Bugtraq mailing list archives

Re: [security] Re: Major hack attack on the U.S. Senate


From: "Bernie, CTA" <cta () hcsin net>
Date: Tue, 03 Feb 2004 17:08:45 -0500

On 2 Feb 2004 at 23:02, rsh () idirect com wrote:

On Fri, 23 Jan 2004 Daniel.Capo () tco net br wrote:

Which means the Democrats screwed up setting up their own
share point and allowed public access to it.  There was no
"computer glitch" which was "exploited".  This was
completely a human screw-up.  And there was no hacking
("exploitation of a computer glitch") done by the
Republicans. Unless you wish to call clicking on a share
point configured with public access and opening it up
"hacking".

AFAIK, "hacking" is legally defined in the USA as being
unauthorized access to computer resources. It doesn't matter
if the resource was adequately protected (or protected at all)
in first place or not. If you were not given permission to
make use of that resource, you are criminally liable.

Do you have an explicit permission to read the content of a
www.cnn.com? What is the difference between opening a web URL
and a network share?

In a word, Intent.  If CNN intends you to read the news on
their web site and gets advertising revenue when you do, you are
not hacking when you go there.  If the Senate does NOT intend you
to read their files and leaves open a network share in error or
through ignorance, you are hacking when you go there.  As silly
as it seems, that is the way the laws were designed to work.

<<<
I believe the US Courts would find that the "Intent" of the 
Democrats to assert that their files were not for public access, 
alone, is not persuasive.  It's my experience that the Court would 
perhaps look at the facts associated with the following primary 
questions:

1.      Was there a Security or Computer / Network User Policy in 
force which all users (Parties) were aware of, or better yet 
signed, specifically identifying how public and private realms 
are delineated, and how access to private files is administered? 
 I would wager that there was no such Policy in place, and 
therefore no way to establish a Chinese wall.

2.      Were there any safeguards in place to restrict access to 
authorized users, and if so were these circumvented and by whom? 
In this case, safeguards could have been implemented, and it may 
have been the Intent of the Democrats to do so, but the fact 
remains that they were not.  Therefore, no hack or willful 
breach of the system's security occurred.

3.      Were there any notices (i.e. the word Confidential, 
Restricted, etc, placed in the Header, Footer or Watermark of 
the Document Files) or file/directory naming convention e.g. 
Confidential - Republicans Keep Out, indicating that the files 
were confidential or more specifically not for public access? If 
there were such notices or naming convention an argument could 
be made that parties did receive notice that the files were to 
be considered private or not for public access.

4.      If there were notices or marks indicating that the files and 
their content were private, then, did the person who accessed 
and disclosed content of these files do so with the "Intent" to 
cause harm to the Author? Well, that is a tough one. Obviously 
both sides are involved in the game of political tactics, 
(information warfare), against their opponents "Party". However, 
the law looks at harm to an individual, so was any individual 
hurt by the disclosure? Was that the intent of the disclosing 
party?

I would analyze the transaction and occurrences in this case by 
drawing an analogy to that of a Public Library. In such a 
Library, there are books and records, which are made available 
to the Public, although notice of this is typically not placed 
on each book or record (file). However, there are also areas 
(rooms) within the premises, which may contain other books and 
records (such as operational and administrative records) that 
the Library considers private for access by authorized personnel. 
Typically, the Library would take measures to secure these areas 
and ensure that access to these rooms is controlled, doors 
locked, or notice is displayed indicating that the area is 
Private, i.e., General Public Keep Out.

Likewise, the Democrats may have had the Intent to establish 
that certain areas and their contents were private, but failed to 
mark these areas (Directories) or ensure that safeguards were 
properly implemented to control access. The bottom line is that 
basic security policies, procedures and safeguards were not in 
effect in the Senate's Network to prevent unauthorized access, 
or more importantly alert the casual user that the files are 
private and not public domain.

-
-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************


