|Peter Bowditch's Web Site|
A Different Internet Security Problem
This is the text of a presentation given to the Australian Computer Society's Western Sydney Chapter on September 3, 2002
What is this about?
Credit card fraud
These are all legitimate security threats, but most of them have technical solutions or prevention methods, and many of them are covered by the existing criminal laws. For instance, the use of stolen credit card numbers is illegal whether it happens because someone has sent a card number across a wire or it happens because someone in a shop has touched a physical card. Also, most of these are internal threats which affect the internal operations or infrastructure of a business. This talk is about external threats to the reputation of an organisation and the consequences of those threats to the organisation. Much of the talk is based on the experience of running a controversial web site, RatbagsDotCom, where much of the reaction has taken the form of attacks on the business and personal reputation of the site owner.
The specific problems addressed are domain name hijacking, impersonation, denial of service, association with spam, harassment, stalking, direct contact with associates, and legal threats.
Domain name hijacking
The rules in Australia for acquiring a .com.au domain name are relatively strict, and these names will not be registered to just anyone who asks. Registration of US-based .com domain names is, however, on a first-come, first-served basis, so any Australian company which does not also own the corresponding .com domain is leaving itself open to a competitor or a critic taking up the US name and using it in a manner which can damage the company. The annual fee is cheap insurance, and there is no need to delegate (or point) the domain name to any site. Being the registered owner prevents anyone else using it, which is the real purpose of owning it.
It is not enough to own a domain name, however. It is important to make sure you keep owning it. I made the mistake of registering "gebesse.com" with a cut-price registry organisation who went out of business before they had managed to send me a renewal notice. I found out then about organisations who exploit this sort of thing by monitoring the expiry dates of domain names and registering any which they find have expired without renewal. They then ask for payment to give the names back. This would just be a sharp business practice, except that they go one step further into blackmail by delegating the names to pornography sites. The obvious intention is to embarrass people into paying to recover their domain names. If you click on the image at the left, you can see what the site "www.gebesse.com.au" looks like. The image on the right shows "www.gebesse.com" as it appeared on September 2, 2002. I refused to be blackmailed, but I will be checking regularly after the expiry time to see if I can get the name back, and I won't be using any cheap registry services in the future. And yes, someone (not the domain registrant) did try to tell people that the pornography site really belonged to me.
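The renewal problem above is easy to automate away. The following is an added example, not code from the talk: given the text of a WHOIS record for a domain (obtained with an ordinary whois client; the record embedded here is a constructed sample for an invented domain, registrar and dates), it reports how many days remain before the registration lapses and whether the name servers still match what the owner set up. An unexpected change of delegation is the first visible sign that someone else now controls the name.

```python
"""Domain-renewal watchdog: an added example, not code from the talk."""
import re
from datetime import datetime, timezone

# Constructed sample WHOIS output; domain, registrar and dates are invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BUSINESS.COM
Registrar: Example Registrar, Inc.
Updated Date: 2001-10-15T00:00:00Z
Registry Expiry Date: 2002-10-15T00:00:00Z
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""

# Registries label the expiry line differently; accept the common variants.
EXPIRY_RE = re.compile(
    r"^(?:Registry Expiry Date|Registrar Registration Expiration Date"
    r"|Expiration Date|Expiry Date):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
NS_RE = re.compile(r"^Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def utc_date(year, month, day):
    """Aware UTC datetime for a calendar day (used for 'now' in the checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_expiry(whois_text):
    """Return the expiry timestamp from the record as an aware UTC datetime."""
    match = EXPIRY_RE.search(whois_text)
    if match is None:
        raise ValueError("no expiry date line found in WHOIS output")
    raw = match.group(1)
    # WHOIS timestamps are normally ISO 8601 with a trailing Z meaning UTC.
    if raw.endswith("Z"):
        raw = raw[:-1]
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)


def days_until_expiry(whois_text, now):
    """Whole days from `now` to expiry; negative once the registration has lapsed."""
    return (parse_expiry(whois_text) - now).days


def renewal_status(whois_text, now, warn_days=60):
    """Classify the registration so a scheduled job can raise the alarm in time."""
    days = days_until_expiry(whois_text, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW NOW"
    return "OK"


def name_servers(whois_text):
    """Lower-cased, sorted name servers listed in the record."""
    return sorted(ns.lower().rstrip(".") for ns in NS_RE.findall(whois_text))


def delegation_changed(whois_text, expected):
    """True when the record delegates the name somewhere the owner did not set up."""
    wanted = sorted(host.lower().rstrip(".") for host in expected)
    return name_servers(whois_text) != wanted


if __name__ == "__main__":
    checked_at = utc_date(2002, 9, 2)
    print(renewal_status(SAMPLE_WHOIS, checked_at))
    print(delegation_changed(SAMPLE_WHOIS, ["ns1.example-host.net", "ns2.example-host.net"]))
```

Run it from a daily job against every name the organisation holds, including the .com counterparts that are owned purely as insurance and deliberately not delegated anywhere; for those, the expected name-server list is whatever the registrar parks them on, and any change is worth a phone call.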
Impersonation
It is almost impossible to prove who you are on the Internet. Most of the identifying information can be forged in even the most common of email programs. This also works the other way, as it is impossible to prove that you are not someone. This is not just an interesting logical argument about the impossibility of proving a negative - it can leave people with the impression that you have said something or hold particular views that they read in a message apparently from you, without there being any way to really prove that the source of the information was not you. The proliferation of free email systems has made this worse, although most will pass on the IP address of the writer so it may be possible to at least detect their ISP. The use of anonymous remailers removes even that measure of identifiability. Consider the following message, sent to a Usenet newsgroup from someone using the email address "firstname.lastname@example.org":
Several people expressed sympathy for the fake Belinda. In this case, I was able to prove that the message was a forgery because the originating IP address belonged to an ISP in Canada, but if someone in Sydney had done this it would have been impossible to prove that it didn't come from my daughter. People who know my family would know that I have never had a bypass operation, my daughter is not 12 (and she is too smart to say anything as stupid as "my father ... is quite a bit older than I am"), and that I don't listen to toilets. Potential clients might not know this, though. If your clients started getting emails containing lies about you and your business, they might not know how to detect forgeries even if they suspected that the information was untrue. Similarly, if emails bearing your name start turning up in competitors' mailboxes offering to sell corporate secrets, your only defence might be to point out that you wouldn't be so stupid as to use your own name.
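The forgery above was exposed by reading the Received: headers back to the originating IP address. This is an added example, not code from the talk, of doing that check systematically. The only Received: headers worth believing are the ones written by servers you trust; anything below them can be forged by the sender. The function walks down the header stack while each hop was recorded by a trusted server and stops at the first peer that is not trusted, because that peer's address is the real origin. The message, the host names and the trusted-server list are all constructed for the example (addresses come from documentation ranges).

```python
"""Locate the originating IP of a message: an added example, not code from the talk."""
import email
import ipaddress
import re

# Constructed sample headers of a forged post; hosts and addresses are invented.
SAMPLE_MESSAGE = """\
Received: from news-gateway.example (news-gateway.example [192.0.2.10])
\tby mail.ourdomain.example with ESMTP id a1b2c3; Mon, 2 Sep 2002 10:00:00 +1000
Received: from user-pc (dialup-77.ca.example [203.0.113.77])
\tby news-gateway.example with SMTP id d4e5f6; Mon, 2 Sep 2002 09:59:00 +1000
Received: from [10.0.0.1] by forged-hop.example; Mon, 2 Sep 2002 09:58:00 +1000
From: "Belinda" <firstname.lastname@example.org>
Subject: constructed sample of a forged posting

Constructed body text.
"""

# Servers whose Received: headers we trust: our own and the gateway that fed us.
TRUSTED_HOSTS = {"mail.ourdomain.example", "news-gateway.example"}

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return (from_host, from_ip, by_host) for each Received: header, newest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        from_m = FROM_RE.search(value)
        by_m = BY_RE.search(value)
        ip_m = IP_RE.search(value)
        hops.append((
            from_m.group(1).lower() if from_m else None,
            ip_m.group(1) if ip_m else None,
            by_m.group(1).lower().rstrip(";") if by_m else None,
        ))
    return hops


def originating_ip(raw_message, trusted_hosts=TRUSTED_HOSTS):
    """IP of the first untrusted peer as recorded by a trusted server.

    Returns None if the chain of trusted hops ends before any untrusted peer
    appears: everything below that point could have been written by the sender.
    """
    for from_host, from_ip, by_host in received_hops(raw_message):
        if by_host not in trusted_hosts:
            return None
        if from_host not in trusted_hosts:
            return from_ip
    return None


def origin_is_plausible(ip, expected_networks):
    """True when the origin lies inside networks the claimed sender really uses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in expected_networks)


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_MESSAGE)
    print(origin, origin_is_plausible(origin, ["198.51.100.0/24"]))
```

The second question, whether that address belongs to the ISP the supposed author actually uses, is answered by a whois lookup on the address; the example only checks it against a list of expected networks. As the talk says, this proves a forgery only when the origin is somewhere the real person could not have been.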
Denial of service
Traditionally, a "denial of service" attack has meant using some form of technology to overload a system to the point where it becomes unusable. This can be done by sending a huge number of messages or requests for action, for example, so that the system simply cannot respond fast enough. This sort of attack requires some sophistication, but a similar effect can be generated for a small business by inducing a huge amount of email. Someone once spent a weekend subscribing me to about 500 mailing lists. Luckily, most of the lists required confirmation of a subscription so all I had to do in those cases was delete the request for confirmation, but I was still left with many lists where I had to manually unsubscribe. A targeted attack by a group of activists against a corporation could see thousands of subscriptions generated, clogging mailboxes and wasting a lot of staff time.
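The subscription flood described above has a recognisable signature: confirmation requests from many unrelated lists arriving within a short time. The following is an added example, not code from the talk, that scans an inbox summary for that pattern so the requests can be discarded in bulk rather than handled one by one. The inbox lines ("timestamp|from|subject") are constructed sample data.

```python
"""Detect a mailing-list subscription bomb: an added example, not code from the talk."""
import re
from datetime import datetime, timedelta

# Constructed inbox summary: one message per line as "timestamp|from|subject".
SAMPLE_INBOX = """\
2002-08-31 21:02|listmaster@alpha-list.example|Please confirm your subscription to alpha-list
2002-08-31 21:03|requests@beta-talk.example|CONFIRM subscription request
2002-08-31 21:05|owner@gamma-news.example|Confirm your subscription
2002-08-31 21:09|bounces@delta-digest.example|Subscription confirmation required
2002-08-31 21:11|client@acme.example|Re: invoice 1042
2002-08-31 21:14|robot@epsilon-list.example|Verify your subscription
2002-08-31 21:20|majordomo@zeta-users.example|confirm 7f3a2c subscribe zeta-users
2002-09-01 09:30|daily@weather.example|Today's forecast
"""

# Subject words that list managers use when asking for confirmation.
CONFIRM_RE = re.compile(r"\b(confirm\w*|verify)\b", re.IGNORECASE)


def parse_inbox(text):
    """Turn the summary into (timestamp, sender, subject) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sender, subject = line.split("|", 2)
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M"), sender, subject))
    return rows


def confirmation_requests(rows):
    """(timestamp, list domain) for every message that looks like a confirmation request."""
    return sorted(
        (stamp, sender.split("@", 1)[1])
        for stamp, sender, subject in rows
        if CONFIRM_RE.search(subject)
    )


def peak_distinct_lists(events, window):
    """Largest number of distinct list domains whose requests fall inside any one window."""
    peak = 0
    for i, (start, _) in enumerate(events):
        domains = {domain for stamp, domain in events[i:] if stamp - start <= window}
        peak = max(peak, len(domains))
    return peak


def detect_subscription_bomb(text, threshold=5, window_minutes=60):
    """Return (alarm, peak): alarm is True when `threshold` or more different lists
    asked for confirmation within `window_minutes`."""
    events = confirmation_requests(parse_inbox(text))
    peak = peak_distinct_lists(events, timedelta(minutes=window_minutes))
    return peak >= threshold, peak


if __name__ == "__main__":
    print(detect_subscription_bomb(SAMPLE_INBOX))
```

Counting distinct list domains rather than raw messages keeps one chatty list from triggering the alarm. The safe response once it fires is the one the talk describes: ignore the confirmations, since an unconfirmed request lapses on its own, and reserve manual effort for lists that subscribed the address without asking.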
Association with spam
Spam, or unsolicited email, is an enormous problem for everyone. It fills mailboxes, offends people with its relentless offers of pornography, and wastes time as people try to filter it or cut it off at its source. A new danger has appeared where, rather than receiving spam, it looks like you are the person sending it out. The spammers use legitimate, deliverable email addresses in the "From:" email headers which have nothing to do with the person or organisation sending out the messages. While this might look like an example of impersonation, it is highly unlikely that it is being done by anyone trying to deliberately target your organisation. The spammers just pick an address at random from the lists they have already collected, because the object is not to pretend to be someone else but to avoid receiving automated replies about undeliverable mail.
This practice can have several unfortunate consequences for the victimised owner of the forged address. Firstly, it can have the same adverse effect as true impersonation, because your organisation is identified with the spam. (Most email client programs show the "From:" address in the inbox list, so recipients see it before they see the message contents.) Secondly, it can have the same effect as a denial of service attack when mail servers reply with messages about undeliverable mail. If a spammer sends out a million messages with your email address in the "From:" header and 1% of them have invalid email addresses, you could receive 10,000 bounce messages. If you click on the picture, you can see an example of one of these messages. The very first email address I ever used, "email@example.com", has been made useless because it is used several times each week by promoters of pyramid schemes and medical quackery.
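Bounces for mail you never sent (backscatter) can be separated from genuine bounces, because a genuine bounce returns the message you actually sent. The following is an added example, not code from the talk: it pulls the Message-ID out of the returned copy and compares it with the IDs your own mail server logged on the way out. Matching on the domain inside the Message-ID is not enough, since that can be forged just like the From: line. The bounce message and the outbound log are constructed samples in the standard multipart/report layout.

```python
"""Separate genuine bounces from backscatter: an added example, not code from the talk."""
import email

# Constructed sample bounce in multipart/report form; all names are invented.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.far-away.example
To: info@victim.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.far-away.example. Delivery failed.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.far-away.example

Final-Recipient: rfc822; nobody@far-away.example
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Message-ID: <8a7c1e@bulk-sender.example>
From: info@victim.example
To: nobody@far-away.example
Subject: constructed sample of an unsolicited offer

Constructed spam body.

--B1--
"""

# Message-IDs our own server logged for outbound mail (constructed sample log).
OUTBOUND_LOG = {"<20020902.1001@victim.example>", "<20020902.1002@victim.example>"}


def returned_message_id(bounce_text):
    """Message-ID of the original message attached to the bounce, or None."""
    msg = email.message_from_string(bounce_text)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload()[0]   # the attached original message
            return original.get("Message-ID")
    return None


def classify_bounce(bounce_text, outbound_ids):
    """'legitimate' if we sent the bounced message, 'backscatter' if we did not,
    'unknown' when the bounce carries no copy of the original."""
    msg_id = returned_message_id(bounce_text)
    if msg_id is None:
        return "unknown"
    return "legitimate" if msg_id in outbound_ids else "backscatter"


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE, OUTBOUND_LOG))
```

Older mail systems return the original as plain text rather than as a message/rfc822 part; those land in the "unknown" bucket and need a text search for the logged IDs instead. Either way, filtering at the server on the logged IDs turns the 10,000 bounces in the example above into a count in a log file rather than a mailbox to wade through.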
Another threat is more pernicious, because you might not know that it is happening to you. You could find yourself cut off from parts of the world. There are several organisations which maintain "blacklists" of offending spammers, and ISPs can use these lists to filter incoming mail. Unfortunately, the blacklist operators don't bother to do much checking when they get a complaint and these lists are a lot easier to get on to than they are to get off again. If someone complains about spam apparently coming from you, you might find that the computer that handles your mail could be blacklisted. The Chairman of one of the Branch Executive Committees of the ACS complained recently about how mail addressed to his acslink.net.au address was not getting through. His ISP was using a blacklist, and if you click on the image at the right you can see the SpamCop blacklisting of the IP address of the machine which does the final distribution of all acslink mail. This emphasises another danger, which is that the blacklists work by IP address, not domain name, so all mail through a particular mail server will be blocked, not just that from the reported domain. At one stage several of the mail servers operated by Telstra were blacklisted, so none of the customers of the largest ISP in Australia were able to send email to anyone whose ISP was using the relevant blacklists.
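You can find out whether your own mail server's address is on a blacklist before your correspondents do. The following is an added example, not code from the talk, of how these lists are queried: the octets of the IP address are reversed and the list's zone is appended, and an answer in 127.0.0.0/8 means "listed". The lookup goes through a resolver function passed as an argument so the behaviour can be shown offline with a fake resolver; socket_resolver is the real one. The zone name "bl.example" and all addresses are constructed, not a real blacklist.

```python
"""Check a mail server's IP against a DNS blacklist: an added example, not code from the talk."""
import ipaddress
import socket

# DNSBLs answer with an address in this range when the queried IP is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Name to look up: reversed octets of the IPv4 address under the list's zone."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def socket_resolver(name):
    """Real resolver: the A record for `name`, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=socket_resolver):
    """True when the list answers for this address."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in LISTED_RANGE


def servers_affected(server_ips, zone, resolve=socket_resolver):
    """Listing status for every relay a domain's mail passes through.

    The list blocks the relay's address, not your domain, so every customer
    sharing that relay is blocked together with you.
    """
    return {ip: is_listed(ip, zone, resolve) for ip in server_ips}


# Fake zone data for an offline demonstration (constructed).
FAKE_ZONE_DATA = {
    "10.2.0.192.bl.example": "127.0.0.2",   # outbound relay 192.0.2.10 is listed
}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    print(servers_affected(["192.0.2.10", "198.51.100.5"], "bl.example", fake_resolver))
```

Run the check against every address your outbound mail can leave from, including your ISP's relays, because, as the acslink case above shows, the machine that does the final delivery is the one that gets listed.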
Harassment and Stalking
Strictly speaking, stalking is when someone is followed around the Internet and responses are made to any activity, such as posting to newsgroups or mailing lists, while harassment is an active attack without any necessary stimulus; both have the same effect. Both involve a barrage of lies and accusations appearing in a variety of forums. Often the harasser will try to remain anonymous (although they may deceive themselves about how anonymous they really are) or will use false identities (called "sock puppets") to try to convince others that there is more than one person doing the criticising and attacking. Sometimes the stalking and harassment can become an obsession for the stalker, and you can click on the image on the left to see some statistics for someone who has had me as a project for more than two years. You will generally know about stalking, as much of it happens in response to what you do and you will be checking for responses anyway, but you may not be aware of other attacks. It is useful to occasionally look for your name or organisation in the major search engines and investigate anything that looks suspicious. If you click on the image at the right you can see something that I found when I looked up my name in Google. The OzGateway site is a good-looking attempt to create a directory of Australian businesses, but the operators of the site need to tighten up the procedure for getting a listing. Stalking is easier to manage than ambush, because you can sometimes establish a sort of dialogue (although your responses are directed towards other readers, not the stalker), but usually the only way to respond to things like the OzGateway page is to approach the site and ask for the offending material to be removed before too many people see it. Obsessive stalking and harassment can be a lot less harmful than it might at first appear, simply because observers can see the pattern, but one-off attacks can be very damaging unless stamped on immediately.
(Update 5 September, 2002: This talk was publicised on several web sites. Somebody who apparently doesn't like me provided a perfect example of stalking behaviour the next day. You can click here to see it, but be warned it is rated "M - some coarse language".)
(Update 15 October, 2002: The OzGateway people have informed me that the offending page has been removed from their directory and they are working on changes to the submission process to limit this kind of abuse in the future. I congratulate them for this, especially as I didn't complain to them. They did just what I was talking about above and searched for their name in Google, which led them to the page you are reading now. When they found that their system was being abused, they fixed things immediately.)
Direct contact with associates
Everyone likes to boast about their excellent clients and suppliers and other business relationships. Mentioning these on a web site, however, can give an attacker some clues about where to go to do some damage. I removed all mention of my clients from my business web site and all names of previous employers from an online résumé because people were attempting to contact them. Some relationships, however, are difficult or impossible to hide. Within a week of my moving my sites to a new hosting service, the page that you can see from the image on the left was created at the previously-mentioned OzGateway defaming Enet21, the new host. (Approaches were also made directly to Enet21, demanding that my sites be closed down). Earlier in the year, the fax you can see from the image at the right was sent to the Australian Computer Society. Luckily, in both cases I had a relationship with the recipient of the complaints that eliminated any bad effect that the complainer had wanted. Things may have been very different if I had not been a relatively high-profile member of the ACS or if I hadn't known the manager of the ISP for some time. (It is worth checking how your web hosting service or ISP reacts to complaints. There is a perception that smaller organisations will be more likely to fold in the face of complaints, but I have had excellent moral support from the two small ISPs I have used for site hosting. On the other hand, I know someone who was threatened with having her account with a large ISP suspended on the basis of a single anonymous complaint.)
Legal threats
One form of harassment that cannot be ignored is a legal threat. Even the most fatuous letter from a lawyer requires a response, and a court summons generally means that the response has to come from a lawyer. It is no consolation if you win or if the action is later dropped or dismissed, because it costs time and money to defend even ridiculous claims and there might not be any money to pay costs when the court awards in your favour. The image at the right leads to a summons in a bizarre court action where I and several other people (and some non-persons such as some domain names and a mailing list at Yahoo!) were accused in a civil case of a ludicrous range of offences. This case had no chance of success. As an example, even a cursory examination of the document would have people asking how any action for trespass in a California county court could succeed against residents of Australia and Denmark. The true purpose of the action was revealed when the public relations firm acting for the plaintiff issued a press release gloating about how all the defendants would be bankrupted by the suit. (This press release was actually an encouraging sign. It is illegal in California to bring suit simply to financially damage someone, so it looked as if the plaintiff's legal advice might be flawed. This impression was heightened when I found that the lawyer whose name is on the summons had publicly referred to me as a "bottom dwelling parasite".)
Despite these obvious deficiencies in the case, it was 260 days before it was finally dismissed. It didn't cost anyone much money, because only a handful of the defendants were served with the summons and the matter never really got to court, but time was wasted and there was a cost in adverse publicity. People and organisations who were unrelated to the plaintiffs but shared their opinion of the defendants were only too ready to help. During the 260 days several web sites published the text of the summons (and have yet to publish the fact of the dismissal), and much emphasis was placed on how all the evil defendants were being sued for $10 million. Mud sticks.
Some of the strategies that you can use to combat these threats are to do nothing, to run to lawyers, to retaliate in some way, or to use exposure.
Often, the best thing you can do is to do nothing, or just take the minimum action necessary. I reduced my daily spam load by several hundred messages by simply changing the contact email addresses on my web sites and disabling the old addresses at the mail server. Don't ever respond directly to hate or abusive email. Keep it by all means but there is no need to acknowledge receipt, although some action must be taken in the case of extended abuse or harassment. In many cases, making a big issue of something can just bring it to the attention of more people when ignoring it will allow it to fade away unnoticed. An exception is that if criminal activity is mentioned, such as threats to poison food, damage property, or cause physical harm to a person, then you always need to contact the police. Let them talk to the person making the threat.
The body of law relating to the Internet is still in an extremely tentative state of evolution. There is a lot of academic legal opinion but precious little case or statute law. One of the problems is jurisdiction - deciding where the offence took place. An example of this was a case of someone in Canada who was impersonating me. There seemed to be no doubt that this is a criminal offence in Canada, but I found that the Royal Canadian Mounted Police, who were the relevant authority, will only accept complaints in Canada from Canadian citizens or permanent residents. They will accept complaints from foreign police forces, but the New South Wales Police aren't really interested in offences committed in other countries. It can get even worse than this. I know a Canadian citizen who tried to take action over a published defamation but nobody could decide whether the offence happened in the province where the message originated, the province where the receiving server was located, or the place where the user was when he remotely accessed the server and read the message for the first time.
There is the possibility of successful legal action for defamation on a web site or to obtain a restraining order against a harasser, but the problems of identity and location will have to be addressed. A recent action by radio announcer Steve Price against the web site Crikey for defamation was successful, but Crikey is a journalistic publication, everybody involved knew each other before the event took place, the offence was admitted, and the action was basically the same as that which would apply to a printed newsletter or magazine. It would be a totally different matter to pursue the author of a free web site at Tripod.com or to recover the access logs of an anonymous remailing service in Holland. These sorts of actions require very deep pockets and the willingness to spend a lot of time as well as money.
There is a temptation to fight back using the tools and methods of the attacker, but this is counterproductive. Firstly, it brings you down to their level and, secondly, it weakens your position should you ever end up in court. I make a point of being excessively polite if I ever have to respond to an attack, and nothing seems to drive the attackers up the wall faster than being referred to as "Mr Soandso". They want and expect a hostile response. Don't give it to them. The one exception I make to this rule is that I will not tolerate impersonation. People can say whatever they like about me as long as they don't pretend to be me while they are saying it. Whenever I see a case of impersonation, I immediately contact any email provider or ISP I can and have the offending account closed. This is usually successful, although I did find it strange that Hotmail would close accounts that approximated my name without question but they wanted photo identification to close "peterbowditch" because it was exactly my name. As it turned out, the person using the address used the same password in several places and made a mistake one day which allowed me to find out what it was. Now all his base are belong to us.
I have found exposure to be the most effective response, because it removes some power of control from the harasser. One of the worst things you can do if you are harassed or false rumours are being spread is to hide this fact. If you openly publicise the threats you can reassure people and also remove from the harassers the weapon of claiming that there is a cover up, with the implication that there are things that you don't want people to know. You don't have to publish every bit of hate mail (although this has always been my policy at the RatbagsDotCom site), but you should at least have a mention on your web site of the campaign against you, with suggestions about where interested people can get more information. The impact of rumour and innuendo can be reduced if you are seen to be addressing them openly. After all, why would you be repeating these bad things about yourself if they were true? As examples, the Gebesse web site carries notices about spam apparently from the domain, about the fraudulent use of the "gebesse.com" domain, and about the harassment campaign to contact clients and other business associates.
The Internet has brought enormous changes and benefits to the way organisations can do business and interact with other businesses, people, government authorities and so on. It has opened up opportunities that would be unthinkable without this technology, and it has allowed the creation of new kinds of businesses as well as new ways of conducting traditional commerce.
With these benefits come risks. A major issue for anyone doing business on the Internet, or even just using it for communication, is security. The 'net has ways of exposing the internal workings of an organisation to the world that just cannot be done with, say, telephone and fax communication. Much work has been done over the years to make organisations secure against physical attacks such as penetration of internal networks, theft or misuse of confidential data, and outright fraud.
The 'net also allows other forms of threat to organisations, such as misrepresentation, defamation, harassment, identity theft, and blackmail. Hamlet may have been optimistic when he said "the readiness is all", but readiness is certainly a major part of addressing these threats and minimising the damage.
(Update 5 November, 2002. I received an email from someone who had an unfavourable opinion of this article. The criticism comes from someone who claims to be a computer professional and, in fact, not only runs a computer manufacturing company but also is the head of an organisation calling itself the American Computer Scientists Association. It nicely illustrates some of the things I was talking about, and you can read it here.)
|Copyright © 1998- Peter Bowditch|