Computer Misuse Act

Stephosticks

Hello,

I am doing my final year University Project and have chosen to do 'vulnerabilities and simulation of web server applications'. The part I am wondering about most right now is the simulation part, which is why I'm asking this question.

Under this act, if I was to make a webpage connected to a server and tested the vulnerabilities from it, would I be liable for prosecution? Also, if I was to host this on a second machine held by me (my own property) and tested it, would I be liable for prosecution?

The only reason I'm asking is, as my tutor said, simulating this practically could very well become illegal, so he suggested to do it in a software based way. So finally if the first two questions would be illegal, how would you go about simulating this in a software based way?

Thanks.

Tl;dr:

Does the Computer Misuse Act apply to a website application you own but on a server, if you are testing the vulnerabilities?

Would it apply if you hosted it off a separate machine you own and tested the vulnerabilities?

How would you go about simulating a web server application in a software based way?
 
Disclaimer: Any advice that you receive over the internet should be taken with a grain of salt when it comes to the law. I can provide my own interpretation of this law, but at the end of the day, it is advised that you seek a second opinion from your instructor or a lawyer. I cannot (and will not) be held liable should you choose to proceed after reading my advice and interpretation of the law. You proceed forward at your own risk, and at your own discretion.

That being said (disclaimer out the way), I believe you should be fine after reading over the law. If you are simulating the event within a controlled environment, where you are interacting only with machines owned by yourself, you are not breaking the law. The law (as per Wikipedia) mentions three infractions...

unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);
unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;
unauthorised modification of computer material, subject to the same sentences as section 2 offences.

In each instance, the word 'unauthorised' is used. By doing this on your own machines, even in a simulation, you are providing yourself authorisation to do so. That being said, you could also set up virtual machines (using VMware, for example) and do the simulations on those.

Thanks!
 
Disclaimer (insert same as Bahawolf here).

I agree with bahawolf to an extent; the unauthorised aspect is definitely stressed. However, I do believe that simply 'owning' a domain name (not technically a website, as the OP referred to it: the website is simply the content that is hosted at the domain, and the domain is what is important) does not grant you the right to attack the server it is hosted on. That server could be (and probably is!) in a virtualised hosting environment, which means any compromise of that hardware could (however unlikely) affect the services of the other guests running on the same host at that time.

Since you do not own that hardware, nor the other guest services I believe you would then be liable under this law. If you want to get really pedantic, then you don't technically own the domain name either - the registrar does (e.g. VeriSign) - you're just renting it for 1/2/3 years.

In summary, I'd strongly recommend building an entire offline server, client and any other infrastructure you require for your project using virtual machines (or physical ones if you have loads of hardware to play with). Aside from this law, doing so makes it considerably easier to configure, validate things function as you expect and monitor what happens when you launch attacks etc. (and reset the machine to the same state using snapshots to retry the method and/or tweak things).

Good luck with your project.
 
It's difficult to talk about the exact nature of security without getting overly cautious. I'll caveat this by saying that this is NOT legal advice.

However, where I work we do resell some server/hosting space, and do both internal security and penetration testing, and have third parties come and verify this.

So here is the deal:

Setting up your OWN website, and running your OWN server, hosted in your OWN home, and launching attacks or exploits on your OWN network (i.e. attacking PC and victim server are on the same local network segment):

This is perfectly fine and legal.

Setting up your OWN website, and running your OWN server, hosted in your OWN home, and launching attacks or exploits from another network (i.e. attacking PC is in Starbucks and victim server is attacked via the internet):
This starts getting a bit dodgy. You are unlikely to be prosecuted, but you could find that an attack you perform uses excessive bandwidth and degrades other households on your local ADSL loop, so whilst you won't be prosecuted, your utility provider (ISP) may not be happy.

Setting up your OWN website, and running your OWN server, hosted in a colo datacenter, and launching attacks:
This suffers the same problem as above. It may be against the terms of your colo, whose bandwidth you're using to do this; also, attacking either from your house or a Starbucks may be against the terms of service.

(If you bought your own ISP connection to your DC presence, then you'd need to check the terms, if they exist at all.)

Setting up your OWN website, and running a shared server, hosted wherever, attacking from anywhere:

You're attacking someone else's property and this is almost certainly not within the law.

If you're attacking your own website on a dedicated server (where you don't own the server, but it's dedicated to you and not shared), it really comes down to the TOS: what is your hosting provider's stance on the matter?

If you're attacking websites that are nothing to do with you, hosted on servers that are nothing to do with you, that's also bad.


Tl;dr:

Does the Computer Misuse Act apply to a website application you own but on a server, if you are testing the vulnerabilities?
> Yes, for sure, if that's a shared server (as you're also testing vulnerabilities against applications that are not yours). For dedicated servers, check the TOS.

Would it apply if you hosted it off a separate machine you own and tested the vulnerabilities?
> The act is likely not to apply; you own the server and application and can authorise your own access to do anything. (Beware disobeying the TOS of middlemen, e.g. load testing your application by organising a DDoS is likely to cause suspension of service from your ISP.)

How would you go about simulating a web server application in a software based way?
Get VMware (or Hyper-V, or VirtualBox).
 