ESET Threat Blog

Archive for the 'BBC' Category

BBC Click: Net scams and jobseekers


Sunday, January 10th, 2010

You may have gathered from some of the blogs published here last year that I'm not the biggest fan of the BBC's "Click" programme. I regard the Beeb's forays into buying botnets and stolen credit card details and making active use of them as at best naive. I agree that people need to be aware of such issues, but I don't happen to think it's necessary for a public body that prides itself on its high standards to engage in near-criminal activity itself in order to raise awareness, still less to foster unequivocally criminal behaviour by making payments to real criminals. I don't happen to think that the end always justifies the means, especially if the "end" is self-serving self-publicity, which is certainly not an end that justifies any means.

Still, I found myself this morning looking at a "Click" item on Internet scams. There's information on both the item and the availability of the programme in an article called "Net scams profit from desperate jobseekers" by Marc Cieslak: you can find it at http://news.bbc.co.uk/1/hi/programmes/click_online/8448966.stm.

Some of the detail is a bit misleading: there's nothing new about using "mules" for money laundering, a practice often called mule-driving, that's been around about as long as bank phishing, and there are plenty of job-related scams that have been around much longer (there's a sub-class of 419 that includes some of them). So it's not altogether correct to suggest that this has arisen in response to the recent/current (depending on where you live…) economic downturn and consequent increases in unemployment. Nonetheless, it wouldn't surprise me if such scams have, in fact, increased in volume (and successful deployment) as more people have become unemployed or at least concerned about the possibility of unemployment. If there's one thing I've learned from 20 years in security, it's that there is no romantic notion of honour and Robin Hood hustling among cybercriminals: anyone is considered fair game for a scammer, however badly off the victim may be already.

As I've said quite recently (see http://www.eset.com/threat-center/blog/2009/11/17/no-mules-fool), it's sometimes too easy for those of us who specialize in monitoring and fighting cybercrime to forget that criminal manipulation and social engineering that is old hat to us is nonetheless quite successfully duping innocent (if naive) individuals into engaging in criminal activity. So I'm happy, for once, to be able to recommend a "Click" item that hasn't, to the best of my knowledge, put a single penny into the pocket of a cybercriminal.

You may also find http://www.cyberfraud.org.uk/ worth a look. Its founder, Caroline Coats, apparently set it up after becoming a cybercrime victim herself. [Thanks to Lee for pointing out that that link doesn't work without the www!]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

Parliament of Foul Play


Friday, March 27th, 2009

This wouldn’t normally be the place to discuss the ongoing decline of the fortunes of the British Government, but there have been several IT-security-related stories coming out of the Mother of Parliaments worth a closer look.

Back on March 10th, The Register reported that MP (Member of Parliament) Alun Michael had reported to the police that he had removed malware from his PC, and complained that he’d received no feedback, not even an acknowledgement. That in itself doesn’t seem so remarkable to me: as I’ve pointed out earlier, law enforcement is rarely concerned with IT security-related incidents unless they involve heavy financial loss. He did have a point, though: when such an incident involves a system within the confines of Parliament itself, you might think it worth someone asking one or two questions just to establish that there was no conceivable threat to national security.

It turns out, though, that there’s more to worry about in the Palace of Westminster than the Alun Michael story suggests: Conficker (yes, it’s that one again) has been stalking the corridors of power. Both El Reg and SC Magazine have reported on the issue, following the Dizzy Thinks blog that leaked an internal memo offering advice and instructions to users connected to the parliamentary network. Pretty scary: the memo implies that there are no restrictions on connecting unauthorized devices, and questions asked by Channel 4 News seem to have inspired far too many "I don’t know" responses.

However, a story on the BBC web site (and I don’t even have to mention the Computer Misuse Act) indicates that there are at least some restrictions in place, since there are filters in place to block access to web sites with "offensive or illegal content or [that] are sources of malicious software." So that’s OK then.

Amusingly (well, it amuses me…) the filtering policy came to light when one MP was unable to access fellow MP Lembit Opik’s column on the Daily Sport web site. For our US readers, I should no doubt explain that the Daily Sport is a UK newspaper with a reputation for somewhat sensationalist and racy content: what the Liberal Democrats think about one of their number writing in "the world’s most outrageous newspaper" isn’t mentioned. My favourite quote from the story, however, is an extract from a notice issued to Commons staff and MPs warning them against "knowingly accessing or transmitting emails, text, images or internet material which might reasonably be considered offensive, unless on official business."

