by Gary Amos, Esquire1
A crime wave is emerging across the Internet. That crime wave is about to come to the doorstep of your law practice (if not already), and you won't even know it. It can come through web browsing or by using e-mail. By far the biggest threat for lawyers at the present moment is e-mail. E-mail forgery, e-impersonation, and e-stalking have been problems for some time and are becoming epidemic. But the situation has recently gotten much worse.
The tools now exist (and are readily available on the Internet) for people to read your e-mail, track your e-mail, find out who some of your clients are, read your e-mail correspondence with them, and, in short, empower unscrupulous people to sabotage your cases, steal some of your clients, and possibly even jeopardize your practice. This can all happen without you even knowing about it, even if you have a firewall and virus software on your computer. If you value your livelihood, your reputation, and your professional relationship with your clients, please read this paper about the new threats lurking on the Internet.
If, like me, you wonder why you have never heard of this before, you are not alone. Most of us lawyers simply do not know. Rarely is it front page news. We may assume that no news is good news. Not so. We are sitting ducks because of our naivete. Hopefully you will read this paper and take appropriate action before the real damage is done, and not wind up being one of the statistics.
This paper is not meant to shock, frighten, or intimidate. It is meant to inform. It is not about crying wolf. It is not about scare tactics, hyperbole, or hysteria. It is about a warning that is long overdue. The information is shocking, but true nonetheless. We provide this information to the legal community of Hampton Roads as a courtesy to our brother and sister attorneys in the practice of law. There will be those who criticize the tone and content of this paper. We hope that you will not only read but heed what we have to say.
Recently, on 16 March 2001, the Federalist Society sponsored a conference in Washington, D.C., titled "Law Enforcement in Cyberspace: Who Has the Upper Hand - the Hackers or the Cops?"2 One of the speakers was Orin Kerr, a trial attorney with the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, author of the DOJ's guidelines for searching and seizing computers and obtaining electronic evidence in criminal investigations,3 and soon to be associate professor of criminal law, computer crime, and intellectual property at George Washington University. Mr. Kerr warned of a coming Internet crime wave, and frankly warned that we should all be worried.
. . . I think we have a pretty serious problem with computer crime that is coming soon. We should be pretty worried about how easy it is to commit crime in cyberspace and we should be especially worried with how hard it is for the government to catch people, to identify and apprehend those who commit crime online.4
He is right that a pretty serious problem with computer crime is coming soon. In fact the crime wave is already here. And he is right that we should be worried how hard it is to catch people who commit such crimes. Even if you can detect that someone is trying to pry into your cyberspace activities, identifying and apprehending the culprit can sometimes be all but impossible.
As this paper is being written, for example, it was just announced that a hacker from the Netherlands broke into the database for MSNBC's web hosting company (even Microsoft is not immune?), and stole the entire customer database of 46,000 names and credit card numbers.5 Victims have already reported thousands of dollars in fraudulent credit card charges in the past few weeks. The web hosting company learned of the e-burglary and that it really happened when the hacker called by phone to brag, and faxed a list of data as proof of the heist.
The same day, 2 April 2001, ZDNet News reported that another flaw has been found in the latest version of Microsoft's Internet Explorer web browser. The flaw makes it possible for hackers "to view local files and in some cases erase some of the files' contents."6 Internet security expert Georgi Guninski warned that if people visit a Web page using Internet Explorer 5.5, "hackers could read their files, and if the file name is known, those files could be sent to another server."7 The flaw not only affects the Internet Explorer browser, it also affects Microsoft Outlook and Outlook Express, which are widely used by attorneys in Hampton Roads for sending and receiving e-mail!
This flaw affects how Internet Explorer processes MIME (Multipurposes Internet Mail Extensions). It allows Internet Explorer to automatically open HTML e-mail attachments. Ordinarily, for a virus in an e-mail attachment to work, the user has to click on the attachment to open it. But this new flaw means that the attachment can be launched without any action on the part of the recipient, and without displaying a warning dialogue. A Microsoft advisory warned: "This vulnerability could enable an attacker to potentially run a program of (his) choice on the machine of another user. Such a program would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with web sites, or reformatting the hard drive."8
This most recent flaw was made public by a cyberbug hunter named Juan Carlos Garcia Cuartango.9 Reports say that the flaw is so serious that it "allows attackers complete access and control over any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5."10 This type of flaw is symptomatic of the problems with Internet software in general. It is no understatement to say that "the Internet is full of holes."11 Enterprising snoops make use of those holes everyday. With more than 30,000 hacker sites on the Internet offering hacker software that automates the snooping process, along with instructions on how to use it, nobody is safe.12 Many of us think that the Internet is safer than ever. The truth is it is more vulnerable than ever.
For instance, consider the most recent revelation about a computer hacking program called "Sharesniffer." Sharesniffer, Inc., is a Nashville-based company that offers a software program that bundles a number of standard hacker tools into one easy to use program. "Sharesniffer" immediately turns the novice computer user into an empowered hacker.13 It enables the computer user secretly to search for and download files from the hard drive of another computer. Sharesniffer snoops among the four billion IP addresses on the Internet where computers are connected. It can find and access any computer running Microsoft Windows which is not using passwords or firewalls, and that has file-sharing or print-sharing enabled. (We're talking millions, at least, and possibly yours.) When it finds an unprotected computer, it can download or upload files to or from the computer's hard drive, and modify or delete files on the other computer. (It is being hailed by some as a replacement for Napster because of its powerful file sharing capabilities.) Anyone who wishes to own a copy of the program, use it to intrude upon someone else's computer without their knowledge, break federal and state law, and go to jail (if caught), can download it at www.sharesniffer.com. There are those who will use the program honestly. The unscrupulous will use it to break the law.
