topic Re: Unauthorized Access or Fixing a Technical Complication? in Industry News

Unauthorized Access or Fixing a Technical Complication?

Baechle — Wed, 09 May 2018 19:47:41 GMT

Colleagues,

I'd like to get the community dialog regarding the legal term, "Unauthorized Access". I've seen quite a few articles in recent history that condemn the language in the current set of acts making up Title 18 U.S.C. § 1030 as being too restrictive of computer security researchers by simultaneously being too vague. I've heard very reasonably sounding arguments on both sides that simply fail logic tests.

Georgia recently vetoed a bill proposing language in its state laws defining "Unauthorized Access," (Senate Bill 315, Computer Crimes; create a new crime of unauthorized computer access; penalties, http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315). I'm personally confused why we feel the need to define this further than we commonly use the words, unauthoized and access.

In reading the Wired article by Lily H. Newman, A Georgia Hacking Bill Gets Cybersecurity All Wrong (https://www.wired.com/story/georgia-sb315-hacking-bill-wrong/), there was a reference to a prior Wired article from 2014 authored by Kim Zetter, Hacker Lexicon: What is the Computer Faud and Abuse Act? (https://www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/).In the earlier article, Zetter argues that the language of the current CFAA criminalizes legitimate security research. I've read, and reread this article. I've read numerous other articles making the same claim. Each of them has a similar argument, so I'm only referencing the first and primary one by Zetter here.

In the Zetter article, the argument is made for Prosecutorial abuse by overstretching the language of unauthorized access to mean creating a Sock Puppet account against a service provider's terms of service. Here is my take on this concept. If the person would otherwise have been able to obtain an account by using their true identity and registration details, then this is not an unauthorized access but a breach of terms of a contract. If, on the other hand, the person would not have been able to obtain an account with their true identity and registration details because they had been banned personally or because they are a member of a group that was banned (for example, an employee of a competitor), then this would be unauthorized access. In the first case the use of false identity is simply a misuse of the service, while in the second it's clearly an attempt to circumvent being denied an account.

The Zetter article continues to discuss the proposed "Aaron's Law" amendment to the CFAA that would specifically exempt changing MAC or IP addresses as exemplar methods of circumventing access controls. Here is the essential breakdown. We have one set of security professionals running around saying, Port Security and IP Tables are forms of network Access Control Lists. Then, we have another set of security professionals running around saying that things like circumventing Access Control Lists isn't a method of gaining "Unauthorized Access".

Which side of this argument do you reside?

Re: Unauthorized Access or Fixing a Technical Complication?

JoePete — Wed, 09 May 2018 20:09:04 GMT

Rather than worrying about creating a new concept of "unauthorized access," we could just apply the traditional definition of "trespass" to the digital realm. Broadly, trespassing has been defined as knowingly entering another person's property without permission. In the US we also have case law that further defines trespassing. The problem is legislators and judges think we need new laws because we are dealing with new crimes. These are just old crimes being performed in a new medium.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Wed, 09 May 2018 20:21:35 GMT

Thanks Joe,

I appreciate your input. If my memory serves me right, we used to define "unauthorized access" as "electronic trespass".

@JoePetewrote:
The problem is legislators and judges think we need new laws because we are dealing with new crimes. These are just old crimes being performed in a new medium.

In this case, we have security pros saying that they should have the right to perform security based research and that the wording of the CFAA is so vague that it wraps their activities up in the criminal definition of "Unauthorized Access." For example, an organization that provides WiFi access for their employees limits that access through a combination of static IP assignment and MAC filtering (presumably because 802.1x is currently too expensive to field/maintain with their current budget and staff). The security researchers propose that solely on the basis that these security controls are easy for them to circumvent, then they are legally the equivalent of no security control.

How do you feel about that position?

Re: Unauthorized Access or Fixing a Technical Complication?

denbesten — Wed, 09 May 2018 21:19:23 GMT

@JoePete has the correct analogy.

Should a self-proclaimed "security researcher" have the right to come up to my front door and ring the doorbell? Absolutely. Check if the door is locked? Questionable. Come inside to "see" if my TV is bolted down? Absolutely not. If the "researcher" keeps ringing my doorbell and I ask them to go away, they must do so.

The digital domain needs similar thresholds.

