[ISN] Big companies employing snoopers for staff email

InfoSec News isn at c4i.org
Mon Jul 26 06:34:22 EDT 2004


Forwarded from: Jason Coombs PivX Solutions <jcoombs at PivX.com>
To: isn at c4i.org, isn at attrition.org
Cc: pattonme at yahoo.com

> I'm all for balancing business needs against network security but
> does this strike anyone else as just a little bit unbalanced?

Not at all. E-mail is business communication that may result in legal
liability, binding contracts, and other significant business and legal
risks - while data and information assets stored on hard drives are
only at risk of theft.

Remember that the U.S. “Millennium Digital Commerce Act” (ESIGN) does
not define a digital signature in terms of cryptography or anything
even close to proof that a digital signature is authentic, yet
establishes full force and effect of any handwritten signature for
things like a keypress on a phone - or an e-mail. See:

http://counsel.cua.edu/FEDLAW/ESIGN.htm

Compare this to the more technical cryptography-based Digital
Signatures Act passed in Estonia:
http://www.legaltext.ee/text/en/X30081K3.htm

In the U.S. we tend to oppose all forms of key escrow, even for
signature purposes where only a certificate would perhaps be escrowed,
and we don't like the idea of creating a special legal status for a
digital signature private key. Instead we create laws that encourage
litigation. This may in fact be a superior system, from an infosec
viewpoint, since it avoids the risks that would otherwise be present
if control over private keys is lost.

Once a private key is used on anything other than a specialized
digital signature device (that does not yet exist) rather than being
used on a vulnerable software-based programmable personal computer,
exclusive control over that key becomes an unknown.

Losing control of data *may* create legal liability in the U.S.,
whereas signing a contract through an e-mail message *does* create
liability.

Anyone can forge a CEO's digital signature to bind a company under
contract, including the other party to the contract, and the only
defense the company has in court is proof that there was no business
communication or relationship between the parties to the contract -
how do you show this to a judge unless you are logging everything and
can show what it was that the CEO was actually doing when supposedly
sending the forged e-mails? How do you prove that a mail server did
*not* relay an e-mail as alleged by forged mail headers unless you
have a forensic log with a tamper-proof audit record?

We must therefore monitor, log, and audit *everything* now that the
protections we used to rely on (paper trail for important business
documents, difficulty of intercepting a sample of the CEO's
handwritten signature for forgeries, etc.) are irrelevant.

Sincerely,

Jason Coombs
Director of Forensic Services
PivX Solutions, Inc.
http://www.PivX.com/forensics/
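The forensic log with a tamper-proof audit record that Jason calls for above can be approximated with a hash-chained relay log, shown here as an added example that is not from the original thread. The record fields, the sample relay events and the `.invalid` addresses are all constructed for the illustration.

```python
import hashlib
import json

# Each entry commits to the previous entry's hash, so editing or deleting any
# earlier relay record breaks every later link and is detected on verification.
GENESIS = "0" * 64

def _digest(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, record):
    """Append a relay event; its hash covers the previous hash plus the record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry["hash"]

def verify_chain(log):
    """Return (True, -1) when intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1

def relayed(log, message_id):
    """Answer 'did this server relay message_id?' only from a verified chain."""
    ok, _ = verify_chain(log)
    if not ok:
        raise ValueError("log chain broken; the answer would not be trustworthy")
    return any(e["record"]["message_id"] == message_id for e in log)

# Constructed sample relay events (not real traffic); field names are assumptions.
SAMPLE = [
    {"ts": "2004-07-23T09:34:55Z", "message_id": "<a1@example.invalid>",
     "from": "ceo@example.invalid", "to": "vendor@example.invalid"},
    {"ts": "2004-07-23T10:02:11Z", "message_id": "<a2@example.invalid>",
     "from": "ops@example.invalid", "to": "help@example.invalid"},
]

def build_sample_log():
    log = []
    for rec in SAMPLE:
        append_entry(log, rec)
    return log

def edited_sample_log():
    """Simulate an after-the-fact edit of the first record's recipient."""
    log = build_sample_log()
    log[0]["record"]["to"] = "someone-else@example.invalid"
    return log
```

A message-id absent from an intact chain is evidence the server never relayed it, which is the kind of negative proof the forged-header scenario above requires.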

-----Original Message-----
From: InfoSec News <isn at c4i.org>
Date: Fri, 23 Jul 2004 09:34:55
To: isn at attrition.org
Subject: Re: [ISN] Big companies employing snoopers for staff email

Forwarded from: matthew patton <pattonme at yahoo.com>

--- InfoSec News <isn at c4i.org> wrote:
> http://management.silicon.com/government/0,39024677,39122384,00.htm
> 
> By Jo Best
> July 19 2004
> 
> Large companies are now so concerned about the contents of the
> electronic communications leaving their offices that they're
> employing staff to read employees' outgoing emails.
> 
> According to research from Forrester Consulting, 44 per cent of
> large corporations in the US now pay someone to monitor and snoop on
> what's in the company's outgoing mail, with 48 per cent actually
> regularly auditing email content.

Yet information can readily leak through floppies, CD-ROMs, ftp,
https, or the 'simple' act of outsourcing laptop and desktop support.
If monitoring email were so critical to preventing information
disclosure, where and how do we categorize tens of billion dollar
international companies in say financials or pharmaceuticals that don't
protect against connection hopping, use telnet and X11 in the clear,
build production and DMZ unix hosts with full development (compilers,
you name it) distributions, send their laptops off to the likes of
Dell with all corporate product, sales, and other proprietary data
still on them and likewise grant these same 3rd parties significant
network access to replicate message stores, add the laptop computer to
the corporate Active Directory domain, load cryptographic identities
and so forth?

I'm all for balancing business needs against network security but does
this strike anyone else as just a little bit unbalanced?
