David Cook - CyberSolicitor

Joshua Schichtel – casualty of the botnet wars

Posted on 12 October 2012

Joshua Schichtel of Phoenix, Arizona has been jailed for 30 months for selling access to thousands of hijacked home computers.

Schichtel pleaded guilty to attempting to cause damage to multiple computers without authorisation, through the use of botnets. Millions of computers unwittingly become part of a botnet, which is a network of machines that have been infected with a malicious computer programme. This programme allows unauthorised users to control the infected computers remotely.


Bow Street Mags and Allison – The Courts reject their previous interpretation of unauthorised access

Posted on 10 October 2012

As discussed in the previous blog, “The Court’s Nonsensical Approach to Unauthorised Access in DPP v Bignell” the early decision of the Court in relation to unauthorised access suggested that the actions of a person authorised to access parts of a computer system, but who then accessed other parts without permission, would not be covered by the Computer Misuse Act 1990 (‘the Act’).


The Court’s nonsensical approach to unauthorised access in DPP v Bignell

Posted on 8 October 2012

The Computer Misuse Act 1990 (‘the Act’) introduced three new offences into UK law, namely, unauthorised access to computer material; unauthorised access to computer material with intent to commit, or facilitate the commission of, a further offence; and unauthorised modification of computer material.


Can the Law Keep Pace with Social Media Trolls?

Posted on 29 June 2012

A Brighton woman who received death threats and other online abuse on Facebook has won a landmark High Court order forcing the social network to disclose the identities of anonymous internet trolls who targeted her. In the same week Ken Clarke announced government proposals to force internet service providers (ISPs) as part of the Defamation Bill to help identify online abusers without having to go down the litigation route.


Communications Data Bill: Real Criminals Will Still Hide Online

Posted on 22 June 2012

The government published a draft version of the controversial Communications Data Bill which, if brought into force, will require internet service providers (ISPs) to retain the records of every phone call, email and website visit in the UK. David Cook, cyber crime solicitor at Pannone, says the Bill represents a significant increase in the already copious UK surveillance powers, and warns real criminals will use already available methods to hide their online activities.


Cybercrime mastermind jailed for creating botnet

Posted on 15 June 2012

A 27-year-old Russian citizen, Georgiy Avanesov, has been jailed for four years after being found guilty of charges of creating and spreading the ‘Bredolab’ botnet that infected an estimated 30 million computers around the world.


Uncertain law leaves penetration testers in limbo – Part 4/4

Posted on 11 June 2012

This is the final part of a series of articles. The third part can be found here.

The Crown Prosecution Service, responsible for bringing prosecutions on behalf of the public, drafted guidance in an attempt to clarify some of these issues. They suggested the following test:

  1. Has the article been developed primarily, deliberately and for the sole purpose of committing a Computer Misuse Act offence?
  2. Is the article available on a widespread commercial basis and sold through legitimate channels?
  3. Is the article widely used for legitimate purposes?
  4. Does it have a substantial installation base?
  5. What was the context in which the article was used to commit the offence compared with its original intended purpose?


Uncertain law leaves penetration testers in limbo – Part 3/4

Posted on 4 June 2012

This is the third part of a series of articles. The second part can be found here.

Harmonising national laws

Following the enactment of the Computer Misuse Act, the Council of Europe were well aware of the borderless nature of the internet, and the inherent problems of policing it, and began attempting to harmonise national laws relating to cyber crime. In particular, they wanted to criminalise “the production, sale, procurement for use, import, distribution or otherwise making available of… a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed” when “committed intentionally and without right”.

The Computer Misuse Act 1990 was amended in a variety of ways, including a new s.3A, and criminalised acts which should concern the penetration tester community:


Uncertain law leaves penetration testers in limbo – Part 2/4

Posted on 28 May 2012

This is the second part of a series of articles. The first part can be found here.

At that time, there was no “hacking” offence and so it was eventually decided that a charge of “making a false instrument” (under the Forgery and Counterfeiting Act 1981) was the most appropriate offence.

This statute is most often used for forgery-type offences, in which the instrument is a means of proving purchase and then obtaining something. The “instrument” in question for Schifreen and Gold was explained to be “the user segment” part of the protocol. The intellectual dishonesty is rather clear and it was always apparent that this was a manipulation of the statute.


Uncertain law leaves penetration testers in limbo – Part 1/4

Posted on 21 May 2012

The term “ethical hacking” seems like an oxymoron at first glance, but is clearly the only effective method of ensuring that a company can be relatively certain that its system can withstand certain computer attacks.

The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.

A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do. The reality, however, is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.


The content of this website reflects my personal opinion, which is not necessarily shared by my employer. Nothing contained on this website constitutes legal advice and certainly should not be relied upon as such.
