CMA Revision/Sommer/ page 1

Criminalising Hacking Tools
Peter Sommer
Summary
Making the sale, possession and distribution of the tools of hacking a criminal
offence has obvious attractions. But many such tools are dual use and new laws run
the risk of significantly inhibiting the activities of investigators, incident responders,
penetration testers and academics. Recent UK attempts at framing such a law are
discussed in order to show the broader problems of policy and wording.
It is one of the most frequently reproduced graphs in information system security. The horizontal axis is a time line; the vertical axis is marked from "low" to "high". There are two curves. The first, starting low in the 1980s and rising to high as we move forward in time, is marked "Sophistication of Attacker Tools"; the second starts high and falls to low over time and is marked "Required Knowledge of Attackers".

The graph first appeared (I think) in a GAO Report in May 1996 [1] and took the story, in terms of hacking tools, as far as sniffers, packet spoofing and tools with GUIs.
Today the tools would include virus generators, DNS polluters, botnet control tools
as well as versions of older tools which are now much more sophisticated.
It is not surprising that there should have been demands to criminalise the production, sale and even possession of hacking tools. These demands were reflected in the 2001 Council of Europe Cybercrime Treaty. [2]

The difficulty is that many hacking tools are indistinguishable from utilities that are essential for the maintenance and security of computers and networks. Eleven years ago, in April 1995, Dan Farmer and Wietse Venema released a program called Security Administrator Tool for Analyzing Networks, which resolves, for better or worse, to the acronym SATAN. It was designed to automate the process of testing systems for security vulnerabilities. Written largely in Perl, it adopted the then relatively novel technique of using a web browser as an interface. In essence it was a rule-based engine backed by a database of vulnerabilities. As well as reporting the presence of vulnerabilities, SATAN also gathered large amounts of general network information, such as which hosts are connected to subnets, what types of machines they are and which services they offer.
As soon as it was announced, critics rushed in to complain that, although not intended as such, it was in essence a series of gifts to hackers. Farmer and Venema went on to write the Coroner's Toolkit, a series of Unix-based forensics utilities. They are also the authors of the book Forensic Discovery. [3] SATAN and another similar automated testing tool, ISS (which for some reason never attracted the same level of ire from security professionals), soon started to turn up on the hacker bulletin boards, IRC channels and indeed on the hard disks of hackers who had been raided by the authorities. ISS in an early form, for example, was used by the UK hacker DataStream Cowboy in his attacks on sensitive US military sites in March 1994. [4]

[1] GAO/AIMD-96-84, Defense Information Security.
[2] http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm. Despite its name, it has been signed by such countries as the USA, Canada, South Africa and Japan. As of March 2006 twelve signatories had ratified it, but a further 30 nations have signed the convention without ratifying it.

If we look at the range of security and hacking tools available at the moment we can see the extent of the problem of dual use:
Class of Tool / Legitimate and Illegitimate Uses

Automated Penetration Testing: Modern ICT systems are too complex and too subject to constant change for the traditional "specify and verify" approach to the selection of security measures. Regular penetration testing is an essential additional element in providing security. Having reached that decision, it makes sense to create automated tools. The typical penetration testing tool consists in the first instance of a series of probes to get an operating system or application to disclose information about itself. The tool also has a database of weaknesses, so that subsequent probes are designed to establish whether the weaknesses have been patched. In the hands of a penetration tester, the outcome is simply a technical report with recommendations. The identical tool used by a malicious hacker identifies routes to unauthorised access.

Website Load Capacity Testing: The owners of large websites need server resources sufficient to meet given levels of customer demand or run the risk of complaints. They use tools to assist them. The same tool can be used to cause a Denial of Service.

Password Cracking; Decryption Tools: Many modern password-based access control systems are designed so that the system administrator does not have direct access to the list of passwords for his users. Many individuals use stand-alone encryption to protect their sensitive files. In those circumstances there is a legitimate requirement for tools that can crack passwords. The same tools can be used to gain unauthorised access to a computer or to
[3] Addison-Wesley, 2004, ISBN 0-201-63497-X.
[4] The matter came to trial in the UK in 1997; the author was the expert witness hired by DataStream Cowboy's lawyers to help them understand the evidence.