Many of our readers have traveled with laptops, often crossing borders, and sometimes being subjected to a border search by customs agents. For most of us, crossing a border with a laptop is a no-brainer and we don’t really think of the implications.
The truth is, law enforcement and border control officials may seize and search laptops and electronic storage devices when travelers, regardless of their citizenship, enter or exit the United States. This right has been established and upheld by U.S. courts, mainly under anti-terrorism measures. Earlier this year, in July, in United States v. Romm, 455 F.3d 990, the Court of Appeals for the Ninth Circuit upheld the right of U.S. officials to conduct an allegedly intrusive warrantless search of a laptop computer carried by a traveler entering the United States from Canada, and allowed evidence recovered during the search to be used in prosecuting the traveler for possession of child pornography.
The Association of Corporate Travel Executives (ACTE) (yes, there is such an association, apparently) has sought guidance from the federal government on the data security and privacy protection policies that apply when U.S. border officials seize and review the contents of travelers’ laptop computers. Many executives are naturally worried, as they often carry valuable and sensitive company (or private) information on their laptops. ACTE claims that most of its executive members (94%) were surprised to learn of the broad rights U.S. government officials have to inspect, download, or even seize information.
The good news is that ACTE reports that its members, upon learning that their laptops are subject to intrusive warrantless searches at the airport, have indicated an overwhelming desire to limit the kind of proprietary information typically carried in an executive’s computer. This is good. Even if the ACTE doesn’t get an answer and guidance from the federal government, at least it should educate its members to limit what kind of information they carry on their laptops.
Is it just me, or are these results scary (pardon the Halloween-themed lead)? A study commissioned by Cisco Systems on the habits of workers who telecommute (and thus access company systems remotely) interviewed 1,000 teleworkers in 10 countries and produced some interesting results. My favorite,
One in 10 users noted that they have used, without permission, their neighbor’s wireless Internet connection when working remotely.
Ten percent of telecommuters putting their company accounts and most likely extremely sensitive company information out in the open in plain text for anybody to see? This is troubling, especially for IT managers who support a growing number of telecommuters. Although the survey doesn’t detail how many users use secondary encryption such as a VPN tunnel or a secure proxy, my feeling is that this number is close to zero. Thus, after spending millions to secure your corporate network from intruders, your company information is flowing through a distant neighborhood’s airwaves for anybody to see in plain text. Scary.
Other results from the survey,
Scary stuff. Happy Halloween!
A recent case from the U.S. District Court for the District of Columbia held that a company cannot be held liable for an employee’s violation of the Computer Fraud and Abuse Act (CFAA) where the employee acted of his own volition and without the company’s knowledge. The court said that the CFAA requires intentional conduct on the part of the defendant, and that neither the fact that the alleged CFAA violation was committed with company assets nor the fact that the alleged hacker was a company employee supplied the requisite intent on the part of the company.
The Facts
A law firm, Butera & Andrews, claimed that it was subjected to 42,000 attacks on its e-mail server from 80 different IP addresses, all controlled by or belonging to defendant IBM. Butera & Andrews alleged that the attacks were made with IBM-owned equipment and were directed by IBM employees or agents. IBM denied knowledge of the attacks and moved to dismiss, claiming that the complaint failed to allege intentional conduct on IBM’s part, as the CFAA allows an action only against somebody who "intentionally accesses" a computer without authorization. See 18 U.S.C. § 1030(a).
The Reasoning
The court said that the CFAA’s intent requirement is narrower than the common-language dictionary definition. The court further said that the CFAA’s "intentional" means knowing and conscious activity, and that there is a distinction between the use of a company’s assets to commit a crime and that company’s endorsement, or even knowledge, of the activity. Absent something more than an employer-employee relationship, "there are no grounds whatsoever for bringing an action against IBM under any of the statutes relied on, … as each requires ‘intentional’ conduct."
Also, under District of Columbia law, IBM cannot be held liable under the respondeat superior doctrine for an employee’s intentional conduct: "[t]here is no basis to hold IBM liable under theories of respondeat superior or vicarious liability for the actions of the John Doe defendant, even if the attacks were actually carried out by an IBM employee or agent."
The Outcome
Based on the reasoning above, the court dismissed the CFAA cause of action without prejudice. The full opinion in Butera & Andrews v. IBM Inc. can be found here.
With the United States Congress ratifying the Cybercrime Convention and President Bush signing it into law, the Council of Europe has officially adopted it and has announced January 1, 2007, as the official effective date for the international treaty.
In addition, the 46-nation Council of Europe announced that a $250,000 donation from Microsoft will help launch a program designed to help member states implement the Cybercrime Convention. The program will help states enact national legislation in line with the Convention and support the training of judges, prosecutors, and law enforcement agents in the detection, investigation, and prosecution of cybercrimes.
The educational program’s budget is 1.7 million euro ($2.1 million) over 30 months, and having received the Microsoft donation, the Council can give the green light to the initial phases. Additional private donations may be accepted in the future to help offset the cost of the program.
According to the CoE statement, assistance from the new program will be available to CoE member states and to non-European countries that are prepared to bring their legislation in line with the Cybercrime Convention.
The text of the convention and more information can be found here.
This should make you think twice.
According to a study, disclosed breaches negatively affect stock price for up to a year. The study, conducted by an Australian analyst company and a US research company, found that disclosure of data security breaches can have a significant impact on the share prices of publicly traded companies. It looked at six companies that admitted security breaches and found that the stock prices of those companies fell an average of 5% within the first month following disclosure, and remained between 2.4 and 8.5 percent below the pre-disclosure level after eight months.
These results should not be news. However, they illustrate the need for improved data security, especially where large amounts of sensitive information are stored. In light of pending legislation requiring disclosure of data breaches, companies should think hard about leaving sensitive data unprotected. Although the study does not amount to full-scale (and more scientifically defensible) research with control groups and the like, it suggests that companies (and their officers) may even be liable for breach of corporate duties in failing to prevent breaches and for the resulting shareholder losses.
Interesting read. More here.
As election day in the US draws closer, the heat of the political debate takes strange turns. In a plea deal entered on September 28, the alleged ringleader of a hacking crew called the "Internet Liberation Front" pleaded guilty to federal charges stemming from his attack on a conservative political organization’s website and theft of information, including members’ credit card numbers and addresses. The case is United States v. Hammond, No. 06-CR-0380, N.D. Ill.
The defendant, Jeremy Hammond, entered a guilty plea for illegally entering a server operated by "ProtestWarrior.com" and stealing sensitive financial and personal information from the server. Hammond is the administrator of "hackthissite.org" which labels itself as an "online movement of artists, activists, hackers and anarchists who are organizing to create new worlds." Allegedly, Hammond hacked into ProtestWarrior.com server because he aimed to "arm the liberty-loving silent majority with ammo–ammo that strikes at the intellectual solar plexus of the left."
According to the victims, Hammond intended to use the stolen credit cards to make donations to various left-wing organizations. According to the Office of the U.S. Attorney for the Northern District of Illinois, Hammond faces a prison sentence of between 57 and 71 months, with a sentencing hearing scheduled for December 7th, 2006.
President Bush signed on Wednesday (Oct. 4) the fiscal year 2007 appropriations bill for the Department of Homeland Security. The bill provides a total of $542 million for infrastructure protection and information security, including $87 million for cybersecurity.
Earlier this year the Bush administration requested an increase of $14 million (or 17%). Unfortunately, the increase over FY 2006 is only $8 million, or 10% (the FY 2006 budget was $79 million).
What message does this send to cyberterrorists, and even to criminally minded hackers? I am not sure whether it is normal practice in Congress to undercut the administration’s budget request, but even if it is, underfunding the budget for protecting a critical aspect of the nation’s economy seems unwise.
Before you wipe clean your hard drive, and especially if you are in Texas, read this! A file-sharing defendant in Texas decided to "wipe" the computer hard drive containing allegedly incriminating evidence in a pending case. The U.S. District Court for the Western District of Texas held in Arista Records LLC v. Tschirhart, SA-05-CA-372 (8/21/06), that the defendant is subject to default judgment by "destroying the best evidence relating to the central issue in the case" and "inflict[ing] the ultimate prejudice upon plaintiffs."
During a forensic analysis it was discovered that the defendant, Delina Tschirhart, erased data on at least two occasions: once in December 2006, after the recording industry had served a complaint, and again on January 26, 2007, the day after the court issued an order for the hard drive to be imaged (presumably to create a "snapshot" to be examined forensically). During the analysis some residual data was still discernible, such as the presence of iMesh, a file-sharing program, and the presence of the same username that investigators had linked to illegal file-sharing on the iMesh network.
Under the Federal Rules of Civil Procedure, a court may impose the most severe sanctions available under Rule 37(b) — striking pleadings or dismissing a case — upon a finding of bad faith or willful conduct. The court found that Tschirhart’s conduct was both willful and in bad faith and "substantially prejudiced" the plaintiffs, the recording industry, in their case.
In this case, defendant’s conduct shows such blatant contempt for this Court and a fundamental disregard for the judicial process that her behavior can only be adequately sanctioned with a default judgment. No lesser sanction will adequately punish this behavior and adequately deter its repetition in other cases.
The bottom line of the story is: do not wipe your hard drive right after you are served as a defendant when you know that what is on the drive will be material to the case, and certainly not again after the court has ordered you to produce the hardware for forensic inspection. This does not sit well with the court. And by all means, if you wipe your drive, wipe it well and don’t leave traces behind.
The court order can be read here.