DoS and distributed hacking tools finally criminalised

Computer Misuse Act updated

A law criminalising denial of service attacks and the supply of hacking tools has been brought into force in England and Wales after a number of delays. The law was already in force in Scotland.

Denial of service (DoS) attacks involve the simultaneous sending of millions of messages or page requests to an organisation's servers. The sudden, massive deluge of information can render website and email servers inoperable.

The UK's main cybercrime law is the Computer Misuse Act, passed 18 years ago. Its application to denial of service attacks had been the subject of some confusion.

In 2005, charges were brought under that Act against teenager David Lennon, who sent his former employer five million emails at once. The massive volume of email disabled the office server. A Magistrates' Court said that Lennon had no case to answer because the employer's system was designed to receive email. But the High Court later said that the original judge had erred in that ruling. Lennon eventually pleaded guilty and, in 2006, he was sentenced to two months' curfew with an electronic tag.

The first attempt to amend the Computer Misuse Act, to put the illegality of DoS attacks beyond doubt, dates back six years. A Private Member's Bill to amend the Act was introduced by the Earl of Northesk in 2002, but like most Private Members' Bills, it failed to become law.

Changes were made to the Computer Misuse Act in 2006 but they were not made live at the time. In October 2007 they were adopted in Scotland, but not in England and Wales.

The Home Office said that the changes would be brought into force in April 2008, but they were not. The Statutory Instrument to bring them into force was finally passed on 24th September and the changes came into effect for England and Wales on 1st October 2008.

The changes make it a criminal offence to conduct DoS attacks. The original legislation included offences of unauthorised access to computer material and of unauthorised modification of computer material. There is now a new offence of doing anything without authorisation with intent to impair, or with recklessness as to impairing, the operation of a computer.

The new offence carries a maximum penalty of 10 years' imprisonment and a fine. It replaces the more limited offence of unauthorised modification, which carried a five-year maximum sentence.

The changes also increase the maximum penalty for unauthorised access to computer material from six months' imprisonment and a fine to two years' imprisonment and a fine.

The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence". It is also an offence to supply an article "believing that it is likely" to be used to commit such an offence.

The meaning of "article" includes any program or data. The provisions would cover the supply of DoS or virus toolkits. Anyone convicted of breaking this section of the Act could be jailed for up to two years.

This part of the law has been controversial because security researchers have said that it could impede their work.

"The difficulty in the Act is that it says 'any item' and people are worried that that might include information about a piece of software's security vulnerability," Cambridge University security researcher Dr Richard Clayton previously told OUT-LAW.COM. "If you distribute information about a security vulnerability and the bad guys use it to attack it then the information about that vulnerability might qualify."

The Statutory Instrument which came into force this October amends the Police and Justice Act of 2006. The Instrument makes live provisions in that Act which in turn amend the Computer Misuse Act.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
