Legal, Ethical and Social Issues
Resources
Wilhelm, T., 2010, Professional Penetration Testing: Creating and Operating a Formal Hacking Lab, Syngress
Casey, E., 2011, Digital Evidence and Computer Crime, 3rd ed., Elsevier
Allsopp, W., 2009, Unauthorised Access: Physical Penetration Testing for IT Security Teams, Wiley
Krutz, R. and Vines, R. D., 2008, The CEH Prep Guide: The Comprehensive Guide to Certified Ethical Hacking, Wiley
Harris, S., Harper, A., Eagle, C. and Ness, J., 2007, Gray Hat Hacking: The Ethical Hacker's Handbook, 2nd ed., McGraw-Hill
Intro
Penetration testing carries an inherent degree of legal risk
Even a properly authorised test can stray into questionable legal territory (wrong target, over-broad interception, personal data in the results)
Ethical hacking therefore requires knowledge and understanding of:
Legal systems, which can be complex because the Internet crosses international boundaries
Different legal systems
Different roles of the judiciary, treatment of evidence, rights of the accused, extradition treaties, etc.
Computer-related laws
Different laws
Different interpretations of the same law
Ethical principles, which are subjective and depend on local norms, background, stakes, religion, etc.
Gary McKinnon case: a decade-long extradition battle between the UK and the US over unauthorised access to US military and NASA systems https://en.wikipedia.org/wiki/Gary_McKinnon
UK Law
Most relevant legislation (as it stood when these slides were written; later amendments are noted where they matter):
The Computer Misuse Act 1990, as amended by the Police and Justice Act 2006 (and later by the Serious Crime Act 2015)
The Human Rights Act 1998 (Article 8)
The Regulation of Investigatory Powers Act 2000 (its interception provisions have since been replaced by the Investigatory Powers Act 2016)
The Data Protection Act 1984 and 1998 (the 1998 Act has since been replaced by the Data Protection Act 2018 and the UK GDPR)
Computer Misuse Act 1990
In summary, three main offences as originally enacted:
Section 1: Unauthorised access to computer material
Prosecution must prove the suspect knew, at the time, that the access was unauthorised (no need to prove damage or motive)
Originally a summary offence: maximum six months' imprisonment and/or a fine (level 5, then £5,000); raised to two years on indictment by the 2006 amendments
Section 2: Unauthorised access with intent to commit or facilitate commission of further offences
Prosecution must prove the access was carried out to further some other criminal purpose, e.g. theft or fraud
Maximum five years' imprisonment and/or an unlimited fine
Section 3: Unauthorised modification of computer material (since 2006: unauthorised acts with intent to impair the operation of a computer)
Covers developers of viruses, worms, etc., and, after 2006, denial-of-service attacks
Originally five years' imprisonment and/or an unlimited fine; raised to ten years by the 2006 amendments
Computer Misuse Act 1990: the 2006 amendments
Amendments made by the Police and Justice Act 2006 (in force from 2008); there is no separate "Computer Misuse Act 2006":
To comply with the Council of Europe Convention on Cybercrime (the Budapest Convention, 2001)
Increased maximum penalties (s.1 to two years, s.3 to ten years)
Made clear that denial of service is a crime (s.3 rewritten to cover any unauthorised act intended to impair the operation of a computer)
Added s.3A, which criminalises making, adapting, supplying or offering to supply an article (including software) intending it to be used, or believing it is likely to be used, to commit a s.1 or s.3 offence, and obtaining such an article with a view to its use
Note that for supply the test is belief that the tool is "likely" to be used criminally, not only intent, which is why the wording worried the industry
On its face that covers virtually every tool an ethical hacker uses; in practice prosecutors look at the purpose and context in which the tool was made, supplied or possessed
Later developments
The Serious Crime Act 2015 added s.3ZA (unauthorised acts causing, or creating a significant risk of, serious damage), with maximum penalties of up to 14 years, or life where human welfare or national security is put at risk
The Act's undefined term "computer" has always been read broadly, so smartphones and other devices are already covered
Proposals discussed at the time included making disclosure of information obtained through unauthorised access (e.g. publishing passwords) an offence in its own right
CMA for the Ethical Hacker
You are conducting a black-box penetration test. Due to a miscommunication (e.g. wrong network range or IP address) you attack and compromise the wrong computer. Are you guilty?
You did not intend to attack this particular computer
You did intend to attack a computer, and you knew you had no authorisation from whoever owns this one
You break the encryption of a wireless network that you believed belonged to the client but actually belongs to its neighbour. Are you guilty?
A customer may want you to "hack back" against an attacker
Is it lawful? (You have no authorisation from the owner of the attacker's machine, which may itself be a compromised third party)
You receive written permission to perform a penetration test from someone who believed they were authorised to give it but were not. Who is guilty?
The practical lesson in every case: confirm in writing who owns and controls each asset, confirm the exact scope (addresses, ranges, SSIDs/BSSIDs), and verify every target against that scope before you send a packet
For real incidents of this kind, read the cases described at the link below
https://securitycurrent.com/legal-issues-in-penetration-testing/
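The first two scenarios above come down to one check that can be automated: before any packet is sent, compare every target against the signed scope and stop on any mismatch. The following is an added example, not code from the original slides. The rules-of-engagement contents, hostnames, addresses and BSSIDs are constructed for illustration; the real engagement document, the DNS answers at test time and the identity of the signatory are assumptions that must be verified by the tester.

```python
"""Pre-engagement scope check: refuse to touch anything the rules of
engagement (RoE) do not explicitly authorise.

Added example; not from the original slides. The RoE contents, hostnames,
addresses and BSSIDs below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    client: str
    in_scope: list                                  # CIDR strings authorised in writing
    excluded: list = field(default_factory=list)    # carve-outs: shared hosts, third parties
    bssids: set = field(default_factory=set)        # wireless APs authorised for testing
    signed_by_owner: bool = False                   # signatory shown to control the assets

    def networks(self, items):
        return [ipaddress.ip_network(c, strict=False) for c in items]


# Constructed resolver so the example runs offline. A real run uses DNS and
# should record what each name resolved to at the time of the test.
RESOLVE = {
    "www.client.example": "192.0.2.10",
    "mail.client.example": "198.51.100.7",   # hosted by a third party, not the client
}


def resolve(target):
    """Accept a literal IP or a hostname; never guess an unresolvable name."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        if target not in RESOLVE:
            raise ValueError(f"cannot resolve {target!r}; refusing to guess")
        return ipaddress.ip_address(RESOLVE[target])


def classify_targets(roe, targets):
    """Split targets into (in_scope, out_of_scope) as (name, ip) pairs.

    An exclusion always wins over an inclusion: a carved-out host inside an
    authorised range is still out of scope.
    """
    allowed = roe.networks(roe.in_scope)
    denied = roe.networks(roe.excluded)
    in_scope, out_of_scope = [], []
    for t in targets:
        ip = resolve(t)
        ok = any(ip in n for n in allowed) and not any(ip in n for n in denied)
        (in_scope if ok else out_of_scope).append((t, str(ip)))
    return in_scope, out_of_scope


def authorise(roe, targets):
    """Return the in-scope targets, or raise before any packet is sent."""
    if not roe.signed_by_owner:
        raise PermissionError("RoE not signed by someone shown to control the assets")
    in_scope, out_of_scope = classify_targets(roe, targets)
    if out_of_scope:
        raise PermissionError(f"out-of-scope targets, stop and re-confirm: {out_of_scope}")
    return in_scope


def safe_to_proceed(roe, targets):
    """Boolean wrapper around authorise() for scripting: True only if all clear."""
    try:
        authorise(roe, targets)
        return True
    except (PermissionError, ValueError):
        return False


def wireless_in_scope(roe, bssid):
    """The neighbour's-WLAN scenario: match the access point by BSSID, not by
    SSID, because SSIDs are neither unique nor proof of ownership."""
    return bssid.lower() in {b.lower() for b in roe.bssids}


if __name__ == "__main__":
    roe = RulesOfEngagement(
        client="Example Ltd",
        in_scope=["192.0.2.0/24"],
        excluded=["192.0.2.250/32"],          # shared host the client does not control
        bssids={"00:11:22:33:44:55"},
        signed_by_owner=True,
    )
    print(classify_targets(roe, ["192.0.2.10", "192.0.2.250", "mail.client.example"]))
    print(safe_to_proceed(roe, ["www.client.example"]))
```

Run the module directly to see the classification for the constructed RoE: the mail host resolves outside the authorised range and the carved-out host is rejected even though it sits inside it, so `authorise()` refuses to proceed. The BSSID check is deliberately separate from the IP check because a wireless attack targets a radio, not an address, and the SSID alone proves nothing about who owns it.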
Human Rights Act
Article 8 (of the European Convention on Human Rights, incorporated by the Act) is the most relevant: right to respect for private and family life
Everyone has the right to respect for his private and family life, his home and his correspondence
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
HRA and the Ethical Hacker
As part of your penetration test you perform some network-level snooping or sniffing (in order to capture passwords, for example)
This is a fairly indiscriminate process
You might capture a lot of private information and communications belonging to people who are not party to the engagement
It is easy to interfere with the interest protected by Article 8(1), the right to privacy in correspondence
The Act binds public authorities directly; for a private tester the same concern surfaces through RIPA (interception) and data protection law, so minimise what you capture (capture filters, short windows, no retention beyond what the report needs)
Regulation of Investigatory Powers Act
More enabling than regulating: its main purpose is to give law enforcement and the security services greater surveillance powers
Part III (s.49): if served with a notice by the authorities, you are required to hand over passwords and encryption keys (or put the material into intelligible form) and, where the notice says so, not to discuss it with anyone. Failure to comply is itself an offence: up to two years' imprisonment, or five years in national security cases
Part I (s.1) outlaws the interception of communications in the course of transmission, including on a private telecommunication system, if it is "without lawful authority". Lawful authority includes the consent of both sender and recipient, or, on a private system, the consent of the person with the right to control its operation (which is why written permission from the network owner matters)
The interception provisions have since been replaced by the Investigatory Powers Act 2016; the Part III key-disclosure powers remain in RIPA
https://www.legislation.gov.uk/ukpga/2000/23/contents
RIPA and the Ethical Hacker
Ensure that you get explicit written permission, in the rules of engagement and from the person who controls the network, to perform traffic interception; this is what gives you "lawful authority"
Be very careful what you intercept on somebody else's network, be it wired, wireless or Bluetooth: traffic belonging to third parties (guests, neighbouring networks, hosted services) is not covered by your client's consent
Be very careful when you defeat a cryptographic mechanism in order to intercept communications (plausible in the case of TLS/SSL, e.g. with an interception proxy): you do not know in advance what is being communicated, and there may be further penalties depending on the content
Data Protection Act
The Data Protection Act 1998 was the main piece of legislation governing the protection of personal data in the UK; its role is now played by the Data Protection Act 2018 and the UK GDPR
It does not cover privacy of information per se
Its purpose is to ensure that information held about individuals is:
Correct and up to date
Not being misused
There were eight data protection principles in the 1998 Act. The one that most concerns penetration testers is the second, purpose limitation (now Article 5(1)(b) of the UK GDPR).
Second Data Protection Principle of the DPA 1998
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
DPA and the Ethical Hacker
Live personal data should not be used as test material:
Personal details of staff and customers were not collected (or, under the 1998 Act, notified to the regulator) for the purpose of security testing, so using them for it is processing for an incompatible purpose
Under the 1998 Act the "good" news was that the data controller, i.e. your client, rather than you, was liable for violations
That is no longer safe to rely on: under the DPA 2018 and UK GDPR processors have direct obligations, and s.170 DPA 2018 (formerly s.55 of the 1998 Act) makes it an offence to knowingly or recklessly obtain, disclose or retain personal data without the controller's consent
Agree in the rules of engagement how personal data encountered during the test will be handled, stored and destroyed
US law
Computer Fraud and Abuse Act – applies to cases of computer-related crimes that are relevant to federal as opposed to state law
The Electronic Communications Privacy Act – regulates the privacy of data and communications in transit
Laws relating to the regulation of business practices.
The law as it applies specifically to penetration testing in the US is not as onerous as in the UK.
EU law
The European Union issues directives addressed to member states, whose responsibility is to transpose them into national legislation (regulations, by contrast, apply directly)
This produces comparable laws across the EU with similar provisions, penalties and burdens of proof
Data Protection Directive 95/46/EC (led to the UK DPA 1998); replaced in 2018 by the General Data Protection Regulation 2016/679, which applies directly
Council of Europe Convention on Cybercrime (the Budapest Convention; a Council of Europe instrument, not an EU one, which led to the 2006 amendments to the UK CMA)
European Union Agency for Cybersecurity (ENISA, formerly the European Network and Information Security Agency)
Staying within the law
The skill set is very much the same for criminal hackers and for pen-testers/ethical hackers; what differs is authorisation
Quite often you will be working on the edge of what is legal
In this course we do our work in a controlled lab environment
It is your responsibility to ensure that you always remain on the right side of the law
Security Clearance
Ensures that an individual is suitable and can be trusted to access classified or protectively marked material
Required when working for central government, law enforcement (police or, formerly, the Forensic Science Service) or the military/MoD, either as
Full-time staff
Consultant or contractor, e.g. penetration testing
Performed by the security services (MI5) and, at the time of writing, the Defence Vetting Agency (DVA) upon request from a government department, organisation or List X company; vetting is now carried out by United Kingdom Security Vetting (UKSV), which took over this role in 2017
We will mainly discuss the UK, but the principles are similar for the US (far more stringent), the EU (a mix) and NATO
Clearances come in different flavours depending on the nature of the work and the sensitivity of the target
You will almost always need a Security Check (SC): essentially a clear criminal record, a credit check and no adverse file in the intelligence services
Principles
Regardless of level of clearance, protectively marked material should only be available to personnel with a ‘need-to-know’
e.g. DV will not give you access to everything that is TOP SECRET
The level of clearance issued should be appropriate to a person’s position and need
Security clearances should be reviewed regularly. Frequency increased for the higher clearances
Levels of Security Clearance
Basic Check (BC), now the Baseline Personnel Security Standard (BPSS)
Basic level of assurance about the trustworthiness and integrity of an individual
Reviews official identity documents, verifying:
Identity
Signature
Address
Employment history
Education
Allows occasional, supervised access to CONFIDENTIAL material under the old Government Protective Marking Scheme (replaced in 2014 by the Government Security Classifications: OFFICIAL, SECRET, TOP SECRET)
Does not on its own give access to SECRET or TOP SECRET assets and information
Counter-Terrorism Check (CTC)
Required for personnel working in proximity to public or sensitive figures
Gives access to information or material assessed to be vulnerable to terrorist attack
Gives unescorted access to certain government or commercial establishments considered at risk
Does not give access to SECRET or TOP SECRET assets and information
Security Check (SC)
Involves
Basic check (BPSS)
UK criminal record and security service checks
Credit check (to ensure that you have sound control over your finances, i.e. that you are managing your debts well) so you are not vulnerable to financial inducement
Normally requires five years' residence in the UK; in practice it is usually granted only to British citizens or citizens of close allies
Reviewed every 10 years, and re-examined when you change employer or sponsor
Allows long-term, frequent and uncontrolled access to SECRET and occasional, supervised access to TOP SECRET assets and information
Developed Vetting (DV)
The highest official level of security clearance
Required for people who
Have regular, uncontrolled access to TOP SECRET assets or information
Work for the intelligence or security services
Involves
All the SC checks
Completion of a detailed DV questionnaire
A detailed financial check
Checking of references
A detailed interview with a vetting officer (which may involve your family members as well and some private questions about your personal life)
Requires a minimum of 10 years' residence in the UK, and is virtually only granted to British citizens
Reviewed more frequently than SC (every 7 years), and access is still granted only on a need-to-know, project-by-project basis
Security Clearance (USA)
Broadly similar to the UK (or the other way around)
Taken a lot more seriously and takes much longer to obtain, e.g. SC in the UK in roughly 3 months versus up to a year for a US Secret clearance
Levels (the "Level 1/2/3" labels are informal; the official names are Confidential, Secret and Top Secret, with Sensitive Compartmented Information (SCI) access above that)
Confidential ("Level 1")
Secret ("Level 2")
Top Secret ("Level 3"): citizenship, education, employment, references, neighbourhood and friends, credit, local agency checks, public records and, for some agencies, a counter-intelligence or "lifestyle" polygraph test
Insurance
Practically a "must" for a professional penetration tester
Most clients will expect you to have it anyway, before they even consider hiring you
Coverage:
Professional indemnity insurance (PII), also called professional liability insurance (PLI) or errors & omissions (E&O) cover in the US: covers claims arising from negligence or mistakes in your professional work, e.g. a test that takes a production system down
General (public) liability insurance: covers injury or property damage, relevant for on-site and physical testing
Insurers will typically require a clear criminal record and will ask how you control scope and authorisation
Ethics
Concerned with the standards of behaviour and considerations of what is ‘right’ and what is ‘wrong’
Generally accepted principles
Subjective interpretations based on
Individual experience, background, nationality, religious beliefs, culture, family values, commercial interests, political views, etc.
‘Black’ ethics
Some common justifications of black-hat hackers
By writing viruses, I am exercising a freedom of speech
By penetrating other systems, I am increasing my knowledge
By penetrating other systems, I am helping to identify vulnerabilities so that they can be secured
Information ‘wants to be free’ and I am helping in that mission
Information system software should prevent me from inflicting harm
Computer files should always be backed up, so files that I might damage can be retrieved
Because manufacturers make most software easy to copy, it is OK for me to copy it and use unlicensed software
If I am attacking a ‘bad’ guy, that makes me a good guy (political)
EC-Council Code of Ethics
Preserve confidentiality of information gained
Protect intellectual property of others
Disclose to appropriate persons or authorities potential dangers to any organizations, the public or individuals
Provide service in their areas of competence
Never knowingly use software obtained illegally or unethically
Not engage in deceptive financial practices
Use the clients property only in ways properly authorized
Disclose unavoidable conflicts of interest
Ensure good project management
Add to the knowledge of the e-commerce profession
Conduct yourself in the most ethical and competent manner
Ensure ethical conduct and professional care without prejudice
Not associate with malicious hackers nor engage in malicious activities
Not purposefully compromise or cause to be compromised the client’s systems
Ensure all penetration testing systems are authorized and within legal limits
Not partake in any black hat activity or be associated with any black hat community that serves to endanger networks
Not be part of any underground hacking community for the purposes of preaching and expanding black hat activities
The Computer Ethics Institute's Ten Commandments of Computer Ethics
Thou shalt not use a computer to harm other people
Thou shalt not interfere with other people's computer work
Thou shalt not snoop around in other people's computer files
Thou shalt not use a computer to steal
Thou shalt not use a computer to bear false witness
Thou shalt not copy or use proprietary software for which you have not paid
Thou shalt not use other people's computer resources without authorization or proper compensation
Thou shalt not appropriate other people's intellectual output
Thou shalt think about the social consequences of the program you are writing or the system you are designing
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans