Eric Goldman alerts us to a new bill pending in New York which would make it a crime to sell domain names to terrorist organizations. The relevant portion of the proposed bill is,

A person is guilty of criminal sale of an internet domain name to a terrorist group when he or she knowingly sells or provides without charge an internet domain name to any organization included on the list of organizations engaged in terrorist activities or who pose a terrorist threat compiled, maintained and updated by the state office of homeland security pursuant to paragraph (t) of subdivision two of section seven hundred nine of the executive law. Criminal sale of an internet domain name to a terrorist group is a class A misdemeanor.

Read the full text at New York State Legislature, search for bill A5026/S63 (direct linking not possible)

I do not doubt that the bill honestly aims to prevent terrorism by making it difficult for terrorist organizations to obtain web domain registrations, at least in the State of New York. But is this a practical solution? Let’s say that a domain name registrar who is located in New York has to comply with this law. What would they do? They would have to constantly update the list of terrorist organizations maintained by the local DHS office, then for each new domain registration compare against the list. Arguably, this can be automated to some degree.

The problem comes from the fact that the domain name registration system does not require a shred of verification as to the identity of the domain name registrant. In fact, many registrants, among them spammers, phishers, and terrorists, would not even bother putting the name and address information in proper format. The falsity and unreliability of the whois domain records are notorious. So why does the New York legislature think that registrants would start using their real information especially when they try to obtain a domain name for hostile purposes?

The law, if passed, would do no more than create some additional requirements on domain registrants who are subject to the law and not much else. Other than raising the cost of doing business to domain registrars with little effect, the legislature may think about how it can improve the reliability of the information provided by registrants in the first place.

Korea shows in the top of many statistics tracking spam, phish, zombies, or other various kinds of cybercrimes. Why is this?

There are few apparent reasons - the dominance of the Windows OS in Korea, anecdotal lack of interest in cybersecurity, and state-of-the-art Internet infrastructure make Korea a top choice for cybercriminals. The numbers showing Korea as one of the top producers of Internet threats is not due to Koreans’ bad manners or nature. In fact, most of the attacks originating from Korea are not even caused by Koreans - instead, criminals from all over the world target Korean computers and try to create zombie networks with Korean computers just because they are guaranteed high throughput and efficiency of their attacks.

Because roughly 14 million of the nation’s 15.5 households are connected to always-on high-speed Internet, Korea makes a prime target for virus and worm viruses. The Korean government even plans to increase the speed of the Internet to 100 megabits per second by 2010, about 50 times faster than the current speed.

The February 6 DDoS attack on critical DNS servers was attributed partially to a large number of Korean computers. Attackers tried to bring the Internet infrastructure by using zombie computers with high-speed Internet connection to send a flood of packets. The February 6 attacks were largely unsuccessful but it shows that in the future, with a larger number of PCs connected to a faster Internet service, such attacks may be successful.

Korea has done a great job in creating an exemplary Internet infrastructure and has achieved the highest broadband penetration in the world. But with success comes responsibility, and the Korean government should take steps to educate and protect technologically the network they have created.

The Wall Street Journal has an interesting article ($ reg. required) (and WSJ Law Blog commentary) about Department of Justice’ patterns of bringing cybercrime cases in, sometimes, distant to the defendants forums.

Cybercrimes give the feds enormous leeway to pick jurisdictions where they brings cases, reports today’s WSJ. The Sixth Amendment holds that federal criminal cases should be tried in the state and district in which an offense was committed, but some critics say that the government is “forum shopping” when it comes to prosecuting alleged Internet offenses such as online child pornography or gambling.

The government denies it is seeking a home-court advantage. Prosecutors may pick venues based on the locale of the FBI office that initiates a case, says an FBI spokesman.

The article points to a recent case where DOJ brought a suit against a Connecticut defendant in Alexandria, VA on the ground that the SEC’ Edgar system, which is located in Alexandria, VA, allows the case to be brought in Alexandria. The federal district court in Alexandria, known as the “rocket docket” for its speedy case management, granted defendants’ request to transfer the case because of inconvenience.

