Feeds

BBC asks nicely to run second hacking demo

Lovely manners make new Trojan attack a happier experience

Beginner's guide to SSL certificates

The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely.

In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought the permission of the owner of a PC before hacking into it. The latest demo, which appeared on the BBC news website on Monday, illustrates how a single spyware-infected PC creates a means for cybercrooks to nab passwords or watch users of infected PCs, providing the machine uses a webcam.

The BBC sought the assistance of Jacques Erasmus of PrevX in both the latest small-scale exercise and earlier, larger experiment - the difference of course being that none of the computer users in the botnet caper were asked for their permission. BBC researchers changed the wallpaper on compromised machines to alert victims that their machines were infected, but only after running and filming its security demo.

In the latest case the demo clearly states at the beginning, via captions, that "this simulation depicts acts that are illegal", and later: "This time the 'victim' knew we had control of his laptop."

The same courtesy was not extended when BBC Click used licence-payers' money to buy access to more than 21,000 already compromised computers, in order to send spam to Hotmail and Gmail accounts. The botnet - which BBC Click acquired on the stipulation that compromised machines were located in neither the US nor UK - was also used to flood a test site established by PrevX with junk traffic, simulating a denial of service attack.

BBC Click, by its own account, paid "a few thousand dollars... to buy a botnet from hackers in Russia and the Ukraine".

Several security experts and an IT lawyer contacted by El Reg reckoned the botnet demonstration broke UK law, which prohibits unauthorised access or modification to computers. The BBC, which congratulated itself on the BBC Click programme as a breakthrough piece of investigative journalism, responded by saying its lawyers had cleared the programme to air.

Mark Perrow, executive producer at BBC Click, said "there was the strongest public interest in not just describing what malware can do, but actually showing it in action" in a blog post here. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, told us this "powerful public interest" argument is irrelevant when considering whether an offence had occurred under UK computer hacking law.

Graham Cluley, senior technology consultant at Sophos and one of the fiercest critics of the original programme, responded to the BBC's argument with a post to the same BBC theeditorblog arguing that it was unnecessary to risk breaking the law in order to demonstrate the problem of botnets. His post was deleted by the BBC, much to Cluley's indignation.

The minority of security vendors - and the majority of Reg commentards - supported the BBC's exercise as something that raised awareness about the growing problem of compromised computers in a far more accessible way than any government information security awareness campaign.

PrevX's Erasmus, who assisted the BBC in both exercises, couldn't be reached when the BBC Click botnet experiment aired back in March because he was on holiday, fishing in Namibia. But when we caught up with Erasmus at last month's Infosec show he told us that he'd told BBC Click researchers that their exercise was illegal, at least in his opinion. Erasmus's role was to talk BBC click researcher Spencer Kelly through the technical side of the exercise, which Kelly (not Erasmus) carried out.

This time around the BBC seems to have learnt a lesson from its earlier botnet caper by going out of its way to obtain permission before hacking, signalling an apparent change in the BBC's editorial policy. Perhaps the corporation listens, after all. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.