Police Blotter: Ex-Employee Sued for Deleting Files
Plus: DOE data on the run; can a developer spec make for more secure applications?
In the second instance of its kind, a judge has ruled that an employee who permanently deletes files from a corporate computer has violated the Computer Fraud and Abuse Act (CFAA.)
An employee at PharMerica has been sued over allegations that he permanently deleted 475 files from his corporate laptop prior to resigning, causing PharMerica to lose access to its information and suffer expenses to attempt to recover those files.
What isn’t clear at all is just what it was in those files. There seems to be some speculation that the deleted files contain information PharMerica could use to sue the employee for theft of intellectual property, but this hasn’t been asserted by the plaintiffs (in the available information). Clearly, if they have some evidence that this was the case, it would make the reason for the suit more obvious. At this point, however, it looks more like a fishing expedition by the plaintiffs.
While the CFAA isn’t explicit, it would seem reasonable that the deleted files contain information that is actually of value to the plaintiff for the act of deleting them to be illegal. However, it may well be that there is no such requirement, meaning that any files deleted, for any reason, can invoke the Act.
The bottom line is that if you are planning on permanently erasing personal files, you should probably seek permission to do so from someone else in the company. Alternatively, ensure that no personal files are stored on the corporate system in the first place.
Department of Energy Loses 20 Classified PCs
If you want to read a story that will build your confidence in the government’s relatively new emphasis on computer security, here it is. An office in charge of counterintelligence regarding nuclear secrets can’t account for 20 desktop computers that are identified as being under its control. Worse, 14 of those were definitely storing classified information (the other six may have been).
A story to warm the cockles of your heart. Sure is nice to know that classified secrets are being handled this way. According to the report, not only is this an example of a long-standing problem with the office (not being able to account for equipment it had under its control) but there were some additional 125 computers that it had to go to “extraordinary lengths” to determine the location of. Poor inventory records are cited and are a large part of the problem, but a better understanding and appreciation of their mandate would be more effective.
column was originally published in our weekly Security
Watch newsletter. To subscribe, click here.
WS-I Publishes Basic Security Profile 1.0
The Web Services Interoperability Organization has published the WS-I Basic Security Profile (BSP) 1.0, an adjunct to its Basic Profile 1.1. The organization attempts to standardize specifications that allow for broad interpretation into a model that will offer the greatest interoperability. Among its members are IBM, Microsoft, Novell and others. The WS-I BSP 1.0 covers HTTP over TLS and SOAP Message Security.
The spec is certainly a laudable effort, if implemented by developers. Unfortunately at this point, that fact is yet to be realized as so many developers are forging ahead on their own paths. WS-I could help to resolve many of our concerns over Web 2.0, but only if developers are someone forced -- or at the very least constrained -- to follow their guidelines.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.