Identity Management & The Law

According to an article posted on DigitalIDNews, there has been significant work on the technical exchange of identity information and on the authentication processes themselves.  There has not been a focused look at the legal issues, implications, and liabilities of the parties responsible for properly identifying and authenticating users or customers.

The American Bar Association’s (ABA) Federated Identity Management Legal Task Force was set up over a year ago to analyze and address the legal, privacy and liability issues that arise as Federated ID Management Systems are adopted and deployed.  In identity theft situations, case law is beginning to emerge.  Courts are starting to point the finger at businesses that did not do enough to protect personal information.  Businesses need to meet their obligations, properly identify and authenticate individuals, and make sure not to release personal or confidential information.  The Federal Trade Commission has even instituted enforcement actions where businesses did not authenticate customers properly.


Struggling With Identity Theft

John Webb found out his identity had been stolen 20 years ago.  It was a revelation that led to hours on the phone with credit card companies, banks and government agencies.  Today, Webb helps prosecute identity thieves, who are growing in number and advancing technologically, targeting everyone from senior citizens to large law firms.  He wouldn’t wish the effects of ID theft on his worst enemy.

Identity theft is difficult to prosecute because it often goes undetected for months or years, and culprits are hard to track down.  Part of the problem is that it is difficult for victims to go after the hackers’ money in civil court because outdated case law and statutes don’t address modern technology.  The monetary loss is the least of the victim’s problems; the difficult part is that, most of the time, you don’t know where the breach occurred.  The victimization keeps on going.  Every time you get a call from a collection agency, you have to write a letter to a credit agency saying, “That’s not me.”

Sgt. David Howard with the Metro Police Department’s fraud division said cleaning up identity theft can take a victim up to 700 hours of phone calls, affidavits and paperwork.  If money has been taken, there’s usually no way to get it back.

The Tennessean

Law Firms Remain Juicy Targets

Okay, forgo the lawyer jokes for a second, and read.  Last spring, a Long Beach law firm received an e-mail from a Hong Kong businessman seeking help collecting debts from American customers.  An attorney with the firm saw a great opportunity to reel in more business during the economic downturn and agreed to help.  After a month of signing paperwork and exchanging telephone calls with his client, the attorney received word from one debtor who sent a $200,000 cashier’s check to pay off his outstanding balance.  The attorney deposited it in his firm’s account, subtracted his $10,000 fee and wired the remaining amount to his Hong Kong client.

Microsoft Wielding New Botnet Legal Weapon

Last Wednesday, Microsoft announced that it had been granted a court order that yanked nearly 300 sites from the Internet. Microsoft said those sites were a key link between hackers and the PCs that make up the Waledac botnet. The legal tactic garnered accolades from many security professionals as a precedent-setting move and resulted in what Microsoft called “a major botnet takedown”, a fact that some researchers dispute.

Microsoft has several other botnets in its sights, and believes it can use the same legal tactics against their command-and-control centers. “This shows it can be done,” said Richard Boscovich, senior attorney with Microsoft’s Digital Crimes Unit. “Each botnet is different, of course, but this is another arrow in the quiver. This is not the last effort. We have other operations on the drawing board.” But the company also admitted that it had not yet severed all communications between the controllers of Waledac and the thousands of compromised Windows computers used by hackers to pitch bogus security software and send a small amount of spam.


Hackers Still Targeting Law & PR Firms

Hackers are continuing to target law and public relations firms with a sophisticated e-mail spear-phishing scheme that allows them to break into computer networks and steal sensitive data, often linked to large corporate clients doing business overseas.

The FBI issued an advisory in November that warns companies of “noticeable increases” in efforts to hack into law firm computer systems.  This trend began as far back as two years ago, but has recently spiked dramatically.  Spear phishing attacks manifest themselves as highly personalized e-mails that often slip through defenses and appear harmless because they have subject lines appropriate to a person’s business and appear to come from a trusted source.  The attackers appear to be doing a fair amount of homework researching their intended targets and their working relationships.

Law firms tend to store a tremendous concentration of critical, private information.  Infiltrating those computer networks is an optimal way to obtain economic, personal and personal-security-related information.  The hackers often target companies that are negotiating a major international deal — anything from seeking a patent on a sensitive new technology to opening a plant in another country.

Alan Paller, director of research at the computer-security organization SANS Institute, says that a major law firm in New York was hacked into in early 2008 during an attack that originated in China.  As is often the case with online crime, it is difficult to tell whether the hackers were working on behalf of that country’s government, were merely located within that country, or were simply routing computer traffic through that country as a diversionary and covering tactic.

While opening a “spear phishing” e-mail itself does not usually pose a danger, such messages often contain links to websites or attachments that, when opened, will install malicious programs.  Once the hacker has established a foothold on the network, they often launch a program that searches for, gathers, copies, and sends files to a computer server, usually in another country, to complicate jurisdictional determinations and tracking efforts.  This program may also create a back door that will allow the hackers to get back in.  The attachments used can appear to be anything from a photo to an executable program, and the links can be anything at all, from an apparent joke site or must-see pictures to a current news item.
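As an added defensive example (not code from the original post or from the FBI advisory), the following Python checker flags the three lure markers the paragraph above describes, run against a constructed sample message: a Reply-To that leads away from the apparent sender’s domain, an attachment named like a photo but carrying an executable extension, and a link whose visible text shows a different host than its real target.  All domains, addresses and file names in the sample are hypothetical.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse
import os
import re

# Extensions that run code when double-clicked; "photo.jpg.exe" is the classic disguise.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

def build_sample():
    """Constructed spear-phishing lure (hypothetical domains, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"ClientCorp Counsel" <counsel@clientcorp.example>'
    msg["Reply-To"] = "counsel@mail-relay.example.net"   # replies leave the trusted domain
    msg["Subject"] = "Re: draft licence agreement - overseas plant"
    msg.set_content("Updated draft and site photos attached.")
    msg.add_alternative(
        '<p>Draft: <a href="http://cdn.example.net/doc">'
        "http://portal.clientcorp.example/draft</a></p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="site_photos.jpg.exe")
    return msg

def analyze(msg):
    """Return a list of human-readable findings; an empty list means no lure markers."""
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
            findings.append(f"executable attachment with document-like name: {name}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        # Compare the host a reader sees in the anchor text with the host the href really targets.
        for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                                     html.get_content(), re.I | re.S):
            shown = re.search(r'https?://([^/\s<>"]+)', text)
            target = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != target:
                findings.append(f"link text shows {shown.group(1)} but points at {target}")
    return findings

if __name__ == "__main__":
    for line in analyze(build_sample()):
        print("-", line)
```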