RE: SQL Injection Legalities

[Joe <junk () quickfinger com>]

I am not a lawyer.  Moderator, feel free to reject.

Comments in line.

On Wed, 17 Jul 2002, Michael Deyo wrote:

> All computers connected to the Internet potentially engage
> in interstate communication by the nature of the way in which the
> Internet operates, so this statue applies to all Internet hosts.
> The entire text of the Act can be viewed at
> http://www.usdoj.gov/criminal/cybercrime/1030_new.html.

Can you cite a court precedent?  I would disagree.  Yes, all
computers connected to the internet potentially engage in interstate
communication, but my interpretation of this law is that the "crime"
must occur across state lines.  Most hackers capable of using
traceroute can prove their packets did or did not cross state lines.
Alternatively, the hacker could simply use the same ISP as the
target.

> In your scenario, you were authorized to access the website and
> enter search terms at your discretion.  I would argue that it is
> the responsibility of the computer system owner to communicate what
> types of activity are authorized and unauthorized.  If there was
> specific communication that SQL injection constitutes unauthorized
> activity, and that only valid search terms should be entered, you
> have violated this Act.  If, however, you accessed the site and had
> a reasonable belief that you held the privilege to enter any and
> all search terms, it would be difficult to prove intent to gain
> unauthorized access on your part.  In addition, it is the
> responsibility of the system developer to include security
> mechanisms to prevent unauthorized access.  You did not circumvent
> a security mechanism in this case.

Interesting observation.  Kudos!

> Another issue to examine is the degree of damage caused to the
> system as a result of the SQL injection.  If you simply returned
> the entire product listing, this is a relatively benign activity.
> This is assuming that the information returned is not particularly
> sensitive, such as bank records, credit card numbers, or protected
> health information.  If, however, you used SQL injection to modify
> information or destroy data, this is a more critical issue.  This
> will certainly violate the Federal statue, and most state laws.
> While it may be implied that you have authorization to view the
> resulting information of searches, it is not implied that you are
> authorized to modify or delete system information.

According to the statute cited, all you have to do is "obtian
information."  It doesn't matter if the information is benign,
sensitive or damaged.  It might make a difference in sentencing, but
not in determination of guilt (assuming jurisdiction is met).

> Mike
>
>
> -----Original Message-----
> From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
> Sent: Wednesday, July 17, 2002 12:48 PM
> To: Pen-Test
> Subject: SQL Injection Legalities
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I hesitate asking the group about law, but here goes:
>
> Lets say a site gives you the capability to search their product-base via a
> web input box.  You know, the standard search/submit deal.
>
> You type in "bicycle" and it gives you everything that starts with
> "bicycle."  Simple enough.  As we all know, web app susceptibility to SQL
> injects runs amok; lets say in this case that instead of typing "bicycle,"
> I type "bicycle' or 1=1--" and get all the products.  Have I broken the
> law?  More specifically, have I broken the law in the US?
>
> One could argue that the site is allowing me to specify what I want to see,
> and all I am doing is typing in what I want...  Though the developer may
> not have intended for me to pull up the data like that, does my doing so
> constitute a crime?
>
> I'm not looking for ethical or moral debate here, I am hoping someone has
> some distinct legal experience who knows.  Thanks.
>
> AD


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/