
Guide tells 'grey hats' how to avoid legal pitfalls

Tom Espiner ZDNet.co.uk

Published: 25 Nov 2008 15:13 GMT


The US-based Electronic Frontier Foundation has published a guide on how IT professionals can avoid falling foul of the law as a result of ethical hacking.

The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide ponders such questions as what a security researcher should do if they unintentionally "violate the law" in the course of their investigations.

"A computer-security researcher who has inadvertently violated the law during the course of her investigation faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company's products," the guide states. "By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied."

The EFF said that researchers in this situation could reconstruct research using technology they are authorised to use, or report the flaw in general terms. However, both of these options are "undesirable", the EFF said.

In terms of US law, the statutes researchers could inadvertently flout include the Computer Fraud and Abuse Act, the anti-circumvention provisions of the Digital Millennium Copyright Act, other copyright law, and other state and international laws, the EFF warned.

The EFF, therefore, recommended that security researchers consult with an attorney before undertaking potentially risky research.

"Because the regulatory regime is complicated and non-intuitive, security researchers may have more reason to worry about legal challenges than other scientists," the guide states. "Potentially, a researcher may unintentionally violate the law through ignorance or misplaced enthusiasm, or an offended party can stretch or misuse the law to challenge research that casts its products or services in a negative light."


The guide adds that companies that regularly deal with vulnerabilities, such as software firms, are less likely to sue "innocent researchers".

UK IT professionals also need to try to avoid legal entanglement, penetration-testing company First Base Technologies told ZDNet UK on Tuesday. Potential pitfalls include transgression of the Computer Misuse Act (CMA) and breaking anti-terrorism, privacy and human-rights laws, according to Peter Wood, chief of operations for First Base Technologies.

"We engage the owner of a system to get explicit permission before doing penetration testing," said Wood. "Some internal employees get a bit over-enthusiastic and unintentionally bring down systems — more frequently than you would expect. Clients have experienced someone doing something silly a couple of times a year. Doing research on the web and then testing exploits on systems will leave you on very dodgy ground."

Using tools such as TCP port scanners inappropriately can transgress the CMA, Wood warned. "Even tools like SuperScan will connect to a service and are not non-invasive," he said.

Use of such tools can be illegal under the CMA, as the researcher would be using the system for a purpose other than that for which it was originally intended, said Wood.

"For example, to do a vulnerability analysis on an SMTP mail server, it's likely you'd connect to a scanning tool, to answer questions about how the mail server is configured," said Wood. "But that would be using the mail server for a purpose [for which] it was not intended."

Gaining explicit consent from the owner of the systems to be tested could circumvent this problem, and also overcome potential problems with privacy and human-rights issues, Wood added.

"People evaluating security on individual workstations may not have thought of privacy considerations," said Wood. To overcome potential copyright issues, non-disclosure agreements could be entered into, he added.
