Penetration testing: Permission, ownership and "hacking laws" overview

When performing a penetration test it is very important to have permission from the parties involved, which may include third parties if a company has outsourced or managed services as part of it's IT infrastructure.

In recent times, outsourcing, managed services, cloud-computing and the global nature of IT infrastructure, combined with new legislation in various countries have added complexity to penetration testing.

This has made it increasingly important for pen-testers to have a very clear understanding of who owns the systems they are targeting, and infrastructure between the testing systems and the targets (which may be affected by testing).

This blog is a brief overview of things to watch out for with the permission and legality of tests. I also outline various laws relating to computer crime in several key countries.


Written permission

Written permission is the most important prerequisite before starting a penetration test. This is very important even in an internal penetration test, performed by internal staff, because testing may affect system performance, and raise confidentiality and integrity issues.

The system owner, or decision-maker must agree to put the scope of the tests in writing. If there are any doubts during the test, this may need to be clarified and amended with more detail.

A testers written permission document is their "get out of jail free card", but it is not above the law. Sometimes it is unclear who owns systems and infrastructure (even to the client themselves). If in doubt get clarification.



Discovering new systems

During the test, you may come across additional infrastructure and systems where you are not sure who owns them, or whether you have permission to proceed. It is very important that your tests do not impact third parties, either directly or indirectly. Reconfirm individual systems with the client as you go, to make sure they know who owns the systems, and that they are within the permission and agreed scope of the test.


External penetration tests across the internet

If you are performing penetration tests across the internet, you will likely need to notify relevant ISPs, primarily yours and your customers.

This is important for various reasons, including legal and informational, but also technical reasons.

There could be many reasons why intervening infrastructure is adversely affected by tests that you run, such as system/port scanners, and vulnerability assessment tools. The last thing you want is to get sued for affecting a third party.

It may be that one of these ISPs is actually filtering some ports and threats transparently, which could mean that some tests you run are invalid. If you are testing for threats, and either your ISP or your customers ISP is filtering your tests, then you may be missing threats that are there, that perhaps may be accessible from other locations or in other ways.

During your tests, your IP addresses may get reactively blocked or blacklisted, which again could invalidate any further tests, such that real threats are missed.

An alternative, to avoid some of the risks with Internet-based testing, is to connect the testing systems directly to the external router of the client, or have the client give the tester some form of VPN or SSH tunnel to a system in that location.


Laws to consider

In addition to permission and technical issues, it is very important to have a clear understanding of the law, especially when more than one country is involved.

As you know, ignorance of the law does not stand up very well in court, so here is a (very) brief overview of relevant laws in several countries. I am not a lawyer, so for further detail please consult with your legal counsel. This is by no means a comprehensive list, and will only give you a flavor of what is out there.


Cyber crime laws in the UK

• Computer Misuse Act (of 1990, updated 2008)
• Prohibits deliberate unauthorized access
• Additionally covers issues such as modification of content, blocking access, impairing operation and facilitating others to do any of the above
• Fines and prison terms of up to 2 years
• Recently updated to cover Denial of service
• Up to 10 years in prison
• Prohibits distribution of hacking tools for criminal purposes
• Makes possession of hacking/security tools illegal where criminal intent can be established

Cyber crime laws in the US

These are probably the strictest, most comprehensive (and complex) in the world and include:

• Title 18 (Criminal code) Sections
• Section 1029
• Prohibits Fraud in relation to access devices, account numbers, passwords, credit cards etc.
• Section 1030
• Prohibits unauthorized computer access for government, financial and commerce systems
• Section 1362
• Prohibits injury or destruction of communications equipment
• Section 2510
• Prohibits unauthorized interception of traffic (Clauses to enable service providers to monitor, and procedures for law enforcement to gain access)
• Section 2701
• Prohibits access to stored information without permission of owner (again, exceptions for service providers)

• Cyber Security Enhancement Act (2002)
• Covers attacks which recklessly causes or attempts to cause death
• Severe penalties including possible life in prison

• US State laws
• In the US, state laws add an extra layer of complexity
• The following location provides a good summary of the laws that apply specifically to "Computer Hacking and Unauthorized Access" by state
• http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnologyi/ComputerHackingandUnauthorizedAccessLaws/tabid/13494/Default.aspx
• In short there are MANY state laws related to computer crime, and interstate crimes may break lots of them
• Often State laws are more recent, further reaching, and more specific than USC laws

Cyber crime laws in Germany

• Penal Code Section 202a (Data espionage)
• Prohibits obtaining data without authorization, where it was specially protected against unauthorized access
• Up to three years in prison
• 202c (Anti-Hacking Law)
• Prohibits creating, possessing or distributing tools used for computer attacks
• 303a and 303b
• Prohibits alteration and deletion of data and interference with data processing
• Up to 5 years in jail or a fine

Cyber crime laws in Japan

• Law 128 (1999) Unauthorized Computer Access Law
• Prohibits unauthorized access by
• Stealing access codes or bypassing access controls
• Fines and up to one year in prison

Other countries

Obviously there are a lot more countries than this. Some have no computer laws, but many have similar laws.

Enforcement can be very variable in some countries. Even where no specific computer laws are in place computer crimes can often be dealt with using existing laws such as fraud, theft, criminal damage etc.


Mitigations

• Make sure that security testers have permission in writing
• Consider the ownership of all systems which may be affected by the test
• Testers should be aware of the law and be in contact with legal council (in advance)
• Testers should consult legal council regarding specific laws in all countries where systems may be accessed as part of the test