title: Can someone please sue one of them?
by: Scott Bradner
Sad to say, it was not a surprise. It did not surprise me when CNN announced yet another case of credit card and other customer information stolen from a hacked web site. The scale was a bit of a surprise though -- 40 US web sites, along with some yet unrevealed number of non-US sites, had been broken into and information on more than a million credit cards stolen. CNN pointed to an FBI advisory memo for the details. The FBI advisory memo (http://www.fbi.gov/pressrm/pressrel/pressrel01/nipc030801.htm) is a bit terse but reveals that the break-ins have been going on for a while, have all been on Windows NT servers, and that the perpetrators are not exploiting new security holes. They are using holes that Microsoft fixed as long ago as 1998!
It is bad enough that more and more web sites are using the same software -- it's almost as if there is a concerted effort to ensure that the maximum number of sites will be vulnerable when a new security hole is found -- but it's even worse when the site operators cannot even keep the software up to date. In this case Microsoft even made the patches available for free. Here are sites with tens or hundreds of thousands of customer records on their servers, many doing millions of dollars a year in e-commerce transactions, and they cannot get around to applying free security fixes? (You can find out if your site is one of the tardy ones by getting a free scanning tool that will be put out in the near future by The Center for Internet Security: http://www.cisecurity.org/toolreq.html)
Where have the security people at these sites been? Where have their auditors been? I've watched the Harvard internal auditors in action reviewing web servers, and one of the first things they do (after checking to be sure there are no accounts on the server which do not have passwords) is to verify that the software is fully up to date. It should not take someone with a lot of clues to figure out that this should be done. There seems to be empirical evidence that the number of clues in the world about any given topic is a constant, and as the number of practitioners of that topic rises the average clue density goes down. And e-commerce is a rather big thing these days.
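The two checks those auditors run, as an added example that is not code from the column or from Harvard's auditors: it flags accounts with an empty password field and reports software still behind the version carrying the vendor's fix, over a constructed host inventory whose component names, version numbers and account entries are made up for illustration.

```python
"""Minimal server-audit checks, modelled on the two the column describes:
flag accounts with no password and report software behind the fixed version.
Inventory data here is constructed for illustration, not from a real host."""
from typing import Dict, List, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.0.1' into (4, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def passwordless_accounts(accounts: Dict[str, str]) -> List[str]:
    """Return accounts whose stored password field is empty (the first auditor check)."""
    return sorted(name for name, secret in accounts.items() if not secret.strip())

def outdated_software(installed: Dict[str, str],
                      fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, required) for anything older than the version
    carrying the vendor's fix (the second auditor check). A required component that
    is absent from the inventory is reported as 'missing' rather than silently passed."""
    findings = []
    for component, required in fixed.items():
        current = installed.get(component)
        if current is None or parse_version(current) < parse_version(required):
            findings.append((component, current or "missing", required))
    return findings

def audit_host(host: dict, fixed: Dict[str, str]) -> Dict[str, list]:
    """Run both checks against one host inventory and return the findings."""
    return {
        "passwordless": passwordless_accounts(host["accounts"]),
        "outdated": outdated_software(host["software"], fixed),
    }

# Constructed sample data: a hypothetical web server inventory and the minimum
# versions assumed to carry the vendor's fixes. Not real product or patch numbers.
FIXED_VERSIONS = {"webserver": "4.0.3", "scripting": "2.1.0", "os-servicepack": "6.0"}
SAMPLE_HOST = {
    "name": "shop-web-01",
    "accounts": {"administrator": "x9f...", "backup": "", "guest": "   "},
    "software": {"webserver": "4.0.1", "scripting": "2.1.0"},
}

if __name__ == "__main__":
    for check, hits in audit_host(SAMPLE_HOST, FIXED_VERSIONS).items():
        print(check, hits)
```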
If we cannot depend on the site operators having any idea how to run a web site securely, what chance do we have? The only one I can think of is a court finding that web site operators who commit these sorts of lapses, and their auditors who do not find them, should be legally liable for the full cost of everyone recovering from their stupidity, along with substantial punitive damages.
disclaimer: Harvard, an arms merchant for lawyers, has not expressed an opinion on this situation.