Legal Aspects of Ice-Pick Testing
Dr. Bruce C. Gabrielson, NCE
Kaman Sciences Corp.
in Association with Naval Research Laboratory
Contract No: M00014-93-C-2033
The ice-Pick package is a window driven program that provides a multi-layered approach to network testing. The automated tool is used to identify frequently exploited security problems present on well known UNIX based operating systems. Information provided by testing is used to determine what protective mechanisms need to be implemented by network administrators.
The paper deals with two issues of primary concern, the user's legal basis for performing vulnerability identification testing, and the consequences of unauthorized use or release of the software itself. It is essential for self protection that the tester understands what he or she can legally do with a tool such as Ice-Pick. The issue of trust can also effect users. Trusting each user to protect Ice-Pick against unauthorized release is essential for absolute control of the technology involved.
The structure of this document allows traceability from top level law through applicable Navy regulation. The most important points are the understanding of what monitoring involves, and knowing what the Ice-Pick test tool can be used for. The use of other penetration type testing tools, such as SATAN, will not be discussed, nor will the regulatory requirements of non-Navy organizations. However, the discussion can be applied to using similar test tools in other organizations.
This paper discusses the legal basis for performing Ice-Pick testing in the Navy, and the consequences of unauthorized use or release of the software itself. It's essential for self protection that the tester understands what he or she can and can't do with the tool. Providing the information background for the tester to evaluate test activities is one means of accomplishing affective conditioning. Therefore, the legal basis supporting testing and accountability when using the tool will be derived first.
Trusting the user is another issue. Although trust of each user against the unauthorized release of Ice-Pick is assumed, its distribution must be absolutely controlled. Therefore, a discussion of the repercussions of improper release, particularly to the user, will enhance the user's awareness of the problem, as well as provide the legal basis for prosecution should the software find its way into the wrong hands.
Background on Ice-Pick
Ice-Pick is an unclassified automated tool that can be used for breaking into networks. The Navy developed it to proactively attack its own networks for SST&E purposes. Ice-Pick does what it is intended to do very well. The Ice-Pick user can only test for vulnerabilities. Private information can not be accessed with the Ice-Pick application running.
Ice-Pick's software incorporates protection mechanisms to ensure only pre-authorized. The software can be directed to only run on one pre-designated machine. However, these controls are directed at software operation. Using the program requires a certain level of technical skills. The skills required are security sensitive in nature in that the individual using the program could basically become an accomplished "hacker".
The problem with the deployment of a proactive test tool is that it is capable of being used both for and against a network. Ice-Pick is simply a tool which has few internal program safeguards, and also needs a certain level of expertise to be used properly. Since it relies on using technologies that could be misused, the tester needs to fully understand both regulation and capability in order to correctly apply tests where they may be legally be used.
General Legal Policy
Two federal laws drive the need for protecting an organization's network and computing resources. The National Computer Security Act requires computer security implementation and training on Government computers in order to provide for information protection. The second law, the Privacy Act, protects private information on individuals. Government organizations should be in full compliance with these and other security and privacy type regulations. In addition, Department of Defense organizations have issued site specific instructions regarding the protection of their sensitive, but unclassified information. Penalties for the unauthorized release of protected information, as well as specific access authorization criteria are well documented.
There is also a personal liability issue. Down time to get an organization's network back on-line, or to simply recover data after a virus attack can be very expensive. Costs can also be high if certain types of data is manipulated to show other than actual information. Therefore, it is important for the tester to understand that unauthorized use of any software for the purpose of manipulating or otherwise destroying data can result in personal legal responsibility for organizational financial loss.
Privacy Act and Federal/Public Law
The top level Federal Statute relating to private information on an individual citizen is covered under the Privacy Act of 1974. This law protects individuals from disclosure of various categories of information, and has significant penalties imposed on violators. A important provision of the Act is shown below:
(b) Conditions of disclosure.--No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be-- (1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties; ....
