BBC Click paid cybercrooks to buy botnet

Your licence fees at work

BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend.

In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to virus-infected machines under the control of hackers in Russia and the Ukraine.

After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine.

The process began in chatrooms where hackers advertise their services. You have to earn their confidence, then negotiations take place in instant messaging applications.

Once a service and a price have been agreed, payment is made using a money transfer to keep both sides anonymous.

BBC Click used the botnet of 22,000 machines to send spam to webmail addresses it established and launch a denial of service attack against a test website by security firm PrevX, which advised on the investigation. It then changed the wallpaper on compromised machines with a message of its own, advising affected users to clean up.

The BBC reckons its actions were legal, but specialist technology lawyers contacted by El Reg disagreed. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, said that the BBC's actions were likely to have breached the unlawful access provision of the Computer Misuse Act, the UK's anti-hacking law. He added that there was no public interest defense against CMA offences.

All parties agree that there's unlikely to be a prosecution, even if the BBC inadvertently interfered with Pentagon computers. Infected computers on US military systems are hardly unknown, and BBC Click failed to make any checks on whose computers it was hacking into - so it could well be that some of the zombie machines used during the exercise were on US military networks.

Aside from the legality of the scheme, the exercise raises troubling ethical questions. Security firms are almost unanimous in saying the behaviour of infected machines could have been illustrated without hacking into the machines of innocent victims.

Much of what BBC Click found was already common knowledge in security circles, if not to the wider public. The ideas that botnets are used to send spam or run DDoS, that access to them is sold through underground forums, and that control tools are growing in sophistication have been the staples of information security stories in the technology press and reports from vendors for months.

BBC Click said the programme was six months in the making.

Many security firms have described the exercise as misguided, unnecessary and unethical. Kaspersky, AVG, McAfee, FaceTime, Sophos and F-Secure all agreed that the BBC had behaved badly. Over the weekend Sunbelt Software joined the attack, which Sophos has spearheaded, against the programme's tactics.

Some security firms disagree with this consensus view, most notably PrevX, which participated in the programme. Mel Morris, chief exec at PrevX, suggested in a statement (below) that security researchers and the police routinely break the law to investigate botnets:

Prevx's input to the BBC Click Botnet experiment saw us providing our test site as a target for their DDoS attack and giving some comment and advice on the technical implications of what they were doing. In terms of what the BBC learnt the experiment highlighted some interesting facts - not least that their Botnet reached 9,000 computers over several days before it was detected by any of the major anti-virus or Internet security products.

Because of the nature of the market we operate in, and the ever growing risks of cyber-crime, every internet security company has to understand the ways in which the enemy operates. What the BBC did with this experiment is just taking that lesson to the broader public. Every day, most security companies, and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - It goes with the turf!

Other supporters include security firm Marshal8e6 which issued a statement to "applaud the BBC Click programme for its interesting and informative piece which hopefully will assist in raising the public’s awareness of these issues".

The BBC Click programme was broadcast on BBC 1 on Saturday morning and the BBC News Channel on both Saturday and Sunday at 11:30. Those in the UK can catch up with the show through iPlayer, via the BBC Click site here. ®
