ClickingThroughList 1.4 - Blunting the Sting of Cybervandalism

Welcome to our new readers!

First, I wanted to tell you about a few exciting events in which I will be participating. Throughout next week, I will be a special guest expert, discussing online marketing to children, for the ClickZ Forum e-mail list (click on the link to subscribe). My upcoming seminars include the Nassau County (New York) Bar Association E-Commerce seminar on February 29, and another event, "Leaders of the New Economy: Faces of E-Biz," at C.W. Post in Brookville, NY on March 9. The following week, I will be speaking at the upcoming AffiliateForce 2000 conference to be held on March 15-17 at the Miami Beach Convention Center in Miami Beach, Florida. The conference will explore many different aspects of the exciting mix of e-commerce and advertising known as affiliate programs, and I will be speaking on some of the legal aspects I discussed in issue 1.2 of this newsletter. The conference promises a world of information and networking opportunities for merchants and affiliates alike, and should be a great event. I will also be a speaker at the Spring Internet World conference in Los Angeles.

I am also pleased to let you know that some of the top experts in affiliate programs such as Glenn Sobel and Brian Clark have teamed up with Commission Junction for an exciting add-on to the AffiliateForce 2000 conference, namely the AffiliateParty. Here's how this works: if you register for the AffiliateForce conference through the AffiliateParty site link, the percentage of your conference fee which would otherwise be paid as a commission to the referring site has been pledged toward funding a major social event for all attendees on the first night of the conference on the roof of the Wyndham Beach Resort. I'll be at the party--I hope to see you there!

This issue's article focuses on a topic of particular interest to businesspeople using the Internet: how to protect against and deal with the aftermath of cybervandalism and directed online attacks. I welcome any comments or questions you have; just e-mail me at jezor@panix.com. And remember--please feel free to forward this issue to your friends and colleagues, and encourage them to subscribe as well.

BLUNTING THE STING OF CYBERVANDALISM

A recent series of attacks on major Web sites such as eBay, CNN, E*Trade and Yahoo! has captured the attention of both the technology and business press. These attacks, commonly known as Denial of Service (or DOS, which has nothing to do with disk operating systems) attacks, use previously compromised computers attached to the Internet to bombard a targeted site with huge numbers of simultaneous requests. The servers become so busy responding to all the spurious queries that they cannot serve content to legitimate users, much as a lone salesclerk in a toy store on the last shopping day before the holidays has too many customers screaming for answers to give quality time to a single legitimate purchaser. The result is that the sites are effectively shut down.

DOS attacks are not new; they have been part of the arsenal of malicious hackers (also known as crackers) for years. Because the recent attacks were so widespread, were apparently carefully coordinated by multiple crackers, and were aimed at some of the most used and highest profile sites, though, DOS is suddenly part of the vocabulary of even the casual Internet user. The DOS attacks have been particularly worrisome, coming as they did on the heels of revelations in January by online vendor CD Universe that its internal credit card and user records were compromised and ransomed back to it by a cybervandal.

It's critical to remember that no credit card information was intercepted in transit; that is, no one was able to snag a credit card number as the user was sending it to CD Universe to make a purchase. Rather, the cracker attacked the stored files of past transactions and, exploiting previously publicized weaknesses, copied the credit card information. Regardless of the method, though, the result was troubling to say the least.

Web site owners need to be concerned about DOS and these other malicious attacks on their sites, in the same way that a real-world store owner must contend with the threat of burglary and vandalism. Most site owners, though, don't manage their own connection, security and storage arrangements, choosing instead to work with third-party hosting companies to handle the day-to-day operations of the site. How can these site owners protect themselves, and their customers, from inconvenience or theft? The short answer is by due diligence and proper contracts with the hosting company, communication with users, and insurance.

