Home page logo
/

basics logo Security Basics mailing list archives

RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 1 Mar 2006 08:45:14 -0800

I know at least 15 folks that would let me bang away at their 
systems (without permission)

  If you *know* that they will *let* you, that IS "permission" 
(in the rest of the English-speaking world).  PROVING that you
knew, without something in writing, is left as an exercise for
the defendant.

David Gillett


-----Original Message-----
From: dave [mailto:fla.linux () gmail com] 
Sent: Wednesday, March 01, 2006 6:50 AM
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: Re: How hackers cause damage... was Vulnerabilites 
in new laws on computer hacking

David Gillett wrote:

1)  If it's your friend's machine, you should be able to get 
authorization from him/her.

whats the fun in that! If it's a friend and you arent going 
to do anything serious you shouldnt need permission. Once 
again: choose your targets wisely. My grandfather owns a 
business...nothing much but pretty successfull. I craked 
their companies servers without permission, I didnt do 
anything but place a note on the managers desktop saying I 
was there...so what! I know at least 15 folks that would let 
me bang away at their systems (without permission)....if you 
want to practice breaking into computers and you MUST have 
permission then get together with a few buddies with the same 
interest and see what you can all put together. We found a 
number of computers in trash after christmas. Yea...they were 
a bit old but 2 of them were good P4 systems that just needed 
some virus / spyware removed. We used these FREE machines to 
set up a small wargames network with various servers IIS, 
apache, ssh etc... If you have a server ask your friends to 
hack your server and ask them to share their results. This 
not only makes you a more skilled cracker it makes you more 
skilled at reacting to attacks and gives you first hand 
experience on how to set up IDS and other ways to secure 
various systems from attacks.

Do you really know what 153.18.19.33
is?  

Does 1.2.3.4 matter...my friends server is at www.?.com. I'll 
let the dns find the ip...besides all my friends use static 
IP for their servers and internet gateways. Yea..if your 
blindly scanning 1.2.3.4-1.2.3.255 then you are looking to 
get into something you prob. shouldnt.

Does knowing what it was yesterday tell you what it is today?
Do you know that it's not monitoring oxygen levels and 
anaesthetic flow 
during surgery?

I know for a fact that it is not...if the machine is that 
easily available over the internet I am pretty certain that 
it isnt keeping someones heart pumping. Most hospitals still 
use DOS based systems for these tasks sometimes. I am most 
certain that NONE of these machines have direct internet 
connection with an internet IP address. You would have to be 
poking around deep inside their internal network...no script 
kiddie can do this (if they can, or if admin connected life 
support (or any critical) system to internet, once again, he 
should be fired. The admin(even the company that hired him) 
that put such a critical system in such an insecure area 
should also be sued for liability if someones life was lost 
due to a security breach). This is not soley the crackers 
error. Stupid admins are responsible for their stupidity too.

Answers:  No.

2)  Same answer as above.

As far as "ability to bring down" -- there are legacy boxes 
out there 
which may crash when subjected to fairly simple probe code.
(No, I will not volunteer details.)  How do I know that you're not 
hunting for them?  Answer:  I *have to* assume that you are.
 

I hunt for no one...I couldnt care less what is out there. 
Yes...please keep quiet about how to crash an old DOS box. 
I'm sure it is real tricky.

If you have permission, this whole thread doesn't apply to 
you.  If you 
don't have permission -- THEN you don't have permission.

Yes..this thread was about kids trying to learn computers cracking.

A weasel "but I only meant to ..." *might* get you a lighter 
sentence, 
but it won't change that you broke the law.  Nor should it.
 

