How to protect yourself from hacking of email and social network accounts?

Life in virtual reality often displaces real existence. Almost every person of the current generation is familiar with social networks, email and other Internet resources.

Unfortunately, not many people think about the security of their data; they do not follow or even understand the rules for using online accounts. Meanwhile, attackers are not averse to gaining unauthorized access to such data.

Email hacking

Almost every adult and young person now has an email account; even the youngest users register one, for example, in order to install applications.

At work, staff have one mailbox and at home another, but each of them can hold personal, valuable and even off-limits information, as well as access to payment systems and social networks. An attacker naturally wants to obtain these for personal gain, often through extortion for a significant sum.


Concept and criminal legal characteristics

Hacking an electronic mailbox can be prosecuted under either Article 272 or Article 138 of the Criminal Code of the Russian Federation. The criminal legal characteristics under each article are as follows:

Element | Article 138 of the Criminal Code of the Russian Federation | Article 272 of the Criminal Code of the Russian Federation
--- | --- | ---
Object | The right to maintain confidentiality of correspondence | Citizen's right to information
Objective side | Violation of the integrity of the corresponding object | Illegal access to protected information, if as a result it was changed, copied, blocked and/or destroyed
Subject | Sane individual at least 16 years of age | Sane individual at least 16 years of age
Subjective side | Direct intent, the degree of which does not affect the severity of the punishment | Direct intent, the degree of which does not affect the severity of the punishment

Qualifying features

Crimes in the field of computer security are very diverse. Their elements are formal: the offense is considered committed once the fact of hacking an electronic mailbox is recorded and classified under one of the articles of the Criminal Code of the Russian Federation.

The qualifying features of a crime depend on the conditions under which it was committed. If a work mailbox was hacked, the qualifying feature will be the use of an official position.

Any action that led to a hack, carried out illegally and without the knowledge of the victim, is considered a qualifying characteristic.

Methods of crime

Many have been led to believe that if no one sees your password, then the system is safe. This is far from true. The password itself is now only a small part of the process of gaining access to your email account, and brute-force password guessing is a last resort.

Here are some of the most popular email hacking activities:

  • Social engineering: exploiting simple passwords that contain personal information (date of birth, first and last name, etc.) and passwords left in plain sight, such as notes on paper or a text document on the computer desktop.
  • Spam mailings: an eye-catching letter, most often about a prize or a lucrative offer, with a link that leads to a malicious site or an executable file.
  • Phishing: a fake website that copies the design of the original almost exactly, where an inattentive user enters their credentials.
  • Distribution of unlicensed software containing viruses.

Read on to find out which article applies to hacking a social network page (for example, VKontakte (VK), Odnoklassniki, etc.).

Criminal liability for “hacking” of government information resources. Expert opinions

In the near future, the government of the country plans to submit the bill for consideration to the State Duma of Russia. According to RBC, the bill proposes to supplement the Criminal Code of the Russian Federation with Art. 272.1. The sanction for “hacking” government information resources is proposed to be set at 3 years of imprisonment.

Article 272.1 implies liability for unlawful access to state information systems and (or) the state information resources contained in them. For criminal liability to arise, such a “hacking” must entail the destruction, blocking, modification or copying of information, or disruption of the functioning of the state information system.

The same acts committed by a group of persons by prior conspiracy, by an organized group, or by a person who has access to state information systems, including those operating as part of critically important facilities, and (or) the state information resources contained in them due to his official position, shall be punishable by imprisonment for a term of 3 to 7 years.

In this case, critically important objects are understood as objects whose disruption or cessation of functioning leads to loss of control, destruction of infrastructure, irreversible negative change or destruction of the economy of a country, a subject of the Russian Federation or an administrative-territorial unit, or a significant long-term deterioration in the safety of life of the population living in these territories.

TatCenter.ru asked the experts:

  • How do you feel about this initiative of the Russian government?
  • In your opinion, is this punishment adequate for the crime committed?

Andrey Bakhtin, head of department at the City Information and Diagnostic Center:

1. Any law preventing the destruction of public resources must be severe. Hacking a government resource does not mean infiltrating the “president’s website.” This means illegally invading databases that may contain confidential data: taxes, income, passport data, and the like.

