February 12th, 2007 by dm | Forensics, Law & Policy | No Comments

The Wall Street Journal has an interesting article ($ reg. required) (and WSJ Law Blog commentary) about the Department of Justice's pattern of bringing cybercrime cases in forums that are sometimes distant from the defendants.

Cybercrimes give the feds enormous leeway to pick jurisdictions where they bring cases, reports today's WSJ. The Sixth Amendment holds that federal criminal cases should be tried in the state and district in which an offense was committed, but some critics say that the government is "forum shopping" when it comes to prosecuting alleged Internet offenses such as online child pornography or gambling.

The government denies it is seeking a home-court advantage. Prosecutors may pick venues based on the locale of the FBI office that initiates a case, says an FBI spokesman.

The article points to a recent case where DOJ brought a suit against a Connecticut defendant in Alexandria, VA on the ground that the SEC's EDGAR system, which is located in Alexandria, VA, allows the case to be brought there. The federal district court in Alexandria, known as the "rocket docket" for its speedy case management, granted the defendant's request to transfer the case because of inconvenience.

February 5th, 2007 by dm | Law & Policy, Privacy | No Comments

A recent interpretation of Section 230 of the Communications Decency Act by a California Court of Appeals held that an employer is immune from liability based on an employee's use of its communication networks and systems to send threatening messages. The case is Delfino v. Agilent Technologies, Inc., 06 C.D.O.S. 11380 (Cal. App. December 14, 2006).

The facts are as follows. Plaintiff Delfino was subject to a number of threatening messages sent anonymously over email and posted on Yahoo bulletin boards. The plaintiff contacted the FBI, which was able to find out that the source was an employee of defendant Agilent. Eventually the employee admitted that he sent the threatening messages and that he used his work computer to do so. Agilent terminated the employee shortly afterwards.

Plaintiff then sued Agilent under tort law for intentional and negligent infliction of emotional distress. He claimed that Agilent was liable under the respondeat superior doctrine and argued that Agilent was aware that the employee was using its computer systems to send the threats and took no action to prevent him from doing so.

Agilent claimed immunity under Section 230 of the CDA. The relevant portion states in part that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider," and "No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section." 47 U.S.C. § 230, subds. (c)(1) & (e)(3). The trial court agreed with Agilent and dismissed the case.

On appeal, the Court of Appeals affirmed the lower court, holding that Agilent was an interactive computer service provider immune under the CDA from liability. The court's reasoning was that one of Section 230's rationales was to encourage Internet service providers to self-regulate and to prevent the chilling of speech that would result from imposing liability on companies for speech which merely "flows" through the company network, regardless of whether it is authorized or not. Accordingly, the court held that Agilent, which provided Internet access through its own computer servers, therefore provides "interactive computer services." The court also noted that Agilent was not on notice of its employee's cyberthreats and that applying Section 230 immunity in the case would not be inconsistent with the CDA.

As a result, employers may be able to successfully claim immunity under Section 230 in circumstances where they are vigilant in developing and disseminating acceptable-use policies for electronic resources and are proactive in detecting and acting on reports of misuse of their electronic assets.

February 1st, 2007 by dm | Law & Policy | No Comments

Many organizations place a very strong emphasis on external security - firewalls, VPN, special network routing, etc. However, a substantial portion of the information security risk comes from within the organization - the "insider threat." A 2005 survey conducted by the US Secret Service, CERT, and CSO magazine showed that, where respondents to the survey could identify the attacker, 20% of the attacks were committed by insiders. The impact may be as small as a few hours of lost productivity or as large as $700 million in a complex financial fraud case.

A report by Carnegie Mellon's CyLab entitled "Common Sense Guide to Prevention and Detection of Insider Threats," released in July 2006, offers a very good multi-step approach to improving accountability and decreasing the chance of insider attacks. The full report, of about 45 pages, can be found here.

Here are some of the major points outlined in the report. First and foremost, insiders are a threat to any organization which has anything to protect. Regardless of whether this is confidential client information, proprietary software code, trade secrets, or information which is of value to a third party, an organization is at risk. There are ways to decrease the risk of insider threats; however, the nature of the relationship between the parties poses some difficulties.

Areas of Insider Threats

Generally, there are three areas of insider threats: insider IT sabotage, fraud, and theft of information.

With insider IT sabotage, the threats come most often from disgruntled current or former employees or contractors who intentionally misuse their account permissions to cause damage. Most of these insiders act out of revenge for some negative event in the past, such as termination, demotion, or dissatisfaction with their job or salary. Using somebody else's account (by knowing its credentials or by compromising it) is the most commonly used method to gain access to information; however, creating backdoors or misusing accounts which were not eliminated upon an employee's departure are also common.

With fraud, the threats come from current employees, very often in positions such as data entry which require access to sensitive or valuable information. Almost all of the cases of fraud committed by insiders were done using legitimate user commands; most of the insiders used their own username and password, and most committed the fraud from their workplace. Such frauds are most commonly detected through system irregularities or through complaints by clients or law enforcement.

With theft of proprietary information, the threats come mainly from current employees. Most are financially motivated, while most also feel that they are entitled to the information. Most of the insiders in this category had access to the information they took, and most used their own username and password to commit the acts. Theft of information is generally hard to detect, and when it is detected, it is most often because of notification by a third party.

In addition to the above observations, it is important to note that, according to the research, almost half of the employees who stole information while still employed had already accepted other job offers. This shows that extra caution should be exercised once the organization becomes aware of this type of information, either formally or via rumor.

Best Practices for Prevention and Detection of Insider Threats

The paper proposes thirteen practices that should help an organization decrease its risk of insider threats. A brief summary of the proposed practices follows.

Practice 1. Institute periodic enterprise-wide risk assessments. Similar to any effort in preventing security breaches, a risk assessment should be done to evaluate what the organization’s needs, strengths, and weaknesses are. The results of this analysis should dictate many of the other practices.

Practice 2. Institute periodic security awareness training for all employees. This should be already in place - not only to prevent insider threats, but to raise the general security awareness of employees and stop external attacks, such as phishing, as well.

Practice 3. Enforce separation of duties and least privilege. No employee should be solely responsible for a critical system, and an employee should have exactly as many privileges as necessary to do his or her job, and no more.

Practice 4. Implement strict password and account management policies. Similar to the security awareness practice, this should be in place regardless of the threat being addressed. Strict password and account management policies protect against both insider and external threats.

Practice 5. Log, monitor, and audit employee online actions. This is not to say that you should spy on your employees. But appropriate logging and monitoring should be conducted after employees are made aware.

Practice 6. Use extra caution with system administrators and privileged users. Because system administrators in many cases perform the logging and monitoring, special attention should be paid to persons with heightened privileges.

Practice 7. Actively defend against malicious code. Logic bombs and stealth code can be very hard to detect; therefore extra effort should be made for early detection.

Practice 8. Use layered defense against remote attacks. If employees are trained and vigilant, and if they know that their actions are being monitored, then they are less likely to attack their systems.

Practice 9. Monitor and respond to suspicious and disruptive behavior. Suspicious behavior should be investigated closely instead of being dismissed. Follow-up by management is necessary.

Practice 10. Deactivate computer access following termination. It may sound like the best and most important practice out of this list; however, according to the research, many insiders (especially system administrators) do not use their own accounts to commit an illegal act. Thus, deactivating access following termination is important, but is not the silver bullet many organizations think it is.

Practice 11. Collect and save data for use in investigations. Proper log files and audit trails should be properly preserved, secured, and authenticated. If criminal prosecution (or, for that matter, civil litigation) is to follow, evidence to be used at trial must be properly kept and authenticated. Also, special problems are raised by logging system administrators' activities, because they may be in a position to easily modify the log trail.
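As an added illustration of Practice 11 (example code written for this page, not from the CyLab report), the following Python builds a tamper-evident audit trail: each entry carries an HMAC chained to the previous entry's MAC under a key assumed to be held by a custodian outside the administrator group, so a later edit, a deletion in the middle of the file, or an entry forged without the key is reported by verification. The key, the sample events and the field names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the verification key is assumed to be held by
# a custodian outside the administrator group whose actions are being logged,
# so an administrator who can edit the log file cannot recompute valid MACs.
CUSTODIAN_KEY = b"constructed-example-key-replace-in-real-use"
GENESIS_MAC = "0" * 64

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2007-01-15T08:02:11", "user": "jsmith", "action": "login", "host": "ws-101"},
    {"ts": "2007-01-15T08:40:03", "user": "admin1", "action": "useradd", "target": "svc_tmp"},
    {"ts": "2007-01-15T09:12:55", "user": "admin1", "action": "chmod", "target": "/srv/payroll"},
    {"ts": "2007-01-15T17:30:00", "user": "jsmith", "action": "logout", "host": "ws-101"},
]


def _entry_mac(key: bytes, prev_mac: str, record: Dict) -> str:
    """HMAC over the previous entry's MAC plus this record's canonical JSON,
    so each entry commits to everything logged before it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], record: Dict, key: bytes = CUSTODIAN_KEY) -> Dict:
    """Append a record to the chained log and return the stored entry."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"seq": len(log), "record": record, "mac": _entry_mac(key, prev_mac, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], key: bytes = CUSTODIAN_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry.
    Catches edited records, reordered or deleted entries in the middle, and
    entries forged without the custodian key. Truncating the tail is NOT
    detected here; for that, the custodian must also record the latest MAC."""
    prev_mac = GENESIS_MAC
    for expected_seq, entry in enumerate(log):
        if entry.get("seq") != expected_seq:
            return expected_seq
        if not hmac.compare_digest(entry["mac"], _entry_mac(key, prev_mac, entry["record"])):
            return expected_seq
        prev_mac = entry["mac"]
    return None


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for rec in SAMPLE_EVENTS:
        append_entry(log, rec)
    return log


def tamper_scenarios() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Three ways a privileged user might alter the trail, and what verification reports."""
    # 1. An administrator rewrites entry 2 to attribute the chmod to a service account.
    edited = build_sample_log()
    edited[2]["record"]["user"] = "svc_tmp"
    # 2. The useradd entry is removed from the middle of the file.
    deleted = build_sample_log()
    del deleted[1]
    # 3. A plausible-looking entry is appended without the custodian key.
    forged = build_sample_log()
    append_entry(forged, {"ts": "2007-01-15T18:00:00", "user": "jsmith", "action": "login"}, key=b"wrong")
    return verify_chain(edited), verify_chain(deleted), verify_chain(forged)


if __name__ == "__main__":
    print("intact log verifies:", verify_chain(build_sample_log()) is None)
    print("first bad seq (edited, deleted, forged):", tamper_scenarios())
```

The chain authenticates what was written, not who wrote it truthfully; entries an administrator falsifies at the moment of logging still verify, which is why the report pairs this practice with Practice 6.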

Practice 12. Implement secure backup and recovery processes. Many of the sabotage acts done by insiders involved destroying valuable information both on site and on backup tapes. Backup tapes (especially those containing valuable information) should be properly secured, and access to them should be divided among at least two people.

Practice 13. Clearly document insider threat controls. This will help in subsequent policy reviews, create a better understanding of the policies, and reduce misconceptions that the organization is acting in a discriminatory manner.

January 31st, 2007 by dm | Hacking, Law & Policy | No Comments

An interesting story floats around many NBC stations and other major news outlets about a site that protects you from identity theft. It goes along the lines of, "Do you want to make sure your social security and credit card numbers are not stolen? Then come to this website, enter your social security number or your credit card number and we will check for you."

I will not name the site because, in my opinion, it does not deserve any additional traffic. The point is that although it may seem a great idea, and would seem very appealing to the mainstream media in times of heightened sensitivity to identity theft, this kind of service poses more dangers than benefits. It is also somewhat ironic - by trying to prevent your social security number from appearing on the Internet, you go on the Internet and voluntarily type it into a search engine, which, in turn, searches some portion of the Internet to figure out whether there is a match. This just sounds wrong.

The site owners make a statement in their defense (and in an attempt to appease people like me who feel this is not right):

Your credit card number or social security number alone has little value. These numbers can only be used to commit fraud when they are attached to an address, name, date of birth, expiration date, CVV2, etc. We never know any of this information; therefore, searching for a number with StolenID Search carries little risk of harming you, even in the worst case scenario.

Although true, this statement doesn't tell the entire story. Having somebody's social security or credit card number by itself may not be enough, but it is the most essential piece of information in attempting to steal one's identity or money. If criminals had the social security number and IP address of a person who searched for that social security number, they could either social engineer or IP-lookup the name and address of the user at that IP address. In many cases this will not work, but in many cases it would. In addition, motivated hackers could penetrate the machine at the originating IP and obtain the name and address needed to steal somebody's identity.

I hope that I am wrong and that this site provides more help than damage. But as of now I don’t feel right about it.

January 17th, 2007 by dm | Forensics, Law & Policy | No Comments

The Department of Justice has released a 137-page "Investigations Involving the Internet and Computer Networks" manual aimed at local (and, in fighting cybercrime, unsophisticated) law enforcement units. The DoJ's concern seems to be that local law enforcement who lack the resources to train or employ forensic analysts may either miss cybercrimes entirely or prosecute wrongfully.

This manual comes after several local law enforcement agencies bungled some high-tech investigations. The Pennsylvania Supreme Court rejected prosecutors' attempts to seize newspaper reporters' hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation. A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about. Also, in a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography, which carried a maximum penalty of 90 years in prison, only to later find out that his computer was thoroughly infected by malware.

The manual is not only aimed at local law enforcement agencies. It should also prove useful to small organizations, schools, or small IT departments who do not have the resources to hire a forensic analyst but want to get a very basic idea of what may be happening. Having said that, it is very important to understand that if you suspect you are a victim of cybercrime, it is imperative that you 1) report the crime to the appropriate law enforcement agency; and 2) do not touch the original media, do not boot the computer, and do not do anything else that may affect the storage media containing the possible evidence - failure to do so may render law enforcement unable to prosecute if they discover useful but tampered-with evidence.

January 11th, 2007 by dm | Law & Policy | No Comments

Many information security officers (ISOs) share a complaint - "our users do not listen to us when we ask them to be security conscious; it is hard to motivate them to use good practices, etc."

The problem is large indeed. Most security incidents come from internal users, either purposefully or inadvertently, so focusing on internal users makes sense to most ISOs. However, new security policies are often met with resentment - users complain that having to pick a stronger password is inconvenient, they do not want to password-lock their screensaver, or they are unwilling to spend two seconds typing a password into their BlackBerry before they check for email. All this leads to a constant tug-of-war between information security professionals and users. The balance is tricky indeed, but it is important to continue insisting on strong information security policies.

How to Justify a New Security Requirement

A new security requirement imposed by the information security officer in an organization will almost inevitably be challenged by management or by users. The good news is that many ISOs can easily justify a new security requirement by pointing to the negative consequences of a data breach (the headlines over the recent months provide plenty of material for this).

Most often, in the private commercial sector, ISOs can point to the dangers of the bad publicity of a data breach, the potential for million-dollar lawsuits, and the negative impact on the business. Customers and vendors may take their business elsewhere, shareholders may dump their shares, and even employees may quit the company. Of course, if the information breached involves third parties (which it almost always does), then lawsuits or regulatory fines are likely.

Government and education can similarly point to the danger of loss of reputation or the loss of public trust and funds to justify new security requirements; if a university, for example, suffers a serious information security breach, then alumni and donors are less likely to donate money, negatively affecting the entire institution for years to come. Similarly, the government (local, state, federal) uses public money to conduct its affairs, and negative publicity or massive security breaches undermine its credibility and its power.

Thus, showing that a new security policy or requirement has a direct impact on every member of management and the user base is an important step in raising security awareness and gathering support for security initiatives. The battle does not end there, but it helps level the playing field.

November 10th, 2006 by dm | Law & Policy | No Comments

Cybercrime is a global problem and although we try to expand the reach and the scope of our comments to include international aspects of cybercrime law, we would like to hear from our international readers.

Are you familiar with the cybercrime law landscape of a particular country or geographic region? Would you like to use this forum to share your thoughts and engage cybercrime law experts around the world? We'd like to hear from you - please contact me at the address listed on my profile page.

I am attending what turns out to be a wonderful conference so far, "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead," organized by Georgetown CLE. The opening by Paul Kurtz of the Cyber Security Alliance was interesting and set the stage for the conference - what information security legal frameworks are out there and what companies should do to protect themselves.

Thomas Smedinghoff of Wildman Harrold gave a great overview of the new developments and trends in the law of information security. It was interesting to see how the playing field is shifting from approaching information security and security breaches reactively to adopting security measures and proactively seeking to protect an organization from liability in case of a breach. Also, the balance between the increased push by law enforcement for more data retention (for counter-terrorism, preventing online child abuse, etc.) on one hand and the security issues on the other hand is becoming very tricky. Many organizations find themselves under an affirmative duty to protect the sensitive information they have, and at the same time there are requirements to preserve more of it.

Evidentiary Issues

An interesting case related to affirmative duties to properly protect information (especially within a litigation context) is American Express v. Vinhnee, 9th Cir. (2005). In this case, American Express sought to prevent the cancellation of Vinhnee's debts in a bankruptcy proceeding. During a hearing in front of the Bankruptcy Court, American Express brought an expert witness who introduced American Express computer records, collected in the regular course of business, about Vinhnee's financial affairs. Vinhnee did not attend the proceeding, and the court, after hearing AmEx's witness, declined to admit the records under the business records exception to the hearsay rule because AmEx's lawyers could not prove that the information was properly secured.

Although this is one of the rare cases where a party goes to court unopposed and still manages to lose, the holding is important in another way - it shows that you need to prove not only that business records were collected and kept in the regular course of business, but also that they were properly secured. Granted, a corporation such as AmEx would most likely (we all hope) have proper security mechanisms, and as long as its lawyers are on notice that they need to present such evidence to the court, things should be OK. However, litigants who know that their records are not properly secured may need to do more if they want to prevail in court.

October 30th, 2006 by dm | Law & Policy | No Comments

Many of our readers have traveled with laptops, often crossing borders, and sometimes being subjected to a border search by customs agents. For most of us, crossing a border with a laptop is a no-brainer and we don’t really think of the implications.

The truth is, law enforcement and border control officials may seize and search laptops and electronic storage devices when travelers, regardless of their citizenship, enter or exit the United States. This right has been established and upheld by U.S. courts, mainly under anti-terrorism measures. Earlier this year, in July, in United States v. Romm, 455 F.3d 990, the Court of Appeals for the Ninth Circuit upheld the right of U.S. officials to conduct an allegedly intrusive warrantless search of a laptop computer carried by a traveler entering the United States from Canada, and allowed evidence recovered during the search to be used in prosecuting the traveler for possession of child pornography.

The Association of Corporate Travel Executives (ACTE) (yes, there is such an association, apparently) has sought guidance from the federal government on the data security and privacy protection policies that apply when U.S. border officials seize and review the contents of travelers' laptop computers. Many executives are naturally worried, as they often carry valuable and sensitive company (or private) information on their laptops. ACTE claims that most of its executive members (94%) were surprised to learn of the broad rights U.S. government officials have to inspect, download, or even seize information.

The good news is that ACTE reports that its members, upon learning that their laptops are subject to intrusive warrantless searches at the airport, have indicated an overwhelming desire to limit the kind of proprietary information typically carried in an executive’s computer. This is good. Even if the ACTE doesn’t get an answer and guidance from the federal government, at least it should educate its members to limit what kind of information they carry on their laptops.

October 11th, 2006 by dm | Law & Policy | No Comments

With the United States Congress ratifying the Cybercrime Convention and President Bush signing it into law, the Council of Europe has officially adopted it and has announced January 1, 2007, as the official effective date for the international treaty.

In addition, the 46-nation Council of Europe announced that a $250,000 donation from Microsoft will help launch a program designed to help member states implement the Cybercrime Convention. The program will help states enact national legislation in line with the Convention and support the training of judges, prosecutors, and law enforcement agents in the detection, investigation, and prosecution of cybercrimes.

The educational program budget is 1.7 million euro ($2.1 million) over 30 months, and having received the Microsoft donation, the Council can give the green light to the initial phases. Additional private donations may be accepted in the future to help offset the cost of the program.

According to the CoE statement, assistance from the new program will be available to CoE member states and to non-European countries that are prepared to bring their legislation in line with the Cybercrime Convention.

The text of the convention and more information can be found here.
