Remember this guy ? So it does appear that using a non-standard browser can get you banged-up, especially if you are a security geek.

Evidently all security folk should switch to MSIE on Windows, and refrain from nmap, ping and traceroute…

[www.out-law.com]

‘Regrettable’ conviction under Computer Misuse Act

A man was convicted in London yesterday of hacking into a charity website, set up after the Indian Ocean tsunami disaster, in breach of the Computer Misuse Act.

Daniel James Cuthbert, a computer consultant formerly with ABN Amro bank, was given a £400 fine and ordered to pay £600 in costs at Horseferry Road Magistrates court yesterday, according to reports.

He fell foul of section one of the Computer Misuse Act, the UK’s main cybercrime legislation, on New Year’s Eve last year.

Cuthbert clicked on a banner ad to donate £30 to the Disaster Emergency Committee (DEC) appeal. However, when he did not get a confirmation or thank you in response to his donation, he feared that he had fallen for a phishing site, and decided to test the site to make sure. Unfortunately, in doing so he set off the DEC protection systems, and the police were called in.

According to SC Magazine, District Judge Mr Quentin Purdy found Cuthbert guilty with ‘some considerable regret’, but the wording of the Act made it clear that the security consultant was guilty. “Unauthorised access, however praiseworthy the motives, is an offence,” said the judge.

Cuthbert, 28, has lost his job with ABN Amro, and has since found it hard to find alternative employment, according to reports.

He told The Register, ‘They’ve now set the bar so high that there should be thousands of convictions for people doing things like these. There will be lot of anger from security professionals and the police will find it harder to get help in future.”

See also

[www.theregister.co.uk]

[Cuthbert], 28, of Whitechapel, London, told Horseferry Road Magistrates Court yesterday that he had made a donation on the site, but when he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check its security. This action set off an Intruder Detection System in a BT server room and the telco contacted the police.

The prosecution made an application for costs but declined to seize Cuthbert’s Apple notebook on which the offences were committed. They made no further claim for compensation.

The defence asked for some sort of discharge because the case came close to “strict liability” – it was his responsibility but not his “fault”. Mr Harding, for the defence, said: “His reasoning was not reprehensible. He was convicted because of the widely-drafted legislation that could catch so many.”

and [www.scmagazine.com] ; from the latter:

In sentencing, District Judge Mr Q Purdy said that it was “with some considerable regret” that he passed down a guilty verdict, but the Act made it quite clear that Cuthbert had knowingly performed unauthorized actions against DEC’s systems. Judge Purdy acknowledged that, though Cuthbert had avoided a custodial sentence, the potentially dire impact on his career may be “a heavy price to pay.”

The conviction could have serious knock-on effects for security professionals.

Peter Sommer, a senior research fellow with the Information Systems Integrity Group at the London School of Economics, said security professionals would now almost certainly have to be more careful and would want to have a cast iron description, when hired, of what they were authorized to do.

Sommer, who examined logs for Cuthbert’s defense counsel and gave expert witness to the court, said he thought that, for the extent of Cuthbert’s offense “it’s a very heavy penalty to have to pay.” He said he thought it was “fairly unfair,” and that he had had “grave misgivings” about the decision to prosecute. But Cuthbert had initially, when arrested, lied to the police, which may have been his undoing.

When asked if this conviction might drive a wedge between the infosec community and the police, Sommer said “it’s certainly not going to help … and the Computer Crime Unit is going round the City [of London] with a begging bowl saying why don’t you fund us directly … and I think they’re going to find it now more difficult.”

…and the Police position is, as-usual in grey cases, a matter of hiding behind the book:

But Judge Purdy said that, under the CMA, Cuthbert’s ultimate aims, whether “malevolent or benevolent” did not bear upon the fact that “unauthorized access, however praiseworthy the motives, is an offense.”

The Met Police’s Computer Crime Unit led the investigation against Cuthbert, which has dragged on since early this year.

“We welcome today’s outcome in a case which fully tests the computer crime legislation,” said DC Robert Burls of the Metropolitan Police’s Computer Crime Unit. “[We] hope it sends out a reassuring message to the general public that in this particular case the appropriate measures were in place that enabled donations to be made via the Disaster Emergency Committee website.”

The Internet is soon to become like the railways and roads. You’re meant to use them and pay whilst staying in well-defined cars and carriages which can be monitored and controlled.

Evidently the days of freedom-to-roam are numbered.

Update: 1235BST I’ve just had the following URL forwarded to me:

http://www.samizdata.net/blog/archives/008118.html

The first test he used was the (dot dot slash, 3 times) “../../../” sequence. The “../” command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allowing you to move three times. It is not a complete attack as that would require a further command. It was merely a light “knock on the door”. The other test, which constituted an apostrophe (‘) was also used. He received no error messages in response to his query, so he was then satisfied that the site was safe. He returned to his regular duties, and forgot the matter.

There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.

Twenty days later he was arrested at his place of work and had his house searched. In the first part of his interview, he did not readily acknowledge his actions, but in the second half of the interview, he did. He was a little distraught and confused upon arrest, as any otherwise completely law abiding person would be in that situation and did not ask for a solicitor, as he maintained he did nothing wrong. His tests were done in the space of two minutes, then forgotten about.

The *../* sequence triggered off the alarm which was set up as “high” for this sort of “attack” at the donate.bt.com website. This alerted someone that there was something potentially suspicious going on. This was then passed up to someone who reported it to the police. They found their suspect through the IP address and were able to trace it to Cuthbert’s laptop.

So: It’s faffing around with URLs is a “serious” security attack, and can land you with a fine; I really would be interested to meet the person who set this up, and ask for their justification…