Then there is identity theft. Who has not heard of the New York busboy who may have bilked millions from America's wealthiest whose names he culled from the Forbes Magazine list of "The Richest People in America"? His scam began to unravel when he tried to wire transfer $10 million from the Merrill Lynch account of Thomas Siebel, CEO of Siebel Systems. The brokerage firm called Siebel in person to make sure that they had the details right for the transaction. Siebel had given no such instructions.14 The lead detective with NYPD's special cybercrime unit who cracked the case called the 32-year-old E-swindler "the best I have ever faced."15 Allegedly he succeeded in fooling the three credit reporting agencies into giving him all kinds of personal information on the rich and famous. He is said to have gained access to the bank, brokerage accounts, and credit card accounts of such luminaries as Steven Spielberg, George Lucas, Oprah Winfrey, Ross Perot, Warren Buffett, Carl Icahn, Michael Bloomberg, and Michael Eisner, to name a few.16
Is there an unprecedented crime wave around the corner? Yes. Experts from the Gartner Research Group are predicting that a new kind of crime - "mass victimization" - will achieve notoriety within the next two years.17 One report puts it this way: "Mass victimization crime, or online theft from thousands of people simultaneously by one individual, is less than two years away and the perpetrator will probably get away with it, . . ."18 According to the Gartner Group, the tools are already in place: "cybercriminals can now surreptitiously steal millions of dollars, a few dollars at a time, from millions of individuals simultaneously . . ."19 They predict that the cost of such crime will increase by 1,000 to 10,000 percent by 2004.
But has a crime wave already started? Yes.20 The United States government has 1,400 active cybercrime investigations already underway, and more are being opened daily.21 About fifty new computer viruses are generated each week.22 Last year "[a]t least 155 federal computers systems - some with sensitive research information or personal data on Americans - were temporarily taken over by hackers. . ."23 There are there are currently 102 open investigations of computer intrusions into U.S. government systems alone.24 The number of cybercrime cases being investigated by state governments is skyrocketing. The Ananova News Service of Great Britain, reported on 3 April 2001 that one of every three businesses and public service organizations in England has already been infiltrated by computer hackers.25 In a March 28, 2001, special report titled "The Internet's Absolute Worst Threat," authors Dan Gebler and Mick Brady reveal: "According to a recent report from the Computer Emergency Response Team at Carnegie Mellon University, attacks on Web sites increased from 2,000 in 1997 to 21,000 in 2000. Meanwhile, Web site defacements totaled 5,000 last year, up from just five in 1995."26 The Associated Press web site was disabled by hackers only days before this whitepaper was written.27 Despite this trend, only about 40% of the networks connected to the Internet have a "firewall," special security software to fend off computer invasions from outside. On March 9, 2001 it was reported that many IBM e-commerce servers are vulnerable to hacker attacks.28
According to the FBI, one of the most serious organized threats comes from Russia and Ukraine. In recent months, Russian and Ukrainian hacker teams "stole more than 1 million credit card numbers from 40 American e-businesses."29 All of the targets were online merchants and Internet banks. The hacker groups exploit well-known weaknesses in Windows-based and Linux-based systems.30 They demand protection money from the victims and probably sell the stolen data to organized crime groups around the world anyway.31 These groups represent a new twist in cyber crime because they not only steal sensitive financial data, they also physically threaten their merchant victims.
Historically, hackers have paid most of their attention to large networks and servers. Now more attention is being paid to attacking the personal computers of private individuals. Over half of the PCs in homes lack updated virus software, and only a fraction have personal firewalls.32 Individuals store passwords, credit card numbers, personal financial information, and other kinds of sensitive data on their personal computers. Business and professional information often goes unprotected on home PCs even when the network at the office uses firewall software to ward off hackers. Unprotected individual computers represent an endless treasure trove of information. Most of the victims are chosen at random but do not have to be. All that is needed is a motive to target a specific individual (do angry employees or ex-spouses have motives?). Then all bets are off.
Imagine a situation you have seen dozens of times before. You are sitting at your computer surfing the web. You click a link to go to a particular site. As you sit patiently waiting, the banner ads, various pictures, Java applets, text and content begin to paint themselves one at a time across your screen. But something goes wrong. A gray rectangle appears on your screen and says "Error processing CGI scripts. Do you wish to continue processing scripts? Yes; No."
Never before have you asked what CGI means. It means "common gateway interface." It is the standard way that the Internet provides pictures and text to your computer and your computer willingly accepts it. Unless something goes wrong, it all happens automatically. The words "common gateway interface" should tell you all you need to know. When a gate is open you can go in or you can go out. Since your computer is already programmed to accept CGI scripts, content providers and hackers use them to get into your computer without even knocking. The pictures are the key.
Since a picture can be a small as a single pixel (or white or transparent), it is therefore invisible to the naked eye. Web sites that want to track you secretly can send single-dot pictures called "web bugs" to your computer, telling it to send back various types of information. You can be tracked and monitored with "web bugs" and never, ever know it.33
Web bugs are a significant advance over earlier methods used to track people as they surf the web.34 Before the advent of Web Bugs, the standard method of planting identifying data on a person's computer was the "cookie." A "cookie" is a tiny one-hundred byte string of information placed by a web site on a user's computer. It can be used to store a password, a set of preferences, or a user ID for particular web sites.35 Cookies provide a rudimentary way to track an Internet user's web surfing habits. When cookies and web bugs are used in tandem, they provide a highly effective surveillance tool to track Internet users.36
What does all this have to do with e-mail? The answer is simple. Most modern computer programs are "suites" of interconnected programs intentionally designed to share information from one program to the next. More often than not these cooperating programs share one or more similar flaws and weaknesses. E-mail programs are intentionally designed to interface with these other programs. A weakness in one program grants a hacker access to other programs so that he can use their special functions to the hacker's advantage. At present the easiest path of access into another computer is by e-mail. And it is here that the mischief makers are having a field day.
