The advent of computer technology has brought some good opportunities, and many of these, not surprisingly, are of a criminal nature. This essay argues that, in order to control the misuse of computer technology, ethical hackers’ attitudes toward their activity and society’s rules on illicit actions must be examined. Ethical hackers and security experts must be aware of the core ethical principles that govern their daily actions, and security experts in organizations need to adopt the law in order to minimize or prevent computer misuse. In this essay we discuss one such law, the “Computer Misuse Act”, which originated in the United Kingdom in 1990. We also discuss the consequences and problems that ethical hackers face with respect to this Act.
An ethical hacker is a person with a high level of skill and tools in computer systems who uses that knowledge to access a system, computer or computer network without appropriate permission. Ethical hackers may also be security consultants or experts who use a hacker’s techniques for defensive purposes. This group tries to think like hackers and uses their techniques to assess the level of security and enhance it. Security experts define four major categories of hackers, as follows:
Black Hats: Black hats are people with great proficiency in computing who use their knowledge and tools for offensive or malicious activities.
Gray Hats: Gray hats are individuals who were previously black hats, or hackers who use their knowledge for both offensive and defensive purposes depending on their interest.
White Hats: White hats are the same as ethical hackers.
Suicide Hackers: Hackers whose purpose is to bring down critical infrastructure for a “cause” and who do not worry about facing 30 years in jail for their actions.
A key part of an ethical hacker’s duty involves dealing with data belonging to a third party and using tools and technical knowledge to hack into a network. In certain cases this can result in intrusion on somebody’s right to privacy and security. Hackers have different policies, and each approaches a target based on their own policy. Hence, it is hard to define a life cycle or process applicable to all. Figure 1 gives the hacking life cycle, or process, covering the steps that a professional hacker may undertake to conduct an attack and approach a target.
Figure 1: Hacking Life Cycle
Reconnaissance: This is the most significant and time-consuming phase of hacking. Hackers spend most of their time on information gathering, or reconnaissance. This phase can be performed in two modes: passive or active.
Scanning: This phase may be considered part of reconnaissance as well, and it can be carried out as different types of scan, i.e. port scan, network scan, IP scan or vulnerability scan.
Gaining Access: In the two phases above, hackers gather valuable information about the target. This information includes the vulnerabilities that hackers may misuse to gain access to the target machine. Access may be gained in different areas, such as the network, network equipment, operating systems and applications.
Maintaining Access: Real hackers maintain their access to the system they have gained access to. They do not share their information or disclose their malicious activities. Hackers most commonly install back doors, rootkits or Trojans on those machines to maintain their access.
Clearing Tracks: Clearly, no one wants to end up facing law enforcement for cybercrimes, so hackers usually clear their tracks on the victim’s PC or systems. They may use anti-forensic tools to delete all possible evidence, or disable the security audit log and alter or delete the log files stored on the same system.
Countless countries have framed some kind of legal provision against illegally hacking (or cracking) into computers and networks by misusing their security vulnerabilities and weaknesses. The Computer Misuse Act is one of these, and it was enacted in the UK.
Legal Issues Arising from Hacking and Computer Viruses:
The actual problem may occur with “innocent” hackers who may not originally have any criminal record but who, once they get privileged access to a system, may go on to commit fraud or cause harm to the system, either by accident or by intention. Furthermore, the activities of some “innocent” hackers may serve simply as a smoke screen hiding people with more threatening, unknown intentions. For an offence of criminal attempt to be successfully made out, the Criminal Attempts Act 1981 provides that an act must be done which is more than merely preparatory to the commission of the crime in question. Hacking into a computer system is only preparatory to the commission of the fraud in question, and as such a charge of attempted fraud cannot be made out. Another major problem area is computer viruses. Computer viruses often cause damage through the wiping out or modification of useful programs and data stored in the infected computer, or of its storage capacity, so that it cannot process anything useful. In any event, it would be undesirable to interfere with the whole basis (i.e. damage to physical property) on which the 1971 Act was created just to accommodate this problem ad hoc.
