UK Government Set to Make ‘Hacking Tools’ Illegal

January 11, 2008

[ad]

This is sad news, it seems UK is considering following the lead of the Germans and their recently implemented hacking law 202(c) regarding the making of ‘hacking tools‘ illegal.

It’s almost like making baseball bats illegal because you can hit someone with it, doesn’t matter its made for playing sport and that’s what most people use it for..

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

Sounds pretty ominous to me, even distributing said hacking tools can get you in trouble – that’s bad news for people like me that believe in sharing information, knowledge and hard to find tools.

I agree a revamp of the Computer Misuse Act is needed, but please making tools like Nmap illegal to create or distribute is just plain stupid.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.

The Crown Prosecution Service guidance, published after a long delay on Monday, also asks prosecutors to consider if an article is “available on a wide scale commercial basis and sold through legitimate channels”. Critics argue this test fails to factor in the widespread use of open source tools or rapid product innovation.

It’s pretty messy – it could help malicious hackers be prosecuted effectively and gives a bit more ammo to law. But it also means over zealous lawyers could prosecute security consultants for actions they don’t really understand – which is the scary part for me.

I hope it gets distilled into something useful and fair for both sides.

Source: The Register

Buffer

Comments

James says

January 11, 2008 at 7:42 am

How is making hacking tool illegal going to help? Im a white hat and if this law pass (and if I lived in England, I live in Ireland and im sure the twats here will copy the “Initiative”) I wouldn
Pantagruel says

January 11, 2008 at 11:37 am

I guess the only thing we can hope for sanity to kick in, if not adequate counseling and judge/jury who actually can grasp the security concepts. If not we might end up doing time simple because a software tool also can be used for not so nice things. This rather stupid concept can be applied to lots of real world tools (knife/car/screw driver) which can, depending on the (ab)user have multiple results.
It’s even more sick that spreading knowledge (in the form of software distribution) can be deemed punishable, sick.

It just feels damn silly that legislation is being created that limits a programmers creativity or ingenuity simply because the created software has dual usage properties. Guess we’ll shortly be doing a 7x DoD erase of our computers/laptops, I for sure have enough dual usage tools and do not feel compelled to find out if judge/jury might argue their purpose.
Nobody_Holme says

January 11, 2008 at 12:05 pm

this sounds identical to banning sales of anything that can become an “improvised weapon”, unless its through shops and the like… well, i say sale, if the same was true for objects capable of being used in assaults, say i borrow my dad’s woodcutting axe and go cut a tree in my garden down, my dad can get 10 years for passing it over, and theres no way to defend against it in court, bar that i didnt intend to use it to carry out an assault… which i’m sure a good lawyer could make sound like a lie.
my opinion of british MPs just went down EVEN further, and i didnt think that was possible.
Pantagruel says

January 11, 2008 at 12:59 pm

@Nobody_Holme

Completely true. I better get the bbq back that I gave as a present last summer, god forgive if he skewers something else.
Gob smacked by the fact that they where able to sink even further.
Sir Henry says

January 11, 2008 at 2:32 pm

There needs to be more technical people in higher places who can clearly explain how this would affect things for the UK (or Germany, for that matter). Then again, even with technical people in place, it is that same lot of stodgy bastards who still think the kettle is a modern invention. The same goes here in the US. A fat lot of bloated and ego-maniacal bureaucrats who care not for security, not the ramifications of making such a law. They only care about the lobbyist who is lining their pockets.

Now, I would like to think that, given the number of companies in the US who provide services that, under this law, would be considered “hacker services”, the US would never attempt to pass a law of this sort. But, given that it appears ISPs are blatantly ignoring the FCC and simply stating that they are going to start filtering traffic, who knows what will happen. I do know that if something like this goes into effect in the US, the response will likely be nefarious and brutal. The latter, of course, will not help but to illustrate why the law should be in place.

/rant
Green Data says

January 11, 2008 at 3:13 pm

Come on, this is totally insane!!

How can they differentiate between hacking and non hacking tools. I sometimes use nmap to see what open ports are there in my servers. am I hacking myself then? What about McAfee guys, will they put them into jail for selling Founstone appliances? How about sniffers? Yes you can use them to steal people’s passwords, but on the other hand they are a major building block in one of the most important security tools, which is IDS’s
Bogwitch says

January 11, 2008 at 9:34 pm

Quite ironic, since CESG have used virus generation software for demonstration purposes.
Yeah, sure, we all understand dual use but as the software is distributed as a virus generation software, it’s intended use is obvious. Are CESG likely to end up in court?
goodpeople says

January 11, 2008 at 11:01 pm

Everybody with at least half of a braincell can figure out that this is insane.

The English will of course say that this law is not intended to hunt down the security professionals, but that it will give them an extra ammo to bring down the bad guys.
I don’t know exactly how bad it is in Germany (anyone here who can comment on that?) but I believe that merely the posession of a linux CD/DVD makes you punishable. Has this been in court yet?

