SENECA COLLEGE, TORONTO

As Taught by Prof. Tim Richardson School of Marketing and e-Business, Faculty of Business

DETAILED OUTLINE©
.

4. Security Considerations

In dealing with a matter as serious as internet security issues it is prudent to issue a "disclaimer", namely:
It is not intended that the presentation of these topics will result in the participants learning everything they need to know about e-security; - but rather
1. create an awareness of the business and marketing consequence of these security considerations
2. identify resources they can access should they need to know a lot more

This section of IEC 719 will be delivered with some key guest speakers, in addition to lectures by the course professor and related reading material.

Security Considerations can be broadly categorized into three main areas (WTGR)

• National
• security of the country's border, property and assests from general external risk and threats
• protection and defense against the activities of hostile countries or organizations
• security and safety of the citizens
• Corporate
• security of the company's property and assests from general and unspecified external risk and threats
• protection and defense against the targeted activities of hostile competitive companies, organizations or individuals - which would negatively effect the company's ability to achieve profit and the prime corporate goals
• security and safety of the employees
• Personal
• security for your family and protection of property
• personal protection and defense against an attack specifically directed to you

• Copyright Protection Techniques
• Principles of competitor monitoring
• Competitor Intelligence, role in new product development
• Security monitoring services
• Policy and Procedures (SOP)
• Firewall and other hardware and software considerations
• Encryption, security of sending and receiving messages, and data
• Electronic sabotage, hacking vulnerabilities, viruses
• wireless security issues
• cookies
• National Government Involvement in internet crime and e-business security

In SAN's web page, which includes the listing "How To Eliminate The Ten Most Critical Internet Security Threats" their introduction serves to provide some important points we should consider in beginning this section of the IEC 719 course, namely:

The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws.  Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability.  A few software vulnerabilities account for the majority of successful attacks because attackers are  opportunistic – taking the easiest and most convenient  route. They exploit the best-known flaws with the  most effective and widely available attack tools. They  count on organizations not fixing the problems, and  they often attack indiscriminately, by scanning the  Internet for vulnerable systems. System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all

.

.

.

Electronic Commerce: Security, Risk Management and Control by Greenstein and Feinman.   http://www.mhhe.com/business/accounting/greenstein/ In the 4rth section of IEC 719, this book by Greenstein should be used more extensively than it was in Nov 2000. Ideally this section of the course should utilize the following chapters in Greenstein, Chapter 5, Risk of Insecure Systems Chapter 6, Risk Management Chapter 7, Internet Security Standards additionally Chapter 8, Cryptography and Authentification Chapter 9, Firewalls will be covered by Prof. David Bath's classes

 

E-commerce Security  Textbook Resources Chpt 6

Neal Hannon's book  The Business of the Internet  - Chpt 6 deals with business security issues - strongly recommended reading http://web.bryant.edu/~nhannon /Website/chapter6.html This chapter discusses how computer security gets more complicated when companies start using the Internet for business, and the additional measures  business must take to keep to protect their information.  Chapter begins with a very good example of how a system was hacked by focusing on the weakest link. The Chapter recounts how "Fortune magazine found a company named WheelGroup, a security company located in San Antonio, Texas. Run by  Tony Jennings, a former Air Force captain, WheelGroup also employs former National Security Agency employees. Armed with computers, modems, and phone lines, WheelGroup set its sights on a company  identified only as "Corp. XYZ". Its mission was to crack this company's  internal computer security system.  The WheelGroup began by locating the company in the public records of InterNIC, the Internet computer registry service. In doing so, WheelGroup determined all the addresses of company's computers that were actually connected to the Internet. Several hours later, the group encountered the company's firewall. The firewall had just been installed and contained all the latest security features.  No break-in through the firewall occurred. This could be the end of the story if  it were not for a device called a "dialer." A dialer is a program that automatically dials thousands of numbers looking for phones that are answered by modems. WheelGroup used such a program and found six  computers that not only answered the call with a modem, but also responded to a common account name and password for that kind of  computer. " Read Chpt 6 to find out how the story ended (WheelGroup no longer exists as an independent company, in April 1998 they were bought out by Cisco for $124 million)  http://www.cisco.com/warp/public/784/packet/april98/24.html

.

