
Saturday, January 29, 2011

EM835 week VI Infosecurity Lawyers

     I have to begin with the fact that when first reading this chapter, I felt I was not going to like it. In fact, I expected to disdain it, the pages and even the ink on the pages. After all, in my former career, an attorney was involved in every transaction that we were involved with, and compliance was a department that was locked away in a secret place. I have heard every attorney joke that exists. Basically, attorneys were a necessary evil.


     Then I did a search on security breaches and found a website from a non-profit organization called Privacy Rights Clearinghouse listing every U.S. security breach brought to litigation from 2005 until its update date as of today's writing (January 29th, 2011). Up to this date, of all cases that were litigated, the total amount was 512,334,164. (Clearinghouse, 2011) It included items ranging from breaches of security by doctors signing off on patient files that they never saw, billing them and leaving their files unsecured, to a simple laptop stolen from a university that contained students' information, including addresses and social security numbers.

     My idea of security breaches was mostly that they would be in large corporations that were hacked and 40 million credit card numbers were stolen, or maybe a government server was attacked that contained vital U.S. security information. Ironically, from the local news, WikiLeaks is what immediately came to mind. It actually was in fact started as a wiki but no longer accepts edits to its sites. (Editorial, 2011) This site has been blacklisted by most web hosting companies and banks, and is viewed as a national threat by many countries. Those are the major items that I believe most people think of, on this type of grand scale. It is staggering to think about the amount of money that is lost, or should I say not realized as lost, due to security breaches.

     Chapter 12 of Beautiful Security lists a case that went before a judge in 1944 where an unmanned barge broke loose in NY Harbor and caused damage. The judge came up with a formula to determine what the liability in this case would be. The formula is B is less than P times L, where B is the burden, P is the probability and L is the injury. Therefore, taking on the burden (B) would be based on whether it is lower than P times L. The author translates this case to state that "the burden on an organization to prevent an information security breach or lapse is less than the probability of that breach multiplied by the damages that could result, that organization should seriously consider taking on that burden." (Oram & Viega, 2009) They then go on to say how to determine the return on security investment (ROSI). Do the organization's security dollars match their potential liability? Without going into detail of the ensuing formula, my initial thought was: how do you determine the ROSI in 2009 when a new security breach possibility arises in 2010, then re-determine the ROSI in 2010 only for a new breach to rear its ugly head in 2011, and so forth? I would expect that, based upon the solution cost or the cost of mitigation, the ROSI will have to be revisited on a regular basis.

     Does an organization take a pragmatic approach to their potential security breach exposure, or wait until there is an actual problem and attempt to mitigate the problem then? I believe that the latter was the norm in the early technology years and the former is now the driving force of both IT and compliance departments. An organization can follow all of the rules and guidelines so as to comply with their state and federal regulations and still be breached, just as a company that does not comply with the laws can remain unscathed. It is apparent to me that if an organization is going to flourish in today's changing world, IT and compliance have to be best friends, even if they are a necessary evil.

References

Clearinghouse, P. R. (2011). Chronology of Data Breaches: Security Breaches 2005-Present. Retrieved from Privacy Rights Clearinghouse: http://www.privacyrights.org/data-breach#CP

Editorial. (2011). Wikileaks. New York Daily News. Retrieved from http://www.nydailynews.com/topics/WikiLeaks.org

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security. O'Reilly Media, Inc.


EM835 week V

     In the chapter Beautiful Log Handling, the author states "Today's growing log standard efforts (such as MITRE's Common Event Expression or CEE) will lead first to the creation of log standards and ultimately to their adoption." (Oram & Viega, 2009) In fact, the MITRE Corporation, the author's example, already provides and partners in security efforts such as Malware (MAEC), Attack Patterns (CAPEC) and Vulnerabilities (CVE), among other standards that are partnered with and/or co-sponsored by agencies such as the National Cyber Security Division of the U.S. Department of Homeland Security. (Mitre, 2011) In fact, given the threat of malicious attacks on the part of other countries (in regard to the security of the U.S.), attacks on retail competitors (as an example) and the important data that is stored, how the logs are handled is critical. In fact, an example that the author uses is the need to abide by laws such as the Health Insurance Portability and Accountability Act. (HIPAA, 2011)


     It might seem obvious to have log standards that would account for any deviations among items such as an organization's public servers that are placed in a DMZ so as to separate their Internet presence from their LAN, thereby not compromising the integrity of data within the rest of the organization. Then I began to think about why, in today's technology world, large companies would have an issue with maintaining proper logs. Using a retail example as the author did in Beautiful Security, I thought of the merger in 2005 of Sears Roebuck and Kmart stores. Without having specific knowledge of their issues with combining the data into one source, I am sure that both of them operated on two very different legacy systems that had issues with converting the data, thereby making accurate logs virtually impossible.

