paranoid
03/08/2006
Discussion has arisen during the last weeks over what is to be considered hacking and what is not. A court in Barcelona (Spain) has ruled that some activities the security community normally considers “illegal” are in fact “tolerated”, and a man has been acquitted of a hacking charge. The story: Javier N., a member of the “Pokemon Hack Team”, used some “security errors” to get access to pensions data. He took some screenshots and posted that information on the net. Caught, he was sent to court charged with “breaking inside computer systems”. At the end of the trial the judge decided to acquit him “because he did not have any intention, nor did he, cause damage to any third party”.

That actually opens a large hole in security legislation, at least in Spain, and creates a new large set of issues and responsibilities for Security Officers. The court states that if the intention is good, and there is no “direct” damage (we will explain later why we refer to “direct”), then any computer system may be accessed “just” by exploiting vulnerabilities in applications, database systems or operating systems that have not been patched or protected by an active security system. In practice, if you have all kinds of security systems in place, but one Javier exploits a bug in a network protocol and accesses your system, by law it is your fault, as long as Javier does not gain something out of it or cause damage to you or any other party.

Getting back to the reason why we refer to “direct” damage: the court in this case is not fully considering the aftermath and all the auditing that has surely followed the incident, but this is an indirect cost. Nor is it considering the fact that the owner of the data did not want any unauthorized person to access that data. So the will of the owner also counts for zero in this case. Some are comparing this to the owner of a field who puts “Do Not Trespass” signs everywhere, and since one of the signs was painted with the wrong paint from the vendor, anyone entering the field from that side has the right to enter, as long as he does not cause harm.

This is a complete revolution of the term “digital property” as it was understood until today. It does not matter whether or not you want someone to enter and use your computer system in a way different from what you intended. It is your fault that you did not protect it appropriately, meaning that you openly allowed anybody free access as long as they knew how to get in from that side.

A second huge implication is in those countries (Spain is one of them) that have adopted a strong approach to Data Protection legislation. In this case, the Data Processing Responsible, as the law calls this role, could also be held responsible for the diffusion of data on the internet, in open violation of a consent that could have been given, or refused, by any party whose data is present in any computer system subject to such access.

In conclusion, if you are responsible for security in a country where data protection is seriously managed, well, your current security spending may not be enough if you are not also checking for 0days that could be used to access your system regardless of all implemented security. And in some countries, like Italy for example, you could be sentenced to jail. Hacked and sent to jail for unauthorized data disclosure... Something’s not working as it should, huh?
Original article: http://www.elpais.es/articulo/elpepiautcat/20060228elpcat_10/Tes/cataluna/Absuelto/hacker/pirateo/datos/confidenciales/Generalitat