E-mail has become the weapon of choice for a broad range attacks on the unwary and unsuspecting. A great deal of malicious conduct that can be carried out through e-mail is not yet illegal. Even worse, much of the illegal use of e-mail is all but invisible to the unsuspecting. By now the typical computer user knows not to open strange looking attachments which might contain viruses, and to regularly update one's virus software. But most computers users are oblivious to the other kinds of abuses that take place through e-mail. The technology now exists where harmless looking e-mails or attachments can plant tracking bugs on an individual's personal computer without being intercepted by firewall programs or virus software. Almost any e-mail coming into your system might contain the hidden codes that plant an "e-mail wiretap." These bugs are all but impossible to detect if they are written in basic code.
It is safe to say that most Hampton Roads attorneys use e-mail on an almost daily basis.37 Some are more knowledgeable about the risks than others. But even those of us who know that e-mail is insecure are likely to use it as if it is not. Here is where the problem lies. E-mail is not only insecure, it is becoming more insecure everyday. While we are becoming more and more comfortable with e-mail, e-mail is becoming more and more insecure. In the present environment, using e-mail in a casual or presumptuous way in your law practice is like giving Jesse James the combination to your safe. Using unencrypted e-mail for important correspondence in your law practice is like doing your correspondence by postcard.38
Many of us have been lulled into complacency assuming that what we don't know can't hurt us. Nothing could be more wrong. Few of us know how e-mail works. Thus we assume many things about e-mail that are simply incorrect. For example, as attorneys we know that the confidentiality of telephone conversations over private phone lines is protected by federal law.39 The law creates a "reasonable expectation of privacy" in such communications. Professional responsibility regulations take into account this presumption of a "reasonable expectation of privacy" when an attorney is discussing confidential information with a client by telephone. Federal law has extended that protection to e-mail.
As attorneys we know that a majority of the states' Bar Rules Committees and the ABA have affirmed an attorney's "reasonable expectation of privacy" in e-mail correspondence with clients. Thus the attorney who uses unencrypted e-mail does not violate his duty to protect his client's confidential information. This became big news when the American Bar Association recently reversed its earlier negative position on the confidentiality of ordinary e-mail.
Prior to 1999 the ABA took the position that e-mail was insecure. But in March 1999 the ABA issued Ethics Opinion 99-413, which affords the attorney a reasonable expectation of privacy to unencrypted e-mail in much the same manner as commercial mail, fax transmissions, and land-line telephone communications. The Committee concluded in a head note summary that:
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. . . .40
This ruling has served to give lawyers a false sense of security that all is well in their use of e-mail. We have equated being within the rule as not being at risk. The Committee's ruling rested, in part, on the questionable notion that e-mail offers no greater risk of interception or disclosure than land-line telephones, fax transmissions, and ordinary mail. Even if that conclusion was sound in 1999, it is not sound today, at least in terms of present technology. One should note that the ruling in Ethics Opinion 99-413 was expressly conditioned on technological considerations. If technology changes (as it has), a different result might obtain:
The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate.41
Whether the ruling was correct or not is not the issue, however. You or your clients can be victimized by e-mail and suffer real damage even if you are technically in compliance with the Rules of Professional Responsibility and the ABA opinion. That is why it pays to know and understand the kinds of abuses that can take place through e-mail. Here are some of them.
What can an "e-mail wiretap" do? It provides a nearly perfect platform for private spying on other people's e-mail.44 For example, a job-seeker can e-mail a resume with an embedded web bug to an employer. As the employer forwards the e-mail to others to read, and discusses the potential hire by e-mail, copies can be sent back to the applicant letting her know what is being privately discussed about her. An adjuster or attorney from an insurance company can send an e-mail to a personal injury lawyer (or vice versa) about his injured client and then track the e-mail comments as they are forwarded back and forth. E-mails exchanged between employees of corporations could be used as a type of industrial espionage. Opposing counsel might send you a confidential settlement proposal with an embedded web bug. When you forward the proposal to your client, and exchange messages back and forth, copies might be sent back to the other attorney without your knowledge. Seemingly innocuous e-mails from relatives, friends, or third parties might be the tool whereby confidential medical information, family secrets, private dalliances, or minor conspiracies are uncovered. The permutations of the theme are limited only by the ingenuity of the sender.
For example, it is common courtesy to respond to e-mails, and to forward them to appropriate parties for review. A continuous stream of new e-mails from opposing counsel might look like due diligence and zealous representation. In reality it might be a continuous feed of bugged e-mails to keep him or her up to date on what is happening on your side of the case. To the extent that these get forwarded around, and commented upon, the opposing attorney will track you step by step.
Let's suppose that a sender wants to frame someone else with a crime. Using basic hacker tools to obtain another person's Internet Protocol (IP) address, and creating a forged e-mail containing a web-bug that ostensibly forwards the returned e-mail to an innocent party (as if he or she was the originator), a person who did not create the e-mail wiretap can be made to appear as the criminal. Granted, it is not a foolproof system, and impersonating others by e-mail is not as easy as it used to be. Nevertheless, in this kind of scenario, the really vindictive hacker could theoretically frame an innocent person with a federal crime and maybe send him or her to jail. At least he could put an innocent person under intense scrutiny and suspicion, and wreak havoc on one's name and reputation. There are endless variations of this theme.
The really smart wiretappers will create self-erasing or "disappearing" web bugs. Otherwise, when bug scanning software comes on the market and you run the software over your archive of old e-mails, you will be able to discover that you were bugged (and maybe by whom). This will cause all sorts of legal headaches and liability problems for the originator (or the framed "as if" originator). The potential for e-framing is huge at this point, since it is the practice of many to "delete" their old e-mails. If a forged or altered e-mail containing a web bug continues to exist and the bug is discovered, but the original e-mail (which never had the bug in the first place) has already been expunged from your hard drive, the innocent victim of the frame-up will not be able to prove that he did not send the bug. Try explaining that to a judge or prosecutor who thinks he has your e-mail in hand and the digital copy containing the bug.