I hope that the lawmakers of the EU are smarter.
feversmash says

January 12, 2008 at 1:31 am

they might as well make computers illegal to make or distribute. the can have a dual purpose. you can use them for good or bad. cellphones too. spoons and forks too. this is extremely retarded of them to do. just how do they plan to enforce this law. sounds like complete dictatorship. no more freedom of any kind.
goodpeople says

January 12, 2008 at 1:37 am

@darknet

How does this affect you? You’re based in the uk..
dirty says

January 12, 2008 at 8:35 am

I dont really think it should affect darknet.
Darknet says

January 12, 2008 at 9:40 am

It won’t really effect me – I don’t live in UK and haven’t for the past 4 years. This site is not hosted in the UK either, so for me there should be no issues.
Nobody_Holme says

January 12, 2008 at 11:34 am

Thats a point… will it affect foreign security professionals who try to enter the country? could be annoying, methinks. Maybe i’ll go poke my MP… he at least listens to people some of the time.
Alfred says

January 12, 2008 at 7:05 pm

Its very silly to make a law that they won’t be able to really be able to apply. Although they maybe able to make some “examples” they won’t truly be able to comb through and find everyone. Look at the RIAA they can’t truly stop anyone person. They have made a couple of “examples” that have made headlines but that has died down and people are still doing it. What it has made is a revenue streams for companies to say hey look at me we are doing this legally you only have to pay $xx.xx. Governments kill any creativity. The funny thing is the same tools that are used to “crack” are some of the same tools they use to find the crackers. Thats my rant for the day
>end<
Stu says

January 12, 2008 at 7:22 pm

It is quite mad, and you are all not alone in thinking so. Cambridge University has been working har don this (or at least Richard Clayton has) — see here -> http://www.lightbluetouchpaper.org/category/legal/

They have with other academics, freelancers, and professionals, lobbied the home office. The Criminal Prosecution Services guidance, in my view, seems a little “slap-dash”.

I am studying English Law, my third year, I’m 32 and I have worked as an ethical hacker, a consultant and for the past four years have been managing information security. It is scary on the surface, and we are most definitely right to be worried. The UK was classed as the most observed society in the world in a recent report by privacy international. See here.

..and has very limited privacy laws, if any other than those we are arguably lucky enough to receive from Europe e.g.

Dual-use type tools, such as Perl (or lol, any programming language) can be used for innocent, benign, as well as malicious purposes. NMAP, Netcat etc, are dual use tools, but was is the legal test? – read the article and Richard Claytons work.

..some things to note, why has Open source not been taken into account, has Bill Gates letter from the homebrew computer club in the seventies really screwed things up this much? (tongue in cheek)…

Anyway I waffle on. Interesting times.
mumble says

January 13, 2008 at 8:27 am

That’s it! Bad country – no python for you…. no Nmap, no UnicornScan, no Wireshark, TCPDump, libpcap, libnet….

This is possibly the most insane piece of legislation I’ve seen recently. It’s right up there with the anti-circumvention measures in the US-DMCA for sheer jugheadedness. WTF are they thinking?
Nobody_Holme says

January 13, 2008 at 2:48 pm

Looks like you’ll be okay with anything thats in general use already… but woe betide you if you custom build your pentest tools… *sigh*
goodpeople says

January 13, 2008 at 4:46 pm

Germany already passed this law. I had hoped that by now one, or maybe even a few, of the larger IT companies (like IBM, Microsoft, HP, etc.) would have taken this to trail. That would clear up a lot of the smoke.

Same goes for the UK. The minute this law is passed, it should be taken to court.
hpavc says

January 14, 2008 at 1:50 am

Seems pretty odd, commercial products seem to have some escape mechanism and then those based on OSS would have oddities as well.
eM3rC says

January 14, 2008 at 6:35 am

The best way to fight hackers seems to use their tools to see how they get in and find a way to block it. Its like banning beer and expecting the number of drunks to immediately go down, especially for something that will be almost impossible to stop.
mumble says

January 14, 2008 at 8:18 am

I’m not quite sure what you would use as overriding law if you were trying to get this struck down in the UK. In the US, you can make arguments on constitutional grounds, but the UK is a parliamentary system, so I’m not sure that you have any worthwhile legal argument. This in only to say that while is is unquestionably batty, its kookiness may not prevent it from being enforcible.

In the US, there is the “code as speech” argument – where the freedom of expression aspects of writing code can sometimes override other considerations. There are fairly decent arguments here, but it’s far from settled law on either side. (See Bernstein v. United States for details)
Nobody_Holme says

January 15, 2008 at 1:02 pm

The crowbar comment is a good way of putting it.
crk says

January 16, 2008 at 8:27 pm

Who cares? The Uk police are cr*p. They are useless. Just dont get caught. They will never catch you. Useless bunch of uk police.
Nobody_Holme says

January 17, 2008 at 12:55 pm

You think that, then you try to use such a tool while going about your daily buisness, and theres a copper investigating something else right behind you. Or the cyber-crime division are in at the same time you got called in to do your thing making people secure, and want to see how you do things. ka-boom, jail for you.

