Security Incidents mailing list archives

RE: Who's liable?

From: "Kelley, John" <john.kelley () nmci-isf com>
Date: Sat, 13 Oct 2001 19:05:07 -0400

This is an interesting quandary...
1. Currently there are little to no statues that cover international
malicious actions.
        + Where is the point of origin for the attack?
        + If within the US, there is legal culpability on the owner of
the source IP.
2. What was the action taken by the alleged?
        + Some action may or may not be illegal
3. Get logging to CYA!
        + there are a ton of free loggers...
4. If someone is spoofing your IP address, yes you will have to prove
your case... Prima Facia rules.

Comments ?

-Grep

-----Original Message-----
From: Michael F. Bell [mailto:mike_b () rhinobyte com]
Sent: Saturday, October 13, 2001 6:12 PM
To: incidents () securityfocus org
Subject: Who's liable?


These are fictional scenarios that I am SURE that
other people would like to discuss.

Lets say you are a small realty agency, and you provide internet access
to your employees and one of your employees hacks into the Whitehouse
website from your internal network.  You do not have any logging going
on from your SOHO firewall and the FBI shows up at your door one day
with a warrant to search your computers for evidence of hacking into the
Whitehouse website.  The FBI searches all 10 computers in your network
and comes up without any hard evidence from these 10 machines linking
them to the the hack into the Whitehouse website.  Your company is not
doing  any firewall logging and you do not have any public servers that
could have been hacked so someone could have remotely launched the
attack?  All that the FBI has is your publicly NAT'ed firewall address.

Who is liable??  What can the FBI do at this point?

The above scenario is all fictional from my standpoint.  I could imagine
that this is someones reality though...

Lets change the victim from a Goverment agency to a private one.  Lets
say that EBAY got hacked and they launched the same sort of
investigation with the same findings..  What can be done from a legal
/financial standpoint if an attack is detected from your company network
and there is no proof on exactly who did it?  Can the victims take legal
action against you, or is there some sort of protocol from a legal
standpoint that hinders this?

Michael Bell
mike_b () rhinobyte com


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Who's liable?, (continued)
- Re: Who's liable? Frank (Oct 14)
- RE: Who's liable? Michael Conlen (Oct 14)
- RE: Who's liable? Rob Keown (Oct 13)
  - Re: Who's liable? Kelly Martin (Oct 13)
    - Re: Who's liable? Doug Foster (Oct 14)
    - Re: Who's liable? Kelly Martin (Oct 14)
    - RE: Who's liable? Shashi Dookhee (Oct 14)
    - Re: Who's liable? HarryM (Oct 14)
    - Re: Who's liable? macdaddy (Oct 14)
    - Message not available
    - Re: Who's liable? Jason Giglio (Oct 14)
- RE: Who's liable? Kelley, John (Oct 13)
- RE: Who's liable? Kelley, John (Oct 13)
- RE: Who's liable? Rob Keown (Oct 14)
- RE: Who's liable? Bullock, Steve (ISS Helsingborg) (Oct 14)