Wednesday, October 19, 2005

It's a hacker's life being a security pro

Hands up if you've never worried that a website that looks oh so real might just be a phishing site. We've all by now unfortunately seen enough sites that look as real as apple pie, but something - the URL usually - tells us that actually, it's a vehicle for fraud. If you work in professional computer security, this paranoia must be all the more overwhelming, and you have the tools to hand to test out your theories. It got to a certain Daniel Cuthbert, a security pro, who even lectured part time in security to members of the police's own Computer Crime Unit. Cuthbert, a well meaning citizen, went to a site to donate £30 to the Tsunami relief appeal. After making a donation but not getting any official thank-you or confirmation page, Cuthbert tested the security of the page, using tricks like putting in ../../../ to move up three directories. In fact, the site was genuine, and Cuthbert's access attempts (which failed) were recorded. Cuthbert was arrested and successfully prosecuted for attempted unauthorised access under s 1 of the Computer Misuse Act. Last week, he was fined £400, paid £600 in costs and lost his job as a result.

Remarkably few convictions have been made under the CMA s 1, and this should not have been one. As the defence opined, it was tantamount to turning the s 1 offence into a strict liability offence. "Unauthorised access" simplex is the least serious charge in the CMA, but it cannot be regarded as an "administrative" crime, one like wrongful parking, which in the interests of the smooth running of society should be enforceable even when the party intended to do no wrong - it can earn a term of imprisonment and quite clearly demands mens rea. Section 1 of the CMA states that

1.—(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

Arguably, Mr Cuthbert was not trying to "secure access" as his purpose, but merely as his literal means to that purpose. His true intent was merely to test whether the site was actually what it claimed to be. On the Internet, this is very difficult to establish without attempting access unless the site has a digital certificate or a SET/SSL interface. This defence could have been backed up by analysis of the statute as a whole (and its preliminary debates), which clearly assume that the access that is sought to be obtained is so sought in pursuit of some criminal or at least amoral purpose.

If we are talking only of the preservation of privacy of personal data, not about criminal activity, as we really were here, then the data protection laws should suffice without needing to go to the hacking laws. This was a case for the Information Commissioner, not the police. Given the longstanding and honourable tradition of benign hacking to probe security holes (which, following Cuthbert, must clearly fall within the s 1 offence), there is room for a public interest/research exemption here to clarify matters, as there is indeed in relation to the arguably much less acceptable act of possession of child pornography (see the Protection of Children Act 1978 s 1(4)(a) and equivalent provisions for Scotland in the Criminal Justice Act 1988 and the Civic Government (Scotland) Act 1982). As matters stand, security professionals will be unable in any circumstances to test the validity and security of a site unless they know for sure they have authorisation from the true owner of the site.