Wednesday, 9 November 2011

Obscurity and PII

PII is Personally Identifiable Information. Right now, I see and hear many people talking about just how easy it is to take and use PII. That it sells for cents in the dollar.


I mean honestly, if all you do to manage the security of your finances is hide your head in the sand and trust to obscurity, then you deserve all that this approach entails. I may seem uncaring and I may come across as cruel here, but really, it is a simple process to actually protect your information.


The most commonly missed issue in security is WHY. We commonly fail to investigate the cause and need. PII is not about privacy, it is about stopping unauthorised applications and changes to your credit file. That is, it is all about stopping people doing things such as applying for a credit card or a home loan in your name. The main issue being a credit card.

In this, the issue is not whether a criminal can buy your information, but if they can steal money from you.

So why are we looking at PII as the issue?

The big issue is (as is common) awareness (or rather a lack thereof). There are real controls that stop the problem and are not ones that can fail catastrophically as obscurity does. This is something such as credit monitoring.

I will first state, I am simply a client of Veda. I pay them money and they provide a service. I have not been approached to talk about their product. I am plugging it as I use it and like the service. It is a security solution to PII.

I use “MyCreditFile”, a service by Veda (

For a dollar a week, I have any changes to my credit file reported to me. I can stop applications cold. I have had three attempts to apply for loans under my name and I do not hide any information (privacy is dead). Each time I have been notified. I have lost nothing but the time to send an email with a dispute notification.

It is that simple. There are similar agencies in the US, UK etc. So I have to ask WHY? Why care about PII? Like many security solutions, they address a problem that is a symptom and do not offer solutions at all.

It is about time we address the cause and implement solutions that actually solve the problem. Here, this is a simple solution to PII theft.


I use Quicken and I load my statements into it and check what I have spent. I scan my receipts and I reconcile my accounts. Not only is this good from a point of view of managing my accounts, I also know when something has occurred and I can lodge a hold within days.

We only win when we actually find controls that solve the problem and not ones that look at the symptoms.

Tuesday, 8 November 2011

Viewing Email headers

An e-mail message is composed of a message header and the subject body. An investigation involving e-mail may hinge on successfully capturing the e-mail header. The e-mail header is imperative as it holds information detailing the e-mail’s origin. This will include the source IP address of where it came from (this can be spoofed but it is less likely), the method used to send it and potentially who sent it. The subject body of the e-mail contains the message. Subsequent to copying the email message, the e-mail header can be retrieved. This process is different for each e-mail program.
Below we detail the process used to display the email headers in a number of common email clients.

Retrieving the Email Header (Microsoft Outlook)


1.      Open Outlook and open the copied email message.

2.      Right-click the message and click Options to open the dialog box.

3.      Select the header text and make a copy of it.

4.      Paste the header text in any text editor and save the file as Filename.txt.

5.      Hit <Alt-P> and take a screen image of the header. Print this Image.

6.      Save a Copy of the E-mail message as message.msg

7.      Close the program.

Retrieving the Email Header (Outlook Express)

1.      Open Outlook Express.

2.      Right-click the message and click Properties.

3.      To view the header, click Details.

4.      Click Message Source to view the details.

5.      Select the message header text and copy it.

6.      Paste the text in any text editor and save the file as Filename.txt.

7.      Save a copy of the e-mail (with the header) to disk.

8.      Hit <Alt-P> and take a screen image of the header. Print this Image.

9.      Close the program.

Retrieving the Email Header (Eudora)

1.      Open Eudora.

2.      Select and go to the Inbox folder.

3.      Double-click the message to select and open it.

4.      Select the message header text and copy it.

5.      Paste the text in any text editor and save the file as Filename.txt.

6.      Save a copy of the e-mail (with the header) to disk.

7.      Hit <Alt-P> and take a screen image of the header. Print this Image.

8.      Close the program.

Retrieving the Email Header (AOL)

1.      Open AOL.

2.      Open the e-mail message.

3.      Click the “DETAILS” link.

4.      Select the message header text and copy it.

5.      Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

6.      Hit <Alt-P> and take a screen image of the header. Print this Image.

7.      Close the program.

Retrieving the Email Header (Hotmail)

1.      Go to Hotmail and login using your web browser.

2.      Open the relevant e-mail message.

3.      Go to Options and click Preferences. For version No.8 click Mail Display Settings.

4.      Click Advanced Header. For version No. 8 go to Message Headers and click Advanced option.

5.      Select the message header text and copy it.

6.      Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

7.      Hit <Alt-P> and take a screen image of the header. Print this Image.

8.      Close the program.

Retrieving the Email Header (Yahoo)

1.      Open Yahoo.

2.      Go to Mail Options on the right hand side.

3.      Go to the General Preferences link and click “Show All Headers On Incoming Messages” and save the message.

4.      Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

5.      Hit <Alt-P> and take a screen image of the header. Print this Image.

6.      Close the program.

Retrieving the Email Header (Pine for UNIX)

1.      Start the e-mail client program by typing “pine” at the command prompt.

2.      For setup options press “S”.

3.      For the e-mail configuration press “C”.

4.      Exit the mode of configuration by pressing “E”.

5.      Save the changes by typing “Y”.

6.      After selecting the message using the arrow keys, select “O” from the lower screen.

7.      View the header by typing “H”.

8.      Close the program by typing “Q”.
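Once the header text has been saved (Filename.txt in the steps above), the origin information it holds can be read programmatically. The Python below is an added example, not part of the original post: it hashes the saved text, walks the Received: lines from origin to destination, and reports the sending method, the recorded addresses and any out-of-order timestamps. The sample header, host names and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample of a saved header file (example.* hosts and
# documentation-range addresses; not taken from a real message).
SAMPLE_HEADER = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
    by mail.example.org (Postfix) with ESMTP id 4F2A91C0
    for <investigator@example.org>; Tue, 8 Nov 2011 10:15:42 +1100
Received: from relay.example.com (relay.example.com [203.0.113.7])
    by mx.example.net with SMTP id x12si884;
    Tue, 8 Nov 2011 10:15:40 +1100
Received: from [192.168.1.23] (unknown [192.0.2.44])
    by relay.example.com with ESMTPA id 9b1c;
    Tue, 8 Nov 2011 10:15:37 +1100
From: "Sender" <sender@example.com>
Date: Tue, 8 Nov 2011 10:15:36 +1100
"""

# Address ranges that never identify a host on the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def evidence_hash(raw_header):
    """SHA-256 of the saved header text, so later copies can be verified."""
    return hashlib.sha256(raw_header.encode("utf-8")).hexdigest()

def _addresses(text):
    """Return every syntactically valid IP literal written in [brackets]."""
    found = []
    for candidate in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", text):
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # bracketed text that is not an address
    return found

def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None

def received_hops(raw_header):
    """Parse Received: lines into hops ordered from origin to destination.

    Each server prepends its own line, so the header is read bottom-up.
    """
    message = message_from_string(raw_header)
    hops = []
    for value in reversed(message.get_all("Received") or []):
        line = " ".join(value.split())        # unfold continuation lines
        clauses, sep, stamp = line.rpartition(";")
        if not sep:                           # no timestamp clause at all
            clauses, stamp = line, ""
        try:
            when = parsedate_to_datetime(stamp.strip())
            if when.tzinfo is None:           # "-0000" zone: treat as UTC
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from": _field(r"^from\s+(\S+)", clauses),
            "by": _field(r"\bby\s+(\S+)", clauses),
            "with": _field(r"\bwith\s+(\S+)", clauses),  # sending method
            "ips": _addresses(clauses),
            "time": when,
        })
    return hops

def likely_origin(hops):
    """First routable address recorded, starting from the earliest hop.

    Lines below the first server you trust can be written by the sender,
    so treat the result as a lead to corroborate, not as proof.
    """
    for hop in hops:
        for address in hop["ips"]:
            if not any(address in net for net in NON_ROUTABLE):
                return str(address)
    return None

def timeline_anomalies(hops):
    """Indexes of hops whose time is missing or earlier than the hop before."""
    flagged, previous = [], None
    for index, hop in enumerate(hops):
        when = hop["time"]
        if when is None or (previous is not None and when < previous):
            flagged.append(index)
        if when is not None:
            previous = when
    return flagged

if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADER)
    print(evidence_hash(SAMPLE_HEADER), likely_origin(hops), timeline_anomalies(hops))
```

Record the hash alongside the printed screen image so that the saved text file can later be shown to be unchanged.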

Effective Enforcement in the Wild Wild Web

1 Introduction

Some time ago Hilary E Pearson (1996) noted that, “in many cases, liability will depend upon how a court faced with a case of first impression analogizes a particular Internet service provider to more conventional categories of information providers. For example, should the service provider be viewed as the equivalent of the telephone company, purely a conduit for information? This might be the right analogy for the telecommunications link provider, but clearly does not fit the publisher. On the other hand, if the provider is viewed as analogous to a publisher of a printed publication, there is a much greater exposure to liability”[1].

Further, it was noted that the provider of a host computer for third party web pages could be compared to a printer or perhaps a distributor of printed publications. It could also be argued that a Usenet group or bulletin board is analogous to a library, so that the provider should be treated as the librarian.

The foremost dilemma with the study of electronic law is the complexity and difficulty in confining its study within simple parameters. Internet and e-commerce do not define a distinct area of law as with contract[2] and tort law. Electronic law crosses many legal disciplines, each of which can be studied individually. Examples of a range of areas of law that electronic, e-commerce, and Internet law touch upon can be seen in the following pages.

2 Remedy in Tort and Civil Suits

The availability of Internet intermediaries as co-targets for actions makes them susceptible to the actions of both their clients and also uninterested third parties for passing off and misleading and deceptive conduct. An action for intentional interference with business by unlawful means may also be possible. The tort of intentional interference with business by unlawful means may be available where the use of the trade mark is unlawful.

The courts generally seem willing to apply conventional fault-based tort principles to weigh up the behaviour of intermediaries. The instances in which comparatively egregious conduct has ended in the liability of the intermediary are few,[3] and the majority of cases conclude with the absolution of the intermediaries from blame.[4] Where a court decision has in effect declared that intermediaries hold considerable accountability for the behaviour of primary malfeasors, both the EU and the US Congress have acted to overrule that decision by legislating expansive exemptions from liability for the intermediaries.[5] The paths share not only the reflexive and unreflective fear that recognition of liability for intermediaries might be catastrophic to internet commerce; they also share a myopic focus on the idea that the inherent passivity of internet intermediaries makes it normatively inappropriate to impose responsibility on them for conduct of primary malfeasors. That idea is flawed both in its generalization about the passivity of intermediaries and in its failure to consider the possibility that the intermediaries might be the most effective sources of regulatory enforcement, without regard to their blameworthiness[6].

In the US, Congress has endorsed legislative protections for intermediaries from liability through defamation with the introduction of the Communications Decency Act[7]. In 47 U.S.C. § 230, it is unambiguously positioned as regarding internet regulation[8] that the act introduced a series of “Good Samaritan provisions” as a part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[9] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments on the website or that the defendant was an information content provider. Under 47 U.S.C. § 230(f)(3), the court determined “the website posts alleged in the complaint must constitute information furnished by third party information content providers” and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[10] and subsequently amended in 1998,[11] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[12]

In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This statute would seem[13] to afford absolute immunity from any responsibility. Contrasting the DMCA, the ISP or ICP could choose not to do away with material in the event that the ISP or ICP has tangible awareness of the defamatory nature of material it is in fact hosting.[14] Notwithstanding the focal point of this legislation having been towards liability for defamation, it has pertained to seemingly unrelated auction intermediaries, including eBay.[15]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a bilateral treaty creating the provision for such reciprocal enforcement between them. Frequently, these treaties add formalities surrounding the enforcement process that offer the courts of the jurisdiction in which the defendant is situated prudence both as to a decision to enforce, or to what degree. It is consequently vital when deciding on a jurisdiction to bring suit to decide if any judgment obtained is enforceable against a defendant who may in effect be judgement proof.

2. Cyber Negligence

Not acting to correct a vulnerability in a computer system may give rise to an action in negligence if another party suffers loss or damage as the result of a cyber-attack or employee fraud. Given proximity[16], a conception first established in Caparo Industries Plc. v. Dickman, [1990][17] and reasonable foreseeability as established in Anns v. Merton London Borough Council, [1978][18] A.C. 728, the question of whether there exists a positive duty on a party to act so as to prevent criminals causing harm or economic loss to others will be likely found to exist in the cyber world. The test of reasonable foreseeability has however been rendered to a preliminary factual enquiry not to be incorporated into the legal test.

The Australian High Court regarded a parallel scenario, whether a party has a duty to take reasonable steps to prevent criminals causing injury to others in Triangle Shopping Centre Pty Ltd v Anzil[19]. The judgment restated the principle established by Brennan CJ in Sutherland Shire Council v Heyman[20]. The capacity of a plaintiff to recover hinges on the plaintiff’s ability to demonstrate a satisfactory nexus (e.g. a dependence or assumption of responsibility) between the plaintiff and the defendant such that it gives rise to a duty on the defendant to take reasonable steps to prevent third parties causing loss to the plaintiff[21]. Consequently, if a plaintiff in a case involving a breach of computer security could both demonstrate that the defendant did not in fact take reasonable measures to ensure the security of their computer systems (as against both internal and external assault), and they show the act of the third person (e.g. an attacker/hacker or even a fraudulent employee) occurred as a direct consequence of the defendant's own fault or breach of duty, then an action in negligence is likely to succeed[22].

Many organisations state that current standards of corporate governance for IT systems pose a problem due to the large number of competing standards. However, it needs to be taken into account that all of these standards maintain a minimum set of analogous requirements that few companies presently meet. Most of these standards, such as the PCI-DSS[23] and COBIT[24], set a requirement to monitor systems. COBIT control ME2 (Monitor and Evaluate Internal Controls) is measured through recording the “number of major internal control breaches”. PCI-DSS at 10.5.5 states a minimum requirement to “use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. As a general minimum, it may be seen that an organisation needs to maintain a sufficiently rigorous monitoring regime to meet these standards.

Installation guidelines provided by the Centre for Internet Security (CIS)[25] openly provide system benchmarks and scoring tools that contain the “consensus minimum due care security configuration recommendations” for the most widely deployed operating systems and applications in use. The baseline templates will not themselves stop a determined attacker, but could be used to demonstrate minimum due care and diligence.

It is interesting to contrast this general proposition with a peculiar case where the plaintiff went to great lengths in an attempt to recover loss caused by its own negligence, namely loss suffered due to computer fraud perpetrated by its own employee in its own system.

In Mercedes Benz (NSW) v ANZ and National Mutual Royal Savings Bank Ltd[26] (unreported), the Supreme Court of New South Wales considered if a duty to avert fraud would occur in cases where there is an anticipated prospect of loss. The Mercedes Benz employee responsible for the payroll system fraudulently misappropriated nearly $1.5 million by circumventing controls in the payroll software. Mercedes Benz alleged that the defendants, ANZ and NMRB, were negligent in paying on cheques that were fraudulently procured by the employee and in following her direction. The plaintiff's claim was dismissed by the court. It was held that employers who are careless in their controls to prevent fraud using only very simple systems for the analysis of employee activities will be responsible for the losses that result as a consequence of deceitful acts committed by the organisations’ employees. It takes little deliberation to extend this finding to payment intermediaries.

The decision was founded on the judgment of Holt CJ in Hern v Nichols (1701)[27] that stated in "seeing somebody must be a loser by this deceit, it is more reason that he that employs and puts a trust and confidence in the deceiver should be a loser than a stranger"[28]. The question remains open as to the position that may result from unsound practices operated not by the plaintiff but by an organisation in supplying services under an outsourcing agreement. In either event, the requirement for an organisation to provide controls to ensure a minimum level of system security is clear.

The situation is further compounded in instances of cyber-attack that lead to a loss. An innocent third party that suffers an attack that originates from an inadequately secured system would be able to easily demonstrate a lack of reasonable care if the minimum consensus standards mentioned above are not achieved. Coupled with facts demonstrating that the attack originated from the defendant’s insecure system, the evidence would provide the requisite substantiation of both proximity and reasonable foreseeability.

3. Prevention is the key

The vast majority of illicit activity and fraud committed across the Internet could be averted or at least curtailed if destination ISPs and payment intermediaries implemented effective processes for monitoring and controlling access to, and use of, their networks. Denning (1999) expresses that, "even if an offensive operation is not prevented, monitoring might detect it while it is in progress, allowing the possibility of aborting it before any serious damage is done and enabling a timely response"[29].

As noted above, there is a wide variety of commonly accepted practices, standards and means of ensuring that systems are secured. Many of the current economic arguments used by Internet intermediaries are short-sighted at best. The growing awareness of remedies that may be attained through litigation coupled with greater calls for corporate responsibility[30] have placed an ever growing burden on organisations that fail to implement a culture of strong corporate governance. In the short term the economic effects of implementing sound monitoring and security controls may seem high, but when compared to the increasing volume of litigation that is starting to incorporate Internet intermediaries, the option of not securing a system and implementing monitoring begins to pale.

The Internet remains the wild, wild, web not because of a lack of laws, but rather the difficulty surrounding enforcement. The Internet’s role is growing on a daily basis and has reached a point where it has become ubiquitous and an essential feature of daily life both from a personal perspective and due to its role in the international economy. If an ISP is to be held liable for authorisation as an intermediary, it must have knowledge, or otherwise deduce that infringements are proceeding.[31] Although intermediaries commonly monitor their systems and have the means to suspect when infringements are occurring, Internet intermediaries also require the authority to prevent infringement if they are to be held liable for authorisation, a condition that entails an aspect of control.[32]


1. Barker, J. Cam, (2004) “Grossly Excessive Penalties in the Battle Against Illegal File-Sharing: The Troubling Effects of Aggregating Minimum Statutory Damages for Copyright Infringement”, 83 Texas L. Rev. 525

2. Bick, Jonathan D., (1998) “Why Should the Internet Be Any Different?” 19 Pace L. Rev. 41, 63

3. Bowne, A (1997) “Trade Marks and Copyright on the Internet” 2 Media and Arts Law Review 135

4. Collins M, (2000) “Liability of internet intermediaries in Australian defamation law” Media & Arts Law Review 209

5. Cooney, K (1997) “Liability for On-line Images: How an Ancient Right Protects the Latest in Net Functions” 16 Communications Law Bulletin 5

6. Demott, Deborah A. (2003) "When is a Principal Charged with an Agent's Knowledge?" 13 Duke Journal of Comparative & International Law. 291

7. Denning, Dorothy E. “Information Warfare and Security”, ACM Press, New York, 1999

8. Eisenberg J, (2000) “Safely out of site: the impact of the new online content legislation on defamation law” UNSW Law Journal

9. Gilchrist, Simon (1998) “Telstra v Apra –Implications for the Internet” [1998] CTLR 16.

10. Hare, Christopher (2004) “Identity Mistakes: A Missed Opportunity?” The Modern Law Review, Volume 67 Page 993 - November 2004 Volume 67 Issue 6

11. Harmon, Amy (2003) “Subpoenas Sent to File Sharers Prompt Anger and Remorse”, N.Y. Times, July 28, 2003, at C1.

12. Hazen, Thomas L. (1977) “Transfers of Corporate Control and Duties of Controlling Shareholders. Common Law, Tender Offers, Investment Companies. And a Proposal for Reform” University of Pennsylvania Law Review, Vol. 125, No. 5 (May, 1977), pp. 1023-1067

13. Kao, A. (2005) “RIAA v. Verizon: Applying the Subpoena Provision of the DMCA”, 19 Berkeley Tech. L.J. 405, 408.

14. Kraakman, Reinier H. (1984) “Corporate Liability Strategies and the Costs of Legal Controls”, Yale Law Journal April, 1984 (93 Yale L.J. 857)

15. Landes, William & Lichtman, Douglas, (2003) “Indirect Liability for Copyright Infringement: An Economic Perspective”, 16 HARV. J.L. & TECH. 395.

16. Lemley Mark A. & Reese, R. A., (2004) “Reducing Digital Copyright Infringement without Restricting Innovation”, 56 STAN. L. REV. 1345.

17. Leroux, Olivier (2004) “Legal admissibility of electronic evidence 1”, International Review of Law, Computers & Technology; Volume 18, Number 2 / July 2004; Pp 193-220

18. Lichtman, Douglas Gary & Posner, Eric A., (July 2004). "Holding Internet Service Providers Accountable". U Chicago Law & Economics, Olin Working Paper No. 217. Available at SSRN; DOI: 10.2139/ssrn.573502 (viewed 15 Jan 2008)

19. Lim, YF, (1997) “Internet Service Providers and Liability for Copyright Infringement through Authorisation” 8 Australian Intellectual Property Law Journal 192.

20. Loughnan, S., (1997) “Service Provider Liability for User Copyright Infringement on the Internet” 8 Australian Intellectual Property Law Journal 18

21. MacMillian, Blakeney “The Internet and Communications Carriers’ Copyright Liability” [1998] EIPR 52

22. Mann, Ronald J., (2004) “Regulating Internet Payment Intermediaries”, 82 Texas L. Rev. 681, 681

23. Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1, at 27 July 2007

24. Olovsson, Tomas, (1992) “A Structured Approach to Computer Security”, Department of Computer Engineering Chalmers University of Technology, Gothenburg SWEDEN, Technical Report No 122, 1992

25. Paynter, H & Foreman, R (1998) “Liability of Internet Service Providers for Copyright Infringement”, University of NSW Law Journal, [1998] UNSWLJ 61

26. Quimbo, Rodolfo Noel S (2003) “Legal Regulatory Issues in the Information Economy”, e-ASEAN Task Force, UNDP-APDIP (MAY 2003)

27. Reidenberg, J (2004) “States and Internet Enforcement”, 1 UNIV. OTTAWA L. & TECH. J. 1

28. Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defense system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Pp 164 - 173

29. Shapiro, Andrew L., (1998) “Digital Middlemen and the Architecture of Electronic Commerce”, 24 OHIO N.U. L. REV. 795

30. Slawotsky, Joel (2005) “Doing Business around the World: Corporate Liability under the Alien Tort Claims Act” 2005 MICH. ST. L. REV. 1065

31. Smith, Russell. (2000) “Confronting fraud in the digital age”, Presented at Fraud prevention and control conference, Gold Coast Australia 24-25 August 2000

32. Tickle, K. (1995) “The Vicarious Liability of Electronic Bulletin Board Operators for the Copyright Infringement Occurring on Their Bulletin Boards”, 80 Iowa Law Review 391 at 397

33. Williams, K. S. (2003) “Child Pornography and Regulation on the Internet in the United Kingdom: The Impact on Fundamental Rights and International Relations”, Child Abuse Review, Volume 14, Issue 6 , Pages 415 – 429 (Special Issue: New Technologies . Issue Edited by Bernard Gallagher). Published Online: 20 Dec 2005, John Wiley & Sons, Ltd.

34. Wu, Tim, (2003) “When Code Isn’t Law”, 89 Va. L. Rev. 679

35. Zittrain, Jonathan (2003) “Internet Points of Control”, 44 B.C. L. REV. 65

[1] The distributed nature of the Internet means that a publisher can reach far more people. A company with a web site in the UK for instance has direct access to the US, Canada, Australia and many other countries with the primary limitations being language.

[2] It has been argued that the digital contract may appear on the computer screen to consist of words in a written form but merely consist of a virtual representation. The Electronic Communications Act 2000 [ECA] has removed the uncertainty and doubt surrounding the question as to the nature of electronic form used in the construction of a contract. In this, the ECA specifies that the electronic form of a contract is to be accepted as equivalent to a contract in writing.

[3] See A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D. Cal. 2000).

[4] For criticism of this perspective, see Landes & Lichtman.

[5] The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs for liability as the “publisher or speaker of any information provided by another information content provider”), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches to the issue by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability).

[6] Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1, at 27 July 2007

[7] The Communications Decency Act of 1996 (CDA)

[8] 47 U.S.C. § 230(b) (2004) (emphasis added)

“It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.

[9] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v., LLC , CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc. , 2007 WL 549111 (1st Cir. Feb. 23, 2007)

[10] 1996, Pub. L. 104-104, Title I, § 509.

[11] 1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).

[12] There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.

[13] There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).

[14] Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 102.

[15] Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)

[16] Proximity, a notion first established in Caparo Industries Plc. v. Dickman, [1990] 2 A.C. 605, is the initial phase of the assessment. The subsequent phase enquires as to whether there are policy considerations which would reduce or counteract the duty created under the initial stage. Mutually, the phases are to be met with reference to the facts of cases previously determined. The dearth of such cases would not however avert the courts from finding a duty of care.

[17] [1990] 2 A.C. 605

[18] [1978] A.C. 728

[19] Modbury Triangle Shopping Centre Pty Ltd v Anzil [2000] HCA 61.

[20] (1985) 157 CLR 424.

[21] Dixon J elucidated how a “special relationship” of this variety may occur in Smith v Leurs (1945) 70 CLR 256. This case was derived from an indication of occurrences that entail a special danger and the control or of actions or conduct of the third person; See also [2000] HCA 61, para 140.

[22] See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05

[23] PCI-DSS (version 1.1) is the Payment Card Industry Data Security Standard and is contractually required to be adhered to by all merchants that process VISA, Mastercard and other payment card products. This requirement and standard is maintained by the PCI Standards Council at

[24] COBIT v 4.1 is the computer control objectives and standard maintained by ISACA at

[25] CIS benchmark and scoring tools are available from

[26] No. 50549 of 1990.

[27] (1701) 1 Salk 289

[28] Id., at 358.

[29] Dorothy E. Denning, Information Warfare and Security, ACM Press, New York, 1999

[30] See for instance Hazen (1977); Gagnon, Macklin & Simons (2003) and Slawotsky (2005)

[31] Ibid, Gibbs J at 12-13; cf Jacobs J at 21-2. See also Microsoft Corporation v Marks (1995) 33 IPR 15.

[32] Ibid, University of New South Wales v Moorhouse, supra, per Gibbs J at 12; WEA International Inc v Hanimex Corp Limited (1987) 10 IPR 349 at 362; Australasian Performing Right Association v Jain (1990) 18 IPR 663. See also Lim YF, 199-201; S Loughnan, See also BF Fitzgerald, “Internet Service Provider Liability” in Fitzgerald, A., Fitzgerald, B., Cook, P. & Cifuentes, C. (Eds.), Going Digital: Legal Issues for Electronic Commerce, Multimedia and the Internet, Prospect (1998) 153.

Monday, 7 November 2011

Lecture/Webinar–Reversing code.

This is a lecture series on code reversing. We start with MASM/NASM and work towards an analysis of Packed and crypt'd code in malware and software protection systems.

The free series is designed to start with little direct assembly knowledge and to lead to a detailed understanding of reversing code from machine language into a higher level language (such as C).

Register Now at:

This Lecture series/Webinar is held monthly on the fourth Thursday from:
Nov 24, 2011 to Nov, 2012 7:00 PM - 8:00 PM AEDT

Webinar Invitation: Join us for "Cyber (Crime / Espionage / Terror)"

The dates for the next few lectures are up. A few issues with GOTO Meeting have been sorted and these lectures are linked below:



      The links to the archived lectures will be up in a single post later this week.
          In this series of 24 lectures we discuss cyber-crime, cyber-terror and cyber-espionage as well as the links to state-based players.


      Fraud covers an assortment of irregularities and illegal acts distinguished by intentional deception. Fraud is legally defined as:

      • A representation about a material fact
      1. Which is false
      2. And made intentionally, knowingly, or recklessly so
      3. Which is believed
      4. And acted upon by the victim
      5. To the victim’s damage

      The stages of fraud can be exemplified by The Fraud Triangle (figure 1). People who commit fraud are normally able to do so due to a combination of opportunity, pressure, and a rationalization.

      The Fraud Triangle

      Most frauds, particularly the really large ones (WorldCom, Enron, etc.), could not have transpired without the right person with the right capabilities. Opportunity provides the possibility of a fraud occurring, and incentive and rationalization can move the individual toward committing a fraud. But the individual requires the ability to recognize the “opportunity” and to derive benefit from it. This will then generally occur, not just once, but time and time again.

      Frauds are more often discovered due to repeated occurrences.


      Figure 1: The Fraud Triangle[1]

      Opportunity is usually presented through a combination of events leading to a weakness in the internal controls. Some examples include inadequate (or non-existent):

      • Supervision and review,
      • Separation of duties,
      • Management approval, and
      • System controls (including monitoring).

      Pressure (or incentive) can face an individual due to a combination of factors such as:

      • Financial problems,
      • Family breakdowns,
      • Personal vices (gambling, drugs, prostitution, extensive debt, etc.), and
      • Unrealistic deadlines and performance goals being set by the organization.

      Rationalization transpires when a person learns to justify their activities. They start to see their fraud as being acceptable. The process of rationalizing fraud varies by circumstance and the personality of the individual. Some examples of justifications that have been stated in fraud cases include:

      • “I really needed the money and I did intend to return it when I got my pay check”,
      • “I’d rather have the company on my back than the IRS”,
      • “The company has more money than they know what to do with. My little bit should not have been noticed”,
      • “Those criminals in head office are bigger crooks than I am”, and
      • “I just can’t afford to lose everything. I have worked too hard to get my home and my car. I could not stand to lose everything”.

      It is essential to consider controls that minimize the chances and effect of fraud in an organization.

      [1] See Occupational Fraud and Abuse, by Joseph T. Wells, CPA, CFE (Obsidian Publishing Co., 1997) and Fraud Examination, by W. Steve Albrecht (Thomson South-Western Publishing, 2003).

      Sunday, 6 November 2011

      Security News and Views Podcast

      Security Podcast is now up for the weekend.

      Individual Accountability

      Individual accountability is the measurement of whether or not each group member has achieved the group’s goal. It involves assessing the quality and quantity of each member’s contributions and giving the results to all group members[1].

      Individual accountability is the factor that shows that the organization is acting cooperatively and also demonstrates due diligence and effective governance. “The purpose of cooperative groups is to make each member a stronger individual in his or her own right”[2].

      There are numerous methods that may be used to structure and increase individual accountability. Some of these include:

      • Periodically testing staff to see if they understand the policies of the organization,
      • Ensuring that controls are enforced fairly throughout the organization.

      Individual accountability reduces fraud. By instilling a level of personal accountability and ethical responsibility within the organization’s staff, lower rates of incidents can be expected.

      Group vs. Individual Accountability

      Groups perform as groups when they are treated as groups. If we treat individuals only as individuals, they will not perform as a group.

      Controls over accountability need to apply at both the individual and group levels. It is common to blame an individual for the failings of a control without looking at the root cause.

      Privileged Users

      Controls need to be implemented to ensure that a level of accountability and monitoring is assigned to privileged users (such as the root account on UNIX and Administrator accounts in Windows).

      Privileged users consist of more than just the administrative user. When setting controls over privileged users consider operator accounts (such as backup operators and those personnel who issue user accounts) and implement both preventative and detective controls at a minimum.

      One of the most frequently overlooked areas when considering privileged users is that of network and peripheral equipment. It is common for routers and other network devices to be poorly configured and use insecure access and accounting controls.

      [1] Johnson, D., Johnson, R. & Holubec, E. (1998). Cooperation in the classroom. Boston, US: Allyn and Bacon.

      [2] Johnson, Johnson, & Holubec, 1998, p. 4:17


      There is a definitional distinction between the legal use of the term "non-repudiation" and the common use that has taken hold within IT. In legal terminology an alleged signatory to a document is at all times able to repudiate a signature that has been attributed to him or her. The basis for a repudiation of a traditional signature may include:

      • The signature is a forgery;
      • The signature is not a forgery, but was obtained via:
      • Unconscionable conduct by a party to a transaction;
      • Fraud instigated by a third party;
      • Undue influence exerted by a third party.

      The universal rule of evidence is that if an individual denies a signature (or the creation of a transaction), then it falls upon the party that is relying on the signature to prove that the signature is truly that of the person who has denied it. In legal terminology, the terms "deny" and "repudiate" are synonymous.

      The common law trust mechanism developed to prevail over a false claim of non-repudiation is known as witnessing. Witnessing occurs at the time the signature is being affixed. An independent witness to the signing of a document reduces the ability of the signatory to successfully deny the signature as a forgery at a later date through the provision of contradictory evidence.

      From an organizational perspective, the aim is not to remove the ability for an individual to deny a transaction, but rather to ensure that sufficient evidence exists to enable the organization to successfully prove that the transaction or signature was created by the party who is supposed to have created it. In order to support non-repudiation, an organization needs to consider the following technical controls:

      • Digital signatures
      • Secure timestamps
      • Secure audit logs
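
The secure audit log control listed above, as an added example that is not from the original post: each entry carries a timestamp and a tag that chains it to the previous entry, so an edit or deletion shows up on verification. It assumes an HMAC key held only by the logging service as a stand-in for a digital signature (an HMAC shows tampering but, being symmetric, does not prove origin to a third party); the function names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first entry chains to


def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so identical fields always serialize to identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, ts: str, actor: str, action: str) -> dict:
    """Append an entry whose tag covers its own fields and the previous tag."""
    prev = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "prev": prev}
    entry = dict(body, tag=_tag(key, body))
    log.append(entry)
    return entry


def first_bad_entry(log: list, key: bytes, expected_head: str = None):
    """Return the index where verification first fails, or None if the log is intact.

    expected_head is the last tag as recorded outside the log (the value that
    would be signed and timestamped); without it, removal of the newest
    entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        intact = (body.get("seq") == i and body.get("prev") == prev
                  and hmac.compare_digest(str(entry.get("tag")), _tag(key, body)))
        if not intact:
            return i
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def build_sample_log(key: bytes) -> list:
    # Constructed sample events, not taken from any real system.
    log = []
    append_entry(log, key, "2011-11-06T09:00:00Z", "alice", "approve payment 1001")
    append_entry(log, key, "2011-11-06T09:05:00Z", "bob", "create account carol")
    append_entry(log, key, "2011-11-06T09:10:00Z", "alice", "approve payment 1002")
    return log
```

Verification without the externally recorded head tag still passes on a log whose newest entries were removed, which is why the head is the value to sign and timestamp.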

      The Concepts of Organizational OPSEC (Operations Security)

      There are a number of specialist topics in organizational OPSEC and concepts that need to be defined before going into detail. These include:

      • Trusted Computing Base (TCB). The totality of protection mechanisms within a computer system including hardware, firmware, and software. The combination is responsible for enforcing a security policy.
      • Malware Management. Malware management is more than an Anti-Virus system. Any system that gives administrative control to a user allowing the loading or execution of any software has an increased vulnerability to malware (such as worms, viruses and trojans) and risk from unexpected software interactions. This can lead to the subversion of security controls.
      • Principle of Least Privilege. Never grant users more than the least level of access to a system that is needed for them to be able to complete their roles or jobs. That is, if a user needs Read only access to a file, set their permissions to only allow read access blocking write permissions such that they cannot modify the data.
      • Privileged operations. This type of operation includes the use of:
      1. Operating system control commands,
      2. The ability to configure interfaces,
      3. Rights to access audit logs,
      4. The ability to manage user accounts,
      5. The ability to configure security mechanisms and controls,
      6. The privileges to back up and restore data, etc.
      • Privacy. The privacy of data involves the protection of personal information from disclosure to an unauthorized party (either being an individual or organization). This involves the maintenance of confidentiality.
      • Legal requirements. Adherence to the law and regulatory controls is the foundation or baseline upon which a security infrastructure can be built. At a minimum, it is necessary to adhere to the requirements imposed by law on the organization.
      • Illegal activities. This involves being able to identify both the criminal and tortious (see the “Information Systems Legislation” chapter). An organization needs to be able to facilitate attribution. Attribution is the discovery of who is responsible and proving it through the use of evidence. The organization should also be able to support non-repudiation of transactions.
      • Record retention. The organization’s policy needs to define what information is collected and maintained, and how long it is to be kept. This aspect of OPSEC is commonly driven by regulatory and legal requirements such as consent to monitoring, and financial controls (e.g. SEC filing or Tax rules).
      • Marking. Marking is the process of setting a classification on the data stored on media.
      • Handling. The transportation of media from one point or place to another securely is the realm of handling. This involves media control from purchase through to storage and lastly destruction.
      • Storage. Data needs to be stored in secured facilities. These should maintain the temperature and humidity within a controlled range.
      • MTTF. All media have an MTTF (mean time to failure). This is dictated by the number of times the media can be re-used or by a time-based life.
      • Destruction. Any media that has reached or exceeded its MTTF needs to be replaced. When destroying the old media, it should first be purged before being destroyed. This process is commonly referred to as sanitization. It involves any number of processes that prepare the media for destruction. This could include wiping hard drives and other magnetic media or degaussing. The idea is to either return the media to its original pristine, unused state or render it permanently unusable and unrecoverable.
      • PII. Personally Identifying Information (PII) is any information that may be used to identify an individual. This includes information such as a Social Security number (USA), TFN or Tax File Number (Australia), Credit Card and Banking details and other forms of ID.

      In addition, there are a number of legal terms associated with operations security. Good corporate governance (and as an offshoot, good IT governance) require that due care and due diligence

      • Due Care. This involves the use of a reasonable level of care in order to guard the interests of the organization from risk and consequently damage.
      • Due diligence. This is the practice of activities that are designed to maintain due care within the organization.

      Together, due care and due diligence form the foundations of governance. Effective governance is often the only way to disprove negligence if an incident ends up as an action in a court of law.