At the start of April, a member of CabinCr3w, an Anonymous-affiliated hacking group, was arrested in Utah.

John Anthony Borell III, who goes under the moniker Kahuna, appeared before the Court in relation to two offences of “computer intrusion” regarding hacking the websites of the Utah Chiefs of Police and the Salt Lake City Police Department.  He has pleaded not guilty and the matter will presumably proceed to trial.

The oddly titled “computer intrusion” offence applicable in the US is defined as follows:

Whoever knowingly causes the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally causes damage without authorization, to a protected computer; shall be punished by a maximum term of 10 years imprisonment.

The UK equivalent is covered by the offence of “unauthorised access to computer material” under section 1 of the Computer Misuse Act 1990.  A person is guilty of this offence if:

  1. he causes a computer to perform any function with intent to secure access to any program or data held in any computer; and
  2. the access he intends to secure is unauthorised; and
  3. he knows at the time when he causes the computer to perform the function that that is the case.

This offence holds a maximum sentence of six months imprisonment.  However, there is a more serious offence under section 3 whereby the unauthorised modification of the computer material then occurs, which is what it is alleged Borell has done.  The modification offence carries a maximum of five years imprisonment.

Of course, it is certainly not unusual for crimes to be punished more harshly in the US than in the UK, but, given the borderless nature of the internet, this does pose a slight problem.  There have therefore been numerous recent attempts to harmonise such legislation but, in the meantime, indications have been that if the US can somehow claim jurisdiction, they will attempt to extradite suspects to face their harsher sentences.

Borell is alleged to have used an SQL injection to gain access to those sites and retrieve information regarding the usernames and passwords for numerous chiefs of police from Utah and the personal information and passwords for many Salt Lake City police officers.  The exotically named “SQL injection” is, at its simplest, a method of exploiting a web form.  For example, when you enter text in the ‘username’ and ‘password’ fields of a login screen, this is typically inserted into an SQL command.  This command checks the data entered against the relevant table in the database.  If the information you have provided matches a row in that table, you are granted access (in the case of a login screen).  However, if a person enters certain codes, the process by which authorisation is granted can be manipulated to allow access despite that person not having a username or password.
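The login check described above, as an added example that is not part of the original post and is not taken from the sites in the case: it places the vulnerable way of building the SQL command beside the parameterised form that prevents the manipulation.  The table, the account, the crafted input and the function names are all constructed for illustration.

```python
import sqlite3

# Constructed test input: the quote characters end the intended text value,
# and the remainder is read by the database as part of the command.
CRAFTED = "x' OR '1'='1"


def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('chief', 'hash-of-real-password')")
    return db


def login_concatenated(db, username, password_hash):
    # Vulnerable pattern: the form text is pasted into the SQL command,
    # so the input can change what the command means.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterised(db, username, password_hash):
    # Hardened pattern: placeholders send the input separately from the
    # command, so it is only ever compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # A genuine login succeeds either way.
    print(login_concatenated(db, "chief", "hash-of-real-password"))
    print(login_parameterised(db, "chief", "hash-of-real-password"))
    # With no valid account, only the concatenated check grants access.
    print(login_concatenated(db, "nobody", CRAFTED))
    print(login_parameterised(db, "nobody", CRAFTED))
```

The last two calls are the regression check a site owner would want: the same input must be refused once the query is parameterised.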

Rather than get bogged down in the technical aspects of the SQL injection, it is in fact alleged that Borell used an automated tool to gain access to the webpage.  The upshot of this is that it is suggested that anyone with that tool could have gained access and that no specialist knowledge was necessary.  It may be that Borell created the tool or modified it for his purposes, but it appears to simply be an “off-the-shelf” program that they allege that he used.

Given the open-door policy of Anonymous and that use of the internet is absolutely pervasive in the under-25s, it is inevitable that use of automated hacking tools will become more popular.  The Anonymous group previously promoted the use of an automated Distributed Denial of Service (DDoS) application which is used to overload websites and prevent them from functioning properly.  That application (LOIC or “Low Orbit Ion Cannon”) was initially downloaded 1000 times per hour by Anonymous followers.

As hacking in general, and specifically attacks against high-profile targets, is on the increase and is becoming more common, the number of prosecutions per year will inevitably also rise.

A person using an SQL injector, or LOIC to cause a DDoS, will be committing an offence which, if they damage the system, carries a potential 10 year custodial sentence in the US jurisdiction or 5 years imprisonment if in the UK.  Even if no modification or damage occurs, an offence is nevertheless committed.

Borell has not yet been convicted of an offence and could just as easily be acquitted.  Cyber crime cases are notoriously difficult to prosecute and there is a range of technical hurdles to overcome in order to succeed.  Given that prosecutors, particularly in the UK, have limited resources, it is often possible to expose those evidential deficiencies and prevent the prosecution from succeeding.  This was the approach that I took in both the OiNK and FileSoup filesharing cases, and the Crown Prosecution Service were unable to remedy the faults and dropped the cases before they even got to Trial. 

There are certainly interesting times to come but, given that such hacking tools are almost as easy as “point and click”, expect an increase in prosecutions in future.
