[SecurityRatty] tag: civil

Bill allows victims of identity theft to obtain restitution

Wed, 17 Sep 2008 19:28:07 +0000

Finally, criminals can be held responsible for the theft of our personal data.

Congress Approves Computer Fraud Bill

The bill amends the federal criminal code to expand
interstate and foreign jurisdiction for prosecution of computer fraud offenses
and imposes criminal and civil forfeitures of property used to commit computer
fraud offenses. In addition, the legislation makes it a felony to damage 10 or
more protected computers used by or for the federal government or a financial
institution.

The legislation also expands the federal definition of
cyber extortion to include a demand for money in relation to damage to a
protected computer, where such damage was caused to facilitate the extortion.
It also allows victims of identity theft to obtain restitution for time and
money spent to restore credit and imposes a fine and imprisonment for
installing spyware on a computer.

Whos got your Laptop?

Wed, 17 Sep 2008 12:05:17 +0000

I’d like a receipt for you taking my lappie please.
Sure.

clipped from arstechnica.com

New bill would tighten rules for DHS border laptop searches

Sanchez’s bill would bring more routine to the search process. The bill requires the government to draft additional rules regarding information security, the number of days a device can be retained, receipts that must be issued when devices are taken, ways to report abuses, and it requires the completion of both a privacy impact study and a civil liberties impact study. Travelers would also have the explicit right to watch as the search is conducted.

ITU plan to stop DoS attacks could end Net anonymity too

Thu, 11 Sep 2008 20:00:00 +0000

Finding ways to limit DoS attacks and SMS spam by making it harder to spoof the origin of electronic communications is on the agenda at a telecommunications standards meeting next week -- but civil rights advocates worry it could put an end to anonymity on the Internet.

Libertarian Barr, EPIC outline privacy agenda

Thu, 04 Sep 2008 20:00:00 +0000

The Democratic and Republican candidates for U.S. president aren't giving enough emphasis to privacy and civil rights issues, the Electronic Privacy Information Center (EPIC) and Bob Barr, the Libertarian candidate for president, said Friday.

Target Web Sites Sued for Being Inaccessible to Blind Students

Thu, 28 Aug 2008 09:33:49 +0000

I fully support people’s civil rights and freedoms, and regulations that help people with disabilities survive and succeed in society. Still, I sometimes wonder if certain things can go a bit too far. Recently, a blind student sued the retailer giant Target for having a web site that couldn’t be parsed by his special reader…and won, even though no regulations actually exist to control the accessibility of web site content…

Target has settled a class action lawsuit with the National Federation of the Blind over accessibility complaints with Target.com. Despite the law being unclear as to whether the Americans with Disabilities Act (ADA) applies to websites, the company will pay a substantial fee and update its web site to make it accessible to the blind.

In February 2006, Bruce Sexton Jr., a student at the University of California-Berkeley and president of the California Association of Blind Students, sued Target because its web site was inaccessible to the blind. Filed in conjunction with the National Federation of the Blind, the suit was used as to spotlight many corporate sites that don’t play well—if at all—with screen reading technology.

Read the full article here.

UK National Risk Register

Wed, 13 Aug 2008 07:05:09 +0000

The UK has made public its previously classified National Risk Register.

The National Risk Register is intended to capture the range of emergencies that might have a major impact on all, or significant parts of, the UK. It provides a national picture of the risks we face, and is designed to complement Community Risk Registers, already produced and published locally by emergency planners. The driver for this work is the Civil Contingencies Act 2004, which also defines what we mean by emergencies, and what responsibilities are placed on emergency responders in order to prepare for them. Further information about the Act can be found on the UK Resilience website.

Seems like the greatest threat to national security is a flu pandemic.

Apptis and USNS Mercy Monitoring on the High Seas

Thu, 07 Aug 2008 11:59:40 +0000

Meet Mike Lawson, Pre-Sales Engineer at Apptis, a leading system integrator and ScienceLogic partner that has deployed EM7 to meet the network, systems and application management needs of several customers. We thought Mike would have an interesting perspective to share on EM7, having recently come from the “customer side” and already with a few deployments under his belt.

ScienceLogic: Mike, what’s your background working with network and management system tools?

Mike Lawson: Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.

I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.

ScienceLogic: Coming from where you did, what’s your take on EM7?

Mike Lawson: Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?

That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too)

I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.

ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?

Mike Lawson: The USNS Mercy is a Military Sealift Command hospital ship. Some stats:

849 feet long (nearly the size of a football field)
12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff

The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.

For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.

Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.

ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?

Mike Lawson: First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.

Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.

And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.

Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in deliver the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.

As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use.

ShareThis

Nigerian IT group pushes forensic training

Wed, 06 Aug 2008 20:00:00 +0000

The Nigeria Computer Society (NCS) has called on the country's government to train civil servants in computer forensic technology as a way to fight e-commerce fraud in the country.

Think "liability" if you want to stay out of trouble.

Sun, 03 Aug 2008 21:12:00 +0000

I speak a lot about liability, but not everyone gets it.

I have seen medical doctors, dentists, business people of all walks of life and lawyers (it is surprising how many lawyers disregard liability)pay little attention to potential lawsuits. The latest category to leave themselves open, have been auctioneers.

The current foreclosure crisis has meant that many properties are being auctioned off. We have been providing security officers at some of the properties in order to make sure that people do not try to steal or commit vandalism when viewing the houses. There was an incident recently in which a bidder decided to withdraw his offer after his bid became the winning bid. He probaly got cold feet.

While he should not have reneged on his offer to buy the property, it was a civil matter best left to civil remedy. Unfortunately, the auctioneers involved decided to take the law into their own hands and would not let the man leave the property. The man became anxious and informed them that he was having difficulty breathing and needed to go to his car for his asthma medication.

Was this true? Maybe, maybe not - but would it be wise to gamble with a person's health when you already had their personal details and you could easily have obtained his vehicle registration if he decided to leave?
Thankfully, our security officer knew better that to get involved with blocking the man's way. The auctioneers stood in front of his vehicle and yelled at him. Eventually the man drove off.

If you represent a financial institution, a law firm or an auctioneering firm, you need to think twice before you act inappropriately. I have no doubt that had that man had a serious attack and if he died as a result, his next of kin would have sued for umpteen millions. When it comes to situations like this, you need to think rationally and realize what is involved. What was the worse thing that could have happened when the person decided to renege on his offer?

Apparently, he would have signed forms and the like and most probably he could be sued civilly for not fulfilling his obligations after delivering the winning bid. At the end of the day, the note holder would be in a strong position. Even if the person had given false information and could not be subsequently located, all they had to do was to put the property back on the market. What could that have cost, a couple of thousand in extra advertising and the like? That would have been much better than having to pay the next of kin many millions - not to mention the bad publicity.

We talk a lot about liability because it is a very real threat. Think "threat mitigation". Those who do not, may pay a very high price.

Do You Speak E-Discovery? You Should, Even in Europe

Thu, 24 Jul 2008 08:05:25 +0000

How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"

The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause for action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause for action is nowhere as comprehensive as the obligation attached to discovery in common law.

There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.

Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.

The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.

The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation with European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.

E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.