This is the un-edited version of an article sent in by Diana Quaver, which we published earlier in a reduced form. Diana has been closely following this story, which should be of great interest to the on-line community:
I have recently followed the trial of Daniel Cuthbert. This was the gentleman who was accused of “hacking” into the website of the Disasters and Emergency Committee. He was recently found “regretfully” found guilty under section 1 (a) of the Computer Misuse Act 1990. He never even lived in Whitechapel. This was the BBC story a few months ago:
Charge over tsunami ‘hacking’ bid
A man has been charged over an alleged attempt to hack into a website set up to raise funds after the Asian tsunami.
Daniel Cuthbert, 28, of Whitechapel, east London, has been charged with one offence under the Computer Misuse Act.
Scotland Yard said the charge followed an alleged unauthorised access of the Disasters and Emergency Committee site on New Year’s Eve.
Mr Cuthbert is due to appear at Horseferry Magistrates’ Court next Thursday.
The disaster fund has raised an estimated £250m to help victims of the tsunami.
Tens of thousands of people used its web pages to offer money to those caught in the Boxing Day tragedy.
Today, Daniel Cuthbert was found guilty.
Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate £30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.
The first test he used was the (dot dot slash, 3 times) ../../../ sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allows you to move three times. It is not a complete attack as that would require a further command, it was merely a light “knock on the door”. The other test, which constituted an apostrophe( ‘ ) was also used. He was then satisfied that the site was safe as his received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.
20 days later he was arrested at his place of work and had his house searched. In the first part of his interview, he did not readily acknowledge his actions, but in the second half of the interview, he did. He was a little distraught and confused upon arrest, as anyone would be in that situation and did not ask for a solicitor, as he maintained he did nothing wrong. His tests were done in a 2 minute timeframe, then forgotten about.
He was prosecuted under the Computer Misuse Act 1990, which was signed in 1989 when perms were just going out of fashion and mobile phones were like bricks and cost £1000 and we were still using green type on a black background. The word “ Computer” was not even defined as they realised that this area was moving at light speed so they wanted to keep it open. Sadly, it has become open to willy-nilly interpretation and the magistrate decided there was intention to access data as stated in section 1(a), although I may be biased, it is an incorrect interpretation.
Cuthbert was prosecuted under the Computer Misuse Act 1990, and convicted under Section 1 (a) of this Act. The relevant section of the Act is:
Section (1) of the Act states:
(1) A person is guilty of an offence if –
a. he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
b. the access he intends to secure is unauthorised; and
c. he knows at the time when he causes the computer to perform the function that that is the case.
As an expert, if he had true intent (as the judge deemed he did, which is an incorrect analysis) he would have been more than capable of “hacking” and gunning that door down with a digital version of a point-blank range AK47, but he did not. He maybe should not have done the tests that are beyond the knowledge of a regular user and a caution would have sufficed, there was no need for a trial and certainly not 10 months of waiting time. The policeman was smug as he got his browny points and the CPS prosecutor was what one can expect of a CPS prosecutor, patronising, pedantic and uninteresting but sadly successful.
The ../ sequence triggered of the alarm which was set up as “high” for this sort of “attack” at the donate.bt.com website that was set up by the DEC website. This alerted someone that there was something potentially suspicious, this was then passed up to someone who reported it to the police. They found their suspect through the IP address and were able to trace it to his laptop. Well, the Computer Crime Unit (known in the industry as “Muppets”) were very happy they got their man.
Mr Cuthbert was convicted under S. 1 (a) of the Computer Misuse Act 1990. It will be almost impossible for him to work in IT, the security industry being totally based on trust and reputation, as they are all freelancers and rely on contacts. That simply is not right. Justice is not always synonymous with legality.
When someone tells you, “whatever you do, do not press the red button” and you are almost compelled, in just that way, I am feverishly tempted to type in the ../../../ sequence in the Ministry of Defence website, and see what happens. Maybe not.