title: Can someone please sue one of them?
by: Scott Bradner
Sad to say, it was not a surprise. It did not surprise me when CNN announced yet another case of credit card and other customer information stolen from a hacked web site. The scale was a bit of a surprise, though: 40 US web sites, along with some yet unrevealed number of non-US sites, had been broken into and information on more than a million credit cards stolen. CNN pointed to an FBI advisory memo for the details. The FBI advisory memo (http://www.fbi.gov/pressrm/pressrel/pressrel01/nipc030801.htm) is a bit terse, but it reveals that the break-ins have been going on for a while, have all been on Windows NT servers, and that the perpetrators are not exploiting new security holes. They are using holes that Microsoft fixed as long ago as 1998!
It is bad enough that more and more web sites are using the same software (it's almost as if there is a concerted effort to ensure that the maximum number of sites will be vulnerable when a new security hole is found); it's even worse when the site operators cannot even keep the software up to date. In this case Microsoft even made the patches available for free. Here are sites with tens or hundreds of thousands of customer records on their servers, many doing millions of dollars a year in e-commerce transactions, and they cannot get around to applying free security fixes? (You can find out if your site is one of the tardy ones by getting a free scanning tool that will be put out in the near future by The Center for Internet Security: http://www.cisecurity.org/toolreq.html)
Where have the security people at these sites been? Where have their auditors been? I've watched the Harvard internal auditors in action reviewing web servers and one of the first things they do (after checking to be sure there are no accounts on the server which do not have passwords) is to verify that the software is fully up to date. It should not take someone with a lot of clues to figure out that this should be done. There seems to be empirical evidence that the number of clues in the world about any given topic is a constant and as the number of practitioners of that topic rises the average clue density goes down. And e-commerce is a rather big thing these days.
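The two audit checks described above (no accounts without passwords, and software fully up to date) are simple enough to automate. The following is an added example, not code from the column or from Harvard's auditors; it runs the checks against a constructed shadow-style account file and a hypothetical inventory of installed versus patched software versions, so the package names and version numbers are assumptions, not anything from the FBI advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an /etc/shadow-style account file. The second
# colon-separated field is the password hash. An empty field means the
# account has no password at all; "!" or "*" means the account is locked.
SAMPLE_SHADOW = """root:$6$examplehash:18000:0:99999:7:::
webadmin::18000:0:99999:7:::
svc_backup:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

# Constructed sample: software installed on the server (hypothetical names).
INSTALLED = {"webserver": "4.0.3", "ftpd": "2.1.0", "dbconnector": "1.5.2"}

# Constructed sample: minimum versions that include the vendor's security fixes.
REQUIRED = {"webserver": "4.0.5", "ftpd": "2.1.0", "dbconnector": "1.6.0"}


def accounts_without_passwords(shadow_text: str) -> List[str]:
    """Return the user names whose password field is empty.

    Locked accounts ("!" or "*") are deliberately not reported: they cannot
    be logged into, which is the opposite of the problem the auditor is after.
    """
    found = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; not an account record
        if fields[1] == "":
            found.append(fields[0])
    return found


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.5' into (4, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def out_of_date_packages(installed: Dict[str, str],
                         required: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Return {name: (installed_version, required_version)} for every package
    that is missing or older than the version carrying the security fix."""
    stale = {}
    for name, needed in required.items():
        have = installed.get(name)
        if have is None or parse_version(have) < parse_version(needed):
            stale[name] = (have, needed)
    return stale


def audit(shadow_text: str, installed: Dict[str, str],
          required: Dict[str, str]) -> Dict[str, object]:
    """Run both checks and return the findings; an empty list and dict mean a clean pass."""
    return {
        "passwordless": accounts_without_passwords(shadow_text),
        "stale": out_of_date_packages(installed, required),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_SHADOW, INSTALLED, REQUIRED)
    for user in findings["passwordless"]:
        print(f"FAIL: account '{user}' has no password")
    for name, (have, needed) in findings["stale"].items():
        print(f"FAIL: {name} is at {have}, security fix requires {needed}")
    if not findings["passwordless"] and not findings["stale"]:
        print("PASS: no passwordless accounts, all software at patched versions")
```

The version comparison is numeric on purpose: comparing "4.0.10" and "4.0.9" as strings would wrongly report the newer build as older, which is exactly the kind of false pass a tardy site would not want its auditor to rely on.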
If we cannot depend on the site operators having any idea how to run a web site securely, what chance do we have? The only one I can think of is a court finding that web site operators who commit these sorts of lapses, and the auditors who fail to find them, should be legally liable for the full cost of everyone recovering from their stupidity, along with substantial punitive damages.
disclaimer: Harvard, an arms merchant for lawyers, has not expressed an opinion on this situation.