SecurityFocus, 2003-01-06
A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State.

>
> I also wonder, though, if it will work if the company is
> based "outside of the golden state."
I think that was pretty clearly covered in the article.
> Just some thaughts.
Perhaps some other "thaughts"[sic] would be this...look at the question of what constitutes "knowledge" of an incident, as stated in the article. There are a great many organizations out there that do NOT know, nor do they have any idea, that they've been compromised. I'm not talking universities, only corporations and companies. WAPs, rogue servers, etc. ...they all contribute. This past spring I received a copy of an IRC bot (see my write-up on SF on the "russiantopz" bot) from an admin...he'd seen a client get infected w/ the bot, but the client had no idea whatsoever, until they were informed of the infection.
It stands to reason that most organizations don't have any idea that they've been compromised by an external attacker. Please note I'm completely ruling out internal hacks, and only talking about external ones. So...if they don't know, how can they report it? In fact, that seems to be a pretty extreme loophole in the law...think about it. When it comes time to spend money on infosec, the consideration is now (not that it isn't already) going to be, "if we know about it, we'll have to report it". So, the reasoning is then, if the money isn't spent on security, it's not only saved then and there, but also in the future when hacks aren't reported.
Brian McWilliams recently had an article posted in Wired that talked about a PR firm that used FrontPage to create their web sites. The firm had job listings posted, with links to the job descriptions. The links were of the form "ftp://username:password@ftpserver". The username was an admin-level username, with its associated password. According to the article, the firm had been informed of this situation in June of this year, which they admitted...but they thought they'd fixed it. Also according to the article, a 13.5MB customer database could be downloaded from the site.
What we would hope would happen in an ideal world is that everyone would figure that if they could say, "Yes, we were hacked, BUT we had mechanisms in place that allowed us to catch the perpetrator", things would be okay. However, history hasn't played out that way thus far.
Link to this comment: http://www.securityfocus.com/comments/articles/1984/17561#17561
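The FrontPage incident described in the comment above (job-description links of the form ftp://username:password@ftpserver published on a public site) is the kind of leak a site owner can catch by scanning their own published pages for URLs that carry credentials in the userinfo part. The script below is an added example, not code from the article, the commenter, or the firm involved; the page markup, host names and credentials in it are constructed, and the report redacts the secret so that the finding itself does not re-leak it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class LinkExtractor(HTMLParser):
    """Collect href/src/action values so each can be checked for embedded credentials."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def credential_in_url(url):
    """Return (scheme, username, host) when the URL carries a userinfo password, else None."""
    parts = urlsplit(url.strip())
    if parts.password is None:          # "user@host" alone is not a credential leak
        return None
    return parts.scheme, parts.username, parts.hostname


def redact(url):
    """Replace the userinfo component so the report can be shared without the password."""
    parts = urlsplit(url.strip())
    if parts.username is None:
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, f"[redacted]@{netloc}", parts.path, parts.query, parts.fragment))


def find_leaked_credentials(html):
    """Scan one page's markup and return a redacted finding per credential-bearing link."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        hit = credential_in_url(link)
        if hit:
            findings.append({"url": redact(link), "scheme": hit[0], "username": hit[1], "host": hit[2]})
    return findings


# Constructed sample page: two ordinary links and one FrontPage-style link with ftp userinfo.
SAMPLE_HTML = """<html><body>
<a href="/jobs/index.htm">Careers</a>
<a href="ftp://webadmin:Secr3t@ftp.example-pr.test/jobs/desc1.doc">Job description</a>
<img src="https://www.example-pr.test/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_HTML):
        print(finding)
```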