Feeds

BBC asks nicely to run second hacking demo

Lovely manners make new Trojan attack a happier experience

The Power of One eBook: Top reasons to choose HP BladeSystem

The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely.

In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought the permission of the owner of a PC before hacking into it. The latest demo, which appeared on the BBC news website on Monday, illustrates how a single spyware-infected PC creates a means for cybercrooks to nab passwords or watch users of infected PCs, providing the machine uses a webcam.

The BBC sought the assistance of Jacques Erasmus of PrevX in both the latest small-scale exercise and earlier, larger experiment - the difference of course being that none of the computer users in the botnet caper were asked for their permission. BBC researchers changed the wallpaper on compromised machines to alert victims that their machines were infected, but only after running and filming its security demo.

In the latest case the demo clearly states at the beginning, via captions, that "this simulation depicts acts that are illegal", and later: "This time the 'victim' knew we had control of his laptop."

The same courtesy was not extended when BBC Click used licence-payers' money to buy access to more than 21,000 already compromised computers, in order to send spam to Hotmail and Gmail accounts. The botnet - which BBC Click acquired on the stipulation that compromised machines were located in neither the US nor UK - was also used to flood a test site established by PrevX with junk traffic, simulating a denial of service attack.

BBC Click, by its own account, paid "a few thousand dollars... to buy a botnet from hackers in Russia and the Ukraine".

Several security experts and an IT lawyer contacted by El Reg reckoned the botnet demonstration broke UK law, which prohibits unauthorised access or modification to computers. The BBC, which congratulated itself on the BBC Click programme as a breakthrough piece of investigative journalism, responded by saying its lawyers had cleared the programme to air.

Mark Perrow, executive producer at BBC Click, said "there was the strongest public interest in not just describing what malware can do, but actually showing it in action" in a blog post here. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, told us this "powerful public interest" argument is irrelevant when considering whether an offence had occurred under UK computer hacking law.

Graham Cluley, senior technology consultant at Sophos and one of the fiercest critics of the original programme, responded to the BBC's argument with a post to the same BBC theeditorblog arguing that it was unnecessary to risk breaking the law in order to demonstrate the problem of botnets. His post was deleted by the BBC, much to Cluley's indignation.

The minority of security vendors - and the majority of Reg commentards - supported the BBC's exercise as something that raised awareness about the growing problem of compromised computers in a far more accessible way than any government information security awareness campaign.

PrevX's Erasmus, who assisted the BBC in both exercises, couldn't be reached when the BBC Click botnet experiment aired back in March because he was on holiday, fishing in Namibia. But when we caught up with Erasmus at last month's Infosec show he told us that he'd told BBC Click researchers that their exercise was illegal, at least in his opinion. Erasmus's role was to talk BBC click researcher Spencer Kelly through the technical side of the exercise, which Kelly (not Erasmus) carried out.

This time around the BBC seems to have learnt a lesson from its earlier botnet caper by going out of its way to obtain permission before hacking, signalling an apparent change in the BBC's editorial policy. Perhaps the corporation listens, after all. ®

Designing a Defense for Mobile Applications

More from The Register

next story
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.