(oh, and also, crk, police > you. kthx)
Mike says

January 17, 2008 at 6:06 pm

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called
durpsquat says

January 18, 2008 at 4:20 am

by looking at the application time-stamp? you dumfucked nimwhit….
Darknet says

January 18, 2008 at 7:39 am

[sarcasm] Yah OS time-stamps are infallible – they can’t be changed. [/sarcasm]
Nobody_Holme says

January 18, 2008 at 5:19 pm

*hands Darknet a cookie* nicely put.
goodpeople says

January 20, 2008 at 1:33 pm

WHAT?!?!?!!?

can timestamps be changed?????

HOW?!?!?! Tell us.. Please! :-)
mumble says

January 20, 2008 at 8:34 pm

Timestomp:
http://www.forensicswiki.org/wiki/Timestomp

There are Linux/BSD/Unix utilities which do essentially the same thing.

In DOS, I used to use a dumb little program which stored the system time/date, set the date/time to [whatever], munged timestamps, and restored the date/time.

Not, of course, to mention the fact that the filesystem documentation and a hex editor can have interesting effects…. :-) but that’s really oldskool.
Darknet says

January 21, 2008 at 2:52 pm

There’s even (very simple) Windows tools to do it..it’s not hard. Most rootkits/log wipe programs have timestamp tampering ability too so you can set back .bash_history or the log files to the previous pre-tampered modification dates.
goodpeople says

January 22, 2008 at 12:40 am

‘cmon guys, you don’t actually believe that I didn’t know this.. don’t you?
Darknet says

January 22, 2008 at 9:35 am

Stranger things have happened :P
Nobody_Holme says

January 22, 2008 at 3:13 pm

I’ve got to say… phrased like that? mind you, there are people out there who dont know this kind of stuff, so i guess its useful education. *frowns at durpsquat*
eM3rC says

February 7, 2008 at 5:29 am

Wow… Talk about hypocritical…

I just got back from vacation and I saw in a future post about the German police trojan.

All I can say is trying to outlaw something like this will be impossible. It is like trying to outlaw alcohol (looks at the passing of the 18th and 21st amendment for the US). Hacking software can be downloaded from anywhere and as a result would be impossible to monitor. It seems the only way one could control this on such a large scale is to destroy every computer in the UK and create terminals which store their information on some government server (which is constantly scanned for hacking software).

Another point I thought of is programming. Even if the government was somehow able to ban all the software, programmers could just write more. And what about the hackers working for the government? No new hackers could be hired due to a lack of experience resulting in the country being defe4nseless against hacke r attacks from other countries.
zupakomputer says

February 10, 2008 at 6:34 pm

Just hack into their machines and delete all their files on any prosecuting cases. Take over their networks anyway. This drill is known.
mumble says

February 10, 2008 at 7:20 pm

@zupakomputer
PAPER – you know the heavy, mostly white dead tree carcasses that legal cases are made out of.
Pantagruel says

February 10, 2008 at 8:21 pm

@mumble

Yep, you might consider it a waste all those chopped down trees

@zupakomputer

Guess you’ll have to resort to arson as well ;)
zupakomputer says

February 10, 2008 at 11:01 pm

Paper? That’d be printed off their Word apps (and yes, no doubt it won’t be 100% recycled nor tree-free). I wasn’t meaning by individual case, I was meaning crippling the whole thing.

As everyone here knows anyway – anyone who has any knowledge at all of computer security, ‘hacking tools’ are just modified versions or same versions of security tools. So they’d effectively be outlawing securing a computer or network properly – or do they expect people to use only old programs they downloaded prior to a law being passed, or use only tools people in other countries have written.

That’d be no use, you can’t rely every time on a tool written by someone else – and here I’m thinking in terms of also modifying open source OS code so that you have customised secure OSs – would this also then be illegal, say if you made it sniff out any intruders automatically so you could see who was wanting in. And old programs! – they go out of date fast when it comes to security. Businesses and so on would be staying on 20-year-old OSs because they’re not allowed to secure any new versions.

It’s insane to suggest such a legislation – what they mean to say is, they want it illegal to compromise a network or machine that you don’t own / haven’t permission to be on. Which is…..already illegal anyway. So – they don’t know anything about the topic and they’re trying to remove tools from everyone else so they know as little as possible also.
They would seem to believe that rather than do their job monitoring, they can take various tools away – yet, to monitor that means…..monitoring all network traffic, in the entire country, so tightly that every transaction is logged and checked – in case it was a hack tool being down or uploaded. Do they plan on renting out ECHELON for this? I hear they’re a bit busy chasing messages that might contain terrorist plans.
Do they really have the means to monitor the internet traffic in the UK to that extent – when they can’t monitor it to check for any actual intrusions.

