The Case For Legitimate Hacking

CyberUp is a campaign dedicated to updating the UK Computer Misuse Act 1990 to reflect modern computer security systems and how they are protected from unauthorised access.  They have published a report arguing that some cyber activities that might currently be seen as illegal should be permitted, because they provide a defence or improve the odds of tracking down criminal hackers.  Their overarching mantra is that any such act ‘causes no or limited harm and delivers benefit’.  The current UK legislation leaves actors such as ‘bug bounty hunters’ and ‘red team’ groups in a grey area where they could be breaking the law while acting for the common good.  Activities for which privileged access to a system has been granted in advance, such as penetration testing, are considered to be legal.

The CyberUp report is based on only 15 respondents; however experienced these might be, their answers cannot be regarded as the views of an entire industry.  The following activities were identified as being of limited harm but delivering system benefits, with the percentage of respondents who took that view:

  • Use of Application Programming Interface (API) keys (82%): API keys allow programs or web interfaces to talk to each other.  They are fundamental to many programmed solutions but unauthorised use could allow a rogue front end to access data bypassing some or all security checks.
  • Banner grabbing (64%): The investigation of networked services running on open ports. These will often be running essential services on well-known ports such as SMTP (mail) on 25. Open ports could allow attackers to exploit system vulnerabilities.
  • Beacons (56%): Programs that send data from a compromised system to an attacker’s IP address. They can also be used to trace the destination of hacked data and hopefully track down the attacker.
  • Implementation of firewalls and network access controls (90%).
  • Use of honeypots (90%): Websites or computer nodes deliberately set up to attract spammers or hackers with the aim of identifying attack vectors and methodologies.
  • Use of open directory listings (73%): Directories without any user/password protection. These might be used to attract attackers in the manner of honeypots.
  • Passive intel (intelligence) gathering (81%): Scanning a network to gather information that is not otherwise protected.  This might yield computer operating systems, IP/MAC addresses and publicly shared files.
  • Port scanning (73%): Looking for TCP/UDP ports that are in use, including open ports.
  • Use of sandboxes / tarpits (100%): Segregated machines or parts of networks that are used to try out or evaluate computer software including potential malware.
  • Server/botnet take down (55%): Removing nodes from a network that are suspected of being part of a malware botnet destined for future or current attacks.
  • Sink holing (73%): Redirecting malicious traffic to a destination where it can be controlled and analysed.
  • Web scraping (64%): Gathering data from web pages, including the automated completion of web forms by bots.  This is often used legitimately to gather marketing data.
  • Malware analysis (91%): Running malware in a secure and isolated environment to investigate its purpose and how it works.

At the opposite end of the spectrum the following were identified as both intrusive and harmful:

  • Hacking back – accessing attacker infrastructure (too many complications regarding compromised infrastructure, potential access to third party data or systems, and possible unintentional targeting of Red Teams).
  • Conducting a denial of service against an entire organisation or multiple assets that are confirmed to be the origin of a bad actor.
  • Sending of malware especially ransomware.
  • Causing harm to many for the suspected or even confirmed actions of a single or few actors.
  • Breaking into a Critical National Infrastructure.
  • Clearly malicious, fraudulent or otherwise obviously socially undesirable acts where the principal aim is malicious.
  • Social engineering of people or organisations that are suspected to be involved in an incident.
  • Anything that may (or may not) be used to validate an exploit or to prove that a security boundary has failed.

The CyberUp campaign responded to the UK government’s call for information on a review of the Computer Misuse Act in June 2021, but no government outcome or response has been published.  The UK is not alone in standing in the shoes of Alice’s Red Queen: legislation stays in the same place while the real-world position of security systems marches onwards.  Legitimate actors within the sector have to adapt to keep up with technological developments and with less responsible hackers.  This requires an awareness of the grey legal areas that organisations such as CyberUp have identified.
