We have written in the past of the dangers of file sharing not so much from copyright prosecution point (although the dangers are real) but so much from having the file sharing software "incidentally" share files located on the networked computer.   A high-profile data breach from the Washington, DC area confirms the dangers.  The case is about having investment and personal information of high-powered Washington, DC figures, including Supreme Court justices, shared to anybody in the world.

From the article which appeared this morning in the Washington Post:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm’s clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.

It is very difficult to protect against this type of breach, as it is due to human error.  Many companies have IT policies which prohibit file sharing software.  Many IT departments are successfully able to block "some" of the file sharing P2P traffic.  But there are always some who download, install, and run the file sharing software on company hardware containing sensitive information without much regard of the consequences.

A decision from the U.S. District Court for the Northern District of California held that the costs associated with the tracking and discovery of the identity of the person who stole proprietary information from a company does constitute "loss" for the purposes of calculation of damages under the Computer Fraud and Abuse Act (CFAA).

The dispute in the case was between a company and its competitor.  Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show.  Plaintiff based its claim under CFAA which prohibits unauthorized access to a protected computer and any person who suffers damage or loss in excess of $5,000 due to another’s misuse may maintain a civil action. 

Plaintiff relied on CFAA and its $5,000 threshold by arguing that the costs to identify that it was the competitor company who broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment, in reliance of Tyco Int’l v. Does, which holds that CFAA allows recovery for losses beyond mere physical damage to property but additional types of damages have generally been limited to accessing the damage caused to the system or to resecure the system following the attack.

The court distinguished the Tyco case on the facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who did access the computer system without authorization.

 

Data breaches happen every day and, unfortunately, we are getting so used to hearing news about the most recent breach that it no longer creates an interesting report.  Most businesses of any significance will, soon or later, become a victim of some sort of breach.  So the question becomes not whether you will suffer a data breach, but how are you going to respond to one when it happens.

The Wall Street Journal Business Technology Blog (WSJ) writes about the University of Miami’s (UM) response to their recent breach when thieves stole backup tapes containing two million medical records belonging to the University out of the back of a van last month.  WSJ notes that although the breach is nothing to be proud about, the response by University of Miami is pretty impressive.

What made UM’s response so good? The university provided a detailed, but clear, response to what exactly happened and why the breach poses low risk.  UM hired outside consultants to conduct testing and to determine the likelihood of successful access to the data.  After the consultants reported that such likelihood was low, UM released the notification with clear and common sense explanation.

Hopefully this practice should become the model to responding to security breaches.

Many emails happily reach their final and intended destination.  But there are some emails which arrive where they are not intended to. There are two recent stories which suggest not only how people should be careful what the "TO:" field in their email says, but also use some common sense. 

The first story is about the "donotreply.com" domain, whose owner admitted that he receives millions of unintended emails each week, many with substantially sensitive information.   Many senders of bulk email do not want to have each recipient to be able to hit ‘Reply’ and send a return message.  As a result, they just type something that is intended to remind the recipient not to email back, for example, "please@donotreply.com."  However, there are people who send emails back, and according to the owner of the donotreply.com domain, there are some very sensitive wayward emails.  For example, a bank sent to a donotreply.com email address a PDF with a list of all computers within the bank which are not properly patched with up-to-date security settings. 

The second story is about a website promoting Mildenhall, a small town in Suffolk, UK, which owned the domain www.mildenhall.com.  However, Mildenhall also hosted a U.S. Air Force base with 2,500 servicemen and women. As a result, the mildenhall.com started receiving hundreds of emails, intended for the US Air Force personnel at Mildenhall.  Among the emails received, future flight paths for Air Force One.  The domain’s owner tried to warn the US base, but the emails kept coming.  Finally, the domain owner decided to shut down the site as to avoid confusion and leak of potentially sensitive information.

These two stories highlight some of the biggest problems with email as a communication tool, especially for sensitive and unencrypted information.  First is the trend of domain owners turning on their "catch all" email setting whereby all email directed to a particular domain, even if the email address does not exist, is captured and treated as "received" as opposed to being returned as "undeliverable."  The second is the casual approach towards email.  There are plenty of stories about major litigation blunders, competitive information disclosures, or simply embarassing personal stories which have been sent to the wrong party and subsequently leaked to the world.  Email users, especially users dealing with sensitive information, should create a habit, if not a procedure, of checking every outgoing email for accuracy of the recipient, at the least.  Finally, the use of email for transmission of sensitive information without encryption is troubling.  What is the appropriate treshold level for encrypting email - that depends on the organization and the documents being transmitted, but the senders of the list of vulnerable PCs on the network or of the flight path of Air Force One should have known better to use encryption.

We wrote in May, under the title "Cost of Insecurity" about TJX Companies’ costs in connection with the security breach suffered in 2003/2004.  In a footnote in its November 13 earnings announcement (Edgar report), TXJ increased its estimate of pre-tax charges for the credit card breach to $216 million (compare with the August estimate of $168 million) for the 9-months ending on October 27, 2007.

This charge equals to $0.28 per share.  TJX’s earnings per share are $1.43 and the total divident for the past year was $0.34.  When the charge related to a security breach equals  one-fifth of the EPS and  four-fifths of the annual divident, it should raise a big red flag to other companies to make sure that their data is secure. 

