Thursday, June 25, 2009

Punishment Fitting The Crime

In the realm of computer security and ethics, it is important that criminals be punished as a deterrent to would-be criminals everywhere. For example, if the SPAM KING goes to jail and pays millions of dollars in fines for filling our mail with junk mail, which he personally profited greatly from, that is reasonable.

In the news, we have two stories today. First, TJX (parent company of such chains as TJ Maxx) was fined $9.75 million for a huge breach of customer data. The Ukrainian hacker who masterminded the theft of 94 million credit card accounts from TJX has been sentenced to 30 years in jail. (Believe me, he is going to a Turkish prison for this crime and I can't imagine this will be a pleasant sentence. I think it makes our high-security prisons look like country clubs.) Eleven people who were involved have been convicted to date. Here is more, from SC Magazine:

TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.

Under the agreement, TJX will pay $5.5 million in settlement fees, plus $1.75 million to cover the cost of the states' investigations. In addition, the company will provide $2.5 million to establish a new Data Security Fund that states will use for a number of data security initiatives, including researching the benefits of technology, developing best practices or model laws, and establishing consumer outreach programs.

On the other hand, Jammie Thomas-Rasset, an unemployed single mother from Minnesota, was fined $1.92M by a federal jury for reportedly downloading 24 songs. Is this proportionate? Is it at all befitting of the crime? These 24 songs could have been downloaded for $24.76 from iTunes, yet she is attacked by the RIAA and fined nearly two million dollars. No, I don't think we have our priorities straight in this country. We are wasting the time of the courts and attacking our citizens when there are real crimes to be dealt with.

(I understand her first lawyer had to back out, citing $130,000 in unpaid legal bills for defending her against the RIAA in the first case, which was declared a mistrial due to incorrect instructions given to the jury by the judge.)

Here is what Ms. Thomas-Rasset got for $1.92M:

  • Guns N' Roses "Welcome to the Jungle"; "November Rain"

  • Vanessa Williams "Save the Best for Last"

  • Janet Jackson "Let’s Wait Awhile"

  • Gloria Estefan "Here We Are"; "Coming Out of the Dark"; "Rhythm is Gonna Get You"

  • Goo Goo Dolls "Iris"

  • Journey "Faithfully"; "Don’t Stop Believing"

  • Sarah McLachlan "Possession"; "Building a Mystery"

  • Aerosmith "Cryin’"

  • Linkin Park "One Step Closer"

  • Def Leppard "Pour Some Sugar on Me"

  • Reba McEntire "One Honest Heart"

  • Bryan Adams "Somebody"

  • No Doubt "Bathwater"; "Hella Good"; "Different People"

  • Sheryl Crow "Run Baby Run"

  • Richard Marx "Now and Forever"

  • Destiny’s Child "Bills, Bills, Bills"

  • Green Day "Basket Case"

Well, I do love Journey, so I'll buy that it's worth $160,000 for those two songs, but Reba McEntire?? Come on now!

Wednesday, June 10, 2009

Social Networking: Manageable With Good Enterprise Policy

The following article comes from Security Wire Daily:

A majority of attacks on the Internet depend upon the exploitation of human nature through the abuse of trust. It is human nature, for example, to feel comfortable with Web-based social networks that include our friends and family. We don't expect these people to be hosting anything on their pages that would "attack" us.

Likewise, most wikis are created by well-meaning people, typically subject matter experts, and we tend to trust experts. We don't expect a page full of useful information to contain anything that would be harmful. However, there is plenty of evidence that such Web pages are being used to distribute malware, almost always without the knowledge of the page owner or creator.

In November 2007, the MySpace profiles of Alicia Keys and a number of other recording artists were found to be serving up malicious code. McAfee Inc. also recently reported a malicious MySpace friend request which, when clicked, popped up an apparently legitimate "Automatic Update" window that, in fact, tries to download what McAfee described as a "malware cocktail" containing additional downloaders, several Trojans and a remote administration tool.

So, in addition to enterprise concerns over productivity losses to social networks and privacy issues arising from their use, particularly at work, there are now some direct security threats in play, including network compromise via infected pages. (To get a measure of just how much "drive-by" malware is being distributed by Web pages -- including but not limited to social networks -- take a look at "The Ghost in the Browser" published last year by researchers at Google.)
