How hackers cause damage... was Vulnerabilites in new laws on computer hacking
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 23 Feb 2006 21:26:09 +1100
There have been a large number of ill-informed posts regarding damage caused by cyber-trespass. This is for the purpose
of this post described as breaking into a system with no clear intent to cause damage i.e. no Mens Rea or guilty mind.
I will exclude all references to intention to damage or wilful damage and limit this to reckless damage alone.
Next, I will exclude Mens Rea as it may pertain to the fact that the act of committing a computer crime is by
definition illegal. We all seem to understand that breaking into a computer without permission is a breach of the law
so I shall not explore this avenue of argument.
The term in law refers to “actus non facit reum nisi mens sit rea”, which means that "the act will not make a person
guilty unless the mind is also guilty". This is a common defence in criminal cases though it will not help you in a
civil tort case (i.e. civil damages).
With the seeming ignorant state that exists (not to all reading) to the levels of damage caused by breaking into
systems and committing cyber-trespass I will endeavour to detail the resultant state of affairs.
I will aim solely at corporate systems for the critique following. This is not to state that Government, privately run
or organisational systems have any lesser effects resultant from attack, but that this is a post and not a dissertation
(though it is moving in that direction).
First we have the argument that has been fielded that at worst a system would just need to be rebuilt. A prior poster
stated that he would analyse his system and track the incident. For the majority of the world this is not so simple.
Most people are not skilled in either incident response techniques or digital forensic science (please note computer
forensics is a misnomer and grammatically incorrect). Nor are most companies able to afford to rebuild systems on a
regular basis for the fun of it.
Cyber-trespass leaves one in a state of doubt. It is commonly stated that the only manner of recovery from a system
compromise is to rebuild the host. I will resist quoting a voluminous amount of material at this point (unless somebody
wishes to dispute this :). It is needless to say that documents, working papers and processes on this topic are widely
available. SANS, CERT and the CIS all recommend that a compromised system be rebuilt, not from backup, but from scratch.
Further one must “Resist the temptation of restoring from backups” *1 and complete an “entire system install be
performed from read-only distribution media”.
So here, we have to look to the cost of both rebuilding the system and recreating the data. In the modern corporation,
the primary assets are often vested in the intellectual capital of the firm.
First, the system needs to be rebuilt as was listed above. There is no argument here (though I am willing to engage in
one) over the need to rebuild the system. The people at the company that was attacked do not and cannot know your
motives. They cannot assume you are benign, but have to assume that you are malignant being that you are willing to
break the law, that you are willing to face gaol.
If they assume otherwise they will suffer again. How do they know that you have not installed a rootkit? How is it
known that there is no timebomb on the server? You as the attacker have already demonstrated that you are not bound by
conventional morality and ethics. You have violated property rights, entered and penetrated a system, breached the
defences and raped the security of the site you choose as just “practice”.
Every attacker that does this makes it easier for the truly malicious attacker to succeed.
On top of this, add the loss due to the unavailability, reputation and compliance costs. Let us for the moment forget the
costs of tort against the company. The costs of action for a violation of privacy rights. The costs from a violation of
PCI-DSS. HIPAA violations or the effects to the company's share price.
Costs. They seem to be all over the place when you actually think about it. Each of these costs is damage. This damage
needs to be recovered. We all pay.
Now most organisations do not have, nor can afford to retain skilled incident response professionals. They need to
employ external parties at a cost. Even when they do have internal staff there is a cost, but the accounting process is
not so simple.
At rates (and this is based in Sydney, Australia) hiring personnel from a respected firm (and it is not likely to be
less in the case of fear from an attack driving firms to a position of trust) will have a charge out rate in the order
of $250-450 per hour. The investigation will take 10-100 hours (and in some cases longer though rare).
Is the cost of damages when placed against the risk worth it? I hope not, but this is a personal risk decision for the
individual to decide. I can do little to stop you committing cyber-trespass just as I can do little to stop you robbing
a 7-11. Mind you however, I am a bit of an a*8hole. If I get involved I will (in my personal time if needs be) map out
every piece of information that you have done and ensure that every lie you tell to try to worm out (aimed at those who
still try to do this act) of the consequences is proved beyond a reasonable doubt in court.
Animus nocendi or a mind to harm references the precise familiarity of illegal content of behaviour, and of its possible
consequences. Now that you have read this post, it may be argued that you have come to understand that there are
consequences for your actions if you choose to still attack a system (aimed at those who do). Please feel free to flame
me as reading this post effectively provides the essential condition to give a penal condemnation if you still choose
to violate the law by breaking into systems and causing damage.
So-called... NON-Malicious attacks have caused the following events to occur
1 Loss of human life (through systems damage)
2 Insolvency and the resultant human costs (lost jobs, etc)
so much for no damage... PPS even longer rant as to each of these with statistical data available ;)