E-commerce Security  Textbook Resources         Chpt 5   Dan Janal's new book on  internet security

Chapter 5 in Schneider and Perry's book is titled "Security Threats to Electronic Commerce"  http://www.course.com/downloads/sites/ecommerce/ch05.html Chapter 6 is titled "Implementing Security for Electronic Commerce"  http://www.course.com/downloads/sites/ecommerce/ch06.html In Chapter 5 one of the key points noted at the beginning of the chapter is Security Policy and Integrated Security. Various experts agree that the most security situations in e-commerce are vulnerabilities caused by people either not having a sound security policy that sets out procedures, or they have a policy, but do not follow it. The rest of the material in the chapter is organized around three themes protecting client computers protecting the transmission of information on the Internet protecting the e-commerce server Dan Janal is the author of several books, and much of the content is helpfully available online. One of his books titled Risky Business: Protect Your Business from Being Stalked, Conned or Blackmailed on the Web is particularly helpful to this section. In an online excerpt from this book, Mr. Janal lists 30 practical ways to protect yourself and your organization from online attacks.  The list, which you should read through, is available at  http://www.janal.com/30ways.html items on the list include 5. If you sell products on the Internet, fight fraud by requiring customers to tell you where they live. Credit card companies call this "address verification" and it can cut your fraud rate down to next-to-nothing! 9. Check out your online image. Are people spreading  inaccurate information about your company via the Internet? This has happened to Tommy Hilfiger,  Snapple, Nieman Marcus and many other companies. Use search engines to check everything that's being  said about your company -- and notify the people  when they say misstatements!

.

The SANS Institute http://www.sans.org Bethesda, Maryland, USA in their own words "The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989."

What products does SANS offer people interested in the most contemporary and reliable internet security information? SANS offers three different free electronic subscriptions:  Security Alert Consensus (SAC) - weekly One definitive weekly summary of new alerts and countermeasures week with announcements from: SANS, CERT, the Global Incident Analysis Center, the National Infrastructure Protection Center, the U.S.  Department of Defense, Security Portal, Sun, and several other vendors. SANS NewsBites - weekly  NewsBites keep up with everything going on in the computer security world. A dozen or two articles, each just one, two, or three sentences in length, elaborate a URL that points to the source of the  detailed information SANS Windows Security Newsletter - monthly  provides updates to NT Security: Step-by-Step and guidance on new Hotfixes and Service Packs that should and should not be implemented. It also summarizes new threats and bugs found in Windows and its services.

.

The ECRC Program is sponsored by the U.S. Department of Defense Joint Electronic Commerce Program Office (JECPO). The Bremerton ECRC is operated by Concurrent Technologies Corporation, EDC of Kitsap County and Olympic College for JECPO	Electronic Commerce Resource Center 'ECRC' Bremerton, WA  USA  The ECRC describes itself as a "clearinghouse and jumpstation for electronic commerce information and resources"
"The Security Resources page includes resources on a variety of security issues, including document transfers, financial transactions, firewalls, and virus information. The ECRC also offers a free Internet Security Issues seminar"	http://www.becrc.org/security.htm

.

Mr. Sean Rooney, President  www.coldstream.ca

Mr. Rooney is personally very knowledgable about the "hacker and cracker" side of the security industry and can provide some "nitty gritty" insights into what vulnerabilities can exist and why we should be concerned. Coldstream is a Canadian IT security service company that has many security services, some of which are: Security Assessment Teams small, specialised units, whose purpose is to assess the integrity of client systems Cryptographic Development The purpose of noting Mr. Ronney, is to allow you to know the existence of these specialized firms and how they can be useful to you when you are involved with client situations/employers that require "serious" IT security services.

.

