Security Incidents mailing list archives

RE: Who's liable?


From: Rob Keown <Keown () MACDIRECT COM>
Date: Sat, 13 Oct 2001 18:57:13 -0400

The question is who is culpable?

If the site from which the attack is launched is ignorant of any criminal
activity then there is no *criminal* recourse. But let's also realize that
if there were no clear tracks to the perpetrator, everyone in Company X
would be interrogated, their backgrounds checked, and all sorts of other
investigative processes would take place. This type of process usually gets
the state or federal government closer to the perp.

Of course the nature of the attack also matters: is it someone who has
defaced the website to place a political message, or did they crack into
sensitive material that is a national security issue?

Under current law the first type of attack is different than the latter. The
latter is much more serious.

Here is another way of looking at it. If a perp. places a call on the
telephone to the White House switchboard with a terrorist threat does the
company from which he/she placed the call become culpable? No. The company's
phone records will be subpoenaed, but the officials can also find the same
dead end (depending on whether the company is recording phone logs).

Should this change? I don't think there is any legal precedent for someone
who is not "aware" of criminal intent to be held culpable. To place new
responsibility on organizations that hold them to some criminal level of
responsibility is most likely unenforceable and unconstitutional.

I do believe that those of us in the corporate and academic world must make
sure that the leaders of our organizations realize they must have a high
level of audit granularity, and that includes your scenario, where a small
organization might not know that they need to stay as frosty as everyone
else.

If the SOHO firewall and IDS vendors included these types of communications
in their literature we might accomplish our goals without sacrificing the
free conduct of the Internet. This could include default install
configurations and clear and visible communications about the threats that
smaller companies encounter and how they impact us all.

I don't know if this is the best forum for your question, but it is a very
good question.

Rob Keown
MAC DIRECT







-----Original Message-----
From: Michael F. Bell [mailto:mike_b () rhinobyte com]
Sent: Saturday, October 13, 2001 6:12 PM
To: incidents () securityfocus org
Subject: Who's liable?


These are fictional scenarios that I am SURE that
other people would like to discuss.

Let's say you are a small realty agency, and you provide internet access
to your employees and one of your employees hacks into the White House
website from your internal network.  You do not have any logging going
on from your SOHO firewall and the FBI shows up at your door one day
with a warrant to search your computers for evidence of hacking into the
White House website.  The FBI searches all 10 computers in your network
and comes up without any hard evidence from these 10 machines linking
them to the hack into the White House website.  Your company is not
doing any firewall logging and you do not have any public servers that
could have been hacked so someone could have remotely launched the
attack?  All that the FBI has is your publicly NAT'ed firewall address.

Who is liable??  What can the FBI do at this point?

The above scenario is all fictional from my standpoint.  I could imagine
that this is someone's reality though...

Let's change the victim from a Government agency to a private one.  Let's
say that EBAY got hacked and they launched the same sort of
investigation with the same findings.  What can be done from a legal
/financial standpoint if an attack is detected from your company network
and there is no proof on exactly who did it?  Can the victims take legal
action against you, or is there some sort of protocol from a legal
standpoint that hinders this?  

Michael Bell
mike_b () rhinobyte com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
