BBC asks nicely to run second hacking demo

Lovely manners make new Trojan attack a happier experience

The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely.

In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought the permission of the owner of a PC before hacking into it. The latest demo, which appeared on the BBC news website on Monday, illustrates how a single spyware-infected PC gives cybercrooks a means to nab passwords or to watch the users of infected PCs, provided the machine has a webcam.

The BBC sought the assistance of Jacques Erasmus of PrevX in both the latest small-scale exercise and the earlier, larger experiment - the difference of course being that none of the computer users in the botnet caper were asked for their permission. BBC researchers changed the wallpaper on compromised machines to alert victims that their machines were infected, but only after running and filming the BBC's security demo.

In the latest case the demo clearly states at the beginning, via captions, that "this simulation depicts acts that are illegal", and later: "This time the 'victim' knew we had control of his laptop."

The same courtesy was not extended when BBC Click used licence-payers' money to buy access to more than 21,000 already compromised computers, in order to send spam to Hotmail and Gmail accounts. The botnet - which BBC Click acquired on the stipulation that compromised machines were located in neither the US nor UK - was also used to flood a test site established by PrevX with junk traffic, simulating a denial of service attack.

BBC Click, by its own account, paid "a few thousand dollars... to buy a botnet from hackers in Russia and the Ukraine".

Several security experts and an IT lawyer contacted by El Reg reckoned the botnet demonstration broke UK law, which prohibits unauthorised access or modification to computers. The BBC, which congratulated itself on the BBC Click programme as a breakthrough piece of investigative journalism, responded by saying its lawyers had cleared the programme to air.

Mark Perrow, executive producer at BBC Click, said in a blog post that "there was the strongest public interest in not just describing what malware can do, but actually showing it in action". Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, told us this "powerful public interest" argument is irrelevant when considering whether an offence had occurred under UK computer hacking law.

Graham Cluley, senior technology consultant at Sophos and one of the fiercest critics of the original programme, responded to the BBC's argument with a post to the same BBC editors' blog, arguing that it was unnecessary to risk breaking the law in order to demonstrate the problem of botnets. His post was deleted by the BBC, much to Cluley's indignation.

The minority of security vendors - and the majority of Reg commentards - supported the BBC's exercise as something that raised awareness about the growing problem of compromised computers in a far more accessible way than any government information security awareness campaign.

PrevX's Erasmus, who assisted the BBC in both exercises, couldn't be reached when the BBC Click botnet experiment aired back in March because he was on holiday, fishing in Namibia. But when we caught up with Erasmus at last month's Infosec show, he told us that he had told BBC Click researchers that their exercise was illegal, at least in his opinion. Erasmus's role was to talk BBC Click researcher Spencer Kelly through the technical side of the exercise, which Kelly (not Erasmus) carried out.

This time around the BBC seems to have learnt a lesson from its earlier botnet caper by going out of its way to obtain permission before hacking, signalling an apparent change in the BBC's editorial policy. Perhaps the corporation listens, after all. ®
