Phil Huggins, Private Security Conference, Winter 2003
“I AM NOT A LAWYER.” This is not legal advice. This was written in 2003; laws change.
Overview
Computer Misuse Act
Data Protection Act
RIPA / Lawful Business Practice Regulations
Obscene Publications Act
Protection of Children Act
Summary
Most activity is already covered under existing laws and regulations: harassment, fraud, theft, etc.
The Police are constrained and empowered by other legislation: the Police and Criminal Evidence Act 1984 and the Regulation of Investigatory Powers Act 2000.
Be wary of taking technical instruction from the Police. Once you act as an ‘agent’ of the Police, the evidence you produce is bound by the same legislation they are bound by.
Computer Misuse Act 1990
Targets criminal computer manipulation; modelled on trespass.
Section 1 – Unauthorised access to computer material.
Section 2 – Unauthorised access with intent to commit or facilitate further offences.
Section 3 – Unauthorised modification of computer material.
Section 1 lacks teeth: the maximum sentence is a fine or six months, and custodial sentences are rare. Highlighted by the prosecution of Mathew Bevan (Kuji) and Richard Pryce (Datastream Cowboy) for the 1994 Rome Labs hack. Pryce, prosecuted under Section 1, received only a minor non-custodial penalty. Bevan was not prosecuted, as the Crown Prosecution Service did not consider it worthwhile.
Denial of Service Attacks: email flood, SYN flood, DDoS.
No access = not a Section 1 or 2 offence. No modification = not a Section 3 offence. A pure flood that neither accesses nor alters data therefore falls outside the Act as drafted.
Raphael Gray (Curador), 2000. Stole many credit card records from a number of e-commerce websites. His defence: at no point was he aware of the limit of his authorisation to access public services. He pleaded guilty, so the defence was not tested. Consider using the HTTP Server header to carry an authorisation statement, so that the limits of authorised use are stated to anyone who connects.
What is Authorisation?
Authority. Credentials – username / password. What are you authorised to do? Pin it down with Acceptable Use Statements for users and Job Descriptions for employees.
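The Curador slide suggests stating the limits of authorisation in the HTTP Server header, and the authorisation slide asks you to pin down what users are authorised to do. The following is an added example, not code from the original talk: a minimal Python HTTP server that replaces the default Server header with a software name plus an authorisation notice, and a client-side check that confirms the notice is actually being served. The server name, the wording of the notice and the "(TERMS: ...)" layout are assumptions chosen for illustration; the notice is a policy statement, not a fixed format.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed wording for the example; the real statement should come from your
# acceptable use policy, not from this script.
AUTHORISATION_NOTICE = (
    "Authorised use only. Access beyond the public pages is unauthorised "
    "and may be prosecuted under the Computer Misuse Act 1990"
)
NOTICE_PREFIX = "(TERMS: "


class NoticeHandler(BaseHTTPRequestHandler):
    def version_string(self):
        # send_response() calls this to fill the Server header, so overriding it
        # replaces the default "BaseHTTP/x.y Python/3.z" banner with the notice.
        return "ExampleHTTPd " + NOTICE_PREFIX + AUTHORISATION_NOTICE + ")"

    def do_GET(self):
        body = b"public page\n"
        self.send_response(200)  # adds Server (via version_string) and Date headers
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), NoticeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_server_header(host, port):
    """Return the Server header a live HTTP server sends, or None."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


def extract_notice(server_header):
    """Pull the authorisation notice back out of a Server header value, or None."""
    if not server_header:
        return None
    start = server_header.find(NOTICE_PREFIX)
    end = server_header.rfind(")")
    if start == -1 or end <= start:
        return None
    return server_header[start + len(NOTICE_PREFIX):end]


def server_header_carries_notice(host, port):
    """Deployment check: is the expected notice present on the running server?"""
    return extract_notice(fetch_server_header(host, port)) == AUTHORISATION_NOTICE


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print(fetch_server_header(host, port))
    print("notice present:", server_header_carries_notice(host, port))
    srv.shutdown()
```

A header of this kind is only weak evidence of notice: nothing forces a browser user to read it, and a court may not treat it as informing anyone of anything. It complements, rather than replaces, a logon banner the user must acknowledge and a signed Acceptable Use Statement, which are the mechanisms the later slides rely on for the "all reasonable efforts to inform users" test.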
Data Protection Act 1998
Administered by the Information Commissioner: http://www.dataprotection.gov.uk/
Covers data that identifies living individuals. Eight Principles, two of which are particularly relevant:
Appropriate technical and organisational measures must protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Failing to take such measures breaches the Act and is enforceable by the Information Commissioner.
Data should not be held for longer than is necessary. Current practice at a financial services client is to hold investigation-related data for at least 6 months but to formally review the requirement for retention every 12 months.
Sensitive Data: racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health; sexual life; criminal record (offences committed or alleged, and related proceedings).
“..where monitoring goes beyond mere human observation and involves the collection, processing and storage of any personal data it must be done in a way that is both lawful and fair to workers.”
An “impact assessment” must be conducted for any monitoring. Employee consent is NOT required UNLESS the data to be monitored is “sensitive data” as defined under the DPA. Covert monitoring requires authorisation at a “senior level” within the business.
Regulation of Investigatory Powers Act 2000 (RIPA)
Introduced to cope with the change in communications systems since the rapid growth of the Internet. Mainly focused on issues of interception and intrusive investigation. Includes provision for law enforcement and other public bodies to try to deal with the rapid spread of good quality encryption systems. The restrictions on businesses are detailed in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Under RIPA it is against the law for a business to intercept communications on its systems. Exceptions: under a warrant; with the consent of both sender and receiver; where the interception is required for the operation of the system; or where the Lawful Business Practice Regulations authorise it.
Lawful Business Practice decision flow (reconstructed from the original flowchart):
1. Is there an interception? No: there is nothing to authorise. Yes: continue.
2. Have the sender and the receiver both given consent? Yes: the interception can take place. No: continue.
3. Is the interception connected with the operation of the communications system? Yes: the interception can take place. No: continue.
4. Is the interception for an authorised business purpose, or only monitoring (not recording) to decide whether a communication is business related, or for a confidential telephone counselling service? No: no interception can take place. Yes: continue.
5. Have all reasonable efforts been made to inform users of the system that interception may take place? Yes: the interception can take place. No: no interception can take place.
Authorised Business Purposes include “to prevent and detect crime”, “to investigate or detect unauthorised use of the telecommunications system” and “to ensure the security of the system and its effective operation”. However, all reasonable efforts must be made to inform users of the interception. Workers, including temporary or contract staff, will be users of the system, but outside callers or senders of e-mail will not be.
Obscene Publications Act 1959
Amended by the Criminal Justice and Public Order Act 1994 to cover electronically stored and transmitted data. Material is obscene if its effect “tends to deprave and corrupt” those likely to be exposed to it. Case law suggests it is also obscene if it maintains an existing level of corruption. Very much open to interpretation by the court; no absolutes. There is no offence of simple possession; the offence is publishing (showing, distributing) obscene material or having it for publication for gain.
Protection of Children Act 1978
Offences: taking, making, distributing or showing indecent photographs or pseudo-photographs of children; possessing indecent photographs or pseudo-photographs of children (the possession offence is s.160 Criminal Justice Act 1988). Treat these as strict offences: the statutory defences are very narrow and there is no valid reason to knowingly possess these images. It is only recently that case law established that the Police themselves may legally possess this material for investigation. “Making” includes copying or downloading an image (R v Bowden [2000]), so do not copy, image or forward the material yourself. Contact the Police as soon as you discover this material. It is likely they will seize the disk and any backups, and they will NOT be returned. If you require other legal material from the seized disks you can request that they copy it for you. You will probably be charged for this.
Summary
The intent to commit, or the commission of, a non-CMA crime is more likely to lead to a successful criminal prosecution. Work with the Police, but be wary of following their direction without detailed support on evidential matters. Interception is allowed, but must be formally reviewed against both DPA and Lawful Business Practice requirements before it is carried out. Inform users and employees about the possibility of monitoring through system banners and acceptable use policies.