Legal Issues: Wireless Hacking & Security Tutorial

14.1 Intro to Legal Issues

Let's talk about wireless issues in relation to law and regulation. This is important because we've been discussing wireless security and wireless penetration testing and hacking, and there are a lot of legal issues that complicate security work on wireless networks. Some of the issues we'll cover over the next few sessions include compliance; reconnaissance activities such as wardriving; illegal access to wireless networks and how that affects you both as a penetration tester and as a security administrator; unauthorized connections to ISPs; data privacy for your customers, your clients, and the people who work in your organization; and transmission power and frequency use, which are regulated by law. We'll also talk about wireless security testing and hacking itself. There are plenty of other wireless legal issues, and we'll touch on some of them during the next few sessions.

What we want to emphasize is that legal issues are complicated. One topic worth discussing is liability: users, the organization, the ISP, and security professionals can all carry liability, and we'll look at how they acquire it. Legal issues can expose any of these entities, users, the ISP, the organization, and even you as a security professional, to civil lawsuits, criminal proceedings, and fines if you do not do what you are supposed to do to take care of the wireless network and to make sure your users are using it the way it was intended. We'll discuss liability together with due care and due diligence. We'll also discuss compliance issues; a compliance problem arises, of course, from not complying with these laws, regulations, and even industry standards.

A lot of different things can happen when you do not comply: criminal proceedings, fines, censure from a particular industry, and so on. We'll discuss these as we go.

A couple of caveats. First, nothing we discuss here is legal advice. You need to go to the proper legal authority within your organization, your corporate lawyer, or your personal lawyer for sound legal advice. These are general discussions we want you to be aware of as a security professional. A lot of it does come from standards, laws, regulations, and the general experience of security practitioners around the world, but for your particular organization or your particular needs, consult a lawyer. Second, we are going to discuss laws, regulations, and standards, but there are so many that we cannot possibly cover every one and how it affects your particular wireless network. We're going to give you a basic list of the ones you are likely to run into day to day as a security professional. There are also laws at the state, local, and national level, and which ones affect you depends on where you are and what your situation is. With those two caveats out of the way, let's jump into laws, regulations, standards, and the legal issues that can affect wireless security.

14.2 Laws and Regulations pt. 1

In this first part of our discussion on wireless laws and regulations, we're going to talk about laws, specifically US laws for now, that cover illegal access. Later we'll also talk about laws that cover a host of other issues. We focus on US laws, but other countries have laws that are very similar; they differ here and there in what exactly is a crime and what is not, and in how hard they are to enforce. And it's not only other countries: laws differ between states in the United States and even between local municipalities.

One problem with these laws is that some are older and address older technologies; they don't adequately cover newer technologies such as wireless. For example, some laws that people are prosecuted under for wireless crimes really cover ISPs and cable companies: if you access someone's wireless network and, through it, their cable modem to get free Internet, you are violating cable theft laws. These laws don't cover wireless per se, but they can be used to prosecute wireless criminal acts.

The laws we'll discuss cover a wide variety of subjects, and we list only a few here; there are many subjects that affect wireless in some small way. I'm talking about wireless hardware and how it's used; transmission frequency regulation and power output; access to providers such as cable companies and ISPs; hacking and unauthorized access, which we'll spend some time on; harassment, which can be carried out over a wireless network and so peripherally touches it; and theft of services, which again refers back to the cable theft laws that have existed for a long time.

Let's talk about laws that cover illegal access. One I'll mention is 18 U.S.C. § 1029, typically known as the access device fraud statute. What it does is criminalize possessing, using, or even producing counterfeit or unauthorized access devices. What does that mean? Using stolen RSA tokens, stolen smart cards, and even stolen passwords is illegal under it. It can also mean using legitimate equipment for illegal access, and because of that it is very specific about the criteria and definitions of these devices, most of which relate to their intended use in the given circumstances. So if you legitimately used a wireless client to connect to a wireless network for security purposes, with permission, that would be fine. But if you used that same wireless client, or a wireless access point with hacking tools on it, to access a wireless network illegally, that could fall under this statute.

Another statute you need to know is 18 U.S.C. § 1030, the Computer Fraud and Abuse Act. If you are a penetration testing professional or an ethical hacker, you need to be familiar with this law. It addresses acts that compromise computer and network security; basically, it's the hacking act. It prohibits unauthorized access to government, financial institution, and selected other computer systems, which the statute calls protected computers. "Selected other computer systems" is a shaky definition: the access it covers includes any computer used in or affecting interstate or foreign commerce or communication. You may be thinking of banking computers and things of that nature, but really that could include the computer in your home that conducts financial transactions with your bank or with a company over the Internet, so it extends that far. Hacking into any of those computers could be a violation of this act.

