Security professionals fear the Crimes Amendment Bill could make their jobs harder.
The bill, currently working its way through the select committee process, now includes clauses relating to the possession of technology for hacking and system interception.
Systems integrator gen-i plans to make a submission to the government opposing limits to the use of monitoring and intrusion detection systems. “The bill means it may be difficult for us to do any kind of investigation, detection and response work,” says security architecture specialist David Hudson.
Gen-i is doing more detection work and running regular scans for companies. “Security is people processes [as well as] design and architecture. No one seems to have thought about the security industry,” Hudson says.
Brett Moore of Auckland-based Software Creations says “intent” may save the day for security firms, but he fears the “good guys” will have to go without, while the “bad guys” have all the tools and information.
The bill’s definitions are “far too wide”, he says. “The point about ‘having a program that can be used to obtain unauthorised access to a system’ means that everybody will need to delete Microsoft Internet Explorer, FrontPage, any ftp program and telnet, as those all can be used for this purpose. Does this mean that everybody is going to be a criminal?” Moore says.
Clause 252, prohibiting the possession or sale of software that could help in hacking, is a further concern. Computer Associates senior technical consultant Srinivasan Vanamali says he carries hacking tools all the time. “How do you prove criminal intent?”
Vanamali says he expects the law will make probing or penetrating networks a criminal act, but says so-called ethical or “white hat” hacking should be fine, if carried out with the client’s consent.
“I think the big hole in this would be a scenario where hackers compromise weak hosts and distribute slave trojans which would conduct a denial of service attack on a target. The Code Red and last year’s [distributed denial of service attacks] on eBay and Amazon.com were conducted by using these slave trojans.”
He says it would be futile for law enforcement to go after people because they did not secure their network and it was used to launch an attack without their knowledge.
Co-Logic director Arjen De Landgraff agrees but warns scanning can be done using an anonymising mechanism, making the “whole law issue around scanning really a farce”.
Who is responsible for security breaches, from the software companies through the security company to even the media reporting security issues, could also become a question under the proposed bill, he says.