BBC asks nicely to run second hacking demo

Lovely manners make new Trojan attack a happier experience

The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely.

In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought the permission of the owner of a PC before hacking into it. The latest demo, which appeared on the BBC news website on Monday, illustrates how a single spyware-infected PC creates a means for cybercrooks to nab passwords or watch users of infected PCs, providing the machine uses a webcam.

The BBC sought the assistance of Jacques Erasmus of PrevX in both the latest small-scale exercise and the earlier, larger experiment - the difference of course being that none of the computer users in the botnet caper were asked for their permission. BBC researchers changed the wallpaper on compromised machines to alert victims that their machines were infected, but only after running and filming their security demo.

In the latest case the demo clearly states at the beginning, via captions, that "this simulation depicts acts that are illegal", and later: "This time the 'victim' knew we had control of his laptop."

The same courtesy was not extended when BBC Click used licence-payers' money to buy access to more than 21,000 already compromised computers, in order to send spam to Hotmail and Gmail accounts. The botnet - which BBC Click acquired on the stipulation that compromised machines were located in neither the US nor UK - was also used to flood a test site established by PrevX with junk traffic, simulating a denial of service attack.

BBC Click, by its own account, paid "a few thousand dollars... to buy a botnet from hackers in Russia and the Ukraine".

Several security experts and an IT lawyer contacted by El Reg reckoned the botnet demonstration broke UK law, which prohibits unauthorised access or modification to computers. The BBC, which congratulated itself on the BBC Click programme as a breakthrough piece of investigative journalism, responded by saying its lawyers had cleared the programme to air.

Mark Perrow, executive producer at BBC Click, said in a blog post that "there was the strongest public interest in not just describing what malware can do, but actually showing it in action". Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, told us this "powerful public interest" argument is irrelevant when considering whether an offence had occurred under UK computer hacking law.

Graham Cluley, senior technology consultant at Sophos and one of the fiercest critics of the original programme, responded to the BBC's argument with a post to the same BBC editors' blog arguing that it was unnecessary to risk breaking the law in order to demonstrate the problem of botnets. His post was deleted by the BBC, much to Cluley's indignation.

A minority of security vendors - and the majority of Reg commentards - supported the BBC's exercise as something that raised awareness of the growing problem of compromised computers in a far more accessible way than any government information security awareness campaign.

PrevX's Erasmus, who assisted the BBC in both exercises, couldn't be reached when the BBC Click botnet experiment aired back in March because he was on holiday, fishing in Namibia. But when we caught up with Erasmus at last month's Infosec show, he told us that he had told BBC Click researchers that their exercise was illegal, at least in his opinion. Erasmus's role was to talk BBC Click researcher Spencer Kelly through the technical side of the exercise, which Kelly (not Erasmus) carried out.

This time around the BBC seems to have learnt a lesson from its earlier botnet caper by going out of its way to obtain permission before hacking, signalling an apparent change in the BBC's editorial policy. Perhaps the corporation listens, after all. ®
