Be Wary of E-Mail Spoofs: Hoax Statements Expand to Include Reid
The e-mails started flowing into media outlets’ inboxes over the weekend: First one Senator had died, then another, then another.
It seemed outlandish. Sen. Robert Byrd had just died June 28. Could it be that the West Virginia Democrat’s colleagues followed him so quickly?
Reporters called Senate offices, and press secretaries worked overtime to debunk the rumors.
Senate Majority Leader Harry Reid became the fourth victim of the death hoaxes Wednesday, and Senate administrators and media professionals are discussing how to inoculate themselves in the foggy intersection of politics, technology and journalism.
The unidentified Internet prankster, or group of pranksters, has been sending e-mails announcing that Democratic Sens. Reid (Nev.), Patrick Leahy (Vt.), Dianne Feinstein (Calif.) and Frank Lautenberg (N.J.) have died of cancer.
Senate Sergeant-at-Arms Terrance Gainer confirmed Wednesday that Reid is the latest target. “Following the death of Sen. Byrd, we’re all a little bit sensitive about this,” he said. “It’s in poor taste.”
While the e-mails appear to come from Senate offices’ domain names, they were sent by a technique called spoofing, whereby a computer program cloaks the actual e-mail address with a mimic address.
“This happens in all kinds of attacks,” said Jeffrey Carpenter, technical manager of the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute. “People who are involved in criminal activity … will frequently do that to send e-mail to someone to make it seem like it’s coming from someone they know.”
The Capitol Police are investigating, but Carpenter said it is unlikely they will come up with much. Although it is illegal to send unsolicited e-mail with a false header, the police may never find the perpetrator. “It’s really hard to do that,” Carpenter said. “In some cases, they’ve covered their tracks too well.”
Gainer said he does not know of a way to entirely ward off such e-mails, particularly because they are sent from outside the Senate’s technological infrastructure — a point with which Carpenter agreed. But Gainer said he has asked his information technology staff to look into it.
In the meantime, Gainer said he will host a meeting with Senate staffers Thursday to brush up on their IT knowledge.
He will point out that each e-mail header lists an individual Internet protocol address that can be authenticated and matched to a specific domain name. Reporters or staffers can use these to make sure the e-mails actually come from where they say they do.
“There is software available,” Gainer said. “It allows our Senate.gov domain to say whether the message originated from our server or from someplace else.”
Carpenter said the cybersecurity community uses an encrypted certificate attached to each e-mail to verify its authenticity, a practice that he said is not out of the reach of government. But, he added, the e-mail recipient would have to know how to authenticate the message.
“A lot of the impediment to widespread adoption of this technology is that it’s not easy for non-technology users,” he said. “The technology producers haven’t done as good of a job making this technology easy for consumers to use.”
Gainer said reporters should read e-mail with caution. Look for clues, such as whether it includes a press contact, an official office stationery header and a valid Internet protocol address.
“If somehow it slips through the cracks … then the burden is on the press office to refute it,” he said. “That’s kind of the price of the free press and technology.”
It is not inconceivable, especially in an age when an e-mailed statement is sometimes as good as the word from a Senator’s mouth, that reporters could be fooled by a hoax e-mail, said Albert May, associate professor of media and public affairs at George Washington University.
“There have been hoaxes that go back into journalism for years. This isn’t the first, but now it’s just so easy to do,” he said. “I’m surprised more of this doesn’t happen, to tell you the truth. I do think this is a good lesson for everyone. In this electronic age, there’s still good old shoe-leather reporting needed.”