Network Monitoring and Privacy
How are privacy and network monitoring related? When dealing with a computer tool, several items are considered. For example, will using the tool result in keystroke monitoring or packet detection, or will it allow real-time communications detection. Related to electronic monitoring, privacy rights are found in the Electronic communications Privacy Act of 1986, and are embedded in the US Constitution. The Electronic Communications Privacy Act of 1986 (ECPA) provides additional privacy protection against monitoring. Title I of the ECPA includes electronic communications and protection. Title II on the statute protects stored communications. The Fourth Amendment of the Constitution provides that:
As indicated, compromising one's privacy is a serious issue, requiring both a formal process and probable cause. In other words, legal action is necessary to compromise an individual's privacy.
Accessing Stored Communications
Both real time and stored communications could be considered private. Section 2701 of Title 18 of United States Code makes it a criminal offense to unlawfully access stored communications. It is a violation of this section to intentionally access without authorization a facility through which an electronic communication service is provided; or to intentionally exceed an authorization to access that facility and thereby obtain, alter, or prevent authorized access to a wired or electronic communication while it is in electronic storage in such systems. This is a criminal statute and fines and imprisonment can result.
If an individual has a reasonable expectation of privacy in his or her computer (hardware or software), there must be some legal safeguards put in place before a search and seizure of the computer or communications can take place. It the action is part of a criminal investigation, then a warrant is required. Note that even in situations where government employers or supervisors seek access to an employee's computer (or office, desk, etc.) There must be, in the absence of a warrant, a reasonableness determination and a balancing of the employee's privacy interests that will withstand judicial security. Determining what level of constitutional protection a government employee has in a work-setting depends on the circumstances and whether the employee has a reasonable expectation of privacy.
On the issue of reasonableness, one issue of privacy relates to the practice of network monitoring by individual Government organizations. Neither a warrant nor a reasonableness determination is required where there is no reasonable expectation of privacy, or where the individual has consented to intrusion. Within the Department of Defense, all DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official US Government authorized information only. US Government telecommunications systems and information systems (ISs) are subject to periodic security testing and monitoring without prior notification to ensure proper functioning of equipment and systems including security devices, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Use of any Government network or equipment constitute consent to monitoring.
Monitoring notices indication that there is no right to privacy in the system by any user is advantageous relative to reasonableness. Some Government agencies (such as the Navy) have complete control over their network and include a monitoring notice such as that shown below which appears every time a user logs onto many networks.
Unfortunately, implied consent isn't always accepted by an employee. In addition, not every organization can claim they have the legal right to gain access to an individual's personal files. Since testing may result in access, one of the initial concerns a testing organization has is their legal basis for testing.
Lets examine closely what a penetration test tool really does. Remember that the tool works by actually attacking a network. If the attack is successful, the information can also be used as an initial step in the monitoring process. Public Law 99-474 applies to those who knowingly access a computer without authorization, or to those who exceed their authorization. Additionally, the site users are normally pre-warned, the actual testing of a particular user's machine must be accomplished with sensitivity to both the user and the system manager responsible for the network being tested to avoid any misunderstandings.
There also may be site/organization specific legal issues in accessing sensitive non-classified information which may include private information. However, informed consent of the user (the login banner) minimizes legal issues persented to the system administrator by using tools such as Ice-Pick. An organization should not perform network testing unti it can certify that 100% of the computers to be tested display the proper monitor banner. Additionally, some system administrators choose to use a formal user's agreement which lays out the same type of information contained in the banner, and contains the user's signature acknowledging an understanding of the banner.
In spite of the implied consent provided by the use of login banners, understand that formal computer monitoring is allowed only in very limited situations and only when pre-approved at the appropriate level. For the Department of Defense, Communications Security (COMSEC) monitoring is under the cognizance of the National Security Agency, who then delegates to service cryptological elements.
Use Within DoD
The Computer Security Act established the guidelines and rules for the protection of Government computing assets. Within the Department of Defense (DoD), security rules have been established to protect computer systems which process classified or sensitive but unclassified information. These rules are intended to provide guidance for both manufacturers and for users. Computers that meet the National Computer Security Center's (NCSC's) trusting criteria have integrated safeguards into their operation such that only the users "trusted" to have access to the restricted data can actually gain access.
The rules are described in a series of documents known as the Rainbow Series. Currently there are six levels of Trusted Computer classifications as described in the Orange Book. Requirements for software/hardware security policy, accountability, assurance, and documentation vary depending on the level of security to be achieved.
>From the initial Rainbow Series documents, various DoD organizations established and developed their own programs to implement information security rules.