Security  Considerations   Proper Procedures

"Security is a process, not a product" Bruce Schneier, CTO of Counterpane and Author of the book Applied Cryptography read the BusinessWeek article interviewing Bruce Schneier about "distributed denial-of-service attacks"  http://www.businessweek.com/2000/00_10/b3671089.htm " The nature of distance has also changed. In the world offline, your house only has to be secure from criminals within driving distance. On the Net, eBay (EBAY) and Yahoo! (YHOO) must be concerned about everyone on the planet. The hackers need not be in America. This is the death of distance: Crime is no longer based on proximity." "We are dealing with fact that software products are always buggy, and probably always will be. At the same time, systems are too complex to secure. We actually can't test security to the level we need to. We'll see three or four major bugs in each new version of Windows or Explorer or Java. New products are coming out faster and faster, so we keep losing ground. We've been finding and fixing security bugs in past years, but none of those fixes transfers forward. For all these programs, a new version comes out, the new version is more complex, and there are new bugs."

.
 

Security  Considerations   Proper Procedures

Aladdin Knowledge Systems Internet Security Unit is based in Seattle From their main web site  http://www.eAladdin.com you can also see a link to "Glossary of terms" on their main page Shimon Gruper is the Chief Technology Officer of  Aladdin's Internet Security Unit Gruper has had a list of Top 10 Security Tips on Aladdin's web site for quite some time and the list is quite valuable to refer to.  The point form list of the 10 tips is to the right. Was at  http://www.esafe.com/shimonsays/index.html#top10 but this link was not active November 2000 1. The Safe use of Email Attachments  2.Vandals in Word Documents?  3.Setting Browser Security Options  4.Buying Products over the Web  5.Protecting your Personal Information  6.What about Cookies?  7.Are Java and ActiveX Safe?  8.Are Plug-ins and Push Clients Safe?  9.What about Viruses?  10.How to handle Spam Mail

.
 

Security  Considerations   Proper Procedures

Matthew Friedman, writing in the Plesman publication e-Business, authored an article in April 2000 about Hackers in which he said that "Security Managers are confident in the security postures of their organizations.But a recent report suggests they might not be getting the whole picture"  http://www.plesman.com/eb/news.html ?CONTENT=news/eb020425a Friedman explains that in Feb 2000 the publicized stories of hackers overloading some well known sites like Yahoo raised awareness of security issues but Friedman goes on to cite some experts who say not enough is being done, and more importantly, key people don't understand the implications of security vulnerabilities. Friedman notes Steven Ross, Deloitte & Touche's director of e-business technologies and security - quoting Ross "there's a feeling among the security people themselves that management doesn't understand the issues  like they do."  Friedman's article is a very good report on the key issues and you are strongly encouraged to read it thoroughly.

.
 
 

Security  and  Cryptography Much of the material in this inset table (either in direct quotes or summary form) comes from e-Scotia.com's site. e-Scotia has a whole page on Security and Cryptography at  http://www.e-scotia.com/escotia/ escotia_security.html There are 5 key components of security in correspondence that business is trying to establish in e-commerce situations Confidentiality - the communication between two parties has not been seen by a third party and the material of the communication has remained secret Integrity - the communication has not been tampered with nor has the message been edited (or the amount of money been changed) and there is must be a way of matching the copy held by the receiver, to the original sent by the sender Authentification - the identity of the author/sender can be verified so that the receiver knows the message / information did indeed come from the proper source Non-repudiation - the sender cannot deny having sent the message nor can they have means to change any of the content (including currency amounts) within the message. This is critical to keeping agreements when time lag (between sending and receiving) sees market conditions change Access Control - only the authorized recipient can open the message. Usually to open it you need some sort of cyber key which will be a large unbreakable number hopefully difficult to hack in to. Digital Cryptography works on two levels Encryption Digital Signatures Data is scrambled or digitally encrypted and only parties who have the right key can unlock and decode the data.  Encryption allows communication to be confidential however it will not:    Provide proof that the originator has participated in the  transaction Authenticate the identity of the sender Protect the data from being intercepted and modified.  Digital signatures can be authenticated by third parties with credibility of the sender and receiver. In e-commerce, leading financial institutions and government authorities are positioning themselves to be "certification authorities". When the digital signature of the recipient is validated by a "certification authority", assurance can be provided that:   The sender of a message/transaction is who they claim to be The sender has participated in the transaction, meaning they are aware of the content and amounts if money is part of the message) The information details, (payee or payor) and any statement of money has not been changed in mid-transit.

.

