Feeds

Security pros savage Tsunami hacker verdict

Could conviction divide police and IT professionals?

Beginner's guide to SSL certificates

Analysis Last week Daniel Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in costs. As an IT security consultant, it will be a long time before Cuthbert's reputation is restored and it is possible he will never work in the industry again.

But it is going to take just as long for the police to recover their reputation amongst much of the IT security community. The decision to prosecute Cuthbert might be "good PR", as one officer told the Register last week, but it could make it harder for police to chase computer criminals in the future. Some observers believe it will damage the relationship between the police and the security professionals they rely on for information and advice.

Cuthbert, a 28 year old from Whitechapel, London, was a security consultant at ABN Amro, a job he lost as a result of his arrest. He also lectured at Westminster and Royal Holloway universities - ironically he taught some members of the Computer Crime Unit.

On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.

After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action.

In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions.

The police were able to track Cuthbert down because of the donation he made just before running the tests. He was arrested, brought in for questioning and subsequently charged with breaking the Computer Misuse Act.

Feedback to our story on Cuthbert's conviction last week was mostly sympathetic to Cuthbert though some felt he had overstepped the boundaries.

One reader said: "There are occasions where criminal damage charges could be used under this act, but it seems this wasn't one of them. The damage this will have done to the relationship between the police and information security specialists is absolutely immeasurable."

Some have questioned the Met's claim that the verdict, "sends a reassuring message to the general public". One reader said, "the message it sends to the public is that the Met are inhumane and without compassion. They should have exercised discretion and better judgement."

Peter Sommer, a security expert who gave expert evidence for the defence last week, said: "Mr Cuthbert has a lot of friends in the security community - friends the police need contact with - they will certainly feel more wary after this verdict."

But not everyone agreed - Dr Neil Barrett, a computer crime expert recently appointed to advise the EC on Microsoft issues, said: "...the access was unauthorised. He came to a site for which he did not have permission to exceed the normal user levels of access and attempted to elevate that access. Now, it's true that security professionals do such things - on penetration tests - but that's where permission has been given." Barrett does not believe the verdict will have much impact on the security community.

Dr Helg Janicke at De Montfort University said that in the past feedback from users and security professionals had been welcomed by webmasters but that might change.

"We are moving from an informal world to a more formal and regulated one," said Janicke. "It is dangerous for individuals to play with these kind of things." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.