Laws

Going outside of your contractual boundaries is not only unethical, it is also illegal. Penetration testers need to be aware of laws that might impact the type of tests they perform.

Throughout history, society has been plagued with different crimes crimes against people and crimes against property. Cybercrime is unlawful activity performed through the use of technology. Common types of cybercrime include the theft of passwords, network intrusions, possession of illegal material (child pornography), fraud, DoS attacks, eavesdropping, piracy, information warfare (cyberterrorism), malware (malicious software such as viruses), identity theft, and espionage. With the exception of perhaps DoS attacks, cybercrime presents no new types of unlawful activity. Cybercrime still constitutes crimes against people and property, just by different means.

Cybercrime does pose some new issues, however. Unlike traditional crime, cybercrime does not have physical constraints. If you were to rob a bank, you would have to arrive at the bank in person. If you were to "rob" an online bank, you could be anywhere in the world. Cybercrime also makes capturing physical evidence harder. Evidence is usually volatile and is often covered up by the perpetrator. Because cybercriminals can be anywhere in the world, law officials from different countries might have to work with each other to track down the cybercriminals.

To counteract this last difficulty, nations have sought to reach a consensus. The European Council Convention on Cybercrime acted to harmonize computer crime laws across European nations. Although noble in their attempt, reaching a consensus has been anything but harmonious. Getting more than 180 countries to agree on a single standard for security implementations is a daunting task. At best, there can only be guidelines for nations to use as "best-practices" recommendations.

The Organisation for Economic Co-Operation and Development (OECD) promotes policies geared toward producing sustainable economic growth. You can read about participating countries by visiting the OECD website at http://www.oecd.org. In 1992, the OECD published Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. On July 2, 2002, this document was updated to reflect changes in information security practices. This document is based on numerous principles, but the one most relevant to penetration testing is the reassessment principle, which states the following:

Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures, and procedures. (page 12)

Security assessments are essential to companies today, and those that want to follow the OECD guidelines should integrate regular penetration tests to assess their security infrastructure.

The OECD guidelines provide an initial framework for countries to then establish government standards and laws. In 1995, the Council Directive on Data Protection for the European Union declared that each European nation is to create protections similar to those spelled out in the OECD guidelines.

In the United States, penetration testers should be aware of two categories of laws:

• Laws pertaining to hacking

• Regulatory laws that produce the need for penetration testing

U.S. Laws Pertaining to Hacking

Following are examples of these laws:

• 1973 U.S. Code of Fair Information Practices

• 1986 Computer Fraud and Abuse Act (CFAA)

• State Laws

Note

At press time, the one and only computer crime law of the United Kingdom is the 1990 Computer Misuse Act. We hope for rapid success in the ongoing efforts to improve on the United Kingdom legislation on computer crime.

The sections that follow provide details on the laws in the preceding list and other laws pertaining to hacking.

1973 U.S. Code of Fair Information Practices

The Code of Fair Information Practices was developed by the Health, Education, and Welfare (HEW) Advisory Committee on Automated Data Systems. It is based on the following five principles:

1. There must be no personal data record-keeping systems whose very existence is secret.

2. There must be a way for a person to find out what information about the person is in a record and how it is used.

3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the consent of that person.

4. There must be a way for a person to correct or amend a record of identifiable information about the person.

5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

Although this law predates the current trends in penetration testing, it is still pertinent to professionals in the field. The fifth principle states that organizations must take precautions to prevent misuse of the data. As a penetration tester, you might gain access to sensitive personal identifiable information (PII) that you need to protect as if it were your own information. When a penetration test is finished, you should shred or incinerate PII data with a witness to verify that it has been destroyed.

1986 Computer Fraud and Abuse Act (CFAA)

If there ever were one definitive computer crime law, it would be the 18 § U.S.C. 1030 Computer Fraud and Abuse Act (CFAA). Originally based on the 1984 Fraud and Abuse Act and ratified in 1996, more computer hacking crimes are prosecuted under this law than under any other. Because of its immediate relevance, a significant portion is quoted here:

(a) Whoever - (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains - (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or information from any protected computer if the conduct involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused) - (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if - (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; ^[1] "r".

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection of this section. (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection of this section.

This law makes it a crime to knowingly access a computer and thereby intentionally cause damage without authorization to a protected computer. The key word here is intent. If a penetration tester were to unknowingly cause a DoS attack on a client and the contract does not permit such attacks, the penetration tester would not be guilty of this crime (although there might be consequences with civil law if there were a breach of contract). Acts committed by negligence are not covered under this law.

