Published and presented at the 19th National Information Systems Security Conference, Baltimore, MD, October 22-25, 1996

Legal Aspects of Ice-Pick Testing

Dr. Bruce C. Gabrielson, NCE
Kaman Sciences Corp.
Alexandria, VA
in Association with Naval Research Laboratory
Contract No: M00014-93-C-2033

Abstract

The Ice-Pick package is a window-driven program that provides a multi-layered approach to network testing. The automated tool is used to identify frequently exploited security problems present on well-known UNIX-based operating systems. Information provided by testing is used to determine what protective mechanisms need to be implemented by network administrators.

The paper deals with two issues of primary concern: the user's legal basis for performing vulnerability identification testing, and the consequences of unauthorized use or release of the software itself. It is essential for self-protection that the tester understands what he or she can legally do with a tool such as Ice-Pick. The issue of trust can also affect users. Trusting each user to protect Ice-Pick against unauthorized release is essential for absolute control of the technology involved.

The structure of this document allows traceability from top-level law through applicable Navy regulation. The most important points are the understanding of what monitoring involves, and knowing what the Ice-Pick test tool can be used for. The use of other penetration-type testing tools, such as SATAN, will not be discussed, nor will the regulatory requirements of non-Navy organizations. However, the discussion can be applied to using similar test tools in other organizations.

Introduction

This paper discusses the legal basis for performing Ice-Pick testing in the Navy, and the consequences of unauthorized use or release of the software itself. It is essential for self-protection that the tester understands what he or she can and can't do with the tool. Providing the information background for the tester to evaluate test activities is one means of accomplishing affective conditioning. Therefore, the legal basis supporting testing and accountability when using the tool will be derived first.

Trusting the user is another issue. Although trust of each user against the unauthorized release of Ice-Pick is assumed, its distribution must be absolutely controlled. Therefore, a discussion of the repercussions of improper release, particularly to the user, will enhance the user's awareness of the problem, as well as provide the legal basis for prosecution should the software find its way into the wrong hands.

Background on Ice-Pick

Ice-Pick is an unclassified automated tool that can be used for breaking into networks. The Navy developed it to proactively attack its own networks for SST&E purposes. Ice-Pick does what it is intended to do very well.

The Ice-Pick user can only test for vulnerabilities. Private information cannot be accessed with the Ice-Pick application running. Ice-Pick's software incorporates protection mechanisms to ensure only pre-authorized. The software can be directed to only run on one pre-designated machine. However, these controls are directed at software operation.

Using the program requires a certain level of technical skill. The skills required are security sensitive in nature in that the individual using the program could basically become an accomplished "hacker".

....snip...

http://www.blackmagic.com/ses/bruceg/legal.html