Security Incidents mailing list archives

RE: Who's liable?


From: "Dom Genzano" <dom () stigroup net>
Date: Sun, 14 Oct 2001 21:32:11 -0400

In most cases, someone would be required to have a conviction to pursue
damages- if they try to sue without a conviction you can sue them right back
for defamation of character.  In order to get a conviction, the person(s)
hacked would have to contact county or federal authorities (depending on
the jurisdiction of the case) and present sufficient evidence that a crime
was committed before an investigation is pursued.  The investigation then
invariably becomes just as expensive and just as much of a nuisance to the
victim as it does to the hacker, and convictions usually take a good long time
unless the hacker cops a plea.  By the time all this happens, if you have an
employee agreement and/or security policy, and decent practices in place to
prevent negligence on the part of your company, you can terminate the
employee for being convicted of breaking state and/or federal law (hopefully
this is a stated condition in the employment agreement) and avoid any
corporate liability due to negligence.

The key is to have policy and procedure in place that takes 'reasonable'
measures to manage and monitor the use of your systems.  If you've done
this, and you haven't truly been negligent, the chances of winning the case
won't be worth the trouble of the other party pursuing it (there are
exceptions- especially when the 'victim' has a perceived loss of a great
deal due to the hack and they have nothing to lose by pulling out all the
stops).  

The best thing you can do is get a good corporate lawyer and do exactly as
he says.  When someone reports that they've traced a hack back to your
organization, ask them to send you all the information/evidence they have
and tell them that you'll "look into it and get right back to them"- do not
offer information or 'theorize' with them as to what may have happened.  If
you find any substance to their accusation, your next call is to your
corporate lawyer- once again, if you've taken all 'reasonable' steps to
prevent the misuse of your systems, this does a lot towards shifting any
potential liability away from your company and towards the individual whose
actions you 'did not condone'.  When you get back to that someone, it should
be with what your corporate lawyer told you to say- typically if there is
substance to their accusation, the guilty party from your company is 'sent
home while you look into the matter'  (not terminated until you find
sufficient evidence that they are in violation of corporate policy).  Let HR
be the bad guys- you just gather technical information and do what you're
told with it.

-----Original Message-----
From: macdaddy () neo pittstate edu [mailto:macdaddy () neo pittstate edu]
Sent: Sunday, October 14, 2001 2:56 AM
To: hvdkooij () vanderkooij org
Cc: incidents () securityfocus org
Subject: Re: Who's liable?


On Sun, 14 Oct 2001 hvdkooij () vanderkooij org wrote:

On Sat, 13 Oct 2001, Michael F. Bell wrote:

Let's change the victim from a Government agency to a private one.  Let's
say that EBAY got hacked and they launched the same sort of
investigation with the same findings..  What can be done from a legal
/financial standpoint if an attack is detected from your company network
and there is no proof on exactly who did it?  Can the victims take legal
action against you, or is there some sort of protocol from a legal
standpoint that hinders this?

We know (or should know) that IP addresses can and will be faked in case
of a real attempt and are not enough to

For anyone, hiding his/her IP number isn't more than a slight
inconvenience. (Until proper handling of spoofed IPs is done more
seriously.)

I think something worth pointing out here is that it's unlikely that
you'll encounter a "spoofed" IP in a true hack.  Sure you'll get them in a
DoS all day long but I find it highly unlikely that you'll find them in a
true hack.  For more than the basic hack, you'll need more than one packet
and most likely an actual TCP conversation.  Unless you've already hacked
the router upstream of the target machine or jacked with the target
machine's routing table, you can't use the spoofed IPs in the
conversation.  If this is really a hack like the poster said, spoofed IPs
are most likely out the window.  This isn't to say that you won't
encounter spoofed IPs in background noise during the hack or that it's not
possible to use spoofed IPs for a hack; it's just hard to carry on a
conversation with a target if you're not giving it a real IP to talk to.

My thoughts on the scenarios are that if they (the investigating party)
can't ascertain who is really responsible, they won't find the company
responsible because of lax logging.  Say I'm ISP XYZ and a spammer gets
one of our dialups as a throw-away account and hacks company or government
server ABC, and also that I don't log connections from our users (does any
ISP?), am I responsible?  I hope not.  I can't be responsible for the
actions of customers I've never met.

Justin
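Two of Justin's points above lend themselves to a worked check: a source that only ever sends SYNs (flood noise, possibly spoofed) can be told apart from one that completed a three-way handshake, and an ISP can only attribute a dynamically assigned dialup address to an account if it kept session accounting records. The script below is an added example, not code from anyone on the list; the packet log, target address 192.0.2.10 and session records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed packet log as a sensor might record it: (time, src, dst, TCP flags).
# 198.51.100.7 completes a handshake; 203.0.113.x only send SYNs (SYN-flood noise).
PACKETS = [
    ("2001-10-13T02:10:01", "203.0.113.4", "192.0.2.10", "S"),
    ("2001-10-13T02:10:01", "203.0.113.9", "192.0.2.10", "S"),
    ("2001-10-13T02:10:02", "198.51.100.7", "192.0.2.10", "S"),
    ("2001-10-13T02:10:02", "192.0.2.10", "198.51.100.7", "SA"),
    ("2001-10-13T02:10:02", "198.51.100.7", "192.0.2.10", "A"),
    ("2001-10-13T02:10:03", "203.0.113.4", "192.0.2.10", "S"),
    ("2001-10-13T02:10:05", "198.51.100.7", "192.0.2.10", "PA"),
]

# Constructed ISP accounting records: (account, assigned ip, session start, session stop).
SESSIONS = [
    ("user17", "198.51.100.7", "2001-10-13T01:55:00", "2001-10-13T02:40:00"),
    ("user42", "198.51.100.7", "2001-10-13T02:45:00", "2001-10-13T03:30:00"),
]


def classify_sources(packets, target):
    """Map each source talking to `target` to 'conversation' or 'syn-only'.

    A source only counts as a real conversation if we saw its SYN, the
    target's SYN-ACK back to it, and its final ACK. A spoofed source never
    receives the SYN-ACK, so it cannot produce that ACK (Justin's point)."""
    seen = defaultdict(set)
    for _, src, dst, flags in packets:
        if dst == target:
            seen[src].add(flags)            # packet from source to target
        elif src == target:
            seen[dst].add("<" + flags)      # reply from target to source
    verdict = {}
    for src, flags in seen.items():
        if {"S", "<SA", "A"} <= flags:
            verdict[src] = "conversation"
        elif "S" in flags:
            verdict[src] = "syn-only"
    return verdict


def attribute(sessions, ip, when):
    """Return the account holding dynamically assigned `ip` at time `when`,
    or None if no (or more than one) session record covers that instant.
    Without such records the ISP in the thread cannot answer this at all."""
    t = datetime.fromisoformat(when)
    hits = [acct for acct, sip, start, stop in sessions
            if sip == ip and datetime.fromisoformat(start) <= t < datetime.fromisoformat(stop)]
    return hits[0] if len(hits) == 1 else None
```

Note that attribution only works for an address the sensor saw complete a handshake; feeding it a SYN-only source from the flood would point at whoever happened to hold that address, which is exactly the false accusation the thread is worried about.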



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

