previewer quickly processes a video and shows its key frames in a PDF file. It is particularly useful in investigations where watching a video is time consuming. It allows specification to select frames at equally spaced intervals, or to perform intelligent selection of frames based on scene changes. Download a Free copy of Video Previewer here: https://dfcsc.uri.edu/research/videoPreviewer
USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USB drives that were plugged into the machine. It displays information such as the name of the USB drive, the serial number, when it was mounted and by which user account. This information can be very useful when you’re dealing with an investigation whereby you need to understand if data was stolen, moved or accessed. Download a Free copy of USB Historian here: http://www.4discovery.com/our-tools/
Sunday, November 26, 2017
Blind Carbon Copy (BCC) For Privacy
If a message is forwarded, addresses on the To: and Cc: lines are sent with the forwarded message, but addresses on the BCC line remain invisible and are not included with the forwarded message. If someone selects ‘Reply All’ in a message, the sender and everyone on the To: and Cc: lines receive the reply, but addresses on the BCC line do not receive the reply because they are not visible to the system. Of course, everyone on the BCC line is still able to reply to the sender of the message. In general when using BCC to send e-mail to large groups, put your own e-mail address on the To: since everyone will know the message is from you anyway.
Keep in mind that many people do not want their e-mail address and other personal information disclosed to someone that they do not know. Using BCC protects individual privacy by not disclosing the e-mail address of every person on a distribution list to every other person on the list. BCC helps to reduce spam, since BCC addresses cannot be seen and harvested by spammers, and BCC messages cannot be used to develop lists of the names of the employees of a company or the members of an organization since, again, the names and e-mail addresses of the recipients are not visible.
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media. 
BCC helps to protect the privacy of individuals included in large e-mail groups. It also helps protect you (the sender), since someone who receives a copy of your e-mail is unable to see your entire distribution list. Note however that BCC e-mail addresses are visible to someone with access to the Exchange Server, so BCC does not hide e-mail addresses from your e-mail service provider. Additionally, when using encryption with BCC, the encryption system may expose BCC addresses. In a Stanford University paper, Correcting Privacy Violations in Blind-Carbon-Copy (BCC) Encrypted Email, the authors "show that many widely deployed email encryption systems reveal the identities of Blind Carbon-Copy (BCC) recipients. For example, encrypted email sent using Microsoft Outlook completely exposes the identity of every BCC recipient. Additionally, several implementations of PGP expose the full name and email address of BCC recipients. Email messages should not reveal the identities of Blind-Carbon-Copy (BCC) recipients. We show that many widely deployed email encryption systems, however, reveal the identities of every BCC recipient to all email recipients and to anyone who examines the email message en route. In most cases, the BCC recipient’s identity is exposed by a unique identifier that also exists in publicly accessible databases on the Internet. In some cases, however, the full name and email address of a BCC recipient is included in the clear in the ciphertext of the encrypted email message... Conclusions: many encrypted email systems mishandle BCC recipients and violate privacy. The most severe violations are in implementations of S/MIME, including Outlook, Mail.app, and Thunderbird, where the identities of BCC recipients are completely exposed to anyone with a text editor."
Even though encryption can expose BCC addresses, I still recommend using BCC when sending e-mail to large groups of people. BCC protects you from accidental exposure of your e-mail distribution lists, and prevents multiple e-mail addresses from being displayed in printed copies of an e-mail. Also, most recipients of your e-mail messages are unlikely to be attempting to expose the BCC addressees of your message. So, BCC is still a useful security practice. 
If the BCC line is not visible when you open a new e-mail message: In an open message, on the Message Options or Options tab, in the Fields or Show Fields group, click Show Bcc or Bcc. (Applies To: Outlook 2016 Outlook 2013 Outlook 2010 Outlook 2007.)
Although BCC is not perfect, it is a simple technique to help improve security of your e-mail.  Consider using BCC the next time you send an e-mail to a large group of people. 
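The BCC behaviour described in this post (the provider sees every recipient, the Bcc header is stripped before the message leaves the client, and Forward and Reply All therefore never reach BCC addressees) as an added Python example that is not part of the original post; it uses only the standard library, and all addresses are constructed samples:

```python
# Added example (not from the original post): how a mail client handles BCC
# before and after submission, using only Python's standard library.
import copy
from email.message import EmailMessage


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Build the message as the sender's client holds it, including the
    Bcc header the user typed in.  All addresses are constructed samples."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addrs(msg, name):
    """Bare addr-specs from one address header (empty list if absent)."""
    hdr = msg.get(name)
    return [a.addr_spec for a in hdr.addresses] if hdr else []


def envelope_recipients(msg):
    """Everyone the submitting server is told to deliver to: To + Cc + Bcc.
    Your provider (e.g. the Exchange server) sees this full list, which is
    why BCC hides nothing from your own e-mail service."""
    return _addrs(msg, "To") + _addrs(msg, "Cc") + _addrs(msg, "Bcc")


def strip_bcc(msg):
    """What actually leaves the client: a copy with the Bcc header removed
    (smtplib.send_message does the same).  Recipients, and anyone they
    forward the message to, only ever see this copy."""
    wire = copy.copy(msg)
    del wire["Bcc"]
    return wire


def reply_all_recipients(received, replier):
    """Who a 'Reply All' from `replier` reaches: the sender plus everyone on
    To: and Cc: of the received copy, minus the replier.  BCC addressees are
    absent because the Bcc header never reached the replier."""
    everyone = (_addrs(received, "From") + _addrs(received, "To")
                + _addrs(received, "Cc"))
    return [a for a in everyone if a != replier]


if __name__ == "__main__":
    # Constructed sample following the post's advice: your own address on
    # To:, the whole distribution list on Bcc:.
    me = "sender@example.org"
    msg = build_message(me, [me], bcc=["a@example.org", "b@example.org"],
                        subject="Newsletter", body="Hello all")
    print("provider delivers to:", envelope_recipients(msg))
    wire = strip_bcc(msg)
    print("Bcc header seen by recipients:", wire["Bcc"])
    print("reply-all from a@example.org reaches:",
          reply_all_recipients(wire, "a@example.org"))
```

Run it to see that the full list exists only in the submission envelope, while the copy that is forwarded or replied to carries no trace of the BCC addresses.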