A.1.1. Computer Misuse Act

This act was passed in 1990, largely in response to the eventual acquittal of Robert Schifreen and Steve Gold for hacking offences (which at the time were not adequately defined in British legislation). The law as it stood prior to 2006 was very simple. It comprised the following three offences:

  • Unauthorized access

    You need to be able to prove the suspect knew his access was not authorized. The maximum penalty is six months' imprisonment, a £5000 fine, or both.

  • Unauthorized access with intent to commit or facilitate commission of further offences

    You need to be able to prove the suspect carried out the hacking to further some other criminal intention, such as theft. The penalties are the same as for unauthorized access.

  • Unauthorized modification of computer material

    This is aimed at vandals and those who manufacture worms or computer viruses. It carries a five-year prison sentence and an unlimited fine.

This is all pretty clear. So how does it affect penetration testers? Consider the following possibilities:

  • You are conducting a black-box penetration test that includes an element of computer attack. Due to a miscommunication or an uncertainty about computer ownership, you attack and compromise computers that don't belong to the target. The Computer Misuse Act states that 'the intent need not be directed at any particular computer.' You didn't intend to hack that specific computer, but intent was present and therefore you are guilty of an offence.

  • You break the ...
