Security Research Questions

Viewing 5 reply threads
  • Author
    Posts
    • #6972
      Anonymous
      Participant

      Hi all,

      I wanted to see if someone could shed any light on this subject. How does one do security research without breaking any laws. How do you know that what you are doing may or may not be breaking your local law.

    • #43342
      cd1zz
      Participant

      To be safe, just make sure you’re not doing things on systems or networks you don’t own. Keep it all in house in labs and you’ll be fine. The laws vary depending on where you live.

    • #43343
      MaXe
      Participant

      If you live in the United Kingdom (UK), and a few other countries in Europe, there’s actually a few more laws that applies. In some countries it is e.g., forbidden to write viruses and trojans, even if you’re just researching, and in others it is forbidden to write “hacking tools”, and even have them installed! (Which is kind of a joke as telnet preinstalled in pretty much every OS, can be used for many types of hacking, including but not limited to simple buffer overflows and web application security. The time spent using this program would of course be insane compared to using more adequate and efficient alternatives of course.)  😉

      @cd1zz wrote:

      To be safe, just make sure you’re not doing things on systems or networks you don’t own. Keep it all in house in labs and you’ll be fine. The laws vary depending on where you live.

      Exactly what I would say and recommend  🙂

      References:
      http://tech.blorge.com/Structure:%20/2008/01/03/new-uk-hacking-laws-make-hacking-tools-illegal/
      http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/

    • #43344
      White ghost
      Participant

      same as MaXe

      you must know what are you doing!!!!!!!!!!!!!!!!!!!!!!!!!

    • #43345
      eth3real
      Participant

      This is a great question.

      I agree with cd1zz and MaXe, never test on networks other than your own, and for your own safety, it’s good to stick to virtual machines, or machines that are setup specifically for your research (you don’t want to unintentionally leak any personal data).

      Some recently pointed out De-ICE images to me, they’re Linux LiveCD images with particular scenarios already setup for you to test your skills. I haven’t been able to give them a shot, yet, but they seem promising. I know there are also websites that provide testing environments for web vulnerabilities.

    • #43346
      Triban
      Participant

      The De-ICE images are pretty cool.  They start “easy” and become much more difficult. 

      Jamie are you looking more for finding 0 day type stuff?  For instance… you are surfing say… Target’s website, and you find a flaw in the site that could allow for leaking of PII or the ability to perform an SQLi or XSS exploit.  You want to notify them but you do not want to be brought up on charges for breaching the site and stealing any information.  You looking for something like that? 

      Otherwise, yes the best method is the lab environment.  If you want to research malware, the lab also applies.  Getting live samples can be a bit of a chore but there are sites out there.  I would advise putting on the invisibility cloak when hunting for them.

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?