
THE GREY HAT HACKER: RECONCILING CYBERSPACE REALITY AND THE LAW

Cassandra Kirsch*

“Borders and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each passing day, the need for a collective approach—for true collaboration and timely information sharing—becomes more pressing.”
Robert Mueller, Director of the Federal Bureau of Investigation (2012)

I. INTRODUCTION

From the Sony Media “data breach war” with LulzSec to the hacktivist breaches of the Arab Spring, media and security experts have dubbed 2011 “The Year of the Hack.”1 During the year, hacking and data breaches flooded the headlines: at least “58 highly-publicized hacking attacks occurred in 2011 with victim organizations around the world ranging from law enforcement agencies, Fortune 500 companies, and governments to defense agencies and military contractors.”2 Prior to 2011, few people knew about the Guy Fawkes mask-wearing hacker group “Anonymous”3 or even fathomed hackers being able to topple entire corporate and government computer networks. Despite much of the media attributing the incidents to “Anonymous,” 2011 revealed vast diversity and motivations among numerous hacking subgroups, including LulzSec and AntiSec.4 In light of these breaches and a burgeoning cyber crime industry, the Federal Bureau of Investigation (“FBI”) has invested considerable resources over the last few years in its Cyber Division in an attempt to address today’s increasingly sophisticated and evolving cyber threats.5 Once a tertiary priority for the FBI, cyber crime stands to overtake terrorism in rank.6 Nonetheless, rather than subside, hacking incidents continue to increase in number and scope.7 The 2013 Target breach affected nearly a third of the U.S. population,8 and the FBI warns that attacks similar to the Target breach “will continue to grow in the near term” despite its efforts.9 FBI officials admit the agency is losing the “War on Hackers”:10 it is no longer a question of who will be hacked, but when.11 Due to the low entry costs into the cyber crime market,12 the number of computers involved in transnational commerce, and the shortage of available law enforcement,13 cyber crime has become a growth industry.14 Effectively combating cyber crime requires existing laws and the roles of federal and local officials to evolve. In building the nation’s collective capabilities to fight the cyber threat, we “need to look at alternative architectures that are more secure... that allow critical infrastructure owners and operators to better spot threat actors and to provide information to law enforcement to track and to catch them.”15 Given the complexities of investigating and regulating cyber crime, law enforcement and the legislature should take note from some progressive corporate vendors and consider an unlikely ally in the hacker community: the grey hat hacker.

To the general public, “hacker” is a term synonymous with a member of the cyber criminal underground, but not all hacking is created equal. Indeed, the purpose, techniques, and intent of hackers differ greatly within the international hacking community. From political hacktivists, to the hacker posting software security flaws on a public forum, to the PayPal hackers selling personal information on the black market, people hack for a number of reasons. Within these various subgroups of hacking, hackers largely fall into three “shades” of hats recognized by the security industry: white hat, black hat, and grey hat.16 White hats are members of the security industry hired specifically to find security flaws, whereas black hats break into systems for no other reason than to commit a crime of some sort or to profit.17 Somewhere in between the two extremes is the grey hat hacker, operating on the fringe of civil and criminal liability to report security vulnerabilities.18 Although largely absent from the 21st century mainstream hacker narrative, grey hat hacking has been around since at least the mid-1990s.19 Collectively, “grey hats” form a sort of neighborhood watch in cyberspace, contributing an essential element of self-governance and consumer protection.20 Enlisting the assistance of technologically-savvy individuals who are disproportionately exposed to risk may influence the safety of the Internet in ways that other legal solutions, primarily criminalizing certain behavior, cannot.21 Corporate vendors such as Google and PayPal have already begun tapping into this security resource by incentivizing reports of security flaws through their bug bounty programs.22 However, this sub-group of the hacking community operates, regardless of participation in bug bounty programs, under exceedingly low thresholds for both criminal and civil liability.23

The intersection between grey hat hacking activities and legal realities resurfaced in 2012 with the controversial and heavily publicized verdict of United States v. Auernheimer.24 Andrew “Weev” Auernheimer and Daniel Spitler, members of the “grey hat” group Goatse Security, published on the Gawker website a vulnerability affecting over 100,000 iPad customers on AT&T’s website.25 The vulnerability would leak e-mail addresses to anyone who typed an ICC-ID (the serial number of the iPad’s SIM card) into the browser’s address bar.26 In other words, any customer could access his or her account data by going to an AT&T URL containing the iPad’s unique numerical identifier: no password, cookie, or login procedure was required to bring up a user’s private information. Nonetheless, the two were charged under the Computer Fraud and Abuse Act (“CFAA”) for “unauthorized access,” and a guilty verdict was returned.27 The verdict has been heavily criticized by security professionals: it disincentivizes cyber security researchers from finding security flaws, which in turn makes the rest of us less safe on the Internet and frustrates the efforts of corporate bug bounty programs.28

This paper focuses not only on the current state of the law regarding grey hat hacking, but also on what a legal regime that recognizes grey hat hacking as a legitimate part of the security industry could and should be. Part I examines the history and motivations within the grey hat hacking community. Part II discusses the legal implications of recent interpretations of the CFAA on the grey hat hacking community, and Part III looks at recent corporate endeavors to incorporate grey hat hacks into their security regime and whether doing so provides a feasible alternative to the status quo. Part IV looks ahead and proposes a Congressional response to resolve the inconsistencies between cyber space realities and jurisprudence by updating the language of the CFAA and creating a safe harbor provision for the grey hat community. Through establishing proper incentives and safe harbors for the grey hat hacker, private and public entities can take better advantage of the wealth of untapped talent and initiative behind much of the technological progress on the Internet.

* J.D., University of Denver Sturm College of Law (2013); B.A., The University of Texas (2008). The author would like to extend special thanks to Professor John T. Soma, the Executive Director of the Unive

4. See Chloe Albanesius, Did Anonymous Hack Sony’s PlayStation Network or Not?, PC MAG. (May 4, 2011, 5:15 PM), http://www.pcmag.com/article2/0,2817,2384919,00.asp; Agence France-Presse, Hacker group AntiSec declares ‘war’ on U.S. police, THE RAW STORY (Aug. 6, 2011, 6:15 PM), http://www.rawstory.com/rs/2011/08/06/hacker-group-antisec-declares-war-on-u-s-police/; Hao Li, Sony hacked again, LulzSec claims, INT’L BUS. TIMES (Jun. 2, 2011, 4:26 PM), http://www.ibtimes.com/sony-hacked-again-lulzsec-claims-287969; Kevin McCaney, AntiSec hackers expose data from 74 sheriff’s offices, GCN (Aug. 8, 2011), http://gcn.com/articles/2011/08/08/antisec-hack-74-sheriffs-data.aspx; Jason Schreier, Sony Hack Probe Uncovers ‘Anonymous’ Calling Card, WIRED (May 4, 2011, 2:08 PM), http://www.wired.com/gamelife/2011/05/sony-playstation-network-anonymous/. During 2011, media organizations were quick to label any hack as an attack by Anonymous. For example, the now infamous hack of the PlayStation Network was first attributed to Anonymous, but was really organized by LulzSec. Compare Schreier, supra note 4, with Albanesius, supra note 4, and Li, supra note 4. AntiSec, similarly, has been called a “wing” of Anonymous, although it has taken on its own hierarchy and separate hacking exploits. See McCaney, supra note 4; Ryan Gallagher, Anonymous splinter group AntiSec wages war on ‘profiteering gluttons,’ THE GUARDIAN (Feb. 27, 2012, 6:00 PM), http://www.theguardian.com/technology/2012/feb/27/anonymous-splinter-groupantisec-waging-war.

5. See Ian Freedman, National Cyber Security: FBI unveils Next Generation Cyber Initiative, EXAMINER (Nov. 2, 2012), http://www.examiner.com/article/national-cyber-security-fbi-unveilsnext-generation-cyber-initiative.

6. See FBI Director: Cybercrime will eclipse terrorism, CNN MONEY (Mar. 2, 2012, 7:55 AM), http://money.cnn.com/2012/03/02/technology/fbi_cybersecurity/index.htm (statement of FBI Director Robert Mueller) (“Terrorism does remain the FBI’s top priority, but in the not too-distant future we anticipate that the cyberthreat will pose the greatest threat to our country.”).

7. See HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles, HP NEWS (Oct. 8, 2012), http://www8.hp.com/us/en/hp-news/press-release.html?id=1303754#.UMp1cqwzSxY. The 2012 Cost of Cyber Crime Study by Hewlett-Packard “revealed a 42 percent increase in the number of cyberattacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.” Id.

8. Elizabeth A. Harris & Nicole Perlroth, For Target, the Breach Numbers Grow, N.Y. TIMES (Jan. 10, 2014), http://www.nytimes.com/2014/01/11/business/target-breach-affected-70-millioncustomers.html?hpw&rref=business&_r=1. Over eight years, hackers allegedly targeted 15 financial institutions, including JPMorgan Chase & Co., Citigroup Inc., and E-Trade, as part of a nearly two-year-long scheme to hack into customer accounts online to steal at least $15 million and 160 million credit and debit card numbers; see Daniel Beekman, Hackers hit companies like Nasdaq, 7-Eleven for $300 million, prosecutors say, N.Y. DAILY NEWS (July 26, 2013, 12:41 PM), http://www.nydailynews.com/news/national/russians-ukrainian-charged-largest-hacking-spree-u-shistory-article-1.1408948; see also Dave Paresh, Chase, Citigroup among banks reportedly hacked in $15-million heist, L.A. TIMES (June 13, 2013), http://articles.latimes.com/2013/jun/13/business/la-fi-mo-banks-allegedly-hacked-in-cyberheist-20130613; World’s Biggest Data Breaches, INFO. IS BEAUTIFUL, http://www.informationisbeautiful.net/visualizations/worlds-biggestdata-breaches-hacks/ (last updated Dec. 31, 2013). In 2013, over 70 million U.S. customers were affected by the Target breach and another 38 million in the Adobe hack. See Adobe Breach Impacted At Least 38 Million Users, KREBS ON SECURITY, http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/ (last updated Oct. 29, 2013, 9:26 PM); Harris & Perlroth, supra note 8.

9. Anjli Raval, FBI warns retailer of more cyber attacks, FIN. TIMES (Jan. 24, 2014, 12:14 AM), http://www.ft.com/intl/cms/s/0/e52517f8-8480-11e3-b72e-00144feab7de.html#axzz2xrKor42x. The Recent Cyber Intrusion Events Directed Toward Retail Firms report confirms that 20 hacking cases in 2013 involved the same kind of malicious software used against Target Corp. See Jim Finkle & Mark Hosenball, Exclusive: FBI warns retailers to expect more credit card breaches, REUTERS (Jan. 24, 2014, 12:53 AM), http://uk.reuters.com/article/2014/01/24/us-target-databreach-fbiidUKBREA0M1UF20140124. The report details the risks posed by “memory-parsing” malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles. Id.

10. Devlin Barrett, U.S. Outgunned in Hacker War, WALL ST. J. (Mar. 28, 2012, 10:31 AM), http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html.

11. Robert S. Mueller, III, Dir., Fed. Bureau of Investigation, Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies, Address at the 2012 RSA Cyber Security Conference (Mar. 1, 2012), available at http://www.fbi.gov/news/speeches/combating-threats-inthe-cyber-world-outsmarting-terrorists-hackers-and-spies.

12. See Anthony Wing Kosner, Target Breach Of 70 Million Customers’ Data Used Bargain Basement Malware, FORBES (Jan. 15, 2014, 11:44 PM), http://www.forbes.com/sites/anthonykosner/2014/01/15/blackpos-malware-used-in-target-attack-on-70-million-customersretails-for-1800/ (noting that the malware used in the Target breach, BlackPOS, is available on underground cyber crime forums for as low as $1,800).

13. Mueller, supra note 11.

14. See Tony Bradley, Cybercrime: A Recession-Proof Growth Industry, PC WORLD (Feb. 5, 2011, 8:44 PM), http://www.pcworld.com/article/218850/cybercrime_a_recession_proof_growth_industry.html.

15. Mueller, supra note 11.

Northern Kentucky Law Review, Vol. 41, No. 3 (2014), at 385–386.
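The flaw described above is the pattern application security now calls an insecure direct object reference: an identifier in the URL stands in for authorization, so whoever can supply a valid identifier gets the record behind it. The following Python is an added illustration, not code from the article, from Goatse Security, or from AT&T's site; the account table, the ICC-IDs, the /account?iccid= path and the log lines are all constructed for the example. It contrasts the unauthenticated lookup with one that requires a session and checks that the requested ICC-ID belongs to the logged-in account, validates the ICC-ID's Luhn check digit (ICC-IDs carry one under ITU-T E.118) before any lookup, and flags clients that walk through many distinct ICC-IDs, the traffic a disclosure of this kind produces when someone enumerates it.

```python
"""Model of the ICC-ID disclosure discussed above (added example; all
accounts, ICC-IDs, paths and log lines are constructed, not AT&T's)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string (ICC-IDs carry one, ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is a valid Luhn check."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right, check digit excluded
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_iccid(n: int) -> str:
    """Constructed 20-digit ICC-ID: hypothetical prefix, 4-digit serial, Luhn digit."""
    base = f"890141030000000{n:04d}"   # 19 digits; prefix is an assumption
    return base + luhn_check_digit(base)


# Constructed account table keyed by ICC-ID.
ACCOUNTS: Dict[str, str] = {
    make_iccid(1): "alice@example.com",
    make_iccid(2): "bob@example.com",
    make_iccid(3): "carol@example.com",
}


def lookup_vulnerable(iccid: str) -> Optional[str]:
    """The pattern the article describes: the identifier in the URL is the
    only thing consulted, so anyone who can guess an ICC-ID gets the e-mail."""
    return ACCOUNTS.get(iccid)


@dataclass(frozen=True)
class Session:
    authenticated: bool
    iccids: frozenset            # ICC-IDs bound to the logged-in account


def lookup_hardened(iccid: str, session: Optional[Session]) -> Optional[str]:
    """Hardened form: syntactic validation, then authentication, then an
    object-level check that the ICC-ID belongs to this session's account."""
    if len(iccid) not in (19, 20) or not luhn_valid(iccid):
        return None                      # malformed or mistyped identifier
    if session is None or not session.authenticated:
        return None                      # no anonymous access at all
    if iccid not in session.iccids:
        return None                      # valid ID, but not this user's device
    return ACCOUNTS.get(iccid)


def flag_enumeration(log_lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Return client IPs that requested `threshold` or more distinct ICC-IDs.
    Constructed log format: '<ip> GET /account?iccid=<iccid> <status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or "iccid=" not in parts[2]:
            continue
        ip, path = parts[0], parts[2]
        seen[ip].add(path.split("iccid=", 1)[1])
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)


# Constructed traffic: one legitimate lookup and one client sweeping serials.
SAMPLE_LOG = [
    f"203.0.113.5 GET /account?iccid={make_iccid(2)} 200",
    f"198.51.100.9 GET /account?iccid={make_iccid(1)} 200",
    f"198.51.100.9 GET /account?iccid={make_iccid(2)} 200",
    f"198.51.100.9 GET /account?iccid={make_iccid(3)} 200",
    f"198.51.100.9 GET /account?iccid={make_iccid(4)} 404",
]

if __name__ == "__main__":
    owner = Session(authenticated=True, iccids=frozenset({make_iccid(1)}))
    print("vulnerable:", lookup_vulnerable(make_iccid(2)))       # bob's address, no login
    print("anonymous :", lookup_hardened(make_iccid(2), None))   # None
    print("other user:", lookup_hardened(make_iccid(2), owner))  # None
    print("own device:", lookup_hardened(make_iccid(1), owner))  # alice@example.com
    print("sweeping  :", flag_enumeration(SAMPLE_LOG))           # ['198.51.100.9']
```

The order of checks in `lookup_hardened` matters: the Luhn test rejects mistyped identifiers without touching the data store, the session check removes anonymous access entirely, and the ownership check is what actually closes the hole, since an authenticated user who can still substitute someone else's ICC-ID has the same disclosure behind a login page. The enumeration detector is deliberately crude (distinct identifiers per client); in practice one would also key on sequential identifiers and the ratio of 404s, but even this simple count separates the sweeping client from the legitimate one in the constructed log.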