     There is a very large healthcare facility in the town that I live in with over 100 doctors of various practices. This facility is owned and operated by a larger corporation, which owns other such facilities. They grew this large by acquisition of other practices and like facilities. There is no doubt that there had to be a major undertaking to have all of the data merged into one system so as to abide by the HIPAA law. I tried to find an example of a major intrusion of a corporation due to improper log information, but that data seemed to be too vague since I wasn't exactly sure what I was looking for. So, in the case of the local healthcare facility, I am sure that their IT staff is highly trained in the conversion of data and the challenges of keeping accurate logs.

     In any case, world governments and Fortune 100 companies realize the need to rid themselves of the legacy systems of their past and get the data onto one platform so that proper logging can take place, not only to prevent an invasion and abide by certain laws, but also to perform due diligence in identifying the culprit of an attack.

References

HIPAA. (2011). Health Information Privacy. Retrieved 2011 from http://www.hhs.gov/ocr/privacy/

Mitre. (2011). A Standardized Common Event Expression (CEE) for Event Interoperability. Retrieved 2011 from http://cee.mitre.org/

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security. O'Reilly Media, Inc.

Friday, January 28, 2011

Wireless Networking

I recently saw a movie where a safecracker worked for a company that, in fact, manufactured safes. Their reasoning was simple: if this safecracker could bypass the security of their safes, or any other safe for that matter, then that flaw must be remedied. In Beautiful Security, the author discusses how part of his job is to do just that, find flaws with wireless systems. (Oram & Viega, 2009) I had never thought of this as a solution to avoid hackers, but it makes a lot of sense to have someone who can find the flaws in wireless security systems.

After all, it is widely known what is at stake by having a wireless network attacked. Companies throughout the modern business era have sought out personal data so that they could more readily market to those individuals. What is at stake here is much greater, as the "pirate" is seeking the information for personal financial gain.

One major issue that needs to be addressed is the security issues that exist in Third World countries, where they do not have the technology or resources to crack down on this pirate access. It was estimated that in 2000, over $2 billion was lost due to pirated software. (Bhasin, 2002) Now that the tide is shifting to mostly Internet-downloaded software, the case for increased security and awareness is much greater. Bhasin talks about software; very few were concerned because, after all, did it matter to you or me if Microsoft, Oracle or Sun lost a few dollars? Now, with the advent of the new age of Internet users, people have become more familiar and comfortable with purchasing items online. This means placing orders with a credit card. Sure, any merchant that is worth anything will have the checkout cart secured and the data encrypted when sent, but what can be encrypted can be unencrypted.

I remember reading about how having open source software prevents a lot of software piracy; this may be true, however there are still dangers with this as well in regard to wireless connections. Android, which is owned by Google, is an operating system that is based largely on a Java platform. Java in itself is largely open source; therefore, does it mean that apps can be written and utilized to capture important data from smartphones? In addition, Google owns Android; does this mean that Google can capture the data transmitted on smartphones? Microsoft, after an unsuccessful bid to purchase Yahoo!, created a 10-year agreement to allow Microsoft to use its vast presence to advertise in exchange for 12% of the revenue associated with its advertising efforts. (Oreskovic, 2011) eBay owns PayPal; the list of the sharing of information among companies and their holdings is staggering.

Every time a hacker comes up with a new virus or worm, Norton, McAfee, et al. come up with a cure for it, only to turn around and find another malicious individual creating chaos. With the advent of smartphones and their extreme popularity among owners (many of whom are NOT tech savvy), how many cures are there going to be in the future for the prevention of hacking a wireless communication device?

The twists on the legal issues surrounding wireless and the Internet are mind boggling. When a user signs on to Facebook, they are doing so with their private logon and password. Recently, a Federal judge ruled it legal to subpoena Facebook, MySpace, Twitter and other social networks for information that may be relevant in a criminal proceeding. (Grow, 2011) Many cases have been won on this decision. How many people access their favorite social network site via their smartphone? Does that in fact now become part of the same legal decision? For years, cell phones, if believed to have been involved in a crime, have been admissible as evidence. What happens if a hacker accesses a person's status page and creates a situation whereby they could potentially incriminate innocent people?

Wireless networking is inevitable and is here to stay. As technology develops, it is obvious that any and all flaws must be identified during research and development and a fix created for them prior to release. Maybe it even makes sense for Google and PayPal and Microsoft to hire some of the convicted pirate criminals to find out if they can, in fact, hack their networks.

