Thursday 20 September 2012

Hacking and Intent (UK)

A follow-up to my blog post "What makes an ethical hacker legal", looking in a bit more detail at the legal requirements of being a white hat or ethical hacker. In the first article I said "a written and signed agreement between the tester and the legal owner of the system" is a requirement to ensure an ethical hacker stays legal.

In the UK the legal question of whether you are an ethical or white hat hacker comes down to intent. When conducting a penetration test the intent of the tester is easily demonstrated: they have a contract and a written agreement to conduct the test, so it is obvious that the tester was aiming to conduct the test ethically by remaining within the law and getting permission to access the systems. The test is therefore not unauthorised access and not illegal. However, it is worth pointing out that the organisation whose systems you are testing may not be the only party that needs to give permission for the testing to occur. If the system is hosted by a third party you will need authorisation from them as well. This may be covered by the hosting agreement between the third party and the organisation about to be tested, but it is worth your while requesting proof of that authorisation. In particular, Amazon have a requirement that they need to issue permission for tests to be carried out on systems hosted on their AWS.

For an ethical or white hat hacker in the UK, a big problem is the ownership of tools for conducting a penetration test. The Computer Misuse Act (CMA) 1990, as amended by the Police and Justice Act 2006, introduced a new offence under section 3A: "Making, supplying or obtaining articles for use in computer misuse offences".

The offence concerns articles that could be used for either the section 1 offence (unauthorised access) or the section 3 offence (carrying out unauthorised acts) just outlined. Here, "article" is stated to include "any program or data held in electronic form".

Someone is guilty of the offence if:
  • he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
  • he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
  • he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
Guidance from the Crown Prosecution Service (CPS) about considering a prosecution under section 3A CMA says:

Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
  • Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
  • Are students, customers and others made aware of the CMA and what is lawful and unlawful?
  • Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Section 3A (2) CMA covers the supplying or offering to supply an article likely to be used to commit, or assist in the commission of an offence contrary to section 1 or 3 CMA. Likely is not defined in CMA but, in construing what is likely, prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly.

In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
  • Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)? 
  • Is the article available on a wide scale commercial basis and sold through legitimate channels? 
  • Is the article widely used for legitimate purposes? 
  • Does it have a substantial installation base? 
  • What was the context in which the article was used to commit the offence compared with its original intended purpose?
Tools such as those from Rapid7 and other recognised security audit tools easily fall within the guidance offered by the CPS. However, the use of less popular tools, or of tools distributed by the underground hacker scene, may fall foul of the dual use guidance, even if the only intent is to test a system using the same tools a black hat would.

In the UK the word intent is important in many legal cases, as proving intent is proving a guilty mind. In a criminal case in the UK the measure of whether you are guilty or not is based upon the prosecution proving the case "beyond all reasonable doubt". If the members of the jury feel there is doubt as to whether the defendant acted illegally, then the case is not proven and the defendant should be found not guilty.

For an illegal act to take place there must be two things:
  • Actus reus (guilty act)
  • Mens rea (guilty mind)
A guilty act can be quite easy to prove: either the defendant accessed the system or not. A more everyday example would be the defendant smashing a window in a house that does not belong to them, a case of vandalism or not. Proving the defendant guilty would involve showing the defendant meant to break the window. A game of street football and an accidental misplaced shot hitting a neighbour's window is an example of there being no guilty mind: there was no intent, it was an accident. However, if there had been a history of confrontation between the two parties, then it could be argued there was intent to break the window.

If you are in the UK and get into legal trouble, then because we have an adversarial judicial system it will come down to how well your defence lawyer argues your case against the prosecution lawyer. In a sense it is a debate between the defence and the prosecution, with the jury or magistrates deciding who has made the better case. The problem is that the outcome sometimes relies on who is the better debater rather than on the merits of the case.
