Friday, March 16, 2007

Ethical Hackers and Their Process

What Does a Malicious Hacker Do?
Reconnaissance
  • Active / passive
Scanning
Gaining access
  • Operating system level / application level
  • Network level
  • Denial of service
Maintaining access
  • Uploading / altering / downloading programs or data
Covering tracks

To design countermeasures, we first need to understand the anatomy of an attack. This understanding is crucial for designing and applying countermeasures when an attack is imminent or has been detected. Broadly, a hack attack can be dissected into five phases.
Reconnaissance
  • This is the phase where the attacker gathers information about a target using active or passive means.
Scanning
  • In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited.
Gaining Access
  • If a vulnerability is detected, the attacker can exploit it to gain access to the system.
Maintaining Access
  • Once the attacker gains access, he usually maintains his access to fulfill the purpose of his entry.
Covering Tracks
  • Most attackers attempt to cover their tracks so that they cannot be detected or penalized under criminal law.

Phase 1 - Reconnaissance
Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. It involves network scanning, either external or internal, without authorization.
Business Risk - 'Notable' - Generally noted as "rattling the door knobs" to see if someone is watching and responding. Could be a future point of return when it reveals an easy point of entry, once more is known about the target on a broad scale.
Passive reconnaissance involves monitoring network data for patterns and clues.
Examples include sniffing, information gathering etc.
Active reconnaissance involves probing the network to detect:
  • accessible hosts
  • open ports
  • location of routers
  • details of operating systems and services

Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of attack prior to launching an attack. This phase is also where the attacker draws on competitive intelligence to learn more about the target. The phase may also involve network scanning, either external or internal, without authorization.
This is a phase that allows the potential attacker to strategize his attack. This may spread over time, as the attacker waits to unearth crucial information. One aspect that gains prominence here is social engineering. A social engineer is a person who usually smooth-talks people into revealing information such as unlisted phone numbers, passwords or even sensitive information. Other reconnaissance techniques include dumpster diving. Dumpster diving is the process of looking through an organization's trash for discarded sensitive information. Building user awareness of the precautions they must take in order to protect their information assets is a critical factor in this context.
Attackers can use the Internet to obtain information such as employee contact information, business partners, technologies in use and other critical business knowledge. For example, a Whois database can give information about internet addresses, domain names, contacts etc. If a potential attacker obtains the DNS information from the registrar, and is able to access it, he can obtain useful information such as mapping of domain names to IP addresses, mail servers, host information records etc.
It is important that the organization has appropriate policies to protect usage of its information assets and also to serve as guidelines to users of what is acceptable use. These policies can also serve to increase user awareness and make users more accountable for their actions.
Reconnaissance techniques can be categorized broadly into active and passive reconnaissance.
When an attacker is approaching the attack using passive reconnaissance techniques, he does not interact with the system directly. He will use publicly available information, social engineering, dumpster diving etc. as a means of gathering information.
When an attacker uses active reconnaissance techniques, he will try to interact with the system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems and applications.
The next phase of hacking is scanning, which is discussed in the following section. Some experts do not differentiate scanning from active reconnaissance. However, there is a slight difference in that scanning involves more in-depth probing on the part of the attacker. Often the reconnaissance and scanning phases overlap, and it is not always possible to demarcate these phases as watertight compartments.
Active reconnaissance is usually used when the attacker discerns a low threat of his reconnaissance activities being detected. Newbies and script kiddies are often seen attempting this to get faster visible results, and sometimes for the brag value.
As an ethical hacker, you must be able to distinguish between the various reconnaissance methods and be able to advocate preventive measures in the light of the potential threat. Organizations on their part must have addressed security as an integral part of their business or operational strategy and must have proper policies and procedures in place to check such activity.

Phase 2 - Scanning
Scanning refers to the pre-attack phase when the hacker scans the network with specific information gathered during reconnaissance.
Business Risk - 'High' - Hackers have to get a single point of entry to launch an attack, and this could be the point of exploit when a vulnerability of the system is detected.
Scanning can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners etc.

Scanning refers to the pre-attack phase when the attacker scans the network with specific information gathered during reconnaissance. We have discussed active and passive reconnaissance above. Scanning can be considered to be a logical extension of active reconnaissance. Often attackers use automated tools such as network/host scanners, war dialers, etc. to locate systems and attempt to discover vulnerabilities.
An attacker can gather critical network information such as mapping of systems, routers and firewalls by using simple tools such as traceroute. Alternatively, they can use tools such as Cheops to add sweeping functionality along with that rendered by traceroute.
Port scanners can be used to detect listening ports to find information about the nature of services running on the target machine. The primary defense technique in this regard is to shut down services that are not needed. Appropriate filtering may also be adopted as a defense mechanism. However, attackers can still use tools to determine the rules implemented by these filters.
The most commonly used tools are vulnerability scanners that can search for several known vulnerabilities on a target network. These can detect thousands of vulnerabilities. This gives the attacker the advantage of time, because he has to find just a single means of entry while the systems professional has to secure several vulnerabilities by applying patches.
Organizations that deploy intrusion detection systems still have reasons to worry, because attackers can use evasion techniques at both application and network levels. However, a properly configured NIDS cannot be detected, and all the better ones do anomaly detection, making it difficult for evasion techniques to work.
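From the defender's side, the scanning described in this section has a simple signature: one source touching many distinct ports in a short time. The Python script below is an added example, not code from the original course material or from any IDS product. It parses a constructed, simplified firewall log format and applies a sliding-window count of distinct destination ports per source address. The log layout, the sample lines, the 60-second window and the 10-port threshold are all assumptions chosen for illustration; a real firewall (iptables, pf, a commercial appliance) logs differently, so `parse_line()` is the part to adapt.

```python
"""Port-scan detection over firewall log lines (added example, constructed data).

A source that touches at least `threshold` distinct destination ports within
any `window_seconds` span is flagged. Both dropped and accepted connections
are counted, so a scan against a host with several open services is not
under-counted.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format assumed for this example:
#   "<YYYY-MM-DD HH:MM:SS> <ACTION> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z]+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.9 sweeps 12 ports in 11 seconds, 198.51.100.7
# is a normal web client, 203.0.113.50 probes one port every ten minutes.
SAMPLE_LOG = """\
2007-03-16 09:00:01 DROP src=203.0.113.9 dst=192.0.2.10 dport=21
2007-03-16 09:00:02 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=22
2007-03-16 09:00:03 DROP src=203.0.113.9 dst=192.0.2.10 dport=23
2007-03-16 09:00:04 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=25
2007-03-16 09:00:05 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2007-03-16 09:00:05 DROP src=203.0.113.9 dst=192.0.2.10 dport=53
2007-03-16 09:00:06 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2007-03-16 09:00:06 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
2007-03-16 09:00:07 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443
2007-03-16 09:00:07 DROP src=203.0.113.9 dst=192.0.2.10 dport=110
2007-03-16 09:00:08 DROP src=203.0.113.9 dst=192.0.2.10 dport=135
2007-03-16 09:00:09 DROP src=203.0.113.9 dst=192.0.2.10 dport=139
2007-03-16 09:00:10 DROP src=203.0.113.9 dst=192.0.2.10 dport=143
2007-03-16 09:00:11 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=443
2007-03-16 09:00:12 DROP src=203.0.113.9 dst=192.0.2.10 dport=445
2007-03-16 09:00:00 DROP src=203.0.113.50 dst=192.0.2.10 dport=21
2007-03-16 09:10:00 DROP src=203.0.113.50 dst=192.0.2.10 dport=22
2007-03-16 09:20:00 DROP src=203.0.113.50 dst=192.0.2.10 dport=23
2007-03-16 09:30:00 DROP src=203.0.113.50 dst=192.0.2.10 dport=25
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_port_scans(lines, window_seconds=60, threshold=10):
    """Return {src_ip: peak_distinct_ports} for sources that reach the threshold.

    Events are grouped per source and sorted by time; a two-pointer sliding
    window keeps a Counter of the ports seen inside the window so the number
    of distinct ports is always len(in_window).
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[ev["src"]].append((ev["ts"], ev["dport"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dport -> occurrences inside the current window
        left = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Drop events from the left until the window fits the time span.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {ports} distinct ports in one window")
```

The slow prober in the sample data is invisible at a 60-second window and only shows up when the window is widened to an hour with a lower threshold, which is the anomaly-detection trade-off the text alludes to: a tight window catches noisy script-kiddie scans with few false positives, while patient attackers spread probes out precisely to stay under it.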

Phase 3 - Gaining Access
Gaining Access refers to the true attack phase. The hacker exploits the system.
The exploit can occur over a LAN, locally, Internet, offline, as a deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking, password filtering etc.
Influencing factors include architecture and configuration of target system, skill level of the perpetrator and initial level of access obtained.
Business Risk - 'Highest' - The hacker can gain access at operating system level, application level or network level.
This is the most important phase of an attack in terms of potential damage. Hackers need not always gain access to the system to cause damage. For instance, denial of service attacks can either exhaust resources or stop services from running on the target system. Stopping of service can be done by killing processes, using a logic / time bomb or even reconfiguring and crashing the system. Resources can be exhausted locally by filling up outgoing communication links etc.
The exploit can occur over a LAN, locally, Internet, offline, as a deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking etc.
Spoofing is a technique used by attackers to exploit the system by pretending to be someone else or a different system. They can use this technique to send a malformed packet containing a bug to the target system and exploit a vulnerability. Packet flooding may be used to remotely stop availability of essential services. Smurf attacks try to elicit a response from available users on a network and then use their legitimate address to flood the victim.
Factors that influence whether a hacker can gain access to a target system include the architecture and configuration of the target system, the skill level of the perpetrator and the initial level of access obtained. The most damaging of the denial of service attacks is the distributed denial of service attack, where an attacker uses zombie software distributed over several machines on the Internet to trigger an orchestrated large-scale denial of service.
The risk involved when an attacker gains access is perceived to be high, as the attacker can gain access at the operating system level, application level or even the network level, thereby accessing several systems over the network.

Phase 4 - Maintaining Access
Maintaining Access refers to the phase when the hacker tries to retain his 'ownership' of the system.
The hacker has exploited a vulnerability and can tamper and compromise the system.
Sometimes, hackers harden the system from other hackers as well (to own the system) by securing their exclusive access with Backdoors, RootKits, Trojans and Trojan horse Backdoors.
Hackers can upload, download or manipulate data / applications / configurations on the 'owned' system.

Once a hacker gains access to the target system, the attacker can choose either to use the system and its resources, and further use the system as a launch pad to scan and exploit other systems, or to keep a low profile and continue exploiting the system. Both these actions have damaging consequences for the organization. For instance, he can implement a sniffer to capture all the network traffic, including telnet and ftp sessions to other systems.
Attackers choosing to remain undetected remove evidence of their entry and use a backdoor or a Trojan to gain repeat access. They can also install rootkits at the kernel level to gain super user controls. The reason behind this is that rootkits gain access at the operating system level, while Trojan horses gain access at the application level and depend on users to a certain extent to get installed. Within Windows systems most Trojans install themselves as a service and run as Local System, which is above administrator.
Hackers can use Trojan horses to transfer user names, passwords, even credit card information stored on the system. They can maintain control over 'their' system for long time periods by 'hardening' the system against other hackers and sometimes in the process do render some degree of protection to the system from other attacks. They can then use their access to steal data, consume CPU cycles, trade sensitive information or even resort to extortion.
Organizations can use intrusion detection systems or even deploy honeynets to detect intruders. The latter though is not recommended unless the organization has the required security professional talent to leverage the concept for protection.

Phase 5 - Covering Tracks
Covering Tracks refers to the activities undertaken by the hacker to extend his misuse of the system without being detected.
Reasons include need for prolonged stay, continued use of resources, removing evidence of hacking, avoiding legal action etc.
Examples include Steganography, tunneling, altering log files etc.
Hackers can remain undetected for long periods or use this phase to start a fresh reconnaissance to a related target system.

An attacker would like to remove evidence of his presence and activities for various reasons, including maintaining access, evading criminal punishment etc. This normally entails removing any evidence from the log files and replacing system binaries with trojans, such as ps or netstat, so that the system administrator cannot detect the intruder on the attacked system. Once the trojans are in place, the attacker can be assumed to have gained total control of the system. Just as there are automated scripts for hacking, there are also automated tools for hiding intruders, often called rootkits. By executing the script, a variety of critical files are replaced, hiding the attacker in seconds.
Other techniques include Steganography, tunneling etc. Steganography is the process of hiding data - for instance in images and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the extra space in the TCP and IP headers can be used for hiding information.
An attacker can use the system as a cover to launch fresh attacks against other systems or use it as a means to reach another system on the network undetected. Thus this phase of attack can turn into a new cycle of attack by using reconnaissance techniques all over again.
There have been instances where the attacker has lurked on the systems even as system administrators have changed. The system administration can deploy host-based IDS and antivirus tools that can detect Trojans and other seemingly benign files and directories.
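The host-based detection mentioned above is, at its simplest, a file integrity baseline: record a cryptographic digest of each critical binary while the system is known-good, keep that record somewhere the intruder cannot reach, and compare later. The Python below is an added example, not part of the original post and not the code of any particular IDS product. It implements that Tripwire-style check; the `demo()` function runs it against constructed placeholder files in a temporary directory, where the names ps, netstat, ls and login stand in for the real binaries the text mentions.

```python
"""File integrity baseline in the style of a host-based IDS.

Added example for this post, not the original course material and not any
product's own code. Records a SHA-256 digest for every monitored file and
later reports which files were modified, went missing or newly appeared.
demo() exercises it on constructed placeholder files in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing monitored path to its size and digest.

    Size is recorded for the report only; the comparison relies on the
    digest, because size and timestamps are easy for an intruder to preserve.
    """
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            baseline[p] = {"size": os.path.getsize(p), "sha256": file_digest(p)}
    return baseline


def save_baseline(baseline, out_path):
    # On a real host this file belongs on read-only or offline media.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare_baseline(baseline, paths):
    """Return the monitored paths that changed, vanished or appeared."""
    current = build_baseline(paths)
    modified = sorted(p for p in baseline
                      if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Baseline three placeholder binaries, apply the tampering the text describes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        # Constructed stand-ins for real system binaries (placeholder contents).
        originals = {"ps": b"genuine ps", "netstat": b"genuine netstat", "ls": b"genuine ls"}
        for name, data in originals.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(data)
        watched = [os.path.join(bindir, n) for n in ("ps", "netstat", "ls", "login")]
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(watched), baseline_path)

        # Simulated tampering: ps replaced, netstat removed, an unexpected
        # file dropped at a monitored location.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced ps")
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"unexpected file")

        report = compare_baseline(load_baseline(baseline_path), watched)
        # Report basenames so the temporary directory path does not leak into output.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Two points matter when running this for real. The comparison must be executed with a trusted toolset and the baseline must be stored off the host, since the whole purpose of replacing ps and netstat is that anything on the compromised machine can no longer be believed. And a detected change is a signal, not a verdict: legitimate patching also alters binaries, so the baseline has to be refreshed as part of change management or every update will look like a rootkit.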
As an ethical hacker you must be aware of the tools and techniques that are deployed by attackers so that you are able to advocate and take countermeasures to ensure protection. These will be detailed in later modules.

Hacker Classes
Black hats
  • Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as 'Crackers.'
White Hats
  • Individuals professing hacker skills and using them for defensive purposes. Also known as 'Security Analysts'.
Gray Hats
  • Individuals who work both offensively and defensively at various times.
Ethical Hacker Classes
Former Black Hats
  • Reformed crackers
  • First-hand experience
  • Lesser credibility perceived
White Hats
  • Independent security consultants (may be groups as well)
  • Claim to be knowledgeable about black hat activities
Consulting Firms
  • Part of ICT firms
  • Good credentials

Hackers can be classified into various categories based on their activity profile.
'Black hat' is used to describe those hackers who use their computer skills with malicious intent for illegal purposes or nefarious activities. This category of hackers is often associated with criminal activity and sought by law enforcement agencies.
On similar lines, 'white hat' is used to describe those hackers who use their hacking ability for defensive purposes. They are mostly security analysts who are knowledgeable in hacking countermeasures.
Often, the term 'grey hat' is used to describe that segment of people who believe in full disclosure. They believe that other people who come across the disclosed information are able to make judicious use of it. This is debatable, as there is no universal morality in values or norms.
Ethical hackers are information security professionals who are engaged in evaluating the threats to an organization from attackers. Ethical hackers possess excellent computer expertise, and are called so because primarily, these professionals are entirely trustworthy. Ethical Hackers can be classified into the following categories:
Former black hats: This group comprises former crackers who have taken to the defensive side. They are better informed about security related matters, as they have no dearth of experience and have access to the right information through hacker networks. However, they do not earn credibility for the very same reasons, as they may pass along sensitive information knowingly or inadvertently to the hacker network, thereby putting the enterprise at risk.
White hats: We had discussed this category of people above. They profess to have skills on par with the black hats. However, it remains to be seen if they can be as efficient in information gathering as black hats. These are independent security consultants working either individually or as a group. These people are widely patronized as ethical hackers because of their ideals and their value system.
Consulting firms: This is a new trend being seen in ICT consulting services with the increasing demand for third party security evaluations. These firms boast of impressive talent and credentials. However, a word of caution is necessary with regard to background checks of these individuals as they may include former black hats and even script kiddies, who take up assignments for the thrill it gives them.

Hacktivism
Refers to 'hacking with / for a cause'.
Comprises of hackers with a social or political agenda
Aims at sending across a message through their hacking activity and gaining visibility for their cause and themselves.
Common targets include government agencies, MNCs, or any other entity perceived as 'bad' or 'wrong' by these groups / individuals.
It remains a fact however, that gaining unauthorized access is a crime, no matter what the intent.
'Hacktivism' refers to a kind of electronic civil disobedience in which activists take direct action by breaking into or protesting with government or corporate computer systems. It can be considered a kind of information warfare, and it is on the rise. Hacktivists consider it their obligation to bring an offline issue close to their agenda into the online world. The apparent increase in hacktivism may be due in part to the growing importance of the internet as a means of communication. As more people go online, web sites become high-profile targets.
Internet hacktivists believe that the "state sponsored censorship of the internet erodes peaceful and civilized coexistence, affects the exercise of democracy, and endangers the socioeconomic development of nations". For instance, they may have agendas that consider "state-sponsored censorship of the internet as a serious form of organized and systematic violence against citizens, intended to generate confusion and xenophobia, and a reprehensible violation of trust". For instance, the Cult of the Dead Cow, an older security group states that their objective is to "study ways and means of circumventing state sponsored censorship of the internet and implementing technologies to challenge information rights violations".
Most hacktivists aim at sending across a message through their hacking activity and gaining visibility for their cause and themselves. Common targets include government agencies, MNCs, or any other entity perceived as 'bad' or 'wrong' by these groups / individuals. It remains a fact however, that gaining unauthorized access is a crime, no matter what the intent.

What do Ethical Hackers do?
"If you know the enemy and know yourself, you need not fear the result of a hundred battles."
- Sun Tzu, Art of War
Ethical hackers try to answer:
What can the intruder see on the target system? (Reconnaissance and Scanning phases of hacking)
What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
Does anyone at the target notice the intruder's attempts or success? (Reconnaissance and Covering Tracks phases)
If hired by any organization, an ethical hacker asks the organization what it is trying to protect, against whom and what resources it is willing to expend in order to gain protection.

An ethical hacker's evaluation of information systems security seeks answers to three basic queries:
What can an attacker see on the target systems? This is in line with the earlier comment on crackers thinking 'out of the box'. Normal and routine security checks by system administrators can overlook several vulnerabilities that can be exploited by a creative and innovative mind. This also describes the reconnaissance and scanning phases of hacking discussed earlier in this module.
What can an attacker do with available information? The ethical hacker tries to know the intent and purpose behind potential exploits. This makes it possible to take appropriate countermeasures. This describes the two phases - gaining access and maintaining access in hacking. This is the true attack phase and the ethical hacker needs to be one step ahead of the hacker, in order to provide adequate protection.
Are the attackers' attempts being noticed on the target systems? Often crackers enter a system and lurk around before they actually wreak havoc. They take their time in assessing the potential use of the information exposed. If the activities of an attacker are not noticed on target systems, the attackers can, and will, spend weeks or months trying to break in and will usually eventually succeed in compromising the target system's security.
In order to do this, the attackers may even clear their tracks by modifying log files and creating backdoors or deploying Trojans. The ethical hacker needs to investigate whether such an activity has been recorded and what preventive measures were taken if any. This not only gives him an indirect assessment of the cracker's proficiency, but also gives him an insight into the security related activities of the enterprise / system he is evaluating.
The entire process of ethical hacking and subsequent patching of discovered vulnerabilities would depend on questions such as:
What is the organization trying to protect, against whom or what, and how many resources is the organization willing to expend in order to gain protection?
Sometimes, when such exercises are taken up without proper framework, the organization might decide to call off the evaluation at the first instance of vulnerability reporting. These may be to ward off further discovery or save on resources. Therefore it is imperative that the ethical hacker and the organization work out a suitable framework.
The organization must be convinced about the need for the exercise. Usually the concerned personnel have to be guided to concisely describe all of the critical information assets whose loss could adversely affect the organization or its clients. These assets can also include secondary information sources, such as employee names and addresses (which are privacy and safety risks), computer and network information (which could provide assistance to an intruder), and other organizations with which the primary client organization collaborates (which provide alternate paths into the target systems through a possibly less secure partner's system).
Last, but not least, the ethical hacker must remember that it is not possible to guard systems completely, as we have discussed before in this module.

Skill Profile of an Ethical Hacker

Computer expert adept at technical domains.
In-depth knowledge about target platforms (such as windows, Unix, Linux).
Exemplary knowledge in networking and related hardware / software.
Knowledgeable about security areas and related issues - though not necessarily a security professional.

We have seen what hackers are capable of doing during an attack. Activities of this nature require the skill profile of a computer expert. Ethical hackers should also have strong computer knowledge, including programming and networking.
They should be proficient at installing and maintaining systems that use popular operating systems (e.g. UNIX or Windows or Linux) usually used on target systems. Detailed knowledge of the hardware and software provided by popular computer and networking hardware vendors complements this basic knowledge. It is not always necessary that ethical hackers possess any additional specialization in security. However, it is an advantage to know how various systems maintain their security. These systems management skills are necessary for actual vulnerability testing and for preparing the report after the testing is carried out.
An ethical hacker should be one step ahead of the malicious hacker and possess immense patience and the capability for persistent concentration. A typical evaluation may require several days, perhaps even weeks, of analysis, more than the actual testing itself. When an ethical hacker encounters a system with which he is not familiar, he will take the time to learn everything about the system and try to find its vulnerable spots.
Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review on part of the ethical hacker. An ethical hacker will use constructive methods as opposed to destructive methods adopted by the malicious hacker. The intent behind an ethical hacker's actions is to protect and rectify the system of its vulnerabilities. An ethical hacker is convinced that he can change something by means of constructively using his skills. He is reliable and trustworthy since he might discover information about the organization that should remain secret.

How do they go about it?
Any security evaluation involves three components:
Preparation - In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that he may attract during the conduct phase. The contract also outlines infrastructure perimeter, evaluation activities, time schedules and resources available to him.
Conduct - In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities.
Conclusion - In this phase, the results of the evaluation are communicated to the organization / sponsors and corrective advice / action is taken if needed.
Any security testing involves three phases - preparation, conduct and conclusion. We have seen that a security evaluation is based on questions such as what the organization is trying to protect, against whom and at what cost. After discussing these aspects with the organization, a security plan is prepared which will identify the systems that are to be tested for vulnerabilities, how the testing would be carried out (methodology) and what restrictions may be applied (limitations faced).
While it is theoretically possible to say that the testing strategy should follow a "no-holds-barred" approach, practically this is not usually the case. This approach is encouraged so that the ethical hacker is given the chance to gain maximum access.
The next aspect is how to conduct the evaluation. There are several methods for carrying out ethical hacking, but the two most used approaches are the limited vulnerability analysis and attack and penetration testing. Limited vulnerability analysis deals with enumerating the specific entry points to the organization's information systems over the Internet, as well as the visibility of mission critical systems and data from a connection on the internal network. On detection, the potential entry points and mission critical systems are scanned for known vulnerabilities. The scanning is done using standard connection techniques and not solely based on vulnerability scanners.
In an attack and penetration testing, discovery scans are conducted to gain as much information as possible about the target environment. Similar to the limited vulnerability analysis, the penetration scans can be performed from both the Internet and internal network perspective. This approach differs from a limited vulnerability analysis in that here, the testing is not limited to scanning alone. It goes a step further and tries to exploit the vulnerabilities. This is said to simulate a real threat to data security.
Clients usually prefer a limited vulnerability analysis because they don't want to risk loss of data or any other damage.
It should be communicated to the organization that there are inherent risks in undertaking an ethical hack. These can include alarmed staff and unintentional system crashes, degraded network or system performance, denial of service, and log-file size explosions. A possible way of minimizing this risk is to conduct the tests after working hours or on holidays. The organization should also provide contacts within, who can respond to calls from the ethical hackers if a system or network appears to have been adversely affected by the evaluation, or if an extremely dangerous vulnerability is found that should be immediately corrected. While conducting an evaluation, ethical hackers may come across security holes that cannot be fixed within the predetermined timeframe.
Therefore, the ethical hacker must communicate to his client the urgency for corrective action that can extend even after the evaluation is completed. If the system administrator delays the evaluation of his system until a few days or weeks before his computers need to go online again, no ethical hacker can provide a really complete evaluation or implement the corrections for potentially immense security problems. Therefore, such aspects must be considered during the preparation phase.
The last phase is the conclusion phase, where the results of the evaluation are communicated explicitly in a report and the organization is apprised of the security threats, vulnerabilities and recommendations for protection.

Modes of Ethical Hacking
Remote network - This mode attempts to simulate an intruder launching an attack over the Internet.
Remote dial-up network - This mode attempts to simulate an intruder launching an attack against the client's modem pools.
Local network - This mode simulates an employee with legal access gaining unauthorized access over the local network.
Stolen equipment - This mode simulates theft of a critical information resource such as a laptop owned by a strategist (taken by the client without the owner's knowledge and given to the ethical hacker).
Social engineering - This aspect attempts to check the integrity of the organization's employees.
Physical entry - This mode attempts to physically compromise the organization's ICT infrastructure.

There are several ways to conduct a security evaluation. An ethical hacker may attempt to perform an attack over various channels such as:
Remote network.
This test simulates the intruder launching an attack across the Internet. The primary defenses that must be defeated here are border firewalls, filtering routers etc.
Remote dial-up network.
This test simulates the intruder launching an attack against the organization's modem pools. The main targets of dial up testing are PBX units, Fax machines and central voice mail servers. The primary defenses that must be defeated here are user authentication schemes. These kinds of tests should be coordinated with the local telephone company.
Local network.
This test simulates an employee or other authorized person who has a legal /authorized connection to the organization's network. The primary defenses that must be defeated here are intranet firewalls, internal Web servers and server security measures.
Stolen equipment.
In the real-world scenario, laptops are often stolen during transit, and the objective of this test is to evaluate how users protect their information assets. For example, if a stolen laptop has stored passwords or critical information that can be easily accessed, this is a security breach. Attackers can even dial in remotely to the organization's main servers if they have the proper authentication.
Social engineering.
This test evaluates the integrity and awareness of the target organization's personnel. A typically quoted example of social engineering is that of an intruder calling the organization's computer help line and asking for the external telephone numbers of the modem pool. Defending against this kind of attack is the hardest, because people and personalities are involved. Being helpful comes naturally in organizations with a strong service orientation, and this may inadvertently lead to security compromises. Commonly seen scenarios include telling someone who appears to be lost where the computer room is located, or letting someone who does not carry proper identification credentials into the building. The only defense against this is to raise security awareness.
Physical entry.
This test acts out a physical penetration of the organization's building. The primary defenses here are a strong security policy, security guards, access controls and monitoring, and security awareness.

Security Testing
There are many different forms of security testing. Examples include vulnerability scanning, ethical hacking and penetration testing. Security testing can be conducted using one of two approaches:
Black-box (with no prior knowledge of the infrastructure to be tested)
White-box (with a complete knowledge of the network infrastructure).
Internal testing, also known as gray-box testing, examines the extent of access available to insiders within the network.

We have discussed the channels of testing in the previous discussion; here we will focus on the testing approach or methodology. Security testing has been addressed in the context of software development for quite some time. In the context of ethical hacking, the security professional has to conduct a security evaluation and test the system for vulnerabilities. This can be approached in different ways.
The concept of black-box testing is based on the assumption that the ethical hacker has no prior knowledge or information about the system. In this sense, black-box testing simulates a true web-hacking attack, beginning with nothing but the organization's corporate name. From here the ethical hacker gathers information about the network and the business from as many outside sources as possible. This can include publicly available information from sources such as web sites and media publications that contain useful information about the business. Social engineering techniques may also be used, where information is gathered from unsuspecting employees. This aspect will be dealt with in detail in later modules. This is similar to the reconnaissance phase that a malicious attacker would carry out prior to an attack. It gives the ethical hacker an idea of all possible security lapses, including policy-level lapses.
The ethical hacker then uses scanning tools such as port scanners to aid in network mapping. Based on the network map created from the initial investigation, the ethical hacker begins probing the network for exploitable vulnerabilities. This is exactly like the scanning phase of a hack attack. The ethical hacker does everything that a hacker does. Exploiting vulnerabilities is an important part of a penetration test. The ethical hacker tries to exploit them in such a way that they do not cause damage; however, sometimes they do. This is taken care of in the legal paperwork drawn up in the rules of engagement. While attacks such as denial of service have no place in a penetration test, actually breaking in has to be done in most cases to demonstrate the true impact of the vulnerabilities discovered. In addition, the ethical hacker recommends countermeasures to patch the security hole.
The concept of white-box testing, on the other hand, is based on the assumption that the ethical hacker knows the system and has full access to system-related information. Nevertheless, white-box testing has fundamental similarities in terms of the testing involved. The ethical hacker is given full access to information about the client's organization and network infrastructure from the outset. The ethical hacker has access to all system design and implementation documentation, which may include source code listings, manuals and circuit diagrams. This helps the ethical hacker adopt a structured and formal approach. However, a good ethical hacker will also test the validity of the information provided initially, rather than work under the assumption that it is true.
It is considered by some security experts that black-box testing closely imitates a real web-based attack. However, this need not hold true, as script kiddies can easily learn details of the operating systems and run scripts to exploit vulnerabilities. More often than not, the hacker is no total stranger to the system. He has access to insider information or may even be an insider. Many organizations are subject to attack from internal sources, where full systems knowledge can be assumed.
Another aspect to be considered while testing is that hackers are known to have great patience and immense determination. They may plan and phase their attacks over months, which is not the case with an ethical hacker, who uses a predetermined methodology to fit within the time constraint. This methodology can be common knowledge and hence may miss vulnerabilities that a hacker would otherwise notice.
It is imprudent to assume that a hacker would not adopt a structured approach, and will not continue probing over time until a system is compromised. This is especially true if an organization has external networks which are not publicly listed, as these will not show up at the information gathering stage in black-box testing and will therefore not be tested. Hackers can stumble across unlisted networks using random scanning techniques and exploit potential vulnerabilities. It must be remembered that any computer connected to the Internet is typically scanned several times a day as hackers search for systems they can compromise.
There is another consideration that comes into play while choosing a method for testing: value for money. If monetary resources and time are a constraint, black-box testing may not be the best option. This is where an organization may consider internal testing. Also known as gray-box testing, this allows system administrators and network professionals to take the time and resources to test the system and detect vulnerabilities. It is called gray-box testing because there are likely to be both known and unknown aspects of the system.
In short, all forms of security testing can be of value to an organization; however, it is up to the organization to decide what works in its best interests under the given circumstances. A black-box test may highlight how supposedly confidential information is leaked, while a white-box test is likely to dedicate much more time to probing for vulnerabilities and will address the security of all external connections. In security terms, it is more prudent to assume the worst when testing a network, thus addressing all potential vulnerabilities and weaknesses. The case for ethical hacking lies here, as it should be assumed that a hacker does have a full knowledge of the network infrastructure, because if security relies solely on its secrecy then it is as good as nonexistent.

Deliverables
Ethical Hacking Report
Details the results of the hacking activity, matching it against the work schedule decided prior to the conduct phase.
Vulnerabilities are detailed and avoidance measures suggested. Usually delivered in hard copy format for security reasons.
Issues to consider - nondisclosure clause in the legal contract (making the right information available to the right person), integrity of the evaluation team, sensitivity of information.
We discussed the first two phases of a security evaluation by an ethical hacker previously. Here we will briefly discuss the conclusion phase and the final deliverable of the ethical hacking project. The final ethical hacking report details the results of the hacking activity. It is a collection of all of the ethical hacker's discoveries made during the evaluation.
Vulnerabilities that were detected are explained in detail and recommendations given to avoid exploits. The objective should be to bring into effect a permanent security solution and not a temporary patch up that can be overridden easily. The organization can also solicit the participation of its internal employees. This can be in the form of suggestions or observations made by them while conducting the evaluation. If social engineering testing has exposed problems, the report must address this issue with specific recommendations to raise awareness of the people concerned. The report must include specific advice on how to close the vulnerabilities and keep them closed.
Usually, the ethical hacking report is delivered in hard copy and the soft copy destroyed for security reasons, because if the report is accessed by the wrong people or people with wrong intentions, it can have catastrophic consequences. Commonly cited examples include its use by a competitor for corporate espionage, or by a cracker to break into the organization's computers. However, if it is a long-term client, the ethical hacker might need the information for future tests. In this case, the organization can store it encrypted on an offline system with very limited access. Hard copies should be stored in a safe with all copies numbered.
There are also certain issues to be considered while delivering the report, such as who would receive the report, and how the sensitivity of the report may be conveyed. Usually, the ethical hackers would have an ongoing responsibility to ensure the safety of any information they retain. So in some cases all information related to the work is destroyed at the end of the contract.

Computer Crimes and Implications
Cyber Security Enhancement Act 2002 - provides for life sentences for hackers who 'recklessly' endanger the lives of others.
The CSI/FBI 2002 Computer Crime and Security Survey noted that 90% of the respondents acknowledged security breaches, but only 34% reported the crime to law enforcement agencies.
The FBI computer crimes squad estimates that between 85 to 97 percent of computer intrusions are not even detected.
Stigma associated with reporting security lapses
Computer crimes can be broadly separated into two categories:
Crimes facilitated by a computer.
Computer-facilitated crime occurs when a computer is used as a tool to aid criminal activity. This can include storing records of fraud, producing false identification, reproducing and distributing copyright material, collecting and distributing child pornography, etc.
Crimes where the computer is the target.
Crimes where computers are the targets differ from traditional types of crimes. Sophisticated technology has made it more difficult to answer questions regarding the identification of the criminal, the nature of the crime, the identity of the victim, the location or jurisdiction of the crime and other details. Therefore, in an electronic or digital environment evidence has to be collected and handled differently than at a traditional crime scene.
The Cyber Security Enhancement Act 2002 provides for life sentences for hackers who 'recklessly' endanger the lives of others. The CSI/FBI 2002 Computer Crime and Security Survey noted that 90% of the respondents acknowledged security breaches, but only 34% reported the crime to law enforcement agencies. The FBI computer crimes squad estimates that between 85 and 97 percent of computer intrusions are not even detected. Nevertheless, there remains a stigma associated with reporting security lapses to law enforcement agencies, which enterprises should address seriously and with a fresh perspective.

Legal Perspective (US Federal Law)
Federal Criminal Code Related to Computer Crime:
18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
18 U.S.C. § 1362. Communication Lines, Stations, or Systems
18 U.S.C. § 2510 et seq. Wire and Electronic Communications Interception and Interception of Oral Communications
18 U.S.C. § 2701 et seq. Stored Wire and Electronic Communications and Transactional Records Access
The primary Federal statute that criminalizes breaking into computers and spreading malicious viruses and worms is the Computer Fraud and Abuse Act, codified at Title 18 of the United States Code, Section 1030. Other statutes that are typically implicated in a hacking case include Section 1029 of Title 18, which criminalizes the misuse of computer passwords, and Section 2511 of Title 18, which criminalizes those hackers that break into systems and install sniffers to illegally intercept electronic communications.
In this module, we will briefly examine the two most important statutes regarding computer crime: 18 U.S.C. § 1029 and 18 U.S.C. § 1030.

Section 1029
Subsection (a) Whoever -
(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;
(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000;
(6) without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of—
(A) offering an access device; or
(B) selling information regarding or an application to obtain an access device;
(7) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
(8) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;
(9) knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or
(10) without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device.
This law assumes great significance in the contemporary world, which is driven by symbolic data. By symbolic data, we mean bank account numbers, credit card numbers, personal identification numbers and passwords. The characteristic of such symbolic data is that it can easily be used in lieu of physical security mechanisms. This is the very feature that makes it susceptible to fraud and illegal activities such as identity theft. These activities are not restricted to a physical boundary, but can span international borders.
The statute Title 18 U.S.C. section 1029, also popularly referred to as the "access device statute", is a highly versatile means of investigating and prosecuting criminal activity involving fraud. One of the challenges that ecommerce has thrown open to law enforcement agencies arises from the ability of criminals and hackers to obtain online, and then use, certain computer programs, such as Credit Master and Credit Wizard, which generate large volumes of credit card numbers. These programs help these hackers find particular credit card numbers that online merchants would accept.
These are illegal means, as the hackers are not authorized to use them. Having generated a large number of credit card numbers, these hackers can use them at random to commit financial fraud over the net. This can take the form of an online fraud scheme, substantial fraudulent purchases of goods or services, or fraudulent billings for nonexistent goods or services, at the expense of the credit card company or the customers to whom the valid credit card numbers have been assigned.
In the slide above, note that 'counterfeit access device' refers to any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or counterfeit access device. An example is long distance telephone service access codes fabricated by a hacker that can be counterfeit even though those codes are valid code numbers in a company's computer access base.
Also note that the term "one-year period" in this subsection is not limited to a single calendar year, but includes any continuous one-year period within which the accused has obtained anything of value aggregating $1,000 or more.
An example of online fraud would be the often-seen case of a large-scale online marketing scheme where the individual concerned uses another business merchant's credit card account because he would not gain the bank's approval or authorization if he were to describe his activity truthfully. These include cases where online merchants promise miracle cures or prescription medicines over the Internet.
Another often-quoted example is that of offenders soliciting users over email to obtain credit card or PIN numbers and using them to purchase merchandise such as electronic equipment or computers. This would amount to unauthorized access as well as counterfeit access.
Subsection 1029(a)(3) is cited primarily in cases of theft of credit card numbers from ecommerce sites, or even physical possession of stolen or lost cards. It applies to hackers who obtain these by hacking into a system and then offer to sell them. There have actually been cases where a hacker had attempted to sell more than 60,000 stolen credit card numbers with high credit limits from websites, and was apprehended by the FBI.
The 1029(a)(5) subsection comes into effect when for instance, an offender persuades a person with a valid credit card number to give the offender that credit card number because the person believes that he or she will receive something of substantial value in return. This is also applicable when these numbers are used to purchase high value merchandise from ecommerce sites.
The 1029(a)(6) subsection deals with criminal activities such as when an offender offers the consumer credit cards, obtains advance payment and then does not deliver. This can be electronic merchandise as well, as seen in a recent case where an offender purchased high value computer equipment by floating a fake escrow company and did not pay the suppliers, while he schemed to resell these items.
This offense may apply, for example, when a criminal operating a large-scale fraud scheme has used false information about his business to obtain a merchant account from a bank, or uses an existing account of a legitimate business, so that he can process credit card charges through that account. The criminal then obtains credit card numbers from the victims of his scheme and submits those numbers for payment to the bank where the merchant account is located. If the financial institution that established the merchant account did not authorize that account to be used by those operations, all transactions that the criminal conducts through that merchant account may be considered "unauthorized" by that financial institution.
The 1029(a)(7) offense may apply, for example, to persons who make, distribute, or use "cloned" cell phones in the course of a scheme to defraud, such as a telemarketing fraud scheme, or in connection with another criminal enterprise. This assumes significance in the context of mobile commerce.
The 1029(a)(8) subsection states that whoever "knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver" commits a federal offense if the offense affects interstate or foreign commerce. As used in that subsection, the term "scanning receiver" is defined as "a device or apparatus that can be used to intercept a wire or electronic communication or to intercept an electronic serial number, mobile identification number, or other identifier of any telecommunications service, equipment, or instrument."
The 1029(a)(9) subsection states that whoever "knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunications identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization" commits a federal offense if the offense affects interstate or foreign commerce. As used within that subsection, the term "telecommunications identifying information" is defined as "electronic serial number or other number that identifies a specific telecommunications instrument or account, or a specific communication transmitted from a telecommunications instrument."
The 1029(a)(10) subsection states that whoever, without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for any payment, evidences or records of transactions made by an access device is liable for prosecution.

Penalties
in the case of an offense that does not occur after a conviction for another offense under this section--
(i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;
in the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and
in either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.
Offense under 1029(a)(1) attracts a fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(2) attracts a fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(3) attracts a fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(4) attracts a fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $1,000,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(5) attracts a fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(6) attracts a fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(7) attracts a fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(8) attracts a fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.
Offense under 1029(a)(9) attracts a fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.

Section 1030
Subsection (a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;

The National Information Infrastructure Protection Act of 1996 was enacted as part of Public Law 104–294. It amended the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030. The United States, in a single statute, continues to address the core issues driving computer and information security at both domestic and international levels; that is, protecting the confidentiality, integrity, and availability of data and systems. These three themes provide the foundation for the Organization for Economic Cooperation and Development's (OECD) 'Guidelines for the Security of Information Systems'.
By patterning the amended Computer Fraud and Abuse Act on the OECD guidelines, the U.S. addresses how information technology crimes must be addressed--simultaneously protecting the confidentiality, integrity, and availability of data and systems. In most cases, a single point of reference--The Computer Fraud and Abuse Act, 18 U.S.C. § 1030--is provided for investigators, prosecutors, and legislators as they attempt to determine whether a particular abuse of new technology is covered under federal criminal law.
Section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information or restricted data, and subsequently performed some unauthorized communication or other improper act. In this sense, then, it is the use of the computer which is being proscribed, not the unauthorized possession of, control over, or subsequent transmission of the information itself. However, a person who deliberately breaks into a computer for the purpose of obtaining properly classified or restricted information, or attempts to do so, should be subject to criminal prosecution for this conduct.
Subsection (a) (2) is, in the truest sense, a provision designed to protect the confidentiality of computer data. The subsection 1030(a) (2) is designed to insure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. The provision has also been restructured to differentiate various aspects of protecting different types of information, thus allowing easy additions or modifications to offenses if these aspects are required to be addressed again.
Not all computer misuse warrants federal criminal sanctions. The challenge is that there is no single definitive clause that can accurately segregate important from unimportant information, and any legislation may therefore be under- or over-inclusive. For example, a frequent test for determining the appropriateness of federal jurisdiction--a monetary amount--does not work well when protecting information. The theft from a computer of a trial plan in a sensitive case (as in the case of the paralegal sentenced for theft of a litigation trial plan) or the copying of credit reports might not meet such a monetary threshold, but clearly such information should be protected. Therefore, the act of taking all of this kind of information is now criminalized.
However, it is important to remember that the elements of the offense include not just taking the information, but abusing one's computer authorization to do so. For instance, during Operation Desert Storm, it was widely reported that hackers accessed sensitive but unclassified data regarding personnel performance reports, weapons development information, and logistics information regarding the movement of equipment and personnel. Subsection 1030(a)(2)(C) is designed to protect against the interstate or foreign theft of information by computer. Such a provision is necessary because, in an electronic environment, information can be "stolen" without transportation, and the original usually remains intact.
Section 1030(a)(3) protects the computer from outsiders, even if the outsider obtains no information. Thus, an intruder who violates the integrity of a government machine to gain network access is nonetheless liable for trespass even when he has not jeopardized the confidentiality of data. Section 1030(a)(2), on the other hand, protects the confidentiality of data, even from intentional misuse by insiders. Additionally, although a first violation of § 1030(a)(3) is always a misdemeanor, a § 1030(a)(2) violation may constitute a felony if the information taken is valuable or sufficiently misused.
When a computer is used for the government, the government is not necessarily the operator. The term 'non-public' is intended to reflect the growing use of the Internet by government agencies and, in particular, the establishment of World Wide Web home pages and other public services. This makes it perfectly clear that a person who has no authority to access any non-public computer of a department or agency may be convicted under (a)(3) even though permitted to access publicly available computers.
Subsection 1030(a)(4) ensures that felony-level sanctions apply when unauthorized use of the computer (or use exceeding authorization) is significant. Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far in excess of $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, it is more appropriate to exempt from the felony provisions of subsection 1030(a)(4) only cases involving no more than $5,000 of computer use during any one-year period.
The definition of "protected computer" includes government computers, financial institution computers, and any computer "which is used in interstate or foreign commerce or communications." The term 'protected computer' was included to address the original concerns regarding intrastate "phone phreakers" (i.e., hackers who penetrate telecommunications systems). It also specifically includes those computers used in "foreign" communications. With the continually expanding global information infrastructure, with numerous instances of international hacking, and with the growing possibility of increased global industrial espionage, it is important that the United States have jurisdiction over international computer crime cases.
This section also addresses the problem of insider attack, given the rise in computer attacks from insiders such as disgruntled employees. For example, although those who intentionally damage a system should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without proper authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. In such cases, it is the intentional act of trespass that makes the conduct criminal.
To provide otherwise is to openly invite hackers to break into computer systems, safe in the knowledge that no matter how much damage they cause, they commit no crime unless that damage was either intentional or reckless. This subsection criminalizes all computer damage done by outsiders, as well as intentional damage by insiders, albeit at different levels of severity. The essence of this section is that intentional damage by trespassers and authorized users is a felony. Causing reckless damage is a felony for a trespasser, though not a crime for an authorized user. Causing negligent damage is a misdemeanor for a trespasser, and not a crime for an authorized user.
Although subsections § 1030(a)(5)(B) and (a)(5)(C) require that the actor cause damage as a result of his or her unauthorized access, damages are not limited to those caused by the process of gaining illegal entry. Rather, all damage, whether caused while gaining access or after entry, is relevant.
For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information has been damaged.
Nonetheless, the intruder's conduct allowed him to accumulate valid user passwords to the system, required all system users to change their passwords, and required the system administrator to devote resources to re-securing the system. Thus, although there may be no permanent "damage," the victim does suffer "loss."
As network infrastructures continue to grow, computers will increasingly be used for access to critical services such as emergency response systems and air traffic control, and will be critical to other systems that we cannot yet anticipate.
Thus, any definition of "damage" must broadly encompass the types of harms against which people should be protected. The first is significant financial losses; the second is potential impact on medical treatment. Other aspects covered include causing physical injury to any person and threatening the public health or safety.
Subsection (a)(7) is designed to respond to a growing problem: the interstate transmission of threats directed against computers and computer networks. Such threats, if accompanied by an intent to extort, may already be covered in some instances by the Hobbs Act, 18 U.S.C. § 1951, which applies to interference with commerce by extortion. They also may be covered in some instances by 18 U.S.C. § 875(d), which applies to interstate communication of a threat to injure the property of another.
These concerns are not theoretical. In one recent case, for example, an individual threatened to crash a computer system unless he was granted access to the system and given an account. Another case involved an individual who penetrated a city government's computer system and encrypted the data on a hard drive, thus leading the victim to suspect an extortion demand was imminent.
It is worth noting that subsection (a)(7) covers any interstate or international transmission of threats against computers, computer networks, and their data and programs, whether the threat is received by mail, a telephone call, electronic mail, or through a computerized message service.
The provision is worded broadly to cover threats to interfere in any way with the normal operation of the computer or system in question, such as denying access to authorized users, erasing or corrupting data or programs, or slowing down the operation of the computer or system.
One recently charged case involved a contract employee who downloaded a zip file and transmitted it to an e-mail account on the NASA e-mail server, knowing that the zipped file in question would cause the computer system to drastically slow down or completely stop processing e-mail messages at the Glenn Research Center.

Penalties (18 U.S.C. § 1030(c))
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--
  (i) the offense was committed for purposes of commercial advantage or private financial gain;
  (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
  (iii) the value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.

Regardless of the amount of damage caused by an attack, Sections (a)(1) and (a)(7) are felonies. Similarly, Sections (a)(3) and (a)(5)(C) are misdemeanors; the amount of damage is irrelevant. Sections (a)(5)(A) and (a)(5)(B) are felonies, but only if damage is caused as outlined by 18 U.S.C. § 1030(e)(8), which defines damage as the impairment to the integrity or availability of data, a program, a system or information that causes loss aggregating at least $5,000 in value during any one-year period to one or more individuals; anything that modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; causes physical injury to any person; or threatens public health or safety.
Section (a)(2) has its own damage provision: a violation under this section may be a felony, but only if the offense was committed (1) for purposes of commercial advantage or private financial gain, or (2) in furtherance of any criminal or tortious act in violation of the Constitution, or laws of the U.S. or of any State, or (3) if the value of the information obtained exceeds $5,000. Otherwise, it is a misdemeanor. Finally, the amount of damage is so important to Section (a)(4) that there is no violation at all unless the value of the thing obtained is more than $5,000 in any one-year period.
Although the five thousand dollar requirement appears clear, uncertainties surround what can be included in the calculation of damage. For example, if only the links of a web page are altered in an attack without actual damage to the system, meeting the five thousand dollar threshold may be difficult. Additionally, it may be difficult to determine a fixed amount in damages if an attacker used a victim's computer only to launch attacks.
The seriousness of a breach in confidentiality depends, in considerable part, on either the value of the information or the defendant's motive in taking it. Thus, the statutory penalties are structured so that merely obtaining information of minimal value is only a misdemeanor, but certain aggravating factors make the crime a felony.
More specifically, the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
As for the monetary threshold, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property "in the thieves' market," can be used to meet the $5,000 valuation.
"Loss" can include any monetary loss that the victim sustained as a result of any damage to computer data, a program, a system or information. In addition, loss includes the costs that were a natural and foreseeable result of any damage, and any measures that were reasonably necessary to restore or re-secure the data, the program, the system, or information. An impairment of the data's integrity may occur even though no data was physically changed or erased if the victim suffered a "loss." Therefore, a victim of a computer compromise would be advised to calculate the amount of damage based on these and similar factors. Should the victim decide to involve federal law enforcement, a timely estimate of the amount of loss may assist in swiftly tracing the attacker.
For section 1030(a)(3), the penalty can be an appropriate fine and/or up to 1 year in prison, or 10 years if it is a repeat offense. While the sentencing has been a progressive step, it also highlights the need to draft parallel laws that would make software companies and other information technology providers legally accountable for weak or lax security. This will be an important step towards ensuring security at the design level itself. The notion that a company can produce a consumer product that is systemically flawed, and not be liable, must be addressed by law as well.
A sub-part added to the penalties under 18 U.S.C. § 1030(c) introduces fines and potential life sentences for offenders who knowingly or recklessly cause, or attempt to cause, death to any person. The Cyber Security Enhancement Act also provides for fines and prison terms of up to 20 years for offenders who knowingly or recklessly cause, or attempt to cause, serious bodily injury. However, recklessness is not usually treated as rising to a sufficient criminal level of intent to warrant such prison terms. For instance, recklessness in a contemporary context can also be an employee running a disk without a virus check.
Under this section, the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
Note that the term "protected computer" also includes a computer which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
For section 1030(a)(4), the penalty can be an appropriate fine and/or up to 5 years in prison, or 10 years if it is a repeat offense. The maximum statutory penalty for each count in violation of Title 18, United States Code, Section 1030(a)(4) is five years imprisonment and a fine of $250,000, plus restitution if appropriate. However, the actual sentence will be dictated by the Federal Sentencing Guidelines, which take into account a number of factors, and will be imposed at the discretion of the Court.
This section was recently used in the prosecution of former Cisco employees who exceeded their authorized access to the computer systems of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves.
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if the conduct involves one of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action, however, may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. We mentioned the need to address this legally in the previous discussion.