[ISN] Bad Raps for Non-Hacks

From: InfoSec News (isnat_private)
Date: Tue Jun 17 2003 - 00:14:49 PDT


    http://www.securityfocus.com/columnists/167
    
    By Mark Rasch
    June 16, 2003 
    
    A few odd cases show that you don't have to be a digital desperado to
    be accused of a cybercrime... particularly if you embarrass the wrong
    bureaucrats.
    
    Some recent (and not so recent) cases illustrate how computer security
    professionals and well-intentioned whistle-blowers face a genuine risk
    of running afoul of computer crime statutes simply for forgetting to
    ask the right person, "May I?," before doing a computer security
    assessment.
    
    Take the case of Scott Moulton, a computer security professional in
    Georgia. He was the principal person responsible for computer security
    (through a private company) for a county in Georgia. The county worked
    with various cities coordinating and providing 911 Emergency Response
    Services. When one city wanted to hook up to the county's 911 network,
    Moulton performed a port scan and throughput test on that city's
    network to see if the computers were vulnerable to exploit.
    
    Of course, they were. Moulton wisely went no further, and never
    attempted to penetrate any of the computers he scanned, and the city
    eventually plugged the holes. Did the city award him a medal? A raise?
    A new contract? No... they promptly contacted the Georgia Bureau of
    Investigation, which searched and seized his computer and arrested him
    for violating the Georgia computer crime laws. The statute in question
    made it a felony to use a computer with the intention of "obstructing,
    interrupting, or in any way interfering with the use of a computer
    program or data... regardless of how long the alteration, damage, or
    malfunction persists." Since the port scan infinitesimally slowed the
    computer, the government supposed, Moulton violated the statute.
    
    Thousands of dollars of legal fees later (and a civil case to defend
    as well), the government abandoned the criminal prosecution with no
    charges filed.
    
    Things went worse for Stefan Puffer, a Houston computer security
    consultant who briefly worked as a contractor with the Harris County,
    Texas district clerk's office. Puffer conducted a "war driving"
    exercise, reportedly accompanied by the head of Harris County's
    Central Technology Department, and a reporter for the Houston
    Chronicle. Puffer demonstrated that the Harris County clerk's office's
    802.11b network was misconfigured to allow anyone to have access to
    the network. It was reported that Puffer uploaded a ".gif" file on one
    of the computers to demonstrate the ease with which an outsider could
    access the network -- an allegation Puffer denied.
    
    The County clerk initially pooh-poohed the incident, claiming that no
    data was compromised and that the wireless network was simply a "test"
    network which wasn't in full use. But once the Houston Chronicle ran
    an article describing the wireless vulnerability, embarrassed county
    officials brought their network up to snuff.
    
    For his efforts, Puffer was investigated by FBI agents, who kicked in
    his door at 6AM, seized his computers and all electronic media and
    effectively put him out of business. Then he was indicted by a federal
    grand jury for violating the federal Computer Fraud and Abuse Act --
    with the "damages," bizarrely, assessed as the money the county spent
    to close the hole. Efforts to convince the United States Attorney's
    Office in Texas to dismiss the charges were unsuccessful, and Puffer
    eventually had to stand trial -- at a cost of tens of thousands of his
    own and taxpayer dollars. The jury acquitted him in 15 minutes.
    
    Even just writing about computer security can get you in trouble. In
    1997, Justin Boucher wrote an article for an underground high school
    newspaper describing, in the most general terms, common computer
    security vulnerabilities at the high school - most notably bad
    passwords. The article prodded his classmates to exploit the
    vulnerabilities, but also implored them to "never harm, alter or
    damage any computer, piece of software, or person in any way; if
    damage has been done do what is necessary to correct that damage, and
    to prevent it from occurring in the future and inform computer
    managers about lapses in their security, when you're done exploiting
    it."
    
    Boucher himself never illegally accessed any school computers, nor is
    there any evidence that others did using this information he
    published. Nevertheless, the young whistleblower was expelled from
    school for one year -- an expulsion that was affirmed by the courts.
    
    
    Staying Legal
    
    The critical part of the school board's -- and the court's -- decision
    was the conclusion that the publication of the article constituted a
    criminal act, because it "provided instruction to the public and
    unauthorized persons on how to access the school district computer
    programs and disclosed restricted access information to the school
    district's computers" in violation of Wisconsin's computer crimes
    law. The court pointed out that the Wisconsin law made it a crime to
    "Disclose[] restricted access codes or other restricted information to
    unauthorized persons." Thus, telling the wrong people about the
    vulnerabilities discovered can lead to jail.
    
    All of these cases had a few things in common. First, there was no
    intent to damage or destroy computers or information contained in
    them, and any damage done was exceedingly minimal. Second, there was
    likewise no intent to extort the owners of the computers -- unlike
    Russian hacker Alexi Ivanov, who exposed security vulnerabilities in
    an effort to get paid to fix them. Third, in each of the cases, those
    responsible for security at the organization were publicly embarrassed
    by their poor security.
    
    The final commonality is the lack of express consent. One key trigger
    to virtually all computer crime statutes is the "access" to a computer
    without authorization, or in some cases, in excess of authorization.
    
    The combination of broad computer crime laws mixed with defensive
    bureaucrats embarrassed by their own failings could harbor dangers for
    non-professionals doing seemingly harmless non-invasive procedures
    like port scans and wireless drive-bys on networks that they arguably
    have some interest in seeing protected.
    
    That's because many state computer crime statutes define "access" to a
    computer as any communication with it, or use of the resources of the
    computer -- however slight. Thus, to stay legal, one must obtain
    permission from someone in authority prior to performing even mild
    tests, preferably in writing, and preferably explaining the entire
    scope of the test and the possibility of damage (a waiver of liability
    would be nice, too).
    
    Professional penetration testers already know to get explicit
    authorization in writing before beginning work. But given the dramatic
    sweep of some of these laws, and the growing history of their abuse,
    simple authorization may not be enough. Pen testers should have the
    client detail exactly the scope and extent of the network to be tested
    -- a range of IP addresses, domains, or physical locations. Straying
    beyond these ranges may land the tester in legal hot water.
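    One way to make that scope a hard boundary rather than a reminder is a
    gate that checks every intended target against the written
    authorization before any test traffic is sent. This is an added
    example, not code from the column or from any tool it mentions; the
    authorization scope below is constructed from documentation address
    ranges and example.com, and the function names are my own.

```python
import ipaddress
import re

# Constructed authorization scope (hypothetical client; not from the column).
# RFC 5737 / RFC 3849 documentation ranges and example.com are used as placeholders.
AUTHORIZED_SCOPE = {
    "cidrs": ["192.0.2.0/24", "2001:db8::/48"],  # address ranges named in the engagement letter
    "domains": ["example.com"],                   # a domain covers itself and its subdomains
}

# Minimal hostname syntax check: labels separated by dots, optional trailing dot.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}\.?$", re.IGNORECASE)


def _parse_target(target):
    """Classify a target as ('net', ip_network) or ('host', name); ValueError if neither."""
    try:
        # A bare address becomes a /32 or /128 network, so one code path handles both.
        return "net", ipaddress.ip_network(target, strict=False)
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return "host", target.rstrip(".").lower()
    raise ValueError("unrecognised target: %r" % target)


def check_scope(targets, scope):
    """Sort targets into in_scope / out_of_scope / rejected against the authorization."""
    nets = [ipaddress.ip_network(c) for c in scope["cidrs"]]
    domains = [d.lower().rstrip(".") for d in scope["domains"]]
    result = {"in_scope": [], "out_of_scope": [], "rejected": []}
    for raw in targets:
        try:
            kind, value = _parse_target(raw.strip())
        except ValueError:
            result["rejected"].append(raw)   # unparseable: never silently tested
            continue
        if kind == "net":
            # The whole target range must sit inside one authorized range of the same IP version.
            ok = any(value.version == n.version and value.subnet_of(n) for n in nets)
        else:
            # Exact match or subdomain; "notexample.com" must not match "example.com".
            ok = any(value == d or value.endswith("." + d) for d in domains)
        result["in_scope" if ok else "out_of_scope"].append(raw)
    return result


def assert_in_scope(targets, scope):
    """Gate for a test run: raise before anything is sent if any target falls outside the authorization."""
    r = check_scope(targets, scope)
    bad = r["out_of_scope"] + r["rejected"]
    if bad:
        raise PermissionError("targets outside written authorization: " + ", ".join(bad))
    return r["in_scope"]
```

    Rejecting unparseable entries alongside out-of-scope ones matters:
    a typo in a target list is exactly how a tester strays past the
    agreed ranges without noticing.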
    
    And whatever happens, don't write about it for your local High School
    newspaper.
    
    
    SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the 
    Justice Department's computer crime unit, and now serves as Senior 
    Vice President and Chief Security Counsel at Solutionary Inc. 
    
    
    
    
    