Penetrating deep into the state electronic storage cannot be done by accident - there is always a certain intent: from profit to disclosing state secrets. Such acts must be punished by law and very severely.

The existence of a law will make it possible to initiate criminal cases and conduct investigative measures to find the source of information leakage. When counterfeit money is discovered, they look not only for the counterfeit bills and their distributors, but also for the machine that printed them. The same should be true in the case of disclosure, for example, of a database of cell phone numbers distributed in markets. You need to look not only for disks, but also for the unscrupulous employee who downloaded them, and other “weak points” in information security systems.

Some may see this law as an attack on democracy. But democracy is not anarchy. The stealing or destruction of state resources, and in the 21st century, including electronic resources, only weakens democratic institutions. Another thing is that the concepts of “state (municipal, etc.) information resource” must be defined as precisely and specifically as possible.

2. If there was intent, then the punishment should be the most severe. Databases, just like the “secrets” of an ordinary building, have several degrees of protection. And if a person was able to penetrate into the very core of an information resource, just as if, having overcome all barriers, he penetrated into a safe, this speaks of his most direct intention.

The appearance in the Criminal Code of the Russian Federation of a law related to the intangible property of the state suggests that electronic government and state information resources are today becoming an integral part of the institutions of state power, and IT technologies are the natural environment of society. The 21st century is coming...

Boris Maslov, legal lawyer:

1. Whether the bill will be adopted in the form in which it exists now is still a question. Currently, the Criminal Code has three types of crimes in the field of computer information. The fact that the number of crimes in this area is now expanding is, in my opinion, very good. Internet technologies are developing very quickly and the law must keep up with this development; we must work ahead of the curve. Although, of course, it is too early to say what the final version of the law will be like.

2. Punishment for “hacking” government information sites depends on the consequences that will follow the “hacking.” The severity of the punishment will depend on whether the information on the site is distorted or deleted. The average sentence under the Criminal Code is now five years. This is the strictest deadline compared to European laws. By awarding a long term, the court hopes to reduce the number of crimes, but this does not always work. In order for citizens to live in peace, it is necessary to punish for every offense, and not increase the term. In principle, a punishment of imprisonment for a term of 3 to 7 years for “hacking” government information sites is an average term. Since the site is state-owned, then the punishment should be of appropriate severity.

Mikhail Samusenko, head of the legal department of Softline:

1. In my opinion, the initiative of the Russian government is timely and is a logical continuation of a series of innovations related to the computerization of government information flows.
At the same time, changes to the Criminal Code of the Russian Federation should be considered only in conjunction with amendments to the Federal Law “On Information...” and the Code of Administrative Offenses. All of these changes are provided for by the draft federal law “On Amendments to Certain Legislative Acts of the Russian Federation on Ensuring the Security of Use of State Information Resources.” So, for example, the Federal Law “On Information...” provides for updating the definition of the Internet itself, introducing detailed definitions of a domain name, website, network node, etc.
It should be noted that the main idea of the above changes, in addition to establishing the rules of relationships within the Internet, is to allocate state information resources into a separate category and increase penalties for illegal activities of “hacking” them.

2. In light of the manifestation of trends in the state posting information on the Internet, as well as the possible consequences of its unlawful use, this step seems justified, and the punishment provided for in Art. 272.1. The Criminal Code of the Russian Federation is adequate.

Dmitry Sokolov, information security department analyst at TaxNet-Service CJSC:

1. Of course, the improvement of legislative measures for cybercrimes in itself can only be welcomed, because our laws in this area are too soft and generalized. But in this particular case we are talking about shifting the focus of the protective mechanisms of the law to government organizations. So, now the stability of the functioning of the private sector of the economy is not a priority for the state? This is at least unfair, and at most short-sighted. Let's then draw the following line throughout the Criminal Code of the Russian Federation: for theft from the state - one sentence, for business and citizens - another.

