Thursday, March 10, 2011

++ UKUncut breach Computer Misuse Act? ++

Oh dear, UKUncut look to have gone over the edge. They've just put out a press release about how they've "hijacked" a Vodafone website and have been boasting on Twitter too about how they were "leaked" the passwords.

I just spoke to the person on their press release phone number and asked them how they were going to deal with the possibility that they had just admitted to committing a crime under the Computer Misuse Act, in terms of unauthorised access to systems, and could be facing many years in prison.

The response was priceless. "Errrrr ok....errrr...... I'll have to get back to you".

Example hijacking:

Update: UKUncut are now claiming they have a master password.
The question is how will Vodafone respond?

Update II: Statement from Vodafone
We’ve seen a couple of posts on World of Difference winners’ blogs relating to allegations of tax avoidance. Given these are incorrect, they have been removed.

World of Difference winners are doing great things for charities up and down the country. It’s very sad to see how low people will go to further spread misinformation and for the charitable programme to be used as a platform for this kind of protest.

And some more on The Register.

Update III: There seem to be quite a few people missing the point and misunderstanding what is and what is not authorised access to a system. These people seem to be under the illusion that because someone who legitimately had a password gave someone else that password, that makes the access authorised. However, that only works if the person with the password in the first place is the owner of the system and not a user.

In this case they were not. This was a case of a user being given access to a system and that user then giving someone else access to the system without the owner's authorisation. Had UKUncut not acted upon it then it would be a different matter, but they did act upon it and used credentials gained without authority to access a system that they were not given authority to access.

That is unauthorised access. Whether anyone prosecutes is a different matter.

Update IV (9.30PM): Vodafone have now updated their statement, presumably as a result of the Guardian saying "Vodafone" + "hacked" in the same sentence and the concern that people might think anything more than a basic website was in some way compromised - they did after all lose loads of equipment due to walk-in theft the other week. The statement now has the addition:

Following an investigation, and contrary to some online media reports, we can confirm that there was no hack of our World of Difference web site today. The posts which appeared on two World of Difference winners’ blogs, were published as a result of an individual sharing log in details with a protest group, not as a result of a hack.

There was no risk to World of Difference winners, or Vodafone customers’ personal data at any time.

This confirms that the credentials did have permissions to edit more than just one area of the site (odd security model), and that an individual disclosed these details in order to provide access to others who were not authorised to access the site.
