Wednesday, 18 April 2007

Wireless hijacking under scrutiny

Wireless hijacking under scrutiny

Following on the heels of the report of the District Health Board insecurely providing access to its network through a wireless port....

Just in case you think there should be a law against it, there is! Accessing other peoples networks seems pretty well covered in New Zealand by Section 249 Accessing computer system for dishonest purpose of the Crimes Act 1961
[Part 10] [Crimes against rights of property] (s [217 to s 305) which shows the forethought of the legislators in describing a computer system by

computer system


(i)a computer; or

(ii)2 or more interconnected computers; or

(iii)any communication links between computers or to remote terminals or another device; or

(iv)2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and

(b)includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.]

The BBC reports a British case in which Gregory Straszkiewicz had "piggybacked" on a wireless broadband network of a local Ealing resident, using a laptop while sitting in his car and was fined £500 and sentenced to 12 months' conditional discharge.

The penalties here in NZ (up to 7 years imprisonment) may discourage wholesale assaults on WiFi networks as a pastime but do not absolve the network owner from taking precautions.

The same report also addresses the issue of responsibility for what was done by the unauthorised user of the network where the network is inadequately protected

"There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn't them that used the network for illegal purposes," said NetSurity's Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

So, if you expose your network deliberately or by negligence to a bad person who manipulates it (perhaps by denial of service attack) so that bad things happen to others , you could carry the can for it legally as well as morally.

Kim Cameron touched on the issue of responsibility for preventing bad people doing things in your name or through your means
There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name .

By what logic was I responsible for it? Because I chose to use WordPress - along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the linux kernel operating underneath my blog; and for potential bugs in MySQL and PHP. Not to mention any improper behavior by those working at my hosting company or ISP.

Clearly this is unlikely to be a black/white issue but a matter of judgement on what the reasonable person could be expected to do in the circumstances.

No comments: