Hak5 Forums


Fallen Archangel

How do I do this legally? (Demonstration)

So I'm a student in IT Security, and I live in a really small town. I know most of the members of the local police department. The town is really small, so the police department usually has about eight people working at a time, and the building is about the size of an average convenience store or two. Unofficially, they are wanting me to give a demonstration of a few things related to hacking and monitoring, stuff that might help them in their line of work, including the WiFi Pineapple Mk5.

I already have a bunch of stuff prepared, but I'm wanting to know where I stand on the legalities of this. Like I said, the entire thing is unofficial, and I could probably launch a couple hundred attacks on their network and no one would care. But just to be safe, I'm not going to be doing that.

I plan on bringing my own network equipment and pretty much setting up a fake network to demonstrate on. But one thing they do want me to do is get the password of their WiFi connection. I've already made two videos showing different ways to do this, but it was on my own network. They are wanting to see me do it live.

What do I need to do in order to not have this come back and possibly haunt me later?

Like I said, they know I'm doing it, and I've been given verbal permission, but I'm just wanting to be safe here. Any advice? Thanks.

cooper   

Establish context, or provide your own. In other words, hack your own gear or get a signed statement from them authorizing you to do what you want to do to a specific (!) machine on their network. If it's plural, ensure the signed statement says so. Verify that the person signing has the authority to sign it. To the tune of "If I kill this machine, and I will, and someone decides to investigate it, the person who signs this waiver gets to explain this to someone with a very high pay check."

The best is to just make your own. If they have a procedure for setting up a machine, try to follow that procedure to the letter on your own target machine. Most things, but specifically hacking, which you do to your own devices is legal in any civilised society (and the US :lol:).

For the wifi thing, get a written statement authorizing you to do so and be VERY SPECIFIC. Also, make sure that whatever you do stops right there. You can say "I can now query your network for machines there". You CANNOT query the network for machines there without another signed waiver saying so. Be very aware of what you can and cannot do. Remember: if shit hits the fan over this and they want to pile it on you, that waiver is your stay-out-of-jail-free card. Treat it as such. Meaning get it up front and store it somewhere safe for a while.

digip   

I would bring in an extra router, and NOT touch their stuff. Ever. Even with permission. Use an extra router or two along with the Pineapple, and virtual machines for the rest on whatever laptop you have that can support it, or lug in a desktop for showing them a pentest lab.


**WAIVER**

I am not a lawyer and cannot give legal advice. Anything I type is just my opinion.

----------------------------------------------------------------------------------------------------------------------

I have looked at laws concerning consent, both federal and local, after reading this blog:

http://www.securitycurrent.com/en/analysis/ac_analysis/legal-issues-in-penetration-testing

I have decided that you have to have a lawyer look at a contract, which you pay a legal writer to write up, before doing any of this. Consent from many people must be obtained if this is to be done without the consent of the entity (the PD).


I was going to start a similar topic about law and waivers/contracts. I'm debating getting a lawyer to help write up these documents.

I know state law differs a bunch but if I get a lawyer what federal laws should I make sure he covers and what potential loopholes are there?

I know this isn't legal advice 101, just want a foolproof contract and waiver at least federally to cover my ass legally if I piss some client off.

cooper   

It's the lawyer's job to make sure all laws are sufficiently covered and inform you of what loopholes, if any, there are.

So this isn't a question any of us can answer (don't believe there are any lawyers here) but you can use it as a guiding question to see which lawyer is worth your money.

Rkiver   

> Yeah, it's odd calling up and asking if they cover wireless or hacking law.

Don't call it hacking laws. Call it Penetration Testing, it's amazing the difference that just changing it to that can make.

cooper   

It's easy enough to explain: A pentester is someone who gets paid to try to break into systems to test their security.

The problem with calling it "hacking" is that it has an air of illegality to it, no matter how undeserved. To the business world, a pentester is someone you hire and a hacker is someone you jail. Don't be surprised if in legalese these same definitions apply.

Rkiver   

> The question is how many lawyers would know what pen testing is vs the common term hacking, though.

If the lawyer is not aware of the differences, I would say find a different lawyer.

Yes you could explain the difference, but if you want to make sure you are not running afoul of any laws, dealing with a lawyer who is familiar with the laws would be a good idea.

vailixi   

Find a lawyer who needs d0xxing or skiptracing type work done. It's easy work. Make friends and trade services and get the legal paperwork and consultation you need. Have a really specific contract that lays out the scope of the test and what machines are in bounds.

First piece of advice. Stay off the radar.

Don't let anyone know when you will do the penetration test. Just do the hack and report your findings. Destroy any and all forensic evidence that ties you to the action. If they decide you did something illegal they will have a hard time making it stick without ANY forensic evidence.

Use a junker refurbished computer. Use the wifi to get on the network, or log in from somewhere public where there are no cameras around and laptops are pretty commonplace, like a coffee shop.

