
Pen Testing to be made illegal in the EU

  • 30-03-2012 12:27am
    #1
    Closed Accounts Posts: 3,981 ✭✭✭


    http://www.europarl.europa.eu/news/nl/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence
    Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.

    The proposal, which would update existing EU legislation on cyber attacks, was approved by 50 votes in favour, 1 against and 3 abstentions.



    REF. : 20120326IPR41843

    One step forward, seven hundred steps back.

    LoLth: please don't quote full articles or the SS will scoop out your eyes while you sleep and replace them with lumps of coal. Users who wish to read the full article, please click on the link provided at the start of the post. Yes, I know it's sh.itty but better safe than Sherloc...ehhh I mean sorry...


Comments

  • Registered Users Posts: 7,606 ✭✭✭Jumpy


    Not sure how Pen testing is being made illegal.

    Ethical via agreement still seems ok. It's criminals they are targeting.

    The tools might be an issue. But it states those used for an offense.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Jumpy wrote: »
    Not sure how Pen testing is being made illegal.

    Ethical via agreement still seems ok. It's criminals they are targeting.

    The tools might be an issue. But it states those used for an offense.

    This doesn't worry you?
    The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    The contract of employment detailing the scope and scale as well as the rules of engagement for the pentest should cover the pen-tester (i.e. it's not hacking if you have the system owner's permission).

    However, yes, the bit on tools of the trade is concerning. Ireland was considering legislation on "dual use" tools last year, no idea how that turned out, but essentially distributing or selling JtR would be considered illegal, as would writing your own brute force password guesser (production).

    Perhaps what's needed is a regulatory body for pentesters in Ireland. If you want to pentest in Ireland you have to be accredited (like chartered accountants or auditors) and you have to follow a code of ethics as well as display a level of competency in one of several fields (network, Windows, Unix, webapp pentesting). In return you get a license that allows you to buy/produce/store/use dual use tools under specific circumstances, e.g. while under contract you can nmap a client's servers but not the hosting network if there are other clients in the same subnet.

    The UK has CREST. I think we should have something similar (nominal licensing fee; the idea would be to regulate pentesters and their claims, not gouge until it becomes an elitist occupation where only a company can afford to pay the professional fees).

    Then the possession/use of dual use tools could be used as an additional charge to discourage criminal hacking. "No, I can't prove you hacked the bank, but the exploit was launched from your IP address (yes, I know) at this time when you were here in the office, and you have the exploit code on your PC in the folder created by you, signed by you, and what's this? A credit card payment receipt from Bob who bought the software from you. You're nicked, mate, and I've no idea why I just suddenly joined Scotland Yard thirty years ago......"


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Out of curiosity, why can't the OP quote the full piece? It's a press release posted on behalf of a public body.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    dahamsta wrote: »
    Out of curiosity, why can't the OP quote the full piece? It's a press release posted on behalf of a public body.

    While it may well be a public service announcement from a public website, I'm not going to check the source of every article that gets posted, so, for the foreseeable future at least, maximum 1 paragraph copy/pasta. Users can go read the full article themselves if they are interested.

    At least this way, if all articles are treated the same, it'll avoid unintended offence when one post gets edited by accident because it links to a public document that isn't obviously a public release or, easier again, it links to an article where the poster is the copyright holder in real life but we have no way of knowing and/or verifying.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    LoLth wrote: »
    While it may well be a public service announcement from a public website, I'm not going to check the source of every article that gets posted, so, for the foreseeable future at least, maximum 1 paragraph copy/pasta. Users can go read the full article themselves if they are interested.

    At least this way, if all articles are treated the same, it'll avoid unintended offence when one post gets edited by accident because it links to a public document that isn't obviously a public release or, easier again, it links to an article where the poster is the copyright holder in real life but we have no way of knowing and/or verifying.

    I quoted the full piece initially to allow readers on mobile phones to be able to read it. I didn't realize it wasn't allowed. Apologies.


  • Registered Users Posts: 28 Martel


    My understanding is that this is covered under Amendment 22:
    Member States shall take the necessary measures to ensure that the production, sale, procurement for use, import, distribution or otherwise making available of the following is punishable as a criminal offence when committed intentionally and without right for the clear purpose of committing any of the offences referred to in Articles 3 to 6:


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    [-0-] wrote: »
    I quoted the full piece initially to allow readers on mobile phones to be able to read it. I didn't realize it wasn't allowed. Apologies.

    No worries at all, and ordinarily I'd be fine with it. However, in these dark days we are being extra, extra careful until we have a clearer idea of what ramification Mr. Sherlock's wonderfully worded actually means for boards.ie


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    [-0-] wrote: »
    This doesn't worry you?

    Tbh, that does worry me a bit. When I first got interested in Pen Testing (admittedly I was about 15), the de facto tool was Core Impact, and it was priced at about 10k per copy to stop it from getting into the hands of petty criminals. That was the excuse used anyway.

    One would have thought petty criminals would have found it rather easy to get their hands on 10k.

    I worry for a time when downloading metasploit might get me in trouble with the law. Particularly if my intent is to hack my own systems or to use them on a client's system with their prior consent. I also worry about Pen testing becoming the purview of solely the big companies, Ernst and Young, PricewaterhouseCoopers etc., preventing one-man organisations from getting into or continuing work in the field.

    I also worry about who will be deciding what tool is "illegal" and what isn't. From a Python shell I can manipulate packets, scan for open ports, inject SQL, and send shellcode. Could Python be considered a hacking tool? Yes. Could Python become illegal? I bloody well hope not.

    They say a little knowledge is a dangerous thing and they are right. All you need for SQLi, XSS and CSRF attacks is a web browser. All you need for a DoS attack is lots of upload bandwidth. All you need to build a botnet is a knowledge of IRC protocols. All you need to break into someone's house is a sledgehammer.

    Are sledgehammers illegal?