A weasel..hahaha. Some reading comprehension there! I never 
said one should be excused for breaking a law. I said the 
extent of the punishment dealt out by the law is to extreme 
for minor cases. Once again..if you kill someone you should 
face appropriate charges...if you bring down a production 
server then you should pay for your crime accordingly. If you 
do no harm you should do know time, no 'weaseling' 
necessary. Class B and C misdomeanors should recieve fine 
maybe probation. I have said this 10 times already and still 
you think I am saying that by not damaging anything it is not 
breaking a law...listen, spitting on the sidewalk is breaking 
the law...you shouldnt do time for it! As far as saying.."how 
do I know if they did harm"...well if you work at that 
companies IT/security department its your job to know. If you 
cant fullfil your job responsibilities then you should not have one. 
If I owned a company and we got hacked and the admin tells me 
he doesnt know what happened or what the guy did then what 
use is he to me? If the admin is worrying about losing his 
job then he needs to learn how to do his job. Anyone can just 
reinstall from original media at the first sign of an incedent.

Years ago me and my little brother cracked a network for a 
flower shop down the street. We knew a girl that worked there 
and wanted to goof on her. We cracked the companies web 
server and worked our way in etc... We had no permission. We 
did no damage to the machine(s). business was not interupted 
and no customers data was at risk at anytime (at least from 
us). Should we do prison time? Has anyone here ever actually 
been to a state prison? Get real!

I have read reports (on security focus.com) of people who 
have done time for others actions. Example: Lets say I wrote 
a trojan horse program and published it. If someone else were 
to use that program for ill means then I could face charges 
for writing and publishing the program. This HAS happened 
before. A man wrote a trojan and posted it on Astalavista. 
Another person used this program to commit a crime (tried to 
hack government computer if I remember correctly). The actual 
author was charged. This is another crazy computer based 
law....but in some places it is the *law*.

This topic is old and quickly getting stale...move on. It 
appears as if the reading comprehension here is pretty 
low...over half of the reponses showed that the reader didnt 
understand what I said.

The law has differnet degrees of crimes and punishment. 
Simply cracking a computer should not be that serious...I 
will not say it again. I will not read any more responses 
from people telling me that it IS breaking the law..I know, I 
have said this 10 times myself...I think everyone is in 
agreement there. The question is, how much punishment a kid 
should receive for looking around some computer (without 
permission). According to this group we should burn him at 
the stake for his evil deed. You know, burning people alive 
for speaking against the church was *law* too at one point in 
time, even then you had those who walked around and praised 
the law and tried to sound important. Good thing man as a 
whole doesnt put up with over extreme and nonesense laws 
forever. Once we get over our fear of technology (and we get 
over the bullshit fear of "hackers" that the media has 
created...same as JAWS and going to the beach...its 
nonsense!) the laws will need to be rewritten to incude some 
sanity / reasoning.

David Gillett


 

-----Original Message-----
From: dave [mailto:fla.linux () gmail com]
Sent: Saturday, February 25, 2006 8:20 AM
To: security-basics () securityfocus com
Cc: ROB DIXON
Subject: Re: How hackers cause damage... was Vulnerabilites in new 
laws on computer hacking

Good points???

   

1   Loss of human life (though systems damage)
     

How can a kid trying to crack his friends server cost someone their 
life?

   

2   Insolvancy and the resultant human costs (lost jobs, etc)
     

Pretty much same answer as above

I think a point was missed...We were initially talking 
about some kid 
who is trying to learn about computers by cracking various 
machines. 
Not some *super hacker* with the ability to bring down serious 
systems. I think the point I made was also overlooked...

If you are hell bent for leather and you simply must learn how to 
break into computers then at the very least be wise about 
what systems 
you try to crack into! Dont mess with production 
systems...dont mess 
with bank, hospitals, any big corporate company. Dont ever 
mess with 
any real businesses period. Dont think about government or law 
enforcment systems etc... Dont run "untested" exploits on otherwise 
important servers where crashing would be serious problem. 
As far as 
someone losing their life...please give a (realistic) 
example or two 
of how a human life was lost cause a kid tried to crack his friends 
web server or exploit some unpatched SSH deamon on some 
machine at his 
dinky little job. As far as someone losing his job...in an extreme 
scenario this could happen but not if the newbie cracker is wise in 
his choice of targets (if you can not be wise regarding 
your targets 
then you shouldnt be cracking computers). And as harsh as this may 
sound I will say it anyway...If some otherwise unskilled script 
kiddie, can break into your *important* system and do something bad 
enough to cause someone to possibly lose their life then you as the 
admin should be fired!