Then there is always the respondeat superior angle. What if a junior attorney in your firm - without your knowledge and without your approval - engages in web bug activity in dealing with cases and clients. Then one day your firm gets hit with a criminal subpoena for all your e-mails and hard drives. How will you feel with your firm's name on the front page of the local paper under investigation for surreptitiously tampering with cases by means of e-mail wiretaps? This is not a pretty picture.
Many of us assume when we are handed a print-out of an e-mail that it is the real thing. But it may not be. It could have been loaded onto a word processor such as MS Word or Wordperfect, changed here and there, and then printed off. Unless you have a copy of the original, you cannot be sure that it has not been altered.
But, even worse, it is entirely possible [though increasingly difficult] to send an entirely fake e-mail pretending to be someone else. We could call it e-forgery or e-impersonation. The nickname for the practice is called "spoofing."46 It can be done as a harmless gag or prank between friends. Or it can be used in a more sinister way to defame someone and destroy his or her reputation. For example, e-forgery could be used by a person who is emotionally and mentally unstable - such as someone suffering from "love obsession," or "erotomania" - who has begun stalking the person who is an unwilling and uncooperative "love interest."47 E-mail provides an extra method of "stalking." E-forgery provides the obsessed with power and leverage.
Here's how it might work. The obsessed individual first initiates an e-mail exchange with a person for apparently legitimate reasons. Then the e-mail begins to be daily and the numbers increase. When the object of the affection becomes unwilling or scorns the attention, the stalking conduct begins. The stalker might send dozens of e-mails per day.48 So long as the stalker does not make any direct or overt threats, the annoying e-mail barrage is not illegal (if it does not rise to the level of "spamming").49 Any legitimate e-mails that were received by the stalker in the early phase can then be altered to "prove" that the victim really loves the stalker. These doctored e-mails can then be used to frame or blackmail the victim unless the victim has kept copies of the undoctored originals. If the victim's spouse or employer (in sexual harassment claims) does not know that e-mails can be forged or altered, the victim - though innocent - will look very guilty. In addition, the stalker can create new e-mail accounts that are anonymous and send himself or herself e-mails pretending that they are coming from the unwilling love interest. A jilted stalker may try to frame the victim with such e-mails, or try to punish him or her by infuriating his spouse with such fake e-mails, or to disgrace him or her in the community.50
If the stalker has even rudimentary hacking skills, and the victim and the stalker are both online during an e-mail exchange (or if "instant messenger" is being used), the stalker might be able to obtain the victim's real time IP address and use it to create e-mails that can be "traced" (erroneously) back to the victim's computer.51 (The risk is especially high if the stalker hacks into the computer of the victim and uses it as a dummy or zombie to send e-mails through the victim's own Internet Service Provider. In that situation, the e-mail trace route would lead directly back to the victim, even though the e-mail had been initiated by the stalker.) Although a forgery, it would appear to be impressive evidence to members of law enforcement, one's spouse, or one's employer. If investigators check with your service provider to see if you were online at a particular time of day, and if the IP number of the forged e-mail matched the number assigned to you for that session, denying that you sent it could be very difficult (unless your Internet service provider can corroborate your story with routing data, or you pay a cyber forensics lab some really serious dollars to sleuth the forgery).52 Change the fact pattern a bit and the forgery could be about legal malpractice. If there is a sufficient economic motive, why not?
The same thing is true where someone wants to be online with you in order to discover your IP address regardless of the motive. Once the hacker has your real time IP address, he or she can hack at your computer directly as long as you remain online. Otherwise it may be difficult for the hacker to distinguish your computer from millions of others, leaving him unable to mount a direct attack. Always be suspicious when someone insists that you be online and corresponding by e-mail with them at precisely the same moment. That person could be cloning your computer identity to impersonate you. Or she might be using hacker tools to place stealth programs on your hard drive (or stealing passwords, etc.). Regardless of the motive, you are being hunted.
It should be rather obvious at this point that the combined tools of e-mail forgery and e-mail wiretap can wreak havoc on an individual victim, and even upon your professional law practice. A person with hacker skills can disguise his or her activities well enough that it might be nearly impossible to detect [for now] that an e-mail wiretap has occurred, or to prove that one is a victim of e-mail forgery. The time, expense, legal processes required, and law enforcement resources needed, may mean that for some individuals some forms of e-mail abuse must simply be suffered rather than prosecuted.
You may be feeling a bit smug and satisfied by now if you do not use Outlook, Outlook Express, or Netscape 6. But before you congratulate yourself on your good fortune, realize that other forms of e-mail are afflicted with different kinds of problems. For example, you may be a regular user of Hotmail, Yahoo mail, or other web based e-mail programs. If you used Hotmail last summer (2000), you were using it during a period when it suffered from a glitch called "data spill."53 In July 2000, C/Net News reported that this glitch in Hotmail exposed subscribers' e-mail addresses and other private information to online advertisers. The same problem occurred for hundreds of Internet companies who made personal information available in URL's, or Web addresses.
Hotmail, like millions of other web sites, was designed to accept banner advertising. Hotmail's server computers, in disclosing to banner ad computers where to send the advertising, literally "leaked" personal and confidential data about customers to the ad companies' computers. The private information was no longer private. In the data spill fiasco, over a million Hotmail addresses were exposed.
