Feeds

UK bans denial of service attacks

That'll stop 'em

SANS - Survey on application security programs

A law was passed last week that makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison.

There had been concern that Britain's Computer Misuse Act, written in the days before the World Wide Web, allowed denial of service attacks to fall through a loophole. These are attacks in which a web or email server is deliberately flooded with information to the point of collapse.

The 1990 legislation described an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer"; the question was whether that covered denial of service attacks. When a court cleared teenager David Lennon in November 2005 on charges of sending five million emails to his former employer – because the judge decided that no offence had been committed under the Act – the need for amendment seemed obvious.

Lennon's lawyer had successfully argued that the purpose of the company's server was to receive emails, and therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act and that Lennon had no case to answer, so no trial took place. That ruling was overturned and Lennon was sentenced to two months' curfew with an electronic tag. But by that time, amendments to the 1990 legislation were already included in the Police and Justice bill.

It was passed yesterday, becoming the Police And Justice Act 2006. The Act also increased the penalty for unauthorised access to computer material from a maximum of six months' imprisonment to two years.

The 2006 Act expands the 1990 Act's provisions on unauthorised modification of computer material to criminalise someone who does an unauthorised act in relation to a computer with "the requisite intent" and "the requisite knowledge."

The requisite intent is an intent to do the act in question and by so doing:

  • to impair the operation of any computer,
  • to prevent or hinder access to any program or data held in any computer, or
  • to impair the operation of any program or data held in any computer.

The intent need not be directed at any particular computer or any particular program or data.

The wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. Supplying the software tools to launch an attack or offering access to a botnet could be punished with up to two years in prison.

See: The Police and Justice Bill(the relevant clauses are 33 to 36; the Act was not available at the time of writing)asHTML or as a 145-page / 633KB PDF.

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.