Was Julie Amero wrongly convicted?


The Power of One Brief: Top reasons to choose HP BladeSystem

Institutional liability

This case is an object lesson not only to users, but to their employers as well. First of all, I want to point out that companies have a fiduciary obligation to their employees to take efforts necessary to prevent them from being unfairly and unjustly implicated in criminal activity – to have strong authentication systems, and decent policies and practices.

Now I am generally sympathetic to public schools, which depend on taxpayers to pony up funds for everything from books, pens, pencils, and computers to teacher salaries, physical plant, and softballs. They have tight budgets, high expectations, and usually very little support. So its not unusual that they might have outdated equipment, unpatched systems, untrained users (particularly substitute teachers), outmoded or non-existent firewalls, no anti viral or anti spyware systems, and little access control. While this neighborhood in Connecticut is by no means low income, I am sure that budgets are tight there, like everywhere else. Computer security just isn't a high priority, especially when they are seeking $40m to renovate the school itself.

To help schools acquire new computer hardware and wire or rewire their schools, Congress in 2000 passed the Children's Internet Protection Act (CIPA). CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the "E-rate" program - a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA. It requires schools that participate in the E-rate program to certify that they have an Internet safety policy and technology protection measures in place. This policy must include technology protection measures to block or filter Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, for computers that are accessed by minors. They also must adopt and enforce a policy to monitor online activities of minors including (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors access to materials harmful to them.

It is not clear whether the Norwich, Connecticut school district received e-Rate funds, although many other Connecticut schools did, and a 2005 report by the Connecticut Department of Information Technolgy suggests that Norwich received e-Rate funds and that they had "upgraded" their internet filtering in 2004 to the N2H2 Sentient filtering system. A report issued the day after the conviction by the Connecticut Education Network (CEN) confirms this.

Thus, Norwich was mandated to have measures in place to block access to pornographic sites. Would the failure to update blocking software take the school district out of compliance? It certainly would implicate the annual certification that they had blocking protection in place – or at least that they had effective blocking in place.

This points out that there are a host of laws and regulations that mandate levels of protection and security. These may include legal requirements to keep spyware, malware and anti-virus protections active and updated, to use appropriate filtering software, to monitor activities, and take appropriate remedial efforts. Oh yeah, and to have an effective incident response program that includes computer forensics that will actually tell when and how someone may have violated these rules. Or when they simply appear to have violated the rules.

Indeed, several years ago I was involved in an incident where an employee was almost terminated for attempting to repeatedly hack into a series of computers located in Eastern Europe – pinging one IP address after another sequentially and repeatedly. Looked like a hack. A forensic examination of his computer indicated that he had inadvertently downloaded malware, which was unsuccessfully attempting to register itself at its home base.

Similarly, the February 2000 Distributed Denial of Service Attack launched by the infamous mafiaboy involved bots that infected thousands of computers located mainly in academic environments. While these unpatched systems became the vehicles for attacks on others, a cursory forensic exam would have indicated that the colleges and universities were the source of, rather than the victims of these attacks. The same thing is obviously true for spam bots, file parking, and other methods used by hackers to divert attention from themselves and on to other innocent people or systems.

An incomplete forensic examination can lead to the creation of an "airtight" criminal case against the wrong person. Next time it could be a senior corporate executive who could face some jail time. Maybe then we will do something about it.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Designing a Defense for Mobile Applications

More from The Register

next story
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.