Feeds

Online impersonations: no validation required

How do you know what's real and what's not?

Top 5 reasons to deploy VMware with Tegile

Refuting email

In sensitive environments, PGP signatures or similar key-based systems can be used to authenticate the sender. These cryptographic systems validate your identity because only the sender has the right keys. However, few people use PGP for general email communications and it does not authenticate you with new acquaintances.

With free email services, disabling an imposter becomes more difficult. In most cases, you must authenticate yourself before the hosting provider will take action, but not to open the account. For example, anyone can register a Yahoo! Mail account using your name. If Yahoo! Mail has an email account that is impersonating you, then you can fill out their abuse form. This form requires you to describe the incident and identify yourself.

In contrast to Yahoo!, Gmail requires you to print out the imposter's email and mail it to them through the postal service. Gmail offers no method for submitting an online complaint about an imposter.

Although sites such as Yahoo! and Gmail do provide options for refuting and disabling an imposter's account, other public mailing systems are not as responsive. For example, Hushmail allows people to report abuse. However, they will not investigate abuse complaints (other than spam complaints) and refuse to disable any imposter's account without a court order.

Since Hushmail does not authenticate during enrolment and does not remove abusive accounts, you should personally verify the sender's identity before responding. Any email from "hushmail.com", "hush.com", "hush.ai", etc., could be an imposter. While Hushmail does use PGP for email authentication, this only validates that the email was sent using Hushmail; it does not validate the person who opened the Hushmail account.

External authentication is one option to mitigate the impact from general email impersonations. Build a reputation around a known email address and maintain a website that can quickly be used to identify you. If your emails always come from "mydomain.org", emails from some other domain should be suspect.

Mitigating mailing lists

While an imposter's email account can be disabled, the damage from posted messages is usually permanent. While some mailing lists will remove messages from their archives, most will not. And even if the message is removed, many mailing lists are mirrored; an imposter's posting could live indefinitely on hundreds of archive sites. Exposing the imposter by posting to the list or informing the list manager, is usually enough to mitigate any damage.

Unfortunately, some unmoderated forums have a large number of imposters. Contesting an imposter may not be worthwhile; if many people are impersonated, then malicious postings are usually suspect without any feedback from you. In addition, any identification of an imposter could be overlooked in high-volume forums.

Web of lies

Along with impersonating email addresses, imposters can create fictitious websites. Yahoo! Mail includes web space at Geocities, Gmail includes Googlepages, and there are thousands of other hosting providers. The inability to authenticate an owner opens the door to impersonations such as phishing; anyone can create a web page that looks like Citibank and anyone can register a domain name similar to "citibank.com". No validation required.

Refuting a fake website really depends on the type of impersonation and the hosting location. Companies such as Yahoo! and Google are extremely responsive to phishing reports. Due to well-organised efforts by groups such as the Anti-Phishing Working Group, reported phishing sites are usually taken down within hours, and sometimes within minutes. If the hosting site is non-responsive, then network routers can restrict access to these sites until the phishing site is removed.

While web impersonations usually refer to companies, they can also apply to individual people. Unfortunately, if the site is impersonating a person - and not a company - then refuting the site becomes more complicated. Yahoo! Geocities links web pages to email accounts. If you can refute the Yahoo! email account, then you can disable the imposter's web page. In general, your ability to refute a fake web page really depends on the hosting provider. Look at their site for a method to report abuse and be prepared to validate that you really are you.

Internet Security Threat Report 2014

Next page: Invading my space

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.