AUSL Technology & the Law

AUSL Technology & the Law

AUSL Technology & the Law RSS Feed
 
 
 
 
« Anti-Wiretapping Law Revisited
Cyber-activism »

Ethical Hacking

by Jenny Anne T. Dones

Introduction

The internet has become increasingly a lawyer’s portal. Information technology advancement has swept through across all professions including the most rigid and bound by stricter ethical and moral standards such as the legal profession. Many websites today are put up and maintained by lawyers, legal researchers, and law students. Law journals, lawyers’ blog and other forms of legal expressions proliferate in the world wide web. The Supreme Court itself, notwithstanding the fact that the internet is perhaps the most unregulated place in the world, in order to cope with the changing times, launched its very own website making it more accessible to the public and rendering information such as decisions, orders, and announcements reach the public at unparalleled speed than the traditional publication.

The use of computer has been a way of life for lawyers and must form part and parcel of the practice lest lawyers run the risk of extinction for being left behind by lawyers who are adept in new technologies. Incidentally, because this profession is as abovementioned governed by unyielding professional ethical standards, a lawyer must have safeguards in place. Take for instance, the 2003 Bar Examination where a lawyer has been disbarred for leaking out Merchantile Law Bar questions taken from the examiner’s computer connected to a law firm office network. The examiner, who allegedly was not aware of the existence of the network, has been severely reprimanded and was not given his honorarium as an examiner for failing to safe keep the exams. Two things can be deduced from this incident: one, as mandated by the Code of Legal Ethics, a lawyer has to keep abreast of new developments not only within the legal sphere but in every aspect of his practice even those which he thought could remotely affect his license such as the use of computer or information technology for that matter; and, two, once again the Supreme Court went beyond the ordinary application of “ignorantia legis, non excusat” by opining that the examiner’s lack of knowledge of the existence of a network penetrable by other than himself, would not excuse him from liability from such either ignorance or negligence.

Criminal hackers with the use of their skills and imagination could easily perpetrate fraud. The legal profession, of all professions, should protect himself from and be aware of fraudulent practices, or that distinguished prestige accorded to it for thousands of decades be lost by the advent of technology. Add to that, the public presumes that lawyers know everything.

This paper provides an informative discourse on ethical hacking as means of protection for businesses and organizations as well as the government and government agencies. These organizations include law firms and legal establishments who have duties towards protecting confidential client information and above all else, of upholding the law and the Constitution which maybe encroached upon as an incident of negligent use of computers and the internet.

It may as well be mentioned that this humble paper endeavour to correct the misunderstanding in the use of the word hacking, both in the enactment of laws, ponentia of court decisions as well as in other legal writing and expressions, so as to synchronize its use with that of the computer community who as experts in this field, the views should be considered no less than proper.

Criminal Hacking Menace

Computer intrusion or criminal hacking is a perennial problem in the information technology arena. The continued high cost of computers and programs restrict the use of computers which challenged some users to probe into the system by stealing passwords or account numbers.1 They often explore for bugs that could get them past the security devices and can do virtually any unthinkable such as defacing, change the entire program at their pleasure, or modify the limitations. Criminal hacking at its worst could set off an Armageddon by manipulating systems such as water, electrical, traffic lights, government facilities in advanced countries where public utilities are run by computers.

Criminal Hacking is one of the many legal issues relating to networks. Around the globe, several laws have been passed to govern e-commerce as well as laws to prevent, apprehend and prosecute many “cybercrimes against persons, property and government”.2

In the Philippines, the first criminal hacking case that leads to conviction was JJ Maria Giner who pleaded guilty to hacking by defacing the government portal “gov.ph” and other government websites, Criminal Case No. 419672-CR filed at Branch 14 of the Metropolitan Trial Court of Manila under Judge Rosalyn Mislos-Loja. Giner was sentenced to one to two years of imprisonment and was ordered to pay a fine of 100,000 pesos.3

In the legal profession, criminal hacking could cost a lawyer his hard-earned license, deprive him of his means of income not to mention the emotional detriments it brings to himself and his family. If the lawyer is not vigilant, criminal hackers could easily penetrate a lawyer’s computer, blog or website, and do virtually anything which may constitute gross violations of the Code of Legal Professions. Without safeguards in placed, criminal hackers could gain access to privileged client information, post an illegal content on lawyer’s blog and purport as the lawyer’s own expression, change logos to pornographic materials, to name a few.

What is Hacking?

Hacking is defined under the E-Commerce Act (RA 8792) as “unauthorized access into or interference in a computer system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft, loss of electronic data messages or electronic document.”

Hacking is done by person called a hacker. A hacker is originally identified as a highly skilled and dedicated computer programmer who enjoys learning the details of computer systems and how to stretch their capabilities.4 Hackers are group of curios people whose aim is to improve and enhance the system mainly for the benefit of the many as compared with most computer users who are satisfied with learning only the minimum requirements for their own purpose. In the information technology community, being called a hacker is a compliment. The Internet Users’ Glossary, amplifies this meaning as “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular .”5

The counterpart of hackers or criminal hackers are popularly known as “crackers”. Crackers intrude computer systems by breaking security devices in placed.6 Initially, their intrusions were fairly benign, until the less talented or less careful ones would accidentally bring down a system or damage files.7 Other times, when these intruders were again denied access once their activities were discovered, they would react with purposeful destructive actions.8 Eventually, these destructions became noticeable to earn media mileage as hacking. After then, the definition of hacker has changed radically over the years. With the aid of the mass media, the word has developed a negative connotation rather than the positive one it used to have.9 The media disregarded the attempts of computer experts to correct the misuse of the word hacking to cracking.