Security professionals who are knowledgeable of the tools and techniques covered in this book are sometimes tempted to try them at their workplace or against other organizations. These offenses come with serious penalties, however. Brett O'Keefe, the former president of a computer security consulting firm, was indicted in September 2003 for gaining access and stealing files belonging to NASA, the U.S. Army, the U.S. Navy, the Department of Energy, and the National Institute of Health by using some of the same techniques mentioned in this book. His case is ongoing, but he faces a potential 30 years in prison and a $250,000 fine.

Violators of 18 § U.S.C. 1030 can face fines and imprisonment up to 20 years.

Note

Because of sentencing guidelines, however, it is rare to find criminals sentenced to more than 5 years. Peter Borghard, for example, was sentenced to only 5 months in prison in June 2004 for cracking into the Internet service provider (ISP) Netline Services and causing a 15-hour disruption in service to its customers. David Smith, the creator of the Melissa virus (1999) that caused $80 million in damage, was sentenced to only 20 months in federal prison. These cases differ from the Brett O'Keefe case, however, in that these are not attacks against U.S. government or military facilities.

State Laws

Most states have their own computer crime laws. Generally, states divide their hacking and cracking laws into simple hacking crimes (basic unauthorized access) and aggravated hacking (unauthorized access that results in the commission of further criminal activity). Simple cracking laws are typically misdemeanors, whereas aggravated hacking crimes are felonies. Hawaii is an exception to this because it extends unauthorized access into first-degree, second-degree, and third-degree computer damage.

Cases prosecuted under state law are rare, however. As soon as a malicious attack crosses state lines, it becomes a federal offense. Because the Internet is a global network, and the Internet is the primary means that malicious hackers use to perform their attacks, most cases are prosecuted in federal courts. Cases can be tried in both federal and state court. Double jeopardy laws that prevent being tried twice for the same crime do not apply if the criminal charges are different. Therefore, computer crime could be brought before both state and federal courts.

To compare state laws, see http://nsi.org/Library/Compsec/computerlaw.

Regulatory Laws

In the preceding section, you read about laws pertaining to computer hacking. This section examines the following regulatory laws that can lead to the need for penetration testing:

• 1996 U.S. Kennedy-Kasselbaum Health Insurance Portability and Accountability Act (HIPAA)

• 2000 Graham-Leach-Bliley Act (GLBA)

• 2001 USA PATRIOT Act

• 2002 Federal Information Security Management Act (FISMA)

• 2003 Sarbanes-Oxley Act (SOX)

1996 U.S. Kennedy-Kasselbaum Health Insurance Portability and Accountability Act (HIPAA)

The U.S. Kennedy-Kasselbaum Health Insurance and Accountability Act (Public Law 104-191) was enacted on August 21, 1996 to combat fraud and abuse while improving access to health care services. Section 1173 (a)(2)(1) defines security standards for health information. It reads as follows:

SECURITY STANDARDS FOR HEALTH INFORMATION.--

"(1) SECURITY STANDARDS.--The Secretary shall adopt security standards that--" (A) take into account--"(i) the technical capabilities of record systems used to maintain health information;"(ii) the costs of security measures; "(iii) the need for training persons who have access to health information;"(iv) the value of audit trails in computerized record systems; and "(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and"(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.

"(2) SAFEGUARDS.--Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards "(A) to ensure the integrity and confidentiality of the information; "(B) to protect against any reasonably anticipated--"(i) threats or hazards to the security or integrity of the information; and "(ii) unauthorized uses or disclosures of the information; and" otherwise to ensure compliance with this part by the officers and employees of such person.

Health care professionals are responsible for ensuring the integrity and confidentiality of individually identifiable health information (IIHI). Anyone caught who knowingly discloses IIHI can face up to $100,000 in fines and up to 5 years in prison (Section 1177). The responsibility for health care professionals was extended to technology and software vendors on April 30, 2003 when the Department of Health and Human Services enacted the final rule on security practices, which included three safeguards to protect electronic public health information (EPHI).

As mentioned in section 1173, every health care entity that transmits PII should maintain administrative, technical, and physical safeguards. Administrative safeguards relate to policies and procedures affecting the transmission of EPHI. This also covers security awareness and training. Technical safeguards relate to software and hardware technology. This inclusion extends the responsibility onto software vendors and business partners who interact with health care organizations. Physical safeguards relate to physical protection of patient records. This encompasses both hard copies and technical equipment that stores soft copies of patient information. Physical security for technical equipment extends to workstation use and security.

