Was Julie Amero wrongly convicted?


High performance access to file storage

Institutional liability

This case is an object lesson not only to users, but to their employers as well. First of all, I want to point out that companies have a fiduciary obligation to their employees to take efforts necessary to prevent them from being unfairly and unjustly implicated in criminal activity – to have strong authentication systems, and decent policies and practices.

Now I am generally sympathetic to public schools, which depend on taxpayers to pony up funds for everything from books, pens, pencils, and computers to teacher salaries, physical plant, and softballs. They have tight budgets, high expectations, and usually very little support. So its not unusual that they might have outdated equipment, unpatched systems, untrained users (particularly substitute teachers), outmoded or non-existent firewalls, no anti viral or anti spyware systems, and little access control. While this neighborhood in Connecticut is by no means low income, I am sure that budgets are tight there, like everywhere else. Computer security just isn't a high priority, especially when they are seeking $40m to renovate the school itself.

To help schools acquire new computer hardware and wire or rewire their schools, Congress in 2000 passed the Children's Internet Protection Act (CIPA). CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the "E-rate" program - a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA. It requires schools that participate in the E-rate program to certify that they have an Internet safety policy and technology protection measures in place. This policy must include technology protection measures to block or filter Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, for computers that are accessed by minors. They also must adopt and enforce a policy to monitor online activities of minors including (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors access to materials harmful to them.

It is not clear whether the Norwich, Connecticut school district received e-Rate funds, although many other Connecticut schools did, and a 2005 report by the Connecticut Department of Information Technolgy suggests that Norwich received e-Rate funds and that they had "upgraded" their internet filtering in 2004 to the N2H2 Sentient filtering system. A report issued the day after the conviction by the Connecticut Education Network (CEN) confirms this.

Thus, Norwich was mandated to have measures in place to block access to pornographic sites. Would the failure to update blocking software take the school district out of compliance? It certainly would implicate the annual certification that they had blocking protection in place – or at least that they had effective blocking in place.

This points out that there are a host of laws and regulations that mandate levels of protection and security. These may include legal requirements to keep spyware, malware and anti-virus protections active and updated, to use appropriate filtering software, to monitor activities, and take appropriate remedial efforts. Oh yeah, and to have an effective incident response program that includes computer forensics that will actually tell when and how someone may have violated these rules. Or when they simply appear to have violated the rules.

Indeed, several years ago I was involved in an incident where an employee was almost terminated for attempting to repeatedly hack into a series of computers located in Eastern Europe – pinging one IP address after another sequentially and repeatedly. Looked like a hack. A forensic examination of his computer indicated that he had inadvertently downloaded malware, which was unsuccessfully attempting to register itself at its home base.

Similarly, the February 2000 Distributed Denial of Service Attack launched by the infamous mafiaboy involved bots that infected thousands of computers located mainly in academic environments. While these unpatched systems became the vehicles for attacks on others, a cursory forensic exam would have indicated that the colleges and universities were the source of, rather than the victims of these attacks. The same thing is obviously true for spam bots, file parking, and other methods used by hackers to divert attention from themselves and on to other innocent people or systems.

An incomplete forensic examination can lead to the creation of an "airtight" criminal case against the wrong person. Next time it could be a senior corporate executive who could face some jail time. Maybe then we will do something about it.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.