Forwarded from: Jason Coombs PivX Solutions <jcoombs@private>
To: isn@private, isn@private
Cc: pattonme@private

> I'm all for balancing business needs against network security but
> does this strike anyone else as just a little bit unbalanced?

Not at all. E-mail is business communication that may result in legal liability, binding contracts, and other significant business and legal risks, while data and information assets stored on hard drives are only at risk of theft.

Remember that the U.S. "Millennium Digital Commerce Act" (ESIGN) does not define a digital signature in terms of cryptography or anything even close to proof that a digital signature is authentic, yet establishes full force and effect of any handwritten signature for things like a keypress on a phone, or an e-mail. See:

http://counsel.cua.edu/FEDLAW/ESIGN.htm

Compare this to the more technical cryptography-based Digital Signatures Act passed in Estonia:

http://www.legaltext.ee/text/en/X30081K3.htm

In the U.S. we tend to oppose all forms of key escrow, even for signature purposes where only a certificate would perhaps be escrowed, and we don't like the idea of creating a special legal status for a digital signature private key. Instead we create laws that encourage litigation. This may in fact be a superior system, from an infosec viewpoint, since it avoids the risks that would otherwise be present if control over private keys is lost. Once a private key is used on anything other than a specialized digital signature device (that does not yet exist), rather than being used on a vulnerable software-based programmable personal computer, exclusive control over that key becomes an unknown.

Losing control of data *may* create legal liability in the U.S., whereas signing a contract through an e-mail message *does* create liability.

Anyone can forge a CEO's digital signature to bind a company under contract, including the other party to the contract, and the only defense the company has in court is proof that there was no business communication or relationship between the parties to the contract. How do you show this to a judge unless you are logging everything and can show what it was that the CEO was actually doing when supposedly sending the forged e-mails? How do you prove that a mail server did *not* relay an e-mail as alleged by forged mail headers unless you have a forensic log with a tamper-proof audit record?

We must therefore monitor, log, and audit *everything* now that the protections we used to rely on (paper trail for important business documents, difficulty of intercepting a sample of the CEO's handwritten signature for forgeries, etc.) are irrelevant.

Sincerely,

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
http://www.PivX.com/forensics/

-----Original Message-----
From: InfoSec News <isn@private>
Date: Fri, 23 Jul 2004 09:34:55
To: isn@private
Subject: Re: [ISN] Big companies employing snoopers for staff email

Forwarded from: matthew patton <pattonme@private>

--- InfoSec News <isn@private> wrote:

> http://management.silicon.com/government/0,39024677,39122384,00.htm
>
> By Jo Best
> July 19 2004
>
> Large companies are now so concerned about the contents of the
> electronic communications leaving their offices that they're
> employing staff to read employees' outgoing emails.
>
> According to research from Forrester Consulting, 44 per cent of
> large corporations in the US now pay someone to monitor and snoop on
> what's in the company's outgoing mail, with 48 per cent actually
> regularly auditing email content.

Yet information can readily leak through floppies, CD-ROMs, ftp, https, or the 'simple' act of outsourcing laptop and desktop support.

If monitoring email were so critical to preventing information disclosure, where and how do we categorize tens-of-billion-dollar international companies in, say, financials or pharmaceuticals that don't protect against connection hopping, use telnet and X11 in the clear, build production and DMZ unix hosts with full development (compilers, you name it) distributions, send their laptops off to the likes of Dell with all corporate product, sales, and other proprietary data still on them and likewise grant these same 3rd parties significant network access to replicate message stores, add the laptop computer to the corporate Active Directory domain, load cryptographic identities and so forth?

I'm all for balancing business needs against network security but does this strike anyone else as just a little bit unbalanced?

_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html
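The "forensic log with a tamper-proof audit record" that Jason Coombs asks for above is, in practice, an append-only log in which each relay event commits to the one before it, so that a deleted, inserted or altered entry breaks the chain and an intact chain can answer whether a given Message-ID was ever relayed. The following is an added illustration of that idea, not code from either poster or from PivX; the record fields, the `sample_log()` events and the `LOG_KEY` value are constructed for the demonstration, and a real deployment would keep the key off the mail server (on a separate write-once log host or HSM).

```python
import hashlib
import hmac
import json

# Constructed demo key: an assumption for this example only. In production the
# key lives on a separate log host or HSM so a mail-server compromise cannot
# re-chain the log.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # digest the first record chains to


def _digest(prev: str, record: dict) -> str:
    """HMAC over the previous digest plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, prev.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, record: dict) -> str:
    """Append one relay event, chained to the last entry; return its digest."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"record": record, "digest": _digest(prev, record)}
    log.append(entry)
    return entry["digest"]


def verify(log: list) -> int:
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["digest"] != _digest(prev, entry["record"]):
            return i
        prev = entry["digest"]
    return -1


def relayed(log: list, message_id: str) -> bool:
    """Did this server relay a message with the given Message-ID, per an intact log?"""
    if verify(log) != -1:
        raise ValueError("audit log fails integrity check; cannot answer")
    return any(e["record"]["message_id"] == message_id for e in log)


def sample_log() -> list:
    """Constructed relay events (not real traffic) in the style of Received headers."""
    log = []
    append(log, {"ts": "2004-07-23T09:01:00Z", "message_id": "<a1@corp.example>",
                 "from": "ceo@corp.example", "to": "cfo@corp.example"})
    append(log, {"ts": "2004-07-23T09:02:00Z", "message_id": "<a2@corp.example>",
                 "from": "ceo@corp.example", "to": "legal@corp.example"})
    return log
```

A Message-ID that a forged header claims passed through this server but is absent from an intact chain is evidence of non-relay; a chain that fails `verify()` is itself a finding and should not be used to answer either way.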
This archive was generated by hypermail 2.1.3 : Mon Jul 26 2004 - 06:20:41 PDT