2. The fact of the matter is that this paragraph does not provide the desired differentiation of responsibility according to the severity of the crime committed. If, say, the Sayano-Shushenskaya hydroelectric power station was subject to a hacker attack, resulting in what happened, would it be correct to punish the attacker with only three years in prison, equating him to an ordinary hacker? Indeed, in terms of the severity of the consequences, such an atrocity would be tantamount to terrorism.

Alexander Yurtaev, Head of the Information and Analytical Department of the Office of the Cabinet of Ministers of the Republic of Tatarstan:

1. I have an unequivocal positive attitude towards the initiative of the Russian government. Imagine that your apartment or car was hacked, naturally this will cause a completely negative reaction, especially since we are talking about the resources of government agencies. Hacking the Ministry's information resource is like breaking down its door. Nowadays, virtual representations of government bodies are no different from “real” ones. They are endowed with the same powers, have official status, and are levers of control. Any intrusion must be considered a crime.

2. Of course, specialists and professionals with extensive experience in legal practice should prescribe penalties for intrusion into the information resources of government agencies. At the same time, for me, who is closely involved in e-government issues, it makes no difference what kind of hacking we are talking about: the Internet site of the Government or an office in its building, the measure should be equally strict. Any person has the opportunity from any computer to use official information posted on the Internet on the websites of government agencies; one can only imagine what consequences hooligan interference in this resource could lead to... And not only representatives of state power, but also society as a whole, should have an adequately negative attitude towards such actions.

Hacking a social network account

Compromise of a social network login is most often a consequence of mailbox hacking. In addition, users make many mistakes, which leads to disastrous consequences. Personal photographs, messages, details of their lives and much else that users would like to hide from prying eyes fall into the hands of criminals.

You need to know that at the moment it is much easier to hack a social network account than to bypass the protection of fairly well-known email services. Therefore, it is not enough to protect one thing; a set of measures is necessary. The best defense is prevention and vigilance.

Concept and qualifying characteristics

Since the essence of the crime of hacking a mailbox and a social network account is almost the same, their criminal legal characteristics are the same. In the modern world, even a business can be organized through a social network, so it cannot be said that hacking one of these is more serious than hacking the other.

Hacking of social network accounts is likewise a formal offense. One important point: hacking is often a consequence of the user's ordinary carelessness; if a profile was left logged in at an Internet cafe or at a friend's house, it will be difficult to establish the elements of a crime.

Methods of crime

The following can be added to the methods of obtaining a password listed above:

  • Sessions left open on social networks;
  • Transfer of data to third parties;
  • Using unverified Wi-Fi networks.

How can a researcher reduce the risk of liability?

Liability can be excluded in situations where the researcher’s actions do not violate the law, rights and legitimate interests of third parties. For example, the risks of liability can be reduced when the research is conducted with the knowledge and consent of the owner (copyright holder) of the software product being studied. This may be a written consent on his part (a bilateral agreement or another written form of consent, at least electronic correspondence), or it may be a general agreement to conduct such activities (the Bug Bounty program will be just such an agreement). The main thing is that the researcher has evidence to support consent.

In addition, the research must not cause harm to the person or property of other third parties, or violate copyright. It is also worth reading the terms of use of the product under study: they may contain provisions that could lead to additional troubles for the researcher if he is sued. This recommendation also applies to Bug Bounty programs: after all, they can sometimes present surprises.

And of course, we should not forget that everything depends on specific circumstances, so in different cases the answers to the same questions may differ.

How to prove hacking?

The whole difficulty of information crimes lies in proving the guilt of the criminal. It is extremely difficult to hold a specific person accountable, especially if he is a complete stranger to you. There are very few ways to prove hacking:

  • Send a letter to the managers of a mail service or social network with a request to provide a list of IP addresses that accessed your account;
  • Some social networks in the settings allow you to track your latest activities;
  • If other users receive spam on your behalf, your profile is unavailable, or the resource administration has contacted you, then the likelihood of hacking is maximum.

Read more about liability under the article of the Criminal Code of the Russian Federation for hacking an email or a social network account.

Is there any responsibility at all for researching and hacking someone else’s program, service, or network?

