Feeds

The Giant Wooden Horse Did It!

Not me, guv

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Introducing a new legal defense to computer crime charges - one that's all the more frightening because it could be true, says SecurityFocus columnist Mark Rasch.

According to Greek mythology, the seer Laocoon, a priest of Apollo, warned the residents of Troy against accepting into their city the giant wooden horse designed by Odysseus and created by the architect Epeius. His famous warning, "Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts," applies equally today to importing unknown files as it did to the Trojans 4,000 years ago.

We think we know all about the dangers of Trojan horses, but there is a new and more dangerous legal wrinkle to consider. In the past few months, a couple of people in England were acquitted based upon the so-called "Trojan defense" -- what we criminal lawyers used to call the "SODDI" defense: Some Other Dude Did It.

The Trojan defense presents two equally frightening problems: the possibilities of acquitting the guilty, or convicting the innocent.

In the first case, given the nature of electronic evidence, virtually all computer crime prosecutions rely on "circumstantial" evidence. To prove that John Doe, for example hacked into ABC company, you collect IP history logs and other corroborating data, maybe engage in an IRC chat with John Doe, get a warrant or subpoena for his ISP information, show a pattern of activity consistent with the hacking, and then (if you are a law enforcement agent) get a warrant to kick in Mr. Doe's door and seize his computer. If the forensic examination of the computer shows hacking files, access to hacking sites, relevant e-mail, and even versions of the malicious code, it's a slam-dunk case for conviction. Right?

Trouble in the UK

But what if, in addition to all of this "evidence," you also find the existence of a Trojan horse server -- say, a version of Optix Pro or another remote access program. Does the mere existence of such a program provide a Get Out of Jail Free card? Probably not. However, given the ephemeral nature of electronic evidence, and the fact that it can always be altered, how confident would you be that Doe was in fact guilty beyond a reasonable doubt?

The higher the hacker's profile, the more attractive a target he or she may make for other hackers. And after all, if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird's nest? Such "file parking" strategies have been used by hackers for years.

In October, 2002 Julian Green was arrested in Devon, England after police searched his home PC and found examples of child pornography. ISP had logs identified Green as the person responsible for the downloads, and the existence of the child porn on his PC seemed to be all the corroboration the constable would have needed to obtain a conviction.

However, a defense forensic expert also found evidence that there were Trojans planted on Green's computer that were designed to piggyback his browser, and log into porn sites. The Trojans probably were downloaded as e-mail attachments -- made all the more likely by the fact that Green had a teenage son. Unable to definitively prove that Green knowingly and intentionally downloaded the files, the prosecution dismissed the charges.

Similarly, Aaron Caffrey, a 19-year-old hacker, was charged in Southwark Crown Court with carrying out a denial of service attack on the computers of the port of Houston, Texas on September 20, 2001 -- less than two weeks after the 9/11 attacks. The port's webserver was frozen, and ISP logs traced the source of the attack to Caffrey's computer.

Unlike Green's case, a forensic audit of Caffrey's computer showed no trace of a Trojan. At his trial, Caffrey simply argued that a Trojan could have been responsible, and that the government could not prove its case beyond a reasonable doubt. The jury agreed, and acquitted Caffrey in October, 2003.

Trojan Extortions

In late December, 2003 companies around the world began to report a new kind of cyber-attack that had been apparently going on for about a year. Cyber extortionists (reportedly from Eastern Europe) threatened to "plant" child pornography on their computers and then call the cops if they didn't agree to pay a small fee. Unless the recipient pays a nominal amount ($30), the hacker claims he will either wipe the hard drive or plant child porn. The possibility of Trojans and the relative ease with which they could be used to promulgate just such an attack made the threats credible.

The two British cases illustrate the problems with the Trojan defense: not only does it make it difficult to definitively prove guilt with electronic evidence, but it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty.

The very Trojan planted to launch the attack or download the incriminating files may be designed to self destruct and wipe itself from the hard drive. It would be almost impossible to overcome the circumstantial evidence pointing to your guilt. With sentencing guidelines becoming ever more draconian for computer related offenses, it is only a matter of time before not only cyber extortion but cyber set-ups become reality, if they aren't already.

Of course, good information security practices help in this regard. Preventing the Trojans from entering in the first place, scanning for malware, monitoring for unusual activity and spam filtering all can help. Audit logging and reviewing can also help. Similarly, strong authentication and access control might prevent such activity. Yet another reason to do what the security professionals have been arguing for years.

As for Laocoon, the first to issue an advisory on the Trojan horse danger, his warning to the Trojans violated the wishes of Poseiden, so the gods sent serpents to kill him and his sons. This proved another axiom in law: no good deed goes unpunished.

Copyright © 2004, SecurityFocus logo

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Suspected paedophile cleared by computer forensics
Caffrey acquittal a setback for cybercrime prosecutions

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.