There are also two parts of the Electronic Communications Privacy Act you need to be aware of. This act protects communications, the transmissions themselves, from unauthorized access. The two parts we need to be concerned with are the Wiretap Act and the Stored Communications Act. The Wiretap Act covers unlawful interception of transmissions while they are in transit; the Stored Communications Act covers accessing data after it has been transmitted, received, and stored. The law is very selective in how it defines "authorized" and "transmission", and that selectivity is what makes interception legal for law enforcement and in certain other circumstances. Outside those circumstances it treats interception as a criminal act, and wireless sniffing and hacking could be a violation of the Electronic Communications Privacy Act.

The last act we'll cover in this part is the Cyber Security Enhancement Act of 2002, which came about to fill gaps in earlier laws that were not adequate in covering hacking, wireless hacking included. One important stipulation is that it allows life imprisonment if certain cyber crimes result in death or serious endangerment. For example, suppose you hacked into a hospital network simply to steal data, but in doing so you interrupted communications with critical systems that provided life-saving medical care to patients. If that act resulted in endangerment of those persons, or in death, you could be sentenced to life in prison. That's what this act did: it gave teeth to some of the other acts and filled in gaps, sharpening the penalty structure for hacking offenses in the United States and how they are prosecuted.

14.3 Laws and Regulations pt. 2

In part two of our discussion on laws and regulations that affect wireless security, we'll talk about a few that specifically cover the federal government.

First, there's a Federal Information Processing Standard, FIPS 140-2. It's an older standard and is being superseded by FIPS 140-3, which provides more up-to-date requirements. FIPS 140-2 is published by the Secretary of Commerce under the auspices of NIST, the National Institute of Standards and Technology, which we've talked about before and will again. It sets security requirements for cryptographic modules, including which algorithms are approved for use inside them. AES, as used by WPA2's CCMP, is an approved algorithm; TKIP, which is built on RC4, is not, so a FIPS-compliant wireless deployment cannot rely on TKIP. FIPS is mandatory for federal agencies, the Department of Defense, the Department of Commerce, the Department of Education, and so forth, so any equipment and standards they use for encryption has to comply with FIPS. For others it's quasi-mandatory. You can't enforce FIPS on organizations outside the federal government, but a contract or another law may specify that a supplier or a standards body such as the Wi-Fi Alliance has to deliver standards and equipment that are FIPS compliant, so by extension the FIPS requirement reaches those outside organizations. If another law requires strong cryptography in equipment builds, it may say you have to comply with FIPS. So I say quasi-mandatory, but in practice it may turn out to be mandatory.

Another regulation that affects the federal government, one of many, is Department of Defense Instruction 8420.01, from 2009. This instruction is mandatory for Department of Defense components only. It covers the use of wireless equipment and technologies in both unclassified and classified DoD environments, and describes the security measures and controls required when using commercial wireless LAN technologies, devices, and systems. Basically, it mandates how DoD will implement wireless networks. While it's mandatory only for DoD, it is a useful guideline for other entities, commercial and private, and even other parts of the federal government, because it contains good information on securing wireless networks built from commercial technology.

Another area of law and regulation we'll talk about is the Federal Communications Commission, or FCC. It would be too lengthy to discuss the many laws the FCC enforces that affect wireless networks, but one important one is the Communications Act of 1934. You're probably thinking, 1934? We didn't even have computers back then. But it governs radio transmissions, and by extension it has been applied to more modern technologies such as GPS, personal communication services, cellular, Wi-Fi, and so forth. So it is still relevant even though it's a very old act. It prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and personal communication services, police radar, GPS, and even wireless networking services such as Wi-Fi. The act has been updated several times to include these technologies, and it has been interpreted in legal cases to apply to them.

Let's say, for example, that you're using something like FakeAP to broadcast huge numbers of bogus access points. That could be considered jamming, because you're flooding the airwaves with nonsensical frames that prevent communication. So even doing something like that could technically be a violation of this act, and you have to be careful about it when doing wireless security testing. The act makes particular equipment illegal, meaning it cannot be sold in the United States, and reports of active jamming, or of owning or selling such equipment, are investigated by the FCC's Enforcement Bureau. Be aware of it, and understand that it depends on the particular circumstances involved: just because a piece of equipment is capable of jamming doesn't mean it is necessarily illegal; it depends on how you use it.

