Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Legality of WEP Cracking

from [Matthew Webster] Network Security [Permanent Link]
Subject: Re: Legality of WEP Cracking
Date: Fri, 18 May 2007 15:12:30 -0400 (EDT) 
Richard,

     Your email address is a UK address so I'm assuming you are from the UK.  I 
can only speak to US law on this matter so I apologize if my information is not 
accurate for UK law.  First, there is a good chance they will act belligerently 
and sue you everything you are worth for attempting to crack private data - 
even if you are doing so passively.  People may question your intent.  Second, 
there are at least a couple of different (US) laws which may come into play.  
First, even passively, you are using their access point -- collecting data off 
of it and saving it.  This is far different from just surfing for a legal 
access point to use while sitting in Starbucks.  No data is saved to the system 
and you are not attempting to crack their encryption scheme (however poor WEP 
may be).  While writing policy for laptop use, I came across the following web 
site which I found useful;

http://www.cybercrimelaw.org/category/10/Hacking.html

   It details a few wireless cases and several US laws.  Yes, it does say that 
war driving can get you in jail.  The whole site is filled with good 
information about US cybercrime laws.

    Also, think about this from a PR stance.  How will reporters look at this 
if they find out that a company is "hacking" other systems in order to drum up 
business.  They will not make the fine tuned arguments that you will make and 
it will be negative publicity (which can be a good thing in some cases 
admittedly).

   So, from my limited perspective, legally, ethically, and from a PR stance, I 
would never attempt to do anything like what you suggest.  I would only do what 
I am authorized to do an no more.  That is the prime distinction between a 
pen-tester and a cracker.  I would not delve into the gray areas at all (even 
if there is some legal gray space in your country), but that is me keeping my 
white hat on.

Just me 2 cents...

Matt

-----Original Message-----

From: Richard Brinson <richard@kanoo-uk.com>
Sent: May 18, 2007 5:32 AM
To: pen-test@securityfocus.com
Subject: Legality of WEP Cracking

During an internal business development meeting yesterday we were discussing
new ways of picking up pen testing clients. One of our junior engineers
suggested that we go war driving, crack some WEP keys and then approach each
company offering services to make them more secure. The idea was put down
straight away on the basis that without prior approval we would be breaking
the law. However, upon further discussion a case was made that (moral issues
aside) provided we only captured traffic passively, and as long as we did
not try to connect or send any packets to any devices - would the law be
broken?  

Does the law state anywhere that we can not analyse air traffic that is
broadcast into the public domain? (if so surely we would all be breaking the
law every time we picked up a network other than our own) and is it against
the law to know someone else's WEP key when they have not made that
information available to you?

What are your thoughts on this?

Kind regards,

Richard Brinson
Kanoo Ltd

This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The sender
therefore does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------






------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Sneaking a peek on Wlan in airports, Erin Carroll
Next by Date:  Re: Sneaking a peek on Wlan in airports, Toby Barrick
Previous by Thread:  RE:Legality of WEP cracking, scott
Next by Thread:  Re: Re: Legality of WEP Cracking, cwright
Indexes:  [Date] [Thread] [Top] [All Lists]