Now history has repeated itself. In February 2001 it came to light that Hotmail, Yahoo Mail, ZDNetmail, Caramail, and others were still vulnerable to a "Trojan horse" attack [such as was carried out in May 1999]. A Trojan Horse is a malicious computer program masquerading as a normal part of the Windows operating system. Once a hacker uploads a Trojan into your
computer, he can use it to control your computer, use your computer to do things without your knowledge, or to trash it.56
In this latest episode, what was particularly troubling was the ease with which a hacker could obtain a user's Hotmail password. Hackers were able to display counterfeit screens which looked like Hotmail screens. When users logged on to the bogus forms, their private information went straight to the hacker. Users were unlikely to be able to tell that they were giving e-mail account information to a bogus log-in screen.
The flaw has since been fixed, but there is a lesson here. Even with a system as intensely engineered as Hotmail, flaws keep being revealed. Repeatedly we discover that private information is more vulnerable than we like to think. Lawyers who are users of web-based e-mail should not naively assume that such e-mail systems are secure, particularly since lawyers have a duty to preserve the confidences and secrets of clients.
Three recent developments have added to the remarkable insecurity of the Net. One affects e-mail. The other two affect network systems. First, a weakness has been discovered in the world's most popular encryption program which, in some circumstances, allows the encryption program to be completely bypassed.57 People using this program to encrypt e-mail to protect its privacy and confidentiality may be thwarted despite their efforts. Second, hackers have recently discovered a cloaking program which allows them to blow past firewalls on servers and networks without being detected.58 Third, a flaw has been announced affecting networks around the globe regarding the file transfer protocol [FTP] used on the Internet.59 These three revelations taken together are seriously bad news for Internet privacy, confidentiality, and security.
For several years lawyers have been advised to use encryption programs to scramble sensitive e-mail messages before sending them. The most popular encryption program is called PGP, or Pretty Good Privacy, invented by Phil Zimmerman a decade ago. PGP is a dual key, algorithm-based, code system which makes encrypted data practically impossible to decipher. PGP is now owned by Network Associates, Inc., who made Zimmerman a senior fellow for development. Of the 400 million people using the Internet, about 10 million use PGP to encrypt e-mail.
In February 2001, Zimmerman announced his resignation from NAI to work for Hushmail (an encrypted e-mail system), aiming to make the use of PGP simpler and user friendly.60 His second goal was to work toward making PGP an international standard. To everyone's surprise, a month later, in March 2001, two engineers with a Czechoslovakian research group announced that they had found a serious flaw in the open PGP format.
How serious is the problem? Very. If a snoop can gain physical access to your computer or floppy disk where you store your secret key, he can modify it and wait for you to use it. When you do, he is secretly notified. From that point on he has access to the rest of your encrypted personal information and you never know it. In effect, the snoop bypasses a user's password, and bypasses the effects of encryption entirely. In this instance, the protection offered by encryption is illusory.61 Likewise, if a hacker can electronically break into your computer, and you have your secret key stored there, the security of your digital signature or your encrypted files is worthless.
The flaw is serious for two reasons. First, open PGP is the most widely used encryption system in the world. Until recently many systems which make e-commerce available by credit card on the Internet have been based on PGP. These products are still in use worldwide. Second, the theory behind PGP is essentially the same as used in the RSA standard for digital signatures. The presumed "security" of this technique was what persuaded Congress to pass the Digital Signatures Act, which is based on RSA standards.[What are the implications for electronic filings of briefs or other court documents signed with a digital signature? What are the implications for digitally signed contracts whose authenticity is being challenged? If you are a victim, how can you prove that you were hacked and your files modified? We are talking "industrial espionage," you know. Is lawsuit espionage the next big field of crime?]62
Where the second problem is concerned - code cloaking - the balance has definitely shifted in favor of hackers. Up until now, hacking tools have been detectable eventually because they create certain predictable "patterns" of attack on computers and networks. But now it has been learned that a new method of hacking has been discovered which continuously morphs and changes [the same type of phenomenon which has made defeating the AIDS virus so difficult]. This technique of "polymorphic coding" allows hackers to change their hacking tool codes as many times as needed to "fool" intrusion detection systems on computers and servers. Anti-hackers [including law enforcement specialists fighting cyber crime] rely on pattern matching. Polymorphic coding blows away any pattern matching. It also allows the hacker to use the tools and practices of law enforcement and corporate anti-hacking specialists against themselves. A hacker using polymorphic coding can secretly enter a system and then intentionally leave "false" traces and patterns to frame someone else for the intrusion.
The third problem represents a major threat to the security of global networks that operate on a Unix platform. The vulnerability is, as we have said, in the File Transfer Protocol [FTP] function, which allows one computer to send or receive files from another computer. Ninety percent of businesses on the Internet use network-sharing features that include FTP. To speed up the ability to find another computer on the network and to speed the file transfer process, FTP uses name shortcuts and abbreviations rather than detailed specifics in creating a match. Since special characters are used as shortcuts, hackers can use these special characters in the search term to introduce malicious codes or commands. This flaw allows for data loss, attacks against private networks, and other types of malicious conduct.63 Since these characters are a standard part of the FTP process, they pass through the system seamlessly. They provide a form of invisibility to the hacker, since the malicious code passes through the system masquerading as normal code. The threat posed by this phenomenon is huge, affecting networks and servers by the thousands worldwide.
This flaw can allow an attacker to take full control of the vulnerable system. . . . Once an attacker has taken control, he can do anything on the system that the system administrator can do, including reading, replacing or deleting data, and altering the contents of websites. He can also replace downloadable files with malicious files containing viruses or other malevolent programs. . . . The affected server can also be used . . . to break into other machines on the network.64 [Emphasis added.]
As I finish writing this paper, a national gathering of cryptography experts is meeting in San Francisco. Their primary focus is dealing with security problems facing computers and the Internet.65 On Monday, April 9, 2001, the first day of the conference, speaker after speaker warned that security on the Internet is falling apart. ZDNetNews opened its report on the conference in these stark words:
The state of Internet and network security is bad and getting worse. That was the grim message delivered Monday by a panel of cryptographic heavyweights on the first day of the annual RSA Security conference here.66 [Emphasis added.]
