May 13th, 2008 by dm | Email, Spam | No Comments

Yesterday, May 12th, the Federal Trade Commission (FTC) released a new rule under the CAN-SPAM Act.  The new rule seeks to clarify some of the requirements CAN-SPAM imposes on senders of bulk email. 

  • First, an E-mail recipient cannot be required by the sender to pay a fee, supply any information other than an E-mail address and opt-out preference, or take any steps other than sending a reply E-mail or visiting a single Web page to opt out.  From personal experience, many commercial websites add you automatically to their mailing list if you purchase something from them. This is fine; however, if you want to unsubscribe, often you have to click on a link in the email, go to a web page, enter your account information (or, if you do not have an account, your order number), then find out where the email preferences menu is hidden, and finally fill out a couple of forms to submit an opt-out request.  All of this is gone - there must be a single web page.
  • The definition of “sender” has been changed to make it easier  to determine which of multiple entities advertising in a single E-mail  message is responsible for complying with the Act’s opt-out requirements;
  • A “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement  that a commercial e-mail display a “valid physical postal address.” 

The new changes are small but helpful tweaks for Internet users.  Kudos to the FTC for staying on top of CAN-SPAM to make it a more effective and user-friendly regulation.  It is unfortunate, however, that it takes so long to implement some of the more obvious changes.

April 30th, 2008 by dm | Breaches, cfaa, 1030, Hacking, Forensics | No Comments

A decision from the U.S. District Court for the Northern District of California held that the costs associated with tracking down and discovering the identity of the person who stole proprietary information from a company do constitute "loss" for the purposes of calculating damages under the Computer Fraud and Abuse Act (CFAA).

The dispute in the case was between a company and its competitor.  Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show.  Plaintiff based its claim on the CFAA, which prohibits unauthorized access to a protected computer and allows any person who suffers damage or loss in excess of $5,000 due to another’s misuse to maintain a civil action.

Plaintiff relied on the CFAA and its $5,000 threshold by arguing that the costs of identifying the competitor company as the party that broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment in reliance on Tyco Int’l v. Does, which holds that the CFAA allows recovery for losses beyond mere physical damage to property, but that additional types of damages have generally been limited to assessing the damage caused to the system or resecuring the system following the attack.

The court distinguished the Tyco case on the facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who accessed the computer system without authorization.

 

April 25th, 2008 by dm | Breaches, Forensics | No Comments

Data breaches happen every day and, unfortunately, we are getting so used to hearing news about the most recent breach that it no longer makes an interesting report.  Most businesses of any significance will, sooner or later, become a victim of some sort of breach.  So the question becomes not whether you will suffer a data breach, but how you are going to respond when it happens.

The Wall Street Journal Business Technology Blog (WSJ) writes about the University of Miami’s (UM) response to their recent breach, in which thieves stole backup tapes containing two million medical records belonging to the University out of the back of a van last month.  WSJ notes that although the breach is nothing to be proud of, the response by the University of Miami is pretty impressive.

What made UM’s response so good? The university provided a detailed, but clear, account of what exactly happened and why the breach poses low risk.  UM hired outside consultants to conduct testing and to determine the likelihood of successful access to the data.  After the consultants reported that such likelihood was low, UM released the notification with a clear, common-sense explanation.

Hopefully this practice will become the model for responding to security breaches.

We have written in the past about the freedom of border agents to search laptops at border crossing points.

A new opinion (PDF) in United States v. Arnold by the Ninth Circuit Court of Appeals dated April 21, 2008, confirms this trend by holding that customs officers may examine electronic contents of a passenger’s laptop without reasonable suspicion. 

The Facts.  Arnold, a 43-year-old, arrived at Los Angeles International airport from the Philippines.  At Customs, he was sent to secondary inspection, where the officer asked him to turn on his laptop to determine whether it was functioning.  Once the computer booted up, the desktop showed folders named "Kodak Pictures" and "Kodak Memories."  The agents opened the folders and noticed pictures of nude women.  The agents then questioned Arnold about his computer and his trip, and upon review of the images, determined that there were several images which the agents believed to be child pornography.

The Opinion.  After a district court granted Arnold’s motion to suppress evidence, the Ninth Circuit reversed.  The Ninth Circuit based its opinion on Supreme Court precedent which held that the right of the United States to protect its border is paramount; however, such authority is not unlimited.  The two major exceptions for border searches without reasonable suspicion are searches which cause "exceptional damage to property" or searches conducted in a "particularly offensive manner."  The Ninth Circuit held that the record did not support a finding on either of the two exceptions and therefore the search was proper.

March 27th, 2008 by dm | Breaches, Email, Vulnerabilities | 1 Comment

Many emails happily reach their final and intended destination.  But some emails arrive where they were not intended to. Two recent stories suggest not only that people should be careful about what the "TO:" field in their email says, but also that they should use some common sense.

The first story is about the "donotreply.com" domain, whose owner admitted that he receives millions of unintended emails each week, many with substantially sensitive information.  Many senders of bulk email do not want each recipient to be able to hit ‘Reply’ and send a return message.  As a result, they just type something that is intended to remind the recipient not to email back, for example, "please@donotreply.com."  However, there are people who send emails back, and according to the owner of the donotreply.com domain, some of these wayward emails are very sensitive.  For example, a bank sent a PDF to a donotreply.com email address listing all computers within the bank that were not properly patched with up-to-date security settings.

The second story is about a website promoting Mildenhall, a small town in Suffolk, UK, which owned the domain www.mildenhall.com.  However, Mildenhall also hosts a U.S. Air Force base with 2,500 servicemen and women. As a result, mildenhall.com started receiving hundreds of emails intended for the US Air Force personnel at Mildenhall.  Among the emails received were future flight paths for Air Force One.  The domain’s owner tried to warn the US base, but the emails kept coming.  Finally, the domain owner decided to shut down the site so as to avoid confusion and the leak of potentially sensitive information.

These two stories highlight some of the biggest problems with email as a communication tool, especially for sensitive and unencrypted information.  First is the trend of domain owners turning on their "catch all" email setting, whereby all email directed to a particular domain, even if the email address does not exist, is captured and treated as "received" as opposed to being returned as "undeliverable."  The second is the casual approach towards email.  There are plenty of stories about major litigation blunders, competitive information disclosures, or simply embarrassing personal stories which have been sent to the wrong party and subsequently leaked to the world.  Email users, especially users dealing with sensitive information, should create a habit, if not a procedure, of checking every outgoing email for accuracy of the recipient, at the least.  Finally, the use of email for transmission of sensitive information without encryption is troubling.  What the appropriate threshold level for encrypting email is depends on the organization and the documents being transmitted, but the senders of the list of vulnerable PCs on the network or of the flight path of Air Force One should have known better and used encryption.
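As an added example of the kind of outgoing-recipient check recommended above (this is not code from the original post or from any real mail system), the script below parses an outgoing message, flags "do not reply" placeholder addresses that sit at a domain the organisation does not control (which, as the donotreply.com story shows, deliver to somebody else's mailbox or catch-all), and flags attachments addressed to external domains. The organisation's domain, the addresses and the two sample messages are all constructed for the example.

```python
# Added example: a pre-send recipient sanity check of the kind recommended
# above. Not code from the original post or from any real mail system;
# the domains, addresses and messages below are constructed for illustration.
import re
from email import message_from_string
from email.utils import getaddresses

# Domains the (hypothetical) sending organisation actually controls.
# A "noreply" address at one of these is harmless; the same address at a
# domain somebody else owns delivers straight into their mailbox.
OWN_DOMAINS = {"example-bank.test"}

# Placeholder spellings people type when they mean "do not write back".
PLACEHOLDER = re.compile(r"(do[-_.]?not[-_.]?reply|no[-_.]?reply)", re.IGNORECASE)


def recipients(msg):
    """Yield (header, address, domain) for every address in the headers
    that determine where the mail, or a reply to it, ends up."""
    for hdr in ("To", "Cc", "Bcc", "Reply-To"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if "@" in addr:
                yield hdr, addr, addr.rpartition("@")[2].lower()


def has_attachment(msg):
    """True if any MIME part carries a filename, i.e. is an attachment."""
    return any(part.get_filename() for part in msg.walk())


def check_outgoing(raw_message):
    """Return a list of findings for an outgoing RFC 822 message; an empty
    list means the recipient fields passed the check."""
    msg = message_from_string(raw_message)
    attached = has_attachment(msg)
    findings = []
    for hdr, addr, domain in recipients(msg):
        external = domain not in OWN_DOMAINS
        if external and PLACEHOLDER.search(addr):
            findings.append(
                f"{hdr}: placeholder address {addr} points at a domain you do not own")
        # Reply-To never receives the message itself, so only To/Cc/Bcc
        # recipients matter for the attachment rule.
        if external and attached and hdr != "Reply-To":
            findings.append(
                f"{hdr}: attachment addressed to external domain {domain}")
    return findings


# Constructed message modelled on the bank story above: a sensitive PDF
# goes to an external address, with a "please do not reply" Reply-To at a
# domain the bank does not own.
SAMPLE_LEAK = """\
From: alerts@example-bank.test
To: Partner Ops <ops@partner.test>
Reply-To: please@donotreply.com
Subject: Weekly patch report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the list of unpatched hosts.
--b1
Content-Type: application/pdf; name="unpatched-hosts.pdf"
Content-Disposition: attachment; filename="unpatched-hosts.pdf"

(constructed placeholder for PDF bytes)
--b1--
"""

# Constructed clean message: internal recipient, noreply at our own domain.
SAMPLE_CLEAN = """\
From: alerts@example-bank.test
To: ops@example-bank.test
Reply-To: noreply@example-bank.test
Subject: Weekly patch report

Nothing attached; see the ticket.
"""

if __name__ == "__main__":
    for label, raw in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        print(label, check_outgoing(raw) or "ok")
```

Run as a script it reports two findings for the first message (an attachment going to partner.test and a placeholder Reply-To at donotreply.com) and "ok" for the second. The point of keeping a list of owned domains is that the same "noreply" address is fine when the organisation owns the domain and a leak when it does not; a check on the local part alone would get this wrong in both directions.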

November 28th, 2007 by dm | Government, Identity Theft | No Comments

I resisted writing about the British Tax Authorities’ blunder disclosed last week when they lost two CDs full of sensitive information (bank accounts and social benefits information) of 25 million UK families.  The story received enough mainstream press attention and I was afraid that many of our readers were starting to suffer from "breach fatigue" - hearing all too often about security breaches and missing personal information.

The fundamental reasons why the breach occurred are all too common these days - e-mails released by the U.K.’s National Audit Office have confirmed that officials at Revenue and Customs did not want to remove sensitive information from child benefit data sent to the auditors because doing so would cost extra (although some experts have said that "sanitizing" the data could have cost less than the equivalent of $10,000).

Anyway, I could not resist writing about the recent development from the UK for a different reason.  In response to the initial breach, Revenue & Customs decided that it owed an apology to the families affected by the breach.  So it decided to mail them a personalized apology letter.  The letter, however, was too personalized - it included name, address, national insurance and child benefit numbers.  The information contained in this letter is all that identity thieves need to open bank accounts, claim benefits or even apply for passports on behalf of somebody else.

The UK authorities urge people who received the letters to destroy them after they have received and read them.  But there are a large number of families who will never receive theirs - either because they moved or because somebody ‘conveniently’ picked the letter out of their mailbox on their behalf.

So what follows next? A second apology letter to apologize for the loss of the CDs and for the first apology letter? No, instead the Revenue & Customs authorities are shifting the blame to the concerned citizens who did not receive the letter, saying that they should have updated their mailing address.

November 27th, 2007 by dm | About, Misc | No Comments

James Paulick, currently pursuing a Juris Doctor degree at Duquesne University in Pittsburgh, Pennsylvania, will be joining us in writing and contributing to this site.  James received his Bachelor of Science in Computer Science from Wheeling Jesuit University and his interests include digital evidence reliability in cybercrimes and property rights in virtual worlds.

We are happy to welcome James onboard and we are looking forward to his contributions.

November 15th, 2007 by dm | Breaches | No Comments

We wrote in May, under the title "Cost of Insecurity", about TJX Companies’ costs in connection with the security breach suffered in 2003/2004.  In a footnote in its November 13 earnings announcement (Edgar report), TJX increased its estimate of pre-tax charges for the credit card breach to $216 million (compare with the August estimate of $168 million) for the nine months ending on October 27, 2007.

This charge equals $0.28 per share.  TJX’s earnings per share are $1.43 and the total dividend for the past year was $0.34.  When the charge related to a security breach equals one-fifth of the EPS and four-fifths of the annual dividend, it should raise a big red flag to other companies to make sure that their data is secure.

November 9th, 2007 by dm | 1030, Law & Policy, Phishing | 2 Comments

Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030.  It has served well over the years since its enactment, but some prosecutors (and civil plaintiffs, to whom it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these criticisms, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.

The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:

First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not explicitly cover "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. The bill makes this explicit.

Second, the bill seeks to expand the damage threshold for protected computers from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period."  Currently, in order to be able to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum of $5,000 in damages caused by the alleged cybercrime.  In many cases this was not an issue, for example where the cybercrime caused a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses that the company incurred meet the $5,000 threshold.  Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of goodwill be calculated if the breach becomes public? In some cases these have proven to be difficult questions.

Other reasons to introduce the damage-to-10-computers requirement are a couple of relatively new types of crime - Distributed Denial of Service (DDoS) and botnets. Both are very closely interrelated in that the cybercriminal obtains control of a high number of computers (sometimes called ‘zombies’ and almost always substantially more than 10), which they use to disable Internet resources, send spam or phishing emails, or use the substantial aggregate computing and network power of these botnets for other evil purposes.  Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold.  Creating a 10-or-more-damaged-computers provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine.

The reality is that botnet operators can possibly be targeted under Section 1030 for the damages they do as a result of using the botnet to commit a specific act (e.g. spam, phish, DDoS); however, the new proposed provision would allow prosecution before the cybercriminals strike, not after.  Kudos for giving tools for proactive legal measures against such acts.

The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from a computer as computer damage, and thus eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage.  Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange for either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way.  The new provision covers these and similar situations.

The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."

October 29th, 2007 by dm | Breaches, Hacking | 1 Comment

The challenge in the information security field today does not usually lie in the transmission; instead, it lies in securing the end points. There is a lot of mainstream press about Switzerland’s approach to securing their electronic elections by using quantum cryptography.  Most of the press touts the Swiss’ decision to "use ‘unbreakable’ encryption method in upcoming elections" as the solution to all of the recent woes in securing electronic elections.  The Swiss will use individual particles of light — or quantum technology — to encrypt election results as they are sent for central processing.

That sounds great, and many of the news stories seem to suggest that the Swiss have found the silver bullet for secure elections. This could not be further from the truth, and many of the news accounts are misleading at best.  What the Swiss did was to find another (fancy-sounding) way of transmitting data securely. But this is not what bothers security researchers and governments wishing to conduct electronic elections. It is not the transmission, it is the endpoints that are causing the most security breaches. There are various (and pretty decent) solutions for securing traffic - PGP, SSL, SSH, VPN - but few good solutions for securing the actual voting machine. In fact, by writing about the ‘unbreakable’ security of the Swiss voting, the press does a disservice to everybody except the folks who are trying (and may succeed) to penetrate a voting machine.

The Swiss should be given credit for trying to strengthen the transmission security. But the press should tell the whole story.
