RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking
- From: "Craig Wright" <cwright@xxxxxxxxxxxxx>
- Date: Wed, 1 Mar 2006 08:36:46 +1100
Hello,
A kid or adult or whatever (and the figures show that most script
kiddies are adult - see prior post)
Point 1 - Loss of life
There is an example a few years back in the UK. A male nurse was
"exploring" the hospital's servers and other attached systems. These
systems ran a database. The result was that patient scripts were mixed
up.
This case *luckily* was discovered before any lives were lost. Several
people did get hospitalised.
Next, NY 1993. A 21 YO male broke into the Bell systems to "study the
internal workings". This resulted in the emergency services response
lines (i.e. 911) being unavailable for a time. I see this as a threat to
life. I hope that you do as well.
USA, Boston 1997, male - under 18 (age not recorded). The person accessed
airport computers, causing damage and disruption to air traffic control
computers. He also broke into a pharmacy and accessed prescriptions; he
also caused the local phone company to be down for 6.5 hours on one day
(including emergency calls).
NZ ([2001] NZCA 71) - April 2001, another "break into a phone company and
cause inadvertent damage" case.
We are NOT talking about a "super hacker". They are less likely to cause
inadvertent damage.
The script-kiddies you talk about are NOT kids in general. There are
MORE 50+ script kiddies charged than there are under-18s. Most script
kiddies are in their 20s (I posted the stats previously).
Regards
Craig
-----Original Message-----
From: dave [mailto:fla.linux@xxxxxxxxx]
Sent: 26 February 2006 3:20
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: ROB DIXON
Subject: Re: How hackers cause damage... was Vulnerabilites in new laws
on computer hacking
Good points???
1 Loss of human life (through systems damage)
How can a kid trying to crack his friend's server cost someone their
life?
2 Insolvency and the resultant human costs (lost jobs, etc)
Pretty much the same answer as above.
I think a point was missed... We were initially talking about some kid
who is trying to learn about computers by cracking various machines. Not
some *super hacker* with the ability to bring down serious systems. I
think the point I made was also overlooked...
If you are hell bent for leather and you simply must learn how to break
into computers then at the very least be wise about what systems you try
to crack into! Don't mess with production systems... don't mess with banks,
hospitals, any big corporate company. Don't ever mess with any real
businesses, period. Don't think about government or law enforcement systems
etc... Don't run "untested" exploits on otherwise important servers where
crashing would be a serious problem. As far as someone losing their
life... please give a (realistic) example or two of how a human life was
lost because a kid tried to crack his friend's web server or exploit some
unpatched SSH daemon on some machine at his dinky little job. As far as
someone losing his job... in an extreme scenario this could happen but
not if the newbie cracker is wise in his choice of targets (if you can
not be wise regarding your targets then you shouldn't be cracking
computers). And as harsh as this may sound I will say it anyway... If
some otherwise unskilled script kiddie can break into your *important*
system and do something bad enough to cause someone to possibly lose
their life then you as the admin should be fired!
I also mentioned the financial burden 'non-malicious' attacks impose on
companies in responding to the break-in. Once again... be wise about your
targets... think small and realistic. You are NOT Aleph One or Mitnick or
whoever... You are a script kiddie just trying to learn how it works. If
you are at the point where you are bored with basic servers and want to
venture into mainframe or otherwise corporate hacking then you are
really no longer just some kid trying to learn and therefore you no
longer are the point of this topic.
#### Kids trying to learn about computers who break into small scale
targets and do no harm should do NO time!
#### Skilled crackers/hackers who cause harm (be it intentional or not) on
important/critical systems should know better and should be
prosecuted/punished accordingly. If someone lost their life due to a
careless cracker then manslaughter charges should follow etc...
ROB DIXON wrote:
Well put Craig.
You made some good points regarding the so called "NON-Malicious
attacks".
Robert L. Dixon, CSO
CHFI A+
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email: rdixon@xxxxxxxxxxxxxxx
"Craig Wright" <cwright@xxxxxxxxxxxxx> >>>
Hello,
There have been a large number of ill-informed posts regarding damage
caused by cyber-trespass. This is for the purpose of this post described
as breaking into a system with no clear intent to cause damage, i.e. no
Mens Rea or guilty mind. I will exclude all references to intention to
damage or wilful damage and limit this to reckless damage alone.
Next, I will exclude Mens Rea as it may pertain to the fact that the
act of committing a computer crime is by definition illegal. We all seem
to understand that breaking into a computer without permission is a
breach of the law so I shall not explore this avenue of argument.
