GRAY_HAT_927
INITIAL THOUGHTS
"EVERYWHERE, THERE IS THIS SYSTEMATIC CONFUSION BETWEEN CIVILIZATION AND SOCIETY. CIVILIZATION REQUIRES THAT ALL LIVE UNDER THE RULE OF LAW. WHERE THE MONEY-POWER ELITES OF A SOCIETY LIVE ABOVE THE LAW, THERE IS NO CIVILIZATION."
We currently live in a very interesting time. Information security and the legal system are being slammed together in a way that is straining the resources of both. The information security world uses terms like bits, packets and bandwidth; the legal community uses words like jurisdiction, liability and statutory interpretation. In the past these two very different sectors had their own focus, goals and procedures and did not collide with one another. But as computers have become the new tools for doing business and for committing both traditional and new crimes, the two worlds have had to approach each other independently and then interact in a new space, one now sometimes referred to as cyberlaw.
The U.S. basically invented the Internet with taxpayer money. We developed the whole concept and system of switching information as packets.
Here is a definition of the Internet: the Internet is just a bunch of protocols that clever people put together, which makes possible the exchange of information all over the world.
IN A PERFECT PROGRAMMABLE WORLD ALL OUR DEVICES WOULD ACT AS ONE: they would all be able to communicate and talk to each other, and adjust themselves based on each other's readings.
ETHICAL HACKING AND THE LEGAL SYSTEM
Cyberlaw
Legislators, governmental and private information security organizations, and law enforcement professionals are constantly updating laws and related investigative techniques in an effort to counter each new and emerging form of attack and technique that the bad guys come up with. This means security technology developers and other professionals are constantly trying to outsmart sophisticated attackers, and vice versa. In this context, the laws being enacted provide an accumulated and constantly evolving set of rules that attempts to stay in step with new types of crimes and how they are carried out.
Compounding the challenge for business is the fact that the information security situation is not static; it is highly fluid and will remain so for the foreseeable future.
Cyberlaw is a broad term encompassing many elements of business, including how a company contracts and interacts with its suppliers and customers, sets policies for employees handling data and accessing company systems, uses computers to comply with government regulations and programs, and so on. A very important subset of these laws is the group of laws directed at preventing and punishing unauthorized access to computer networks and data. Security professionals should be familiar with these laws, since they are expected to work within the construct the laws provide. A misunderstanding of these ever-evolving laws, which is certainly possible given the complexity of computer crimes, can in the extreme case result in the innocent being prosecuted or the guilty remaining free. And usually it is the guilty ones who get to remain free.
Many countries, particularly those whose economies have more fully integrated computing and telecommunications technologies, are struggling to develop laws and rules for dealing with computer crimes. This section is meant to raise awareness of the importance of considering these laws in your work activities as an information security professional.
The main U.S. federal computer crime statutes:
- 18 USC 1029: Fraud and Related Activity in Connection with Access Devices
- 18 USC 1030: Fraud and Related Activity in Connection with Computers
- 18 USC 2510 et seq.: Wire and Electronic Communications Interception and Interception of Oral Communications
- 18 USC 2701 et seq.: Stored Wire and Electronic Communications and Transactional Records Access
- The Digital Millennium Copyright Act
- The Cyber Security Enhancement Act of 2002
- Securely Protect Yourself Against Cyber Trespass Act
18 USC section 1029: The Access Device Statute
The purpose of the Access Device Statute is to curb unauthorized access to accounts; theft of money, products and services; and similar crimes. It does so by criminalizing the possession, use or trafficking of counterfeit or unauthorized access devices or device-making equipment, and other similar activities, to prepare for, facilitate or engage in unauthorized access to money, goods and services. It defines and establishes penalties for fraud and illegal activity that can take place through the use of such counterfeit access devices.
The elements of a crime are generally the things that need to be shown in order for someone to be prosecuted for that crime. These elements include consideration of the potentially illegal activity in light of the precise definitions of access device, counterfeit access device, unauthorized access device, scanning receiver and other terms that together define the scope of the statute's application.
In everyday security usage the term access device is often applied to the application or piece of hardware built to generate access credentials (passwords, credit card numbers, long-distance telephone service access codes, PINs and so on) for the purpose of unauthorized access. The statute, however, defines the term much more broadly, as the credential or identifier itself:
...any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).
Phreakers (telephone system attackers) use a software tool to generate a long list of telephone service codes so they can acquire free long-distance service and sell it to others. The telephone service codes they generate fall within the definition of an access device, since they are codes or electronic serial numbers that can be used, alone or in conjunction with another access device, to obtain services. They would be counterfeit access devices to the extent that the software tool generated numbers that were counterfeit, fictitious or forged. Finally, a crime would occur with each undertaking of the activities of producing, using or selling these codes, since the Access Device Statute is violated by whoever "knowingly and with intent to defraud, produces, uses, or traffics in one or more counterfeit access devices."
Another example of activity that violates the Access Device Statute is that of crackers who use password dictionaries to generate thousands of possible passwords that users may be using to protect their assets.
A common method attackers use to figure out which credit card numbers merchants will accept is an automated tool that generates random sets of potentially usable credit card numbers; several such tools are easily obtainable on the Internet and produce them in large volumes. The attackers submit the generated values to retailers and others with the goal of fraudulently obtaining goods or services. If a value is accepted, the attacker knows it is a valid number, which they then continue to use (or sell for use) until the activity is stopped through the standard fraud protection and notification systems employed by credit card companies, retailers and banks. Because this attack type has worked so well in the past, many merchants now require users to enter a unique card identifier when making online purchases. This identifier is the three-digit number printed on the back of the card (the CVV2/CVC2 code); it is unique to each physical card, not just to the account, and cannot be derived from the card number. Guessing a 16-digit credit card number is challenging enough, but factoring in another three-digit identifier makes the task much more difficult without having the card in hand.
Another example of an access device crime is skimming. Skimming scams use gas station credit card readers to capture card data: a device hidden inside the pump reads the card, and the corresponding PINs are stolen with hidden video cameras. In some cases a wireless connection sends the stolen data back to the attackers so they don't have to return to the pump to collect it.
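The card-testing pattern described above, together with the fraud-protection response that eventually stops it, as an added example that is not from these notes or from the book they summarize. Two pieces are shown: the Luhn mod-10 check a merchant front end applies to a card number (the format test that number generators are built to pass, so passing it proves nothing about fraud), and a per-source velocity detector run over a constructed authorization log that flags one client submitting many distinct cards in a short window with a high decline rate. The log format, the IP addresses (RFC 5737 test ranges), the card tokens and the thresholds are all assumptions made for the example.

```python
"""Card-testing detection over constructed authorization logs (added example).

Not code from the page or the book it summarizes. The log format, addresses,
tokens and thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log (not real traffic). Assumed format, one event per line:
# ISO-8601 timestamp, client IP (RFC 5737 test addresses), card token carrying
# the last four digits for operators, authorization result.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.4 tok_a1_4242 APPROVED
2024-05-01T10:00:03Z 203.0.113.7 tok_b1_0001 DECLINED
2024-05-01T10:00:05Z 203.0.113.7 tok_b2_0002 DECLINED
2024-05-01T10:00:07Z 203.0.113.7 tok_b3_0003 DECLINED
2024-05-01T10:00:09Z 203.0.113.7 tok_b4_0004 APPROVED
2024-05-01T10:00:11Z 203.0.113.7 tok_b5_0005 DECLINED
2024-05-01T10:00:13Z 203.0.113.7 tok_b6_0006 DECLINED
2024-05-01T10:00:15Z 203.0.113.7 tok_b7_0007 DECLINED
2024-05-01T10:00:17Z 203.0.113.7 tok_b8_0008 DECLINED
2024-05-01T10:00:40Z 198.51.100.4 tok_a1_4242 DECLINED
2024-05-01T10:01:00Z 198.51.100.4 tok_a2_9999 APPROVED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (APPROVED|DECLINED)$")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on a card number (spaces and dashes ignored).

    This only catches typos. Card-number generators emit Luhn-valid numbers,
    so passing this check says nothing about whether the card was ever issued.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    token: str
    result: str


def parse_auth_line(line: str) -> AuthEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m.group(2), m.group(3), m.group(4))


def flag_card_testing(log_text: str, window_seconds: int = 60,
                      min_distinct: int = 5, min_decline_ratio: float = 0.75) -> dict:
    """Return {source_ip: (distinct_cards, decline_ratio)} for every source that,
    within some sliding window of window_seconds, tried at least min_distinct
    distinct cards with a decline ratio at or above min_decline_ratio.

    The thresholds are assumptions for the sample; tune them on real traffic.
    """
    events = sorted((parse_auth_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        window = deque()
        for e in evs:
            window.append(e)
            while (e.ts - window[0].ts).total_seconds() > window_seconds:
                window.popleft()
            distinct = len({w.token for w in window})
            declines = sum(1 for w in window if w.result == "DECLINED")
            ratio = declines / len(window)
            if distinct >= min_distinct and ratio >= min_decline_ratio:
                prev = flagged.get(src)       # keep the widest offending window seen
                if prev is None or distinct > prev[0]:
                    flagged[src] = (distinct, ratio)
    return flagged


if __name__ == "__main__":
    print("4111 1111 1111 1111 Luhn-valid:", luhn_valid("4111 1111 1111 1111"))
    for src, (n, ratio) in flag_card_testing(SAMPLE_LOG).items():
        print(f"card testing suspected from {src}: {n} distinct cards, {ratio:.0%} declined")
```

On the sample, 203.0.113.7 is flagged (8 distinct cards, 7 of 8 declined in 14 seconds) while the legitimate shopper at 198.51.100.4, who has one decline across two cards in a minute, is not. A production detector would key on more than the source address (device fingerprint, card BIN, amount pattern), since attackers rotate through proxies; the CVV2 requirement mentioned above is the merchant-side control that makes each guessed number far less useful even when the velocity rule is evaded.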
The following table outlines the crime types addressed in section 1029 and their corresponding punishments. These offenses must be committed knowingly and with intent to defraud for them to be considered federal crimes.
CRIME | PENALTY | EXAMPLE
Producing, using or trafficking in one or more counterfeit access devices | Fine of $50,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Creating or using a software tool to generate credit card numbers
Using or obtaining an access device to gain unauthorized access and obtain anything of value totaling $1,000 or more during a one-year period | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Using a tool to capture credentials and using the credentials to break into, for instance, the Pepsi-Cola network and steal their soda recipe
Possessing 15 or more counterfeit or unauthorized access devices | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Hacking into a database and obtaining 15 or more credit card numbers
Producing, trafficking, having control or possession of device-making equipment | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $1,000,000 and/or up to 20 years in prison if repeat offense | Creating, having or selling devices to obtain user credentials illegally for the purpose of fraud
Effecting transactions with access devices issued to another person in order to receive payment or other things of value totaling $1,000 or more during a one-year period | Fine of $10,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Setting up a bogus website and accepting credit card numbers for products or services that do not exist
Soliciting a person for the purpose of offering an access device or selling information regarding how to obtain an access device | Fine of $50,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Cloning cell phones and reselling them or employing them for personal use
Using, producing, trafficking in or having custody or control of a scanning receiver | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Scanners used to intercept electronic communications to obtain electronic serial numbers or mobile identification numbers for cell phone recloning purposes
Producing, trafficking, having control or custody of hardware or software used to alter or modify telecommunications instruments to obtain unauthorized access to telecommunications services | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Using and selling tools that can reconfigure cell phones for fraudulent activities; PBX telephone fraud and the various phreaker boxing techniques used to obtain free telecommunications service
Causing or arranging for a person to present to a credit card system member or its agent, for payment, records of transactions made by an access device | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years in prison if repeat offense | Creating phony credit card transaction records to obtain products or refunds
A further example of a crime that can be punished under the Access Device Statute is the creation of a website or the sending of e-mail "blasts" that offer false or fictitious products or services in an effort to capture credit card information, such as products that promise to enhance one's sex life in return for a credit card charge.
Section 1029 addresses offenses that involve generating or illegally obtaining access credentials, which can mean just obtaining the credentials or obtaining and using them. These activities are criminal whether or not a computer is involved.
18 USC Section 1030 of the Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA), as amended by the USA PATRIOT Act, is an important federal law that addresses acts that compromise computer and network security. It prohibits unauthorized access to computers and network systems, extortion through threats of such attacks, the transmission of code or programs that cause damage to computers, and other related actions. It addresses unauthorized access to government, financial institution and other computer and network systems, and provides for civil and criminal penalties for violators. The act also outlines the jurisdiction of the FBI and the Secret Service.
The offenses must be committed knowingly, by accessing a computer without authorization or by exceeding authorized access. You can be held liable under the CFAA if you knowingly accessed a computer system without authorization and caused harm, even if you did not know that your actions might cause harm.
CRIME | PUNISHMENT | EXAMPLE
Acquiring national defense, foreign relations or restricted atomic energy information with the intent or reason to believe that the information can be used to injure the U.S. or to the advantage of any foreign nation | Fine and/or up to 10 years in prison; up to 20 years in prison if repeat offense (18 USC 1030(c)(1)) | Hacking into a government computer to obtain classified or otherwise sensitive data
Obtaining information in a financial record from a financial institution or card issuer, or information on a consumer in a file from a consumer reporting agency; obtaining information from any department or agency of the U.S. or from a protected computer involved in interstate or foreign communication | Fine and/or up to 1 year in prison; up to 10 years in prison if repeat offense | Breaking into a computer to obtain another person's credit information
Accessing without authorization a nonpublic computer of a U.S. department or agency that is exclusively for government use, or one used by or for the government where the conduct affects that use | Fine and/or up to 1 year in prison; up to 10 years in prison if repeat offense | Makes it a federal crime to violate the integrity of a system even if no information is gathered; one example is carrying out denial-of-service attacks against government agencies
Furthering a fraud by accessing a federal interest computer and obtaining anything of value, unless the fraud and the thing obtained consist only of the use of the computer and that use is not worth more than $5,000 in a one-year period | Fine and/or up to 5 years in prison; up to 10 years in prison if repeat offense | Breaking into a powerful system and using its processing power to run a password-cracking application
Employing a computer used in interstate commerce and knowingly causing the transmission of a program, information, code or command to a protected computer that results in damage or the victim suffering some type of loss | With intent to harm: fine and/or up to 5 years in prison, up to 10 years in prison if repeat offense. With reckless disregard: fine and/or up to 1 year in prison | Intentional: a disgruntled employee uses his access to delete a whole database. Reckless disregard: hacking into a system and accidentally causing damage (or the prosecution cannot prove that the attacker's intent was malicious)
Furthering a fraud by trafficking in passwords or similar information that will allow a computer to be accessed without authorization, if the computer affected is used by or for the government | Fine and/or up to 1 year in prison; up to 10 years in prison if repeat offense | After breaking into a government computer, obtaining user credentials and selling them
With intent to extort from any person any money or other thing of value, transmitting in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer | Fine (up to $250,000 for an individual under 18 USC 3571) and/or up to 5 years in prison; up to 10 years in prison if repeat offense (18 USC 1030(c)(3)) | Encrypting all data on a government hard drive and demanding money to then decrypt the data
The term "protected computer", as put forth in the CFAA, means a computer used by the U.S. government or by financial institutions, or any system "used in interstate or foreign commerce or communication." The CFAA is the most widely referenced statute in the prosecution of many types of computer crimes. A casual reading of the CFAA suggests that it only addresses computers used by government agencies and financial institutions, but there is a small (but important) clause that extends its reach: the law applies also to any system "used in interstate or foreign commerce or communication." The meaning of that phrase is very broad, and as a result the CFAA operates to protect nearly all computers and networks. Almost every computer connected to a network or the Internet is used for some type of commerce or communication, so this small clause pulls nearly all computers and their uses under the protective umbrella of the CFAA. Amendments by the USA PATRIOT Act extended the definition of "protected computer" to computers located outside the United States, as long as they affect interstate or foreign commerce or communication of the United States. So if the United States can get hold of the attackers, it will attempt to prosecute them no matter where in the world they live.
The CFAA has been used to prosecute many people for various crimes. Two types of unauthorized access can be prosecuted under the CFAA: wholly unauthorized access by outsiders, and situations where individuals such as employees, contractors and others with permission exceed their authorized access and commit crimes. The CFAA states that if someone accesses a computer in an unauthorized manner or exceeds his or her access rights, that individual can be found guilty of a federal crime. This clause allows companies to prosecute employees who carry out fraudulent activities by abusing (and exceeding) the access rights their company has given them.
Many IT and security professionals have relatively unlimited access rights to networks due to their job requirements. However, just because an individual is given access to the accounting database doesn't mean she has the right to exceed that authorized access and exploit it for personal purposes. The CFAA could apply in these cases to prosecute even trusted, credentialed employees who performed such misdeeds.
Under the CFAA, the FBI and the Secret Service have responsibility for handling these types of crimes, and they have their own jurisdictions. The FBI is responsible for cases dealing with national security, financial institutions and organized crime. The Secret Service's jurisdiction encompasses any crimes pertaining to the Treasury Department and any other computer crime that does not fall within the FBI's jurisdiction.
The Secret Service's jurisdiction and responsibilities have grown since the Department of Homeland Security (DHS) was established. The Secret Service now deals with several areas to protect the nation and has established an Information Analysis and Infrastructure Protection division to coordinate activities in this area. This division's responsibilities encompass the preventive procedures for protecting "critical infrastructure", which includes such things as power grids, water supplies and nuclear plants, in addition to computer systems.