Archive for December, 2006

Future BI-Attack Vectors

December 12th, 2006 * Comments(0)

A few months ago David Maynor and Jon Ellch brought “Wireless Device Driver” hacking to our attention. Since then I have seen drivers being exploited all over the show. Now the popular open source “MadWifi” drivers have been targetted and exploited.

Other Wireless drivers that have been hit:
- DLink
- Broadcom
- Netgear
- Apple Airport
See http://projects.info-pull.com/mokb/

What do you do? Stop using Wireless :) Call me old fasioned but I have never liked the idea that my internal network becomes “virtually” accessible 24/7 to complete strangers. Yes, one can implement VPN solutions, blow whistles and swing on a trapezium blind folded, but whether we like it or not Wireless presents an additional entrance point for an “external” attacker.

I don’t believe these are the only future attack vectors, but I do like David Maynor’s words:
“The OS vendors have been hardening the operating system a lot, so now attackers have two choices. They can go up to the application level, or they can go lower to the device driver level..”

UK Hacking Laws

December 02nd, 2006 * Comments(4)

I have seen a few posts on various mailing lists and messaging boards regarding vulnerabilities found on a particular website or applicatation. Is there a danger that security researchers may be convicted in their attempts to discover new vulnerabilities? Even more scary is the new ammendment to the CMA. Having had to review this over the past few weeks, I thought I might summarise the legal “acts” relating to hacking in the United Kingdom and to share some future developments.

CMA - Computer Misuse Act, 1990

This act mentions 3 computer hacking offenses and defines them as follows:
1. Unauthorised access to a computer system.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

HRA - Human Rights Act, 1998

The HRA covers our basic human rights and priviledges. Its aim is to “give further effect” in UK law to the rights contained in the European Convention on Human Rights. The area affecting Hacking is the “Right to Privacy”. Storing or sharing personal information about another person without consent could be a breech of the Human Rights Act.

RIPA - Regulation of Investigatory Powers Act, 2000

“It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission…” RIPA basically defines what data can be intercepted and in what circumstances - although this act seems to mainly apply to phone systems and the postal service.

The Future

The CMA is outdated. It does not cover areas like Denial of Service attacks. A number of discussions have taken place this year. However, more interestingly, an ammendment to the CMA will include:

A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article –
(a) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3 [of the Computer Misuse Act]; or
(b) believing that it is likely to be so used.

References

http://www.opsi.gov.uk/ACTS/acts1990/Ukpga_19900018_en_1.htm
http://www.opsi.gov.uk/ACTS/acts1998/19980042.htm
http://en.wikipedia.org/wiki/Human_Rights_Act_1998
http://www.opsi.gov.uk/Acts/acts2000/20000023.htm

« Previous Page

Recent