
Cybersecurity
Legal Aspects
SFL @ TU Dortmund
Thanks to (CISPA) for sharing slide contents


Legal Aspects
• Maliciously violating the CIA goals of other systems is typically illegal
• In Germany, especially StGB (criminal code) regulates this
• Cybercrime provisions were piggybacked onto existing articles
• § 202 „Violation of privacy of correspondence“ (→ Confidentiality)
• § 263 „Fraud“ (→Integrity)
• § 303 „Criminal damage“ (→ Integrity, Availability)
• We will provide a very basic overview and several practical examples

Attacks on CIA Goals and Matching Sections of StGB

Confidentiality                            | Integrity                 | Availability
-------------------------------------------|---------------------------|--------------------------
Data espionage (202a)                      | Data tampering (303a)     | Computer sabotage (303b)
Data interception (202b)                   | Computer sabotage (303b)  |
Acts preparatory to 202a and 202b (202c)   | Computer fraud (263a)     |
Data handling (202d)                       |                           |

§202a – Data espionage (Ausspähen von Daten)
Obtaining vs. possibility to obtain: §202a already applies if the attacker could (in principle) obtain private data after having circumvented the protection; there is no need to actually obtain it.
• (1) Whosoever unlawfully obtains data for themselves or another that were not intended for them and were especially protected against unauthorised access, if they have circumvented the protection, shall be liable to imprisonment not exceeding three years or a fine.
• (2) Within the meaning of subsection (1) above data shall only be those stored or transmitted electronically or magnetically or otherwise in a manner not immediately perceivable.
Access control: §202a applies only if the data is explicitly protected by access control (e.g., authentication such as passwords) that requires substantial (technical / time-wise) bypassing effort.
Versuchsstrafbarkeit: an attempt is not punishable under §202a (keine Versuchsstrafbarkeit).
Example: merely attempting to brute-force the passwords of a secured login is not a criminal offence under §202a unless the attempt succeeds.

§202a – Data espionage (Ausspähen von Daten) – Examples
• Logging into LSF as instructor to retrieve grades of students
• Achieved by guessing the corresponding password, which is „1234“
→criminal offence (under §202a)
• Using the KRACK attack to eavesdrop on your neighbour's wifi connection
• Allows the attacker to „remove“ encryption (null key used for XOR)
→criminal offence (under §202a)
• Eavesdropping on unencrypted wifi in a coffee shop
• Only sniffing, no active insertion of packets
• Communication was not protected against unauthorised access
→ no criminal offence under §202a (no circumvention) (be careful: we will revisit this example in §202b!)

§202b – Data Interception (Abfangen von Daten)
• Whosoever unlawfully intercepts data (section 202a(2)) not intended for them, for themselves or another by technical means from a non-public data transmission or from the electromagnetic broadcast of a data processing facility, shall be liable to imprisonment not exceeding two years or a fine, unless the offence incurs a more severe penalty under other provisions.
Public vs. non-public data transmission: Generally, communication is non-public if the group of communication participants is limited. In particular, the fact that communication is not encrypted does not imply that it is by definition public.

§202b – Data Interception (Abfangen von Daten) – Examples
• Eavesdropping on unencrypted Wifi in a coffee shop
• Only sniffing, no active insertion of packets
• Even unencrypted connections can be non-public (e.g., email)
→criminal offence under §202b
• Sniffing a company network as part of a contractual penetration test
• Data becomes intended for the “offender” due to the formal contract
→no criminal offence under §202b (lawful interception)
• Development of tool suite to eavesdrop on unencrypted Wifi
• not used by the author himself, only made available on underground forum
→ no criminal offence under §202b (author never intercepted; but: §202c!)

Hacking for SFL
• Assume you'll need to intercept communication as part of the SFL exercises. Does §202b StGB apply?
A: Yes, but only if I succeed.
B: Yes, even the attempt.
C: No way.

§202c – Acts preparatory to data espionage and interception
• (1) Whosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible
1. passwords or other security codes enabling access to data (section 202a(2)), or
2. software for the purpose of the commission of such an offence,
shall be liable to imprisonment not exceeding one year or a fine.
• (2) Section 149(2) and (3) shall apply mutatis mutandis.
Possession: §202c does not apply to the sole possession without clear malicious intent of such passwords and/or software.

