Now, if I've paid hundreds or thousands of dollars for a software product, and it turns out that it has security holes in it, who is really liable for those security holes? I understand that patches are provided and they aren't that hard to apply, but are we ever going to hold the providers of these software products a little more liable? It seems to me that it's all too easy these days to rush a product out the door and plan on patching it later, never mind the inconvenience it causes all our customers.
Bryan

On Wed, 2003-02-12 at 10:08, Tim Blalock wrote:
>
> Anybody read this on SearchSecurity.com? I think that it's about time. I
> spent the last two weeks patching computers from almost every business in my
> home town. Apparently they think that it's ok that someone breaks into
> their computer. They all told me "I don't have anything that they can
> steal". Well, there's something, a zombie.
>
> Tim Blalock
> [EMAIL PROTECTED]
>
> <Beginning article>
>
> Patching negligence can get you sued
>
> By Michael S. Mimoso, News Editor
> 12 Feb 2003, SearchSecurity.com
>
> MASHANTUCKET, Conn. -- Downstream liability sounds like a cable TV fishing
> show gone awry. But it's something enterprises need to quickly become aware
> of, especially in light of recent security incidents like the outbreak of
> the SQL Slammer worm and the attack on the Internet's root DNS servers.
>
> Essentially, downstream liability is all about the liability an enterprise
> could incur if its unsecured systems are used as part of a distributed
> denial-of-service attack.
>
> The topic came up during this week's CyberCrime Conference & Exhibition,
> where former Department of Justice cybercrime prosecutor Marc J. Zwillinger
> of Sonnenschein, Nath & Rosenthal declared that, indeed, enterprises can be
> liable for damages incurred during a DDoS attack.
>
> Zwillinger theorizes that breach of contract is no longer the only basis for
> liability; now enterprises will be held accountable if they are negligent in
> patching systems, for example. This is the commission of a tort, Zwillinger
> said. Negligence is the crux of downstream liability, according to a paper
> written by Scott C. Zimmerman, CISSP, a research associate with the Software
> Engineering Institute at Carnegie Mellon University; Ron Plesco, director of
> policy for the Pennsylvania state police; and Tim Rosenberg, president and
> CEO of White Wolf Security.
>
> Negligence, meanwhile, consists of four parts, according to the law: duty,
> breach, causation and harm. Zwillinger and Zimmerman said that all four are
> closely linked and, in order to gain damages, a victim must demonstrate all
> four.
>
> Duty, for example, is the reasonable expectation that an enterprise with IT
> assets linked to the Internet keep its systems secure. "Does an owner of IT
> assets on the Internet have a duty to keep his systems secure and not to be
> used to hurt another? We believe the answer to this question is a resounding
> yes," wrote Zimmerman, et al.
>
> A breach of duty is the failure to live up to that obligation. For example,
> leaving unpatched systems exposed to the Internet and ripe for exploitation
> would constitute a breach of duty. Next, a victim must prove this breach
> caused the damages. Finally, the victim must demonstrate he suffered harm,
> like loss of assets, loss of business opportunities, or damage to
> reputation, Zwillinger said.
>
> Slammer took advantage of vulnerable Microsoft SQL Servers and generated
> massive amounts of traffic that clogged Internet service providers and
> backbones worldwide. Code Red and Nimda exploited holes in Microsoft
> Internet Information Services (IIS) Web servers to bring the Internet to a
> screeching halt in 2001. While Internet performance slowed to a crawl in all
> three instances, businesses were also left inaccessible, at times resulting
> in expensive downtime.
>
> Now that victims are justified in pursuing damages via lawsuits, they must
> determine just who is liable, Zwillinger said.
>
> Zwillinger identified potential defendants: the perpetrator; the owners of
> unsecured systems; Internet service providers; and the victim.
>
> The perpetrator, Zwillinger said, has violated the law [the Computer Fraud
> and Abuse Act that covers DoS attacks, virus outbreaks, ping floods and
> more]. But the difficulty in prosecuting the attacker is finding the person.
> Often, the attacking computer does not belong to the attacker.
>
> That raises the specter of holding the owners of vulnerable systems liable.
> They would not be liable under breach of contract because usually there is
> no direct contact between this person and the victim. But they could be
> guilty of committing a tort by being negligent in not patching systems.
> Challenges here involve pursuing the owners of 100 systems involved in a
> DDoS, for example. All 100 would have to be investigated, and a portion of
> blame would have to be determined in each instance, Zwillinger said. "It's
> daunting, but it's not a disincentive," he said.
>
> ISPs, on the other hand, would be liable by contract. There is a reasonable
> expectation that service providers have measures in place to deny bad
> traffic and keep customers online, Zwillinger said.
>
> Victims also could be held liable. In addition to pursuing damages, victims
> could be forced to pay up if their systems are used to attack another.
>
> "It's time to recognize that this is a reality," Zwillinger said.
> "Enterprises need to determine best practices, adhere to regulation [HIPAA,
> Gramm-Leach-Bliley], hire consultants, adopt an incident response plan and
> stay current on information security and evolve with it."
>
> ____________________
> BYU Unix Users Group
> http://uug.byu.edu/
> ___________________________________________________________________
> List Info: http://phantom.byu.edu/cgi-bin/mailman/listinfo/uug-list