As part of the administrative safeguards, organizations are required to perform periodic technical and nontechnical evaluations to determine their compliance with federal regulations. If you perform penetration testing against health care institutions, you should specifically attempt to obtain EPHI from them. This entails both attacking databases (see Chapter 8, "Performing Database Attacks") and social engineering (see Chapter 4, "Performing Social Engineering").

Note

Whether you are successful in getting EPHI, you would be well-advised to suggest that the client encrypt all EPHI. If someone does manage to obtain a copy of the data, no fines will apply if the data is encrypted because no loss will have occurred.

Graham-Leach-Bliley (GLB)

Before the Graham-Leach-Bliley act of 1999 (enacted in 2000), there was little certainty that your private financial information was kept confidential. This act intends to protect private personal data while in storage by implementing security access controls. All banks, credit unions, investment companies, and their partners are impacted by this act.

Title V requires clear disclosure of the privacy policy of a financial institution regarding how and when personal information is shared with other financial institutions. Penetration testers should be familiar with the policy of the institution and test to verify its accuracy. Specifically, you should test that personal nonpublic financial data is not accessible outside the boundaries posed in the policy.

USA PATRIOT Act

After the terrorist attacks against the United States on September 11, 2001, the U.S. Senate realized that it could not deal with terrorist threats as it did in antebellum days. To allow for more available means to intercept potential threats, the Senate passed the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act" (USA PATRIOT Act) on October 21, 2001.

Among other things, this act enhances surveillance procedures by making it easier for law officials to intercept electronic communications relating to computer crimes. Included within the PATRIOT Act is the Critical Infrastructure Protection Act of 2001 (Section 1006), which encourages a continual national effort to protect the cyber community and other infrastructure services critical to maintaining economic prosperity and national defense. It calls for the analysis of cyber and telecommunications infrastructure security. Penetration testers are hired to assist in this analysis by attempting to break into simulated environments established by the U.S. government.

2002 Federal Information Security Management Act (FISMA)

The purpose of this act is to strengthen the security access controls and policies to protect network infrastructures that support U.S. federal government operations. Section 3544 requires federal agencies to assess the "risk and magnitude of the harm that could result from the unauthorized access, disclosure, disruption, modification, or destruction of such information or information systems" and to periodically test "information security controls and techniques to ensure that they are effectively implemented."

Similar to the PATRIOT Act, this act broadens the scope of federal security beyond terrorist threats while drilling down specifically to federal information infrastructures. While the PATRIOT Act addresses telecommunications and cyber threats, this act addresses federal networks. Telecommunications and cyber threat testing is usually performed in simulated environments as recommended in the PATRIOT Act, whereas security assessments referred to in FISMA are done against live and simulated federal networks.

2003 Sarbanes-Oxley Act (SOX)

Section 404 of the Sarbanes-Oxley Act requires all CEOs and CFOs of Security and Exchange Commission (SEC) reporting companies with a market capitalization in excess of $75 million to provide written reports that assess the effectiveness of their internal control systems. Noncompliance can result in fines up to $5 million and imprisonment up to 20 years.

The best type of penetration testing related to this act is gray-box testing. Here, you are hired and granted access to a company network as a typical user. Your job is to see what data and control systems you are able to manipulate or damage that can result in financial gains for someone in the company.

Non-U.S. Laws Pertaining to Hacking

The United States is not the only country to have computer crime laws. Those at the forefront of prosecuting computer crime are Australia, Canada, France, Germany, Iran, Japan, North and South Korea, Saudi Arabia, and the United Kingdom. Although the individual laws are too numerous to mention here, one that is worth mentioning is the UK Computer Misuse Act of 1990.

This act is mentioned for two reasons:

• It has had a significant impact on the decisions made by the European Council directives against computer crime and privacy.

• The penetration testing field in England is popular, and its popularity is only going to continue growing.

In brief, this act defines three computer offenses:

• Unauthorized access to computer material

• Unauthorized access with intent to commit or facilitate commission of further offences

• Unauthorized modification of computer material

This law is the only law in the UK that pertains to computer crime. As you can tell by the date of its inception (1990), it is outdated by the standards of today. This leads the security community to call parliament to revise their act. Currently, it is difficult to prosecute against attacks that were not common in 1990, such as DoS attacks.

Nevertheless, the law is being used to prosecute against computer crime. Penetration testers should be careful that their contract is fully authorized by their requestor; otherwise, they might be in violation of this act.