References
Bhasin, S. (2002). Software Piracy: A Challenge to E-world. SANS Institute InfoSec Reading Room.

Grow, B. (2011). In U.S. courts, Facebook posts become less private. Reuters.

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security. O'Reilly Media, Inc.

Oreskovic, A. (2011). Yahoo warns of weak Q1, more cost cuts planned. Reuters.

Wednesday, January 19, 2011

No books

Well, here I am, Wednesday morning and no books. Although the groups have changed, I still only have access to wiki/group A and not B, which I was re-assigned to. If I even knew what the topic was, I could write on it outside of the text, but the title does not disclose its contents. Hopefully, the FedEx dude or the UPS guy will be here today bearing presents with bindings of joy from the skytop of Colorado Springs.

Monday, January 10, 2011

Chapter 3 summary

There was some confusion as to whether I was in group A or B; therefore, I summarized chapter 3 in addition to my previous post:

Copyrights on the Internet and Software

Definitions

Digital Millennium Copyright Act (DMCA) – statute that protects the copyrights of electronic media

Section 512(c) – otherwise known as "notice-and-take-down." Section of the DMCA whereby, if an infringement is noticed by the copyright holder, the individual(s) infringing must remove the content from their website. Without going into great detail, the ultimate question for a website owner to use 512(c) as a defense against infringement lawsuits would be the proof "is there any financial gain by the website owner?"

EULA – end user license agreement – the user agrees to all terms and copyrights set by the manufacturer of the software

International Copyright treaties –

• Berne Convention

• World Intellectual Property Organization (WIPO)

Legality issues

Links – providing a link on one's webpage to another page – NOT illegal, as the link is just the address

Deep Linking – providing a link to another website's individual pages without showing who the destination content author is – LEGAL ONLY if it is clear who the owner of the target page(s) is.

Peer to peer – file sharing among users. Legality depends. A landmark example of this is the company Napster. Enabling peer-to-peer file sharing was considered by the U.S. Supreme Court to mean that the company's technology was intended for infringement of the music companies' copyright, and although Napster did not sell the music, inducing the copying is considered infringing. This case caused Napster to file for bankruptcy, and it ultimately sold its name to another company that now sells music per downloaded or viewed content. Two examples of companies utilizing 512(c) for peer-to-peer content are YouTube and MySpace. (Landy & Mastrobattista, 2008)

Other issues

Free Internet Radio has been an area with much litigation and discussion regarding its legality. The largest online radio company, Pandora ("Pandora Radio," 2011), sought the "safe harbor" section of the DMCA. Their position was that the website did not profit directly from a copyrighted work. Even though Pandora won their legal battle, they changed their format so that their radio "stations" are created by the user from a user-chosen genre. Pandora set it up so that the user does not get to choose individual songs. Furthermore, the user can skip songs, but they are limited in how many songs they can skip in an hour, thereby giving the user less choice. Pandora also made a concession to the record companies so as to abide by other countries' rules, and as of 2009, if a user listens to more than 40 hours of music in any given month, they have the option of paying .99 cents for the remainder of the month, or $36 annually for a premium service known as Pandora One. (Dantes, 2009)

Landy says that an unknown exists in how far the "safe harbor" rules of the DMCA will go. In the case of Viacom vs. YouTube (owned by Google), the parties were still battling in court at the time The IT/Digital Legal Companion went to print. (Landy & Mastrobattista, 2008) The case was, however, settled on June 23, 2010. The DMCA is explicit: it shall not be construed to condition "safe harbor" protection on "a service provider monitoring its service or affirmatively seeking facts indicating infringing activity . . . ." (Diaz, 2010) YouTube's defense was proving that, when Viacom notified YouTube of over 100,000 videos submitted by YouTube users and asked it to "take down" these videos, YouTube had them removed within one day, thereby complying with the "take down" rule.

Copyrights of Software and Computer Code

The major rule of copying software is as simple as it is obvious. No software can be copied without the manufacturer's consent, except for one copy made by the purchasing owner for archival purposes.

It is difficult, however, to find the copied software "pirates." This is especially true in third world and other countries that do not have the means to police these pirates. It is estimated that in the year 2000 alone, $12 billion was lost to illegally copied software. (Bhasin, 2002)

A major category of what is NOT considered an infringement is ideas and methods. Copying code is obviously a violation, but a software company that writes code for a program such as a spreadsheet is not in violation of copyright for the concept, as no one owns the rights to the idea of a spreadsheet.

