Information Security News mailing list archives

Whom to Sue for Nike.com Hack?


From: InfoSec News <isn () C4I ORG>
Date: Thu, 29 Jun 2000 13:34:29 -0500

http://www.wired.com/news/politics/0,1283,37286,00.html

by Craig Bicknell
3:00 a.m. Jun. 29, 2000 PDT

Net entrepreneur Greg Lloyd Smith just seems to have bad luck when it
comes to dealing with big U.S. companies.

Last year, after Smith set up a book-selling website called Amazon.gr
("Greece's biggest bookstore") and tried to interest Amazon.com in a
partnership, Amazon.com sued him, claiming Smith "tried to extort us
in a thinly veiled shakedown by ripping off Amazon's name and site in
an effort to deceive people."

Now it's Nike that's causing Smith grief, though this time Smith is
the one threatening legal action.

His beef: When Nike's website was hijacked last week, whoever hijacked
the domain re-directed Nike.com's traffic through Smith's Web servers
in the U.K., bogging them down and costing Smith's Web hosting company
time and money.

Smith wants Nike to pay him damages, claiming Nike negligently allowed
its domain to be hijacked, and is therefore responsible for the
consequences. Smith tried unsuccessfully to bill Nike for
compensation. Now Smith's lawyers are drafting a legal complaint
seeking redress.

"Some might say the hacker or hackers are/were responsible," Smith
wrote in an angry note on a self-created website called Shame on Nike.
"To a small degree that might be true. However, Nike must surely bear
the responsibility, since it was their total lack of security that
allowed it to happen in the first place."

The problem, says Smith, is that Nike selected the lowest form of
security when it registered the Nike.com domain with registrar Network
Solutions, a level of security called "mail-from" that would allow
anyone sending email from an approved Nike email address to alter
Nike's registry data.

That's just inviting email-spoofing hijackers to strike, Smith claims.
"Perhaps an appropriate analogy would be that if one were to leave a
loaded gun laying about and if another person picked it up and killed
someone with it, the owner of that gun would be held responsible for
negligence," Smith wrote.

"He is inaccurate," said Nike spokeswoman Corby Casler. "We had the
same high level of security used by other companies who use Network
Solutions" -- a password-protected security level called Crypt-PW.
"This means that our administrative and technical contacts who were
allowed to make changes had encrypted security."

If anyone screwed up, said Casler, it was Network Solutions, which
apparently allowed the hijacker to change Nike's registry information
on the basis of a spoofed email from the Nike billing contact -- a
person that did not have password authority to make changes to Nike's
domain status.

Network Solutions did not return calls seeking comment. However, a
number of other domain holders have complained that their domains were
hijacked when Network Solutions ignored its own security system,
allowing email spoofers to make domain changes without supplying
passwords. In any event, Nike said, the real villain in the hijacking
case is the hijacker, whose identity remains a mystery.
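The two authorization schemes the article names, and the failure it describes, can be modelled directly. The following is an added example, not code from the article or from Nike or Network Solutions; the record layout, the contact handles and addresses, and both check functions are assumptions, with a salted PBKDF2 hash standing in for the crypt(3)-style hash that the CRYPT-PW scheme is named after. `authorize` is the check a registrar should make (contact exists, holds a role allowed to change the domain, satisfies its own scheme); `weak_authorize` is the behaviour the article attributes to the registrar, where a matching From: address from any contact was enough.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Roles allowed to change a domain's registry data.  The billing contact is
# deliberately absent: per the article, the Nike billing contact "did not
# have password authority" to change the domain.  (Assumed policy.)
CHANGE_ROLES = ("admin", "tech")


@dataclass(frozen=True)
class Contact:
    handle: str
    email: str
    role: str        # "admin", "tech" or "billing"
    scheme: str      # "MAIL-FROM" or "CRYPT-PW"
    salt: bytes = b""
    pw_hash: bytes = b""


@dataclass(frozen=True)
class ChangeRequest:
    from_header: str            # RFC 822 From: as received; anyone can write it
    contact_handle: str         # the contact the requester claims to be
    password: Optional[str]     # cleartext password, if the scheme needs one
    new_nameservers: Tuple[str, ...]


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for crypt(3): a salted hash, so a stolen hash is not reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_contact(handle: str, email: str, role: str, scheme: str,
                 password: Optional[str] = None) -> Contact:
    if scheme == "CRYPT-PW":
        if not password:
            raise ValueError("CRYPT-PW contact needs a password")
        salt = os.urandom(16)
        return Contact(handle, email, role, scheme, salt, _pw_hash(password, salt))
    if scheme == "MAIL-FROM":
        return Contact(handle, email, role, scheme)
    raise ValueError(f"unknown scheme {scheme}")


def authorize(req: ChangeRequest, contacts: Dict[str, Contact]) -> Tuple[bool, str]:
    """The check a registrar should make before applying a change request."""
    contact = contacts.get(req.contact_handle)
    if contact is None:
        return False, "unknown contact"
    if contact.role not in CHANGE_ROLES:
        return False, f"{contact.role} contact may not change the domain"
    if contact.scheme == "CRYPT-PW":
        if req.password is None:
            return False, "password required"
        if not hmac.compare_digest(_pw_hash(req.password, contact.salt), contact.pw_hash):
            return False, "bad password"
        return True, "password verified"
    # MAIL-FROM: the only evidence is the From: header, which proves nothing.
    if req.from_header.lower() == contact.email.lower():
        return True, "From: matched (unauthenticated)"
    return False, "From: does not match contact"


def weak_authorize(req: ChangeRequest, contacts: Dict[str, Contact]) -> Tuple[bool, str]:
    """The behaviour the article describes: any contact's address in From:
    is accepted, and both the role check and the password check are skipped."""
    for c in contacts.values():
        if req.from_header.lower() == c.email.lower():
            return True, f"From: matched {c.role} contact (scheme ignored)"
    return False, "no contact matched"


# Constructed sample record; handles, addresses and the password are invented.
CONTACTS = {
    "ADMIN-1": make_contact("ADMIN-1", "hostmaster@example-shoe.test", "admin",
                            "CRYPT-PW", "correct horse battery"),
    "TECH-1": make_contact("TECH-1", "noc@example-shoe.test", "tech", "MAIL-FROM"),
    "BILL-1": make_contact("BILL-1", "billing@example-shoe.test", "billing", "MAIL-FROM"),
}
NEW_NS = ("ns1.elsewhere.test", "ns2.elsewhere.test")


def spoofed_billing_request() -> ChangeRequest:
    """A request whose From: claims to be the billing contact; no password."""
    return ChangeRequest("billing@example-shoe.test", "BILL-1", None, NEW_NS)


def admin_request(password: Optional[str]) -> ChangeRequest:
    return ChangeRequest("hostmaster@example-shoe.test", "ADMIN-1", password, NEW_NS)


if __name__ == "__main__":
    print("proper check, billing contact:", authorize(spoofed_billing_request(), CONTACTS))
    print("weak check,   billing contact:", weak_authorize(spoofed_billing_request(), CONTACTS))
    print("proper check, admin no pw:    ", authorize(admin_request(None), CONTACTS))
    print("proper check, admin good pw:  ", authorize(admin_request("correct horse battery"), CONTACTS))
```

Run it and the two checks disagree on exactly the request in the article: the billing-contact request is refused by `authorize` on the role check alone, before any scheme is consulted, while `weak_authorize` accepts it. The MAIL-FROM path in `authorize` also shows the scheme's intrinsic limit: the tech contact TECH-1 is accepted on nothing more than a From: header, which is Smith's point about "mail-from"; CRYPT-PW contacts are accepted only with the password.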

Nike's website was redirected to the site of an anti-corporate
globalization group called S-11.org, but the group disavows any
responsibility for the hijack. Smith also denies any responsibility
for the re-direct, vehemently dismissing any suggestion that he might
have tried to set Nike up for a damages claim.

"It goes without saying that neither this corporation, its employees
or (indeed) I had anything whatsoever to do with the re-direction of
their domain to our servers," Smith wrote in an email. "We did do
everything we could to assist Nike, Inc., at great expense to our
company and our customers."

Security experts, meanwhile, say that the case illustrates the growing
difficulty in assigning blame for security breaches in computer
systems that span more than one company, in this case Nike and Network
Solutions.

"The issue it raises is about matrix security -- when you have a whole
matrix of people and companies controlling different parts of a
network, the network may have holes or open ports," said Narender
Mangalam, director of security strategy at Vigilante, a Net security
firm. "It's a systemic problem."

Should Nike be responsible for making sure Network Solutions follows
its security procedures? Should Network Solutions be responsible for
ensuring that Nike opts for the highest security levels available?
"Laws have to be designed to enable people to know who the target of
an investigation should be," said Mangalam.

In any event, the grounds for complaint against Nike look shaky at
best, said Mangalam.

For its part, Amazon.com, which won a preliminary injunction last year
preventing Smith from using the Amazon.gr domain, seemed to wonder
whether Smith's charges against Nike were made in entirely good faith.

Or as Amazon.com spokeswoman Patti Smith put it, "You're right to look
at whatever he sends you with a critical eye."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".