Companies May Be Held Liable for Spreading Viruses

Unpatched Virus Spreaders Could Be Liable

I can see this coming down the pipeline in the United States as well. The problem becomes how do you measure what "adequate" preventive measures are?

If a patch like the one for MS03-026 becomes available one week and the worm comes out the next week (as its expected to be)- can you fault companies for not having patched yet? I mean enterprise organizations need to testing and allocate resources to roll out a patch to the whole infrastructure- 1 week is probably not enough time and I don't think you could hold them responsible.

However, the patch for SQL Slammer had been out for more than 6 months before the worm and I think you can hold a company responsible for not having patched in that timeframe.

Thoughts from the field??

This has been a sticky subject for years. IMHO this is long overdue but it is going to be a nightmare to initiate.

Several questions which need to be addressed BEFORE such legislation is written but will probably only come about during litigation which sets the foundation.

. Would something like this apply to home users

. How liable would ISPs be held, as the exploits pass through their systems

. In the case of a corporation, who would the lawyers go after? the company, the CIO, the administrator, the tech, ... the vendor?

. Could a company isolate themselves by contracting out the services and just pointing the finger in another direction.

Most disturbing of all, from the article above Unpatched virus spreaders could be liable

Quote:

---

Some businesses who passed on the Slammer virus (exploiting a hole in Microsoft SQL Server patched six months before) were not even aware they had SQL Server on their systems, says Wigley. “It’s an undocumented feature of many applications”

---

. Both for home users and corporations, in a case like that above who is responsible? Would software companies now be held for their failure to document the services used, or by releasing an insecure system or service by default, or should the administrator have known that the systems had to use SOME sort of SQL in order to function?

. And again as tonybradley pointed out, what is a reasonable time frame to patch? Does it depend on how many systems need patching ( i.e. will an administrator with 2000 systems be held to the same time constraints as one with 20 ? ) or on how long it takes to test a particular patch before putting it on a production machine?

Most of these issues have been addressed in the past but I haven’t heard any clear answers as of yet. But if the industry in general took it more seriously AO would have a lot more members!

Whose fault is it to start with ?
The Virus writer ? For exploiting a vulnerability
The End User ? For not patching the vulnerability
The OS writer ? For creating the vulnerability

Let me see.
I personally believe that any good admin will want to lock down his boxes.
I think this is a bad idea. What sense does it make to punish an Admin, and completly overstep the problem? What are we just gonna give up on stopping the malicious coders? Give me a break. Then on top of that, who is to enforce it? The government? That'll be the day. Let's just give them more reasons to stick their noses where they don't belong. They do not own the internet. They also realize this. Why else have they made so many attempts in the past to spy on us in any manner possible. They will use this as yet another reason to rape, pillage, and plunder anything they note worthy. Yet I'd be the criminal, for not patching my box.


On a final note. NO, NO, NO.

Allowing the government to monitor such a thing is insane. I personally wouldn't trust them with a toothpick and a plastic spoon.

Actually this is already happening. Verizon got nailed for not sufficiently maintaining their boxes when the sql slammer worm was taking out peoples machines. Other companies have been held accountable as well when their machines were hacked and used for other nefarious purposes.

Admins and companies are getting hit for not doing their due dilligence in maintaining their boxes. When it comes to what is who's fault....that depends on who is involved in the case and what each side is trying to prove. While you can claim that you were innocent when it comes to doing the actual attack (did not actively and knowingly participate) you can still get nailed for not doing your job properly or not documenting it well enough to prove that you did all you could to prevent it from happening.

The verizon case happened because they were sued for not giving their customers the agreed upon quality of service while their networks were having issues relating to the sql slammer worm - http://www.state.ma.us/dte/telecom/0...izon033103.pdf
.
I believe there were other cases as well...but I can't remember them off the top of my head. I'll post some more when my boss gives me back my book from the business law and comp security class I took.

The easiest way to avoid liability in these matters is to simply keep an updated written process for maintaining the security of your system and follow that process consistently with written documentation to prove it.

I think it's a good thing in the end that companies are being held accountable for their machines and [lack of] maintenance and procedures.

Quote:

---

They do not own the internet.

---

Who owns it? Who invented the internet??

see snickers

guess the donkey owns it :D

( This was an actual commercial that aired just before the Bush / Gore presidential election
had to search for that one! )

One thing I have instituted is a quick reference to our intranet using doxdesk.com's parasite detector. This has been a wonderful way to keep bandwidth under control, as well as keeping the users aware that things they think are "cool" or "neat" have a dark underbelly. I know this isn't viral in narure, but I would assume this would be a nice addition to anyone's processes, with a minimum of work by the admins on the network. Check it out.

Parasite Javascript detector

For information about it

imagine this:

a network admin goes on maternity leave to have her baby. a semi-intelligent power user is filling in to cover her butt for tape backups and virus updates, but does no system patches. She comes back 6 or 8 weeks later (however long her company's maternity leave plan is) and she gets fined for having unpatched servers....

booo.

This argument has some valid points, as to what time frame that patches should be applied. Etc. A Cisco vulnerability in WorldCom’s backbone could take weeks or months to apply because of the sheer number of routers. And also to prove someone liable of something, you have to prove malicious intent or serious oversight...

However, I think the entire argument is not logical. If Company A gets infected by company B, because company B did not accurately patch their vulnerable system. Is not Company A guilty also of not patching and taking reasonable steps to secure themselves, and if so - how can they hold another company liable when they too are not in compliance with law?? That is an oversimplified example but a valid point of view.

sickyourIT: your point could definatly be added to my list as it was not all inclusive.

RoadClosed: What if company A is effectively shut down because of a DoS coming over company B’s twin T-3 lines ??

Actually your point is not really valid. The company itself is most likely the one that any litigation would be against, not the admin. If the admin has done her job and properly documented it before going on maternity leave, then she can easily prove that it is not her fault to both the legal authorities and her superiors. It would however be up to the company to prove that the 'power user' was adequately trained, followed the processes laid down consistently, documented their activities, etc. in order to avoid any liability in the incident.

It's not a set of 'you didn't do this so you get a fine' type of ideals....modern litigation relating to this is trying to prove that the company did not follow through and do the server maintenance that they should have. The company simply has to prove that it did everything it could to keep it's systems safe (which it should be doing and documenting for liability reasons anyways).

It isn't incredibly difficult to keep logs of maintenance activities, audits, etc.

I think in the case of a something spreading from company A to company B. U cant hold company A liable bcos if company B had patched their system then they wouldnt have been infected. And then company A would have got it from somewhere else anyway and this would diasy chain the whole thing. It wouldnt be posssible or logical.

For the case of a DOS it would seem more likely to be able to sue company A. But isnt it the same as a bank robber using a stolen car to commit his crime. How can the bank sue the owner of the car whose car got stolen. Its the seems the same thing to me.

But then if you think about it and are considering this, then wouldnt it be the liability of the company that produces the OS to not have these loopholes when the OS is released. U might say that the patch is available for months. But then the OS company should be the one to inform you about it. Not thru the website but by coming down to your office and fixing the problem. Take a home security system that you purchase eg home alarm, if a bug is discovered in the system, the security company will normally come down and fix the bug. I know this is a little simplistic explanation but it highlights the problem where its very hard to place blame on these kinds of things when it happens.

There's too many things to cover with this kind of legislation that its better to let the market forces decide things. Maybe the govt could help bty offering tax incentives to companies that conduct external security audit checks regulary.