Authorized red teams protect themselves with a contract that explicitly includes scope-of-work, safeword provisions and authorization to proceed. If a self-proclaimed security researcher wants this level of protection, they need a similar legal instrument. I understand that getting permission from "everyone" is difficult and perhaps impossible, but that hurdle should not shield them from damage claims if they cause harm.

That said, we likely need to enumerate the digital equivalents of "ringing the doorbell" through legislative action before case law does it for us.

Re: Unauthorized Access or Fixing a Technical Complication?

JoePete — Wed, 09 May 2018 21:25:29 GMT

@Baechlewrote:

I appreciate your input. If my memory serves me right, we used to define "unauthorized access" as "electronic trespass".

Good point.

In this case, we have security pros saying that they should have the right to perform security based research and that the wording of the CFAA is so vague that it wraps their activities up in the criminal definition of "Unauthorized Access."

Two aspects of physical trespass recognized in many US states are

Some sort of intent - you know you're not supposed to be there but you go there anyway.
The property owner has to give you some sort of warning.

For security researchers, let's say someone is just probing different networks, access points, I think we need to define at one point you in fact trespass vs. you are just looking around. If you manage to obtain an IP address on a network that could be an important distinction. But if all I am doing is intercepting, examing WiFi traffic or doing a port scan of an Internet facing server, to me that is the equivalent of standing at the edge of someone's property and looking. Arguably even gaining an IP from a poorly secured network might not be unauthorized access any more than stepping onto to private property that isn't marked or secured as such is physical trespassing. I think there is also a concept of "abandoned" property. Just as if I am walking down the street and I see on the curb a TV, I can assume someone has left it there for the trash or to be picked up for free, if I come across a network or device on a network that lacks any reasonable care - never been patched, poorly secured, can I assume it is abandoned and free for exploration or use? Certainly that raises issues. Ethically, you should never enter a network without permission, but in broader legal context, it raises and interesting defense.

Re: Unauthorized Access or Fixing a Technical Complication?

vt100 — Wed, 09 May 2018 22:12:50 GMT

It is an interesting question.

I posit that the definition and qualification of "Security Researcher" should be defined in addition to the "Unauthorized Access".

If you are registered, qualified and are subject to the code of conduct with repercussions for violations, you should be able to perform research that, as well as reporting of its findings, are governed by law.

Should the above be omitted, we'll be at the mercy of the foreign crime perpetrators that seldom care about our interpretation of the terms.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Fri, 11 May 2018 13:46:17 GMT

Joe,

@JoePetewrote:
Two aspects of physical trespass recognized in many US states are
Some sort of intent - you know you're not supposed to be there but you go there anyway.
The property owner has to give you some sort of warning.

One of the problems that I think we run into is that we often attempt to describe the online world through physical parallels and analogies without running them to their end. As you point out, in the physical world trespass often requires notice and then willful disobedience of the notification.

The problem with applying this physical parallel to the online world is that we often stop here. The logical translation of this parallel to the online world means that there has to be some banner announcement or click-wrap agreement telling someone they're not welcome to meet the online version of "notice."

We've failed to fully apply the custom from the physical world in that context. In the physical world we equate certain physical barriers (like a locked door) with notice. For example, a locked door doesn't mean we can crawl in through the bathroom window or smash the front windows with a brick. It generally means "go away"; or at most, come back and try [to open the front door normally] again later. A host that answers the door, telling you the business is closed for a private party for township residents doesn't mean you can then lie about your home address (or IP address) to gain admittance. Knowingly providing materially false information (an address) that is relied upon to confer a benefit (admittance) is the textbook definition of fraud.

@JoePetewrote:
For security researchers, let's say someone is just probing different networks, access points, I think we need to define at one point you in fact trespass vs. you are just looking around. If you manage to obtain an IP address on a network that could be an important distinction. But if all I am doing is intercepting, examing WiFi traffic or doing a port scan of an Internet facing server, to me that is the equivalent of standing at the edge of someone's property and looking.

I'm with you here, but you also changed the scenario. This is less on par with the arguments that were being made by security researchers, and more on par with a civil case involving Google mapping WiFi hot-spots. Google eventually won in appeals.

Let's talk about looking around. We can't throw a brick through the window; or send a destructive packet without invoking the CFAA's damage clause. So, let's assume that we sent data but it's just getting dropped. We might make an assessment that the target is using 802.1x, MAC or IP filtering. In my opinion, that's as far as looking around goes. That is the equivalent of seeing something that looks like a bathroom window on the side of the building.

