|
Spammers Anonymous
Most of you who caught my phishing column last
time would have realised that a good number of the Web’s security
problems originate from the anonymity that e-mail provides to those
tech-savvy enough to cover their tracks completely.
Cyber security conferences and the popular press often sensationalise the more
glamorous cybercrimes like cyberstalking, hacking of popular websites, denial-of-service
attacks and corporate espionage, and also warn of the impending threat of cyberterrorism.
But the problems that cause the most damage to the majority of Internet users
(either directly through data and financial loss, or indirectly through productivity
loss) are often glossed over, as they are of a relatively mundane variety—viruses,
worms, spam, spyware and phishing.
To date, there has been only one incident that can truly be classified as cyberterrorism.
This was back in 2000 when a hacker broke into the computer systems of an Australian
sewage plant and succeeded in releasing a million litres of untreated sewage
into rivers and coastal waters of a small town in Queensland, which resulted
in the demise of a large number of fish (but fortunately no loss of human life).
Experts agree that it is very unlikely that religious fundamentalists or other
fanatics would resort to the extremely complex option of cyberterrorism—where
loss of life is an unlikely outcome—when they have far simpler physical
means to inflict extreme terror.
On the other hand, 65 percent of e-mail moving across networks today is spam
(says security-firm Symantec), phishing attacks number in the tens of millions,
and quick-spreading new viruses and worms cause billions of dollars worth of
damage with every new vulnerability that’s exposed in Windows and other
popular software. All this the work not of terrorists or master criminals, but
of misguided teenage hackers, unscrupulous marketeers, scammers and petty criminals,
who look at the Net as just another medium from which to carry on their lifelong
vocation of relieving you of your burdensome riches.
Quite an unacceptable state of affairs this, if the Net is ever to live up to
its enormous potential and promise. But there’s no single solution to stem
the rot. What we need is a combination of more stringent legislation, tweaking
of technology, industry collaboration and, perhaps most importantly, education
of Net users.
Indeed, spammers and scammers depend upon the naiveté of first-time and
novice Net users for the success of their transgressions. So, creating awareness
of the potential risks while online, and educating novices on how to avoid them,
is an essential and on-going task. This is something that the Cyber Safety Week
initiative of the Mumbai Police, in collaboration with Nasscom, achieves admirably.
Held in the last week of August, and in its second iteration this year, the
Week once again succeeded in spreading the message of cyber safety to hundreds
of police officers, and thousands of other Mumbai residents and college students
(this last group, thanks to the initiative of the Mumbai chapter of the Computer
Society of India, under the able leadership of chairman V L Mehta and his enthusiastic
lieutenants Chetan Samant and Wilson Pinto). The Cyber Safety Week is a fine
example of industry teaming up with law enforcement authorities to fight cyber
crime, a collaboration which has also resulted in the formation of the Mumbai
Cyber Lab (www.mumbaicyberlab.org). It would be great if the Lab’s website,
as well as the rarely-updated website of the Mumbai Police (www.mumbaipolice.com),
were made more interactive and used to carry on cyber safety education all through
the year.
Vinton Cerf, one of the pioneers of the Internet, vociferously advocates “cyberhygiene”,
wherein users make a daily habit of routinely running anti-virus software, anti-spyware
and spam filters, much like they brush their teeth every morning. But everyone,
Cerf included, is quite clear that education and awareness can only take us
just so far. To hit at the root of spam and other cyber crimes facilitated via
the anonymity afforded through e-mail, the fundamental protocols of e-mail transmission
need to be fortified or modified. Simple Mail Transfer Protocol (SMTP) has no
inherent authentication mechanism to establish a sender’s true identity,
and spoofing of the return address is easily achievable. Of course, there are
enterprise-level, proprietary solutions for secure e-mail, and vendors like
Sigaba, for instance, have been offering robust e-mail authentication for quite
some time now.
For public e-mail, various bizarre solutions have been suggested
in the past, including charging a tiny tax on every e-mail (the total cost would
then be prohibitive for spammers), automated micropayments accruing to every
recipient who reads the junk mail, and so on.
Fortunately, none of these have caught on. Instead, adding a reliable layer
of authentication onto SMTP has been gaining credence. The Internet Engineering
Task Force has been reviewing alternative proposals, and Microsoft’s Sender
ID technology, which authenticates incoming mail by validating the sender’s
return address, seems to be ahead of the pack. Also in the fray are Yahoo’s
DomainKeys and Cisco’s Identified Internet Mail both of which are based
on the concept of encrypted digital signatures on outbound mail.
Any which way, it’s quite evident that the days of complete anonymity on
the Web are numbered. While this may be hard to stomach for privacy advocates
and libertarians, the challenge is to reach a balance between freedom and controls
on the Net so that an individual’s privacy is respected, yet, when required,
criminals can be positively identified and apprehended. Welcome to the realistic
Internet world.
Val Souza, Editor
valsouza@expresscomputeronline.com
|
