Legal Issue in Cyber Security

I’m deliberately changing the details to protect the guilty, but I’m nearly certain the essence of the situation is legally the same as what I describe below.

Suppose a cyber security professional (CSP) obtained the username and password credentials of a bad guy (BG) who had poor operational security. The BG didn’t intend to reveal the credentials, but the CSP has them and knows the BG is in the process of obtaining credentials via deceptive means from the organization the CSP works for.

The CSP, by using the credentials of the BG, can rapidly mitigate damage done by the deceptively obtained corporate credentials.

While everyone on the CSP’s team sees this as morally justified, one team member (WB) throws a wet blanket on the CSP’s plan to use the BG’s credentials to get information the BG intended to keep private and use for ill-gotten gains. WB claims that, legally, the BG credentials have been “stolen” and, should the CSP use them to surreptitiously access the BG’s data, the CSP would be committing a crime.

I’m almost certain this is a crime, if not in the U.S. then in some other countries which may or may not be involved. And, if the CSP were to do this, I’m almost certain it would never be prosecuted. But committing felonies you think you are going to get away with doesn’t seem like a particularly good item to put on your resume or even admit to others.

What do you guys think of this?


11 thoughts on “Legal Issue in Cyber Security”

  1. Doctrine of Competing Harms.

    It’s generally unlawful to shoot another human being. But if that human being is causing or you reasonably fear they are immediately about to cause a worse harm, it’s permitted to shoot him to prevent that worse harm.

    While it’s generally illegal to steal login credentials and then use them to access a computer system you don’t have permission to access, the Doctrine of Competing Harms says that you can commit the lesser offense to prevent the greater offense.

    • This reminds me of a home invader shot by a homeowner who’s had a beer. Yes, handling a firearm while under the influence, but the greater good…

  2. Before the doctrine of competing harms, you had better be able to substantiate the claim that the action taken is against an actual bad guy.

    You’ll need to get your ducks lined up before taking that kind of action.

    Attribution is hard, and I have no bona fides in that arena – except that it’s been stated any number of times by any number of people that it’s a difficult task.

    Assuming that you have ironclad info that you’ve passed by a lawyer, I suppose you could proceed, but interventions like that, like strike back efforts, are risky.


    • In this case, the BG would likely never know his system had been compromised. He would only know that the credentials he deceptively obtained stopped working minutes after he obtained them.

  3. I think that the key question is “credentials to what?” If it’s creds to your systems or systems you have permission to work on, it’s fine. Otherwise you are probably in technical violation of USC 1030.

    I have a friend who was an FBI informant who got put in jail when his 0-day exploit test compromised an Air Force computer, even though he wrote a report about it for them and was truly working with them to warn them of the scope of the issue. It’s a little different because he was compromising normal systems and not a bad guy, and also because he was someone who the FBI wanted leverage on to try to push him to do more stuff for them, but he was doing work for the “good guys” and still got zapped.

    If you like, I could put you in contact with a friend who knows how they handled this at Mandiant and CrowdStrike.

    • They are credentials to a system the BG has legal expectations of being private to him. The CSP would not be able to get access in the normal course of business.

      Thank you, but a Mandiant representative was in on the discussion.

  4. Disregarding the technical side for a moment, prudence dictates the need to engage, deeply, heavily and in excruciating detail, with extremely high level legal authorities on both sides of the issue well prior to Any. Other. Step.

    This is not “run it by the lawyers.” There is a very, very, very small oasis of legal wizardry where members competently have a foot in both legal and technical fields with both feet firmly planted on bedrock. “100% competence in law, 90% competence in tech” is not the correct answer unless one wishes detailed and prolonged engagement with groups of federal employees. None of whom, by the way, seem much above the “75% law / 50% tech” ratio, and that especially includes the electable, appointed and black robe sets.

    You may know precisely and accurately of what you speak and of exactly what transpired, with accompanying highly detailed documentation, but you will not put yourself in deep jeopardy. They will, because they will not understand it and are unable to relate and conjoin the two disparate but overlapping fields of endeavor.

    Run, Forrest, run, run away fast. RFN. This stuff ain’t white hat in Vegas type stuff, it’s real serious life. You can be as right as rain and as pure as the newly fallen snow all the way to the dock at Devil’s Island.

    • Almost sounds like they were setting up someone on the CSP team to be a fall guy for something. A very dicey legal area to tread if a person doesn’t absolutely have to.

  5. The arena of cybersecurity and the law is still evolving. One would best consult with an attorney knowledgeable about such things before getting involved. As the criminals in power love to point out… ignorance of the law is no excuse… except for them.

  6. The harm of the compromised corporate credentials can be mitigated without using the black hat’s credentials. I’m assuming the only benefit would be determining the exact set of corporate credentials that need to be changed, rather than forcing an update of the complete set.

    But the information retrieved this way isn’t a trusted source–what if additional credentials had been compromised but isolated from your discovery? Then you’re worse off. You’re also worse off if the black hat has actually constructed a honeypot to observe and even exploit your attempts at mitigation.