Another standard we'll discuss is not a law: the Payment Card Industry Data Security Standard, or PCI DSS, maintained by the PCI Security Standards Council. It addresses the processing of credit and debit cards by merchants and banks. This is a very well enforced standard; the industry is really on top of security because of all the card fraud and misuse over the years. PCI DSS calls out several wireless security controls specifically, so it mentions wireless prominently in its requirements. It also provides for censure of organizations, manufacturers, and merchants if the standards are not met, so if a merchant doesn't play by the PCI rules, they can be censured and may not be allowed to process card payments anymore. There is a lot of regulation in the payment card industry these days, and wireless requirements are in there as well.

So that's part two of our discussion on wireless laws and regulations. We've covered some federal laws and regulations as well as an industry standard, PCI DSS, and we'll continue the discussion in part three.

14.4 Laws and Regulations pt. 3

In the final part of our discussion on wireless laws and regulations, we'll mention a few other laws, standards, and regulations that may cover wireless or networking. Some don't specifically cover wireless or even networking, but they're important for the security professional and the network administrator because they cover issues that may peripherally involve the organization's wireless networks, so you need to be aware that they exist. Some of these laws could determine criminal or civil liability if networks were used to commit a crime or to cause harm to someone, and by harm we don't just mean bodily harm but financial harm, harm to reputation, harm to business, and so forth. If those things can be proven in a civil case, the organization can be sued for damages or shut down. So you want to be careful as an organization. We'll briefly touch on some of these; again, they don't always cover wireless specifically.

The Digital Millennium Copyright Act was enacted to stop piracy. You may wonder what that has to do with wireless networking, but a lot of people, professional pirates as well as home users, use wireless networks to download pirated material or upload it to sharing sites. The act covers copyright, but it affects wireless networks because if your company's network is being used for this, that can make you liable.

The Patriot Act, which most of you are familiar with, adds teeth to some of the other acts we discussed, including the communications acts. It allows the US government to monitor communications, in some cases without a court order, and it requires entities such as ISPs to report suspected violations. That can affect your networks as well, because if someone is doing these things over your company network, it could make you liable.

GLBA and SOX are both financially related acts that concern data privacy and the protection of communications. They don't specifically call out wireless or even wired networks, but they describe the security measures a company has to take to protect its data and to protect the audit trails of data access and use. So they can affect your organization and your networks: you may have to do things to comply with these acts, such as retaining audit trails, even on wireless devices, and auditing wireless access. All of these could be in direct support of these acts.

HIPAA, the regulation covering health information and privacy, can affect wireless networks as well. HIPAA does not cover wireless or wired networks specifically, but its Security Rule specifies controls that must be in place to protect electronic protected health information, so it may force you to impose requirements on your wireless networks that you might not otherwise have.

Although we've talked about DoD regulations such as DoDI 8420.01, there are other regulations that cover how wireless networks connect within DoD networks and even DoD contractor networks, and how they are controlled and secured, so those are regulations you may need to be aware of as well.

Another regulation that affects the federal government is the Privacy Act of 1974, which protects the private information of individuals. Again, it doesn't cover wireless networks as such, but it may impose requirements on your networks in order to protect the data and meet regulatory compliance.

NIST Special Publications aren't requirements in themselves, but an organization may make a NIST standard mandatory. We've already discussed several NIST publications that deal with wireless; they are very good publications, and an organization could make them mandatory throughout the organization.

Wi-Fi Alliance standards are again not legal requirements, but to play in the Wi-Fi Alliance arena you have to comply with them. You have to create compliant equipment and use compliant protocols and services, and failure to do so may mean your equipment is not certified by the Wi-Fi Alliance.

FCC regulations: we already discussed one, the Communications Act of 1934, which covers jamming. There are plenty of others that touch on wireless, and they cover primarily transmission and reception, that is, hardware and power output, not protocols.

There are also European laws that we didn't discuss that are just as relevant to wireless security as United States laws are. Some are enforced differently, may have different requirements, and may consider some acts a crime that others do not. For example, in the United Kingdom the Computer Misuse Act 1990 (section 3A) makes it an offence to make, supply, or obtain tools intending them to be used to commit a computer misuse offence, so possessing certain devices there carries legal risk that it may not elsewhere.