If a person were concerned about legal issues, be a ninja. Treat it like a real hack.

i8igmac   

You could purchase identical hardware. What kind of wireless router is being used...

Install the same software on your identical hardware. You can spend weeks messing around...

digip   

> Find a lawyer who needs d0xxing or skiptracing type work done. It's easy work. Make friends and trade services and get the legal paperwork and consultation you need. Have a really specific contract that lays out the scope of the test and what machines are in bounds.
>
> First piece of advice. Stay off the radar.
>
> Don't let anyone know when you will do the penetration test. Just do the hack and report your findings. Destroy any and all forensic evidence that ties you to the action. If they decide you did something illegal they will have a hard time making it stick without ANY forensic evidence.
>
> Use a junker refurbished computer. Use the wifi to get on the network, or log in from somewhere public where there are no cameras around and laptops are pretty commonplace, like a coffee shop.
>
> If a person were concerned about legal issues, be a ninja. Treat it like a real hack.

I think hacking the police and then presenting it is offering yourself up on a platter. To quote the movie Hackers, that's just "universally stupid". Contracted services with permission, or don't bother. You'd be setting yourself up for failure no matter how good your intentions.

vailixi   

> I think hacking the police and then presenting it is offering yourself up on a platter. To quote the movie Hackers, that's just "universally stupid". Contracted services with permission, or don't bother. You'd be setting yourself up for failure no matter how good your intentions.

I tend to agree. I just wasn't going to say it. I don't want to shoot down anyone's dreams. :cool: kek

Urieal   

> So I'm a student in IT Security, and I live in a really small town. I know most of the members of the local police department. The town is really small, so the police department usually has about eight people working at a time, and the building is about the size of an average convenience store or two. Unofficially, they are wanting me to give a demonstration of a few things related to hacking and monitoring, stuff that might help them in their line of work, including the WiFi Pineapple Mk5.
>
> I already have a bunch of stuff prepared, but I'm wanting to know where I stand on the legalities of this. Like I said, the entire thing is unofficial, and I could probably launch a couple hundred attacks on their network and no one would care. But just to be safe, I'm not going to be doing that.
>
> I plan on bringing my own network equipment and pretty much setting up a fake network to demonstrate on. But one thing they do want me to do is get the password of their WiFi connection. I've already made two videos showing different ways to do this, but it was on my own network. They are wanting to see me do it live.
>
> What do I need to do in order to not have this come back and possibly haunt me later?
>
> Like I said, they know I'm doing it, and I've been given verbal permission, but I'm just wanting to be safe here. Any advice? Thanks.

Let's look at what you've written a little more closely...

In your opening statement to this forum you have used words like "Unofficially", "Unofficial", "Hundreds of Attacks", "Their Network".

"Verbal Permission".

You want advice? Well, I'm about to give you some.

Just say no.

First of all, if you actually knew what you were doing you wouldn't be asking us for advice on how to proceed legally. You'd know that as part of the initial scoping call and pre-engagement meeting, where it's defined what exactly you're going to be doing, you'd also have obtained what's commonly referred to as a "Get Out of Jail Free" card. This "card" is signed paperwork that has a clearly defined scope, context, and signing officers, and that prevents you from being held liable or responsible for any "issues" that may occur, so long as what you were doing was within the "scope" as "defined" in the "pre-engagement" and "scoping" meetings.

Secondly, in an environment such as law enforcement it's highly unorthodox for them to seek out "non-professional" assistance from someone who is still "learning". In fact, the only thing more expensive than hiring an expert is an amateur. If you're suggesting that we provide assistance, support, direction, or advice on how to perform a penetration test / show & tell, I'd encourage you to stop dead in your tracks, put your best foot forward, and pursue no more.

Third: there is far more to "Training & Information" than just the Pineapple. Any half breed, potato head knows that wireless vs wired should be separated. If you think exposing them to what the Pineapple can do is enough, then you're not really doing them any justice. If they really want to know what's "out there", there are things like BlackHat. Now that will be an eye opener!

If you're still hellbent on not following my advice, or that of anyone else who's trying to steer you in the clear, then keep in mind that the biggest fear for law enforcement is data breach. So technologies like drop-boxes, rogue access points, detection and suppression, SIEM / USMs, hardware key loggers both wired and wireless, and layer 3 switches with DAI engaged are things you'd want to talk about.

My point in all of this is that your limited knowledge of the entire "threat landscape" is not going to serve them any justice. When we talk wireless, are they using 802.1X RADIUS or WPA2-Personal? Is it two stage, is it voucher based, do they already have detection systems in place? I mean, the list really does go on and on and on...

In the end, you do what you feel is right. But my advice, as someone who does this for a living...

If you have to ask how to do it "legally", you don't do it, period.
