
Online impersonations: no validation required

How do you know what's real and what's not?


Refuting email

In sensitive environments, PGP signatures or similar key-based systems can be used to authenticate the sender. These cryptographic systems validate your identity because only the sender has the right keys. However, few people use PGP for general email communications and it does not authenticate you with new acquaintances.

With free email services, disabling an imposter becomes more difficult. In most cases, you must authenticate yourself before the hosting provider will take action, even though no authentication is required to open an account. For example, anyone can register a Yahoo! Mail account using your name. If a Yahoo! Mail account is impersonating you, you can fill out their abuse form. This form requires you to describe the incident and identify yourself.

In contrast to Yahoo!, Gmail requires you to print out the imposter's email and mail it to them through the postal service. Gmail offers no method for submitting an online complaint about an imposter.

Although sites such as Yahoo! and Gmail do provide options for refuting and disabling an imposter's account, other public mailing systems are not as responsive. For example, Hushmail allows people to report abuse. However, they will not investigate abuse complaints (other than spam complaints) and refuse to disable any imposter's account without a court order.

Since Hushmail does not authenticate during enrolment and does not remove abusive accounts, you should personally verify the sender's identity before responding. Any email from "hushmail.com", "hush.com", "hush.ai", etc., could be an imposter. While Hushmail does use PGP for email authentication, this only validates that the email was sent using Hushmail; it does not validate the person who opened the Hushmail account.

External authentication is one option to mitigate the impact of general email impersonations. Build a reputation around a known email address and maintain a website that can quickly be used to identify you. If your emails always come from "mydomain.org", emails from some other domain should be suspect.
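The check suggested above, sketched as an added example (not from the original article): flag a message when a name you already know arrives from a domain other than the one that person always uses. The `KNOWN_SENDERS` table, the name "Alice Example" and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumption: the name a contact is known by and the one
# domain they always send from ("mydomain.org" is the article's example).
KNOWN_SENDERS = {"alice example": "mydomain.org"}

def _normalise(text):
    """Lower-case and turn '.', '_', '-' and whitespace into single spaces."""
    return " ".join(re.split(r"[\s._\-]+", text.lower())).strip()

def classify_sender(raw_message, known=KNOWN_SENDERS):
    """Classify the From header as 'expected', 'suspect' or 'unknown'."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    # A known name can show up as the display name or as the mailbox name,
    # e.g. a free webmail account registered in someone else's name.
    for candidate in (_normalise(display), _normalise(local)):
        expected = known.get(candidate)
        if expected is None:
            continue
        if domain == expected or domain.endswith("." + expected):
            return "expected"
        return "suspect"
    return "unknown"

# Constructed sample messages (headers only).
SAMPLES = [
    "From: Alice Example <alice@mydomain.org>\n\nhello",
    "From: \"Alice Example\" <alice.example@freemail.example>\n\nhello",
    "From: alice_example@freemail.example\n\nhello",
    "From: Alice Example <alice@mydomain.org.attacker.example>\n\nhello",
    "From: Bob Other <bob@elsewhere.example>\n\nhello",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw), "<-", raw.splitlines()[0])
```

A result of "expected" only means the domain is the usual one; the From header is supplied by the sender, so it is a first filter and not proof of identity.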

Mitigating mailing lists

While an imposter's email account can be disabled, the damage from posted messages is usually permanent. While some mailing lists will remove messages from their archives, most will not. And even if the message is removed, many mailing lists are mirrored; an imposter's posting could live indefinitely on hundreds of archive sites. Exposing the imposter, by posting to the list or informing the list manager, is usually enough to mitigate any damage.

Unfortunately, some unmoderated forums have a large number of imposters. Contesting an imposter may not be worthwhile; if many people are impersonated, then malicious postings are usually suspect without any feedback from you. In addition, any identification of an imposter could be overlooked in high-volume forums.

Web of lies

Along with impersonating email addresses, imposters can create fictitious websites. Yahoo! Mail includes web space at Geocities, Gmail includes Googlepages, and there are thousands of other hosting providers. The inability to authenticate an owner opens the door to impersonations such as phishing; anyone can create a web page that looks like Citibank and anyone can register a domain name similar to "citibank.com". No validation required.

Refuting a fake website really depends on the type of impersonation and the hosting location. Companies such as Yahoo! and Google are extremely responsive to phishing reports. Due to well-organised efforts by groups such as the Anti-Phishing Working Group, reported phishing sites are usually taken down within hours, and sometimes within minutes. If the hosting site is non-responsive, then network routers can restrict access to these sites until the phishing site is removed.

While web impersonations usually refer to companies, they can also apply to individual people. Unfortunately, if the site is impersonating a person - and not a company - then refuting the site becomes more complicated. Yahoo! Geocities links web pages to email accounts. If you can refute the Yahoo! email account, then you can disable the imposter's web page. In general, your ability to refute a fake web page really depends on the hosting provider. Look at their site for a method to report abuse and be prepared to validate that you really are you.
