
Thread: Companies May Be Held Liable for Spreading Viruses

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002

    Companies May Be Held Liable for Spreading Viruses

    Unpatched Virus Spreaders Could Be Liable

    I can see this coming down the pipeline in the United States as well. The problem becomes how do you measure what "adequate" preventive measures are?

    If a patch like the one for MS03-026 becomes available one week and the worm comes out the next week (as it's expected to be), can you fault companies for not having patched yet? I mean, enterprise organizations need to test and allocate resources to roll out a patch to the whole infrastructure; 1 week is probably not enough time and I don't think you could hold them responsible.

    However, the patch for SQL Slammer had been out for more than 6 months before the worm and I think you can hold a company responsible for not having patched in that timeframe.

    Thoughts from the field??

  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    This has been a sticky subject for years. IMHO this is long overdue but it is going to be a nightmare to initiate.

    Several questions which need to be addressed BEFORE such legislation is written but will probably only come about during litigation which sets the foundation.

    • Would something like this apply to home users?

    • How liable would ISPs be held, as the exploits pass through their systems?

    • In the case of a corporation, who would the lawyers go after? The company, the CIO, the administrator, the tech, ... the vendor?

    • Could a company isolate themselves by contracting out the services and just pointing the finger in another direction?

    Most disturbing of all, from the article above, Unpatched virus spreaders could be liable:
    Some businesses who passed on the Slammer virus (exploiting a hole in Microsoft SQL Server patched six months before) were not even aware they had SQL Server on their systems, says Wigley. “It’s an undocumented feature of many applications”

    • Both for home users and corporations, in a case like that above, who is responsible? Would software companies now be held responsible for their failure to document the services used, or for releasing an insecure system or service by default, or should the administrator have known that the systems had to use SOME sort of SQL in order to function?

    • And again, as tonybradley pointed out, what is a reasonable time frame to patch? Does it depend on how many systems need patching (i.e. will an administrator with 2000 systems be held to the same time constraints as one with 20?) or on how long it takes to test a particular patch before putting it on a production machine?

    Most of these issues have been addressed in the past but I haven’t heard any clear answers as of yet. But if the industry in general took it more seriously AO would have a lot more members!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Whose fault is it to start with ?
    The Virus writer ? For exploiting a vulnerability
    The End User ? For not patching the vulnerability
    The OS writer ? For creating the vulnerability

  4. #4
    AO Part Timer
    Join Date
    Feb 2003
    Let me see.
    I personally believe that any good admin will want to lock down his boxes.
    I think this is a bad idea. What sense does it make to punish an Admin, and completely overstep the problem? What, are we just gonna give up on stopping the malicious coders? Give me a break. Then on top of that, who is to enforce it? The government? That'll be the day. Let's just give them more reasons to stick their noses where they don't belong. They do not own the internet. They also realize this. Why else have they made so many attempts in the past to spy on us in any manner possible? They will use this as yet another reason to rape, pillage, and plunder anything they deem noteworthy. Yet I'd be the criminal, for not patching my box.

    On a final note. NO, NO, NO.

    Allowing the government to monitor such a thing is insane. I personally wouldn't trust them with a toothpick and a plastic spoon.
    Your heart was talking, not your mind.
    -Tiger Shark

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Washington State
    Actually this is already happening. Verizon got nailed for not sufficiently maintaining their boxes when the SQL Slammer worm was taking out people's machines. Other companies have been held accountable as well when their machines were hacked and used for other nefarious purposes.

    Admins and companies are getting hit for not doing their due diligence in maintaining their boxes. When it comes to what is whose fault... that depends on who is involved in the case and what each side is trying to prove. While you can claim that you were innocent when it comes to doing the actual attack (did not actively and knowingly participate), you can still get nailed for not doing your job properly or not documenting it well enough to prove that you did all you could to prevent it from happening.

    The Verizon case happened because they were sued for not giving their customers the agreed upon quality of service while their networks were having issues relating to the SQL Slammer worm - http://www.state.ma.us/dte/telecom/0...izon033103.pdf
    I believe there were other cases as well...but I can't remember them off the top of my head. I'll post some more when my boss gives me back my book from the business law and comp security class I took.

    The easiest way to avoid liability in these matters is to simply keep an updated written process for maintaining the security of your system and follow that process consistently with written documentation to prove it.

    I think it's a good thing in the end that companies are being held accountable for their machines and [lack of] maintenance and procedures.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  6. #6
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    They do not own the internet.
    Who owns it? Who invented the internet??

    see snickers

    guess the donkey owns it

    ( This was an actual commercial that aired just before the Bush / Gore presidential election
    had to search for that one! )
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  7. #7
    Junior Member
    Join Date
    Jan 2003

    A Quick Daily Fix for Users

    One thing I have instituted is a quick reference on our intranet to doxdesk.com's parasite detector. This has been a wonderful way to keep bandwidth under control, as well as keeping the users aware that things they think are "cool" or "neat" have a dark underbelly. I know this isn't viral in nature, but I would assume this would be a nice addition to anyone's processes, with a minimum of work by the admins on the network. Check it out.

    Parasite Javascript detector

    For information about it

  8. #8
    Senior Member
    Join Date
    Mar 2003
    imagine this:

    a network admin goes on maternity leave to have her baby. a semi-intelligent power user is filling in to cover her butt for tape backups and virus updates, but does no system patches. She comes back 6 or 8 weeks later (however long her company's maternity leave plan is) and she gets fined for having unpatched servers....

    I'm starting to think that I'm bound to always be the first guy on the second page of the thread.

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003

    This argument has some valid points, as to what time frame patches should be applied in, etc. A Cisco vulnerability in WorldCom’s backbone could take weeks or months to patch because of the sheer number of routers. And also, to prove someone liable for something, you have to prove malicious intent or serious oversight...

    However, I think the entire argument is not logical. If Company A gets infected by Company B because Company B did not accurately patch their vulnerable system, is not Company A also guilty of not patching and taking reasonable steps to secure themselves? And if so, how can they hold another company liable when they too are not in compliance with the law?? That is an oversimplified example but a valid point of view.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    sickyourIT: your point could definitely be added to my list, as it was not all inclusive.

    RoadClosed: What if company A is effectively shut down because of a DoS coming over company B’s twin T-3 lines ??
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
