Tuesday, 3 April 2012

Relevant Penetration Testing Legislation in the UK

I've compiled some short revision notes on UK legislation with regards to Penetration Testing and Security Research etc. Feel free to comment or correct.

Computer Misuse Act 1990

http://www.legislation.gov.uk/ukpga/1990/18/contents
    • Unauthorised access to computer material (section 1);
    • Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and
    • Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. (section 3)
      • Making, supplying or obtaining articles for use in an offence under section 1 or 3 (section 3A)
Originally there was nothing to make DoS attacks illegal, but amendments in the Police and Justice Act 2006 changed section 3. DDoS via botnets was already illegal, since it involves unauthorised access to the bot machines.

For most of these offences you need to act with intent, unless you are reckless (section 3 also covers recklessness as to impairing the operation of a computer).

Ensure you have written permission before attacking systems, and ensure you do not go out of scope (for example, will a tool that follows redirects take you onto hosts outside the agreed scope?).

Human Rights Act 1998

http://www.legislation.gov.uk/ukpga/1998/42/schedule/1/part/I/chapter/7
Article 8 of the Human Rights Act
Right to respect for private and family life
  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Data Protection Act 1998

http://www.legislation.gov.uk/ukpga/1998/29/contents
    • Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people outside the organisation ("Other Parties", such as hackers and impersonators) to obtain unauthorised access to personal data.

    • Personal (identifiable) data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Ensure you do not keep any records that would fall under the act for longer than is necessary - i.e. prove that the data is accessible, but do not copy or back up those records. Data controllers may want to employ you to test that they have appropriate measures in place to secure the data.

Police and Justice Act 2006

    • Increased the penalties under the Computer Misuse Act (making unauthorised computer access serious enough to be an extraditable offence).
    • Made it illegal to perform DOS attacks.
    • Made it illegal to supply and own hacking tools.
    • Be careful about how you release information about exploits!
"The current Home Office line appears to be a balance of probabilities argument, that a court decide whether it is more likely than not each individual instance of the article will be used to commit an offence, ie the offence is only committed if it will be used criminally more than legally." openrightsgroup.org

Most hacking tools are normal tools used in a slightly different manner. It is possible to fully compromise a machine using a standard web browser with SQL injection etc. You probably don't want to write a proof of concept exploit that deletes the whole filesystem rather than just launching calc.

Regulation of Investigatory Powers Act 2000

http://www.legislation.gov.uk/ukpga/2000/23/contents
    • You can be required to hand over passwords or encryption keys (Part III).
    • You must keep quiet that these have been handed over.
    • Failure to comply carries an automatic 2-3 year jail sentence.
What if you uncover encryption keys or passwords for a client and are then required to hand these over to the authorities? What if you have forgotten your password? A good act if you want to work for GCHQ...
2012 - Extensions to this act possibly being introduced: http://www.bbc.co.uk/news/uk-politics-17595209

Serious Crime Act 2007

http://www.legislation.gov.uk/ukpga/2007/27/section/61

    • Amends the Computer Misuse Act and the Police and Justice Act (generally making them less severe).
    • Supplying hacking tools is only an offence if you are 'reckless' as to their use.

Other relevant legislation:

Official Secrets Act 1989

    Most testers working on HMG (UK government) engagements will probably be bound by the OSA at some point.

Communications Act 2003

    Makes it illegal to dishonestly use an electronic communications service to avoid paying for it. This potentially makes using open WiFi services illegal (i.e. using someone's home network that is unsecured).


Copyright Designs and Patent Act 1988

    Do you have licences for everything?

    Vicarious liability - your employer can be held liable if you install copied software.

Fraud Act 2006

    Phishing etc. would fall under this if done for illegal purposes.