Saturday, 8 March 2008

Virtues

Ol' Ben Franklin set up a process where he mapped out 13 virtues and recorded how he was going against them and what progress he was making. These virtues are as follows:

  1. Temperance: Eat not to dullness; drink not to elevation.
  2. Silence: Speak not but what may benefit others or yourself; avoid trifling conversation.
  3. Order: Let all your things have their places; let each part of your business have its time.
  4. Resolution: Resolve to perform what you ought; perform without fail what you resolve.
  5. Frugality: Make no expense but to do good to others or yourself; i.e., waste nothing.
  6. Industry: Lose no time; be always employed in something useful; cut off all unnecessary actions.
  7. Sincerity: Use no hurtful deceit; think innocently and justly, and, if you speak, speak accordingly.
  8. Justice: Wrong none by doing injuries, or omitting the benefits that are your duty.
  9. Moderation: Avoid extremes; forbear resenting injuries so much as you think they deserve.
  10. Cleanliness: Tolerate no uncleanliness in body, clothes, or habitation.
  11. Tranquility: Be not disturbed at trifles, or at accidents common or unavoidable.
  12. Chastity: Rarely use venery but for health or offspring, never to dullness, weakness, or the injury of your own or another's peace or reputation.
  13. Humility: Imitate Jesus and Socrates.
This week I am on No. 4 (Resolution). I have 2 chapters of my book to complete. I plan to complete the reading of a book I am studying and also to read a chapter of "Modelling Longitudinal Data" by Weiss, Robert E. (2005), Springer.

I have a prac. exam and also questions for SANS to check.

Microsoft Communications Protocol Program (MCPP)

Microsoft has released details on most of their proprietary protocols.

The Microsoft Communications Protocol Program (MCPP) technical documentation set provides detailed technical specifications for Microsoft proprietary protocols (including extensions to industry-standard or other published protocols) that are implemented and used in Windows client operating systems (namely Windows 2000 Professional and successors up to and including Windows Vista) to interoperate or communicate natively with Windows Server operating systems (namely Windows NT 3.1 up to and including Windows Server 2008). The documentation set includes a set of companion overview and reference documents that supplement the technical specifications with conceptual background, overviews of inter-protocol relationships and interactions, and technical reference information, such as common data types and error codes.

http://msdn2.microsoft.com/en-us/library/cc216513.aspx

Friday, 7 March 2008

Vicarious Liability and Extrusion Filters

I have taken and updated a little something based on responses I have received over the years. Liability of an intermediary, whether in the traditional sense of an ISP or ICP or in that of an employer or other party, remains a risk.

Extrusion (egress) filtering is something that is not considered by most organisations and, unfortunately, not by many on this list either. There is more to filtering than blocking inbound attacks. This is surprising, as many standards and regulations require that specific information be filtered. PCI-DSS, HIPAA and a raft of legislation require that organisations set up the capability to monitor both incoming and outgoing traffic. This is not port based, but rather a capability to monitor and filter (or at the least act on) content.

I oversee the information gathering for many more companies than I actually audit myself (being an audit manager for an external audit firm). In 1,412 firms I have been to or reviewed information for, I have collected a number of statistics over the years.

  • 231 (16.4%) have some content management
  • 184 (13.0%) have NO egress filters - nothing at all, not even port filtering
  • 734 (52.0%) have a disclaimer on email that is barely adequate legally
  • 210 (14.8%) have a legally valid privacy policy/disclaimer on their web sites
  • 15 (1.06%) check Google or other places for information on their references

In Scheff v Bock (Susan Scheff and Parents Universal Resource Experts, Inc. v. Carey Bock - Florida, USA, 2006, Case No. CACE03022837) a Florida jury awarded Sue Scheff US$11.3 million in damages and costs over recurrent blog postings. A former acquaintance had accused her of being a crook, a con artist and a fraudster (as a side note, similar laws apply in Australia).
See http://www.citmedialaw.org/threats/scheff-v-bock

In principle, defamation consists of a false and unprivileged statement of fact that is harmful to the reputation of another person and which is published "with fault", that is, as a result of negligence or malice. Different laws define defamation in ways that differ slightly, but the gist of the matter is the same. Libel is a written defamation; slander is a spoken defamation.

Some examples:

Libellous (when false):

  • Charging someone with being a communist (in 1959)
  • Calling an attorney a "crook"
  • Describing a woman as a call girl
  • Accusing a minister of unethical conduct
  • Accusing a father of violating the confidence of son

Not-libellous:

  • Calling a political foe a "thief" and "liar" in chance encounter (as hyperbole in context)
  • Calling a TV show participant a "local loser," "chicken butt" and "big skank"
  • Calling someone a "bitch" or a "son of a bitch"
  • Changing product code name from "Carl Sagan" to "Butt Head Astronomer"

See http://w2.eff.org/bloggers/lg/faq-defamation.php for details and the source of this quote.

So let us do the math. Take a case where 0.1% (1 in a thousand) of employees (and the real number is higher than this) post a defamatory statement from their place of work. 83.6% of companies (based on the figures above) will not detect or stop anything; fewer still check at all.

Let us take an average litigation cost for defamation of US$182,500 (taken from cases won from 1996 to the present in Australia, the UK and the US). See also "Rethinking Defamation" by David A. Anderson of the University of Texas at Austin School of Law (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=976116#PaperDownload).

So if we take a decent sized company of 5,000 employees, 0.1% gives 5 defamatory posts a year, of which about 4 will go undetected; that is the expected number of incidents per annum that in coming years would be expected to make it to court. Employers are vicariously liable for many of these actions. In the past, employers and ICPs have not been targeted, but this is changing. The person doing the act is generally not one with the funds to pay out the losses; the employer is. Thus the ability to join employers as co-defendants will increase these types of actions.

Facebook, blogs and other accesses will only make this worse in coming years.

So what does this mean? Well, in the case of our hypothetical employer, there is an expected annualised loss of US$788,400 in coming years. The maximum expected payout would be US$50,000,000. It is unlikely that the individual who made the statement will be able to pay the cost of losing, so the employer will more and more be added to the suit.

With the recent win in Scheff v Bock, this is only going to increase.

Thursday, 6 March 2008

Patching and Software Installation

A correctly secured and fully patched host is immune to over 90% of the vulnerabilities actually exploited, since most compromises rely on flaws for which a fix already exists. As with all security controls, though, there needs to be a trade off. The effort of monitoring every host individually is beyond all but the smallest of sites.
Most operating systems today have the ability to update themselves. This ranges from each host automatically retrieving patches from the vendor's site to centralized servers which an organization can configure to pull patches and issue them internally once approved. There are two types of patches:

  • Security Patches
  • General updates
As security auditors, our focus will of course lie primarily with security patches. This does not mean that we can ignore general updates; rather we should look at the details and reasons for the update. For instance, a patch to a financial application may not in itself be a security patch but may have security implications: an update that adds auditing or enhances the segregation-of-duties capabilities of the software would be classed as a general update but has clear security significance. Like many things, we need to look at the system holistically. One of the main failings of UNIX systems audits is to treat the system and the application in isolation.

The Need for Patches
Network security does not replace the need for host security; both have their place. Some hosts (for example web servers in public zones) are more critical than others and more likely to be attacked. In addition, a firewall does little to protect a web based application, since the attack arrives over the very port the firewall must allow. For these and many other reasons it is essential to maintain a strong regime of system security.

Obtaining and Installing System Patches
It is crucial that both the UNIX administrator and auditor understand the difference between security and general patches. It is important that all patching be done in an organized manner. A risk management approach needs to be taken to patching systems. The auditor needs to remember that it is too late to patch a system after it is compromised. The only sure way to clean a compromised system is to rebuild it (from a system format).

The first thing to do is find out what patches are required. Nearly all UNIX vendors provide websites with comprehensive information concerning the nature of patches and some of the main risks associated with those patches.

1. Security patches need to take precedence over other patches. First determine if the following conditions apply:
a) Is the patch required for an active service (e.g. a BIND patch for an Internet DNS server)? If the service being patched is not installed on the system then it may not be necessary to apply the patch.
b) Is the service externally vulnerable? It is important to apply security patches for services that are not reachable externally as well, but the level of risk is lower.
c) Does the patch affect other services on the host? Has the patch been tested on a development or QA system and been found to function correctly in your organization's environment?

2. If the patch affects the system in an undesirable manner (e.g. causes a server to crash or imposes a performance hit) then it would be better to look at other alternatives based on the risk to the system and its value. It may be a better option to filter the service, for example.
3. If the patch is determined to be required to ensure the security of the system then formal patch procedures should be followed for its implementation. Patch processes vary from vendor to vendor. It is essential to understand the methodology used and create a process to implement it effectively.

There are two main areas that a UNIX auditor needs to consider when auditing system patching. Firstly, does the organization have an effective patch process that is based on risk? Next, is the patch process adhered to? Each of these needs to be addressed. Good corporate governance requires that management implement a policy requiring effective controls. Any such policy is only effective if it leads to a strong process that can provide the desired outcome. To do this any process needs to be measurable. One of the great difficulties in patch management is the definition of metrics. It is not enough just to measure the number of patches installed or not installed; there needs to be a means of determining whether a patch should have been applied or not.

At the least, any patch should be evaluated against existing applications to ensure that the patch will not negatively impact the system it is meant to fix. This is another reason why there are clear benefits to minimizing the number of services and applications provided on any host. Additionally, many standards such as the PCI-DSS (the payment card industry security standard designed to protect credit and payment card information) require that each server is set up to host only a single primary function.

Although patching is to many people the greatest bugbear in IT, it is also one of the simplest means of demonstrating a base level of due care. The combination of a patch management program and proof that the program is being used go a long way to demonstrating effective corporate governance. In the event that a system is compromised due to a software vulnerability, there are really two alternatives when an organization is facing a claim for negligence. Either the organization has patched the system and the compromise occurred due to an unknown or undisclosed attack (a zero-day vulnerability), or the breach has occurred because of a control failure. In the first instance, negligence would come down to the necessity to demonstrate alternative controls that should have been in place. In this instance the onus of proof is on the party seeking to show that your company was negligent.

Alternatively, where a control failure has occurred because the system was either misconfigured or unpatched, proving that your organization was not negligent will come down to the controls and processes that have been implemented. In the case of patching, if the organization can demonstrate a risk-based approach and a methodology that provides valid justification for not applying the patch, it is unlikely that it will be found negligent even without applying the patch. Similarly, an effective patch process that has generally been followed but which has suffered some failure leading to a breach through a misconfiguration also provides a good defense to avoid, or at the least minimize, any action for negligence.

As with all controls, the key is to provide evidence. An ongoing audit program that is run on a regular basis over your UNIX systems will provide this evidence. Most modern operating systems, including the UNIX variants, have a patch management system; some examples are:

Sun Solaris Patch Manager or PatchPro
http://wwws.sun.com/software/download/products/3f9d714b.html
System Reliability Manager for Sun Management Centre
http://www.sun.com/solaris/sunmanagementcenter
Linux (Red Hat) up2date
RH tools - RHN Proxy or Satellite server
https://rhn.redhat.com/

Validating the Patch Process
In validating the patch process, the auditor first needs to download the latest patch information from the respective UNIX vendor and test that any security patches recommended for the system have either been installed or, alternatively, that there is a formal and valid justification for why they have not been installed. The auditor should also note that some patches may re-enable default configurations on a service. For this reason, it is important to ensure that the administrator has created a backup of the system prior to installing a patch. A good change management process would require that a back-out path has been detailed prior to the implementation of the patch. The process for patching the system should maintain details on obtaining patches and how they need to be tested and installed. Ideally, any patches that are downloaded from the Internet must be validated, such as through the use of a hashing algorithm.
That is, the system administrator should, where possible, always verify the digital signature of any signed files. If no digital signature is supplied but a checksum (e.g. MD5) is, then the administrator should verify the checksum to confirm that they have retrieved an intact copy of the patch. If only a generic sum checksum is provided, then the process should require that they use this to check the file. Be aware that the sum checksum should not be considered secure, and that MD5 only guards against accidental corruption, not against a deliberately substituted file. After the patch has been applied it is important to test the system. The administrator should test that the patch has been applied correctly and is operational (i.e. check the version of the software and that it functions correctly).
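The checksum step described above, as an added example that is not part of the original post. It assumes the vendor publishes digests in the "<hexdigest>  <filename>" format written by md5sum, sha1sum and sha256sum, and it constructs its own sample patch archive and checksum files in a temporary directory so that it runs offline; the patch name used is hypothetical. The digest algorithm is inferred from the digest length, the comparison is constant-time, and a match on MD5 or SHA-1 is reported but flagged as weak.

```python
"""Verify a downloaded UNIX patch against a vendor-supplied checksum line.

Added example (not the page's own code). Assumes checksum lines in the
'<hexdigest>  <filename>' format of md5sum/sha1sum/sha256sum; the patch
file and checksum files below are constructed so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> (hashlib name, strong enough to rely on?)
# MD5 and SHA-1 confirm a download was not corrupted in transit but give
# little protection against a deliberately substituted file.
ALGORITHMS = {
    32: ("md5", False),
    40: ("sha1", False),
    64: ("sha256", True),
    128: ("sha512", True),
}


def parse_checksum_file(path):
    """Return {filename: hexdigest}, ignoring blank lines and '#' comments.
    Both the two-space (text) and ' *' (binary) separators are accepted."""
    sums = {}
    with open(path, "r") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition(" ")
            sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify_patch(patch_path, checksum_path):
    """Check patch_path against the digest recorded for it in checksum_path.

    Returns (ok, algorithm, message). ok is True only when the digest
    matches; the message says whether the algorithm is strong enough."""
    name = os.path.basename(patch_path)
    sums = parse_checksum_file(checksum_path)
    if name not in sums:
        return False, None, "no checksum recorded for %s" % name
    expected = sums[name]
    if len(expected) not in ALGORITHMS:
        return False, None, "unrecognised digest length %d" % len(expected)
    algo, strong = ALGORITHMS[len(expected)]
    h = hashlib.new(algo)
    with open(patch_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    # Constant-time comparison: do not leak how many leading characters match.
    if not hmac.compare_digest(h.hexdigest(), expected):
        return False, algo, "%s mismatch: file is corrupt or has been altered" % algo
    if not strong:
        return True, algo, "%s matches, but %s is weak: prefer a signature or SHA-256" % (algo, algo)
    return True, algo, "%s matches" % algo


def demo():
    """Build a constructed patch file, verify it against a SHA-256 and an MD5
    checksum file, then corrupt one byte and verify again.
    Returns the three (ok, algorithm, message) results in that order."""
    tmp = tempfile.mkdtemp()
    patch = os.path.join(tmp, "patch-123456-01.tar")  # hypothetical name
    data = b"constructed sample patch payload\n" * 100
    with open(patch, "wb") as fh:
        fh.write(data)
    sha_file = os.path.join(tmp, "patch.sha256")
    md5_file = os.path.join(tmp, "patch.md5")
    with open(sha_file, "w") as fh:
        fh.write("%s  %s\n" % (hashlib.sha256(data).hexdigest(), os.path.basename(patch)))
    with open(md5_file, "w") as fh:
        fh.write("%s  %s\n" % (hashlib.md5(data).hexdigest(), os.path.basename(patch)))
    good = verify_patch(patch, sha_file)
    weak = verify_patch(patch, md5_file)
    with open(patch, "r+b") as fh:  # flip one byte: a corrupted or substituted download
        fh.seek(10)
        fh.write(b"X")
    bad = verify_patch(patch, sha_file)
    return good, weak, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Where the vendor supplies a detached signature, run the signature check (for example gpg --verify) first; the checksum check above only establishes that the file matches whatever the vendor published, so its value depends on the checksum file itself having been obtained over a trusted channel.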

All this provides evidence in support of the process. This in itself will not make a system secure. What it will do is provide evidence that the organization cares about maintaining the security of its systems and data. This evidence will go a long way to demonstrating that the organization was not negligent in the event of a breach. What is important to remember here is not if a breach occurs, but when.

There have traditionally been a number of both commercial and non-commercial tools to check systems patching and vulnerabilities on UNIX systems. Though most of these do not focus specifically on Patch controls but rather scan for vulnerabilities in general they are none the less (and more so for this fact) an essential part of implementing and installing a secure Unix (or Linux) system. Some of the non-commercial products have been detailed below.

Tiger Analytical Research Assistant (TARA) is the next stage of the TAMU 'tiger' program. Output has been rationalized to provide a more readable report file. TARA has been tested under Red Hat Version 5.x, SGI IRIX, and Solaris.

"..tiger is a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS. 'tiger' was originally developed to provide a check of UNIX systems on the A&M campus that want to be accessed from off campus (clearance through the packet filter). As such, we needed something that *anyone* could run if they could figure out how to get it down to their machine."[1]

COPS is a UNIX security status checker. Cops checks various files and software configurations to see if they have been compromised, and checks to see that files have the appropriate modes and permissions set to maintain the integrity of your security level. The current version makes a limited attempt to detect bugs that are posted in CERT advisories.

Additionally, there are other packages that not only audit your system configuration but also automatically change the configuration to improve security. These are generally focused on a specific operating system, however. A couple of examples are listed below:

Solaris - Titan Security Toolkit - http://www.trouble.org/titan/
Linux - Bastille Linux - http://www.bastille-linux.org/

Additionally scanning tools such as Nessus (http://www.nessus.org/ ) are able to find a number of unpatched network services. Coupled with the native patch management tools for the system, a comprehensive evidential trail may be created to prove that your organization was not negligent.
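The compliance check an auditor performs against the vendor's recommended list, as an added example that is not part of the original post and not the output of any of the tools named above. It assumes patch identifiers in the Solaris "<base>-<revision>" form, that a later revision of the same base number supersedes the earlier one, and that a patch listed as obsoleted by an installed patch counts as applied. The recommended list, the "showrev -p" style output and the exception register are all constructed for illustration and refer to no real patch.

```python
"""Compare a vendor's recommended security patch list with what a host
reports as installed, allowing for a documented exception register.

Added example, not the page's own code. Patch ids follow the Solaris
'<base>-<revision>' form but are constructed; the showrev -p style lines and
the exception register are invented for illustration.
"""
import re

# Constructed vendor list: patch id -> description. A newer installed revision
# of the same base number satisfies the requirement.
RECOMMENDED = {
    "100001-03": "sample: named (BIND) remote buffer overflow",
    "100002-01": "sample: sendmail privilege escalation",
    "100003-03": "sample: sshd authentication bypass",
    "100004-05": "sample: kernel local denial of service",
}

# Constructed lines in the shape printed by Solaris 'showrev -p'.
SHOWREV_OUTPUT = """\
Patch: 100001-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbind
Patch: 100003-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsshdu
Patch: 100005-01 Obsoletes: 100004-05 Requires:  Incompatibles:  Packages: SUNWckr
"""

# Risk-based exception register (constructed): patch id -> justification.
EXCEPTIONS = {
    "100002-01": "sendmail not installed on this host; port 25 filtered at the firewall",
}

PATCH_RE = re.compile(r"^Patch:\s+(\S+)\s+Obsoletes:\s*([^R]*?)\s*Requires:")


def split_id(patch_id):
    """'100001-04' -> ('100001', 4)."""
    base, rev = patch_id.split("-")
    return base, int(rev)


def parse_showrev(text):
    """Return {base: highest installed revision}, counting patches that an
    installed patch obsoletes as installed too."""
    installed = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if not m:
            continue
        for pid in [m.group(1)] + m.group(2).split():
            base, rev = split_id(pid)
            installed[base] = max(rev, installed.get(base, -1))
    return installed


def audit(recommended, installed, exceptions):
    """Classify each recommended patch as 'installed', 'justified' (missing
    but covered by the exception register) or 'missing' (an audit finding).
    An installed revision older than the recommended one is still 'missing'."""
    report = {}
    for pid in sorted(recommended):
        base, rev = split_id(pid)
        if installed.get(base, -1) >= rev:
            report[pid] = "installed"
        elif pid in exceptions:
            report[pid] = "justified: " + exceptions[pid]
        else:
            report[pid] = "missing"
    return report


def findings(report):
    """The patch ids that are neither installed nor justified."""
    return sorted(pid for pid, status in report.items() if status == "missing")


if __name__ == "__main__":
    rep = audit(RECOMMENDED, parse_showrev(SHOWREV_OUTPUT), EXCEPTIONS)
    for pid, status in rep.items():
        print("%-10s %-45s %s" % (pid, RECOMMENDED[pid], status))
    print("findings:", findings(rep))
```

The report, run at intervals and retained with the exception register, is the kind of evidential trail the paragraph above refers to: it records not only which patches were applied but also why the others were not.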

Failures to Patch
One of the biggest causes of security incidents is unpatched systems. The failure to patch vulnerable systems in a timely manner exposes the organization to major risk.
The vast majority of security attacks and compromises across the Internet today succeed only because of the number of unpatched systems. This is especially the case with self-propagating attacks (e.g. worms), which rely on a combination of unpatched systems and poor anti-virus control processes to take hold initially and subsequently propagate. Many of the worm and virus infections within organizations are still caused by "old" malware for which fixes have been available for many years.

It is essential to develop patch deployment procedures that establish well defined processes within the organization to identify, test, and deploy patches as they are released. This step makes the patch maintenance process much more cost effective.

The patching of system vulnerabilities has become one of the most expensive and time-consuming recurring administrative tasks in the enterprise. The process is also prone to failure, as viruses and worms often use unpatched vulnerabilities as the initial entry point into a protected network and then use other techniques to propagate once inside. Any of the following factors can invalidate the process:
1. A patch is not identified and installed in time to mitigate damage.
2. Vulnerable systems are missed when the patch is deployed.
3. A defective patch does not properly close the vulnerability.
4. A defective patch has adverse effects on the system it is applied to.

Unpatched systems can result in other costs to the organization:
1. Costs connected with cleanup after an infection or security violation.
2. Loss of revenue from system outages and production declines.
3. Loss of reputation and/or customer confidence.
4. Legal liabilities from the compromise of sensitive records.
5. Loss or corruption of organizational data.
6. System downtime and inability to continue the activities of the business.
7. Theft of organizational resources.

When developing a patch maintenance process always ensure that the following points have been taken into account when patching security vulnerabilities;
1. Continuously Monitor systems for vulnerabilities
2. Identify vulnerable systems and determine severity based on a risk management process
3. Implement a work-around and create a response plan until a patch is available
4. Monitor and maintain a patch database for the organizations systems
5. Test patches for defects or adverse effects on your systems
6. For substandard patches, decide on an appropriate course of action
7. Recognize patch effects, such as a need to reboot systems.
8. Install patches in accord with a plan
9. Confirm patch effectiveness
10. Confirm patch does not create adverse situations
11. Review patch deployment

[1] From the original Tiger README file.

Lies, damned lies and statistics of defamation

I responded separately to a number of people yesterday, but due to volume and having to move office at work I will send a generalised response. I apologise to all those people who REALLY deserve an individual response for their heart felt replies.

First the statistics – I know, stats junkie.
[1] 65% of responses were positive
[2] 23% wanted to know what this was about (I will add some detail subsequently)
[3] 8% Thought me a loon and a nut (to some extent true) and told me where to go
[4] 4% Were of the “what the hell” variety

First, section [1]: here I have to say that a few of you managed to bring a tear to the eyes of a grumpy old cynic. I cannot thank you enough and will not attempt to do more than this (which is not to say that I am avoiding it – just that anything I state will undermine your replies).

Section [2]. I was alerted to a number of posts on blogs and peering websites. All of these posts have been removed. Here I have to thank the webmasters and others who manage these. I am extremely impressed by the speed with which these were taken down. I give a special thanks to the owner of a site: http://beifo.blogspot.com/. I also offer him an apology – he has taken down his site. He is a masters student at one of my Universities and felt that he could not manage to stop people posting things on his site whilst studying. I am REALLY sorry that you decided you had to remove your site because of others.

In stating that my credentials are not in order, this is an attack against not only myself, but SANS, the Universities I am with and my employer. So when people start to post that my qualifications are “proven to have inconsistencies” or that I have “lied and conned my way to those I seem to have” it is an attack against not only myself, but also others.

Section [3]. Well I am a loon a nut and many other things. I will respond to these replies in more detail (which is not to detract from [1]). I have not placed responses that are from section [1] but still state I am a loon in this part ;)
I believe in god, I do not believe in imaginary beings. There is a difference and a belief in god does not detract from technical qualifications. I do not evangelise and I respect the rights of others to have their belief.
Not watching TV does not make me a crack-pot. I am a crack-pot independent of TV. Also TV does not equal being able to follow news. I subscribe to ISN (http://www.isn.ethz.ch/news/) and read news online. I would state that not watching TV means that I am actually possessed of more knowledge not less of the state of world affairs. What I do not get is the latest news of Paris Hilton, Sports based intercessions etc.
All the info I posted is already available and if I am going to be the victim of identity theft it will not be a result of the former post alone.
A qualification in one subject does not mean that I am incapable of others.

Section [4]. If you do not like my posts – set up a filter and delete them. I am sending unsolicited email to a couple of you ALL the time as this is the purpose of an email list.

A generalised response to those who think (see [3]) that defamation has nothing to do with security.

In the US, Congress has endorsed legislative protections for intermediaries from liability for defamation through the Communications Decency Act[1]. In 47 U.S.C. §230, unambiguously positioned as internet regulation[2], the act introduced a series of "Good Samaritan" provisions as part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[3] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments or that the defendant was an information content provider. Under 47 U.S.C. § 230(f)(3), the court determined that "the website posts alleged in the complaint must constitute information furnished by third party information content providers" and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[4] and subsequently amended in 1998,[5] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[6]
In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This statute would seem[7] to afford absolute immunity from any responsibility. In contrast to the DMCA, the ISP or ICP may choose not to remove material even where it has actual knowledge of the defamatory nature of the material it is in fact hosting.[8] Notwithstanding the focal point of this legislation having been liability for defamation, it has been applied to seemingly unrelated auction intermediaries, including eBay.[9]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state party to the Brussels Convention. Otherwise, a judgment in one state will be enforceable in another only where there is a bilateral treaty providing for such reciprocal enforcement between them. Frequently, these treaties add formalities to the enforcement process that give the courts of the jurisdiction in which the defendant is situated discretion both as to whether to enforce, and to what degree. It is consequently vital when choosing a jurisdiction in which to bring suit to determine whether any judgment obtained is enforceable against a defendant who may in effect be judgment proof.

Defamation
The first claims in the UK of defamation using e-mail as a means of distribution occurred in the mid 1990s. In one, the Plaintiff alleged that the Defendant had published a message using a computer system asserting that the Plaintiff had been sacked for incompetence. The case did not include the service provider as a defendant. In another, more widely publicised case[10], a police officer who complained to his local branch of a national supermarket chain about an allegedly bad joint of meat was dismayed to discover that the store had distributed an e-mail to other branches of the chain. The subject of the e-mail stated: "Refund fraud -- urgent, urgent urgent". He settled with the chain for a substantial sum in damages and an apology in open court from the supermarket management.

This issue has also occurred in the US. Litigation was started against CompuServe[11], an intermediary, as a result of assertions made in an electronic newsletter[12]. CompuServe successfully argued that its responsibility was comparable to that of a library or a book seller. In Stratton-Oakmont, Inc. v Prodigy Service Co.[13], the plaintiff asserted that a communication distributed by an unidentified third party on Prodigy’s “Money Talk” anonymous feedback site damaged the plaintiff’s IPO due to the libellous nature of the message. It was asserted that this resulted in a substantial loss.

Prodigy filed a motion for summary judgment. It asserted that the decision in CompuServe[14] applied, making it a simple distributor of the communication and hence not liable for the substance of the message. The court determined that Prodigy was a publisher as it exercised editorial control over the contents of the "Money Talk" site. As the editors used screening software to eliminate offensive and obscene postings and used a moderator to manage the site, they could be held accountable for the posting of a defamatory statement. Prodigy settled but subsequently unsuccessfully attempted to vacate the judgment. The Communications Decency Act (CDA)[15] was subsequently enacted in the US to provide a defence to intermediaries that screen or block offensive matter originated by another. The CDA provides, inter alia, that the intermediary may not be treated as the publisher of any matter provided by another. Further, an intermediary shall not be liable for any action taken in "good faith" to restrict access to "obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable" material[16].


Users view the Internet as if it was a telephone service with no enduring record. E-mails frequently contain imprudent declarations and japes. These communications offer an evidential confirmation absent in a telephone exchange. Deleted e-mail can persist in a variety of locations and forms, including back-up tape or disk, on the ISP and may have been forwarded to any number of other people. Any of these are subject to disclosure in litigation[17].

Western Provident v Norwich Union[18] concerned a libel by e-mail. Communications exchanged within Norwich Union by its staff contained libellous statements about Western Provident's financial strength. The case settled at a cost of £450,000 in damages and costs. For electronic distributions, the moderators of bulletin boards and Internet service providers are implicated only if they exercise editorial control or otherwise know directly of a libellous communication. In Godfrey v. Demon Internet[19], Godfrey informed the ISP of the existence of a libellous communication on a site managed by Demon. Demon did not act to remove the communication for the two weeks that it remained available on the site. The court held that as soon as Demon was alerted to the communication it ought to have acted. It was held that:
“The transmission of a defamatory posting from the storage of a news server constituted a publication of that posting to any subscriber who accessed the newsgroup containing that posting. Such a situation was analogous to that of a bookseller who sold a book defamatory of a plaintiff, to that of a circulating library which provided books to subscribers and to that of distributors. Thus in the instant case D Ltd was not merely the owner of an electronic device through which postings had been transmitted, but rather had published the posting whenever one of its subscribers accessed the newsgroup and saw that posting”.[20]

Shevill v Presse Alliance[21] established that in the European Union, where an international libel is committed, an action for libel may be initiated against the publisher. This may be commenced either in the country in which the publisher is based or in any other country where the publication was disseminated and where the Plaintiff has suffered damage to reputation. There is little reason to doubt that principles applicable to libel through the press will apply equally to computer libel.

Australian defamation laws are complicated by their state-based nature in that they differ across each jurisdiction in content and available defences. Various Australian state laws include offence provisions for both civil defamation and criminal defamation. Civil liability arises as a consequence of publications that are expected to harm a person's reputation, and the penalties are monetary. Criminal liability arises as a consequence of publications that concern society, including those with a propensity to imperil the public peace, and penalties in the majority of jurisdictions include incarceration. Significant distinctions exist between civil and criminal defamation law in relation to both liability and defences.

The Western Australian Supreme Court decided in Rindos v. Hardwick[22] that statements distributed in a discussion list can be defamatory and lead to an action. The court thought that it was inappropriate to apply the rules differently to the Internet from other means of communications. The court acknowledged the instigator’s accountability for defamatory proclamations broadcast across a discussion group[23]. The matter of the liability of other participants on the list was not considered during the trial.

It is considered unlikely that an ISP would scrutinize all material presented across its network[24] and this may not be economically feasible[25]. Mann & Belzley address this through “targeting specific types of misconduct with tailored legal regimes”[26]. These regimes would leave the ISP responsible for the defamatory publications of its users where they have failed to take reasonable action to mitigate these infringements. The existing law in Australia leaves all parties considered to be a “publisher” liable[27]. Cases do exist[28] where ISPs have removed content proactively.

The common law defence of innocent dissemination exists in Australia. Thompson v Australian Capital Television[29] demonstrated this when Channel 7 asserted that transmission of a “live” show to the ACT retransmitted from Channel 9 NSW in effect placed it as a subordinate publisher that disseminated the material of the real publisher devoid of any material awareness or influence over the content of the show. They argued that this was analogous to a printer or newspaper vendor.

The High Court held that the defence of innocent dissemination is available to television broadcasts as well as printed works. In this instance it was held that the facts demonstrated Channel 7 maintained the capacity to direct and oversee the material it simulcast. The show was broadcast as a live program through Channel 7's choice. They chose this format in full knowledge that a diffusion of the show would be next to instantaneous. They were further conscious of the nature of the show, a “live-to-air current affairs programme”[30], and understood that this program carried an elevated risk of transmitting defamatory material. It was decided on the facts that Channel 7 was not a subordinate publisher on this occasion.
The Federal Broadcasting Services Act 1992[31] affords a legislative defence to an ISP or Internet Content Host (ICH) that transmits or hosts Internet based content in Australia if they can demonstrate that they were reasonably unaware of the defamatory publication. s.91(1) of Schedule 5 to the Broadcasting Services Act[32] grants that a law of a State or Territory, or a rule of common law or equity, has no effect to the extent to which the ISP “was not aware of the nature of the internet content”.

The BSA[33] defines "internet content" to exclude "ordinary electronic mail". This is a communication conveyed using a broadcasting service where the communication is not "kept on a data storage device". Consequently, the s.91 defence will not be available in cases concerning such material. In such cases, an ISP or ICH may still attempt to rely on the defence of innocent dissemination. The applicability of the common law defence of innocent dissemination remains to be determined by the Australian courts.[34] As a consequence, any reliance on these provisions by ISPs or ICHs carries a measure of risk.

Harassment
Harassment may occur through all forms of media, and the Internet is no exception. Junk mail, sexually offensive e-mails and threats delivered through online means (including both e-mail and instant messaging) are all forms of harassment. The inappropriate accessing of sexually explicit, racist or otherwise offensive material at the workplace is another form of harassment. This includes the sending of unwelcome messages that may contain offensive material to a co-worker.

E-mail Crimes and Violations
In reality, e-mail crime is not new. Instead, the Internet has enabled many old crimes to be reborn. Many morally violating acts such as child pornography have become far more widespread and simpler due to the ease and reach of e-mail. Many traditional crimes such as threats and harassment, blackmail, fraud and criminal defamation have not changed in essence, but the ease of e-mail has made them more prevalent.

Chain letter
Chain letters are another form of abuse that has migrated seamlessly from the physical world to cyberspace. A chain letter is an e-mail that is sent progressively from e-mail user to e-mail user. It will generally instruct the recipient to circulate further copies of the e-mail, usually to multiple recipients. These chain letters often promise rewards or spiritual gain if the e-mail is forwarded and may also threaten loss or harm if the recipient does not forward it. Often the authenticity of a chain letter cannot be verified, as the header information from the original sender has been lost in retransmission.

Mail bombing
Mail bombing is a simple attack that has been around for a long time. It involves the intentional sending of multiple copies of an e-mail to a recipient. The objective is simply to overload the e-mail server. This is achieved either by filling the user's inbox so that they cannot receive any more mail or by flooding the server connections. Flooding server connections is aimed at the general infrastructure, whereas flooding an inbox is aimed at an individual. Mail bombing is malicious and abusive even when aimed at an individual, as it can prevent other users from accessing the mail server.

Mail storm
A mail storm is a condition that occurs when computers start communicating autonomously. This process results in a large volume of junk mail. This may happen innocently through the auto-forwarding of e-mails when configured to a large number of mailing lists, through automated responses and through the use of multiple e-mail addresses. Additionally, malicious software including the Melissa and ILOVEYOU viruses can result in mail storms. Mail storms interfere with the usual communication of e-mail systems.
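The two abuse patterns above (mail bombing and mail storms) leave distinct fingerprints in a mail server's log: one sender hammering one recipient, or two addresses answering each other automatically. The following is an added example, not code from the original post, that counts messages per sender/recipient pair from log lines and labels each pattern. The log format is a simplified, constructed one (real MTAs log from= and to= on separate lines keyed by queue id), and the threshold is an assumed local policy.

```shell
#!/bin/sh
# Added example (not from the original post): spot mail bombing and
# mail storms from mail-server log lines by counting messages per
# sender/recipient pair. The one-line "from=<> to=<>" format is a
# constructed simplification; the threshold is an assumed policy.

# Constructed log sample: mallory floods bob (mail bombing); carol's
# auto-responder and a list bot keep answering each other (mail storm).
SAMPLE_MAILLOG='Mar  3 21:00:01 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:02 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:03 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:04 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:05 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:06 mx mta[1201]: from=<mallory@example.test> to=<bob@example.test> status=sent
Mar  3 21:00:09 mx mta[1201]: from=<alice@example.test> to=<bob@example.test> status=sent
Mar  3 21:01:00 mx mta[1201]: from=<list-bot@example.test> to=<carol@example.test> status=sent
Mar  3 21:01:01 mx mta[1201]: from=<carol@example.test> to=<list-bot@example.test> status=sent
Mar  3 21:01:02 mx mta[1201]: from=<list-bot@example.test> to=<carol@example.test> status=sent
Mar  3 21:01:03 mx mta[1201]: from=<carol@example.test> to=<list-bot@example.test> status=sent
Mar  3 21:01:04 mx mta[1201]: from=<list-bot@example.test> to=<carol@example.test> status=sent
Mar  3 21:01:05 mx mta[1201]: from=<carol@example.test> to=<list-bot@example.test> status=sent
Mar  3 21:01:06 mx mta[1201]: from=<list-bot@example.test> to=<carol@example.test> status=sent
Mar  3 21:01:07 mx mta[1201]: from=<carol@example.test> to=<list-bot@example.test> status=sent'

# mail_abuse_report LOG_TEXT THRESHOLD
# Prints one line per suspicious pair, sorted:
#   BOMB  <from> <to> <count>          one-way flood at or above THRESHOLD
#   STORM <addr1> <addr2> <n12> <n21>  both directions at or above THRESHOLD
mail_abuse_report() {
    printf '%s\n' "$1" | awk -v T="$2" '
        /from=</ && /to=</ {
            f = $6; sub(/^from=</, "", f); sub(/>$/, "", f)
            t = $7; sub(/^to=</,   "", t); sub(/>$/, "", t)
            n[f, t]++
        }
        END {
            for (k in n) {
                if (n[k] < T) continue
                split(k, p, SUBSEP); f = p[1]; t = p[2]
                if ((t, f) in n && n[t, f] >= T) {
                    # traffic is heavy both ways: automated ping-pong
                    if (f < t) print "STORM", f, t, n[k], n[t, f]
                } else {
                    print "BOMB", f, t, n[k]
                }
            }
        }' | LC_ALL=C sort
}

# Stand-alone run against the constructed sample (threshold of 4 in a log window).
mail_abuse_report "$SAMPLE_MAILLOG" 4
```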

Identity Fraud
Identity theft is becoming more widespread due to its ease and profitability. This action involves the stealing of someone's identity for fraudulent financial gain. It is in effect a larceny. The sending of e-mail offers that are too good to be true, fake websites and other forms of phishing are all used to capture an identity. Many groups specialize in the capture of information and make financial gains by selling this information to groups who will make illegitimate purchases or financial transactions.

[1] The Communications Decency Act of 1996 (CDA)
[2] 47 U.S.C. § 230(b) (2004) (emphasis added)
“It is the policy of the United States—
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and
(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.
[3] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc., 2007 WL 549111 (1st Cir. Feb. 23, 2007)
[4] 1996, Pub. L. 104-104, Title I, § 509.
[5] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).
[6] There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.
[7] There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).
[8] Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 102.
[9] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)
[10] As reported in the UK Telegraph by Kathy Marks on the 20th Apr 95. The policeman is quoted: "...If this had got out unchecked it could have done me serious professional harm. I am in a position of extreme trust and there has got to be no doubt...that I am 100 percent trustworthy".
[11] Cubby v CompuServe, 776 F.Supp.135 (S.D.N.Y. 1991). Another case, this time involving AOL was that of Kenneth Zeran v America On-line Incorporated heard by the United States Court of Appeals for the 4th Circuit (No. 97-1523 which was decided in November 1997). This was a case against AOL for unreasonably delaying in removing defamatory messages. The Court in 1st Instance and the Court of Appeal found for AOL.
[12] Compuserve offered an electronic news service named “Rumorville”. This was prepared and published by a third party and distributed over the CompuServe network.
[13] (NY Sup Ct May 24,1995)
[14] Ibid
[15] Communications Decency Act
[16] This was first made to include those postings even when that material is protected under the US Constitution. This has been subsequently amended.
[17] The EU Electronic Commerce Directive (No. 2000/31/EC) has now specifically limited the liability of an ISP to where it has been informed of a defamatory posting and has failed to remove it promptly as was the situation in Demon Internet. Lawrence Godfrey v Demon Internet Limited (unreported Queens Bench Division - 26th March, 1999)
[18] Western Provident v. Norwich Union (The Times Law Report, 1997).
[19] Godfrey v Demon Internet Ltd, QBD, [1999] 4 All ER 342, [2000] 3 WLR 1020; [2001] QB 201; Byrne v Deane [1937] 2 All ER 204 was stated to apply.
[20] Godfrey v Demon Internet Limited [1999] 4 All.E.R.342
[21] C.68/93
[22] Rindos v. Hardwicke No. 940164, March 25, 1994 (Supreme Ct. of West Australia) (Unreported); See also Gareth Sansom, Illegal and Offensive Content on the Information Highway (Ottawa: Industry Canada, 1995).
[23] Ibid, it was the decision of the court that no difference in the context of the Internet News groups and bulletin boards should be held to exist when compared to conventional media. Thus, any action against a publisher is valid in the context of the Internet to the same extent as it would be should the defamatory remark been published in say a newspaper.
[24] Recording Industry Association of America, Inc. (RIAA) v. Verizon Internet Services, 351 F.3d 1229 (DC Cir. 2003); See also Godfrey v Demon Internet
[25] Further, in the US, the Digital Millennium Copyright Act’s (DMCA’s) “good faith” requirement may not require “due diligence” or affirmative consideration of whether the activity is protected under the fair-use doctrine. In contrast, FRCP 11 requires “best of the signer’s knowledge, information and belief formed after reasonable inquiry, it is well grounded in fact and is warranted by existing law…”. Additionally, with the DMCA, penalties attach only if the copyright owner “knowingly, materially” misrepresents an infringement, so the copyright owner is motivated not to carefully investigate a claim before seeking to enforce a DMCA right.
[26] Brown & Lehman (1995) (The paper considers the arguments to creating an exception to the general rule of vicarious liability in copyright infringement for ISPs and those that reject this approach), available at http://www.uspto.gov/web/offices/com/doc/ipnii/ipnii.pdf.
[27] Thompson v Australian Capital Television, (1996) 71 ALJR 131
[28] See also “Google pulls anti-scientology links”, March 21, 2002, Matt Loney & Evan Hansen, www.News.com, Cnet, http://news.com.com/2100-1023-865936.html; “Google Yanks Anti-Church Site”, March 21, 2002, Declan McCullagh, Wired News, http://wired.com/news/politics/0,1283,51233,00.html; “Church v. Google: How the Church of Scientology is forcing Google to censor its critics”, John Hiler, Microcontent News, March 21, 2002, http://www.microcontentnews.com/articles/googlechurch.htm; “Lawyers Keep Barney Pure”, July 4, 2001, Declan McCullagh, Wired News, http://www.wired.com/news/digiwood/0,1412,44998,00.html.
[29] See Reidenberg, J (2004) “States and Internet Enforcement”, 1 UNIV. OTTAWA L. & TECH. J. 1
[30] Ibid.
[31]
[32] s.91(1) of Schedule 5 to the Broadcasting Services Act states:
(i) subjects, or would have the effect (whether direct or indirect) of subjecting, an internet content host/internet service provider to liability (whether criminal or civil) in respect of hosting/carrying particular internet content in a case where the host/provider was not aware of the nature of the internet content; or
(ii) requires, or would have the effect (whether direct or indirect) of requiring, an internet content host/internet service provider to monitor, make inquiries about, or keep records of, internet content hosted/carried by the host/provider.
[33] The Broadcasting Services Act specifically excludes e-mail, certain video and radio streaming, and voice telephony, and discourages ISPs and ICHs from monitoring content by the nature of the defence. See also, Eisenberg J, 'Safely out of site: the impact of the new online content legislation on defamation law' (2000) 23 UNSW Law Journal; Collins M, 'Liability of internet intermediaries in Australian defamation law' (2000) Media & Arts Law Review 209.
[34] See also EFA, Defamation Laws & the Internet

Wednesday, 5 March 2008

Defamation and the difficulties of law on the Internet.

This post goes to those cowards who sit behind anonymity on the web and cast doubt and aspersions about people whilst hiding. I note that most defamatory comments are anonymous. Cowards!

An anonymous poster stated that there are doubts about my qualifications. Anonymity is the shield of cowards; it is the cover used to defend their lies. My life is open and I have little care for my privacy - so in my case this is an easy charge to defend.

SANS GIAC
This is the daftest and easiest to contest.

http://www.giac.org/certifications/gse-compliance.php or go to http://www.giac.org/certified_professionals/ and type in "Craig Wright". It is not difficult to check.

As I am the ONLY GSE-Compliance (verify if you like) it is an EASY validation.
I do not use it on my title - long enough, but I am a SANS/GIAC Technical Director as well. This is harder to check, but email Stephen Northcutt if you like.

I have about 25 GIAC Certs - so please pick on them all you like.

ISACA
I do not know the process to validate with ISACA. However I have a CISA and CISM.

My ISACA ID is 187312

  • CISA No. 0542911
  • CISM No. 0300803

ISC2

I am CISSP/ISSMP/ISSAP # 47304. This is also easy to check on the ISC2 site.

https://webportal.isc2.org/custom/certificationverification.aspx (Though I have misspelled my home address with Lasarow - not Lisarow Doh).

ISFCE

I am a CCE - see the site for verification. http://www.certified-computer-examiner.com/list.htm

University

I also have a writeup on: http://www.infoage.idg.com.au/index.php/id;1151410747;fp;32768;fpid;597320227

My CSU (Charles Sturt University) student number is 11293457 (and was, as I am on my 3rd masters and starting Psych) http://www.csu.edu.au/. I have a Masters Degree in Management, but I try not to be too pointy haired. I also have IT degrees from here as well.

Yes - a small University, but accredited all the same.

Maybe it is my Statistics study at the University of Newcastle.

Student No. 3047661.

Newcastle is considered one of Australia's primary research universities.

I have just completed my LLM (International Commercial Law) with the submission of my dissertation on "Internet Intermediary Liability". This was with the University of Northumbria (UK). Student Number: 05024288

There are others, but these are the latest 3 Universities where I have been doing the last 5 post graduate degrees in my collection.

Am I to admit that my Associate degree in Science saw more drinking than study? Well this is true, I drank like a fish and turned up drunk to a couple of exams. I just passed them - but there is the point. I also do not use these any longer as, with several post graduate degrees - who cares what I did at the undergrad level?

Church and Religion

Or is the "bitch" that I am a member of the Uniting Church (and a trustee of the church) and also have qualifications in religion? Does being a casual pastor and planned deacon make it such that my IT degrees mean less?

See: http://www.unitingfinancial.com.au/resource/summer07-08_Lr.pdf

Or: http://www.burnside.org.au/content/Caring%20newsletter%20summer%2005.pdf

Dropping Out

Maybe the issue is that I dropped out of my first degrees? In 1989 I started a B.Eng/BSci double degree. I dropped out of the University of Queensland in 1992 (after my 3rd year). I have a reason for this. I had cancer. I thought that it was better to go back to my studies after I knew I would live. Sorry, but we all have priorities.

Being that I returned to University when I knew I would live, I do not have an issue with this. I dropped out. What of it? I also went back.

Other
I am a member of the IEEE, AIMS (Associate Fellow), ACM (1842188) and MANY other things.

I do not watch TV. I study, write and work with the church. To those cowards who want to challenge my qualifications - come forward and do it!

Finally

Have I paid all my University bills on time? No. As you can see I was late on some. They are all paid as at the moment (and I owe nothing to UNN - all complete, all paid). I owe UNN no more. I was up to my 3rd notice a couple of times, true, but I spend $35,000-65,000 on education and training EACH year/Every Year.


A final Note

I have several overlaps in my qualifications. I am doing several degrees at once. I am enrolled in the University of Newcastle, CSU and completing my LLM at UNN all at the same time. I know this is unusual, but I do multiple degrees at the same time.

Tuesday, 4 March 2008

Unnecessary Services

It is essential to always ensure that servers are hardened (i.e. patched and unused services removed) prior to having a system “go live”. The auditor’s role is to verify that any new system is configured against the baseline standard. A default install of nearly any operating system leaves a vast number of services running which, at best, will never be used and, at worst, leave ports open to external break-ins. The first stage in removing unneeded services is to work out which services are running on a host and to decide which are essential services needed for the operation of the system. UNIX is no different. In fact, the primary difference with UNIX is that although it starts with many enabled services, it can be quite simple to turn these off and configure the host as a bastion running only a single service.

In many cases it is also possible to further restrict the individual services on the host. Many services are configurable with access control conditions or lists to further restrict the services needed on a host. A good example of this would be restricting access via SSH to an administrative LAN using the SSH server configuration directives. Client systems and desktops, as well as servers and network devices, come installed with excessive services enabled by default. It is important to remember that removing them not only makes the system more secure but increases a system's efficiency and thus:

  1. Makes the systems better value for money (increases ROI),
  2. Makes administration and diagnostics on the host easier.
In this pursuit, netstat is one of the most effective tools available to the auditor. This tool lists all active connections in addition to the ports where programs are listening for connections. Simply use the command “netstat -p -a --inet” for a listing of this information. Note however that many versions of UNIX do not support the “netstat -p” option. Consequently, on those systems it may be necessary to use other tools (such as lsof) in order to map a listening port to its process.
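To turn that netstat listing into a repeatable audit step, here is an added example (not code from the original post or the book it describes) that parses the output of netstat -p -a --inet and reports every listening socket absent from an approved baseline. The sample netstat output, the baseline, and the sshd, master, rpcbind and inetd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening services
# against an approved baseline. On a live Linux host feed it with:
#   netstat -p -a --inet | listening_sockets
# (netstat -p shows other users' program names only when run as root.)

# Constructed sample of Linux "netstat -p -a --inet" output so the script
# runs offline; the addresses, PIDs and programs are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      540/rpcbind
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      620/inetd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           540/rpcbind'

# Approved baseline for this host, one "proto port program" per line.
# Anything listening that is not listed here is a finding for the auditor.
BASELINE='tcp 22 sshd
tcp 25 master'

# listening_sockets: read netstat output on stdin and print
# "proto port program" for each listening socket. TCP lines count only
# in LISTEN state; UDP lines have no State column, so each one counts.
listening_sockets() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); m = split($7, p, "/")
            print $1, a[n], (m > 1 ? p[2] : "-")
        }
        $1 ~ /^udp/ {
            n = split($4, a, ":"); m = split($6, p, "/")
            print $1, a[n], (m > 1 ? p[2] : "-")
        }'
}

# unexpected_listeners NETSTAT_TEXT BASELINE_TEXT
# Prints, sorted and one per line, every listener not in the baseline.
unexpected_listeners() {
    printf '%s\n' "$1" | listening_sockets | LC_ALL=C sort -u |
    while IFS= read -r entry; do
        printf '%s\n' "$2" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Stand-alone run against the constructed sample: telnet via inetd and
# the portmapper (rpcbind) on TCP and UDP 111 are reported as findings.
unexpected_listeners "$SAMPLE_NETSTAT" "$BASELINE"
```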

Monday, 3 March 2008

As a post script

I have had some interest in the research I do into farm automation. Expect something this weekend on this topic.

Some of what I have done in the past includes:

  • Wireless weather monitors and condition reporting (this includes dam levels and salinity)
  • RF and GPS cattle tagging
  • Remote (solar powered) paddock gates
  • Voltage monitoring on electric fencing (or lack of with bulls)
  • Stock movement tracking
  • Stock control
  • Databases to correlate, report and alert.

On top of this I am researching the mathematics of digital images. The reason? Correlating group colour and patterns with vegetation. This includes weed, grass types and drought reporting. To this end I highly recommend:

  • Hoggar, S.G. (2006) "Mathematics of Digital Images, Creation, Compression, Restoration, Recognition" Cambridge University Press, UK

As a final note - no, I have not secured all the farm systems. I know - naughty naughty. But as there is no Internet link (a private VPN on a controlled and isolated network is all) and the closest neighbour at the farm is 1.5 kilometers away... (add hills and the nearest line of sight being space) - meaning that at the moment an attacker has to get physical access, I have not done more than 40-bit WEP (and the RFID is worse).

Not a great amount tonight

I am working on completing Chapter 23 of my upcoming technical audit book, Auditing Unix and Linux. I have this and Web audit this week to complete and these chapters are a little more detailed than some of the others - so do not expect too much this week.

The material covered in the chapter includes:

Patching and Software Installation
· The Need for Patches
· Obtaining and Installing System Patches
· Validating the Patch Process
Minimizing System Services
· Guidance for Network Services
· Controlling Services at Boot Time
· inetd and xinetd
· Authentication Validation
Logging
· Syslog and Other Standard Logs
· System Accounting
· Process Accounting
Access Control
· Usernames, UIDs, the Superuser
· Blocking Accounts, Expiration, etc.
· Restricting Superuser Access
· Disabling .rhosts
Additional Security Configuration
· File System Access Control
· Kernel Tuning for Security
· Security for the cron System
Backups and Archives
· tar, dump, and dd
· Tricks and Techniques
Auditing to Create a Secure Configuration
· Building Your Own Auditing Toolkit
· File Integrity Assessment
· Fine Points of Find
Auditing to Maintain a Secure Configuration
· Reading Logfiles
· Password Assessment Tools
· Risk Assessment
· What Tools to Use
· How to Go About It
Auditing to Determine What Went Wrong
· Finding Hidden Disk Space
· Event Reconstruction
· Identifying Back Doors
· Anatomy of a Rootkit