If this does go ahead, I predict a huge increase in interest in encryption tools and digital signatures.
zupakomputer says

February 10, 2008 at 11:41 pm

Let me tell ye something else besides: I recently checked with the cops and with some government folks about tracking online stalkers – so they knew that serious crime’s been committed, and (important point coming up here) they said that nothing could be done – because it was online. They had no way of checking any logs from any websites, even when given precise exact details of where to look and who to go to about it. Completely powerless, and they didn’t have a clue about the internet at all. They directed me to a website about – cyber-bullying, stuff like kids taking camera phone videos of them bullying other kids then putting it online.

Look – if an allegation is made against someone that they have tried to hack into something, then proof of that of some kind needs to be presented. Otherwise you can go around saying ‘so and so tried to hack into the Pentagon’ and they have to chase every one of these claims up, seize the computers and check them for any data, get court orders to your ISP to read all their logs…..it’s the same as it is now – if you’re caught trying to get in a network and they (whoever runs / owns the network) try to prosecute you, then you’d get into bother.

– as for distribution….well, who are these advisors here, and what do they know about security; about as much as many govt. advisors know on any subject they provide info on (like drugs for example) – and that’s either nothing, or it’s that they are blacker-than-black-hats. They stand to gain – usually financially – by outlawing something or otherwise encouraging stupidity to reign.
eM3rC says

February 11, 2008 at 9:06 am

@zupacomputer

Good points. The volume of computer traffic, software and computers in general they would have to monitor would be so immense that it might be considered impossible. Considering there is 1 computer per person for every household in the UK would take either an extremely large work force or a program to run through every computer. Also an operation this big would require a pretty large grace period between a computer being scanned and by doing so would result in free time to hack whatever you like after downloading hacking software from some site based in a country other than the UK.

I would like to also say that police laws are very very different when comparing places like the US to the UK. I don’t know if anyone was around during the oil embargo, but, the government (in Britain at least) decided to ration the oil. Unlike the US where police must get a warranty to search a person’s property, the British police were able to walk right in and check the thermostat for “excessive use of natural resources”.

I think it would be amazingly difficult, if not impossible, but I wouldn’t be surprised if the government tried.
Pantagruel says

February 11, 2008 at 11:28 am

If the bureaucrats think it’s a remotely viable option they will give it a shot . It’s not like they are paying it from their own pocket (it’s only the tax payers money, in the NL we’ve had some stupid idea’s worked out costing sizeable amounts of money).

They will always find a reason for more active interferance (martial law alike circumstances) and bend the laws to their liking to generate enough room to perform a search.

Al over Europe laws have been or are being passed concerning data retention on communications. So far it’s only data on who contacted whom (phone/fax/internet). As soon as it turns out that this is manageable they will start prompting for retention of the content of the communiction itself. Harddisk space is relatively cheap as most geeks know and official would very much like to be able to prove the actuall malicious nature of a communication.
J. Lion says

February 11, 2008 at 10:58 pm

I could be wrong but isn’t making hacking tool illegal kinda like asking policemen to give up their guns and batons.
eM3rC says

February 12, 2008 at 2:34 am

@J. Lion
In Japan guns are outlawed for both police officers and citizens and that has been working almost flawlessly. It would be possible, just very very hard to do.

@Pantagruel
I see what you are saying about the politicians not losing anything for experimenting with this idea. They have nothing to lose.

I would also like to take a different perspective on this. Because of the size of traffic the government would be getting if they passed this law, is it possible that they are only doing this because they wish to have a way to persecute people who are caught hacking? For example if you take some of the famous mafia leaders during the prohibition in the US, they were not arrested for murder or smuggling, but tax evasion. By allowing the police forces to actually persecute black hacks for their deeds rather than some other minor crime. (I know it is a stretch but let me know how it sounds)

@Darknet
Post more controversial stories like these please! I really love discussing it with the community.
Pantagruel says

February 12, 2008 at 3:29 pm

Well the British MP’s are really getting up to steam and are about to really put ‘Big Brother’ into place

http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article3353387.ece

People who illegally download films and music will be cut off from the internet under new legislative proposals to be unveiled next week.

Internet service providers (ISPs) will be legally required to take action against users who access pirated material, The Times has learnt.

Users suspected of wrongly downloading films or music will receive a warning e-mail for the first offence, a suspension for the second infringement and the termination of their internet contract if caught a third time, under the most likely option to emerge from discussions about the new law.
J. Lion says

February 12, 2008 at 5:48 pm

@eM3rC

It’s a matter of cultural differences. If everyone is law abiding and has high respect to law and government – we won’t be discussing this issue at all.
J. Lion says

February 12, 2008 at 5:58 pm

@eM3rC

It’s a matter of cultural differences.

—
Making something illegal does not make it go away. It only makes it harder to find/acquire. With the internet (where almost everything is available – how do you propose that?)