If you then change your MAC or IP address to gain access, you have done the equivalent of walking up and opening the window on the precipice of going inside; or lied about your home address and age to the bouncer at the front door. In the physical world you can stop there and turn away. You can open the window (presumably without sticking your fingers inside - known as crossing the threshold) or lie to the bouncer, and then never actually go inside the building. In the online world you can't well separate the preparatory act of transmitting the spoofed-MAC/IP packet (either opening the window or lying to the bouncer) with the functional act of accessing the network (going inside the building).

EDIT: These acts online simultaneously cross the threshold and place the actor inside the network. In my opinion therefore, an actor just gained Access to the system using the common definition of access. Because they had to lie about the origin of their traffic by masking their MAC or IP Address, circumventing an Access Control List, then it was Unauthorized. Hence, Unauthorized Access.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Wed, 09 May 2018 22:51:33 GMT

@vt100wrote:
I posit that the definition and qualification of "Security Researcher" should be defined in addition to the "Unauthorized Access".

If you are registered, qualified and are subject to the code of conduct with repercussions for violations, you should be able to perform research that, as well as reporting of its findings, are governed by law.

It sounds like you are in favor of a formal licensing scheme for computer security practitioners, something on the order of Private Investigators, Accountants, Engineers, Doctors, etc.?

I personally don't think we need to go any further in defining what unauthorized access is. I believe that we need to start spending more time thinking critically about what defines "unauthorized" in the online world. I think based upon several conversations with folks that have admitted to hacking, that the problem is we psychologically devalue the stress and cost of gaining unauthorized access to a computer because it's usually not in-person. We don't see the nonverbal cues of annoyance, anguish, violation in a person's facial expressions or body language like we might if we happened to crawl in through someone's side window and silently peer at all their personal belongings, flip through their wedding album and check book, then silently leave again without stealing anything.

I believe the definition of "unauthorized access" is fine in its common form. What I think we need to do is to think more critically about what the impact of various online actions are.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Wed, 09 May 2018 23:11:19 GMT

William,

@denbestenwrote:

Authorized red teams protect themselves with a contract that explicitly includes scope-of-work, safeword provisions and authorization to proceed. If a self-proclaimed security researcher wants this level of protection, they need a similar legal instrument.

I think you hit the nail on the head with this statement. If you are going to attempt to gain access to a system, that you don't otherwise have authorization to access then you should have an agreement or other contract permitting you to do so. The agreement is then you're authorization.

@denbestenwrote:

That said, we likely need to enumerate the digital equivalents of "ringing the doorbell" through legislative action before case law does it for us.

I think that these standards already exist. I believe where we are getting into trouble is by failing to put enough time into critically thinking about the consequences of various online actions.

I don't want to start a religious discussion but another parallel is in order. Many of my friends argue over religion, and one of the tools that they use is cherry picking their arguments from the religious texts. Cherry picking involves taking the portion of a statement that supports their claim and leaving the portion out that either would negate or refute their claim. I believe this is what we as a community have been doing with our Online to Physical analogies.

The discussion about "notice" under trespass rules is a perfect example. We often stop at defining notice for the online world meaning something a person has to read and agree to, in order to move on. Lacking a notice, a person has free range.

What we forgot to do is apply the common understanding that other scenarios are equivalent to "notice". A locked door is equivalent to notice. A qualifier check that you don't meet is equivalent to notice, ie. a bouncer that refuses you access because of your age or residency status; or an IP address filter that drops traffic from your range.

If you know that you have to lie about the origin of your traffic to gain admittance, then you have been properly notified (or given the knowledge) that traffic from your IP address is unwelcome... and logically you would have had to have been notified for you to have acted on that knowledge in circumventing that access control.

Re: Unauthorized Access or Fixing a Technical Complication?

Lamont29 — Wed, 09 May 2018 23:35:44 GMT

I think that the proponents of either side have either misinterpreted or stretched the meaning of authorized/unauthorized access. The word ‘access’ is so normalized in the information security profession, I barely know how to break it down any further. Maybe the law clerks or lawyers who are writing these laws have a poor understanding of information systems? These are poor semantics and misinterpretations as far as I can tell. I might dig deeper later.

