Information Security News mailing list archives
Whom to Sue for Nike.com Hack?
From: InfoSec News <isn () C4I ORG>
Date: Thu, 29 Jun 2000 13:34:29 -0500
http://www.wired.com/news/politics/0,1283,37286,00.html

by Craig Bicknell
3:00 a.m. Jun. 29, 2000 PDT

Net entrepreneur Greg Lloyd Smith just seems to have bad luck when it comes to dealing with big U.S. companies.

Last year, after Smith set up a book-selling website called Amazon.gr ("Greece's biggest bookstore") and tried to interest Amazon.com in a partnership, Amazon.com sued him, claiming Smith "tried to extort us in a thinly veiled shakedown by ripping off Amazon's name and site in an effort to deceive people."

Now it's Nike that's causing Smith grief, though this time Smith is the one threatening legal action.

His beef: When Nike's website was hijacked last week, whoever hijacked the domain re-directed Nike.com's traffic through Smith's Web servers in the U.K., bogging them down and costing Smith's Web hosting company time and money.

Smith wants Nike to pay him damages, claiming Nike negligently allowed its domain to be hijacked, and is therefore responsible for the consequences. Smith tried unsuccessfully to bill Nike for compensation. Now Smith's lawyers are drafting a legal complaint seeking redress.

"Some might say the hacker or hackers are/were responsible," Smith wrote in an angry note on a self-created website called Shame on Nike. "To a small degree that might be true. However, Nike must surely bear the responsibility, since it was their total lack of security that allowed it to happen in the first place."

The problem, says Smith, is that Nike selected the lowest form of security when it registered the Nike.com domain with registrar Network Solutions, a level of security called "mail-from" that would allow anyone sending email from an approved Nike email address to alter Nike's registry data. That's just inviting email-spoofing hijackers to strike, Smith claims.

"Perhaps an appropriate analogy would be that if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence," Smith wrote.

"He is inaccurate," said Nike spokeswoman Corby Casler. "We had the same high level of security used by other companies who use Network Solutions" -- a password-protected security level called Crypt-PW. "This means that our administrative and technical contacts who were allowed to make changes had encrypted security."

If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status.

Network Solutions did not return calls seeking comment. However, a number of other domain holders have complained that their domains were hijacked when Network Solutions ignored its own security system, allowing email spoofers to make domain changes without supplying passwords.

In any event, Nike said, the real villain in the hijacking case is the hijacker, whose identity remains a mystery. Nike's website was redirected to the site of an anti-corporate globalization group called S-11.org, but the group disavows any responsibility for the hijack.

Smith also denies any responsibility for the re-direct, vehemently dismissing any suggestion that he might have tried to set Nike up for a damages claim.

"It goes without saying that neither this corporation, its employees or (indeed) I had anything what so ever to do with the re-direction of their domain to our servers," Smith wrote in an email. "We did do everything we could to assist Nike, Inc., at great expense to our company and our customers."

Security experts, meanwhile, say that the case illustrates the growing difficulty in assigning blame for security breaches in computer systems that span more than one company, in this case Nike and Network Solutions.

"The issue it raises is about matrix security -- when you have a whole matrix of people and companies controlling different parts of a network, the network may have holes or open ports," said Narender Mangalam, director of security strategy at Vigilante, a Net security firm. "It's a systemic problem."

Should Nike be responsible for making sure Network Solutions follows its security procedures? Should Network Solutions be responsible for ensuring that Nike opts for the highest security levels available?

"Laws have to be designed to enable people to know who the target of an investigation should be," said Mangalam.

In any event, the grounds for complaint against Nike look shaky at best, said Mangalam.

For its part, Amazon.com, which won a preliminary injunction last year preventing Smith from using the Amazon.gr domain, seemed to wonder whether Smith's charges against Nike were made in entirely good faith.

Or as Amazon.com spokeswoman Patti Smith put it, "You're right to look at whatever he sends you with a critical eye."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".