Bugtraq mailing list archives
Re: [security] Re: Major hack attack on the U.S. Senate
From: "Bernie, CTA" <cta () hcsin net>
Date: Tue, 03 Feb 2004 17:08:45 -0500
On 2 Feb 2004 at 23:02, rsh () idirect com wrote:
On Fri, 23 Jan 2004 Daniel.Capo () tco net br wrote:

Which means the Democrats screwed up setting up their own share point and allowed public access to it. There was no "computer glitch" which was "exploited". This was completely a human screw-up. And there was no hacking ("exploitation of a computer glitch") done by the Republicans. Unless you wish to call clicking on a share point configured with public access and opening it up "hacking".

AFAIK, "hacking" is legally defined in the USA as being unauthorized access to computer resources. It doesn't matter if the resource was adequately protected (or protected at all) in the first place or not. If you were not given permission to make use of that resource, you are criminally liable.

Do you have an explicit permission to read the content of www.cnn.com? What is the difference between opening a web URL and a network share?

In a word, Intent. If CNN intends you to read the news on their web site and gets advertising revenue when you do, you are not hacking when you go there. If the Senate does NOT intend you to read their files and leaves open a network share in error or through ignorance, you are hacking when you go there. As silly as it seems, that is the way the laws were designed to work.
<<< I believe the US Courts would find that the "Intent" of the Democrats to assert that their files were not for public access is, alone, not persuasive. It's my experience that the Court would perhaps look at the facts associated with the following primary questions:

1. Was there a Security or Computer / Network User Policy in force which all users (Parties) were aware of, or better yet signed, specifically identifying how public and private realms are delineated, and how access to private files is administered? I would wager that there was no such Policy in place, and therefore no way to establish a Chinese wall.

2. Were there any safeguards in place to restrict access to authorized users, and if so, were these circumvented and by whom? In this case, safeguards could have been implemented, and it may have been the Intent of the Democrats to do so, but the fact remains that they were not. Therefore, no hack or willful breach of the system's security occurred.

3. Were there any notices (i.e. the word Confidential, Restricted, etc., placed in the Header, Footer or Watermark of the Document Files) or file/directory naming convention, e.g. Confidential - Republicans Keep Out, indicating that the files were confidential or more specifically not for public access? If there were such notices or naming convention, an argument could be made that parties did receive notice that the files were to be considered private or not for public access.

4. If there were notices or marks indicating that the files and their content were private, then did the person who accessed and disclosed the content of these files do so with the "Intent" to cause harm to the Author? Well, that is a tough one. Obviously both sides are involved in the game of political tactics (information warfare) against their opponent's "Party". However, the law looks at harm to an individual, so was any individual hurt by the disclosure? Was that the intent of the disclosing party?

I would analyze the transaction and occurrences in this case by drawing an analogy to that of a Public Library. In such a Library, there are books and records which are made available to the Public, although notice of this is typically not placed on each book or record (file). However, there are also areas (rooms) within the premises which may contain other books and records (such as operational and administrative records) that the Library considers private, for access by authorized personnel. Typically, the Library would take measures to secure these areas and ensure that access to these rooms is controlled, doors locked, or notice is displayed indicating that the area is Private, i.e., General Public Keep Out.

Likewise, the Democrats may have had the Intent to establish that certain areas and their contents were private, but failed to mark these areas (Directories) or ensure that safeguards were properly implemented to control access.

The bottom line is that basic security policies, procedures and safeguards were not in effect in the Senate's Network to prevent unauthorized access, or more importantly, alert the casual user that the files are private and not public domain.

- -
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************