Re: Unauthorized Access or Fixing a Technical Complication?

denbesten — Fri, 11 May 2018 05:18:10 GMT

@Lamont29wrote:
The word ‘access’ is so normalized...

I think the more relevant discussion is around the word "Unauthorized" (or authorized).

An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access? As described it the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

It also raises the question of negligent software design, but that is a whole different conversation.

Re: Unauthorized Access or Fixing a Technical Complication?

denbesten — Fri, 11 May 2018 05:37:07 GMT

@JoePetewrote:
I think there is also a concept of "abandoned" property. Just as if I am walking down the street and I see on the curb a TV, I can assume someone has left it there for the trash or to be picked up for free.

If it is next to the trash can on trash day, that seems a reasonable presumption. However, if it were a kids bike on some other day, it is much more likely to be mislaid property, which you have an obligation to return to the true owner. Check out wikipedia for more comprehensive insight.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Fri, 11 May 2018 17:06:36 GMT

William,

EDIT: I apologize, I had to edit this reply. It was apparent when I reread your example, you were clearly stating that this was not an example of "Unauthorized Access". This example however, does pick one of the handful of clauses of the CFAA (18 USC § 1030) that deals with causing or attempting to cause damage, regardless of the level of access.

So, I'm leaving my original reply with the caveat that it is off topic.

@denbestenwrote:
An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access?

I absolutely love this example. Not only is it cute, but it also subtly illustrates what I believe is an input to the problem. Computer folks, especially security professionals, and hackers likely the most of all, think they’re clever.

Let me break this cartoon down using legal analysis. The mother names her son using the construct of an SQL injection. It’s clever because it causes data destruction and presumably avoids a penalty because the school staff are the ones that entered the command.

@denbestenwrote:
As described it the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

If I understand your conjecture right, you either think (a) this doesn't meet the definition of "Unauthorized Access"; or (b) you believe that this type of behavior is legitimate. I agree with (a), but completely disagree with (b).

The problem is that that the same example shows knowledge and intent to cause damage, meeting the conditions of 18 USC § 1030(a)(5)(A). First, you might presume that the child’s name was just a random happenstance except that it was specifically the exact syntax needed to cause an SQL injection, the likelihood of such a random occurrence being so low as to be unreasonably a coincidence. Second, the mother then confirms she understood the concept of SQL commands and tables, SQL syntax, and input sanitization; effectively stating that she knew or should have known that the name had a high probability of causing a damage-inducing SQL injection. And putting in process a chain of events so as to cause another person to input the data qualifies under 18 USC § 1030(a)(5)(A) . So, it is not as clever as originally thought.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Fri, 11 May 2018 17:21:39 GMT

Lamont,

I appreciate you weighing in on this!

@Lamont29wrote:
The word ‘access’ is so normalized in the information security profession, I barely know how to break it down any further. Maybe the law clerks or lawyers who are writing these laws have a poor understanding of information systems?

I respectfully request that you re-read the thread with the understanding that the claims on either side are being made by security professionals – not lawyers and law clerks. There is a divide in our own profession.

We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.

Where do you sit on this debate?

Re: Unauthorized Access or Fixing a Technical Complication?

Lamont29 — Fri, 11 May 2018 17:49:58 GMT

@Baechlewrote:

We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.

Where do you sit on this debate?

Okay,

I have a better understanding now. The only issue to consider is the ‘intent’ as a matter of legality. We as information security professionals are also required to consider common laws, criminal laws and other forms of regulations and the spirit of those laws and regulations. A hacker cannot offer a defense in court “because it was so easy…” and expect to be exonerated for breaching that access. If I wanted to legally mitigate a perpetrator’s action of making my yard a short-cut, then the I only need to post “Do Not Trespass” signs. There’s nothing etched in law that requires me to build a 10-foot high, razor, electric fence around my property the prisoners would admire.

I may choose to set up a small business network utilizing Windows NT (easy to break). Yet, if I put in the security controls, the banners, and do my due diligence to keep the information residing in my NT network from prying eyes, no court will step out of the box and say, “Well you could have used BSD, LINUX or Windows 2008 or higher for better security!” The answer to this question that well all ought to adopt is clearly stated in our code of ethics as ISC2 professionals: “Act honorably, honestly, justly, responsibly, and legally.”

