# Ethical Hacking Case Studies
This week we will be looking at various case studies related to Hacking.
We will then discuss the various topics in the forums, and in the Lab Session.
For each case study I want you to consider:
- What were the **technical details** of the hack itself?
- What are the **legal** and **ethical considerations** here?
- Are there other similar hacks that you have heard of?
# Case Study One: The Legal Elements of Hacking
While legislation around cyber security is similar around the world, there are differences.
- Taking Europe as a baseline, the laws are consistent between
European countries, as they have to align with European Directives
- Other jurisdictions may be stricter or less strict.
- Laws may have similar objectives but different technicalities:
  - Computer Crime and Abuse Act 1996 (USA)
  - Euro Directive on Attacks against information systems 2013
Read the attached articles covering ethical hacking cases in three different countries.
Consider:
- What were the key interpretations of the law in each case?
- How do these legal differences affect the ethical hacker?
- What are your views on the legal decision?
- Were the judges correct in their findings, or do you disagree?
## The UK: Mangham Case
https://www.zdnet.com/article/british-student-jailed-for-hacking-into-facebook/
https://www.bbc.co.uk/news/uk-england-york-north-yorkshire-17079853
This case was considered under the Computer Misuse Act (1990).
Mangham considered himself an ethical
hacker, and cooperated with the police during the investigation.
Mangham had previously exposed flaws in Yahoo, and submitted bug
reports under responsible disclosure.
However, Mangham was sentenced to 8 months' imprisonment after breaking
into Facebook and uploading code.
Upon appeal, the sentence was reduced to 4 months.
http://www.bailii.org/ew/cases/EWCA/Crim/2012/973.html
## The EU: Krol Case
https://www.techdirt.com/articles/20130218/00403422011/dutch-parliament-member-fined-hacking-he-says-he-was-just-exposing-security-flaw.shtml
https://www.csmonitor.com/World/Europe/2013/0115/Should-good-hackers-be-protected-by-law
Krol was fined $1000 for "hacking" a Dutch medical lab (in this case
using a system password that was available on a forum), and then
revealing the security breach to the press.
The Court ruled that Krol's intentions were good, however:
- He went to the media at the same time as the company
- He downloaded and printed more files *than were necessary*
## Al-Khabaz Case (Canada)
https://www.wired.com/2013/01/student-expelled-exposing-flaw/
https://www.infoworld.com/article/2613635/school-that-expelled-student-hacker-may-have-ignored-16-month-old-security-flaw.html
https://www.huffingtonpost.ca/2013/01/22/ahmed-al-khabaz-dawson-hacking-expelled-jobs_n_2529045.html?guccounter=1&guce_referrer_us=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_cs=jxn0B5csVbZhrugW7d3pbA
Al-Khabaz discovered a flaw in a student records system, and reported
it to the College he attended. Later, he ran a vulnerability scan to
check if the issue had been fixed. Al-Khabaz was reported by the
hosting company, and subsequently expelled from college.
## Links
- CMA-based legal cases
  (http://www.computerevidence.co.uk/Cases/CMA.htm)