This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://management.silicon.com/government/0,39024677,39169556,00.htm
CPS hack attack guidelines: 'Confused'
Distribution differs from intent…
By Tom Espiner
Published: Friday 04 January 2008
Guidelines published this week by the Crown Prosecution Service (CPS) on how to interpret amendments to the Computer Misuse Act (CMA) have been branded "confused" by a renowned security expert.
The CMA amendments criminalise the production, distribution and use of software for malicious attack. Richard Clayton, a security researcher at the University of Cambridge, said that while much of the CPS guidance on how to interpret the amendments was "extremely sensible", there were still "significant difficulties" with the offence of distributing dual-use tools.
The problem, as Clayton sees it, is that many software tools, such as network vulnerability scanners, are dual-use: the same program serves both malicious and benign purposes.
The CPS guidance gives an example of basing a decision to prosecute on how much thought has gone into the way a tool has been distributed. Distribution to a "closed and vetted list of security professionals" should be viewed differently from dual-use tools "posted openly". Clayton argued this was too restrictive.
Clayton said: "For almost all [CMA] offences the prosecution has to prove intent - they have to show you are a bad person. The problem with the guidance on distribution offences is that it catches someone that doesn't write or use [dual-use tools] but merely provides the program on a website. Most security tools are general purpose - they are like Swiss Army knives. Most people use Swiss Army knives for jobs like taking the stones out of horses' hooves. We tend to prosecute the people who use [the knives] to stab other people. We don't prosecute shop keepers for selling Swiss Army knives in the first place."
The CPS guidance, published on Monday, states prosecutors should be aware there is a legitimate security industry that uses dual-use tools. However, the guidance states they should in part base a decision to prosecute on the likelihood of the distributed tool being used for malicious purposes.
Clayton criticised this CPS provision, saying the meaning of a tool being "likely" to be used for criminal purposes remains unclear.
He said: "It's all a bit confused. There's no discussion of what 'likely' might mean. Is this a greater than 50 per cent probability [that the tools will be used maliciously]? This is not the crystal clear guidance we were promised."
Clayton added that some programs, such as penetration testing tools, are designed with the express purpose of breaking into systems, and that the distribution of such tools would be limited by UK law.
The amendments to the CMA were brought into UK law in the Police and Justice Act 2006.
The CPS declined to comment on Clayton's specific criticisms at the time of writing. However, a CPS spokesperson stated: "In accordance with usual practice, prosecutors will consider each case on its own merits. Legal guidance provides prosecutors with pertinent aspects to consider in respect of a potential prosecution."
Tom Espiner writes for ZDNet.co.uk
Copyright © 2008 CBS Interactive Limited. All rights reserved.