Feb 15, 2012
Ethics and Legality
Know the laws dealing with computer crimes and their implications Recent FBI reports on computer crime indicate that unauthorized computer use in 2005 was reported at 56 percent of U.S. companies surveyed. This is an increase of 3 percent from 2004. Various website attacks were up 6 percent from 2004. These figures indicate that computer crime caused by hackers continues to increase. A computer or network can become the victim of a crime committed by a hacker. Hackers use computers as a tool to commit a crime or to plan, track, and control a crime against other computers or networks. Your job as an ethical hacker is to find vulnerabilities before the attackers do and help prevent them from carrying out malicious activities. Tracking and prosecuting hackers can be a difficult job as international law is often ill-suited to deal with the problem. Unlike conventional crimes that occur in one location, hacking crimes might originate in India, use a system based in Singapore, and target a computer network located in Canada. Each country has conflicting views on what constitutes cyber crime. Even if hackers can be punished, attempting to do so can be a legal nightmare. It is hard to apply national borders to a medium such as the Internet that is essentially borderless.
Some individuals approach computing and hacking from the social perspective and believethat hacking can promote change. These individuals are known as hactivists, these “hacker activists” use computers and technology for hi-tech campaigning and social change. They believe that defacing websites and hacking servers is acceptable as long as it promotes their goals. Regardless of their motives, hacking remains illegal and they are subject to the same computer crime laws as any other criminal.Overview of U.S. Federal Laws
Although some hackers might have the benefit of bouncing around the globe from system to system, your work will likely occur within the confines of the host nation. The United States and some other countries have instigated strict laws to deal with hackers and hacking. During the past five years, the U.S. federal government has taken an active role in dealing with computer, Internet, privacy, corporate threats, vulnerabilities, and exploits. These are laws you should be aware of and not become entangled in. Hacking is covered under law Title 18: Crimes and Criminal Procedure: Part 1: Crimes: Chapter 47: Fraud and False Statements: Section 1029 and 1030. Each are described here:
Fraud and related activity with access devices. This law gives the U.S. federal government the power to prosecute hackers that knowingly and with intent to defraud, produce, use, or traffic in one or more counterfeit access devices. Access devices can be an application or hardware that is created specifically to generate any type of access credentials, including passwords, credit card numbers, long distance telephone service access codes, PINs, and so on for the purpose of unauthorized access.
Fraud and related activity in connection with computers. The law covers just about any computer or device connected to a network or Internet. It mandates penalties for anyone who accesses a computer in an unauthorized manner or exceeds one’s access rights. This a powerful law because companies can use it to prosecute employees when they use the rights the companies have given them to carry out fraudulent activities.
Sections 1029 and 1030 are the main statutes that address computer crime in U.S. federal law. Understand its basic coverage and penalties.
The Evolution of Hacking Laws
In 1985, hacking was still in its infancy in England. Because of the lack of hacking laws, some British hackers felt there was no way they could be prosecuted. Triludan the Warrior was one of these individuals. Besides breaking into the British Telecom system, he also broke an admin password for Prestel. Prestel was a dialup service that provided online services, shopping, email, sports, and weather. One user of Prestel was His Royal Highness, Prince Phillip. Triludan broke into the Prince’s mailbox along with various other activities, such as leaving the Prestel system admin messages and taunts. Triludan the Warrior was caught on April 10, 1985, and was charged with five counts of forgery, as no hacking laws existed. After several years and a 3.5 million dollar legal battle, Triludan was eventually acquitted. Others were not so lucky because in 1990, Parliament passed The Computer Misuse Act, which made hacking attempts punishable by up to five years in jail. Today, the UK, along with most of the Western world, has extensive laws against hacking.
The federal punishment described in Sections 1029 and 1030 for hacking into computers ranges from a fine or imprisonment for no more than one year. It might also include a fine and imprisonment for no more than twenty years. This wide range of punishment depends on the seriousness of the criminal activity and what damage the hacker has done. Other federal laws that address hacking include:
Electronic Communication Privacy Act
Mandates provisions for access, use, disclosure, interception, and privacy protections of electronic communications. The law encompasses USC Sections 2510 and 2701. According to the U.S. Code, electronic communications “means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic, or photo optical system that affects interstate or foreign commerce.” This law makes it illegal for individuals to capture communication in transit or in storage. Although these laws were originally developed to secure voice communications, it now covers email and electronic communication.
Computer Fraud and Abuse Act of 1984
The Computer Fraud and Abuse Act (CFAA) of 1984 protects certain types of information that the government maintains as sensitive. The Act defines the term “classified computer,” and imposes punishment for unauthorized or misused access into one of these protected computers or systems. The Act also mandates fines and jail time for those who commit specific computer - related actions, such as trafficking in passwords or extortion by threatening a computer. In 1992, Congress amended the CFAA to include malicious code, which was not included in the original Act.
The Cyber Security Enhancement Act of 2002 - This Act mandates that hackers who carry out certain computer crimes might now get life sentences in jail if the crime could result in another’s bodily harm or possible death. This means that if hackers disrupt a 911 system, they could spend the rest of their days in jail.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 - Originally passed because of the World Trade Center attack on September 11, 2001. Strengthens computer crime laws and has been the subject of some controversy. This Act gives the U.S. government extreme latitude in pursuing criminals. The Act permits the U.S. government to monitor hackers without a warrant and perform sneak and peek searches.
The Federal Information Security Management Act (FISMA) - Signed into law in 2002 as part of the E-Government Act of 2002, replacing the Government Information Security Reform Act (GISRA). FISMA was enacted to address the information security requirements for non-national security government agencies. FISMA provides a statutory framework for securing government owned and operated IT infrastructures and assets.
Federal Sentencing Guidelines of 1991 - Provide guidelines to judges so that sentences would be handed down in a more uniform manner.
Economic Espionage Act of 1996 - Defines strict penalties for those accused of espionage.
U.S. Child Pornography Prevention Act of 1996 - Enacted to combat and reduce the use of computer technology to produce and distribute pornography.
U.S. Health Insurance Portability and Accountability Act (HIPPA) - Established privacy and security regulations for the health care industry.
Tags : Ethical Hacking