The Navy's computer security program structure ifollows the guidelines established by DoD 5200.28, plus has incorporated the requirements of newer laws and directives, including the Privacy Act. The Navy's current program is based on the requirements of SECNAVINST 5239.3 dated 14 July 1995. Policy will be further implemented by the OPNAVINST 5239.X currently in draft form. Specific to the type of protection addressed by Ice-Pick testing, the following paragraphs relate directly, with bold type indicating the specific wording:
IS Security Program Implementation
The Information System (IS) Security Program developed by Government organizations is designed to provide end-users with good security practices as well as comply with current Government requirements. This practice establishes good habits within the local community and narrows the possibility of: disclosure of data, equipment loss, and misuse of government resources.
The Navy's IS Security Program is designed to ensure the confidentiality, integrity, and availability of its computing assets. It is driven by a primary need. The need to maintain configuration management controls over equipment that may be susceptible to identified threats.
The potential risks to Navy computers posed by potential threats establishes the basis for controlling the configuration management of all IS which process classified and unclassified but sensitive information. The Navy has chosen to address this control need through the establishment of a Risk Management Program.
The ultimate recognition of the potential hacker/cracker threat resulted in an expansion of the existing risk management program as well as the implementation of a network oriented security system testing & evaluation (SST&E) program.
Navy networks are constantly bombarded by off-site hacker/cracker penetration attempts. In the Navy's network monitor and test role, an active evaluation, test, and continual upgrade of network security protection measures are necessary throughout the IS's life cycle.
Security System Test and Evaluation (SST&E)
The SST&E function is the active auditing part of the Navy's ADP security configuration management procedure. SST&Es gather empirical data on individual systems and are examined by the DAA in the evaluation procedure. This process evaluates the effectiveness of in-place countermeasures against incidents that would effect the networked IS in a negative manner. If the in-place countermeasures are inadequate, the SST&E will uncover this fact so they can then be rectified.
SPAWAR Security Program Compliance
Within the Navy, the Chief of Naval Operations (CNO) has appointed the Director, Space and Electronic Warfare, as the Navy's Senior Information Systems Security Manager (SISSM). Among the SISSM's tasks are maintaining the OPNAVINST 5239.X and its supplements, and maximizing the use of automated security related tools. As the following document describes, Ice-Pick is considered by name as one of these tools.
The local site may also have an audit type monitoring tool requirement imposed on network test activities. This control function would then automatically provide a check on the testers activities as well as protecting the test authorizing organization from access liability. If such an audit tool is required, it is the responsibility of the host organization to provide it to the Ice-Pick tester.
Inappropriate Use of Government Resources
What can happen to a tester if Ice-Pick is used in an unauthorized manner? Accessing, manipulating or otherwise using Government owned or leased equipment in an unauthorized manner, or on Government time, will be considered a misappropriation of public resources. Further, it is contrary to published Navy policy. If routine monitoring by the IS Security organization reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If auditing or monitoring reveals violations of security regulations of unauthorized use, employees who are responsible may be subject to appropriate disciplinary action. The burden of responsibility rests directly on the user's shoulders should a potential legal issue develop later during an actual test.
Predicting what would happen if a new vulnerability test tool was released without controls is difficult. Judging by what has transpired relative to the issuance of security advisories when similar programs were released, at thevery least network attacks could noticeable increase. However, Ice-Pick's first line of defense is its internal program safeguards. The application is limited internally before distribution to pre-coded net masks.
The second line of defense relates to the trust safeguard. Unlike other available test tools, the Ice-Pick program is U.S. Government property and is strictly controlled for Official Government Use Only. Unauthorized use, distribution, reproduction, or possession may be grounds for criminal prosecution including imprisonment. As custodian of the Ice-Pick software, it is the user's responsibility to protect it.
How can user culpability be ensured. Through the use of training. Ice-Pick training covers applicable legal requirements as well as proper procedures and controls for tool application. Such manditory training is also intended to reduce the possibility of accidental misuse as well as instill the importance of maintaining strict control of the software package.
The complete Ice-Pick package is a powerful security tool, useful for the system administrator to identify and fix potential vulnerabilities in Navy networks. If not protected, it could prove to be as useful to an unwanted perpetrator.