A recent interpretation of Section 230 of the Communication Decency Act by a California Court of Appeals held that an employer is immune from liability based on an employee’s use of its communication networks and systems to send threatening messages. The case is Delfino v. Agilent Technologies, Inc., 06 C.D.O.S. 11380 (Cal. App. December 14, 2006)

The facts are as follows. Plaintiff Delfino was subject to a number of threatening messages sent anonymously over email and posted on Yahoo bulletin boards. The plaintiff contacted the FBI which was able to find out that the source was an employee of defendant Agilent. Eventually the employee admitted that he sent the threatening messages and that he used his work computer to do so. Agilent terminated the employee shortly after.

Plaintiff then sued Agilent under tort law for intentional and negligent infliction of emotional distress. They claimed that Agilent was liable under the respondeat superior doctrine and argued that Agilent was aware that the empoyee was using its computer systems to send the threats and took no action to prevent him from doing so.

Agilent claimed immunity under Section 230 of the CDA. The relevant portion states in part that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” and “No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.” 47 U.S.C. § 230, subds. (c)(1) & (e)(3). Trial court agreed with Agilent and dismissed the case.

On appeal the Court of Appeals affirmed the lower court holding that Agilent was an interactive computer service provider immune under CDA from liability. The court’s reasoning was that one of Section 230’s rationales was to encourage Internet service providers to self-regulate and prevent chilling of speech that would result from imposing liability on companies for speech which merely “flows” through the company network regardless of whether it is authorized or not. Subsequently, the court held that Agilent provided Internet access through its computer servers and is therefore provides “interactive computer services.” The court also noted that Agilent was not on notice of its employee’s cyberthreats and that applying Section 230 immunity in the case would not be inconsistent with CDA.

As a result, employees may be successfully able to claim immunity under Section 230 in circumstances where employees are vigilant in developing and disseminating acceptable use of electronic resources policies and are proactive in detecting and acting on reports of misuse of its electronic assets.

In case you need to track who printed a particular page - EFF has done some good work in cracking the “tracking dot” code some printers secretly print on every page.

The DocuColor series prints a rectangular grid of 15 by 8 miniscule yellow dots on every color page. The same grid is printed repeatedly over the entire page, but the repetitions of the grid are offset slightly from one another so that each grid is separated from the others. The grid is printed parallel to the edges of the page, and the offset of the grid from the edges of the page seems to vary. These dots encode up to 14 7-bit bytes of tracking information, plus row and column parity for error correction. Typically, about four of these bytes were unused (depending on printer model), giving 10 bytes of useful data. Below, we explain how to extract serial number, date, and time from these dots.

More.

Many organizations place a very strong emphasis on external security - firewalls, VPN, special network routing, etc. However, a substantial portion of the information security risk comes from within the organization - the “insider threats.” A 2005 survey conducted by US Secret Service, CERT, and CSO magazine showed that where respondents to the survey could identify the attacker, 20% of the attacks were committed by insiders. The impact may be as small as few hours of lost productivity to as much as $700 million in a complex financial fraud case.

A report by the Carnegie Mellon’s CyLab entitled “Common Sense Guide to Prevention and Detection of Insider Threats” released in July 2006 is a very good multi-step approach on improving accountability and decreasing the chance of insider attacks. The full report, of about 45 pages, can be found here.

Here are some of the major points outlined in the report. First and foremost, insiders are a threat to any organization which has anything to protect. Regardless of whether this is confidential client information, proprietary software code, trade secrets, or information which is of value to a third party, an organization is at risk. There are some ways to decrease the risk of insider threats, however, the nature of the relationship between the parties poses some difficulties.

Areas of Insider Threats

Generally, there are three areas of insider threats. Insider IT sabotage, fraud, and theft of information.

