Tuesday, October 14, 2014

Through the Bashdoor

Computer hacking is nothing new but as attacks become more common, is our law ready for them?

Computer hacking is not as old as the world itself, but it is surely becoming a common occurrence. The latest incidents involving the Bash bug have again highlighted the fact that, irrespective of all our information security investments, we are still at risk. But whilst the attacks against computer systems change, the law remains constant. Can the law on its own sort out the Bashdoor mess?

Bashdoor, also known as Shellshock, is a security bug in the Unix Bash shell only discovered in September 2014. Unix Bash, which is also adopted in Linux and Mac OS environments, is very commonly used in a myriad of applications such as web servers. The latest bug discovery has exposed such applications to malicious code that can be run through the Bash command line or a script and which, simply put, can open up such applications or systems to unauthorised access and modification through rogue code injection. Millions of computers, tablets, smartphones and other central systems are at risk. Credit card details and whole databases can be stolen.

Once Bashdoor reached the public domain, cybercriminals reacted very quickly, and within hours they were already creating botnets on affected computers in order to launch DDoS attacks from such compromised machines. By the end of September, it was reported that around 1.5 million daily attacks and probes were being tracked through honeypots.

Bash, a free Unix-based command-line shell, has been available since around 1992 and it's incredible how this bug, or coding flaw, remained undiscovered for almost 22 years! Thousands of servers have been compromised in a matter of days. The ease with which Bashdoor can be utilised, and the simple ability to run injected code in various systems and servers, has made Bashdoor far more lethal than the Heartbleed bug, which was reported earlier this year and centred on a flaw in OpenSSL encryption. Unlike Heartbleed, which enabled hackers to spy on machines, Shellshock enables hackers to take over the whole system and modify it at will. It can potentially grant hackers access to every device connected to the internet. Scary indeed.

Various foreign government agencies also reacted quickly and rated Bashdoor as a potentially high threat, also in light of the fact that several critical national infrastructures make use of the Bash software and are therefore exposed to the threat. Software patches to try and minimise the impact of the bug have been released, but some of these patches were incomplete, and it will always be unclear how many systems will not be updated with the latest patches and will remain vulnerable.

The possibilities that the Bashdoor bug opens up for unauthorised access to and modification of computing devices are almost unprecedented. But whilst security companies are scrambling to patch all systems and software, our criminal law is very clear in relation to such activities. In this sense, the Bashdoor threat is not introducing anything novel on the legal front, but the sheer scale of the technical vulnerability should not be underestimated.

The unauthorised access or modification of computing systems, software and data is regulated under Article 337C of our Criminal Code. Introduced in 2001, this Article largely replicates the provisions contained in the Council of Europe Cybercrime Convention which Malta only fully ratified in 2012.

Article 337C is very exhaustive and encapsulates various actions which could lead to the unauthorised access and modification offence. In fact, this Article stipulates that an offence would occur if anyone, without proper authorisation, uses a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or uses, copies or modifies any such data, software or supporting documentation. The same Article also includes the criminalisation of any unauthorised activity aimed at preventing or hindering access to any data, software or supporting documentation as well as the hindering or impairment of the functioning or operation of a computer system, software or data including the actual taking over or making use of any data, software or supporting documentation. The installation, alteration, damage, destruction, variation or addition to any data, software or supporting documentation without prior authorization is also a criminal offence under the same Article 337C of our Criminal Code.

The ‘beauty’ of Article 337C lies in its technological neutrality, in the sense that irrespective of the technology used, including the latest attacks such as Shellshock, the law criminalises the act itself. The way that Shellshock works, that is through remote code injection and execution, is pretty simple and scary. However, our criminal laws already sufficiently cater for such situations, irrespective of how technologically complex (or simple) these attacks are.


The reality, alas, is far more complex than the word of the law, and this particularly applies in the field of information technology. The real challenge lies not in whether criminal laws would apply but in whether the law enforcement agencies have sufficient resources to prosecute the ever-increasing number of cybercrime incidents being reported. In the meantime, you’d better patch up.
