Home page logo
/

basics logo Security Basics mailing list archives

RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 27 Feb 2006 15:01:51 -0800

1)  If it's your friend's machine, you should be able to get 
authorization from him/her.  Do you really know what 153.18.19.33 
is?  Does knowing what it was yesterday tell you what it is today?
Do you know that it's not monitoring oxygen levels and anaesthetic
flow during surgery?  Answers:  No.

2)  Same answer as above.

As far as "ability to bring down" -- there are legacy boxes out 
there which may crash when subjected to fairly simple probe code.
(No, I will not volunteer details.)  How do I know that you're not
hunting for them?  Answer:  I *have to* assume that you are.

If you have permission, this whole thread doesn't apply to you.  If
you don't have permission -- THEN you don't have permission.  A
weasel "but I only meant to ..." *might* get you a lighter sentence,
but it won't change that you broke the law.  Nor should it.

David Gillett


-----Original Message-----
From: dave [mailto:fla.linux () gmail com] 
Sent: Saturday, February 25, 2006 8:20 AM
To: security-basics () securityfocus com
Cc: ROB DIXON
Subject: Re: How hackers cause damage... was Vulnerabilites 
in new laws on computer hacking

Good points???

1   Loss of human life (though systems damage)
How can a kid trying to crack his friends server cost someone 
their life?

2   Insolvancy and the resultant human costs (lost jobs, etc)
Pretty much same answer as above

I think a point was missed...We were initially talking about 
some kid who is trying to learn about computers by cracking 
various machines. Not some *super hacker* with the ability to 
bring down serious systems. I think the point I made was also 
overlooked...

If you are hell bent for leather and you simply must learn 
how to break into computers then at the very least be wise 
about what systems you try to crack into! Dont mess with 
production systems...dont mess with bank, hospitals, any big 
corporate company. Dont ever mess with any real businesses 
period. Dont think about government or law enforcment systems 
etc... Dont run "untested" exploits on otherwise important 
servers where crashing would be serious problem. As far as 
someone losing their life...please give a (realistic) example 
or two of how a human life was lost cause a kid tried to 
crack his friends web server or exploit some unpatched SSH 
deamon on some machine at his dinky little job. As far as 
someone losing his job...in an extreme scenario this could 
happen but not if the newbie cracker is wise in his choice of 
targets (if you can not be wise regarding your targets then 
you shouldnt be cracking computers). And as harsh as this may 
sound I will say it anyway...If some otherwise unskilled 
script kiddie, can break into your *important* system and do 
something bad enough to cause someone to possibly lose their 
life then you as the admin should be fired! 

I also mentioned the financial burden 'Non malicous' attacks 
imposes on companies in resonding to the break-in. Once 
again...be wise about your targets...think small and 
realistic. You are NOT Aleph one or Mitnick or who ever...You 
are a script kiddie just trying to learn how it works. If you 
are at the point where your are bored with basic servers and 
want to venture into mainframe or otherwise corporate hacking 
then you are really no longer just some kid trying to learn 
and therefore you no longer are the point of this topic.

#### Kids trying to learn about computers who break into 
small scale targets and do no harm should do NO time!
#### skilled crackers/hackers who cause harm (be it intential 
or not) on important/critical systems should know better and 
should be prosicuted/punished accordingly. If someone lost 
their life due to a careless cracker then manslaughter 
charges should follow etc...



ROB DIXON wrote:

Well put Craig.
You made some good points regarding the so called 
"NON-Malicous attacks".



Robert L. Dixon,  CSO
CHFI A+
State of West Virginia's
West Virginia Office of Techonology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email:rdixon () workforcewv org
 

"Craig Wright" <cwright () bdosyd com au>  >>>
       


Hello,
There have been a large number of ill-informed posts 
regarding damage caused by cyber-trespass. This is for the 
purpose of this post described as breaking into a system with 
no clear intent to cause damage i.e. no Mens Rea or guilty 
mind. I will exclude all references to intention to damage or 
wilful damage and limit this to reckless damage alone.

Next, I will exclude Mens Rea as it may pertain to the fact 
that the act of committing a computer crime is by definition 
illegal. We all seem to understand that breaking into a 
computer without permission is a breach of the law so I shall 
not explore this avenue of argument.

The term in law refers to "actus non facit reum nisi mens 
sit rea", which means that "the act will not make a person 
guilty unless the mind is also guilty. This is a common 
defence in criminal cases though it will not help you in a 
civil tort case (i.e. civil damages).

With the seeming ignorant state that exists (not to all 
reading) to the levels of damage caused by breaking into 
systems and committing cyber-trespass I will endeavour to 
detail the resultant state of affairs.

