Chey Cobb web site
Newsscan Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP

The Three Biggest Computer Security Problems of 2002
As 2002 winds to a close we thought we would highlight the three biggest things to happen in computer security this year, things that will shape the security landscape next year, and possibly beyond.


We begin with the Federal Trade Commission's action in two cases: Eli Lilly and Microsoft Passport. The Eli Lilly matter involved the inadvertent exposure of personally identifiable information (PII) due to what the FTC concluded was a lack of adequate security. The FTC also concluded that, because Eli Lilly had made a promise to protect the privacy of the persons whose information was exposed, the failure to keep that promise constituted a deceptive business practice (a category of conduct made illegal under the 1938 revision of the original 1914 act that created the FTC).


The actual incident occurred in the summer of 2001 and involved a coding error in a mailing program used to notify 600 subscribers to an e-mail reminder service that it was being discontinued. The error resulted in all subscribers seeing the e-mail addresses of all the other subscribers. This would probably have been dismissed as nothing more than an embarrassing snafu if the e-mail had been from giantsfans.com. But it was from prozac.com and, not surprisingly, some of the exposed recipients were upset. They complained to the ACLU, which urged the FTC to investigate.


The settlement was announced in January and mandated an extensive corporate computer security program, with government oversight, for a period of 20 years. A similar mandate appeared in the settlement that the FTC reached with Microsoft over privacy promises made in connection with the Passport product. Those promises were deemed to be deceptive, not because any PII was exposed, but because the product was plagued by security vulnerabilities. Corporate IT departments across America would do well to place on their walls the words of FTC Chairman Timothy Muris announcing the settlement this August: "Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It is not only good business, it's the law. Even absent known security breaches, we will not wait to act."


The next big thing in security this year was the continued spread of truly malicious code, with names like Klez, Nimda and Bugbear. Apart from being highly infectious -- using both e-mail and local network shares to spread -- they are a serious threat to confidentiality, one of the three pillars of computer security (the other two being integrity and availability).

We have grown accustomed to thinking of viruses as a threat to system and data integrity and availability, corrupting files, clogging and crashing systems, and so on. But these new strains expose PII and other data. Some e-mail a random selection of your -- quite possibly confidential -- documents to random recipients. Bugbear actually installs a backdoor on infected computers, allowing outsiders to get in at some later date, for whatever purpose. On top of that, it installs a keystroke logging program, recording things like account names, numbers, and passwords. Painful as it might be, we should all take some time to think about the implications of millions of Trojanized machines spilling data and launching attacks.


The third big thing is the rise of identity theft, a crime we highlighted in last week's column. Identity theft is not a new crime, so some people have dismissed news coverage of recent cases such as Cummings-Teledata as sensationalism. We think this is a mistake. As that case clearly indicates, identity theft has entered a new phase. A black market now exists for PII plundered from computer records (which can fetch $60 per record on the street). The implications for those tasked with protecting information systems are clear: you face motivated enemies, and they could be on your payroll. The scale of these crimes, and their high cost to victims, in both monetary and non-monetary terms, is likely to fuel consumer demand for more convincing privacy promises, and even tougher penalties for those who break them.

©2003 Chey Cobb. All rights reserved.
chey@patriot.net