The Computer Misuse Act:
Hacking was never considered a criminal offence until 29th August 1990, when the Computer Misuse Act 1990 became operative. Criminal law does not normally protect confidentiality or privacy, or indeed provide sanctions against the removal or modification of private information. Traditional crimes committed using computers are easy to understand. Examples include Internet fraud schemes, Internet gambling, online distribution of child pornography and cyberstalking. These crimes involve the online commission or facilitation of traditional criminal offences. Crimes of computer misuse, however, represent a new type of crime and pose additional challenges for criminal law. We can define computer misuse as conduct that purposely, significantly, irresponsibly, or carelessly causes interference with the proper functioning of computers and computer networks. Common examples include computer hacking, distribution of computer worms and viruses, and denial-of-service attacks. Computer misuse upsets users’ confidence in the rights and privileges granted by computer owners and operators. For example, a personal e-mail account ordinarily gives its owner the right to access e-mail along with the privilege of exclusive access to that e-mail. An outsider who guesses the owner’s password, gets access to the owner’s account and reads the owner’s e-mails denies the owner the assurance that his/her personal e-mails have remained private, secure, and confidential. Such acts of computer misuse encroach upon the rights and privileges that the account owner was granted when he/she obtained the account.
To some extent, computer misuse can occur in two distinct ways. First, a user can exceed his/her privileges on a computer, either by using a computer that he/she has no authority to use, or by using the computer in a way that he/she is not authorized to use it. For example, an unknown outsider can hack into a corporate network and see private, confidential files that he/she is not allowed to view. In such a case, the hacker has exceeded the privileges on the network; he/she sees more than the network was configured to allow. Second, a person can cause a denial of privileges, blocking another user from being able to enjoy full privileges on a computer. For example, a person can launch a denial-of-service attack that disables a network, blocking its usage. In this case, other users will try to exercise their rights to use the network, but will find that they cannot gain access. These two types of computer misuse are two sides of the same coin: in the first case, the user exceeds privileges; in the second, the user denies privileges to others. Both interfere with the rights and privileges that computers have been configured to allow. Computer misuse is a major new form of criminal offence, economically and non-economically, because it can cause serious damage to the system. For example, serious invasions of privacy may result when computer misuse exceeds privileges. Computer misuse has also caused heavy economic loss, although comprehensive figures remain elusive. Experts estimate that computer crimes cause many billions of dollars of loss every year. For example, the “I Love You” virus spread around the world in May 2000 and caused losses to its victims estimated to be as high as $10 billion.
The Computer Misuse Act was introduced in the UK in August 1990. Its aim was to establish what qualifies as lawful activity and what does not, as far as access to and use of any systems and data are concerned. It also recognizes specific activities that will be treated as crimes. For our purposes, a summary of the law is given here, setting out the most common and relevant points from the ethical hacking viewpoint. The summary is as follows:
[Guidance on Computer Misuse Act. 2005.]
[Computer Misuse Act 1990. 2009.]
Computer Misuse Offences:
Unauthorised access to computer resources.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
3A. Making, supplying or obtaining articles for use in offence under section 1 or 3.
Territorial scope of offences under this Act.
British citizenship immaterial.
Significant links with domestic jurisdiction.
Relevance of external law.
Territorial scope of inchoate offences related to offences under this Act.
Territorial scope of inchoate offences related to offences under external law corresponding to offences under this Act.
Miscellaneous and General:
Saving for certain law enforcement powers.
Proceedings for crimes under Section 1.
Conviction of an offence under section 1 in proceedings for an offence under section 2 or 3.
Proceedings in Scotland.
Search warrants for crimes under Section 1.
Extradition where schedule 1 to Extradition Act 1989 applies.
Application to Northern Ireland.
7A. Northern Ireland: search warrants for offences under section 1.
Citation, commencement, etc.
The points above summarize the law by emphasizing the key sections of the “Computer Misuse Act”. The various forms of data on a computer or a network can be used for either positive or negative purposes. An ethical hacker can distinguish himself or herself from the rest by having a good understanding of the implications of the law for his or her day-to-day work.