How bad is the problem? Paul Kocher, president and chief scientist at Cryptography Research Inc., in San Francisco said: "Our current security systems are failing catastrophically."67 Those were not the words of a computer-neophyte, non-scientist attorney trying to sound a warning in Hampton Roads. They were the words of a cryptographic/scientist expert who needs to be taken seriously. Naysayers will read this whitepaper, shrug their shoulders, and deride its author for any minor technical error that might be found within its pages. But the Platonic Guardians of the Net, meeting today in San Francisco, are saying the same thing.
Ron Rivest, one of the three inventors of the RSA cryptography algorithm (used in the digital signatures system adopted by federal law), was a keynote speaker. Now a professor of computer science at MIT, Rivest opined: "On the Internet, we're all Stevie Wonder - we're blind and at the mercy of others. . . ." He went on to say: "PCs are doing too many things to be trusted as security devices. They have the intelligence of a four year-old. We have to find some trusted way to do business." Whitfield Diffie, who invented the public key cryptography system, was equally sanguine. He remarked: "It's not clear that we can secure ourselves by ourselves."68
This whitepaper is only step one - to call attention to the problems. Finding a "trusted way to do business" is a much more difficult question. One thing is clear, taking no steps to protect sensitive computer files or the confidentiality of your e-mail is completely irresponsible. There may be holes in every system we use, but some protection is better than none. One step is to take advantage of security products that are available. A number of new cutting-edge products were unveiled at the security conference in San Francisco just this week.69
There may be managers, other attorneys in your firm, or computer system operators who will tell you that this paper overestimates the threat. For example, there will be those who play down the risk of such threats as e-mail wiretapping. If you are asking the opinion of someone who seems to be computer literate, but who thinks I am crying wolf, ask him or her the following questions. Have you disabled Active X, Java scripts, and file sharing on your computer? (If so, why didn't you tell me?) What special steps have you taken to preclude web bugs from being smuggled into your computer through CGI scripts? (Most likely the answer will be "nothing." But if there is an answer, again ask: "Why didn't you tell me?")
If he says there are no real threats, ask him to recite a list of the undocumented features in his version of the Windows programming system that work secretly and invisibly without the computer user knowing anything about them. (It can't be done, unless someone is an IT expert who has taken special steps to obtain the information directly from Microsoft. These are the features that hackers use to their own advantage because they work invisibly. What you don't know can hurt you where computers are concerned.) Ask him how many times he has downloaded and installed software patches that keep hackers from viewing, retrieving, changing, or deleting files on his hard drive. Better yet, have him show you how it is done, and which of the hundreds of patches he decided to use.70
Ask him if he has ever received an e-mail containing an embedded hyperlink to take him directly to an Internet web site, and he clicked the link. (Nearly everyone who uses a computer has done this. But it is now a favorite tool for activating surveillance bugs on your computer system.) Ask him if he has ever received a forwarded e-mail that contained all the graphics and html text from a web story or item of interest. (It happens every day. And it is a handy way to activate surveillance bugs on your computer.) Ask if he has downloaded or received pictures through e-mail. (It is all the rage today. But hidden bugs can ride into your computer with the pictures.)
These are just a few of the ways that a web bug can enter your computer unnoticed. The next time you are tempted to click on a hyperlink that is embedded in an e-mail message in your inbox, just remember that you might be activating a tracking program that allows someone else to follow you everywhere you go on the Internet, or to wiretap your e-mail correspondence. (If you are using an older version of Outlook Express - before version 5.5 - you are still vulnerable to a "read over your shoulder" bug if you have not downloaded the software patch that fixes the problem.)71
It is only a matter of time before people realize that gaining information surreptitiously from lawyers and law firms can be as lucrative as stealing credit card numbers from an e-commerce web site. It is only a matter of time before an adversary to one of your clients decides that cheating by computer to get an advantage during litigation is a temptation that is too great to resist. It is not out of the question that another lawyer might someday be the person who yields to that temptation. That is why if the information in this paper fits your situation, and the numbers will be high, the time to act is now. The Internet crime wave will eventually find you if it hasn't already. Or you can roll the dice and hope that nobody will notice you. If you are prudent, you will take steps to build an e-moat around the walls of your computer tower to slow down the advance of the e-pillagers, e-looters, and e-bandits who will try to scale your digital walls. May you meet with success in your efforts.
2. The Federalist Society, "Law Enforcement in Cyberspace: Who Has the Upper Hand - the Hackers or the Cops?" Panelists: Bill Jordan (Alston & Bird, Atlanta); Orin Kerr (Computer Crime and Intellectual Property Section U.S. Department of Justice); Michael O'Neill (George Mason University School of Law); Marc Rotenberg (Electronic Privacy Information Center). March 16, 2001, C-Span Online. Http://www.c-span.org.
6. Melanie Austria Farmer, "Another IE Bug Scratches at Security," ZDNet News, April 2, 2001 9:55 AM PT, at http://www.zdnet.com/zdnn/stories/news/0,4586,5080500,00.html. This type of conduct is criminal under Code of Virginia § 18.2-152.4 - Computer Trespass, and § 18.2-152.5 - Computer invasion of privacy. The computer trespass section provides: "It shall be unlawful for any person to use a computer or computer network without authority and with the intent to: . . . 3. Alter or erase any computer data, computer programs, or computer software; . . ." Unauthorized erasing of computer data belonging to another is punished as a Class 3 misdemeanor. The Computer Invasion of Privacy statute says: "A person is guilty of the crime of computer invasion of privacy when he uses a computer or computer network and intentionally examines without authority any employment, salary, credit or any other financial or personal information relating to any other person. `Examination' under this section requires the offender to review the information relating to any other person after the time at which the offender knows or should know that he is without authority to view the information displayed."
