inside the man

Tuesday, October 11, 2005

IT security: dangerous professionals or dangerous legislation?

The Register ran a story today regarding the conviction of Daniel Cuthbert, a respected IT security expert, under the UK Computer Misuse Act for attempting to break into a tsunami relief donation site in order to determine whether it was a phishing scam. Cuthbert was found guilty even though he did not gain access, and the judge accepted that his motives were not malicious. What is interesting about the Register's story is that it provides a little - and only a little - more detail about what exactly Cuthbert did to try to "test" the site in question.

"On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories. After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action. In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions."

The story mentions "two tests" but only describes one: a fairly trivial directory traversal attempt. Any web server that normalises request paths treats ".." segments above the document root as a no-op, which is consistent with BT's witness saying the request would have had no effect on its server. What was the other test, I wonder?
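As an added example (not from the original post or from the Register story), here is what a "../../../" request does against a naive file resolver versus one that checks containment in the document root, followed by an IDS-style scan of web-server access logs for traversal attempts. The document root, request paths and log lines are constructed for the illustration and say nothing about the site or IDS in the case.

```python
"""Added example (not from the original post or from the Register
story): what a "../../../" request does against a naive file resolver
versus one that checks containment in the document root, plus an
IDS-style scan of web-server access logs for traversal attempts.

The document root, request paths and log lines are constructed for
this illustration and do not describe the site or IDS in the case.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

DOCROOT = "/var/www/donations"  # constructed example document root


def naive_resolve(docroot: str, request_path: str) -> str:
    """Vulnerable: map the request path onto the docroot with no
    containment check. The filesystem honours '..', so three of them
    climb out of the docroot (the "move up three directories" in the
    story)."""
    decoded = unquote(request_path).lstrip("/")
    return posixpath.normpath(posixpath.join(docroot, decoded))


def safe_resolve(docroot: str, request_path: str) -> Optional[str]:
    """Hardened: same mapping, then refuse anything that did not land
    inside the docroot. A request that climbs out and back in
    ('/../donations/x') still lands inside and is allowed. On a real
    filesystem, also resolve symlinks (os.path.realpath) before the
    prefix check."""
    candidate = naive_resolve(docroot, request_path)
    root = docroot.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Matches a '..' path segment; also catches the backslash form.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal(log_lines: List[str]) -> List[str]:
    """IDS-style check over Common Log Format lines: pull out the request
    path, decode it twice (so the %2e and the double-encoded %252e forms
    are both caught) and return the raw paths containing a '..' segment."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        if TRAVERSAL_RE.search(unquote(unquote(raw))):
            hits.append(raw)
    return hits


# Constructed access-log lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2005:10:00:01 +0000] "GET /donate/thanks.html HTTP/1.1" 404 512',
    '203.0.113.5 - - [01/Jan/2005:10:00:40 +0000] "GET /../../../ HTTP/1.1" 400 226',
    '203.0.113.5 - - [01/Jan/2005:10:01:15 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/ HTTP/1.1" 400 226',
    '203.0.113.5 - - [01/Jan/2005:10:01:50 +0000] "GET /%252e%252e/%252e%252e/admin HTTP/1.1" 404 226',
    '198.51.100.7 - - [01/Jan/2005:10:02:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 8120',
]

if __name__ == "__main__":
    probe = "/../../../etc/passwd"
    print("naive:", naive_resolve(DOCROOT, probe))  # /etc/passwd
    print("safe: ", safe_resolve(DOCROOT, probe))   # None
    for path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path)
```

The only difference between the two resolvers is the containment check after normalisation; that check is the defence, and the log scan is the detection. Note that browsers normally remove dot-segments from a URL before sending it (RFC 3986 resolution), so a literal "/../" in a server log more often comes from a tool or a hand-crafted request than from something typed into an address bar.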



About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.