Maybe we can offer better advice to discourage poor security configurations, but we should never use our knowledge, skills, and ability to do harm.

Re: Unauthorized Access or Fixing a Technical Complication?

denbesten — Fri, 11 May 2018 21:21:15 GMT

A more realistic example are the last names O'Conner and den Besten. Often times, they will error-out a web site that does not sanitize data inputs, or the web site will corrupt them into Oconner, Denbesten, or Besten.

My intended observation was that entering malicious input through the published web interface is likely "authorized access", whereas mucking about with the page to bypass an input validator is much more likely to be "unauthorized".

You correctly highlight that even being authorized access, the cartoon taken at face value likely would run afoul of other laws, but that is not the point of Bobby Tables. It's goal is to remind developers to skeptically handle inputted data, and does so in an engaging fashion that a techie can quickly grasp.

@Baechlewrote:
The mother names her son using the construct of an SQL injection. It’s clever because it causes data destruction and presumably avoids a penalty because the school staff are the ones that entered the command.

@denbestenwrote:
As described it the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

If I understand your conjecture right, you either think (a) this doesn't meet the definition of "Unauthorized Access"; or (b) you believe that this type of behavior is legitimate. I agree with (a), but completely disagree with (b).

The problem is that that the same example shows knowledge and intent to cause damage, meeting the conditions of 18 USC § 1030(a)(5)(A). First, you might presume that the child’s name was just a random happenstance except that it was specifically the exact syntax needed to cause an SQL injection, the likelihood of such a random occurrence being so low as to be unreasonably a coincidence. Second, the mother then confirms she understood the concept of SQL commands and tables, SQL syntax, and input sanitization; effectively stating that she knew or should have known that the name had a high probability of causing a damage-inducing SQL injection. And putting in process a chain of events so as to cause another person to input the data qualifies under 18 USC § 1030(a)(5)(A) . So, it is not as clever as originally thought.

Re: Unauthorized Access or Fixing a Technical Complication?

Flyslinger2 — Wed, 16 May 2018 15:47:29 GMT

"We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control."

I need to learn the quoting methodology here!

Just because the security "professional" knows more then the Geek Squad kid who knows just enough to keep his 70 year old customer safe is not license to step beyond the border of the elderly person's enclave. Both physically and logically that border is defined by an IP/Mac combination (logic) and NIC/FIOS Gateway (physical). I don't think FIOS would agree with the security "professionals" definition of probing their network to see which gateway units are stock or modified with tighter controls.

This is not subjective. We professionals that do take security seriously, that have scruples and respect the intent of others even if they aren't as knowledgeable as us, are duty bound to continually educate those in our sphere of influence on new trends in securing themselves and the issues that are out there.

I do this with my facebook community and those that I lead in church.

Re: Unauthorized Access or Fixing a Technical Complication?

Baechle — Wed, 16 May 2018 16:46:32 GMT

Mark,

@Flyslinger2 wrote:
I need to learn the quoting methodology here!

I recently got schooled in this also. 🙂

@Flyslinger2 wrote:

Just because the security "professional" knows more then the Geek Squad kid who knows just enough to keep his 70 year old customer safe is not license to step beyond the border of the elderly person's enclave. Both physically and logically that border is defined by an IP/Mac combination (logic) and NIC/FIOS Gateway (physical). I don't think FIOS would agree with the security "professionals" definition of probing their network to see which gateway units are stock or modified with tighter controls.

I completely agree with your assessment. Knowledge of how to circumvent a security control != authority to then circumvent that control. Using that logic, the attackers' mere knowledge of a method to circumvent a security control invalidates that security control as a legal barrier to entry.

Many public facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together. Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing site is passing database queries through the browser, is exceeding their authorized access.

What are your thoughts on the last example? I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.

Sincerely,

Eric B.

Re: Unauthorized Access or Fixing a Technical Complication?

Flyslinger2 — Thu, 17 May 2018 11:47:13 GMT

Many public facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together. Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing site is passing database queries through the browser, is exceeding their authorized access.

What are your thoughts on the last example? I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.

Sincerely,

Eric B.

In this example you are authorized, by publication, to access the website. You are NOT authorized to put your expert knowledge to the test to see what controls they have in place. Only the contractor that has all the rules in place for their pen testing has that right.