Tuesday, January 8, 2008

New Information Security Threats

Now, your network connection isn't the only point of attack for malware. According to this article from C|NET malware has been found preinstalled on USB enabled consumer devices, including an Mp3 player, and (something I didn't even know existed) a digital picture frame. This isn't a case like the Sears holding company fiasco (described here), where the company installed tracking software with arguably insufficient notice. Instead, the malware found on the USB devices is something about which consumers are given no warning whatsoever.

So what does all this mean legally? The first thing it means is that law abiding companies should make sure that they have effective programs in place to prevent unauthorized software from being run on their systems, because this new attack vector (which includes picture frames) could lead to security breaches, and their attendant legal consequences. The second thing it means is that we're likely to see a ton of litigation against device distributors. When Sony shipped CDs with malware pre-installed, they were sued, and eventually settled in class action litigation for (among other things) fraud, deceptive trade practices, and trespass to chattels. I envision many similar suits happening in the future, many of which will probably inculde device distributors who didn't know what their manufacturers put on the devices while they were being made. Finally, I have a distant hope that news like this will lead to more people recognizing the dangers of malware and identity theft. A great example of the lack of regard many people have for information security is this post from BoingBoing which describes an individual who sought to prove security concerns were unwarranted by publishing his bank account number (which, predictably, was used to set up an unauthorized direct debit in his name). Maybe the shock of learning that every day objects like a picture frame can be used to steal data will end up making people more aware of the importance of information, and the lengths criminals will go to to steal it.

1 comment:

Anonymous said...

Hi
This is Maanik, I am a big fan of Indian IT industry. I found your blog during searching from Information Security consulting services in India. I found this blog very informative.