Sarah D. Scalet
Senior Editor

Jan 16, 2003 (4 min read)
CSO and CISO | Data and Information Security

If anyone should be able to recognize a hoax, it's the kind of person who corresponds with ISC2, that awkwardly named organization known for doling out certifications to security professionals. But four months ago, the International Information Systems Security Certification Consortium became the target of an e-mail spoofing campaign, and even a group of so many security brainiacs still hasn't been able to close the case.

It started last autumn, when the security community got blasted with a legal notification allegedly from ISC2. On Sept. 3, I myself got the e-mail, which warned that my name, banking information and Social Security number had been sold for marketing research. Supposedly I could send $10 to ISC2, which would then consider deleting its records about me. Otherwise the organization would deduct $50 from my account.

Despite the fact that the e-mail seemed to come from ISC2, listed its real mailing address and was signed with the name of a real staff member, it had hoax written all over it. Its claims were ludicrous, and it gave a vague citation of something called "the privacy act" as its legal rationale.

Later the spoofing campaign turned really nasty, with antisemitic rants and photos, the details of which aren't worth repeating. This round of e-mails appeared to come from ISC2's webmaster.

Dorsey Morrow, general counsel for the Framingham, Mass.-based organization, has been on the case ever since, working with law enforcement officials in Massachusetts, Australia and now Israel to try to track down the suspect. There's just one problem: Morrow is not sure exactly what crime has been committed. Because the perpetrator wasn't trying to collect any money himself, the spoofed e-mails don't count as fraud. The crime seems to have been committed in Australia, where defamation and slander are difficult to prove. And the antisemitic e-mails implied violence but did not explicitly threaten it. "He walks up the line," Morrow says. "This guy's more of an annoyance than anything else."

Morrow's biggest hope for prosecution comes from an unlikely place: spam legislation that would have allowed ISC2 to bring charges for misrepresenting the origin of an e-mail. This seems a stretch. After all, 26 states have anti-spam laws already, and have you noticed how much good they're doing?

The sad truth is, e-mail spoofing, in which a message appears to come from someone it's not, has become a way of life. Users have long been told not to trust e-mails from unknown sources. Spammers, and virus writers too, have responded by making it appear as though an e-mail is from a trusted source. (A note for you geeks out there: who's going to slog through the message headers looking for the real trail? As far as most e-mail users are concerned, all that really matters is the From line.)
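The "real trail" the column refers to is the chain of Received headers, which receiving mail servers prepend as a message passes through them. The script below is an added example, not part of the column: it walks that chain back to the last relay the recipient organization operates (an assumed set of hostnames), takes the connecting address that relay recorded, and compares it with what the From line claims. The message, hostnames and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# Matches the "from HELO (rdns [ip]) by HOST" clause of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Constructed sample, not a real message: the From line claims the certifying
# body's domain, but the hop our own relay recorded came from an unrelated host.
SPOOFED_MESSAGE = """\
Received: from mail.example-inbox.test (mail.example-inbox.test [192.0.2.10])
    by mx.example-inbox.test with ESMTP id a1b2c3; Tue, 3 Sep 2002 09:12:01 -0400
Received: from mail.example-cert.test (dialup-77.example-isp.test [203.0.113.77])
    by mail.example-inbox.test with SMTP id d4e5f6; Tue, 3 Sep 2002 09:11:58 -0400
From: Legal Department <legal@example-cert.test>
Subject: Legal notification

Send $10 or we will deduct $50 from your account.
"""
TRUSTED_RELAYS = {"mx.example-inbox.test", "mail.example-inbox.test"}  # hosts we run


def last_trusted_hop(raw_message: str, trusted: Set[str]) -> Optional[dict]:
    """Return the hop written by the last relay we operate. Received headers are
    prepended, so everything below that hop came from the sender and may be forged;
    the IP and reverse DNS it recorded are the best origin headers alone can give."""
    hop = None
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m or m.group("by").lower() not in trusted:
            break  # written outside our boundary: stop trusting the chain
        hop = m.groupdict()
    return hop


def spoof_indicators(raw_message: str, trusted: Set[str]) -> List[str]:
    """Compare the From line against the origin our own relay recorded."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hop = last_trusted_hop(raw_message, trusted)
    if hop is None:
        return ["no Received header from a trusted relay"]
    findings = []
    if not hop["rdns"].lower().endswith(from_domain):
        findings.append(f"From {from_domain} vs origin {hop['rdns']} [{hop['ip']}]")
    if hop["helo"].lower() != hop["rdns"].lower():
        findings.append(f"HELO {hop['helo']} != reverse DNS {hop['rdns']}")
    return findings
```

Only headers written by relays you control can be trusted; a sender can prepend any number of plausible-looking Received lines beneath them, which is why the walk stops at the first hop outside that boundary.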

There are a few things companies can do. "First they should make sure their e-mail servers are secured," says Maurene Caplan Grey, a research director for the Stamford-based Gartner Research. Some spammers hunt the Internet for organizations whose e-mail relays are open, and then use them to send spam. The e-mails seem to come from the organization because, technically, they do.

The other, more complicated step companies can take is using smart relays. "We see many organizations using an Exchange server or whatever e-mail product they have in-house," Grey says. "You can configure an Exchange server to be a relay, but that's not what it was designed to do. It's not smart enough to know if it's being attacked." Instead, she says, e-mail relays from anti-spam vendors like Sendmail, CipherTrust or Mirapoint can identify when a spammer is attacking a domain by trying random e-mail addresses. The gist of this is that if spammers can't confirm that an e-mail address is a valid one, they're less likely to spoof it.

Unfortunately, none of this does much good for an organization that's being specifically targeted but whose servers aren't actually involved in sending the e-mail. If I were in a darker mood, I might even predict that this could be 2003's one-up on the political website defacements we've seen. It's the perfect crime, because you don't even need to break in.

Meanwhile, the folks at ISC2 have installed PGP to authenticate genuine e-mails, and law enforcement seems to have scared the culprit into stopping. Now, the only thing left for them, or any of us, to do is to hope that our friends are smarter than our enemies, and can distinguish e-mail spoofs from the real thing.