The Giant Wooden Horse Did It!

Not me, guv

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Introducing a new legal defense to computer crime charges - one that's all the more frightening because it could be true, says SecurityFocus columnist Mark Rasch.

According to Greek mythology, the seer Laocoon, a priest of Apollo, warned the residents of Troy against accepting into their city the giant wooden horse designed by Odysseus and created by the architect Epeius. His famous warning, "Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts," applies equally today to importing unknown files as it did to the Trojans 4,000 years ago.

We think we know all about the dangers of Trojan horses, but there is a new and more dangerous legal wrinkle to consider. In the past few months, a couple of people in England were acquitted based upon the so-called "Trojan defense" -- what we criminal lawyers used to call the "SODDI" defense: Some Other Dude Did It.

The Trojan defense presents two equally frightening problems: the possibilities of acquitting the guilty, or convicting the innocent.

In the first case, given the nature of electronic evidence, virtually all computer crime prosecutions rely on "circumstantial" evidence. To prove that John Doe, for example hacked into ABC company, you collect IP history logs and other corroborating data, maybe engage in an IRC chat with John Doe, get a warrant or subpoena for his ISP information, show a pattern of activity consistent with the hacking, and then (if you are a law enforcement agent) get a warrant to kick in Mr. Doe's door and seize his computer. If the forensic examination of the computer shows hacking files, access to hacking sites, relevant e-mail, and even versions of the malicious code, it's a slam-dunk case for conviction. Right?

Trouble in the UK

But what if, in addition to all of this "evidence," you also find the existence of a Trojan horse server -- say, a version of Optix Pro or another remote access program. Does the mere existence of such a program provide a Get Out of Jail Free card? Probably not. However, given the ephemeral nature of electronic evidence, and the fact that it can always be altered, how confident would you be that Doe was in fact guilty beyond a reasonable doubt?

The higher the hacker's profile, the more attractive a target he or she may make for other hackers. And after all, if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird's nest? Such "file parking" strategies have been used by hackers for years.

In October, 2002 Julian Green was arrested in Devon, England after police searched his home PC and found examples of child pornography. ISP had logs identified Green as the person responsible for the downloads, and the existence of the child porn on his PC seemed to be all the corroboration the constable would have needed to obtain a conviction.

However, a defense forensic expert also found evidence that there were Trojans planted on Green's computer that were designed to piggyback his browser, and log into porn sites. The Trojans probably were downloaded as e-mail attachments -- made all the more likely by the fact that Green had a teenage son. Unable to definitively prove that Green knowingly and intentionally downloaded the files, the prosecution dismissed the charges.

Similarly, Aaron Caffrey, a 19-year-old hacker, was charged in Southwark Crown Court with carrying out a denial of service attack on the computers of the port of Houston, Texas on September 20, 2001 -- less than two weeks after the 9/11 attacks. The port's webserver was frozen, and ISP logs traced the source of the attack to Caffrey's computer.

Unlike Green's case, a forensic audit of Caffrey's computer showed no trace of a Trojan. At his trial, Caffrey simply argued that a Trojan could have been responsible, and that the government could not prove its case beyond a reasonable doubt. The jury agreed, and acquitted Caffrey in October, 2003.

Trojan Extortions

In late December, 2003 companies around the world began to report a new kind of cyber-attack that had been apparently going on for about a year. Cyber extortionists (reportedly from Eastern Europe) threatened to "plant" child pornography on their computers and then call the cops if they didn't agree to pay a small fee. Unless the recipient pays a nominal amount ($30), the hacker claims he will either wipe the hard drive or plant child porn. The possibility of Trojans and the relative ease with which they could be used to promulgate just such an attack made the threats credible.

The two British cases illustrate the problems with the Trojan defense: not only does it make it difficult to definitively prove guilt with electronic evidence, but it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty.

The very Trojan planted to launch the attack or download the incriminating files may be designed to self destruct and wipe itself from the hard drive. It would be almost impossible to overcome the circumstantial evidence pointing to your guilt. With sentencing guidelines becoming ever more draconian for computer related offenses, it is only a matter of time before not only cyber extortion but cyber set-ups become reality, if they aren't already.

Of course, good information security practices help in this regard. Preventing the Trojans from entering in the first place, scanning for malware, monitoring for unusual activity and spam filtering all can help. Audit logging and reviewing can also help. Similarly, strong authentication and access control might prevent such activity. Yet another reason to do what the security professionals have been arguing for years.

As for Laocoon, the first to issue an advisory on the Trojan horse danger, his warning to the Trojans violated the wishes of Poseiden, so the gods sent serpents to kill him and his sons. This proved another axiom in law: no good deed goes unpunished.

Copyright © 2004, SecurityFocus logo

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Suspected paedophile cleared by computer forensics
Caffrey acquittal a setback for cybercrime prosecutions

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.