Cryptography

In the on-line version of Chpt 6 of his book,  The Business of the Internet Neil Hannon, notes a link to an article about Netscape Communications Corp. white paper that deals with the issue of intranet security and some of its many challenges. "Cryptography Is The Key To Intranet Security Needs"  http://www.techweb.com/se/directlink.cgi?CRN19970630S0089 Copyright (c) 1997 CMP Media Inc. "What is cryptography? Cryptography comprises a family of technologies that include the following:   Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.   Decryption is the reverse of encryption; it transforms encrypted data back into the original, intelligible form.   Authentication identifies an entity such as an individual, a machine on the network or an organization.   Digital signatures bind a document to the possessor of a particular key and are the digital equivalent of paper signatures. Signature verification is the inverse of a digital signature; it verifies that a particular signature is valid."

.

Users of Netscape Communicator version 4.7+ can now  surf their way to the SmartUpdate service and obtain a  significant encryption capability upgrade. The update  consists of a single file, which minimizes download time  dramatically.   The new security will give Netscape browser users a  major upgrade from international-grade encryption  (56-bit) to US-grade encryption (128-bit), significantly  increasing the safety of e-commerce and enabling online banking and bill-paying activities.

.

Encryption   Hackers Crackers and  security  breaches

"Why Cryptography Is Harder Than It Looks" by Bruce Schneier CTO and Founder, Counterpane Internet Security, Inc.(as cited by Neil Hannon)  http://www.counterpane.com/whycrypto.html WTGR notes this is a very very useful article to read thoroughly. Here is a snapshot of some of the points made by Schneier   "In the end, many security systems are broken by the people who use them. Most fraud against commerce systems is perpetrated by insiders. Honest users cause problems because they usually don't care about security. They want simplicity, convenience, and compatibility with existing (insecure) systems. They choose bad passwords, write them down, give friends and relatives their private keys, leave computers logged in, and so on. It's hard to sell door locks to people who don't want to be bothered with keys. A well-designed system must take people into account. Often the hardest part of cryptography is getting people to use it. ... It's hard to build a system that provides strong authentication on top of systems that can be penetrated by knowing someone's mother's maiden name." - a very long article explaining Echelon

.

Internal Threats and Problems

. As a former consultant on a specific aspect of international security related matters, the author of this course knows from experience that one of the biggest problems in implementing a successful security solution is the customer themselves. No amount of security hardware, software, systems and procedures can be successful if the customer  does not understand how to use it thoroughly will not use it effectively cannot get everybody in the organization to follow proper procedures has internal threats caused by disgruntled employees WTGR . Joaquim Menezes writing in a May issue of Computing Canada subtitled a May 26th article "Expert Says Ignorance, Internal Threats far more Problematic than Possible External Threats" There are a number of articles we could swamp you with reading in this area but suffice it to say that a good summary of the issues could be quoted from Richard Reiner "A disgruntled employee with access to corporate passwords can wrought much more damage than a hacker who has got into a system by exloiting a buffer overflow"     Reiner is Chief Executive Officer of FSC Internet Corp. of Toronto  www.fscinternet.com/

Internal Threats and Problems

"Investigators Root Out Elusive Internal Security Threats" Geoffrey Downey writing in the May 26th, 2000 isssue of Computing Canada  http://www.plesman.com/Archives/cc/2000/May/2611/cc261106a.html Downey's article carries the theme that companies shouldn't just be concerned about the outside world when trying to eliminate security threats. Downey quotes extensively from Scott Loveland, a former RCMP officer who works with other former Mounties at KPMG's security branch titled KPMG Investigation and Security Inc. Loveland is quoted by Downey as saying that in terms of real problems in security, "the threat from internal is larger than external in terms of frequency" - meaning, people who are going to cause security problems are most frequently going to be unhappy current employees who have access to the system - which makes it difficult to defend against. Loveland also cautions that sometimes, "some perceived security issues aren't attacks at all...For example, if you have a server that is getting 65,000 hits on the administrator password with failed log-ins, is that a penetration from the outside, ... or is that a misconfigured NT box somewhere in the testing lab?"

.

Professional Security Service Companies

KPMG Investigation and Security Inc. part of the large KMPG accounting and consulting group of companies  http://www.kpmg.ca/english/services Norman Inkster is the President of KPMG ISI and is best known for being the former Commissioner for the RCMP Many of the large professional service firms such as KPMG, Price Waterhouse Coopers, Ernst & Young have publications on their web sites re: e-commerce KPMG has e.fr@ud.survey.2000   http://www.kpmg.ca/english/services/fas/publications/efraudsurvey2000.html

.

Wireless Security

- scanned article re: Royal Bank buying Security First Network Bank "Royal Bank in Wireless Security Venture" is the title of a 13 June 2000 article written by Vito Pilieci for The National Post  http://www.nationalpost.com/search/story.html?f=/stories/000613/315694.html In August 2000, the online version of this story was still available at this link above Royal Bank formed a company with Baldhead Systems  www.baldhead.com/ to provide secure wireless banking and brokerage services. The new company will be named Sona Innovations. Royal Bank will own 20% and Baldhead will own 80% In August 2000, people viewing Baldhead's splash page can see the Royal Bank logo along with the words "Corporate partners with" and a click through to the royal bank web site. Pilieci quotes Jim Connor, Manager of Electronic Services Technologies for Royal Bank as saying "This gives us the opportunity to put a product out where we have end-to-end security between the palm unit and our back-end systems" On Baldhead's web site, they still have the digital version of the June 2000 press release. You can read all the points yourself at  http://www.baldhead.com/new/digeratis_sona1.htm This clearly indicates that Royal Bank considered more and more customers will be accessing banking services through mobile devices and they are building capability by buying into a company developing products for this market.

.

 

Why do sites use Cookies?   http://www.cookiecentral.com/faq/#1.3 "There are many reasons a given site would wish to use cookies. These range from the  ability to personalize information (like on My Yahoo or Excite), or to help with on-line  sales/services (like on Amazon Books or Microsoft), or simply for the purposes of tracking  popular links or demographics (like DoubleClick)." Cookies also provide programmers with a  quick and convenient means of keeping site content fresh and relevant to the user's  interests because the cookie tells them simple information about who has been hitting what part of the page

some cookie FAQs http://www.cookiecentral.com/faq/

"Many Netizens are concerned, "If I allow a Web 'cookie' to be set, someone can access my hard drive." However, cookies cannot be used to get data or view data off your hard drive. Cookies can only get data from what has been written to the cookie file. Are cookies dangerous to your computer? NO. The cookie is simply a text file saved in your browser's directory or folder. It cannot be used as a virus, and it cannot access your hard drive. MSN and Netscape use cookies to store information so you don't have to remember it (passwords, etc.). If you want to see what information is stored in your cookie file, use a word processor to open a file called cookies.txt or MagicCookie. Don't want to accept cookies? Configure your browser to warn you when one is about to be set or  refuse them all. It's your choice."

The text to the left was quoted from the page  http://www.becrc.org/ec/webdev/cookies.html

.

Virus Protection and busines risk                   Virus Protection and busines risk

"IT's Battleground: The Quest for Virus Protection" is the title of an August 4th, 2000 in Computing Canada  www.plesman.com/Archives/cc/2000/Aug/2616/cc261614a.html   . It is not the intention of this part of the course to be able to adequately cover all the various types of viruses that may effect e-commerce since do not have the time not resources to do that satisfactorly - but, it is important to have some understanding of the business risk at stake here and try to evaluate if it is a serious problem, because - if it is a serious problem, then every e-commerce professional needs to add to their portfolio of knowledge, some degree of understanding about viruses. WTGR . In this August 4rth article it is noted that "A recent survey estimated that viruses and other destructive acts will cost large businesses (over 1,000 employees) worldwide $US1.6 trillion this year and result in almost 40,000 person-years of lost productivity ...It's no wonder the anti-virus software market has hit almost $US70 million so far  this year [2000]"   . Is the problem getting worse? At this stage statistics on known virus attacks seem to indicate the problem is getting worse. For the most part, security experts believe the majority of virus attacks are made by unhappy employees and egotistical hackers and crackers - it does not appear to be something that companies are employing against each other to give themselves a competitive edge - but it may not be long before this happens since businesses large and small have been known to use very "illegal and immoral" tactics to gain advantage. WTGR . From the August 4rth article "Symantec,  publisher of the market-leading Norton Anti-Virus, has seen an average of 115 new viruses each month this year, up 30 per cent from 1999."

.

National Government Involvement in internet crime and e-business Security                                 National Government Involvement in internet crime and e-business Security

. In this section, which we may not have time to discuss in class, there will be provided some links to web sites from various security and police agencies of national governments. It is hoped that you will be able to read a couple of these articles to get some idea of the degree to which the FBI, CIA, RCMP, CSIS etc. may or may not, be understanding of, and contributing to, a more safe environment for business on the Web. WTGR . It was announced in August 2000 that The Federal Bureau of Investigation (FBI) will head up this year's World E-Commerce  Forum, at which global Internet security will be an issue for the first time. The full story announcing this event, written by Jennifer Hampton, was in the E-commerce Times in August.  www.ecommercetimes.com/news/articles2000/000804-7.shtml The reason why you would read this article is because it mentions that Michael Vatis, director of the FBI's  computer crime investigation unit "the goal of the summit ... is to identify how a global Internet security agency can be established, and how international law can be utilized to develop and enforce penalties against hackers and virus-mongers" The FBI and "Carnivore" "Carnivore attaches a combination of hardware and software  applications to the network of an Internet Service Provider  (ISP) and scans all of the e-mail and other transmissions to  locate a "target" piece of e-mail or communication from a  specific person or suspect. Carnivore can analyze millions of  messages per second while it searches for the specific  messages that it wants.   The FBI is developing Carnivore to help the agency police  cyberspace. Law enforcement officials have expressed  increasing concern over how the Internet is used illegally for  those who would anonymously distribute child pornography,  steal confidential proprietary information or wreak havoc on  e-commerce giants by hacking into their systems".  by Dan Gebler  E-Commerce Times  August 3, 2000  full online article at  www.ecommercetimes.com/news/articles2000/000803-2.shtml The FBI's own statement on their web site about using "Carnivore"  www.fbi.gov/pressrm/congress/congress00/kerr072400.htm "The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity." Recommended by Mr. Sean Rooney  http://www.nipc.gov/warnings/advisories/2000/00-060.htm in this particular document "... the NIPC has observed that there has recently been an increase [December 2000]  in hacker activity specifically targeting U.S. systems associated with e-commerce and other internet-hosted sites. The majority of the intrusions have occurred on Microsoft Windows NT systems, although Unix based operating systems have been victimized as well. The hackers are exploiting at least three known system vulnerabilities to gain unauthorized access and download propriety information. Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators. In most cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion."

.
 

National Government Involvement in internet crime and e-business Security             National Government Involvement in internet crime and e-business Security

The RCMP's  Computer Crime Prevention webpage with sections on Steps to establish and maintain an adequate computer security program Common Methods to Commit Computer Related Crime Computer Virus  www.rcmp-grc.gc.ca/html/ccprev.htm This section of the RCMP web site is not very extensive but it does include a small section on the basics of PKI - Public Key Infrastructure "Emerging Internet-related crimes include piracy, copyright infringement, currency and document counterfeiting, smuggling, hate- and sex-related offences, stalking, extortion, mischief, conspiracy, theft, fraud, and gambling." from an article on the RCMP web site titled "Business in Internet-related crime is booming"  www.rcmp-grc.gc.ca/html/online000128a.htm Maclean's online magazine had a story June 12th, 2000,  "Canada's police are only starting to catch up with hackers and other criminals who target online computer users" The article mentions a number of well known internet security situations that have happened and says that "Canada's response has been relatively low-key"  www.macleans.ca/pub-doc/2000/06/12/Technology/35694.shtml written by Chris Wood with Brenda Ranswell in Montreal and Robert Scott in  Toronto RCMP involvement with e-businesses that have been hit by cyber crime. A recent example (Feb 2000) is what happened to the HMV website. Basically, it was a denial of service attack.  HMV's site went offline for an hour Feb. 7 after being flooded with bogus information.  Full story was available on the Toronto Star's web site