Besides wasn;t there a motto – you are never guilty if you are never caught
Pantagruel says

February 12, 2008 at 10:41 pm

@J. Lion

You’re innocent until proven guilty, but I guess they already start gathering evidence just in case they ever need to put you away behind bars for a yet to be determined reason. You might argue that if you’ve got nothing to hide you will have nothing to fear. I argue that if there is nothing worth recording why record it (waste of money, resources,space, trees,etc..) . This type of operation only serve one goal: gather info to be used in the nearby or distant future without a clear motive to do so.
eM3rC says

February 13, 2008 at 2:19 am

@Pantagruel
I just saw that article on the BBC and thought it was a really interesting approach to eliminating piracy. Only problem is, what if little 8 year old Timmy decides to download a song illegally and gets his internet cut and now his parents have no way to work on the computers (work). I know you could say the parents should be watching the kids but a lot of adults do not have a clue about illegal downloading.
eM3rC says

February 13, 2008 at 2:24 am

@J. Lion
You pretty much said the same thing in two different ways. People are not perfect and will never be perfect. We will always be greedy, violent and self centered.

Just the fact that something is illegal does not make it less wanted. Take illegal drugs for example. The drug lords are filthy rich and the crime rates are still just as high. Plus there’s the factor that many people do the drugs just for the rush of doing something bad.

Anyone wanna take up my perspective in the previous post?
eM3rC says

February 13, 2008 at 2:26 am

Sorry, didn’t see Pantagruel’s post for some reason. Good point and I’m glad someone else has a similar view to my own. Only downside is the cost of resources when comparing it to the amount of damage that will be reduced from hackers.

Fun fact
Russia is now the spam capitol of the world (as in where the masters of spam are)
zupakomputer says

February 13, 2008 at 6:08 pm

I’m suprised the ISPs haven’t explained that they can’t feasibly be expected to monitor the download and upload contents of all data traversing their networks……or if they have so explained how impossible that’d be, it’s the usual pseudo-news reporting style that doesn’t bother to properly detail what the real story is.

Even on a tightly secured LAN, it’s only feasible to go as far as the likes of packet sniffers on routers – they can check for suspect frames going by their headers (senders, recievers, etc) and the size of packets, but even in that scenario they can’t actually have a router and/or separate server to check the contents of data packets or download them first, open them up and examine them (and then how do they determine if it is actually an illegal share?!), then forward them on to the actual file requester…..or they can – but these are like Fort Knox places with black-budget billions (from drug money, arms money, and taxes) to spend on dedicated 40GB fibre lines and 20 RAID 0 SCSIs so there’s no massive bottlenecks in their network cause they have to download and check everything before sending it on…

Another interesting aside to this – given it’s perfectly do-able to conceal data within other forms of data (like within an image file for example), how do they expect to check for things like that.

nb – comparing this to what Germany is doing overall with their networks isn’t a true comparison, because there it is not likely you’ll get free or unprotected wireless access, plus they are security-conscious in educational establishments and have switched over to Linux. The UK won’t be doing that!
zupakomputer says

March 8, 2008 at 3:41 pm

So, does anyone know if these idiots have been informed yet that their legislation plans effectively make it illegal to secure any network, or check to see if a network is secure?

Are they going to issue certificates to security people, something like “So-and-so: licensed to pen-test”. Are they intending to fill up the courts with people having to explain why they have several pen drives all set to live boot varying OSs.
Pantagruel says

March 8, 2008 at 7:40 pm

@Zupakomputer

I hope they where or will be informed, but I guess they will have a hard time getting to grips with the info. They usually are very capable of listening to spin-doctors but with real world info they tend to be a bit slow/find it rather incomprehensive
eM3rC says

March 9, 2008 at 5:11 am

Well I see Pantagruel and zupakomputer are really posting up a storm. Been working really hard the last couple of days so thats my excuse for not posting. Anywho, the conversation.

I’m sorry for any repeated points from previous posts but here’s what I believe. Passing legislation would be like the Patriot Act but much more deadly. With a law like this, the government would technically have an excuse to monitor anyones internet without a good reason (terrorist vs 8 year old downloading music… hrmmm… Who to watch…). Like zupakomputer said, actually tracking the data would be nearly impossible as well as classifying illegal content. There have been a lot of problem with groups such as child pornography people hiding their pics within encrypted files so it becomes amazingly hard to track. I also agree with the overflow in the courts with the odd explanations for the multiple OSs. Overall, it seems like allowing police to check any car they wish to make sure the car is working properly.

As one of my government teachers used to say “the best way to argue a point, is to argue both sides”. Here is my argument for a method of doing something like this, taxes. In the US at least, taxes are audited. For those of you who might know what this means, this is a rough translation. The government will randomly select tax forms and look at all the paperwork to make sure people are not cheating on their taxes. If caught the person gets huge fines as well as being forced to pay interest on the money they cheated. Relating this to the internet, the government could simply select random computers (yes I know there would be a lot of variables involved but bare with me). Another method would be flagging the torrenting/warez sites and when a computer visits those sites a certain number of times the government has enough reason to pay a little visit to the computer.

Feel free to argue both points although I bet it will be the outrageousness of this proposition (which I personally support).
zupakomputer says

March 9, 2008 at 12:57 pm

Don’t argue both sides! That’s a ploy ‘They’ use cause they can’t think up their own ideas – so they encourage well-meaning folks to do it for them.

