Joshua Schichtel of Phoenix, Arizona has been jailed for 30 months for selling access to thousands of hijacked home computers.
Schichtel pleaded guilty to attempting to cause damage to multiple computers without authorisation, through the use of botnets. Millions of computers unwittingly become part of a botnet, which are networks of machines that have been infected with a malicious computer programme. This programme allows unauthorised users to then control the infected computers remotely.
As discussed in the previous blog, “The Court’s Nonsensical Approach to Unauthorised Access in DPP v Bignell” the early decision of the Court in relation to unauthorised access suggested that the actions of a person authorised to access parts of a computer system, but who then accessed other parts without permission, would not be covered by the Computer Misuse Act 1990 (‘the Act’).
The Computer Misuse Act 1990 (‘the Act’) introduced three new offences into UK law, namely, unauthorised access to computer material; unauthorised access to computer material with intent to commit, or facilitate the commission of, a further offence; and unauthorised modification of computer material.
A Brighton woman who received death threats and other online abuse on Facebook has won a landmark High Court order forcing the social network to disclose the identities of anonymous internet trolls who targeted her. In the same week Ken Clarke announced government proposals to force internet service providers (ISPs) as part of the Defamation Bill to help identify online abusers without having to go down the litigation route.
The government published a draft version of the controversial Communications Data Bill which, if brought into force, will require internet service providers (ISPs) to retain the records of every phone call, email and website visit in the UK. David Cook, cyber crime solicitor at Pannone, says the Bill represents a significant increase in the already copious UK surveillance powers, and warns real criminals will use already available methods to hide their online activities.
A 27 year old Russian citizen, Georgiy Avanesov, has been jailed for four years after being found guilty of charges of creating and spreading the ‘Bredolab’ botnet that infected an estimated 30 million computers around the world.
This is the final part of a series of articles. The third part can be found here.
The Crown Prosecution Service, responsible for bringing prosecutions on behalf of the public, drafted guidance in an attempt to clarify some of these issues. They suggested the following test:
This is the third part of a series of articles. The second part can be found here.
Harmonising national laws
Following the enactment of the Computer Misuse Act, the Council of Europe were well aware of the borderless nature of the internet, and the inherent problems of policing it, and began attempting to harmonise national laws relating to cyber crime. In particular, they wanted to criminalise “the production, sale, procurement for use, import, distribution or otherwise making available of… a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed” when “committed intentionally and without right”.
The Computer Misuse Act 1990 was amended in a variety of ways, including a new s.3A, and, criminalised acts which should concern the penetration tester community:
This is the second part of a series of articles. The first part can be found here.
At that time, there was no “hacking” offence and so it was eventually decided that a charge of “making a false instrument” (under the Forgery and Counterfeiting Act 1981) was the most appropriate offence.
This statute is most often used for forgery type offences, in which the instrument is a means of proving purchase and then obtaining something. The “instrument” in question for Schifreen and Gold was explained to be “the user segment” part of the protocol. The intellectual dishonesty is rather clear and it was always apparent that this was a manipulation of the statute.
The term “ethical hacking” seems like an oxymoron at first glance, but is clearly the only effective method of ensuring that a company can be relatively certain that its system can withstand certain computer attacks.
The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.
A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do. The reality, however, is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.