Copyrighting technology has become a critically important monetary issue as well as a huge section of the law, both domestically and internationally.

References

Bhasin, S. (2002). Software Piracy: A Challenge to E-world. SANS Institute InfoSec Reading Room.

Dantes, D. (2009). Pandora charges listeners for internet radio. WalletPop.com. Retrieved from http://www.walletpop.com/2009/07/08/pandora-charges-listeners-for-internet-radio/

Diaz, S. (2010). Google prevails in Viacom-YouTube copyright lawsuits; appeals on deck. ZDnet.com, (Between the lines). Retrieved from http://www.zdnet.com/blog/btl/google-prevails-in-viacom-youtube-copyright-lawsuit-appeals-on-deck/36229

Landy, G. K., & Mastrobattista, A. J. (Eds.). (2008). The IT/Digital Legal Companion: A comprehensive business guide to software, internet, and IP law. Burlington: Syngress Publishing, Inc.

Pandora Radio. (2011). Retrieved from www.pandora.com

Friday, January 7, 2011

The first chapter in this blog is to discuss digital copyright basics. In opening, I will attempt to align this discussion with my research focus: the perception of online pedagogy by both educators and secondary-age students.

I first will define the exclusive rights under Copyright Law. According to Landy, exclusive rights include reproduction, or the right to make copies; distribution, or the right to sell or rent those same copies; public performance, which gives the copyright holder the right to display the copyrighted item in public; and derivatives, which is the basic right to create works based on a specific work. (Landy & Mastrobattista, 2008)

In virtual education, copyright laws would not apply to content, as no author of any curriculum owns the idea, concept or principle of either education or online education. If an individual were to create, for example, a method of delivery of the curriculum that is totally new to the industry, then this intellectual property would be protected under a patent. (Landy & Mastrobattista, 2008)

Several rules have been formed to protect digital works and their privacy; these exist not only in the U.S. but are recognized worldwide. This enactment is known as the Digital Millennium Copyright Act, or DMCA. ("The digital millennium copyright act of 1998," 1998) This legislation mandates that the members of this act will prevent the circumvention of technological measures used to defend those works that are protected under a copyright.

One obvious violation that I see right away for virtual education is the violation of copyright via creating a derivative work. Often in virtual education, curriculum designers will utilize games as a learning tool. If, for example, the designer were to create a counting game for first grade students using Disney characters without a license to do so, they would be in violation of Disney's copyright, as those characters, or any facsimile thereof, would be considered a derivative work. (Landy & Mastrobattista, 2008) Not only would the characters themselves be an infringement of the copyright, any reference to a book, a movie or another game would constitute copyright infringement.

An interesting part of copyright rules that would apply to, say, a book may or may not apply to software. An example that Landy uses is that if I were to purchase a copy of a book by Stephen King that is copyright protected, I can resell that same book to anyone, at any time that I would like. However, he goes on to state that this "first sale" principle may not apply to software, as it is often licensed. This means that this software cannot be transferred to another party without the permission of the licensor. (Landy & Mastrobattista, 2008)

A current issue with copyright infringement involves LimeWire.com and a $1 billion lawsuit by the recording industry. (Gardner, 2011) Currently, LimeWire is fighting for proof of revenues that have been lost by both the record companies and third-party companies such as Amazon.com and Apple. I visited the LimeWire website after reading this Reuters article and this splash page was found:

ATTENTION

“LimeWire is under a court order dated October 26, 2010 to stop distributing the LimeWire software. A copy of the injunction can be found here. LimeWire LLC, its directors and officers, are taking all steps to comply with the injunction. We have very recently become aware of unauthorized applications on the internet purporting to use the LimeWire name. We demand that all persons using the LimeWire software, name, or trademark in order to upload or download copyrighted works in any manner cease and desist from doing so. We further remind you that the unauthorized uploading and downloading of copyrighted works is illegal.” (homepage, 2011)

Although the music is not software, it is a digital download and is relevant to this topic. It is also obvious that LimeWire is destined to be in bankruptcy court very soon for violation of copyright regulations as well as infringement of intellectual property, among other regulations.

Finally, the purposes of the copyright laws are to protect the author and prevent unauthorized reproduction of all types of work.

References

The Digital Millennium Copyright Act of 1998, Pub. L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998).

Gardner, E. (2011). LimeWire fighting to bitter end. Reuters.

homepage, L. (2011). Retrieved from LimeWire.com

Landy, G. K., & Mastrobattista, A. J. (Eds.). (2008). The IT/Digital Legal Companion: A comprehensive business guide to software, internet, and IP law. Burlington: Syngress Publishing, Inc.