The government published a draft version of the controversial Communications Data Bill which, if brought into force, will require internet service providers (ISPs) to retain the records of every phone call, email and website visit in the UK. David Cook, cyber crime solicitor at Pannone, says the Bill represents a significant increase in the already copious UK surveillance powers, and warns real criminals will use already available methods to hide their online activities.
A 27 year old Russian citizen, Georgiy Avanesov, has been jailed for four years after being found guilty of charges of creating and spreading the ‘Bredolab’ botnet that infected an estimated 30 million computers around the world.
This is the final part of a series of articles. The third part can be found here.
The Crown Prosecution Service, responsible for bringing prosecutions on behalf of the public, drafted guidance in an attempt to clarify some of these issues. They suggested the following test:
- Has the article been developed primarily, deliberately and for the sole purpose of committing a Computer Misuse Act offence?
- Is the article available on a widespread commercial basis and sold through legitimate channels?
- Is the article widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
This is the third part of a series of articles. The second part can be found here.
Harmonising national laws
Following the enactment of the Computer Misuse Act, the Council of Europe were well aware of the borderless nature of the internet, and the inherent problems of policing it, and began attempting to harmonise national laws relating to cyber crime. In particular, they wanted to criminalise “the production, sale, procurement for use, import, distribution or otherwise making available of… a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed” when “committed intentionally and without right”.
The Computer Misuse Act 1990 was amended in a variety of ways, including a new s.3A, and, criminalised acts which should concern the penetration tester community:
This is the second part of a series of articles. The first part can be found here.
At that time, there was no “hacking” offence and so it was eventually decided that a charge of “making a false instrument” (under the Forgery and Counterfeiting Act 1981) was the most appropriate offence.
This statute is most often used for forgery type offences, in which the instrument is a means of proving purchase and then obtaining something. The “instrument” in question for Schifreen and Gold was explained to be “the user segment” part of the protocol. The intellectual dishonesty is rather clear and it was always apparent that this was a manipulation of the statute.
The term “ethical hacking” seems like an oxymoron at first glance, but is clearly the only effective method of ensuring that a company can be relatively certain that its system can withstand certain computer attacks.
The Ethical Hacking Council defines the goal of the ethical hacker as to “help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within the legal limits”.
A question that I am often asked is, “How can a penetration tester or ethical hacker be sure that his activities remain lawful?” The easy response is that the terms of engagement should be defined in advance. The law is concerned with unauthorised access to computer systems, so an IT security consultant should be well aware of what they are actually authorised to do. The reality, however, is that the law regarding cyber crime is fairly ambiguous and I do have sympathy with penetration testers and ethical hackers, given the potential minefield that surrounds them.
Low Orbit Ion Cannon is a Denial of Service (DoS) application which has been released into the public domain and 2012 has brought an alarming increase in the number of application downloads.
The idea behind LOIC is that it can allow you to participate in DoS attacks even if you’ve no clue how to really use a computer. DoS attacks are launched with the intention of attempting to make a computer or network unavailable to its intended users and the usual targets are high profile web-servers such as banks.