Chapter 1 of "Clicking Through" details many of the questions and concerns that businesspeople should raise with hosting providers, but these recent events provide some additional guidance and raise new questions as well. You must remember to investigate the host's sophistication in dealing with computer security issues. Ask questions such as:

· On which operating system does the server run? The possible answers could include Windows NT/2000, some variant of Unix (such as Linux), or even MacOS. While each OS has security issues, some are more secure than others.
· Have all upgrades and patches (both for security and stability) been installed?
· What third-party software and hardware does the hosting company use to increase its security?
· What physical security does the facility have?
· Does the hosting company receive CERT risk and intrusion bulletins?
· How quickly are CERT recommendations implemented?
· Does the host have redundant connections in case one comes under cyberattack?
· What is the provider's history regarding previous cyberattacks? How have they been handled?
· What is the procedure to notify your company in the event your site or the hosting facility itself suffers a DOS attack or similar outage?

Similar questions should be asked of any transaction processing facility, if financial information is kept off the actual host server. In doing this research, you may wish to speak to the employee in charge of data security, rather than a sales representative who may not have current or correct information. Remember to get as many of these answers as possible into your contract as affirmative commitments of the host and/or transaction processor.

Even if the hosting company or transaction processor is taking all reasonable precautions against cybervandalism, problems may still arise. In that event, you need to determine (and your contract needs to state) who bears the responsibility for outages, delays and loss caused by crackers and cybervandalism. At the very least, your contract should require the other party to indemnify you for damages resulting from its negligence and failure to take proper precautions, and you may even be able to negotiate credits against fees or reimbursement from a hosting facility if your site goes down for technical reasons for more than a minimal amount of time.

On the user side, you'll need to balance customer expectations with the possibility of cybervandalism. Make sure the terms and conditions of use of your site expressly state that you cannot guarantee your site will always be operating, and try to have alternate means (such as telephone access, e-mail or even fax) for your users who need to reach you when your site may not be fully functional. (This is of greater importance to sites offering time-sensitive commerce, such as auctions or brokerages.) You should also anticipate some angry calls from users complaining of site outages when the problems are actually on the user end; make sure your customer service personnel know how to diagnose such problems and help a user understand their cause. (A developer at an early online stock brokerage once stated that something like 70% of their customer support calls had nothing to do with their site, but were general Internet use questions.)

Finally, examine your business interruption liability insurance, and make sure your policies cover cybervandalism as well as more common situations.

Just as you can't absolutely prevent fires or earthquakes or vandalism from disrupting your brick-and-mortar business, cybervandalism such as DOS attacks is likely to be a fact of Internet business life for some time to come. The best approach is to share the risk with your hosting company, insurance carrier and other providers, and keep your customers informed when problems do arise.

--------------------------------

Archives of this list are available at <http://www.clickingthrough.com/Newsletter.html>

To subscribe to this list: send email to majordomo@clickingthrough.com and put this in the *body* of the message: subscribe clickingthroughlist

To unsubscribe: send email to majordomo@clickingthrough.com and put this in the *body* of the message: unsubscribe clickingthroughlist

THIS NEWSLETTER COPYRIGHT 2000 JONATHAN EZOR; ALL RIGHTS RESERVED. "CLICKING THROUGH" AND "CLICKINGTHROUGHLIST" ARE SERVICEMARKS OF JONATHAN EZOR. THE CONTENTS OF THIS NEWSLETTER MAY BE FREELY RETRANSMITTED AND REPUBLISHED AS ELECTRONIC MAIL OR AS PART OF A WEB SITE IN FULL UNEDITED FORM ONLY, EXCEPT THAT THEY MAY NOT BE SENT AS PART OF UNSOLICITED COMMERCIAL E-MAIL. FOR INFORMATION OR PERMISSION TO EXCERPT OR REPRINT IN OTHER MEDIA, PLEASE CONTACT JONATHAN EZOR AT jezor@panix.com. THE INFORMATION CONTAINED IN THIS NEWSLETTER IS INFORMATIONAL IN NATURE. IT SHOULD NOT BE CONSIDERED LEGAL ADVICE, AND MAY NOT REFLECT THE OPINIONS OF JONATHAN EZOR'S EMPLOYER OR ITS CLIENTS.

For more information on "CLICKING THROUGH: A Survival Guide for Bringing Your Company Online" or Jonathan Ezor, see the Clicking Through Web site. If you read and enjoyed CLICKING THROUGH, please post a review on Amazon.com or other Web site or recommend it to a friend or colleague. Thanks!
Copyright © 2000-2005 Jonathan Ezor. All rights reserved.