I will aim solely at corporate systems for the critique 
following. This is not to state that Government, privately 
run or organisational systems have any lesser effects 
resultant from attack, but that this is a post and not a 
dissertation (though it is moving in that direction).

First we have the argument that has been fielded that at 
worst a system would just need to be rebuilt. A prior poster 
stated that he would analyse his system and track the 
incident. For the majority of the world this is not so 
simple. Most people are not skilled in either incident 
response techniques or digital forensic science (please note 
computer forensics is a misnomer and grammatically 
incorrect). Nor are most companies able to afford to rebuild 
systems on a regular basis for the fun of it.

Cyber-trespass leaves one in a state of doubt. It is 
commonly stated that the only manner of recovery from a 
system compromise is to rebuild the host. I will resist 
quoting a voluminous amount of material at this point (unless 
somebody wishes to dispute this :). It is needless to say 
that documents, working papers and processes on this topic 
are widely available. SANS, CERT and the CIS all recommend 
that a compromised system be rebuilt, not from backup, but 
from scratch.

Further one must "Resist the temptation of restoring from 
backups" *1 and complete an "entire system install be 
performed from read-only distribution media".

So here, we have to look to the cost of both rebuilding the 
system and recreating the data. In the modern corporation, 
the primary assets are often vested in the intellectual 
capital of the firm.

First, the system needs to be rebuilt as was listed above. 
There is no argument here (though I am willing to engage in 
one) over the need to rebuild the system. The people at the 
company that was attacked do not and cannot know your 
motives. They cannot assume you are benign, but have to 
assume that you are malignant being that you are willing to 
break the law, that you are willing to face gaol.

If they assume otherwise they will suffer again. How do they 
know that you have not installed a rootkit? How is it known 
that there is no timebomb on the server. You as the attacker 
have already demonstrated that you are not bound my 
conventional morality and ethics. You have violated property 
rights, entered and penetrated a system, breached the 
defences and raped the security of the site you choose as 
just "practice".

Every attacker that does this makes it easier for the truly 
malicious attacker to succeed.

On top of this, add the loss due the unavailability, 
reputation and compliance costs. Let us for the moment forget 
the costs of tort against the company. The costs of action 
for a violation of privacy rights. The costs from a violation 
of PCI-DSS. HIPPA Violations or the effects to the companies 
share price.

Costs. They seem to be all over the place when you actually 
think about it. Each of these costs is damage. This damage 
needs to be recovered. We all pay. 

Now most organisations do not have, not can afford to retain 
skilled incident response professionals. They need to employ 
external parties at a cost. Even when they do have internal 
staff there is a cost, but the accounting process is not so simple.

At rates (and this is based in Sydney, Australia) hiring 
personal from a respected firm (and it is not likely to be 
less in the case of fear from an attack driving firms to a 
position of trust) will have a charge out rate in the order 
of $ 250-450 per hour. The investigation will take 10 -100 
hours (and in some cases longer though rare).

Is the cost of damages when placed against the risk worth 
it. I hope not, but this is a personal risk decision for the 
individual to decide. I can do little to stop you committing 
cyber-trespass just as I can do little to stop you robbing a 
7-11. Mind you however, I am a bit of an a*8hole. If I get 
involved I will (in my personal time if needs be) map out 
every piece of information that you have done and ensure that 
every lie you tell to try to worm out (aimed at those who 
still try to do this act) of the consequences is proved 
beyond a reasonable doubt in court.

Animus nocendi or a mind to harm reference the precise 
familiarity of illegal content of behaviour, and of its 
possible consequences. Now that you have read this post, it 
may be argued that you have come to understand that there are 
consequences for your actions if you choose to still attack a 
system (aimed at those who do). Please feel free to flame me 
as reading this post effectively provides the essential 
condition to give a penal condemnation if you still choose to 
violate the law by breaking into systems and causing damage.

Regards,

Craig



PS

So called.. NON-Malicous attacks have caused the following 
events to occur

1   Loss of human life (though systems damage)

2   Insolvancy and the resultant human costs (lost jobs, etc)

so much for no damage... PPS even longer rant as to each of 
these with statistical data available ;)


Liability limited by a scheme approved under Professional 
Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such 
legislation exists.

DISCLAIMER
The information contained in this email and any attachments 
is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have 
received this email in error, please inform us promptly by 
reply email or by telephoning +61 2 9286 5555. Please delete 
the email and destroy any printed copy.  

Any views expressed in this message are those of the 
individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO 
or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email 
or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.


-------------------------------------------------------------
--------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec 
management 
education and the case study affords you unmatched 
consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------
--------------


 




--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting 
experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]