The term “ethical hacking” seems like an oxymoron at first glance, but it is clearly the only effective way for a company to be relatively certain that its systems can withstand particular computer attacks.
The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.
A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do. The reality, however, is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.
Background to Hacking Law
It is easy to appreciate the difficulties faced by Parliament when drafting statute, but never more so than in respect of the laws relating to computer offences. The evolution of hardware technology is arguably now moving more swiftly than consumer demand, but it is in the progression of software systems that we are seeing an absolute sea-change.
The internet has proven to be a societal equaliser – armed with only a computer and access to the internet, there is the potential for us all to become hackers. We are now seeing 15-year-old hackers targeting large corporate bodies, causing them significant disruption and getting away with it in the majority of cases.
The case that focused Parliament on the necessity for specific hacking laws dates back as far as 1988 to the Schifreen and Gold case.
British Telecom had introduced a simple computer communication system called Prestel, which worked by dialling the computer’s number and having the telephone system connect the dialler to the appropriate Prestel centre. A subscriber to this system would then be asked to enter their password and identity number in order to access their respective section of the database.
A man called Robert Schifreen was attending a trade show and observed an engineer for Prestel enter his details into the system – a username of 22222222 and a password of 1234. Presumably this was an administrator account, and Schifreen, along with his friend Stephen Gold, was then able to thoroughly explore the Prestel system. Once in the system, they changed some data and even managed to gain access to the personal message box of the Duke of Edinburgh, Prince Philip, leaving the message “Good afternoon HRH Duke of Edinburgh” in the process. After these exploits, Schifreen sold his story to the Daily Mail and even appeared on television to discuss what he had been a part of.
Unfortunately for Schifreen, the Prestel computer network was more successful and widely used than he had realised, being utilised by the likes of the Bank of Scotland and the Nottingham Building Society as their secure banking system. The UK military were also reputed to use it as their standby messaging service, if their primary computers were ever to become unavailable. It was even suggested that the Prestel network could have been used to control and launch the UK’s nuclear missile stock. Clearly, this unauthorised access caused discomfort for a lot of high-powered people, who were also irked that Schifreen and Gold were now bragging to the media.
Both GCHQ and MI6 became involved and began to investigate Schifreen and Gold. The pair’s online activity was closely monitored and it was decided that, in the interests of national security, it was best if the two were arrested and prosecuted. This decision then caused a big problem for the prosecution – what exactly were they to be charged with?
This is the first part of an article that first appeared in PenTest magazine. The remaining parts will be published on this blog on a weekly basis.