Under current Russian law, yes, there is. When a researcher tests someone else's product for vulnerabilities or penetrates someone else's network without the owner's knowledge and consent, his actions may be considered illegal. Such actions may result in various types of liability: civil, administrative and criminal.

What laws are we talking about?

To a greater extent, the study of vulnerabilities (as well as possible liability in the event of illegal acts) concerns those laws that are listed below. Please note that this is not the entire list: this article does not address issues related to personal data, secrets protected by law (state, medical, banking, etc.) and some other issues. For now we will talk about the following three laws:

  1. Civil Code;
  2. Code of Administrative Offences;
  3. Criminal Code.

In what cases will a bughunter be held liable?

It all depends on the specific circumstances of the case, as well as on the consequences that arose after a specific study (testing, hacking). Depending on them, it will be determined whether the bughunter's actions are an offense or not, a crime or not, and whether he is subject to liability of the corresponding kind.

Punishment and responsibility

For convenience, the table below lists the types of punishment for hacking a social network or email account:

Type of punishment | Article 138 of the Criminal Code of the Russian Federation | Article 272 of the Criminal Code of the Russian Federation
--- | --- | ---
Fine | 100-300 thousand rubles | Up to 500 thousand rubles
Mandatory work | Up to 480 hours | Not assigned
Correctional work | Up to a year | Up to a year
Forced labor | Up to four years | Up to 5 years
Arrest | Up to four months | Not assigned
Restriction of freedom | Not assigned | Up to four years
Deprivation of liberty | Up to four years | Up to seven years

What are the administrative responsibilities?

The Code of Administrative Offenses of the Russian Federation contains an extensive list of possible violations in the field of information protection, among which two points can be distinguished.

The first is engaging in activities in the field of information protection (except for information constituting a state secret) without obtaining a special permit (license) in the prescribed manner, if such a permit (license) is mandatory in accordance with federal law: Article 13.13 of the Code of Administrative Offenses. Possible liability: an administrative fine of up to one thousand rubles with or without confiscation of information security means for individuals, up to three thousand rubles for officials and up to twenty thousand rubles with or without confiscation of information security means for legal entities.

The second point is the disclosure of information, access to which is limited by federal law (except for cases where the disclosure of such information entails criminal liability), by a person who has gained access to such information in connection with the performance of official or professional duties: Article 13.14 of the Code of Administrative Offenses. Possible liability: an administrative fine of up to one thousand rubles for individuals and up to five thousand rubles for officials.

Administrative liability may be imposed separately from civil liability. That is, some violations fall outside civil law, so a person can also be held administratively liable if the corresponding offense is provided for in the Code of Administrative Offenses.

What do hackers hack?

One of the most common types of hacking is penetration into someone else's email, which almost all users have, since it is needed to register on websites and in smartphone applications.

Access to it can also mean access to a citizen's other resources, which is why it so often becomes the target of crime. The same applies to enterprise mail, which is common to all employees and is therefore easier prey for offenders.

Sometimes this is done for the purpose of subsequent extortion of money if criminals have found some personal information of a citizen or gained access to company secrets.

Often, a consequence of email hacking is penetration into other people's social networks. By getting into the user's account, the attacker gains access to his personal life, photographs and information that he would like to leave undistributed.

Hacking websites or blogs is also very popular. This is done either for selfish purposes (blackmail), or to simply mock the site owner.

Brief content of Art. 272 of the Criminal Code of the Russian Federation with comments

Responsibility for hacking is provided for under Art. 272 of the Criminal Code of the Russian Federation, which consists of 4 parts and 2 notes. The first part sets out the measures prescribed for illegal access to computer information if this entails any changes or copying.

The first note defines the term computer information. This is information that is presented in the form of electrical signals, regardless of the type of storage or processing.

The following parts indicate the penalties that are imposed for this offense, taking into account the presence of certain aggravating circumstances:

  • in part 2 - when causing major damage (note No. 2 states that major damage starts from a million rubles) or when committed for personal gain;
  • in part 3 - if the criminals acted as a group of people who planned the offense in advance, or if the person used his official position (having access to shared email or special company information);
  • in part 4 - for the same crimes, if they entailed serious consequences for the injured party or the threat of such consequences.