Be clear on access rights, warns hacker case expert

IT managers have been urged to make "crystal clear" what access is
allowed on company systems, in the wake of the trial of a teenage
hacker who posted thousands of credit card details on the InternetNeil
Barrett, technical director at Information Risk Management, who was an
expert witness for the prosecution, said IT managers should be
"crystal clear" on what access is allowed on their systems and what
constitutes unauthorised access.
"The main crux of Gray's defence was that the Web sites had not made
clear that access to those areas was unauthorised," he explained.
Under the 1990 Computer Misuse Act - the main form of legal protection
against computer crime in the UK - "unauthorised access" refers to a
hacker bypassing a user name and password screen. However, on most of
the servers attacked by Gray he saw no passwords and used no hacking
tools. Essentially, he relied on the failure of the companies to
remove default scripts before going live.

Be clear on access rights, warns hacker case expert
by Daniel Thomas.

Last Friday, 19-year-old Raphael Gray, who pleaded guilty to 10
charges of computer fraud, was sentenced to three years' probation and
put on a course of psychiatric treatment by Swansea Crown Court. He
had been charged with illegally obtaining 23,000 credit card numbers
and obtaining services by deception.
The self-styled "saint of e-commerce" posted thousands of credit card
numbers on the Web, a move he said was an attempt to highlight the
dangers of Internet shopping and to force companies to improve their
online security. His actions led to £4m in fraudulent credit card
charges and caused two companies to close down.
Barrett said the Act as it stands is inadequate and called for a
"dramatic reconstruction" of computer crime legislation in the UK.

SNP.