So there it is: it’s official. It really is a politician’s job to be offensive.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

BBC television – have they got the picture yet?


Monday, March 23rd, 2009

The BBC published a self-justification of sorts over the Click fiasco on Friday 13th March: when I came upon it the following morning, I posted a comment there, pointing out that Mark Perrow had addressed the issues this industry hadn’t complained about, and ignored the issues that we were concerned about.

My comment is number 14, if you’re interested, but if so, you might want to hurry up, before the BBC delete it. Graham Cluley also commented, very politely and very comprehensively, and the comment was deleted. According to the mail they sent him and the web page itself (see comment number 47), this was because he broke the house rules.

You can see the comment he made reproduced in his blog here, and the BBC’s house rules are published here.

If you can see what rule it was that he broke, please let him (and me) know, as he’s as puzzled as I am. I’m pretty sure that embarrassing the BBC isn’t against the rules.

So, since I’m almost as fed up with the topic as the BBC seem to be, let’s think about what this programme really achieved.

  • It raised public awareness of the botnet issue, and that’s a Good Thing, though I doubt that a programme that was confined to the BBC’s news channel reached as many of the people who need to know about the issue as some of its defenders are assuming.
  • Nearly 22,000 people were informed that they had a bot problem. We don’t know how many were actually able to see the message, or took any remedial action, but if any of them did, that’s a Good Thing.
  • A botnet of nearly 22,000 machines was taken down. Of course, we don’t know how many of the systems involved were completely cleaned, how many were still infected by other malware, how many were damaged by the cleaning, and how many cleaned machines were re-infected almost immediately. But if any of them are now safer and cleaner than they were before the BBC’s actions, that’s a Good Thing.
  • The BBC and its legal department are probably now better acquainted with the Computer Misuse Act, and perhaps the Click programme is a little more aware of its responsibility to its viewers and those of us who help to fund it. That’s certainly a Good Thing, though it might have been better if they’d researched better before they started filming. Or was this a case of "too good an angle to check"?

The question is, what was achieved that couldn’t have been achieved by legal, ethical means, avoiding the need for the criminal fraternity to become a little richer while experiencing no apparent negative impact at all? Apart, of course, from a story that attracted notoriety rather than universal admiration…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Comodo Backs BBC against AV


Wednesday, March 18th, 2009

The Tech Herald have brought it to our attention that Comodo, a security company who include an antivirus product in their range, have backed the BBC’s action in buying and exploiting a botnet for the Click programme’s story. This is clearly swimming against the tide – virtually all the mainstream anti-malware companies who’ve commented have indicated their disapproval of the BBC’s actions.

Melih Abdulhayoglu, Comodo’s CEO, regards buying a botnet as good use of taxpayers’ money, but doesn’t explain why using a real botnet to carry out simulated attacks is better than using legal means, and doesn’t even mention in justification the one thing the BBC did half-right: they did at least try to alert the owners of the compromised systems that they had a problem, although the means of communication (unauthorized modification of data, i.e. desktop wallpaper) was at best inappropriate.

Abdulhayoglu is entitled to his opinion, of course. I wonder, though, whether mainstream companies who planned on attending a security forum organized by Comodo later this month will now be considering whether they can afford to be seen to align with such radical views on the need to conform with the rule of law and, arguably, its own guidelines on what is acceptable in terms of conducting business with criminals?

Historically, the anti-virus industry (as we used to call ourselves) has always been fastidious about maintaining ethical and legal standards, and sometimes this has hampered our effectiveness against the bad guys, who have no such scruples. Vendors whose roots are in other security sectors, though, are sometimes more overtly sympathetic to vigilante action, even if they don’t engage in it themselves.

However, I think the point that many people are still missing is that the BBC didn’t lynch any cybercriminals. On the contrary, they gave them a little extra pocket money. They didn’t uncover anything new: they simply publicised the problem.

So while I’m prepared to give them one rather subdued cheer for bringing the botnet issue to the attention of more people, I’m far from convinced that the way they did it could not have been done just as effectively without flouting the law. I don’t say it isn’t appropriate for some investigations to be carried out under "deep cover": it saddens me, though, that "the public interest" continues to be used as a defence for sensationalist reporting and unnecessary comfort to the enemy.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

BBC Botnet: Another View or Two


Monday, March 16th, 2009

And still the controversy rages: several people have pointed out that it’s unlikely that the PCs in the BBC’s botnet are all in the UK, suggesting that there could be additional legal issues relating to other jurisdictions. The H reiterated the point that Ofcom regulations state that payment shouldn’t be made to "convicted or confessed criminals… for a programme contribution by the criminal … relating to his/her crime/s." It appears that there is only a possible exception where it is in the public interest.

