The Giant Wooden Horse Did It!

Not me, guv

  • alert
  • submit to reddit

SANS - Survey on application security programs

Introducing a new legal defense to computer crime charges - one that's all the more frightening because it could be true, says SecurityFocus columnist Mark Rasch.

According to Greek mythology, the seer Laocoon, a priest of Apollo, warned the residents of Troy against accepting into their city the giant wooden horse designed by Odysseus and created by the architect Epeius. His famous warning, "Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts," applies equally today to importing unknown files as it did to the Trojans 4,000 years ago.

We think we know all about the dangers of Trojan horses, but there is a new and more dangerous legal wrinkle to consider. In the past few months, a couple of people in England were acquitted based upon the so-called "Trojan defense" -- what we criminal lawyers used to call the "SODDI" defense: Some Other Dude Did It.

The Trojan defense presents two equally frightening problems: the possibilities of acquitting the guilty, or convicting the innocent.

In the first case, given the nature of electronic evidence, virtually all computer crime prosecutions rely on "circumstantial" evidence. To prove that John Doe, for example hacked into ABC company, you collect IP history logs and other corroborating data, maybe engage in an IRC chat with John Doe, get a warrant or subpoena for his ISP information, show a pattern of activity consistent with the hacking, and then (if you are a law enforcement agent) get a warrant to kick in Mr. Doe's door and seize his computer. If the forensic examination of the computer shows hacking files, access to hacking sites, relevant e-mail, and even versions of the malicious code, it's a slam-dunk case for conviction. Right?

Trouble in the UK

But what if, in addition to all of this "evidence," you also find the existence of a Trojan horse server -- say, a version of Optix Pro or another remote access program. Does the mere existence of such a program provide a Get Out of Jail Free card? Probably not. However, given the ephemeral nature of electronic evidence, and the fact that it can always be altered, how confident would you be that Doe was in fact guilty beyond a reasonable doubt?

The higher the hacker's profile, the more attractive a target he or she may make for other hackers. And after all, if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird's nest? Such "file parking" strategies have been used by hackers for years.

In October, 2002 Julian Green was arrested in Devon, England after police searched his home PC and found examples of child pornography. ISP had logs identified Green as the person responsible for the downloads, and the existence of the child porn on his PC seemed to be all the corroboration the constable would have needed to obtain a conviction.

However, a defense forensic expert also found evidence that there were Trojans planted on Green's computer that were designed to piggyback his browser, and log into porn sites. The Trojans probably were downloaded as e-mail attachments -- made all the more likely by the fact that Green had a teenage son. Unable to definitively prove that Green knowingly and intentionally downloaded the files, the prosecution dismissed the charges.

Similarly, Aaron Caffrey, a 19-year-old hacker, was charged in Southwark Crown Court with carrying out a denial of service attack on the computers of the port of Houston, Texas on September 20, 2001 -- less than two weeks after the 9/11 attacks. The port's webserver was frozen, and ISP logs traced the source of the attack to Caffrey's computer.

Unlike Green's case, a forensic audit of Caffrey's computer showed no trace of a Trojan. At his trial, Caffrey simply argued that a Trojan could have been responsible, and that the government could not prove its case beyond a reasonable doubt. The jury agreed, and acquitted Caffrey in October, 2003.

Trojan Extortions

In late December, 2003 companies around the world began to report a new kind of cyber-attack that had been apparently going on for about a year. Cyber extortionists (reportedly from Eastern Europe) threatened to "plant" child pornography on their computers and then call the cops if they didn't agree to pay a small fee. Unless the recipient pays a nominal amount ($30), the hacker claims he will either wipe the hard drive or plant child porn. The possibility of Trojans and the relative ease with which they could be used to promulgate just such an attack made the threats credible.

The two British cases illustrate the problems with the Trojan defense: not only does it make it difficult to definitively prove guilt with electronic evidence, but it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty.

The very Trojan planted to launch the attack or download the incriminating files may be designed to self destruct and wipe itself from the hard drive. It would be almost impossible to overcome the circumstantial evidence pointing to your guilt. With sentencing guidelines becoming ever more draconian for computer related offenses, it is only a matter of time before not only cyber extortion but cyber set-ups become reality, if they aren't already.

Of course, good information security practices help in this regard. Preventing the Trojans from entering in the first place, scanning for malware, monitoring for unusual activity and spam filtering all can help. Audit logging and reviewing can also help. Similarly, strong authentication and access control might prevent such activity. Yet another reason to do what the security professionals have been arguing for years.

As for Laocoon, the first to issue an advisory on the Trojan horse danger, his warning to the Trojans violated the wishes of Poseiden, so the gods sent serpents to kill him and his sons. This proved another axiom in law: no good deed goes unpunished.

Copyright © 2004, SecurityFocus logo

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Suspected paedophile cleared by computer forensics
Caffrey acquittal a setback for cybercrime prosecutions

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.