Computer Misuse Act 1990
http://www.legislation.gov.uk/ukpga/1990/18/contents
- Unauthorised access to computer material (section 1);
- Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and
- Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. (section 3)
- Making, supplying or obtaining articles for use in an offence under section 1 or 3 (section 3A)
For most of these offences you need to be acting with intent to commit the offence; the exception is section 3, which also covers recklessness.
Ensure you have written permission to attack systems and ensure you do not go out of scope (follow redirects?).
Human Rights Act 1998
http://www.legislation.gov.uk/ukpga/1998/42/schedule/1/part/I/chapter/7
Right to respect for private and family life
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Data Protection Act 1998
http://www.legislation.gov.uk/ukpga/1998/29/contents
- Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people outside the organisation ("Other Parties"), such as hackers and impersonators, to obtain unauthorised access to personal data.
- Personal (identifiable) data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Ensure you do not keep any records that would fall under the act for longer than is necessary - i.e. prove it is accessible and do not back up those records. Data controllers may want to employ you to test they have appropriate measures in place to secure the data.
Police and Justice Act 2006
- Makes amendments to the Computer Misuse Act 1990
- Sections 35-38 http://www.legislation.gov.uk/ukpga/2006/48/part/5/crossheading/computer-misuse
- Increased the penalties under the Computer Misuse Act (makes unauthorised computer access serious enough to fall under extradition).
- Made it illegal to perform DoS attacks.
- Made it illegal to supply and own hacking tools.
- Be careful about how you release information about exploits!
Most hacking tools are normal tools used in a slightly different manner. It is possible to fully compromise a machine using a standard web browser with SQL injection etc. You probably don't want to write a proof-of-concept exploit that deletes the whole filesystem rather than just loading calc.
Regulation of Investigatory Powers Act 2000
http://www.legislation.gov.uk/ukpga/2000/23/contents
- You can be required to hand over passwords or encryption keys (Part III).
- Must keep quiet that these have been passed over.
- Failure to do so carries an automatic 2-3 year jail sentence.
2012 - Extensions to this act possibly being introduced: http://www.bbc.co.uk/news/uk-politics-17595209
Serious Crime Act 2007
http://www.legislation.gov.uk/ukpga/2007/27/section/61
- Amends the Computer Misuse Act and the Police and Justice Act (generally makes it less severe).
- You have to be 'reckless' when providing hacking tools
Other relevant legislation:
Official Secrets Act 1989
- Most testers working on HMG stuff probably work under the OSA at some point.
Communications Act 2003
- Illegal to dishonestly use an electronic communication service to avoid payment for the service. Makes using open WiFi services potentially illegal (i.e. using someone's home network that is unsecured).
Copyright, Designs and Patents Act 1988
- Do you have licences for everything?
Vicarious Liability - makes your employer liable if you install copied software.
Fraud Act 2006
- Phishing etc. would fall under this if done for illegal purposes.
http://www.loud-fat-bloke.co.uk/expertwanted.pdf
http://wiki.openrightsgroup.org/wiki/Police_and_Justice_Bill_2006
Unauthorised Access: Physical Penetration Testing For IT Security Teams - http://my.safaribooksonline.com/book/networking/intrusion-detection/9780470747612
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx
http://www.theregister.co.uk/2008/09/30/uk_cybercrime_overhaul/
http://p10.hostingprod.com/@spyblog.org.uk/blog/2008/09/computer-misuse-act-amendments-come-into-force-on-1st-october-2008.html
This is a really handy write-up! Thanks for that. I'm just revising for the Crest exam :-)