The challenge in the information security field today does not usually lie in the transmission; instead, it lies in securing the end points. There is a lot of mainstream press about Switzerland’s approach to securing their electronic elections by using quantum cryptography.  Most of the press touts the Swiss’ decision to "use ‘unbreakable’ encryption method in upcoming elections" as the solution to all of the recent woes in securing electronic elections.  The Swiss will use individual particles of light — or quantum technology — to encrypt election results as they are sent for central processing.

That sounds great, and many of the news stories seem to suggest that the Swiss have found the silver bullet to having secure elections. This cannot be further from the truth and many of the news accounts are misleading at best.  What the Swiss did was to find another (fancy-sounding) way of transmitting data securely. But this is not what bothers security researchers and governments wishing to conduct electronic elections. It is not the transmission, it is the endpoints that are causing the most security breaches. There are various (and pretty decent) solutions for securing traffic - PGP, SSL, SSH, VPN - but few good solutions of securing the actual voting machine. In fact, by writing about the ‘unbreakable’ security of the Swiss voting, the press does a disservice to anybody but the folks who are trying (and maybe succeed) to penetrate a voting machine.

The Swiss should be given credit for trying to strengthen the transmission security. But the press should tell the whole story.

The Wall Street Journal reports on a troubling new vector of cyber attacks - emails carrying Trojan-infected Microsoft Word attachments directed to senior executives in major corporations. The emails purported to be from an employment service and offered attachments supposedly containing information on potential job candidates. Luckily for these executives, the emails were captured by MessageLabs, an email security company, which monitors the incoming email traffic of its clients for spam and viruses.

According to MessageLabs, during a two-hour period on June 24, 514 messages tailored to senoir executives were captured. On Sep. 12 and 13, the company captured 1,100 messages in a 16-hour period. Although email security experts are well familiar with phishing, this form of attack seems to go beyond the mass-scale fraudulent emailing with the hope that even a very low response rate would yield some personal information. The new email attack has been seen in the past but in smaller numbers and mainly directed to sensitive personnel in government or military. The new attacks suggest that a fairly low-tech attack can yield an open-door access to a major executive’s computer and all the information stored on it. This potentially places high-value information, such as incoming deals, regulatory or other action, at the hands of criminals who can abuse it directly or profit from it by trading securities before the news reaches the public.

All major news sources this morning are running the story of Jammie Thomas, the Minnesota woman who was the first to take the RIAA illegal file sharing accusations to court, and the jury judgment of $220,000 against her and in favor of the recording industry. [WaPo]

I will not comment on the merits of this lawsuit. Instead, I will mention one of Ms. Thomas’ defenses and its merits. During trial, Thomas defended on the ground that someone else was using her Internet connection. Her lawyer suggested in his questioning that someone other than Thomas — someone outside her window, or a neighbor — could have been responsible if she used a wireless router. That could have allowed anyone nearby to utilize her Internet connection, using the same IP address that led the record companies to Thomas.

If the jury had believed this possibility, they would not have found against Thomas. And this may be because of the specifics of this case - Thomas used the same login name in her P2P file sharing software as she used to login to her computer and myspace. If you are a neighbor stealing bandwidth, would you still use your neighbor’s unique login name to connect to file sharing services? Would you even know what the login name is? In theory, this information should be easily obtainable but I cannot think of a good motive to use such login name except maybe malice.

Seems like the "open wireless" defense becomes a staple for all cybercrime defense lawyers - it casts a shadow of a doubt on whether the defendant was the one actually using the connection at the time of the alleged wrongdoing. Almost every home now has a wireless router and there are statistics out there suggesting that a large portion of them have no or weak protection at all. (See more on wireless protection here.) But the Minnesota case shows that not every case is appropriate for this defense. In addition, at some point courts and juries may decide that if it is your wireless access point, you are responsible for what goes through it, with or without your knowledge. Currently the state of law is such that we are far from wireless point strict liability, but after a sufficient number of cases where such this defense is rejected, its usefulness may be zero.

Personal information on a few thousand ABM Amro Mortgage Group (unit of Citigroup) customers has been leaked out to anybody in the world through a peer-to-peer (P2P) software. The names, Social Security numbers, and mortgage information of some 5,200 people which was stored on an employee laptop was shared via the LimeWire P2P software.

While it is unclear how many times the information has been downloaded over the P2P network, the fact that a computer containing a large amount of personal information was allowed to run P2P software is inexcusable. In all likelihood, Citigroup (or ABM Amro Mortgage) have some sort of restrictions (administrative policy or an IT set of software restrictions) which prohibit P2P sharing in general and in all likelihood the employee who used the laptop in question did so without authorization. Even so, the problem remains at Citi and their IT security personnel for failing to prevent or detect such software earlier. Placing the blame on the individual user is not an excuse as it is Citi’s reputation (and possibly checkbook after claims by these 5,200 affected people are filed) on the line.

According to Pike & Fischer, in testimony at a July House subcommittee hearing on P2P risks, LimeWire Chairman Mark Gorton said that a "small fraction" of users override safe default settings that come with the program, despite the company’s warnings and precautions. The company is working on a "new generation of user interfaces and tools designed with neophyte users in mind," making it "even easier for users to see which files they are sharing and to intuitively understand the controls available to them," he said.

Even if LimeWire is successful in preventing users from ‘inadvertently’ sharing their business documents folders, a company which takes its intellectual property and information security and privacy seriously should, in most cases, take proactive steps to weed out P2P software from its networks.