With insider IT sabotage the threats come most often from disgruntled current or former employees or clients who intentionally misuse their account permissions to cause damage. Most of these insiders act out of revenge for some negative event in the past such as termination, demotion, dissatisfaction with job or salary and others. Using somebody else’s account (by knowledge or by compromising it) is usually the most often used method to gain access to information; however, creating backdoors or misusing accounts which were not eliminated upon employee’s departure are also common.

With fraud the threats come from current employees, very often in positions such as data entry which require access to sensitive or valuable information. Almost all of the cases of fraud committed by insiders were done by using legitimate user commands, most of the insiders used their own username and password, and most committed the fraud from their workplace. Such frauds are most commonly detected by system irregularities or by complaints by clients or law enforcement.

With theft of proprietary information the threats come mainly from current employees. Most of them are financially motivated while most feel that they are entitled to the information. Most of the insiders under this category had access to the information they took and most used their own username and password to commit the acts. Theft of information is generally hard to detect and when it is detected, most often it is because of notification by a third party.

Among the above observations, it is important to add that according to the research, almost half ot eh employees who stole information while still employed had already accepted other job offers. This shows that extra caution should be exercised once the organization becomes aware of this type of information, either formally or via rumor.

Best Practices for Prevention and Detection of Insider Threats

The paper proposes thirteen practices that should help an organization decrease its risk of insider threats. A brief summary of the proposed practices follows.

Practice 1. Institute periodic enterprise-wide risk assessments. Similar to any effort in preventing security breaches, a risk assessment should be done to evaluate what the organization’s needs, strengths, and weaknesses are. The results of this analysis should dictate many of the other practices.

Practice 2. Institute periodic security awareness training for all employees. This should be already in place - not only to prevent insider threats, but to raise the general security awareness of employees and stop external attacks, such as phishing, as well.

Practice 3. Enforce separation of duties and least privilege. No employee should be responsible along for a critical system and an employee should have exactly as much privileges as necessary to do his or her job.

Practice 4. Implement strict password and account management policies. Similar to the security awareness practice, this should be in place regardless of the threat being addressed. Strict password and account management policies prevent from both insider and external threats.

Practice 5. Log, monitor, and audit employee online actions. This is not to say that you should spy on your employees. But appropriate logging and monitoring should be conducted after employees are made aware.

Practice 6. Use extra caution with system administrators and privileged users. Because system administrators in many cases perform the logging and monitoring, special attention should be paid to persons with heightened privileges.

Practice 7. Actively defend against malicious code. Logic bombs and stealth code can be very hard to detect; therefore extra effort should be made for early detection.

Practice 8. Use layered defense against remote attacks. If employees are trained and vigilant and if they know that their actions are being monitored then they are less likely to attack their systems.

Practice 9. Monitor and respond to suspicious and disruptive behavior. Suspicious behavior should be investigated closely instead of being dismissed. Follow-up by management is necessary.

Practice 10. Deactivate computer access following termination. It may sound like the best and most important practice out of this list; however, according to the research, many insiders (especially system administrators) do not use their own accounts to commit an illegal act. Thus, deactivating access following termination is important, but is not the silver bullet many organizations think it is.

Practice 11. Collect and save data for use in investigations. Proper log files and audit trails should be preserved, secured, and authenticated well. If criminal prosecution (or for that matter civil litigation as well) is to follow, evidence to be used at trial should be properly kept and authenticated. Also, special problems are raised by logging system administrators’ activities because they may be in a position to easily modify the log trail.

Practice 12. Implement secure backup and recovery process. Many of the sabotage acts done by insiders involved destroying valuable information on site and on backup tapes. Backup tapes (especially containing valuable information) should be properly secured and access should be separated among at least two people.

Practice 13. Clearly document insider threat controls. This would help in subsequent policy reviews, will create a better understanding of the policies, and will provide for fewer misconceptions that the organization is acting in a discriminatory manner.