Security Watch

Using the Law to Silence Whistleblowers

Disclosure of security vulnerabilities in software may now invite legal action.

• By Russ Cooper
• 04/25/2005

Governance
Will companies start using legal threats to silence vulnerability whistleblowers? That may be what happened to Next Generation Security Software (NGS Software) after it found numerous security holes in a Sybase database product in late 2004.

NGS recently sent an e-mail to NTBugtraq.com, my company's security e-mail list, stating that Sybase had threatened legal action if NGS published details of the holes in its Sybase Adaptive Server Enterprise (ASE) database.

NGS, a very responsible security company, informed Sybase of the vulnerabilities and stated they would publish details in three months. This is perfectly normal and acceptable practice in the security arena.

Sybase, however, took the extraordinary step of threatening NGS with legal action. Some compromise was reached shortly thereafter, and a joint NGS-Sybase press release stated their differences had been resolved. NGS then published the details they had previously promised to publish.

One has to wonder just what the point of all of this was. It may be that Sybase wanted additional time for their customers to deploy the patches, which it had informed its customers about in February. Regardless, the threat of legal action against vulnerability disclosers could have a chilling effect, as many potential whistleblowers lack the resources to be able to defend themselves.

Microsoft has filed civil lawsuits against 117 alleged phishers. The "John Doe" suits were filed in the U.S. District Court for the Western District of Washington in Seattle, and are targeted at phishing sites that pretend to be MSN and Hotmail sites.

By filing the suits as "John Doe," Microsoft will be able to obtain warrants and other orders to collect information that may assist in determining who is responsible for the phishing sites.

The Ninth Circuit of the U.S. Court of Appeals has bolstered the legal stance of protest Web sites. It ruled in favor of Michael Kremer, who runs Wal-MartCanadaSucks.com, stating that the site did not infringe on Wal-Mart's trademark because it isn't a commercial site.

Want More Security? This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

The concern here is about the definition of a "commercial" Web site. A phishing site may or may not be construed as commercial, depending on the court's intended definition. If it only means sites which offer goods for sale, then a phishing site may well not be commercial. If, on the other hand, commercial simply means monetary gain in any form, then a phishing site is commercial. Hopefully this ruling won't prevent litigation against phishing sites.

Topoff 3, a terrorism defense exercise, will cost $16 million, the same as Topoff 2, which took place in May 2003. In that scenario terrorists unleashed a large-scale cyberattack, set off a dirty bomb in Seattle and released a pneumonic plague in Chicago. The exercise included 8,500 participants from federal, state and local agencies and 21 from Canada.

Hacking
Cisco IOS contains vulnerabilities when configured as an Easy VPN Server that could allow a remote attacker to obtain unauthorized access to network resources. Updated software is available.

Denial of Service
Cisco IOS with SSH enabled contains vulnerabilities that could allow a remote attacker to create a denial of service condition on the affected device. Patches are available.

Malicious Code
New Symbian OS malware was launched in the last 24 hours which causes a cell phone to go into infinite reboot if a reboot attempt is made.

Once this loop has begun, it's impossible to get a disinfector on the phone. Symbian runs on Nokia phones, as well as phones manufactured by Nokia for other mobile phone vendors.

Physical
Police have alleged that Michael Kemly, a cable TV technician who formerly worked for Adelphia Communications, cut that company's cable to Martha's Vineyard in two places recently. As a result, the 4,000 subscribers on the island lost their TV and Internet services.