I can see the value in honing in on the actual providers of the shared files (that said – piracy used to mean making money off other people’s work, whereas now it’s given away for free..) but any kind of random searches are an awful breach of privacy. Why should anyone be expected to be monitored or checked out based purely on a lottery.
fever says

April 8, 2008 at 7:15 pm

impossible to enforce.
grav says

July 1, 2008 at 7:21 pm

The definition of a hacking tool is at best, blurred.
Can the UK take away your screwdriver?
It can be used for hardware hacking : )
or it can be used to make a fence.

Would that mean that the MSDOS would be banned as well?
Hacking can be done with just about any tool.
razta says

July 1, 2008 at 11:18 pm

Theres a great podcast on this topic over at http://www.sploitcast.com/
Navin says

July 2, 2008 at 9:10 am

@ grav
Isn’t tht the point?? aren’t all thes so called hacking tools made for pen-testing rather than to fkcu up corporate servers?? ITs kinda stupid to launch such programmes/initiatives….instead the government should work more on catching crooks and punishing them more severely in order to send out a proper message to malicious hackers…..

But in the end wht can we do??U’d better start hiding your screwdrivers!!

# Download from GitHub Releases # https://github.com/n3rada/MSSQLand/releases # For operators compiling from source # Requires Visual Studio with .NET Framework 4.8 SDK git clone https://github.com/n3rada/MSSQLand.git cd MSSQLand # Open MSSQLand.sln in Visual Studio and build for x64 Release

MSSQLand.exe <host> [options] <action> [action-options] # Connection test only (no action executed) MSSQLand.exe localhost -c token # Execute specific action MSSQLand.exe localhost -c token info MSSQLand.exe localhost:1434@db03 -c token info # Linked server chain traversal # Format: server:port/user@database or any combination # Semicolon (;) separates servers, forward slash (/) specifies impersonation MSSQLand.exe localhost -c token -l SQL01;SQL02/admin;SQL03@clients info # Configuration Manager actions (cm- prefix) MSSQLand.exe sccm-db.corp -c token cm-devices MSSQLand.exe sccm-db.corp -c token cm-scripts # CSV output for automation MSSQLand.exe localhost -c token --format csv --silent procedures > procedures.csv

Stolen credentials are now the single most reliable entry point into enterprise networks. Compromised credentials accounted for 22% of all confirmed data breaches in the period covered by Verizon’s extended credential stuffing analysis accompanying the 2025 DBIR, making it the most common initial access vector for the third consecutive year. Credential stuffing, the automated replay of stolen username-password pairs at scale, requires minimal skill, costs almost nothing to run, and succeeds at rates that make it economically rational to run campaigns against thousands of targets simultaneously. Multi-factor authentication (MFA) remains the single most effective control against it, yet deployment gaps persist across sectors that should know better.

The Credential Supply Chain

Credential stuffing depends on a supply chain that runs from infostealer malware through dark web markets to attack tooling. Malware families, including Lumma, RedLine, StealC, and Acreed, scrape browser password vaults, saved cookies, and autofill data from compromised machines. The harvested data is identical to what tools like DumpBrowserSecrets extract during post-exploitation: saved passwords, session cookies, OAuth refresh tokens, and autofill entries pulled directly from Chrome, Edge, Firefox, and every other major browser. Attackers package that raw material into structured files known as combolists, formatted as email: password pairs, cleaned of duplicates, and categorised by service type or geography before selling them on.

Combolists trade freely across dark web forums, Telegram channels, and dedicated cracking communities. The initial access broker ecosystem documented throughout 2025 has normalised validated credentials as a commodity. Fresh lists built from recent infostealer logs command significantly higher prices than aged database dumps because they have higher validity rates. The Verizon analysis found that only 49% of a user’s passwords across different services are distinct. That figure is what makes credential stuffing economically viable: breach one service, and there is roughly a 50% chance the same password works elsewhere. Across millions of accounts, that probability becomes near-certainty.

The tooling that drives attacks is openly available. OpenBullet and its successor, SilverBullet, are credential-stuffing frameworks originally released as penetration testing utilities, now standard tools in account-takeover (ATO) operations. They automate the full attack loop: loading combolists, rotating through residential proxies to dodge rate limiting and IP blocks, sending login requests that mimic legitimate browser behaviour, and logging successful hits. Attackers also buy and sell custom configuration files, known as configs, that define the authentication flow for specific target services. Unofficial marketplaces offer configs for specific banking portals, SaaS platforms, and enterprise single sign-on (SSO) providers alongside combolists and proxy subscriptions.

Three Case Studies from 2025

In late March 2025, coordinated credential stuffing attacks hit five major Australian superannuation funds simultaneously: AustralianSuper, Rest Super, Hostplus, Australian Retirement Trust, and Insignia Financial. As BleepingComputer reported on the coordinated attacks, attackers compromised over 20,000 accounts across the five funds, with four AustralianSuper members losing a combined AUD 500,000. The attackers used combolists from prior unrelated breaches. AustralianSuper offered MFA but did not enforce it at login, a gap that regulators identified as the primary enabling factor. Retirement funds make attractive targets because account balances are high, withdrawals are slow to reverse, and many members check their accounts infrequently.