There are also state and local laws in the United States that may not conflict with other laws but may tighten them further; these may be laws that cover access to cable services or Internet service provider services, for example. There have been cases of people being charged with theft of cable services for connecting to wireless networks without authorization and getting supposedly free Internet out of them. So as a security professional, be aware of all these laws and regulations and how they affect your environment and your wireless network.

14.5 Liability

To end our discussion on wireless laws and regulations, let's discuss liability in relation to wireless networks. Liability means that an individual, an organization, or any other entity is legally responsible for damage. Liability can attach to any individual or organization that does not comply with security laws, regulations, or standards, especially if they had a duty or requirement to do so, and whose actions or inaction, directly or indirectly, amount to negligence that is deemed responsible for crimes or harm to others. Again, harm means not only bodily harm but financial harm, harm to reputation, and so forth. If this happens through their networks or systems, they could be considered liable in a court of law. The bottom line is that wireless networks are a liability risk. That doesn't mean you don't have them; it means you control them and secure them.

Let me give you a few examples of what could be considered liability, depending on the circumstances. Say a home wireless network is not secured, and that allows a perpetrator to use it to get free Internet access or to get into the cable company's network, whether it's Charter, Comcast, or any of the dozens of other Internet service providers. They get free Internet access, and let's say they also use that access to hack into another network. When the FBI or whoever tracks down where the attack originated, they may come knocking on your door, and you could be held liable because you didn't take steps to secure your wireless network. You might say, well, I don't legally have to. But if you look at the agreement between you and your Internet service provider, there may be a paragraph somewhere that says you should, or that you have to, and that you will be held liable for any damage caused if you don't. That's one example, probably a far-reaching one, but it has happened.

Here's another. A corporate wireless network is not secured very well, and that allows a hacker to get into the network and steal data, or worse, leapfrog from it to attack another network. The corporation could be liable because (a) it had a duty to protect data, especially personal, confidential, or sensitive data, and (b) it had a duty to secure the network, and its network was used to attack another one. So it really depends on the circumstances and how the court looks at it.

One more example, again possibly far-reaching, but possible. A security professional certifies that a wireless network is secure, and later that same network is used to hack into another one, or to steal or destroy data. That security professional could be held liable, maybe in civil court, maybe in criminal court, for failure to perform their duty to secure that wireless network, especially if they were contracted to do so. The contract may even specify that they can be held liable if their work did not meet the standard of securing the network such that things like this wouldn't happen. So they could be sued for that.

Granted, these may be far-reaching examples, but variations of them have actually happened. A lot depends on many factors: the nature of the event, how it happened, who was involved, and so forth. Duty, due care, and due diligence are three factors that definitely affect liability, and we'll discuss them in a moment. Intent and the obligations of the entities involved matter too. Intent is a factor because if a person does something accidentally on the wireless network, it may not be considered a crime. The obligations of the entities involved might include reporting an incident, to self-report or to report to law enforcement, or protecting the data that was stolen or the network that was infiltrated. So obligation comes into play, and we'll return to it when we talk about duty. The point is that there are many other factors, very specific to the circumstances, that may determine liability.

Let's talk about the three key factors: duty, due care, and due diligence. A duty is the legal or professional obligation an entity has to perform certain acts or to take certain measures. A company that handles personal data has a legal duty to protect that data, for example, and it also has a duty to protect other networks it connects to.

Due care is often confused with due diligence, and the terms are sometimes used interchangeably, but they are not the same. Due care is the degree of care expected from a reasonable person under the circumstances. You would expect a company exercising due care to encrypt personal data, to implement access controls to protect that data, and so forth, because a reasonable person would do that. That can be difficult to prove in a court of law, but it has been proven before.

Due diligence relates to both of the definitions we just discussed. Due diligence is the responsibility to act in accordance with the requirements of an issue or risk, carefully, thoroughly, and on a timely basis. If a company is not diligent and allows personal data to be stolen, or allows its wireless network to be used to hack another network, then it is not performing due diligence and can be considered liable, because it has a responsibility to act in accordance with the requirements, the requirements of securing a wireless network, or the requirements of the law. So where due care is what you expect a reasonable person to do, due diligence is the responsibility for actually doing it. Both contribute to liability for an individual or an organization, and as a security professional you need to be aware of these things and cognizant of what can happen when liability is at stake.
