Feeds

Child porn case highlights browser hijack risks

Cautionary tales

  • alert
  • submit to reddit

Protecting users from Firesheep and other Sidejacking attacks with SSL

Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?

Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.

The end result would be the URL of borderline-criminal websites appearing in the history file of Net users. And how are spouses or employers to interpret this?

Wired this week carried an illuminating article, quoting several people who claimed their good reputation was threatened because browser hijacking programs had left indications of visits for porn websites on their PCs.

In one case, a Russian-born US resident called 'Jack' (not his real name) said he was forced to confess to child pornography offences on the basis of material he claims may have been deposited on his PC by a browser-hijacking program.

Jack may well have been railroaded in the case and there are issues about how evidence was handled. The chain of custody of the suspect PC, for example, is one area of particular concern. Wired quotes the conclusion of Brian Rothery, a former IBM systems engineer who researched Jack's claims, that "evidence wasn't handled properly".

However, the browser hijack explanation fails to adequately explain how some of the images appeared in locations not used for normal browsing sessions, Wired reports. The location of material and access times of content gives vital clues for investigators. If material is accessed after it is downloaded, especially at a time when a PC is offline, then this points towards a suspect's guilt.

It is straightforward to determine if the possession of illegal content is caused by browser hijacking, according to Neil Barrett, technical director of security consultancy IRM, and a veteran expert witness in numerous computer crime cases.

"Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found," he said.

Police won't be blindsided

Some child pornography cases have been dismissed after suspects testified that a Trojan horse infection on their PCs could have downloaded without their knowledge (example here and here). According to Barrett, police were unable to counter defence arguments that a Trojan was responsible for the dodgy content found on a PC in these cases because they didn't know enough about what it did. This won't happen again in future. he said.

UK police now routinely check for Trojans on seized computers. In future, police will take virus infection into account in preparing evidence for court. Just because a virus is found on a PC doesn't mean someone is innocent of a computer crime and doesn't necessarily undermine the value of any other evidence recovered. "Police won't be blindsided by any Trojan defence in future," Barrett said.

So skilled and ethical investigators can determine if malicious code - and not salacious urges - explains the presence of dodgy content on PCs. Relying on this safety net is hardly sensible, though. The best approach for Joe Punter is to prevent such content getting onto his PC in the first place. This is yet another reason to use an updated version or IE and Outlook or (easier) to consider using alternative browsers and email clients. ®

Related link

Jack's story

Related stories

Trojan hijacks web browsers
Trojan serves porn off home PCs, not many dead
Trojan defence clears man on child porn charges
Suspected paedophile cleared by computer forensics

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.