RE: How hackers cause damage... was Vulnerabilites in new laws on computer hacking

["Al Sutton" <asutton () argosytelcrest com>]

Is it just me, or does anyone else think this rather long email should have
been summed up as...

"Treat a hacking incident the same way as you would a physical breakin.
Physically the person may not have taken your paper records, but they may
have taken pictures or photo-copies of them, and thus you have a problem
with loss of information (confidential deal & negociations, customer lists,
etc.), and you'd probably want to take measures to recover the cost of the
lost information. Also, if you suffer a physical break in you wouldn't just
rebuild the fence, set the alarm back on with the same codes, and hope for
the best, you'd look to improve things, you should apply a similar policy to
your IT infrastructure if it fails".

Did I miss anuthing?

Al.

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au] 
Sent: 23 February 2006 10:26
To: security-basics () securityfocus com
Cc: fla.linux () gmail com
Subject: How hackers cause damage... was Vulnerabilites in new laws on
computer hacking



Hello,
There have been a large number of ill-informed posts regarding damage caused
by cyber-trespass. This is for the purpose of this post described as
breaking into a system with no clear intent to cause damage i.e. no Mens Rea
or guilty mind. I will exclude all references to intention to damage or
wilful damage and limit this to reckless damage alone.

Next, I will exclude Mens Rea as it may pertain to the fact that the act of
committing a computer crime is by definition illegal. We all seem to
understand that breaking into a computer without permission is a breach of
the law so I shall not explore this avenue of argument.

The term in law refers to "actus non facit reum nisi mens sit rea", which
means that "the act will not make a person guilty unless the mind is also
guilty. This is a common defence in criminal cases though it will not help
you in a civil tort case (i.e. civil damages).

With the seeming ignorant state that exists (not to all reading) to the
levels of damage caused by breaking into systems and committing
cyber-trespass I will endeavour to detail the resultant state of affairs.

I will aim solely at corporate systems for the critique following. This is
not to state that Government, privately run or organisational systems have
any lesser effects resultant from attack, but that this is a post and not a
dissertation (though it is moving in that direction).

First we have the argument that has been fielded that at worst a system
would just need to be rebuilt. A prior poster stated that he would analyse
his system and track the incident. For the majority of the world this is not
so simple. Most people are not skilled in either incident response
techniques or digital forensic science (please note computer forensics is a
misnomer and grammatically incorrect). Nor are most companies able to afford
to rebuild systems on a regular basis for the fun of it.

Cyber-trespass leaves one in a state of doubt. It is commonly stated that
the only manner of recovery from a system compromise is to rebuild the host.
I will resist quoting a voluminous amount of material at this point (unless
somebody wishes to dispute this :). It is needless to say that documents,
working papers and processes on this topic are widely available. SANS, CERT
and the CIS all recommend that a compromised system be rebuilt, not from
backup, but from scratch.

Further one must "Resist the temptation of restoring from backups" *1 and
complete an "entire system install be performed from read-only distribution
media".

So here, we have to look to the cost of both rebuilding the system and
recreating the data. In the modern corporation, the primary assets are often
vested in the intellectual capital of the firm.

First, the system needs to be rebuilt as was listed above. There is no
argument here (though I am willing to engage in one) over the need to
rebuild the system. The people at the company that was attacked do not and
cannot know your motives. They cannot assume you are benign, but have to
assume that you are malignant being that you are willing to break the law,
that you are willing to face gaol.

If they assume otherwise they will suffer again. How do they know that you
have not installed a rootkit? How is it known that there is no timebomb on
the server. You as the attacker have already demonstrated that you are not
bound my conventional morality and ethics. You have violated property
rights, entered and penetrated a system, breached the defences and raped the
security of the site you choose as just "practice".

Every attacker that does this makes it easier for the truly malicious
attacker to succeed.

On top of this, add the loss due the unavailability, reputation and
compliance costs. Let us for the moment forget the costs of tort against the
company. The costs of action for a violation of privacy rights. The costs
from a violation of PCI-DSS. HIPPA Violations or the effects to the
companies share price.

Costs. They seem to be all over the place when you actually think about it.
Each of these costs is damage. This damage needs to be recovered. We all
pay. 

Now most organisations do not have, not can afford to retain skilled
incident response professionals. They need to employ external parties at a
cost. Even when they do have internal staff there is a cost, but the
accounting process is not so simple.

At rates (and this is based in Sydney, Australia) hiring personal from a
respected firm (and it is not likely to be less in the case of fear from an
attack driving firms to a position of trust) will have a charge out rate in
the order of $ 250-450 per hour. The investigation will take 10 -100 hours
(and in some cases longer though rare).

Is the cost of damages when placed against the risk worth it. I hope not,
but this is a personal risk decision for the individual to decide. I can do
little to stop you committing cyber-trespass just as I can do little to stop
you robbing a 7-11. Mind you however, I am a bit of an a*8hole. If I get
involved I will (in my personal time if needs be) map out every piece of
information that you have done and ensure that every lie you tell to try to
worm out (aimed at those who still try to do this act) of the consequences
is proved beyond a reasonable doubt in court.

Animus nocendi or a mind to harm reference the precise familiarity of
illegal content of behaviour, and of its possible consequences. Now that you
have read this post, it may be argued that you have come to understand that
there are consequences for your actions if you choose to still attack a
system (aimed at those who do). Please feel free to flame me as reading this
post effectively provides the essential condition to give a penal
condemnation if you still choose to violate the law by breaking into systems
and causing damage.

Regards,

Craig

 

PS

So called.. NON-Malicous attacks have caused the following events to occur

1   Loss of human life (though systems damage)

2   Insolvancy and the resultant human costs (lost jobs, etc)

so much for no damage... PPS even longer rant as to each of these with
statistical data available ;)


Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential.
If you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You
may not rely on this message as advice unless it has been electronically
signed by a Partner of BDO or it is subsequently confirmed by letter or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------