Wednesday, July 08, 2009

Eircom hacking shows flaws in Irish computer crime law

Today's Irish Times has a report of an apparent denial of service attack against Eircom:
Many of Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack.

This involves a target site being saturated with messages and requests to the point it can no longer function properly.
I've said it before but it's worth repeating: Irish law does not adequately deal with computer crime at the moment (with denial of service attacks being one of many areas left without adequate sanctions) and legislation to implement the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is now long overdue.

Here's an excerpt from a chapter I wrote in Reich (ed.), Cybercrime and Security discussing the uncertain Irish law on denial of service attacks:
Whether or not such an attack would amount to an offence under Irish law will vary depending on the precise structure of the attack.

For example, suppose that A sets out to harm B by sending several million emails to B’s server. The effect is not only to use up B’s bandwidth but also to use his disk capacity. In this case, it might be possible to charge A with criminal damage under section 2 of the Criminal Damage Act 1991, on the basis that A has damaged B’s data within the meaning of section 1 by adding to it without lawful excuse.

This result is supported by the English decision in DPP v. Lennon. In that case the defendant was a 16-year-old who took umbrage at the circumstances of his dismissal and sent five million emails to his former employer with the expressed intention of “causing a bit of a mess up”. He was charged with unauthorised modification to a computer system with intent to impair the operation of the computer, contrary to section 3(1) of the Computer Misuse Act 1990 (the equivalent provision to section 2 of the Criminal Damage Act 1991). His defence was that the company had implicitly consented to receiving emails and as such he had not made unauthorised modifications. Although the trial judge accepted this argument, on appeal the Divisional Court held that any implied consent did not extend to emails sent for the purpose of disrupting the system. Per Jack J.:
“I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system.”
However, if the facts of a denial of service attack are varied slightly then criminal damage may no longer be an appropriate charge. Suppose for example that C sets out to hinder access to D’s publicly available website, and does so by programming several computers to repeatedly download large pages from the site. The result is to use up D’s bandwidth and ensure that other users cannot get through to the site, though the server itself continues to function. What crime, if any, has been committed?

In this case C would not have damaged D’s data (assuming that C downloaded data only and did not make any modifications to the data on the server). It might be argued that C has committed criminal damage to the server itself given the extended definition of “damage” under section 1, which includes situations where a person “whether temporarily or otherwise, render[s] inoperable or unfit for use or prevent[s] or impair[s] the operation of” property.

Such a charge would, however, present some difficulties. It might be successful if the effect of a denial of service attack was to cause the server to crash – that temporary inoperability would certainly seem to constitute damage within the meaning of section 1. In the hypothetical above, however, C has not rendered the server inoperable but merely inaccessible – which would seem to fall outside the scope of the criminal damage offence.

On the other hand, using the reasoning in DPP v. Lennon it might be possible to characterise the attack as unauthorised access contrary to section 5 of the Criminal Damage Act 1991. The argument could be made that while public websites carry with them an implied permission to access the site, this permission does not (to use the words of Jack J.) cover visits which are for “the purpose of interrupting the proper operation and use of [the] system”, so that such a visit would constitute operation of the server with intent to access data without lawful excuse.

8 comments:

  1. aside: I don't think it's credible that a DOS can cause porn ads to appear in place of popular websites. My theory is that an attacker is using a high volume of messages to pollute the Eircom nameservers' cache somehow, so that other users will resolve the wrong addresses and be effectively redirected to his sites.

  2. SOEDI - TJ.

    Deficiencies in this area of the Irish Criminal Law will be problematic.

    R.

  3. It wasn't a DoS attack. The DNS servers were poisoned.

    I'm amazed that Eircom will not acknowledge what actually happened... instead they pass it off as a distributed attack, trying to make out that they could have done nothing about it.

  4. I stand corrected. Next task - thinking about whether DNS cache attacks would be punishable under existing law.

  5. Anonymous, 14 July 2009

    The problem with attacks of this nature is the source is impossible to prove in most cases. Typically they involve hundreds of thousands of computers infected by malware, which are under the control of one or more bright people in far away places who know how to cover their tracks. Immune to Irish law.

    If it is an attack on eircom's nameservers, the simple solution is to specify the opendns.org name servers (208.67.222.222 / 208.67.220.220) in one's internet connection properties.

    If the IP number you are assigned by eircom is itself being DDoSed, re-boot the DSL modem and you will be assigned a new IP number.

    The average home computer is probably crawling with malware because the application software on it is not being patched for security vulnerabilities. A good place to check one's PC for vulnerable (out of date) software is www.secunia.dk. Follow the "scan your pc" link. (This will not remove viruses already present on your system - it will help prevent you acquiring new ones).

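The advice in this comment to switch to independent resolvers, together with the cache-poisoning theory in comments 1 and 3, points to a simple check a subscriber can run: resolve a well-known name through the ISP resolver and through independent resolvers and flag any disagreement. The script below is an added example, not code from the original post or from any commenter. It assumes a placeholder ISP resolver address (192.0.2.53, an RFC 5737 documentation address to be replaced with your own), uses the two OpenDNS addresses quoted in the comment, verifies the transaction id of every response (the basic check a resolver applies against forged answers), and includes a constructed sample response so the parsing can be exercised without network access.

```python
import secrets
import socket
import struct

# Constructed resolver list (assumption, not from the post): "isp" is an RFC 5737
# documentation address standing in for your ISP's resolver; the two OpenDNS
# addresses are the ones quoted in the comment above.
RESOLVERS = {
    "isp": "192.0.2.53",
    "opendns-1": "208.67.222.222",
    "opendns-2": "208.67.220.220",
}


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Return the sorted A-record addresses from a DNS response.

    A response whose transaction id does not match the outstanding query is
    rejected: that is the check a resolver applies against forged answers,
    and the one a cache-poisoning attempt has to get past.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: response discarded")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query(resolver: str, name: str, timeout: float = 2.0) -> list:
    """Send one UDP query to a resolver and parse the A records it returns."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_outliers(answers: dict, reference: str) -> list:
    """Resolvers whose answer set differs from the reference resolver's.

    Large sites legitimately hand out different addresses to different
    resolvers (load balancing, geographic routing), so a difference is a
    prompt to check who owns the addresses, not proof of poisoning.
    """
    ref = set(answers[reference])
    return sorted(r for r, a in answers.items() if r != reference and set(a) != ref)


def build_sample_response(name: str, txid: int, addrs: list) -> bytes:
    """Construct a response packet for offline testing (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = build_query(name, txid)[12:]  # echo the question section
    for addr in addrs:  # owner name is a pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + body


if __name__ == "__main__":
    name = "www.example.com"
    results = {}
    for label, ip in RESOLVERS.items():
        try:
            results[label] = query(ip, name)
        except (OSError, ValueError) as exc:
            results[label] = [f"error: {exc}"]
        print(f"{label:10s} {results[label]}")
    print("differ from opendns-1:", find_outliers(results, "opendns-1"))
```

Run it for a handful of popular names; a resolver that consistently returns addresses no other resolver returns, for sites that are not normally geo-balanced, is the symptom the commenters describe, and the right response is to stop using that resolver until its operator has investigated, not to trust the addresses it hands out.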
  6. Anonymous, 14 July 2009

    The law isn't the problem here; if the offenders are in Fiji or North Korea it's not going to help. Eircom need to spend money on their network security design. Judging by their lack of investment elsewhere I can only imagine the state of the top end systems.

  7. BT had the same problem (DNS cache poisoning) some two weeks before eircom witnessed it.
    BT patched their systems very quickly limiting any outages down to a couple of hours.

    Eircom did not.

    Cutbacks?

  8. The majority of internet users don't seem to be aware what a DNS server does, or that they themselves can actually change them.

    Recently I was looking into DNS servers. I found a program called 'NameBench' which compares different DNS servers and tells you the details of the better server(s) that you can use.

    You can download 'NameBench' from here: http://code.google.com/p/namebench

    Going back to the topic in question, it's ironic that Eircom are pleading poverty. Yet their ADSL pricing is much higher than its competitors'. Oh, I forgot... Eircom are in excess of 3 billion in debt ;-p