http://wired.lycos.com/news/technology/0,1282,42798,00.html: "A hacker who discovered a potentially devastating security hole in Microsoft's Internet Explorer says he has found himself in the undesired position of providing technical support to people who cannot install the patch that Microsoft released to fix the flaw. Hacker Juan Carlos Garcia Cuartango discovered a dangerous hole that allows attackers to remotely access and control any computer running any version of the Windows operating system and Internet Explorer." See also, Wired News, 8:00 a.m. Mar. 30, 2001 PST, Michelle Delio, "IE Hole Surrenders Your Computer," http://www.wired.com/news/technology/
0,1282,42750,00.html: "A dangerous security hole has been discovered in Microsoft's Internet Explorer. Spanish security expert Juan Carlos Cuartango discovered the hole, which allows attackers complete access and control over any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5."
11. Michelle Delio, "The Internet: It's Full of Holes," Wired News, 2:00 a.m. Feb. 6, 2001 PST, http://www.wired.com/news/technology/0,1282,41625,00.html: "An invisible snoop may be virtually peering over your shoulder right now. Computer crackers can read your e-mail, collect your credit card data, intercept the information you send wirelessly or pry into your private files. The Internet is riddled with security holes. And those holes are multiplying as quickly as supposedly impenetrable security programs are being written by people and firms with a vested interest in the safety of the Internet."
13. Robyn Weisman, "New Hackerware Makes Everyone a Hacker," NewsFactor Network, March 6, 2001, http://www.newsfactor.com/perl/story/?id=7906. Among techies, there is a difference between a "hacker" and a "cracker." A hacker is someone who tests software and systems to find flaws and holes and then reports them so they can be patched or fixed. A cracker is someone who uses hacking tools and skills illegally to break into other people's systems in order to work various forms of mischief and commit crimes.
14. Deborah Durham-Vichr, "Online Con Artist Steals Identities of World's Richest," News Factor Network, March 21, 2001. http://www.newsfactor.com/perl/story/8326.html. For more details of complicated scheme see Kelly O'Donnell, "Identities of the Rich and Famous Stolen," MSNBC, March 20, 2001, http://www.msnbc.com/news/
15. Ibid. For the complete story see, Murray Weiss, "How NYPD Cracked the Ultimate Cyberfraud," NYPost.com, Tuesday, March 20, 2001. Http://www.nypostonline.com/03202001/news/regionalnews/26868.htm. Also see, Steve Young, "Two Charged with Stealing Celebrity ID's Off the Net," CNN.com, March 20, 2001.
16. Using a computer as an instrument of forgery, such as in forging electronic information in financial transactions, violates Virginia Code § 18.2-152.14, Computer as instrument of forgery: "The creation, alteration, or deletion of any computer data contained in any computer or computer network, which if done on a tangible document or instrument would constitute forgery under Article 1 (§ 18.2-168 et seq.) of Chapter 6 of this Title, will also be deemed to be forgery."
26. Dan Gebler & Mick Brady, "Special Report: The Internet's Absolute Worst Threat," NewsFactor Network, March 20, 2001, http://www.newsfactor.com/. For a list of hacked and defaced web sites go to Safemode.org.
http://www.cnn.com/2001/TECH/internet/03/09/ibm.hack/idg/index.html. See also, Clare Saliba, "Hack Attack Exposes Web Shopper Credit Card Data," NewsFactor Network, March 5, 2001, http://www.newsfactor.com/perl/ story/ 7930.html.
30. Besides exploiting weaknesses in Windows and Linux, cyber thieves have gained unauthorized access to Internet Information Servers (IIS) through Open Database Connectivity (ODBC) data access with Remote Data Service (RDS). This allows unauthorized hackers "to execute shell commands on the IIS system as a privileged user and allows unauthorized access to secured files on the IIS system." Ibid. Hackers also exploit SQL [database] query vulnerability. Abuses here "allow the remote author of a malicious Standard Query Language (SQL) query to take unauthorized actions on a SQL or Microsoft Data Engine (MSDE) database." A third method of abuse is "web server file request parsing," which makes it possible for a hacker to run system commands on a Web server. Ibid.
32. In one twenty minute period of time on March 31, 2001, the firewall program on the author's home PC stopped eight (8) attempted intrusions coming from outside somewhere on the Internet. On April 3, 2001, upon connecting with a British news service, 42 attempted intrusions were logged in one minute and 22 seconds.
33. Brian Krebs, Newsbytes, "Privacy Caucus To Examine Web Bugs, E-Mail Wiretapping," 28 Feb 2001, 6:00 PM CST. Http://www.linuxfw.org/articles/privacy_article-2610.html: "`One way that businesses use Web bugs is to match someone who transacts business at a Web site with banner ads that the person was shown at other sites,' [Privacy Foundation chief technology officer Richard] Smith said. Smith theorizes that these new ad-tracking schemes were invented after click-through rates on banner ads plummeted, and that businesses want these correlation statistics to feel better about all the money they spend on Internet advertising. Smith said Playboy's Web page contains a Web bug that actually probes a first-time visitor's hard drive in an apparent attempt to determine if users have installed Microsoft Office applications such as Word, Excel, PowerPoint, and Access."
34. Paul Festa, "Microsoft Quietly Shadows Web Surfers Across MSN Sites," CnetNews.com, http://news.cnet.com/news/0-1005-200-2768545.html. Dave Murphy, President, Damar Group [IT Trainers] "MS Word Allows Internet Tracking Cookies," http://dgl.com/itinfo/2000/it000831.html. [This article also explains how web bugs and cookies work together to divulge all kinds of information, including one's IP address.]
37. Numbers are not as readily available in America on aggregate e-mail usage as in England. England's centralized routing system makes it possible to gauge the level of e-mail traffic. At the end of March 2001, 360,000 e-mails per second were being sent in England. With 167 million Internet users in the United States and only 20 million in the UK, the number of e-mails per second in America likely dwarfs that of England. See, George Jones and Michael Smith, "Hacking `Is Now Bigger Threat Than Terrorism,'" Daily Telegraph Online, 31 March 2001. Http://www.telegraph.co.uk.
Sending e-mail unencrypted is inherently insecure. . . . [H]ackers can use software initially designed for network administrators to diagnose Internet problems. Security experts say more sophisticated hackers can even change messages in transit, without the sender or recipient ever knowing. . . . "There's a lack of understanding about the way e-mail is transmitted," said David Sobel, general counsel for the Electronic Privacy Information Center in Washington. . . . Part of the problem is analogy. You refer to electronic messages as e-mail, not e-postcards. Most software for sending e-mail carries pictures of envelopes, not postcards."
46. "It takes only the most rudimentary technical knowledge to `spoof' a message so that it appears to be coming from someone other than the actual sender." Chapter 31, "Using Outlook Express," in Special Edition - Using Windows 98, at http://22.214.171.124/~om-pimpa/buku/0-7897-1488-4/ch31/ch31.htm.
47. "Love obsessional" disorder is focused on people known through the media. "Erotomania" is a delusional disorder where the central theme of the delusion is that another person is in love with the individual. Males are seen most often in forensic samples because of their contact with law enforcement. Females are seen most often in clinical samples. There are a number of other related delusions as well, including schizophrenia. [See, The Diagnostic Statistical Manual, 4th ed. (DSM-IV, 4th ed.)]. In erotomania, attorneys are sometimes the target of such delusions since the object of affection is usually a person of a higher status. For more information on stalking behaviors and delusional disorders see, http://www.stalkingbehavior.com/.
48. Virginia law now makes it illegal to sexually harass someone by e-mail. Section § 18.2-152.7:1 - Harassment by Computer, provides: "If any person, with the intent to coerce, intimidate, or harass any person, shall use a computer or computer network to communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, or make any suggestion or proposal of an obscene nature, or threaten any illegal or immoral act, he shall be guilty of a Class 1 misdemeanor." Obviously there is a great deal of harassing conduct that does not fall within this statute. Much offensive conduct which is harassment by computer will not be punishable under Section § 18.2-152.7:1.
49. Both e-mail forgery (when used in spamming or unsolicited bulk e-mail) and providing software programs that allow e-mail forgery are crimes under the Virginia Code. Section 18.2-152.4 - Computer Trespass, makes it a crime to "Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail," or to "knowingly to sell, give or otherwise distribute or possess with the intent to sell, give or distribute software which (i) is primarily designed or produced for the purpose of facilitating or enabling the falsification of electronic mail transmission information or other routing information; (ii) has only limited commercially significant purpose or use other than to facilitate or enable the falsification of electronic mail transmission information or other routing information; or (iii) is marketed by that person or another acting in concert with that person with that person's knowledge for use in facilitating or enabling the falsification of electronic mail transmission information or other routing information."
50. "Oracle Systems CEO Larry Ellison fell victim to forgery when a former employee accused him of sexual harassment and used a forged email message to help plead her case. And Bob Rae, the former premier of Ontario, suffered political embarrassment as a result of a forged and sexually explicit email that appeared on Usenet newsgroups. False or assumed email identities have played a part in espionage, as well. Forged email was the key to Clifford Stoll's cracking of a spy ring, recounted in his book The Cuckoo's Egg. Forged email can also be used to acquire information, create enmity among friends, ruin reputations, defraud people of money or valuable information such as passwords, and even spread hate messages and false death threats. In short, anything a forger can attempt to accomplish in the paper world can be done in the electronic world - but much more easily." Source, CNET News at
http://catalog.com/mrm/security/trace-forgery.html; "Reading E-Mail Headers," http://www.stopspam.org/email/ headers/headers.html. Also see, http://www.rahul.net/falk/mailtrack.html; http://www.mcs.net/~jcr/ junkemaildeal.html.
51. Unless you are using a computer with its own permanent Internet protocol address (such as for DSL or cable modem connections), you most likely are using a server which provides random dynamic IP addresses. You are assigned an IP address when you connect to your Internet service provider, but the number will be different each time you connect. Random IP numbers (particularly where someone logs on with a 90-day free trial account, no credit card record, a fake name and street address) make it particularly difficult to trace the originator of anonymous or forged e-mail.
60. For the statement see, http://www.pgpi.org/files/PRZquitsNAI.txt. Compare, Anick Jesdanun, Associated Press, "Tales from the Encryption-Conscious: Users Ensuring Their Email Privacy," PerfectlyPrivate.com, March 19, 2001. Http://www.perfectlyprivate.com/newsresources_HL1.asp.
62. For more on the Czech discovery of the flaw in OpenPGP see, http://www.icz.cz. Also see, Declan McCullagh, "Your E-Hancock Can Be Forged," WiredNews.com, 10:20 a.m. Mar. 21, 2001 PST, http://www.wired.
63. James Middleton, "Global Networks Threatened by FTP Flaw," VNUnet.com, Wednesday 11 April 2001 3:15 AM, http://www.vnunet.com/News/1120337. See also, Robert Lemos, "Holes Found in File Server Software," CNET News.com, April 9, 2001, 3:30 p.m. PT, http://news.cnet.com/news/0-1003-200-5551015.html?tag=owv.
71. Microsoft Security Bulletin (MS00-045), July 20, 2000: "By design, HTML mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express windows. . . . [A] vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to a malicious user." "The vulnerability could allow a malicious user to send an email that would "read over the shoulder" of the recipient as he previews subsequent emails in Outlook Express." http://www.microsoft.com/technet/security/bulletin/