§202c – Acts preparatory to data espionage and interception – Examples
• Development of a dedicated brute-forcing tool to break into a login
→criminal offence (under §202c)
But: §202c does not apply to dual-use tools (benign programs that can be misused), such as network sniffers. §202c applies to hacker tools only.
• Development of a „hacking“ tool
• M. Vanhoef built a proof-of-concept for the KRACK attack
• Can be used to remove encryption from a WPA2 connection
– Allows an attacker to eavesdrop while circumventing special protection (§202a)
→(theoretically) criminal offence (under §202c)
• Important: malicious intent
• Was the tool developed with the goal in mind to conduct an attack against an unknowing target? Or was it just repurposed/abused for a malicious intent?
• Dual-use tools (the latter) are typically not subject to §202c

§202d – Handling Stolen Data
• (1) Whoever procures, for themselves or another person, supplies to another person, disseminates or otherwise provides access to data (section 202a (2)) which are not generally accessible and which another person has obtained by an unlawful act for the purpose of personal enrichment or the enrichment of a third party or to harm another person incurs a penalty of imprisonment for a term not exceeding three years or a fine.
• (2) The penalty may not be more severe than the penalty threatened for the prior offence.
• (3) Subsection (1) does not apply to activities which exclusively serve the purpose of performing lawful official or professional duties. […]

§202d – Handling Stolen Data – Examples
• You buy/sell stolen credit card data to buy goods „for free“
→criminal offence (under §202d)
• A tax officer processes stolen digital documents relevant to taxes (e.g., hackers may have stolen such documents from a Swiss bank)
→ No criminal offence (under §202d), as exempted in subsection (3)

Selling Popular Word Lists
• You derive a list of popular words from Wikipedia and sell it online, as you assume it contains several typically-used passwords. Does §202d apply?
B: Only if the list actually contains valid passwords.

§263a – Computer fraud
• (1) Whoever, with the intention of obtaining an unlawful pecuniary benefit for themselves or a third party, damages the property of another by influencing the result of a data processing operation by incorrectly configuring the computer program, using incorrect or incomplete data, making unauthorised use of data or taking other unauthorised influence on the processing operation incurs a penalty of imprisonment for a term not exceeding 5 years or a fine.
• (2) […]
• (3) Whoever prepares an offence under subsection (1) […] incurs a penalty of imprisonment for a term not exceeding 3 years or a fine.
• (4) […]

§263a – Computer fraud – Examples
• You abuse a stolen EC card to withdraw money
→ criminal offence under §263a, as it is an „unauthorized use“
• You abuse phished online banking credentials to transfer money
→ criminal offence under §263a, as it is an „unauthorized use“
• You manipulate a gambling program such that you can reliably win
→ criminal offence under §263a, as it is an „unauthorized influence“

§303a – Data tampering
• (1) Whosoever unlawfully deletes, suppresses, renders unusable or alters data (section 202a (2)) shall be liable to imprisonment not exceeding two years or a fine.
• (2) The attempt shall be punishable.
• (3) Section 202c shall apply mutatis mutandis to acts preparatory to an offence under subsection (1) above.

§303a – Data tampering – Examples
• A disgruntled administrator deletes access logs to remove their traces from accessing a server room
• Deleted important documents for the sales department
→criminal offence under §303a
• Hacktivists conduct a Denial of Service attack against Amazon
• Amazon services are unavailable for 30 minutes
→ no criminal offence under §303a (no data has been tampered with)

§303b – Computer sabotage
• (1) Whosoever interferes with data processing operations which are of substantial importance to another by
1. committing an offence under section 303a(1); or
2. entering or transmitting data (section 202a(2)) with the intention of causing damage to another; or
3. destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier,
shall be liable to imprisonment not exceeding three years or a fine.
• (2) If the data processing operation is of substantial importance for another’s business, enterprise or a public authority, the penalty shall be imprisonment not exceeding five years or a fine.
• (3) The attempt shall be punishable.

§303b – Computer sabotage
• (4) In especially serious cases under subsection (2) above the penalty shall be imprisonment from six months to ten years. An especially serious case typically occurs if the offender
1. causes major financial loss,
2. acts on a commercial basis or as a member of a gang whose purpose is the continued commission of computer sabotage, or
3. through the offence jeopardises the population’s supply with vital goods or services or the national security of the Federal Republic of Germany.
• (5) Section 202c shall apply mutatis mutandis to acts preparatory to an offence under subsection (1) above.

§303b – Computer sabotage – Examples
• Denial of Service attack
• Botnet used to make billions of requests to amazon.com
• Given the high load, amazon.com is offline for 30 minutes
→criminal offence (under §303b)
• Revenge hacking
• Hacker deletes all data from ex's computer (no backup)
• Data (e.g., photos, study docs) can be of „substantial importance“
→criminal offence (under §303b)

Ransomware
• You develop ransomware that encrypts the disks of any infected computer. The ransomware then demands a certain amount of money, promising to release the key to the encrypted files in return.
• Which sections apply?
A: §202a, §303a
B: §303a, §303b
C: §202b, §303a

Legal Aspects: Summary
• Security goals can be (somewhat) mapped to laws
• In Germany, violation of information security goals is punishable by different laws
• §202a-d cover confidentiality
• §263a and §303a-b cover integrity
• §303b covers availability
