You may have heard of Daniel Cuthbert, the “Tsunami web hacker”, who was recently convicted under the UK Computer Misuse Act 1990 of hacking into the Asian Tsunami appeal website.
The London Metropolitan Police are using this victory to reassure the public that detection systems and legislation are providing protection against hackers. But were Cuthbert’s actions truly malicious? And was the time and money spent investigating and prosecuting him commensurate with his actions?
A closer look at this case reveals that Cuthbert, a respected and experienced IT security consultant, was perhaps acting out of concern that the website he had donated to may have been a spoofed website designed to extort money and information from well-meaning members of the public.
In an attempt to reassure himself that his personal details and money were not at risk he performed a number of simple tests, designed to find more information about the site and whether it was secure.
These tests are frequently carried out by IT security professionals, including myself, when conducting assessments of websites.
It was judged that his actions constituted “unauthorised access to computer material” under section 1 of the CMA.
The actions in themselves do not necessarily constitute an attack or an attempt to gain unauthorised access but are often used just to gather more information about the systems on which a website is hosted.
An actual attack would consist of further, more aggressive requests made to the website following the initial information gathering.
If you spot a man knocking on the door of a house, are you correct to assume he is checking to see if anyone is home before breaking in?
So why were the authorities alerted in Cuthbert’s case? The intrusion detection systems monitoring the website picked up his tests, but were they serious enough to warrant notifying the police?
I would expect that an experienced, well-trained operative would have dismissed these alerts as a commonly occurring minor probe, or at most would have marked them for future monitoring in case further attempts were made.
Reporting this sort of incident is like an over-zealous neighbourhood watch member phoning the police every time a stranger knocks on their neighbour’s door.
If there has been a spate of burglaries, their paranoia could be forgiven, but was there any evidence of a real threat?
Should we be concerned that the Metropolitan Police was willing to follow this up and attempt to prosecute based on the evidence provided?
Would the neighbour’s report be sufficient evidence that the stranger intended to burgle the house? Especially considering that the so-called burglar left his name, address and credit card details in a note on the door.
In this case it seems it was, and this implies the CMA itself is at fault if a possibly innocent action results in a prosecution. If there is nothing wrong with the law, maybe the people responsible for enforcing it require better knowledge or advice to enable them to make more informed decisions.
Some may argue that Cuthbert as a security professional should not have performed the tests knowing that they may trigger some intrusion detection systems.
But even knowing this, I am sure he would never have expected to be sentenced in court 10 months later and that he would lose his job as a result of his actions.
Wherever the fault lies in this case I do not feel justice has been served. If the CMA continues to be interpreted in this way by its enforcers I do not believe that the public will benefit or that they should feel any safer.
It is possible that more people may unwittingly or accidentally fall foul of the CMA as it stands even when their intentions may be entirely innocent.
By Mark Rowe of Pentest, an IT security company that provides independent security consultancy services to organisations across the UK, Europe and North America. www.pentest.co.uk