by tptacek 3725 days ago
As someone who works in this field and has been a party to breach investigations, it is really hard for me to imagine a breach in which the website of the Los Angeles Times is defaced costing less than $5000. I'm actually surprised --- as, apparently, were the prosecutors --- that the established losses were capped at ~$15,000.

If you're operating a company with real customers and real cash flow at any kind of real scale, and you suffer a serious breach, figure $50,000-$60,000 is table stakes for getting that breach resolved.

The intuition you need, to price these things out, is that once an attacker obtains unexpected unauthorized access to a system, the very next thing they do (and, in this case, the very next thing they tried to do --- much to Keys' chagrin) is extend and persist access. Which means that if you're resolving a breach, you have to re-assess every system that the attackers got unexpected access to and verify that they didn't (a) implant something that will restore access in the future or (b) uncover some latent vulnerability that would allow them to do that.

Nobody reliably assesses internal systems (those systems you get unexpected access to once you successfully obtain unauthorized access). Nobody. An attacker gets behind the login prompt on a CMS you've deployed? You probably need to re-assess the whole CMS, because a big chunk of your security for that CMS probably relied on the idea that attackers don't know and can't reach all the URL endpoints behind the login prompt. The attacker gets code execution somehow? Now they're on your internal network, and the same goes for every system on the internal network.

It adds up fast. And your insurance company will (a) demand that you pay it, and (b) shortlist your DFIR vendors for you.

Not fun times.


It is surprising to mere mortals that reverting a web page to a previous version, as GP described, costs that much. I can see an argument to include costs of investigation, and a much more tenuous argument to include costs to fix a vulnerability, but frankly the arguments not to include those costs seem more compelling. After all, the defendant in this case didn't design and implement the relatively weak security. That was a business decision by managers and executives.

[EDIT:] I see you've added some material that explains why investigations cost more. That seems reasonable, but in many cases attackers are not within the reach of prosecution. If we allow firms to blame the "hacker" for needing to investigate how bad their security is, ISTM we're letting them shift the blame to parties who can't actually fix their problems.

Can you be more precise about "relatively weak security"? The accused in this case exfiltrated credentials to the system that was compromised. Most companies would fall to that attack.

Meanwhile: they clearly can't just revert the web page. Keys gave a hacker group a login for a web application. How, exactly, does Trib Corp know how much damage the hacker group did to the server? There needs to be an investigation, and the norm is that the investigation should be done by a third party.

Meanwhile, there's a principle in the law that you take the victim as they come. In US tort law, it's called "the eggshell skull rule". It means if you hit someone over the head with a book or something and unexpectedly fracture their skull because it turns out to have been as thin as an eggshell, you are still responsible for the damage you caused.

It's my understanding that credentials were used to access a system from "outside" some time after the employment of the user associated with those credentials ceased. That is weak, relative to other firms that take the steps necessary to retire the credentials of former employees. I've worked at such firms; I know they exist. You probably have a better sense of the "average" state, however.

It isn't at all clear to me that the eggshell rule is relevant to this situation. This was not an act of violence. Packets were exchanged among computers, which resulted in other packets being exchanged among computers. The "legal reasoning by tortured analogy" one sees so often on HN has really crippled our collective intelligence.

The rule isn't about violence. It's about the fact that someone who commits a wrong can't rely on the victim's prior diminished circumstances to mitigate the impact of their own wrong.

The person who smacks the eggshell-skulled victim upside the head with a magazine couldn't imagine that doing so would have fractured their skull. People don't normally have skulls as thin as eggshells. "Tough shit", says the law. "If you don't want to expose yourself to the risk of fracturing someone's skull, don't hit people upside their heads with magazines."

By the same token, whatever frailties existed in Trib Corp's internal security, necessitating expensive post-breach cleanup, are justifiably imputed to Keys, not to Trib Corp.

Wow I wish that "rule" applied somehow to cyclists and pedestrians killed by motorists. That would be handy!

As described above, against a firm with a modicum of security procedure, this "attack" would have been a no-op. As in, all the same actions could have been taken, and they would have had no effect whatsoever. "Attacks" like this take place every day, and many even succeed, with no action from prosecutors whatsoever.

You and I have different conceptions of justice. It may well be that yours conforms more exactly to that enforced by the courts; we don't live in a perfect world.

That rule very much does apply to cyclists killed by motorists! But remember, the rule is that you impute harm caused by a tort or a criminal offense. You have to start by establishing the driver was at fault.

It's not even always about finding how bad your security is. Sometimes you might know exactly how they got in, but that doesn't affect whether you've successfully cleaned them out at all. Once someone is on your system, being absolutely sure you've cleaned the systems out of security issues is something you'll never quite be sure of, without booting trusted third party media and comparing the disk to a known good backup. Most sysadmins I know don't bother, it's easier to just restore from a known good backup and selectively copy anything over that was changed more recently. Restoring a live system from backup and making sure it's fit for production duty is quite a bit more involved than changing a password, or patching a program. It's not a huge burden, but extend it across tens of servers, and costs start piling up quick.

If you find out that someone's been coming into your house when you're not there for a few weeks, but you're not entirely sure how, you don't just change your key, you also check all your windows, possibly fix the latch or replace the window on any that are broken, etc.
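The "compare the disk to a known good backup" step in the comment above is, in practice, a file-integrity diff: hash every file in the known-good copy, hash every file on the suspect disk, and report what was added, removed or modified. The script below is an added illustration of that diff, not code from the commenter or from any real incident; the directory layout, file names and "post-compromise" changes are all constructed inside a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative file-integrity comparison (added example, not from the thread).
# The sample tree and the changes made to it are constructed in demo() below.


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped rather than followed: hashing the link target would
    hide a link that had been re-pointed somewhere else.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root_path).as_posix()
            manifest[rel] = sha256_of(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between the known-good snapshot and the live tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny 'server', then change it the way a
    post-breach comparison against the backup would have to detect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=8080\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF original binary")
        baseline = build_manifest(tmp)  # the "known good backup"

        # Constructed changes standing in for what an intruder might leave:
        (root / "bin" / "service").write_bytes(b"\x7fELF replaced binary")  # modified
        (root / "etc" / "unexpected.conf").write_text("added after snapshot\n")  # added
        (root / "etc" / "motd").unlink()  # removed
        current = build_manifest(tmp)  # the suspect disk

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the comment's wording. First, the hashing has to run from trusted boot media against the mounted suspect disk; a manifest produced by software on the compromised host can be lied to. Second, a real comparison also needs ownership, permission bits and the set of files that are expected to differ (logs, caches), which is exactly the per-server triage work the commenter says adds up across tens of machines.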

This is perhaps not directly related to this story, but it seems common that hackers are taken to be liable for the cost to fix whatever weaknesses they used to make the breach. This is like not fitting any locks on your doors, and then charging the burglar to put new locks on after a burglary.

The cost should generally be limited to the actual damage done by the hacker, rather than include things that the company should have been doing anyway.

After someone uses an open window to obtain entry, does that mean that they can be charged with the cost of locating and auditing every copy of every physical key to the premises, on the basis that they could have found one and stolen it while they were in the building?

No, that's not common. The damages imputed to attackers arise directly from what they did. The problem is that people ignore a whole class of damages in these cases: the DFIR work that is required to ensure that whoever attacked you didn't also persist themselves somehow.

The problem is that that work seems essentially unlimited (you can invent crazier and crazier possibilities that you need to check for), and doesn't seem to be something that we do so much for physical intrusions which nevertheless have the same features (you can find keys, take copies of keys, even change locks or cut or make false walls / doors).

Your infrastructure should aim to be robust against people persisting themselves (in this case, something that allows an employee to persist themselves beyond the validity of their credentials is a serious problem whether the hacker does it or not). Where it is not, that's your failing. Charging the hacker for finding out where your infrastructure is failing is perverse since if anything their attack made it easier to spot a failing. If they did persist themselves, then obviously the cost to fix that belongs on the hacker, but the cost to identify such things is something you should be doing anyway.

The costs imputed to Keys in this case were under $20,000. There is absolutely no way the Tribune Corporation got a real, industry standard forensics investigation done for that sum of money.

I don't understand how you could impute the cost of auditing infrastructure for backdoors that could have been planted in a breach to the victim of the breach, rather than to the person convicted of causing the breach. We're not talking about having each of Trib Corp's applications assessed (the cost of that would be in the many hundreds of thousands of dollars, minimum).