
[ISN] The coming Web security woes

Subject: [ISN] The coming Web security woes
Date: Tue, 5 Jul 2005 02:19:27 -0500 (CDT)
http://news.com.com/The+coming+Web+security+woes/2010-1071_3-5772012.html

By Declan McCullagh
July 4, 2005

Our esteemed leaders in the U.S. Congress are vowing to enact new laws
targeting data thieves, backup-tape burglars and other information-age
miscreants.

We should be worried.

Any reasonable person, of course, should agree that such thefts must
be punished and data warehouses should let us know if our information
falls into the hands of criminals.

But a bill announced last week by Sens. Arlen Specter, R-Penn., and
Patrick Leahy, D-Vt., goes far beyond reasonable data security
precautions. It amounts to a crackdown on individuals, bloggers and
legitimate e-mail list moderators.

Anyone who runs a Web site with registered users and receives income
from it (Blogads and Google Ads count) should be concerned. The
Specter-Leahy bill says that if that site's list of user IDs or e-mail
addresses is compromised, each registered user must be notified via
U.S. mail or telephone. Refusal to do so can be punished with
$55,000-a-day fines and prison time of up to five years.

That's remarkable but not as extreme as the second requirement: The
Web master or mailing list operator might have to "cover the cost" of
12 monthly credit reports for each person whose e-mail address was
lost or purloined.

For a popular site with 10,000 registered users, that would be a
princely sum. If monthly credit reports cost $15 a person, that's $1.8
million over a year.

Sure, it's annoying if your e-mail address ends up in the hands of a
spammer, but there's no connection to identity fraud. Independent Web
site owners should not be bankrupted by making them cough up that kind
of cash: The penalty is unrelated to any harm.
 
James Maule, who maintains the Maule family genealogy
site, worries he might be at risk of hefty fines. Maule, a law
professor at Villanova University, says he hasn't found an exception
in the bill to let his genealogy database off the hook: "I have more
than 10,000 names, of whom many are dead."

Other sections of the proposed law, called the Personal Data Privacy
and Security Act, are highly rigid.

For example, anyone running an ad-supported Web site or mailing list
with 10,000 or more registered users must "implement a comprehensive
personal data privacy and security program," create a "risk
assessment" to "identify reasonably foreseeable" vulnerabilities,
"assess the likelihood" of security breaches, "assess the sufficiency"
of policies to protect against them, publish the "terms of such
program," do "regular testing of key controls" to test security,
select only superior "service providers" after doing "due diligence,"
and regularly "monitor, evaluate and adjust" security policies.


Law of unintended consequences

Specter and Leahy probably intended to target large businesses that
employ teams of corporate lawyers and would view this as just more
government paperwork. Unfortunately, though, that's not what their
proposed law actually says.

Tracy Schmaler, a Leahy spokeswoman, said that the bill could be
changed before a final vote. "We don't want to place any undue
limitations on mailing lists, Web sites, and so on," Schmaler said.
"The intent of this is not to make listservs or bloggers pay for
credit reports."

Perhaps the problems with this bill can be fixed. But I'm starting to
think that any similar effort will suffer from similar problems--it'll
be overly regulatory and not aimed at actual wrongdoing. Many state
proposals fall into that trap.

Politicians don't like to admit this because it makes for fewer press
conferences, but sometimes new laws aren't the answer. Take Bank of
America's embarrassing loss of a backup tape--which happened even
though the company was subject to the detailed security regulations of
the Gramm-Leach-Bliley Act.

An alternative might be to rely on a general-purpose rule that
punishes negligence. Courts are already moving in that direction--at
least if appellate decisions in New Hampshire and Michigan are any
indications.

That approach would make for fewer Senate press conferences, true, but
the end result might make a lot more sense.

-=-
 
Declan McCullagh is CNET News.com's Washington, D.C., correspondent.
He chronicles the busy intersection between technology and politics.
Before that, he worked for several years as Washington bureau chief
for Wired News. He has also worked as a reporter for The Netly News,
Time magazine and HotWired.
