WebApp Sec mailing list archives
RE: Off topic: what is sensitive information on a website?
From: Michael Silk <michaelsilk () gmail com>
Date: Sat, 29 Jan 2005 11:44:02 +1100
My opinion would be if you think you are doing something wrong, then it probably are. I.e. consider the Irishman named "O'reilly", if he types that in as his username, and causes an error code, is he performing an illegal act? No. But say you do it, "with intent" to causing an error, which would then provide you with more information which you intend to use to break into the system, then yes - you are performing an illegal act. Anyway, what answer are you looking for here? The best person to ask here is a lawyer (even if you think they don't know what they are talking about), because if you get into trouble, they will be the ones representing you :) -- Michael
-----Original Message----- From: Dave Ryan [mailto:dave () mongers org] Sent: Friday, 28 January 2005 11:25 PM To: webappsec () securityfocus com Subject: Off topic: what is sensitive information on a website? Hi list, This is possibly off topic, but I figured that the technical experts in the field were better positioned to offer a helpful answer/opinion to my questions. In the course of accessing a website (which, for our purposes, we will consider as "the platforms necessary to deliver the services provide") what constitutes legal and illegal access to information? 1. Is an authentication and authorisation procedure required to grant access to what $SITEX deems sensitive? What is the minimum requirement for distinguishing between public/sensitive information? At what point must a user be notified about this? 2. Must information be classified? Must users of the site, regardless of whether they are authorised to access sensitive information be notified that certain information is stored on the site and authorisation must be granted prior to accessing? (again, this relates to 1) 3. In the absence of an authentication/authorisation procedure, what constitutes as protection for the information? For example if I attempt to inject SQL into a database to return data, but this data has not been marked sensitive (i.e. the site security policy is not communicated to the user) am I committing a crime? I suppose other laws come into play at this point (DPA). But if am unaware as to the nature of the data, is the site in olation by not affording the information adequate protection? (At this point I suppose I should report this to the DP Commissioner, but what is my legal position?). 4. What if I attempt to validate the controls in place, i.e. I do not attempt to exploit a weakness but I do check for the existence of one (e.g. I test for error codes;). In this instance, have I committed a crime by putting the system into a state where it generates an error code (assume the system has not been damaged/modified/etc due to this activity). Many real word analogies to this one (e.g. checking a door to see if it is locked), etc. I suppose the underlying question is: What is misuse and must I be informed of what constitutes misuse on each website I visit? As a reference, I offer section Section 1 of the Computer Misuse Act, 1990 (c. 18) [UK] states: Unauthorised Access to Computer Material 1. - (1) A person is guilty of an offence if - (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case (2) The intent a person has to have to commit an offence under this section need not be directed at - (a) any particular program or data; (b) a program or data of any partciular kind; or (c) a program or data held in any particular computer Thanks in advance for your opinions (or pointers to the obvious answers I may have missed). Kind Regards, Dave. -- http://dave.mongers.org
Current thread:
- Off topic: what is sensitive information on a website? Dave Ryan (Jan 28)
- Re: Off topic: what is sensitive information on a website? Griffiths, Ian (Jan 28)
- Re: Off topic: what is sensitive information on a website? Martin Mačok (Jan 28)
- Re: Off topic: what is sensitive information on a website? focus (Jan 28)
- <Possible follow-ups>
- RE: Off topic: what is sensitive information on a website? Michael Silk (Jan 28)