Wednesday, 26 January 2011

Penetration testing: Permission, ownership and "hacking laws" overview

When performing a penetration test it is very important to have permission from all parties involved, which may include third parties if a company has outsourced or managed services as part of its IT infrastructure.

In recent times, outsourcing, managed services, cloud-computing and the global nature of IT infrastructure, combined with new legislation in various countries have added complexity to penetration testing.

This has made it increasingly important for pen-testers to have a very clear understanding of who owns the systems they are targeting, and of the infrastructure between the testing systems and the targets (which may also be affected by testing).

This post is a brief overview of things to watch out for regarding the permission and legality of tests. I also outline various laws relating to computer crime in several key countries.


Written permission

Written permission is the most important prerequisite before starting a penetration test. This is very important even in an internal penetration test, performed by internal staff, because testing may affect system performance, and raise confidentiality and integrity issues.

The system owner or decision-maker must agree to put the scope of the tests in writing. If any doubts arise during the test, the document may need to be clarified and amended with more detail.

A tester's written permission document is their "get out of jail free card", but it is not above the law. Sometimes it is unclear who owns systems and infrastructure (even to the client themselves). If in doubt, get clarification.



Discovering new systems

During the test, you may come across additional infrastructure and systems where you are not sure who owns them, or whether you have permission to proceed. It is very important that your tests do not impact third parties, either directly or indirectly. Reconfirm individual systems with the client as you go, to make sure they know who owns the systems, and that they are within the permission and agreed scope of the test.
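One way to keep the "reconfirm as you go" discipline mechanical is to check every newly discovered address against the written scope before it is touched again. The following is an added example, not code from the original post: it assumes the written permission document has been transcribed into `CIDR,owner,allow|deny` lines (a constructed format), uses longest-prefix matching so a third-party range carved out of a client block is honoured as an exclusion, and buckets anything unmatched as "unknown" for reconfirmation with the client. The addresses are documentation ranges, constructed for the example.

```python
"""Scope check for hosts discovered mid-test: anything outside the written
authorisation is flagged so it can be reconfirmed with the client first."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    owner: str         # who owns/manages the range, as stated in the scope document
    authorised: bool   # True: in written scope; False: explicitly excluded


def load_scope(text: str) -> list[ScopeEntry]:
    """Parse lines of the form 'CIDR,owner,allow|deny' (blank lines and # comments ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, owner, verdict = (part.strip() for part in line.split(",", 2))
        if verdict not in ("allow", "deny"):
            raise ValueError(f"scope line must end in allow|deny: {raw!r}")
        entries.append(ScopeEntry(ipaddress.ip_network(cidr, strict=False), owner, verdict == "allow"))
    return entries


def classify_host(host: str, scope: list[ScopeEntry]) -> tuple[str, str]:
    """Return (status, owner) for one address: 'authorised', 'excluded' or 'unknown'.

    The most specific (longest prefix) matching entry wins, so a third-party /32
    inside a client-owned /24 is treated as excluded.
    """
    addr = ipaddress.ip_address(host)
    matches = [e for e in scope if addr in e.network]   # version mismatch never matches
    if not matches:
        return "unknown", "not in written scope: stop and reconfirm with the client"
    best = max(matches, key=lambda e: e.network.prefixlen)
    return ("authorised" if best.authorised else "excluded"), best.owner


def triage(hosts: list[str], scope: list[ScopeEntry]) -> dict[str, list[str]]:
    """Bucket discovered hosts by status; only the 'authorised' bucket may be tested further."""
    buckets: dict[str, list[str]] = {"authorised": [], "excluded": [], "unknown": []}
    for host in hosts:
        buckets[classify_host(host, scope)[0]].append(host)
    return buckets


# Constructed sample scope document and discovered hosts (documentation ranges only).
SAMPLE_SCOPE = """
192.0.2.0/24,client web DMZ (client-owned),allow
192.0.2.200/32,payment gateway (third-party managed: not authorised),deny
198.51.100.0/25,client VPN concentrator,allow
"""
SAMPLE_DISCOVERED = ["192.0.2.10", "192.0.2.200", "198.51.100.4", "203.0.113.7"]

if __name__ == "__main__":
    scope = load_scope(SAMPLE_SCOPE)
    for host in SAMPLE_DISCOVERED:
        status, owner = classify_host(host, scope)
        print(f"{host:16} {status:10} {owner}")
```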


External penetration tests across the internet

If you are performing penetration tests across the internet, you will likely need to notify the relevant ISPs, primarily yours and your customer's.

This is important for legal and informational reasons, but also for technical ones.

Intervening infrastructure can be adversely affected by the tests you run, such as system/port scanners and vulnerability assessment tools, for many reasons. The last thing you want is to get sued for affecting a third party.

It may be that one of these ISPs is transparently filtering some ports and threats, which could mean that some of your tests are invalid. If you are testing for threats, and either your ISP or your customer's ISP is filtering your tests, then you may be missing threats that are really there and that may be accessible from other locations or in other ways.

During your tests, your IP addresses may get reactively blocked or blacklisted, which again could invalidate any further tests, such that real threats are missed.

An alternative, which avoids some of the risks of Internet-based testing, is to connect the testing systems directly to the external router of the client, or to have the client give the tester some form of VPN or SSH tunnel to a system at that location.


Laws to consider

In addition to permission and technical issues, it is very important to have a clear understanding of the law, especially when more than one country is involved.

As you know, ignorance of the law does not stand up very well in court, so here is a (very) brief overview of relevant laws in several countries. I am not a lawyer, so for further detail please consult with your legal counsel. This is by no means a comprehensive list, and will only give you a flavor of what is out there.


Cyber crime laws in the UK
  • Computer Misuse Act (of 1990, updated 2008)
    • Prohibits deliberate unauthorized access
      • Additionally covers issues such as modification of content, blocking access, impairing operation and facilitating others to do any of the above
      • Fines and prison terms of up to 2 years
    • Recently updated to cover denial of service
      • Up to 10 years in prison
    • Prohibits distribution of hacking tools for criminal purposes
      • Makes possession of hacking/security tools illegal where criminal intent can be established

Cyber crime laws in the US

These are probably the strictest, most comprehensive (and complex) in the world and include:
  • Title 18 (Criminal code) Sections
    • Section 1029
      • Prohibits Fraud in relation to access devices, account numbers, passwords, credit cards etc.
    • Section 1030
      • Prohibits unauthorized computer access for government, financial and commerce systems
    • Section 1362
      • Prohibits injury or destruction of communications equipment
    • Section 2510
      • Prohibits unauthorized interception of traffic (Clauses to enable service providers to monitor, and procedures for law enforcement to gain access)
    • Section 2701
      • Prohibits access to stored information without permission of owner (again, exceptions for service providers)

  • Cyber Security Enhancement Act (2002)
    • Covers attacks which recklessly cause, or attempt to cause, death
    • Severe penalties including possible life in prison


Cyber crime laws in Germany
  • Penal Code Section 202a (Data espionage)
    • Prohibits obtaining data without authorization, where it was specially protected against unauthorized access
    • Up to three years in prison
  • 202c (Anti-Hacking Law)
    • Prohibits creating, possessing or distributing tools used for computer attacks
  • 303a and 303b
    • Prohibits alteration and deletion of data and interference with data processing
    • Up to 5 years in jail or a fine

Cyber crime laws in Japan
  • Law 128 (1999) Unauthorized Computer Access Law
    • Prohibits unauthorized access by stealing access codes or bypassing access controls
    • Fines and up to one year in prison



Other countries

Obviously there are a lot more countries than this. Some have no computer laws, but many have similar laws.

Enforcement can be very variable in some countries. Even where no specific computer laws are in place computer crimes can often be dealt with using existing laws such as fraud, theft, criminal damage etc.


Mitigations

  • Make sure that security testers have permission in writing
  • Consider the ownership of all systems which may be affected by the test
  • Testers should be aware of the law and be in contact with legal counsel (in advance)
  • Testers should consult legal counsel regarding specific laws in all countries where systems may be accessed as part of the test