The term in law refers to "actus non facit reum nisi mens sit rea",
which means that "the act will not make a person guilty unless the mind
is also guilty". This is a common defence in criminal cases though it
will not help you in a civil tort case (i.e. civil damages).
With the seemingly ignorant state that exists (not to all reading) as to the
levels of damage caused by breaking into systems and committing
cyber-trespass, I will endeavour to detail the resultant state of
affairs.
I will aim solely at corporate systems for the critique following. This
is not to state that Government, privately run or organisational systems
have any lesser effects resultant from attack, but that this is a post
and not a dissertation (though it is moving in that direction).
First we have the argument that has been fielded that at worst a system
would just need to be rebuilt. A prior poster stated that he would
analyse his system and track the incident. For the majority of the world
this is not so simple. Most people are not skilled in either incident
response techniques or digital forensic science (please note computer
forensics is a misnomer and grammatically incorrect). Nor are most
companies able to afford to rebuild systems on a regular basis for the
fun of it.
Cyber-trespass leaves one in a state of doubt. It is commonly stated
that the only manner of recovery from a system compromise is to rebuild
the host. I will resist quoting a voluminous amount of material at this
point (unless somebody wishes to dispute this :). It is needless to say
that documents, working papers and processes on this topic are widely
available. SANS, CERT and the CIS all recommend that a compromised
system be rebuilt, not from backup, but from scratch.
Further, one must "Resist the temptation of restoring from backups" *1
and complete an "entire system install be performed from read-only
distribution media".
So here, we have to look to the cost of both rebuilding the system and
recreating the data. In the modern corporation, the primary assets are
often vested in the intellectual capital of the firm.
First, the system needs to be rebuilt as was listed above. There is no
argument here (though I am willing to engage in one) over the need to
rebuild the system. The people at the company that was attacked do not
and cannot know your motives. They cannot assume you are benign, but
have to assume that you are malignant, being that you are willing to
break the law, that you are willing to face gaol.
If they assume otherwise they will suffer again. How do they know that
you have not installed a rootkit? How is it known that there is no
timebomb on the server? You as the attacker have already demonstrated
that you are not bound by conventional morality and ethics. You have
violated property rights, entered and penetrated a system, breached the
defences and raped the security of the site you chose as just
"practice".
Every attacker that does this makes it easier for the truly malicious
attacker to succeed.
On top of this, add the loss due to the unavailability, reputation and
compliance costs. Let us for the moment forget the costs of tort against
the company. The costs of action for a violation of privacy rights. The
costs from a violation of PCI-DSS. HIPAA violations or the effects on
the company's share price.
Costs. They seem to be all over the place when you actually think about
it. Each of these costs is damage. This damage needs to be recovered. We
all pay.
Now most organisations do not have, nor can afford to retain, skilled
incident response professionals. They need to employ external parties at
a cost. Even when they do have internal staff there is a cost, but the
accounting process is not so simple.
At rates (and this is based in Sydney, Australia) hiring personnel from
a respected firm (and it is not likely to be less in the case of fear
from an attack driving firms to a position of trust) will have a charge
out rate in the order of $250-450 per hour. The investigation will take
10-100 hours (and in some cases longer, though rare).
Is the cost of damages when placed against the risk worth it? I hope
not, but this is a personal risk decision for the individual to decide.
I can do little to stop you committing cyber-trespass just as I can do
little to stop you robbing a 7-11. Mind you however, I am a bit of an
a*8hole. If I get involved I will (in my personal time if needs be) map
out every piece of information that you have done and ensure that every
lie you tell to try to worm out (aimed at those who still try to do this
act) of the consequences is proved beyond a reasonable doubt in court.
Animus nocendi, or a mind to harm, references the precise familiarity of
illegal content of behaviour, and of its possible consequences. Now that
you have read this post, it may be argued that you have come to
understand that there are consequences for your actions if you choose to
still attack a system (aimed at those who do). Please feel free to flame
me as reading this post effectively provides the essential condition to
give a penal condemnation if you still choose to violate the law by
breaking into systems and causing damage.
Regards,
Craig
PS
So called.. NON-Malicious attacks have caused the following events to
occur:
1 Loss of human life (through systems damage)
2 Insolvency and the resultant human costs (lost jobs, etc)
so much for no damage... PPS even longer rant as to each of these with
statistical data available ;)
Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use or
disclose the information. If you have received this email in error,
please inform us promptly by reply email or by telephoning +61 2 9286
5555. Please delete the email and destroy any printed copy.
Any views expressed in this message are those of the individual sender.
You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.
----
-----------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
-----------------------------------------------------------------------