In April 2025, VF Corporation notified customers of a credential-stuffing attack against the North Face online store. BleepingComputer’s coverage of the April incident confirmed that attackers used credentials from earlier unrelated breaches to access accounts and exfiltrate names, email addresses, shipping addresses, phone numbers, purchase history, and dates of birth. Payment card data was not exposed, as a third-party provider handles payment processing. The April attack followed a March incident that exposed 15,700 accounts across The North Face and Timberland. It was the fourth credential stuffing incident against VF Corporation brands since 2020. The pattern reflects a structural problem: tens of millions of customer accounts, high password reuse rates, and authentication systems not designed to detect low-and-slow validation campaigns.

The Change Healthcare breach in February 2024 remains the most consequential recent example of credential-based initial access. The ALPHV/BlackCat ransomware group entered UnitedHealth’s Change Healthcare subsidiary through compromised Citrix credentials on a remote-access portal without MFA, as confirmed in Congressional testimony from UnitedHealth’s CEO. The attackers moved laterally through the billing network and deployed ransomware that shut down payment processing for healthcare providers across the United States for weeks. The incident produced a $22 million ransom payment and an estimated $872 million in reported disruption costs in the first quarter alone. One set of valid credentials on one unprotected endpoint caused one of the largest healthcare-sector disruptions in US history.

Detection and Evasion Techniques

Modern credential stuffing campaigns specifically target the detection mechanisms most organisations have deployed. Attackers bypass velocity-based controls that flag high volumes of failed login attempts from a single IP by rotating through residential proxies. They distribute attempts across thousands of IP addresses so each one generates only a handful of requests, staying below alert thresholds. Third-party CAPTCHA-solving services handle challenge pages, some of which are automated via machine learning and others through human labour farms. Tools that emulate legitimate browser environments, including correct JavaScript execution, realistic mouse movement patterns, and authentic request timing, defeat browser fingerprinting.

The MITRE ATT&CK framework categorises credential stuffing under T1110.004 (Brute Force: Credential Stuffing). Defenders should monitor for several specific signals: unusual geographic distributions of authentication requests, spikes in failed logins spread across a wide IP range rather than concentrated at a single source, and successful logins from IP addresses tied to residential proxy services. Account logins from devices or browsers with no prior history on the account also warrant investigation. The Verizon analysis found that credential stuffing accounted for a median of 19% of all authentication attempts across SSO providers, meaning roughly one in five login attempts was not legitimate.

One underappreciated detection gap is the window between credential exposure and organisational awareness. Dark web monitoring tools available to enterprise teams in 2025 make it operationally achievable to track stealer log markets and paste sites for corporate email domains. Many organisations still treat that monitoring as optional rather than a core detection layer. Credentials circulate in combolists for months before the affected organisation becomes aware, and attackers exploit that window systematically.

Regulatory Response

The 23andMe case produced the most visible regulatory outcome tied directly to credential stuffing. A 2023 attack using combolists accessed approximately 6.9 million customer records. The UK Information Commissioner’s Office fined the company £2.31 million for failing to implement adequate security, specifically the absence of mandatory MFA for accounts holding sensitive genetic data. In March 2025, as Wired reported in its coverage of the 23andMe bankruptcy, the company filed for Chapter 11, with the credential stuffing incident and its downstream legal consequences cited as contributing factors. Regulators in the UK and EU now reference the case as evidence that weak authentication controls constitute a material governance failure, not a technical oversight.

CISA’s 2024 guidance on phishing-resistant MFA explicitly identifies credential stuffing as a primary threat driver. It recommends hardware security keys and passkeys using the WebAuthn standard as the only controls that fully eliminate the credential reuse vector. SMS one-time passwords and Time-based One-Time Password (TOTP) codes provide partial protection but remain vulnerable to adversary-in-the-middle (AiTM) interception, a technique increasingly applied against accounts whose value justifies the extra effort.

CISO Playbook

Phishing-resistant MFA enforced across all externally facing authentication endpoints, including VPN portals, SSO providers, and remote desktop services, eliminates the primary path for exploitation. Password screening against known-breach corpora at login and account creation, using services such as the Have I Been Pwned API, removes credentials already circulating in combolists before attackers can validate them. Rate limiting and progressive account lockout on all authentication endpoints, including API login flows that teams frequently overlook, cuts the volume of attempts that reach the validation stage.

Bot detection that analyses behavioural signals, including request timing, device fingerprint consistency, and session cookie behaviour, provides a second line of defence against campaigns that have already bypassed IP-based controls. For organisations on legacy identity infrastructure, a full platform replacement is not the immediate priority. Enforcing MFA on the externally facing authentication layer, regardless of what sits behind it, addresses the highest-risk exposure first. The Change Healthcare incident is the clearest available proof of what one unprotected endpoint costs at scale.

