Feeds

Security pros savage Tsunami hacker verdict

Could conviction divide police and IT professionals?

Next gen security for virtualised datacentres

Analysis Last week Daniel Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in costs. As an IT security consultant, it will be a long time before Cuthbert's reputation is restored and it is possible he will never work in the industry again.

But it is going to take just as long for the police to recover their reputation amongst much of the IT security community. The decision to prosecute Cuthbert might be "good PR", as one officer told the Register last week, but it could make it harder for police to chase computer criminals in the future. Some observers believe it will damage the relationship between the police and the security professionals they rely on for information and advice.

Cuthbert, a 28 year old from Whitechapel, London, was a security consultant at ABN Amro, a job he lost as a result of his arrest. He also lectured at Westminster and Royal Holloway universities - ironically he taught some members of the Computer Crime Unit.

On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.

After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action.

In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions.

The police were able to track Cuthbert down because of the donation he made just before running the tests. He was arrested, brought in for questioning and subsequently charged with breaking the Computer Misuse Act.

Feedback to our story on Cuthbert's conviction last week was mostly sympathetic to Cuthbert though some felt he had overstepped the boundaries.

One reader said: "There are occasions where criminal damage charges could be used under this act, but it seems this wasn't one of them. The damage this will have done to the relationship between the police and information security specialists is absolutely immeasurable."

Some have questioned the Met's claim that the verdict, "sends a reassuring message to the general public". One reader said, "the message it sends to the public is that the Met are inhumane and without compassion. They should have exercised discretion and better judgement."

Peter Sommer, a security expert who gave expert evidence for the defence last week, said: "Mr Cuthbert has a lot of friends in the security community - friends the police need contact with - they will certainly feel more wary after this verdict."

But not everyone agreed - Dr Neil Barrett, a computer crime expert recently appointed to advise the EC on Microsoft issues, said: "...the access was unauthorised. He came to a site for which he did not have permission to exceed the normal user levels of access and attempted to elevate that access. Now, it's true that security professionals do such things - on penetration tests - but that's where permission has been given." Barrett does not believe the verdict will have much impact on the security community.

Dr Helg Janicke at De Montfort University said that in the past feedback from users and security professionals had been welcomed by webmasters but that might change.

"We are moving from an informal world to a more formal and regulated one," said Janicke. "It is dangerous for individuals to play with these kind of things." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?