who’s watching you?


Page 1: Who’s Watching You?

feature


What is stalking

Stalking is a form of harassment and comes in many forms ranging from telephone calls, letters and unwanted gifts, to cyber-stalking, where email and the Internet are used to pursue a victim. The common factors are repeated threats or harassment.

According to www.antistalking.com, 8% of American women and 2% of American men will be stalked in their lifetime.

This becomes a business issue and in particular a network security issue because the stalking often happens in the workplace. The person sitting next to you or down the hall could well be a stalker, or victim, and this can lead to technological as well as personnel problems.

Stalker characteristics

Psychologists used existing categories of criminals to build up stalker profiles. They found these three broad groups:

• Partner stalkers, often ex-partners of the victim who become obsessive when spurned;

• Delusional stalkers, who frequently seek out the famous or those they do not know, most of these have other mental health problems;

• Vengeful stalkers, those who stalk through anger at something the victim has done, or they believe they have done.

Browne, 57, standing accused of threatening to disclose encryption codes unless Barclays paid £25 million to himself and 13 others.

The threats were made in emails sent by Browne to Barclays' chief executive, and there was also a demand that Barclays set up a unit to improve security.

This last detail enabled Browne's defence to claim that the threats had no malicious intent and were a ruse to draw attention to poor security at the bank. This is not the first time such a defence has been made, and the prosecution can certainly contend that supposedly altruistic motives cannot mitigate unlawful actions.

The greater question though, as Neil Jarvis, a security expert at Deloitte & Touche, pointed out, is how such situations can be prevented from arising.

In this case, it appears that Browne became frustrated, whether with good reason or not, at what he perceived was the bank's failure to recognise his skill and the value of his work. “There must be continuous vetting of such staff,” said Jarvis, who admitted that this was difficult given the need to give staff freedom from overt intrusion, and also legal rights to privacy. “To remain operational, you have to give trust to your employees”.

HR issues

According to Logica's Smith, the vetting question also impinges on employment law, given that there have to be reasonable grounds for dismissal, and even in some cases for blocking job applications from otherwise well qualified individuals.

It may be that an employer has reason to believe a particular individual has become a security risk, but cannot prove it. Equally, an employer might use its rights to sideline or dismiss individuals on spurious security grounds when the real motive may be a personality clash in the boardroom.

The whole issue is a thorny one, but what is certain is that employers need to beef up on workplace psychology and become more sensitive to signs of growing disillusionment.

It is not uncommon for relatively senior staff, who have been in the same job for a while, to become disaffected, especially when they are nearing the end of their careers and becoming less attractive to headhunters. The need for recognition appears to increase at such times, and so employers need a sensitive fade-out strategy towards perhaps a lucrative and rewarding early retirement.

Strangely, this is not the only IT security blackmail case involving Barclays this year.

In the other, totally unrelated, case, Stuart Kearns, 24, was convicted in August 2001 of blackmail and faced three years in prison. His crime, committed in January 2001, involved a threat in a typewritten note to bring down the computers of the Barclays branch in Beckenham, UK, unless he was paid £200 000.

Who’s Watching You?

Katherine Lang

A cold clammy feeling, your neck hair rising and an increased level of twitchiness. I’m sure most readers will have had this experience when they feel that inexplicably, and often illogically, someone is watching them. Unfortunately for some people this is real — stalkers, both in the real and cyber-world do exist and you need to know what to do if and when it happens to your company.

Top 10 Tips for Blackmailers

Tips are courtesy of ‘Count’ Victor Lustig, an infamous 20th Century embezzler.

1 Be a patient listener.

2 Never look bored.

3 Wait for the other person to reveal any political opinions, then agree with them.

4 The same with religious views.

5 Hint at sex talk, but don't follow it up unless the other fellow shows a strong interest.

6 Never discuss illness.

7 Never pry.

8 Never boast — just let your importance be quietly obvious.

9 Never be untidy.

10 Never get drunk.

Source: Fakes, Frauds & Other Malarkey, by Kathryn Lindskoog, Grand Rapids, MI: Zondervan Publishing House, 1993.

NovNese.qxd 11/9/01 12:25 PM Page 11


It happened to me

My stalker found me outside of work, on an email mailing list. He was a bit of a troll chipping in with sarcastic comments, nothing of note; this list had its fair share of pyromaniacs keen to cause trouble so I didn’t immediately identify him as anything different.

One weekend two events coincided that changed the situation. The first was that the troll made a very personal insulting remark on the mailing list about me, inviting people to flame me, to which I replied with a witty remark about “somewhere out there, is this man’s trolley” (because clearly he wasn’t on it). Over the next hour I, and the other list recipients, received not one reply, but over 200.

Unfortunately, in between sending this email and receiving the angry responses, my partner misdirected an email, meant to be a private off-list message to a friend, to the list. It included our home phone number.

The troll waited a week before using this information. He called me, pretending to be a journalist researching computer security and asked me some fairly odd questions. I was a little suspicious and after a few bland answers hung up. But here’s the weird thing — he didn’t call me on the number given out, he called me on my partner’s mobile, which meant he had called my house and managed to get the number from the answerphone. So, he now had three methods with which to contact me.

This went on for about a week, with various friends shouting defences over the Web to him and on the list. Each got flamed back and a number of viruses suspiciously found their way to my friends’ inboxes, each spoofed so it looked like I’d sent them. I spent a few weekends repairing their PCs and having reached the end of my patience contacted the ISP — my stalker and I shared the same ISP — and asked for their help.

The response was evasive: “We need proof he’s doing it and he says you’re stalking him — we can’t see who is in the wrong here. Keep records and let us know if it continues.”

Frustrated and feeling extremely annoyed with the lack of support, I emailed all my friends and told them I would be switching email accounts and to ignore anything on my primary account until further notice.

Somehow, my stalker found out this new address (it’s not uncommon for cyber-stalkers to create several online “personalities” to gain their victim’s trust). Pretty soon he was spoofing email from the new address, although I was using passwords, relayed by phone, to let people know I would be contacting them, to ensure that his messages were ignored by my friends.

Next he set up a total of 11 email addresses, using each to alternately send me messages of support, then to insult me.

My credit cards all got cancelled at this point: “Your husband called madam, said you’d lost your wallet,” said the bank — I wasn’t married.

My job involves meeting with clients at their place of business. One day, while out visiting a vendor the person I was travelling with got a call — I had abandoned mine to avoid abusive text messages — my boss called and asked me to get back to the office immediately to talk to the Directors.

I cancelled my meeting and returned to meet a pale Boss and an even paler board of Directors. They explained that they had received phone calls from my stalker claiming that I was harassing him and that I had boasted that I’d hacked their system. I hadn’t — I’d actually written the security policy and installed the firewall though, so I was a prime suspect if they did get attacked.

They showed me emails — which appeared to come from my home email, detailing the alleged hacks and boasts and luckily for me, I could prove I was unable to be at home at the time to send them. The company relieved me of security duties (“for the time being”) and asked me what help I needed.

Annoyed at being falsely accused but realising I needed help, I asked the HR department to contact the police, who after a few fruitless calls put me in touch with New Scotland Yard: “They have some guys who will help.”

I made a report and they asked me to log all calls and events. I was also advised that it would take a great deal of time to get something done and the first course of action was to ignore the stalker if at all possible. So I ignored the emails, the phone calls, the threats to myself and my colleagues.

Frustrated with the lack of support and realising the impact this was making on my team I left the company and moved house. Things got better, but because I still have my websites and email addresses, two years later I’m still ignoring my stalker.

He still pops up from time to time, my bank account has been accessed twice this year and although no funds have been taken it does concern me because my whole life is on my bank statement. You can see where I’ve been and if you wanted to predict regular events — I shop at a certain supermarket twice a month on a Tuesday.

My stalker also still sends regular mailbombs to my, now redundant, mail account, I check it once every few months and delete them all. He also still sends abusive email to my ex-boss and I receive a lot of “hang-up” calls.

I’m at a new job now and I have made the decision not to tell anyone about all this. I do believe that the way it was handled by my then-managers seriously set my career back. But they had never experienced the situation before so I can’t hold it against them. As a footnote, I took a call from one of the Directors a few weeks ago, they had a similar problem, except this time the stalker was more vocal, using the phone to intimidate the victim and making professions of love. They suspected it was someone in the office. My advice then, as now, is this: trust and support your staff, increase security measures and get as much help and advice as you can.

I’m also glad to report that the law enforcement agencies are much better at dealing with stalking cases now, as are the courts, both in the UK and further afield. But the level of information within companies is still far too low. As security professionals, I call upon you to educate your Directors, your HR department and your staff. Like all other areas of security you can be a defender or a victim in protecting against attack — the choice is yours.


In terms of the workplace, the first and last categories are likely. Disgruntled employees, particularly those who have left the company unwillingly, may become obsessive and decide to wreak revenge by stalking their former boss or colleagues for a period after they have left.

Women are more likely to be stalked than men, who tend to be the prime perpetrators. Given the assumed profile of the hacker: young, male, limited social skills, and the stalker: male, isolated, may have limited social skills, it’s easy to see how the leap from one to the other can happen.

Using the law

If you live in the USA or Europe, there are laws in place which make stalking a criminal offence. However, where you live will determine what your relative responsibilities are as an employee.

But, to put it simply, if you know an employee is being stalked and you do nothing, you will be on shaky legal ground. If the stalking causes your company’s security to be compromised and a member of the public or customer incurs damage you may be liable.

You may also be culpable for physical or mental injury to the employee if you do nothing to reduce the risk at work once the problem is reported. For information on the laws in your country, visit: www.cyberangels.com/stalking, or www.stalkingassistance.com/.

What companies can do

Companies can help prevent stalking by having a clear privacy policy and communicating it to staff.

Encourage staff not to give out personal information in the workplace. For example, don’t ask them to leave home phone numbers on contact sheets, make sure they have access to information about the signs of stalking and make it clear that any staff member that is being harassed will be supported.

If you have a website, don’t include personal information on it and consider whether you need to have photographs of staff. Specifically, be cautious about this for your security staff because everyone in the security industry will develop enemies at one time or another, having a mugshot on the Web can only assist the criminal — it is just asking for trouble.

Companies should also train staff not to give out information on employee whereabouts. How many times have you called a company to book a meeting and been told the worker’s itinerary for the week? You can test this by phoning and asking to speak to yourself whenever you are out of the office.

Another important aspect of training is developing awareness of the signs of stalker behaviour — which can change rapidly from friendly to malicious, or even violent.

Factors to look out for:

• Complaints from staff that a particular customer or colleague is sending excessive email;

• Continual hits to a biography page on a website or repeated searches on a person’s name;

• Increase in virus attacks directed at a specific individual;

• Staff reports of harassment or feeling unsafe;

• Defaced websites with declarations of love or hate to a particular worker.
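
The second factor above, continual hits to a biography page or repeated searches on a person's name, can be checked against web server access logs. The following is an added example, not part of the original article; it assumes Common Log Format, a hypothetical site layout (biographies under /staff/<slug>, search at /search?q=), and constructed names, thresholds and log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed (hypothetical) site layout: biographies at /staff/<slug>, search at /search?q=...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3}')
STAFF = {"jane-doe": "jane doe"}            # slug -> name, constructed
WINDOW, THRESHOLD = timedelta(hours=24), 5  # assumed tuning values

def person_of_interest(target):
    """Return the staff slug a request concerns, or None."""
    url = urlsplit(target)
    if url.path.startswith("/staff/"):
        slug = url.path.split("/")[2].lower()
        return slug if slug in STAFF else None
    if url.path == "/search":
        terms = " ".join(parse_qs(url.query).get("q", [])).lower()
        return next((s for s, name in STAFF.items() if name in terms), None)
    return None

def flag_fixations(lines):
    """Map (client, slug) -> peak hits inside any WINDOW, for pairs reaching THRESHOLD."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        slug = person_of_interest(m.group(3)) if m else None
        if slug:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            seen[(m.group(1), slug)].append(when)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLD:
            flagged[key] = peak
    return flagged

# Constructed sample log: one client returns to the same biography all day.
SAMPLE = [f'203.0.113.7 - - [05/Nov/2001:{h:02d}:15:00 +0000] "GET /staff/jane-doe HTTP/1.0" 200 5120'
          for h in range(9, 14)] + [
    '203.0.113.7 - - [05/Nov/2001:14:02:00 +0000] "GET /search?q=jane+doe HTTP/1.0" 200 900',
    '198.51.100.4 - - [05/Nov/2001:10:00:00 +0000] "GET /staff/jane-doe HTTP/1.0" 200 5120',
]
print(flag_fixations(SAMPLE))
```

A flagged client address is a lead for the incident record, not an identification; shared proxies and search-engine crawlers will also produce repeat hits.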

He’s one of us

Most companies have one or two members of staff who are a little strange. But for some companies, the outsider inside will develop into the stalker. There have been many reported cases where colleagues are stalked by co-workers and being able to identify the culprit will help you avoid an expensive showdown.

If you suspect that a staff member is using IT facilities to stalk another member of staff, and providing it is written into his or her contract, you may be able to monitor usage. Given this information, you might choose to dismiss the staff member or reprimand him or her. However, be careful to gather evidence first.

Many stalkers confuse emotions, many may react angrily to your interventions. So, this must be handled carefully, involving HR, legal representatives as well as the victim. Again you may need to provide services to the victim to ensure that he/she is not put in danger while the matter is addressed.

Ten step plan to combat stalking

1. Educate staff so they know the value of personal information.

2. Write and enforce corporate policies on information disclosure.

3. If an employee says they are being stalked, make sure HR and security are aware. It’s not uncommon for stalkers to try and discredit the complainant. Instruct employees not to respond to emails or calls; you may have to monitor email and/or telephone calls for a period.

4. Pay careful attention to security logs to identify the source of the harassment. Record everything that happens clearly and objectively, remember to seal any evidence properly.

5. Inform the police and allow them to copy drives.

6. Contact lawyers and discuss the various ways to reduce contact between stalker and victim (e.g. restraining orders).

7. Offer practical help to the victim: alternative accommodation, alternate working hours or taxis home may help the victim feel more secure.

8. Under no circumstances respond to the stalker’s demands.

9. Make sure that all data assets are secured and that all systems are swept for vulnerabilities that may be exploited.

10. When the stalker has been dealt with, review practices that may have contributed and base further staff training on your findings.