It is unfortunate that the Philippines is no exception. In fact, the first law enacted to govern information technology in the country, the E-Commerce Law of 2002 penalizes hacking and equating it with the word cracking with the use of the conjunction or, to wit:

Section 33. Penalties. – The following Acts shall be penalized by fine and/or imprisonment, as follows:

  1. Hacking or cracking which refers to unauthorized access into or interference in a computer system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft, loss of electronic data messages or electronic document shall be punished by a minimum fine of one hundred thousand pesos (P100, 000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

XXX

By virtue of the above provision hacking in the country is considered a crime. The use of the word “hacking” per se as a crime in the E-Commerce law maybe viewed as a misnomer by professionals in the computer industry because there is what is called “ethical hacking.” In this jurisdiction there could never be an ethical felony or ethical offense. Logically, if hacking is a crime, the term ethical hacking, notwithstanding its awesome benefits cannot not have a place in our legal terms. Although this argument may just be a matter of nomenclature, it is worthy to note that in our rules of statutory construction, use of words in its ordinary industrial context carries a great weight. Thus, criminal hacking or cracking should be distinguished from hacking.

What is Ethical Hacking?

Ethical hacking is essentially the act of unearthing vulnerabilities in a web based application before going live so that they can be fixed before being accessed by anyone. This function is usually undertaken by Vulnerability Assessment (VA) team of organizations such as banks or ISPs to safeguard external facing (internet) applications they host so that they can remediate any vulnerability before a hacker can exploit them.10

Almost all organizations, commercial establishments, and government and agencies wanted to take advantage of the use of computers and the internet but many are anxious about the possibility of intrusion, theft and of course, destruction. In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals or ethical hackers to attempt to break into their computer systems. This scheme is similar to having independent auditors come into an organization to verify its bookkeeping records. In the case of computer security, these ethical hackers would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them.11

An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.12 To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them.13

Ethical hackers normally have very sharp programming and computer networking skills gained after several years of being immersed in the computer and network industry . They are also expert in the use of operating systems such as UNIX** or Windows NT** used on target systems coupled with detailed knowledge of the hardware and software. 14

What makes an ethical hacker different from others is described by CC Palmer in his thesis that “good candidates for ethical hacking have more drive and patience than most people. Unlike the way someone breaks into a computer in the movies, the work that ethical hackers do demands a lot of time and persistence. This is a critical trait, since criminal hackers are known to be extremely patient and willing to monitor systems for days or weeks while waiting for an opportunity. A typical evaluation may require several days of tedious work that is difficult to automate. Some portions of the evaluations must be done outside of normal working hours to avoid interfering with production at “live” targets or to simulate the timing of a real attack. When they encounter a system with which they are unfamiliar, ethical hackers will spend the time to learn about the system and try to find its weaknesses. Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review.”15

Ethical hackers perform a public service when performing hacking activities geared towards determining system vulnerabilities. In that manner, an ethical hacker is able to determine the flaws in the system, fix potential problems and perhaps enhance system’s performance.

Ethical Hacking Tools and Utilities

Although the discussion below is very technical, it pays to be informed specially knowing that these tools are available in the web sometimes for free including the basic know-how on its usage. Furthermore, several of these hacking tools usually have dual used either for both ethical and criminal hacking depending on what purpose the hacking tools and utilities will be used. Some of these tools may actually be used by a legal practitioner to safeguard his own computer files, systems or his web postings. This may also be another aspect which lawmakers should take into consideration in the promulgation of laws regulating the cyberspace.
These tools like any technologies are fast changing and one tool maybe rendered obsolete with the development of new more sophisticated ones. Currently, Brandon Boyce (2007) posted the following Top 15 Security Hacking Tools and Utilities, on top of the many tools available in the industry:16

  1. Nmap (”Network Mapper”) is a free open source utility for network exploration or security auditing. It can rapidly scan large networks, and can work against single hosts. It uses raw IP packets in innovative ways to determine what hosts are open on the network, what services those hosts are offering, what operating systems they are running, the type of packet filters/firewalls are in use, and other characteristics. Nmap runs on most types of computers.
  2. Nessus Remote Security Scanner now a closed source, but is still essentially free. Works with a client-server framework. It is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide to audit business-critical enterprise devices and applications.
  3. John the Ripper a fast password cracker, currently available for Unix, DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords.
  4. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
  5. SuperScan is a powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
  6. P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system. Basically, it can fingerprint anything, just by listening, it does not make any active connections to the target machine.
  7. Wireshark (Formely Ethereal) Wireshark is a GTK+-based network protocol analyzer, or sniffer, can capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.
  8. Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
  9. Eraser is an advanced security tool (for Windows), which allows complete removal of sensitive data from hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.
  10. PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4×0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.
  11. LCP Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.
  12. Cain and Abel Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
  13. Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
  14. NetStumbler a decent wireless tool for Windows although not as powerful as its Linux counterparts.
  15. Hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping is not only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

