Ethical Hacking Case Studies
This week we will be looking at various case studies related to hacking. We will then discuss the various topics in the forums and in the Lab Session.
For each case study I want you to consider:
- What were the technical details of the hack itself?
- What are the legal and ethical considerations here?
- Are there other similar hacks that you have heard of?
Case Study One: The Legal Elements of Hacking
While legislation around cyber security is similar around the world, there are differences.
- Taking Europe as a baseline, the laws are consistent between European countries, as they have to align with European Directives.
- Other jurisdictions may be stricter or less strict.
- Laws may have similar objectives but different technicalities:
  - Computer Crime and Abuse Act 1996 (USA)
  - Euro Directive on Attacks against information systems 2013
Read the attached articles covering ethical hacking cases in three different countries. Consider:
- What were the key interpretations of the Law in each case?
- How do these legal differences affect the ethical hacker?
- What are your views on the Legal decision?
- Were the Judges correct in their findings, or do you disagree?
The UK: Mangham Case
https://www.zdnet.com/article/british-student-jailed-for-hacking-into-facebook/
https://www.bbc.co.uk/news/uk-england-york-north-yorkshire-17079853
This case was considered under the Computer Misuse Act (1990).
Mangham considered himself an ethical hacker, and cooperated with the police during the investigation. Mangham had previously exposed flaws in Yahoo, and submitted bug reports under responsible disclosure.
However, Mangham was sentenced to 8 months' imprisonment after breaking into Facebook and uploading code.
Upon appeal, the sentence was reduced to 4 months.
http://www.bailii.org/ew/cases/EWCA/Crim/2012/973.html
The EU: Krol Case
https://www.csmonitor.com/World/Europe/2013/0115/Should-good-hackers-be-protected-by-law
Krol was fined $1000 for "hacking" a Dutch medical lab (in this case, by using a system password that was available on a forum) and then revealing the security breach to the press.
The court ruled that Krol's intentions were good; however:
- He went to the media at the same time as he went to the company.
- He downloaded and printed more files than were necessary.
Canada: Al-Khabaz Case
https://www.wired.com/2013/01/student-expelled-exposing-flaw/
https://www.infoworld.com/article/2613635/school-that-expelled-student-hacker-may-have-ignored-16-month-old-security-flaw.html
Al-Khabaz discovered a flaw in a student records system and reported it to the college he attended. Later, he ran a vulnerability scan to check whether the issue had been fixed. Al-Khabaz was reported by the hosting company and subsequently expelled from the college.
Links
- CMA Based Legal Cases (http://www.computerevidence.co.uk/Cases/CMA.htm)