I also mentioned the financial burden 'Non malicous' 
attacks imposes 
on companies in resonding to the break-in. Once again...be 
wise about 
your targets...think small and realistic. You are NOT Aleph one or 
Mitnick or who ever...You are a script kiddie just trying 
to learn how 
it works. If you are at the point where your are bored with basic 
servers and want to venture into mainframe or otherwise corporate 
hacking then you are really no longer just some kid trying to learn 
and therefore you no longer are the point of this topic.

#### Kids trying to learn about computers who break into 
small scale 
targets and do no harm should do NO time!
#### skilled crackers/hackers who cause harm (be it 
intential or not) 
on important/critical systems should know better and should be 
prosicuted/punished accordingly. If someone lost their life 
due to a 
careless cracker then manslaughter charges should follow etc...



ROB DIXON wrote:

   

Well put Craig.
You made some good points regarding the so called 
     

"NON-Malicous attacks".
   


Robert L. Dixon,  CSO
CHFI A+
State of West Virginia's
West Virginia Office of Techonology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email:rdixon () workforcewv org


     

"Craig Wright" <cwright () bdosyd com au>  >>>
      

           

Hello,
There have been a large number of ill-informed posts 
     

regarding damage caused by cyber-trespass. This is for the 
purpose of this post described as breaking into a system with 
no clear intent to cause damage i.e. no Mens Rea or guilty 
mind. I will exclude all references to intention to damage or 
wilful damage and limit this to reckless damage alone.
   

Next, I will exclude Mens Rea as it may pertain to the fact 
     

that the act of committing a computer crime is by definition 
illegal. We all seem to understand that breaking into a 
computer without permission is a breach of the law so I shall 
not explore this avenue of argument.
   

The term in law refers to "actus non facit reum nisi mens 
     

sit rea", which means that "the act will not make a person 
guilty unless the mind is also guilty. This is a common 
defence in criminal cases though it will not help you in a 
civil tort case (i.e. civil damages).
   

With the seeming ignorant state that exists (not to all 
     

reading) to the levels of damage caused by breaking into 
systems and committing cyber-trespass I will endeavour to 
detail the resultant state of affairs.
   

I will aim solely at corporate systems for the critique 
     

following. This is not to state that Government, privately 
run or organisational systems have any lesser effects 
resultant from attack, but that this is a post and not a 
dissertation (though it is moving in that direction).
   

First we have the argument that has been fielded that at 
     

worst a system would just need to be rebuilt. A prior poster 
stated that he would analyse his system and track the 
incident. For the majority of the world this is not so 
simple. Most people are not skilled in either incident 
response techniques or digital forensic science (please note 
computer forensics is a misnomer and grammatically 
incorrect). Nor are most companies able to afford to rebuild 
systems on a regular basis for the fun of it.
   

Cyber-trespass leaves one in a state of doubt. It is 
     

commonly stated that the only manner of recovery from a 
system compromise is to rebuild the host. I will resist 
quoting a voluminous amount of material at this point (unless 
somebody wishes to dispute this :). It is needless to say 
that documents, working papers and processes on this topic 
are widely available. SANS, CERT and the CIS all recommend 
that a compromised system be rebuilt, not from backup, but 
from scratch.
   

Further one must "Resist the temptation of restoring from 
     

backups" *1 and complete an "entire system install be 
performed from read-only distribution media".
   

So here, we have to look to the cost of both rebuilding the 
     

system and recreating the data. In the modern corporation, 
the primary assets are often vested in the intellectual 
capital of the firm.
   