There is no technical solution that eliminates credential stuffing entirely. Password reuse persists, infostealers continue operating at scale, and combolists will keep growing. The practical objective for defenders is to raise the cost of a successful attack on their specific environment above what attackers can profitably tolerate, and to detect the attempts that do succeed before they compound into something worse. Given that 22% of breaches in 2025 started with a valid credential, organisations that treat authentication hygiene as routine maintenance rather than a strategic priority are already in the breach statistics.

Frequently Asked Questions

What is credential stuffing, and how does it differ from brute force?

Credential stuffing uses real username-password pairs stolen from previous breaches and automatically replays them against other services. Brute force generates password guesses from scratch. Stuffing is faster, quieter, and far more effective because it exploits password reuse rather than attempting to crack unknown passwords. A combolist of 10 million verified credentials will outperform any brute-force dictionary attack against the same target.

What is a combolist, and where do attackers get them?

A combolist is a structured file of email-and-password pairs compiled from data breaches, infostealer malware logs, and dark web markets. Attackers source them from initial access broker forums, Telegram channels, and dedicated credential marketplaces. Fresh lists derived from recent infostealer campaigns are the most valuable because their owners have not yet rotated the credentials.

How do attackers bypass rate limiting and CAPTCHA during credential stuffing?

Attackers use residential proxy networks to distribute login attempts across thousands of IP addresses, keeping per-IP request volumes below detection thresholds. CAPTCHA challenges are handled by third-party solving services, either via automated machine-learning methods or by human labour farms. Tools such as OpenBullet and SilverBullet emulate realistic browser behaviour, including JavaScript execution and mouse-movement patterns, to evade browser fingerprinting controls.

Does multi-factor authentication stop credential stuffing?

Phishing-resistant MFA using hardware security keys or passkeys under the WebAuthn standard fully eliminates the credential reuse vector. SMS one-time passwords and TOTP codes reduce exposure but remain vulnerable to adversary-in-the-middle interception. The Change Healthcare breach, which resulted in $872 million in disruption costs, occurred on a Citrix portal with no MFA. Enforcing MFA on every externally facing authentication endpoint is the single highest-impact control available.

What are the most common targets for credential stuffing attacks?

Enterprise SSO portals, VPN gateways, e-commerce account login pages, financial services platforms, and healthcare provider systems are the most frequently targeted. Retirement and superannuation funds have emerged as high-value targets in 2025 because account balances are large, members check accounts infrequently, and MFA enforcement has historically been optional rather than mandatory.

How can organisations detect credential stuffing attacks in progress?

Key signals include spikes in authentication requests distributed across a wide IP range rather than concentrated at a single source, successful logins from residential proxy IP addresses, account access from devices or browsers with no prior history, and unusual geographic distributions in login activity. Continuous monitoring of dark web stealer log markets for corporate email domains provides early warning before credentials are actively exploited. The Verizon 2025 DBIR found that credential stuffing accounts for a median of 19% of all SSO authentication attempts, so baseline volume analysis is also a viable detection layer.

This article covers techniques used by both attackers and defenders for educational and research purposes. The tools and marketplaces described are documented by security researchers and law enforcement agencies.

Usage: DumpBrowserSecrets.exe [options] Options: /b:<browser> Target Browser: chrome, edge, brave, opera, operagx, vivaldi, firefox, all (default: system default browser) /o <file> Output JSON File (default: <browser>Data.json) /all Export All Entries (default: max 16 per category) /? Show This Help Message Examples: DumpBrowserSecrets.exe Extract 16 Entries From The Default Browser DumpBrowserSecrets.exe /b:chrome Extract 16 Entries From Chrome DumpBrowserSecrets.exe /b:firefox /all Export All Entries From Firefox DumpBrowserSecrets.exe /b:brave /o Output.json Extract 16 Entries From Brave To Output.json DumpBrowserSecrets.exe /b:all /all Extract All From All Installed Browsers

name: Heisenberg Health Check on: pull_request: paths: - "**/poetry.lock" - "**/uv.lock" - "**/package-lock.json" - "**/yarn.lock" - "**/requirements.txt" - "**/go.mod" permissions: contents: read pull-requests: write issues: write jobs: deps-health: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Detect changed manifest id: detect run: | git fetch origin ${{ github.base_ref }} --depth=1 LOCK_PATH=$(git diff --name-only origin/${{ github.base_ref }} | \ grep -E 'poetry.lock$|uv.lock$|package-lock.json$|yarn.lock$|requirements.txt$|go.mod$' | head -n1 || true) echo "lock_path=$LOCK_PATH" >> $GITHUB_OUTPUT - name: Heisenberg Dependency Health Check uses: AppOmni-Labs/heisenberg-ssc-gha@v1 with: package_file: ${{ steps.detect.outputs.lock_path }}

UK Government Set to Make ‘Hacking Tools’ Illegal

Related Posts:

Most Viewed Posts

Search

Recent Posts

Related Posts:

Reader Interactions

Comments

Footer

Most Viewed Posts

Search

Recent Posts

Tags