So it’s not only law enforcement who have to be convinced that the purity of the BBC’s intent nullifies any question about the legality of their actions.

Some are proclaiming the value of its "investigation", but the BBC are not law enforcement, and don’t have any automatic rights to special treatment before the law. They didn’t really investigate anything in a forensic sense: law enforcement agencies and the security industry have, for many years, known more than the programme "revealed". What they did was demonstrate known phenomena for the benefit of their viewers.

Here are a few more interesting links: 

Of course, it’s perfectly reasonable to -inform- the public about these issues in the public interest: that’s not the same as trying out criminal techniques. Sometimes journalists will, technically, break the law in order to demonstrate that it’s possible or even easy to do so, and sometimes that public interest argument can be made quite convincingly. The question here is whether the public interest was served any better by the BBC’s sailing close to the legal wind than it would have been by an entirely legal simulation.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


BBC Botnet Revisited


Saturday, March 14th, 2009

[update] Commentary by Larry Seltzer for eWeek: http://www.eweek.com/c/a/Security/The-British-Botnet-Corporation-324874/

I don’t promise that this is my last word on the subject, but, having now seen the full Click programme and the BBC’s response to some of the criticism they’ve received, I found I had a few more things to say on the topic.

If you aren’t thoroughly fed up with the whole issue, you can read it on the (ISC)2 blog page.

I also thought it might be useful to recap on some of the other posts and resources relevant to this incident:

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


More on the BBC’s Botnet


Friday, March 13th, 2009

Update: several nice, thoughtful blogs on the subject from John Graham at http://john-graham.me.uk/.

International law firm Pinsent Masons’ Struan Robertson seems to agree (at least in part) with commentary in the security industry that the BBC have broken the UK’s Computer Misuse Act. Robertson focused on the Click program’s unauthorised access to 22,000 bot-compromised PCs in order to use them to send "spam" to email accounts set up by the program.

In fact, Click’s mail-out doesn’t really meet any meaningful technical definition of spam, but the point here is the proof of the concept, not the content of the messages. The essential point that Robertson makes here is that

"It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer… It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place".

However, he disagrees with the contention that the Act was broken by the unauthorised modification of the infected systems, on the grounds that:

"The offence of unauthorised modification requires a recklessness or an intent that I don’t think the BBC has displayed."

Robertson’s reservation is based on the fact that unauthorised modification is an offence under section three of the Act, which he argues entails the need to prove intent

"to impair the operation of a computer or to hinder access to data."

Far be it from me to argue with a lawyer – I have no formal legal training whatsoever. But section 3 also says that the intent doesn’t need to be directed at any particular computer, program, or data, or a program or data of any particular kind, or any particular modification or a modification of any particular kind. It seems to me that if the PC user was deprived of their original wallpaper (even temporarily), that may well be a technical breach. Even the act of turning off the malicious functionality of the bots that infected these machines could be interpreted as a breach, it seems to me. Nor am I convinced that there wasn’t a recklessness or negligence that might expose them to potential mens rea issues. They made system modifications, apparently, to 22,000 systems. Did they check each system to be sure that the modifications wouldn’t cause any unpleasant side effects on that system? Did they check afterwards? Did they consider at all the possibility that their actions might have unanticipated consequences?

Do I want anyone at the BBC to be arrested for notifying 22,000 users of bot-infected PCs that they had a problem? Of course not (not least because any legal costs would probably impact on my TV licence fee in the future!). But I wouldn’t mind seeing them acknowledge that they might have gone too far.

Let’s assume (for the sake of argument, rather than out of personal conviction!) that it’s permissible for them to have "bought" or rented a botnet, if that’s what they did – that isn’t actually clear. They could have explained the uses to which that botnet could be put without breaking the law by demonstrating it. They could have set up a botnet (real or simulated) on their own closed network and demonstrated anything they like, totally legally, or commissioned a group or agency, better resourced and more knowledgeable, to do it for them. While changing wallpaper may have been a quick and effective way of communicating with the users of the compromised machines, it’s unlikely that it was the only channel of communication open to them. But they chose not to pursue any of these alternatives, preferring to play the bold botmaster. Or, worse still, simply didn’t think about alternatives and consequences at all. The legal system may not regard that as reckless, but I do.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence