According to documents obtained by WTOP through a Freedom of Information Act request, between 2002 and 2006, the IRS had 478 laptops either stolen or lost.
Of those, 112 computers contained sensitive data, including personal information, such as social security numbers, for U.S. taxpayers. It is unclear how many people could be at risk of identity theft.
We will be installing an automatic encryption system that will encrypt all information on the hard drives, so that the employee does not specifically need to choose individual files to encrypt. This will start in January. A physical security locking cable is also being provided to all employees with laptops, so that they can physically secure their laptops and help prevent the laptops from being stolen.
Also, the IRS has focused on providing security education, training, and awareness of our employees to ensure they recognize the need to protect sensitive information, and how to use the current encryption capabilities that are available on all IRS computers.
Let’s hope they don’t lose many laptops between now and January, assuming they will get the encryption plan working by then.
It is not fiction – you can securely delete information. However, there are many caveats.
First of all, if you know or have a reason to know that the information in question is or will be involved in litigation – securely deleting (or just deleting) any information that may be needed will adversely affect your position in that litigation. This point cannot be stressed enough.
Second, unless you use tools that overwrite the deleted information multiple times (30, for instance), there is always a pretty good chance that a skilled forensics expert would restore at least some of what you have erased. Anecdotal evidence shows that some government agencies can restore information overwritten many times by using sophisticated magnetic analysis on a particular disk sector. This is probably difficult and expensive to do, but it may be possible.
Third, mind the information that you did not intentionally create. Memory swap files, printer spool files, or Windows hibernation swap files – all of these files contain information that, on its face, resides in memory, but is stored (often unencrypted) on disk. For instance, if you typed a secret document on your computer, printed it, and then discarded the document without saving it, chances are that there is a copy of the document (printer spool file) somewhere on your hard drive that is waiting to be recovered and read. Also, if you use an encryption program and you ‘Hibernate’ your computer, chances are that your encryption password is stored in plain text in the hibernation swap file.
Finally, see #1 again.
A more detailed report can be found here.
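An added illustration of the second caveat (example code written for this note, not from the post or any tool it mentions): a multi-pass in-place overwrite followed by unlink, with a constructed sample file so it can be run and checked. It assumes a conventional in-place filesystem on magnetic media; on SSDs and on journaling or copy-on-write filesystems the old blocks can survive elsewhere, and it does nothing about the swap, spool or hibernation copies described in the third caveat.

```python
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB chunks so large files do not fill memory


def overwrite_passes(path: str, passes: int = 3) -> int:
    """Overwrite the whole file in place `passes` times.

    Every pass except the last writes random bytes; the last writes zeros.
    Each pass is flushed and fsync'd so it reaches the device before the next.
    Returns the file size in bytes (the amount written per pass).
    Assumption: in-place filesystem on magnetic media (see lead-in).
    """
    if passes < 1:
        raise ValueError("need at least one pass")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n if p == passes - 1 else os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink the name. Returns the number of passes completed."""
    overwrite_passes(path, passes)
    os.remove(path)
    return passes


def make_sample(secret: bytes) -> str:
    """Constructed sample input: a temp file holding `secret`; returns its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    return path


def read_back(path: str) -> bytes:
    """Current on-disk contents, used to check that a wipe actually happened."""
    with open(path, "rb") as fh:
        return fh.read()


def still_exists(path: str) -> bool:
    return os.path.exists(path)
```

Plain `os.remove` alone would leave the secret bytes in place until the blocks are reused, which is exactly what the post says a forensics expert can recover.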
Sophos has produced its latest report on the top twelve spam relaying countries over the third quarter of 2006. As the chart below shows, the US is by far the largest spam relay, with almost 1/4 of all the world’s spam originating from US computers. Some experts believe this lead is due to the emergence of over 300 strains of the mass-spammed Stratio worm.
[Chart: Top Twelve Spam Relaying Countries in July-September 2006]
In the Seventh Circuit, damages attributed to lost productivity can be counted against the $5,000 requirement which allows prosecution under the Computer Fraud and Abuse Act.
The defendant appealed his sentence following a guilty plea to accessing a computer without authorization and recklessly causing damage of at least $5,000, contrary to 18 U.S.C. §1030(a)(5)(A)(ii). The record indicated that the defendant, who had been recently terminated from his job as a computer technician, made unauthorized access on several occasions to the victim’s wireless Internet access account–conduct that had the effect of preventing the victim, a small business, from accessing the Internet at the same time. The trial court determined that the victim had suffered $6,014 in losses for "lost productivity" due to conduct by the defendant that "adversely affected" their productivity.
The Court’s Holding
In an opinion by Judge Bauer, the Seventh Circuit held that a trial court’s consideration of lost productivity is proper; however, expenses incurred by the victim in assisting the government should be excluded from this calculation. The court stressed that costs incurred by victims primarily to aid the government in the prosecution and criminal investigation of an offense should be excluded. United States v. Schuster, 7th Cir., No. 05-4244, 10/27/06
Note that the trial court found $6,041 in losses. This is not much beyond the $5,000 statutory requirement. And, based on the court’s holding, most of it probably comes from lost productivity. It is not hard to reach the statutory minimum of damages when you include lost productivity. Imagine you send spam to a CEO’s computer. The CEO loses 2 hours trying to contact the IT helpdesk, have the spam cleaned, and the computer restored. This all counts as lost productivity and at the high billing rate of a high-level executive, the $5,000 damages cap can be reached very quickly.
My point, after all of this, is that the statutory requirement of $5,000 is too low. Or the prosecutors should exercise more discretion in prosecuting cases that really strike at what the Computer Fraud and Abuse Act was aimed - hacking and unauthorized access to computers, as opposed to acts that affect computers and cause some incidental damage.
Not from the Bible of Information Security, but very useful nonetheless. Comments in italics added by yours truly.
Original ideas by Business 2.0.
Cybercrime is a global problem and although we try to expand the reach and the scope of our comments to include international aspects of cybercrime law, we would like to hear from our international readers.
Are you familiar with the cybercrime law landscape of a particular country or geographic region? Would you like to use this forum to share your thoughts and engage cybercrime law experts around the world? We’d like to hear from you - please contact me at the address listed in my profile page.
I am attending what turns out to be a wonderful conference so far, "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead" organized by Georgetown CLE. The opening by Paul Kurtz of the Cyber Security Alliance was interesting and set the table for the conference - what information security legal frameworks are out there and what companies should do to protect themselves.
Thomas Smedinghoff of Wildman Harrold went through a great overview of the new developments and trends in the law of Information Security. It was interesting to see how the playing field is shifting from approaching information security and security breaches reactively to adopting security measures and proactively seeking to protect an organization from liability in case of a breach. Also, the balance between the push by law enforcement for increased data retention (for counter-terrorism, preventing online child abuse, etc.) on one hand and the security issues on the other hand is becoming very tricky. Many organizations find themselves under an affirmative duty to protect a piece of sensitive information they have, and at the same time there are requirements to preserve more.
An interesting case related to affirmative duties to properly protect information (especially within a litigation context) is American Express v. Vinhnee, 9th Cir. (2005). In this case, American Express sought to prevent the cancellation of Vinhnee’s debts in a bankruptcy proceeding. During a hearing in front of the Bankruptcy Court, American Express brought an expert witness who introduced American Express computer records, collected within the regular course of business, about Vinhnee’s financial affairs. Vinhnee did not attend the proceeding and the court, after hearing AmEx’s witness, declined to admit the records under the business records exception to the hearsay rule because AmEx’s lawyers could not prove that the information was properly secured.
Although this is one of the rare cases where a party goes to court, unopposed, and still manages to lose, the holding matters in another way - it shows that you need to show not only that business records were collected and kept in the regular course of business, but also that they were properly secured. Granted, a corporation such as AmEx would most likely (we all hope) have proper security mechanisms, and as long as its lawyers are on notice that they need to present that evidence to the court, things should be ok. However, litigants who know that their records are not properly secured may need to do more if they want to prevail in court.