Was Julie Amero wrongly convicted?
This case is an object lesson not only to users, but to their employers as well. First of all, I want to point out that companies have a fiduciary obligation to their employees to take efforts necessary to prevent them from being unfairly and unjustly implicated in criminal activity – to have strong authentication systems, and decent policies and practices.
Now I am generally sympathetic to public schools, which depend on taxpayers to pony up funds for everything from books, pens, pencils, and computers to teacher salaries, physical plant, and softballs. They have tight budgets, high expectations, and usually very little support. So it's not unusual that they might have outdated equipment, unpatched systems, untrained users (particularly substitute teachers), outmoded or non-existent firewalls, no anti-virus or anti-spyware systems, and little access control. While this neighborhood in Connecticut is by no means low income, I am sure that budgets are tight there, like everywhere else. Computer security just isn't a high priority, especially when they are seeking $40m to renovate the school itself.
To help schools acquire new computer hardware and wire or rewire their schools, Congress in 2000 passed the Children's Internet Protection Act (CIPA). CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the "E-rate" program - a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA. It requires schools that participate in the E-rate program to certify that they have an Internet safety policy and technology protection measures in place. This policy must include technology protection measures to block or filter Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, for computers that are accessed by minors. They also must adopt and enforce a policy to monitor online activities of minors including (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors' access to materials harmful to them.
It is not clear whether the Norwich, Connecticut school district received E-rate funds, although many other Connecticut schools did, and a 2005 report by the Connecticut Department of Information Technology suggests that Norwich received E-rate funds and that it had "upgraded" its Internet filtering in 2004 to the N2H2 Sentient filtering system. A report issued the day after the conviction by the Connecticut Education Network (CEN) confirms this.
Thus, Norwich was mandated to have measures in place to block access to pornographic sites. Would the failure to update blocking software take the school district out of compliance? It certainly would implicate the annual certification that they had blocking protection in place – or at least that they had effective blocking in place.
This points out that there are a host of laws and regulations that mandate levels of protection and security. These may include legal requirements to keep spyware, malware and anti-virus protections active and updated, to use appropriate filtering software, to monitor activities, and take appropriate remedial efforts. Oh yeah, and to have an effective incident response program that includes computer forensics that will actually tell when and how someone may have violated these rules. Or when they simply appear to have violated the rules.
Indeed, several years ago I was involved in an incident where an employee was almost terminated for attempting to repeatedly hack into a series of computers located in Eastern Europe – pinging one IP address after another sequentially and repeatedly. Looked like a hack. A forensic examination of his computer indicated that he had inadvertently downloaded malware, which was unsuccessfully attempting to register itself at its home base.
Similarly, the February 2000 Distributed Denial of Service attack launched by the infamous mafiaboy involved bots that infected thousands of computers located mainly in academic environments. While these unpatched systems became the vehicles for attacks on others, a cursory forensic exam would have indicated that the colleges and universities were the source of, rather than the victims of, these attacks. The same thing is obviously true for spam bots, file parking, and other methods used by hackers to divert attention from themselves and on to other innocent people or systems.
An incomplete forensic examination can lead to the creation of an "airtight" criminal case against the wrong person. Next time it could be a senior corporate executive who could face some jail time. Maybe then we will do something about it.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus