Feeds

Online impersonations: no validation required

How do you know what's real and what's not?

Security for virtualized datacentres

Refuting email

In sensitive environments, PGP signatures or similar key-based systems can be used to authenticate the sender. These cryptographic systems validate your identity because only the sender has the right keys. However, few people use PGP for general email communications and it does not authenticate you with new acquaintances.

With free email services, disabling an imposter becomes more difficult. In most cases, you must authenticate yourself before the hosting provider will take action, but not to open the account. For example, anyone can register a Yahoo! Mail account using your name. If Yahoo! Mail has an email account that is impersonating you, then you can fill out their abuse form. This form requires you to describe the incident and identify yourself.

In contrast to Yahoo!, Gmail requires you to print out the imposter's email and mail it to them through the postal service. Gmail offers no method for submitting an online complaint about an imposter.

Although sites such as Yahoo! and Gmail do provide options for refuting and disabling an imposter's account, other public mailing systems are not as responsive. For example, Hushmail allows people to report abuse. However, they will not investigate abuse complaints (other than spam complaints) and refuse to disable any imposter's account without a court order.

Since Hushmail does not authenticate during enrolment and does not remove abusive accounts, you should personally verify the sender's identity before responding. Any email from "hushmail.com", "hush.com", "hush.ai", etc., could be an imposter. While Hushmail does use PGP for email authentication, this only validates that the email was sent using Hushmail; it does not validate the person who opened the Hushmail account.

External authentication is one option to mitigate the impact from general email impersonations. Build a reputation around a known email address and maintain a website that can quickly be used to identify you. If your emails always come from "mydomain.org", emails from some other domain should be suspect.

Mitigating mailing lists

While an imposter's email account can be disabled, the damage from posted messages is usually permanent. While some mailing lists will remove messages from their archives, most will not. And even if the message is removed, many mailing lists are mirrored; an imposter's posting could live indefinitely on hundreds of archive sites. Exposing the imposter by posting to the list or informing the list manager, is usually enough to mitigate any damage.

Unfortunately, some unmoderated forums have a large number of imposters. Contesting an imposter may not be worthwhile; if many people are impersonated, then malicious postings are usually suspect without any feedback from you. In addition, any identification of an imposter could be overlooked in high-volume forums.

Web of lies

Along with impersonating email addresses, imposters can create fictitious websites. Yahoo! Mail includes web space at Geocities, Gmail includes Googlepages, and there are thousands of other hosting providers. The inability to authenticate an owner opens the door to impersonations such as phishing; anyone can create a web page that looks like Citibank and anyone can register a domain name similar to "citibank.com". No validation required.

Refuting a fake website really depends on the type of impersonation and the hosting location. Companies such as Yahoo! and Google are extremely responsive to phishing reports. Due to well-organised efforts by groups such as the Anti-Phishing Working Group, reported phishing sites are usually taken down within hours, and sometimes within minutes. If the hosting site is non-responsive, then network routers can restrict access to these sites until the phishing site is removed.

While web impersonations usually refer to companies, they can also apply to individual people. Unfortunately, if the site is impersonating a person - and not a company - then refuting the site becomes more complicated. Yahoo! Geocities links web pages to email accounts. If you can refute the Yahoo! email account, then you can disable the imposter's web page. In general, your ability to refute a fake web page really depends on the hosting provider. Look at their site for a method to report abuse and be prepared to validate that you really are you.

Beginner's guide to SSL certificates

Next page: Invading my space

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.