Computer Misuse Act 1990
The Computer Misuse Act 1990 is an Act of the Parliament of the United Kingdom, introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063 (see below). Critics of the bill complained that it was introduced hastily and was poorly thought out. Intention, they said, was often difficult to prove, and the bill inadequately differentiated "joyriding" hackers like Gold and Schifreen from serious computer criminals. The Act has nonetheless become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws, as it is seen "as a robust and flexible piece of legislation in terms of dealing with cybercrime".
The Act introduced three criminal offences:
1. Unauthorized access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);
2. Unauthorized access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;
3. Unauthorized modification of computer material, subject to the same sentences as section 2 offences.
Note: the 1990 Act itself contains nothing to make DoS attacks illegal. DDoS via a botnet is illegal, because you have unauthorized access to the machines in the botnet. Ensure you have written permission to attack systems and ensure you do not go out of scope (follow redirects?).
Data Protection Act 1998
The Data Protection Act controls how personal information is used by organizations, businesses or the government.
Everyone who is responsible for using data has to follow strict rules called 'data protection principles'. They must make sure the information is:
1. Used fairly and lawfully
2. Used for limited, specifically stated purposes
3. Used in a way that is adequate, relevant and not excessive
4. Accurate
5. Kept for no longer than is absolutely necessary
6. Handled according to people's data protection rights
7. Kept safe and secure
8. Not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
1. Political opinions
2. Religious beliefs
3. Health
4. Sexual health
5. Criminal records
Human Rights Act 1998
The Human Rights Act 1998 is an Act of Parliament of the United Kingdom, which received Royal Assent on 9 November 1998 and mostly came into force on 2 October 2000. Its aim is to "give further effect" in UK law to the rights contained in the Convention for the Protection of Human Rights and Fundamental Freedoms, more commonly known as the European Convention on Human Rights. The Act makes available in UK courts a remedy for breach of a Convention right, without the need to go to the European Court of Human Rights in Strasbourg.
Article 8: Right to respect for private and family life.
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Police and Justice Act 2006
The Police and Justice Act 2006 is an Act of the Parliament of the United Kingdom. As at August 2007 many of the provisions are not yet in force. The majority of the Act extends only to England and Wales.
1. Sections 35-38: http://www.legislation.gov.uk/ukpga/2006/48/part/5/crossheading/computer-misuse
2. Increased the penalties under the Computer Misuse Act (makes unauthorized computer access serious enough to fall under extradition).
3. Made it illegal to perform DoS attacks.
4. Made it illegal to supply and own hacking tools.
5. Be careful about how you release information about exploits!
"The current Home Office line appears to be a balance of probabilities argument, that a court decide whether it is more likely than not each individual instance of the article will be used to commit an offence, i.e. the offence is only committed if it will be used criminally more than legally." (openrightsgroup.org)
Most hacking tools are normal tools used in a slightly different manner. It is possible to fully compromise a machine using a standard web browser with SQL injection etc. You probably don't want to write a proof of concept exploit that deletes the whole file system rather than just loading calc.
References:
· http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990
· https://www.gov.uk/data-protection/the-data-protection-act
· http://en.wikipedia.org/wiki/Human_Rights_Act_1998
· http://www.justice.gov.uk/downloads/human-rights/human-rights-making-sense-human-rights.pdf
· http://en.wikipedia.org/wiki/Police_and_Justice_Act_2006
· http://rewtdance.blogspot.co.uk/2012/04/relevant-penetration-testing.html
· http://www.legislation.gov.uk/ukpga/1998/42/schedule/1/part/I/chapter/7