When Ethical Hacking Becomes Unethical

While testing the security of a client’s systems, the ethical hacker may come across confidential information. Massive financial losses could result in case of publication of this information with real intruders breaking into the systems. During an evaluation, the ethical hacker often holds the “keys to the company,” and therefore must be trusted to exercise tight control over any information about a target that could be misused.17

Another problem with ethical hacking of employed experts is that the “company whose computer was hacked into cannot tell the difference between hacker who entered to exemplify the security flaw, or whether the hacker was involved in some form of espionage. By the time the system’s manager is aware of the illegal entry, it is too late to figure out.”18

The sensitivity of the information gathered during an evaluation in computer security testing requires that strong measures be taken to ensure the security of the systems being employed by the ethical hackers themselves: limited-access labs with physical security protection and full ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper documentation from clients, strong cryptography to protect electronic results, and isolated networks for testing.19

Foremost requirement in availing the services of ethical hackers is that the hired person must be very trustworthy. A contract might be of great help to forestall attempts to divulge confidential information or any other malicious acts of the employed ethical hacker. Execution of contract though in this field do not seem to be yet an industry practice.

Conclusion:

Most people, including legal practitioners maybe under the mistaken impression that their website or computers would not be an easy target by criminal hackers. They would reason out that there is nothing interesting in their systems or in their site that could instigate criminal hackers to intrude. The reality however is that everything is a target for the criminal hackers, oftentimes for a very juvenile reason such as to become well known to their friends or fellow criminal hackers by doing something spectacular or just to show that they can hack.

Yet, the prevailing E-Commerce law was found inadequate to protect the public against cybercrimes determined in the Budapest Convention on Cybercrimes, namely:20

  1. Title 1: Offenses against confidentiality, integrity and availability of computer data and systems which include illegal access, illegal interception, data interference, system interference, misuse of devices;
  2. Title 2: Computer-related offenses which include computer-related forgery and computer-related fraud;
  3. Title 3: Content-related offenses as child pornography;
  4. Title 4: Offenses related to infringement of copyright and related rights.

The law being insufficient, it is imperative that practitioners must know what are the available security measures in order to protect himself to the end of upholding or maintaining the prestige it carries in the society. Although ethical hacking requirements that maybe performed by lawyers and other legal practitioners may not be as intensive as that of other businesses particularly by large banks and financial institutions, it remains to be the best protection they got at this point in time. Prevention is still the best tool against malicious attacks or intrusions into the computer or networks. Because criminal hackers and hacking tools are becoming very sophisticated nowadays, simple protective infrastructure such as encryption, passwords to name a few may no longer be adequate for very sensitive information or for files involving accounts and finances.

This era where security issues and concerns previously confined in the physical world is now extended to the virtual world of information technology, the role of ethical hacking and ethical hackers must be accorded due recognition in the society as much we have given recognition to accountants, auditors, and all other professions. Giving them due recognition would entail enactment of laws to protect their rights as individuals, provisions for government support, and perhaps licensing requirements for the benefit of the companies who hired them. This could forestall ethical hackers from being tempted to becoming unethical for his personal ends. Through this, the benefit of computers and the breakthroughs in information technology would be enjoyed by the society to its fullest extent.

Endnotes

  1. CC Palmer. Ethical Hacking, April13, 2001. http://www.research.ibm.com/journal/sj/403/palmer.html. (Accessed 12 December 2008) []
  2. Rutab, Kristin P. The Proposed House Bills on CyberCrime Prevention, 28 April 28th, 2008. itlawjournal.arellanolaw.net/favicon.ico. (Accessed 4 April 3, 2009) []
  3. http://www.pinoytechblog.com/archives/govph-hacker-convicted-pleads-guilty []
  4. Amador, Vicente. The E-Commerce Act and other Laws of the Cyberspace. 2002 edition. []
  5. Computing and society | Hacking (academia). Wikipedia, Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Hacker_ethic” (Accessed 12 December 2002) []
  6. http://www.stallman.org. (Accessed 31 March 2009). []
  7. Ibid. []
  8. Ibid. []
  9. http://www.computerworld.com (Accessed 31 March 2009) []
  10. Computing and society | Hacking (academia). Wikipedia, Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Hacking_tool. (Accessed 31 March 2009) []
  11. Ibid. []
  12. http:/www.SearchSecurity.com. (Accessed 31 March 2009) []
  13. Ibid. []
  14. Ibid. []
  15. Ibid. []
  16. Boyce, Brandon. Top 15 Security/Hacking Tools and Utilities. 23 July 2007. http:/www.teckh.com/?p=143.(Accessed 3 April 2009) []
  17. Ibid. []
  18. Ibid. []
  19. Ibid. []

April 4th, 2009 | Category: SY08-09b | Subscribe to comments | Leave a comment | Trackback URL

Leave a Reply