First, the system needs to be rebuilt as was listed above. 
     

There is no argument here (though I am willing to engage in 
one) over the need to rebuild the system. The people at the 
company that was attacked do not and cannot know your 
motives. They cannot assume you are benign, but have to 
assume that you are malignant being that you are willing to 
break the law, that you are willing to face gaol.
   

If they assume otherwise they will suffer again. How do they 
     

know that you have not installed a rootkit? How is it known 
that there is no timebomb on the server. You as the attacker 
have already demonstrated that you are not bound my 
conventional morality and ethics. You have violated property 
rights, entered and penetrated a system, breached the 
defences and raped the security of the site you choose as 
just "practice".
   

Every attacker that does this makes it easier for the truly 
     

malicious attacker to succeed.
   

On top of this, add the loss due the unavailability, 
     

reputation and compliance costs. Let us for the moment forget 
the costs of tort against the company. The costs of action 
for a violation of privacy rights. The costs from a violation 
of PCI-DSS. HIPPA Violations or the effects to the companies 
share price.
   

Costs. They seem to be all over the place when you actually 
     

think about it. Each of these costs is damage. This damage 
needs to be recovered. We all pay. 
   

Now most organisations do not have, not can afford to retain 
     

skilled incident response professionals. They need to employ 
external parties at a cost. Even when they do have internal 
staff there is a cost, but the accounting process is not so simple.
   

At rates (and this is based in Sydney, Australia) hiring 
     

personal from a respected firm (and it is not likely to be 
less in the case of fear from an attack driving firms to a 
position of trust) will have a charge out rate in the order 
of $ 250-450 per hour. The investigation will take 10 -100 
hours (and in some cases longer though rare).
   

Is the cost of damages when placed against the risk worth 
     

it. I hope not, but this is a personal risk decision for the 
individual to decide. I can do little to stop you committing 
cyber-trespass just as I can do little to stop you robbing a 
7-11. Mind you however, I am a bit of an a*8hole. If I get 
involved I will (in my personal time if needs be) map out 
every piece of information that you have done and ensure that 
every lie you tell to try to worm out (aimed at those who 
still try to do this act) of the consequences is proved 
beyond a reasonable doubt in court.
   

Animus nocendi or a mind to harm reference the precise 
     

familiarity of illegal content of behaviour, and of its 
possible consequences. Now that you have read this post, it 
may be argued that you have come to understand that there are 
consequences for your actions if you choose to still attack a 
system (aimed at those who do). Please feel free to flame me 
as reading this post effectively provides the essential 
condition to give a penal condemnation if you still choose to 
violate the law by breaking into systems and causing damage.
   

Regards,

Craig



PS

So called.. NON-Malicous attacks have caused the following 
     

events to occur
   

1   Loss of human life (though systems damage)

2   Insolvancy and the resultant human costs (lost jobs, etc)

so much for no damage... PPS even longer rant as to each of 
     

these with statistical data available ;)
   

Liability limited by a scheme approved under Professional 
     

Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such 
legislation exists.
   

DISCLAIMER
The information contained in this email and any attachments 
     

is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have 
received this email in error, please inform us promptly by 
reply email or by telephoning +61 2 9286 5555. Please delete 
the email and destroy any printed copy.  
   

Any views expressed in this message are those of the 
     

individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO 
or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.
   

BDO accepts no liability for any damage caused by this email 
     

or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.
   

-------------------------------------------------------------
     

--------------
   

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec 
     

management 
   

education and the case study affords you unmatched 
     

consulting experience. 
   

Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
     

Continuity Planning, 
   

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------
     

--------------
   



     


--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec 
management 
education and the case study affords you unmatched consulting 
experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------

   



-------------------------------------------------------------
--------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec 
management 
education and the case study affords you unmatched 
consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business 
Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------
--------------


 




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]