Security Incidents mailing list archives
RE: Who's liable?
From: "Dom Genzano" <dom () stigroup net>
Date: Sun, 14 Oct 2001 21:32:11 -0400
In most cases, someone would be required to have a conviction to pursue damages; if they try to sue without a conviction you can sue them right back for defamation of character. In order to get a conviction, the person(s) hacked would have to contact county or federal authorities (depending on the jurisdiction of the case) and present sufficient evidence that a crime was committed before an investigation is pursued. The investigation then invariably becomes just as expensive and just as much of a nuisance to the victim as it does to the hacker, and convictions usually take a good long time unless the hacker cops a plea. By the time all this happens, if you have an employee agreement and/or security policy, and decent practices in place to prevent negligence on the part of your company, you can terminate the employee for being convicted of breaking state and/or federal law (hopefully this is a stated condition in the employment agreement) and avoid any corporate liability due to negligence. The key is to have policy and procedure in place that takes 'reasonable' measures to manage and monitor the use of your systems. If you've done this, and you haven't truly been negligent, the chances of winning the case won't be worth the trouble of the other party pursuing it (there are exceptions, especially when the 'victim' has a perceived loss of a great deal due to the hack and they have nothing to lose by pulling out all the stops). The best thing you can do is get a good corporate lawyer and do exactly as he says. When someone reports that they've traced a hack back to your organization, ask them to send you all the information/evidence they have and tell them that you'll "look into it and get right back to them". Do not offer information or 'theorize' with them as to what may have happened.
If you find any substance to their accusation, your next call is to your corporate lawyer. Once again, if you've taken all 'reasonable' steps to prevent the misuse of your systems, this does a lot towards shifting any potential liability away from your company and towards the individual whose actions you 'did not condone'. When you get back to that someone, it should be with what your corporate lawyer told you to say; typically, if there is substance to their accusation, the guilty party from your company is 'sent home while you look into the matter' (not terminated until you find sufficient evidence that they are in violation of corporate policy). Let HR be the bad guys; you just gather technical information and do what you're told with it.

-----Original Message-----
From: macdaddy () neo pittstate edu [mailto:macdaddy () neo pittstate edu]
Sent: Sunday, October 14, 2001 2:56 AM
To: hvdkooij () vanderkooij org
Cc: incidents () securityfocus org
Subject: Re: Who's liable?

On Sun, 14 Oct 2001 hvdkooij () vanderkooij org wrote:

> On Sat, 13 Oct 2001, Michael F. Bell wrote:
>
> > Let's change the victim from a government agency to a private one. Let's say that EBAY got hacked and they launched the same sort of investigation with the same findings. What can be done from a legal/financial standpoint if an attack is detected from your company network and there is no proof of exactly who did it? Can the victims take legal action against you, or is there some sort of protocol from a legal standpoint that hinders this?
>
> We know (or should know) that IP addresses can and will be faked in case of a real attempt and are not enough to
>
> For anyone, hiding his/her IP number isn't more than a slight inconvenience. (Until proper handling of spoofed IPs is done more seriously.)

I think something worth pointing out here is that it's unlikely that you'll encounter a "spoofed" IP in a true hack. Sure, you'll get them in a DoS all day long, but I find it highly unlikely that you'll find them in a true hack. For more than the basic hack, you'll need more than one packet and most likely an actual TCP conversation. Unless you've already hacked the router upstream of the target machine or jacked with the target machine's routing table, you can't use the spoofed IPs in the conversation. If this is really a hack like the poster said, spoofed IPs are most likely out the window. This isn't to say that you won't encounter spoofed IPs in background noise during the hack, or that it's not possible to use spoofed IPs for a hack; it's just hard to carry on a conversation with a target if you're not giving it a real IP to talk to.

My thoughts on the scenarios are that if they (the investigating party) can't ascertain who is really responsible, they won't find the company responsible because of lax logging. Say I'm ISP XYZ and a spammer gets one of our dialups as a throw-away account and hacks company or government server ABC, and also that I don't log connections from our users (does any ISP?); am I responsible? I hope not. I can't be responsible for the actions of customers I've never met.

Justin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
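The claim in the quoted reply that a spoofed source address cannot carry a TCP conversation comes down to the three-way handshake: the server's SYN-ACK, which carries the server's initial sequence number, is routed to the spoofed address rather than to whoever sent the SYN, and the final ACK must echo that number. The following Python model is an added example written for this page; it is not code from the thread or from any poster. The host names T, V, A and C, the server's random 32-bit ISN, the 'tap' standing in for a compromised upstream router, and the constructed packets are all assumptions of the model.

```python
"""Toy model: a blind source-address spoof cannot carry a TCP conversation,
but it carries fire-and-forget DoS traffic just fine.  Constructed scenario
(illustrative names): target server T, victim V whose address the attacker
borrows, attacker A, honest client C.  The network routes by dst only, like IP."""
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class Network:
    """Delivers by dst and never checks src; 'taps' see every packet (a compromised upstream router)."""
    def __init__(self):
        self.hosts, self.taps = {}, []

    def attach(self, host):
        self.hosts[host.addr] = host

    def send(self, pkt):
        for tap in self.taps:
            tap.receive(pkt)
        if pkt.dst in self.hosts:             # unknown destinations are silently dropped
            self.hosts[pkt.dst].receive(pkt)


class Host:
    """Plain endpoint that just collects packets.  (A real victim would answer an
    unexpected SYN-ACK with RST and tear the half-open entry down; omitted here.)"""
    def __init__(self, addr, net):
        self.addr, self.net, self.inbox = addr, net, []
        net.attach(self)

    def receive(self, pkt):
        self.inbox.append(pkt)


class Server(Host):
    """Minimal TCP listener: random ISN, half-open table, data accepted only once established."""
    def __init__(self, addr, net):
        super().__init__(addr, net)
        self.half_open, self.established, self.log = {}, set(), []

    def receive(self, pkt):
        if pkt.flags == "SYN":
            isn = secrets.randbelow(2**32)    # unpredictable ISN, as modern stacks use
            self.half_open[pkt.src] = isn
            self.net.send(Packet(self.addr, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK" and pkt.src in self.half_open:
            if pkt.ack == self.half_open[pkt.src] + 1:   # third packet must echo the ISN
                self.established.add(pkt.src)
                del self.half_open[pkt.src]
        elif pkt.flags == "DATA" and pkt.src in self.established:
            self.log.append((pkt.src, pkt.payload))


def honest_session():
    """Client C uses its real address, so it sees the SYN-ACK and can finish."""
    net = Network()
    srv, cli = Server("T", net), Host("C", net)
    net.send(Packet("C", "T", "SYN", seq=1000))
    synack = cli.inbox[-1]
    net.send(Packet("C", "T", "ACK", seq=1001, ack=synack.seq + 1))
    net.send(Packet("C", "T", "DATA", seq=1001, payload=b"GET /"))
    return srv.log


def blind_spoof(guessed_isn=0):
    """A sends as V; the SYN-ACK goes to V, so A must guess T's 32-bit ISN blind."""
    net = Network()
    srv, victim, attacker = Server("T", net), Host("V", net), Host("A", net)
    net.send(Packet("V", "T", "SYN", seq=1000))
    net.send(Packet("V", "T", "ACK", seq=1001, ack=guessed_isn + 1))
    net.send(Packet("V", "T", "DATA", seq=1001, payload=b"GET /"))
    return {"attacker_saw_synack": any(p.flags == "SYN-ACK" for p in attacker.inbox),
            "victim_got_synack": any(p.flags == "SYN-ACK" for p in victim.inbox),
            "established": "V" in srv.established, "log": srv.log}


def spoof_via_upstream_router():
    """Same spoof, but A sits on a compromised router on T's path and reads the SYN-ACK."""
    net = Network()
    srv, _victim, attacker = Server("T", net), Host("V", net), Host("A", net)
    net.taps.append(attacker)
    net.send(Packet("V", "T", "SYN", seq=1000))
    synack = next(p for p in attacker.inbox if p.flags == "SYN-ACK")
    net.send(Packet("V", "T", "ACK", seq=1001, ack=synack.seq + 1))
    net.send(Packet("V", "T", "DATA", seq=1001, payload=b"GET /"))
    return srv.log


def syn_flood(count=1000):
    """Spoofed SYNs need no reply: each one leaves a half-open entry on T."""
    net = Network()
    srv = Server("T", net)
    for i in range(count):
        net.send(Packet(f"10.0.{i // 256}.{i % 256}", "T", "SYN", seq=i))
    return len(srv.half_open)
```

Calling honest_session() returns the logged request from C, blind_spoof() returns a record showing that the SYN-ACK reached V and not A and that no session was established, spoof_via_upstream_router() shows the same spoof succeeding once the attacker can read the SYN-ACK, and syn_flood() shows a thousand spoofed SYNs each consuming a half-open entry with no conversation needed. The model also makes the poster's "unless" concrete: a blind spoofer succeeds only if it can predict the ISN (the predictable-ISN weakness of older stacks) or observe the SYN-ACK on the path, and on a real network it must additionally suppress the victim's RST, which this toy leaves out.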
Current thread:
- Who's liable? Michael F. Bell (Oct 13)
- Re: Who's liable? hvdkooij (Oct 13)
- Re: Who's liable? macdaddy (Oct 14)
- RE: Who's liable? Dom Genzano (Oct 14)
- Re: Who's liable? Kelly Martin (Oct 14)
- Re: Who's liable? macdaddy (Oct 14)
- Re: Who's liable? hvdkooij (Oct 13)
- Re: Who's liable? Jay D. Dyson (Oct 13)
- Re: Who's liable? - fbi Alvin Oga (Oct 13)
- Re: Who's liable? Alvin Oga (Oct 13)
- RE: Who's liable? Chris Mason (Oct 13)
- RE: Who's liable? Liam Burrow (Oct 13)
- RE: Who's liable? Russell Berry (Oct 13)
- RE: Who's liable? Brian Taylor (Oct 14)
- Re: Who's liable? Frank (Oct 14)
- RE: Who's liable? Michael Conlen (Oct 14)