State of the Law:
Since its introduction in 1990, the law underwent some modifications in 2006. The 2006 modification was actually a side effect of the Police and Justice Act. It was one of the major core laws noted in the British anti-hacking law book. The major change not only states in no uncertain terms that ‘denial of service’ attacks are clearly a crime but also addresses the sourcing of some computer-security-related tools. The implication of this modification was that if an organization provides some kind of disclosure of a vulnerability, either by the use of such a tool or by disclosing the vulnerability itself, then it would be held guilty of releasing security-related vulnerability information which could be misused by criminals for unlawful actions. This may also extend to organizations and other leading software vendors, who could be prevented from releasing third-party security vulnerabilities to their customers or users. This seemingly innocuous Act can actually have many serious legal implications for security experts and ethical hackers as they go about their daily work. The implication explained above was introduced in 2006 and is known as “Computer Misuse Act could ban security tools, 2006”. Some of the implications are clarified below:
Jobs related to computer security and ethical hacking in particular have encountered problems because of this law. Although the law aids the securing of computer data, it has several hidden implications which may not be apparent unless it is carefully studied and understood. The most relevant problems that computer security experts or ethical hackers may encounter as a result of this law are as follows:
An ethical hacker’s responsibilities involve penetrating a network in order to search out the security vulnerabilities visible in it that would give access to applications and data belonging to a different network. The justification behind this is that the hacker aims to look for vulnerabilities, report them and take steps to safeguard against them, rather than misuse the security vulnerabilities to damage the system.
Because the law criminalizes unlawful access to computer information and networks, a far-reaching implication for computer security experts and ethical hackers is that it may restrict the freedom with which a hacker can operate, which can in turn lead to hidden and unaddressed security vulnerabilities.
The law covers a wide range of subjects and can have many seemingly hidden and far-reaching implications which may not be clear and may lead to confusion among the parties involved if there is no clear, strict and written communication about the statement of understanding.
From time to time, even a very simple slip could amount to non-adherence to the law and lead to dangerous legal consequences. Consequently, it is important and essential for an ethical hacker to know the law properly, along with certain things that follow from the law.
Importance of Being Aware of the Law:
The law could put ethical hackers or security experts at a disadvantage because most ethical hacking jobs involve dealing with data and applications that belong to other people or organizations. It therefore becomes essential to have a clear idea of how the law could affect our day-to-day work, and to take sufficient care and precautions while dealing with sensitive and confidential data. The main reasons why an ethical hacker needs to be aware of this law and take precautions are as follows:
For an ethical hacker, the most common jobs involve hacking into different networks or getting access to data and applications belonging to a third party. Hence, the hacker should know well what is legal in performing this function and what is not, so that going forward he would not have to worry about any implications of the law.
In other cases, the parties involved belong to different countries, where these laws may have been implemented in a form tailored to each country and culture. It again becomes necessary for the ethical hacker to understand the specifics of the law of each of the parties involved to avoid a misunderstanding or a miscommunication.
Network and computer security setup is a concept that develops daily. Accordingly, the laws related to computer misuse could undergo changes and modifications. If a hacker is not aware of the new law, he may do something that is illegal under the latest amendments.
Major Points for Every Ethical Hacker:
Although the main points have been noted, there are some further criteria that every ethical hacker should be aware of and follow every day in his/her job. The major points that each ethical hacker must know are as follows:
Every ethical hacker must know the applicable law whenever he/she begins any act that involves hacking.
Ethical hackers working with an organization must be aware of the organization’s ethical agenda and recognize what is considered legal and what is not.
Before beginning any hacking-related activity that involves stakeholders, the ethical hacker should take them into account and must clearly collect the data and details of his/her tools that affect any of the privileges and confidentiality of the parties involved.
If there is any chance of illegal activity and the hacker is in any trouble, he/she must be in contact with someone who can be consulted for legal clarification.
Steps to Avoid Violating the Law:
Up-to-date and thorough knowledge of the law helps an ethical hacker to do his/her job with ample freedom and to stay within legal limits. Some of the steps that an ethical hacker should follow to avoid violating the law are as follows:
The ethical hacker should be aware of all the relevant law in force in the country and must have complete knowledge of how it can affect his/her job; this is one of the major points to consider in order to avoid violating the law.
Before proceeding with any hacking activity, an agreement should be clarified in proper terms and approved for the procurement and use of the necessary documents and resources. The agreement should be an immaculate, formally written document covering all the legal aspects involved.
Before using any new tool that the ethical hacker may not be familiar with, he/she needs a systematic understanding of the legal issues that can arise and of how to avoid overstepping the law.
As we know, security vulnerabilities and related law-breaking will continue to exist and to grow. Ethical hacking is therefore very important for identifying the security vulnerabilities of any network or computer, as they may be exploited at any time. Ethical hacking is a very deep subject with many legal and social aspects. This essay has reviewed the Computer Misuse Act, which is one of the most significant pieces of legislation relating to computer security. The ethical hacking community should be ready to accept this law before undertaking any hacking activity. To keep our networks and computer systems under control, every ethical hacker should follow the exact step-by-step hacking procedures so as not to break the law.