Assignment 4.1 "Hacking" Laws - JNichollsCyber/SEC-335-Eth-Hacking-Pen-Testing GitHub Wiki
Assignment 4.1 - Hacking Laws
Throughout the course we will be exploring the legal and ethical implications of hacking and what that means for pen-testers.
1. Review the excerpt of the Computer Fraud and Abuse Act (CFAA) found at https://www.law.cornell.edu/uscode/text/18/1030Links to an external site.
It can be hard to follow, but read sections (2) "Intentionally access a computer with..." to (7) "With intent to extort from any person..."
Deliverable 1. Write a paragraph or two on how you think those conditions should be interpreted by Pen-Testers and what measures must testers have in place to avoid violating the CFAA.
These conditions should be interpreted as always having clear intentions and not try to gain access to any system you do not have access to. These should also be interpreted as the pen tester should avoid any systems you do not have explicit written permission to exploit. These conditions should also be interpreted as not accessing any information they are not authorized to see.
The measures that testers need to have to avoid these include a clear outlined scope including specific systems and data they can access, confirming the individual giving you access has the authority to do so, and having a clear timeframe for these tests. Having a clearly defined scope prevents you from attempting to access systems that hold classified data. Confirming the person giving you access has the authority to do so can prevent jail time. There have been situations where testers didn't confirm this was the case and ended up in jail as a result. Having a clear time frame for the tests allows tests to be completed in an effective manner which protects the testers as well.
2. Vermont's state law (Title13 Crimes, Chapter 87 Computer Crimes) is much more straightforward:
http://legislature.vermont.gov/statutes/fullchapter/13/087Links to an external site.
With particular attention to Sections 4102-4105:
Deliverable 2. Write a paragraph or two on how you think those conditions should be interpreted by Pen-Testers and what measures must testers have in place to avoid violating Vermont Title 13.
These conditions should be interpreted as, always needing written definite approval before exploiting any system or network. As mentioned above, a clearly defined scope is essential to this field of work because it protects both you and your employer from legal trouble. Having this clearly defined can help testers from violating Vermont Title 13.
3. Research on the FBI Cyber Most Wanted:
Deliverable 3. Visit the FBI Cyber Most Wanted Page: https://www.fbi.gov/wanted/cyber and select one individual/group to research and answer the following:
-
Brief Description of Crimes (Short Paragraph)
-
What was there motive (Why do you think that carried out their activity- short paragraph)?
-
What was their intent (what did the hope the intended outcome was - short paragraph)?
The individual I chose to write about is named Kim Il. He stands being accused of conspiray to commit wire fraud and bank fraud as well as conspiracy to commit compter related fraud. This attacker is allegedly state sponsored by North Korea and is part of those responsible for some of the costliest computer intrusions throughout history. He is rumored to be a part of the "Lazarus Group". His motive was likely out of general hatred for the west and their way of life, heavily contrasting the way of life in North Korea. The likely intent was likely exactly what happened, to cause American companies/agencies to lose a very large amount of money. The goal doesn't seem to be to keep the money for themselves, just for the US to lose it.
Sources
https://www.law.cornell.edu/uscode/text/18/1030