BBC Hijacks PCs to Prove a Point

Feb 13, 2008
19,430
0
0


The BBC's technology programme Click wanted to do a report on how at risk modern PCs still are, but they didn't expect to hijack nearly twenty-two thousand PCs.

Click [http://news.bbc.co.uk/1/hi/programmes/click_online/] used a readily available piece of software (which wasn't named) to create the bot-net, which is basically just a network of computers, none of them aware of their function.

With just two email addresses, they set the bot-net to send each address 50 mails. Within an hour, over seven thousand emails had arrived with different subject lines, and according to the BBC, that's not even working at full speed, just enough to keep under the radar of normal upload/download rates.

The email generator inside the infected machines has access to Google, where it can access some of the most popular searches and change the email subject line, allowing it to dodge past spam filters.

As a secondary test, the bot-net attempted a Distributed Denial of Service (DDoS) against a friendly target that was expecting it, the security company Prevx. It only took 60 machines to overload the bandwidth.

Satisfied, and a little freaked out by the results, the makers of the program will show the full results on the BBC News service on Sat 14th March at 1130 GMT.

As an end result, the "infected" computers were removed from the bot-net and sent a message by the BBC telling them that their computer was insecure and how to fix it. No personal data was accessed on any of the infected computers.

Source: BBC [http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm]

 

Nimbus

Token Irish Guy
Oct 22, 2008
2,162
0
0
So there are at least 22,000 people who open emails from people they don't know.

Interesting, if not surprising.
 

GRoXERs

New member
Feb 4, 2009
749
0
0
[insert snooty mac/linux bragging here]

That's pretty awesome, but isn't it technically illegal?
It certainly is in the US, but I don't know about the UK.
 

Skrapt

New member
May 6, 2008
289
0
0
GRoXERs said:
[insert snooty mac/linux bragging here]

That's pretty awesome, but isn't it technically illegal?
It certainly is in the US, but I don't know about the UK.
This country is home to Phorm - we're used to public/private companies being able to install spyware on our computers or at our ISPs without our knowledge.
 

GrahamCluley

New member
Mar 12, 2009
3
0
0
I hate to be a kill-joy but what the BBC did isn't good at all.

As is explained on the Sophos blog at http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/ the Computer Misuse Act makes it an offence in the United Kingdom to access another person's computer, or alter data on their computer, without the owner's permission.

The BBC were not authorised to access those computers - and so they have not only (in my humble opinion) broken the law, they've also managed to film themselves doing it.

A TV report like this can help to raise awareness of the serious problem of computers being controlled by hackers. And that's great. But it is completely wrong for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment.

The security company I work for, Sophos, has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question.

The law says you can't mess around with other people's computers without authorisation. The BBC didn't have permission to send those spam messages. Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right.

And I wonder how Gmail and Hotmail feel about being hit by spam sent by the BBC?

There's enough spam in the world. We don't need more - and we don't need journalists making experiments like this to prove something that can be demonstrated in a legal way.

Regards
Graham Cluley, senior technology consultant, Sophos
 

Somethingfake

New member
Oct 22, 2008
316
0
0
GrahamCluley said:
Mr. Cluley, they sought legal advice on doing this, it's on their twitter.

And Mr. L33tsauce_Marty, if you read carefully enough (which you didn't) it says "As a secondary test, the bot-net attempted a Distributed Denial of Service (DDoS) against a friendly target **that was expecting it**, the security company Prevx."

So as long as they know and agree for testing, it is legal.
 

TheWickerPopstar

New member
Dec 6, 2007
117
0
0
The_root_of_all_evil said:
As an end result, the "infected" computers were removed from the bot-net and sent a message by the BBC telling them that their computer was insecure and how to fix it.
Icing on the cake--because I only get legitimate e-mails from corporations.
 

MelMorris

New member
Mar 12, 2009
1
0
0
Graham Cluley might like to move onto the aspects of this story that could add some value to the customers of the security products from the numerous vendors that completely missed this Botnet infection for several days.

Botnets exist primarily because of an abject failure of the PC security industry to adequately protect consumers from such threats. It is a myth, albeit a popular and industry serving myth that Botnets only infect PCs with little or no security. Users with well respected brands of fully up to date PC antivirus and so called internet security products are infected every day while their PC security product tells them they are clean. Maybe that's a larger public injustice and one Graham and his team of very capable guys should focus a little more on than trying to pose as a legal expert.

Meanwhile the market engineering of security products from 10 of the top vendors heads further towards mutual exclusivity, meaning that consumers and businesses are denied the opportunity of using two or more products to provide additional protection. These top products are not adequate and customers need to double up on their security.

Finally, I assume from Graham Cluley's comments that Sophos are, by their own standards, unable to investigate the workings of Botnets, information stealers or to retrieve details of stolen information which might bring the real criminals and terrorists to justice. After all to do their job thoroughly Sophos might need to access a criminal's web site or database. Or is that OK Graham? -- when it suits you!! Or do you call them and ask for a login and permission to access? Your customers might like to ponder this point from their own perspective. How do you do this Graham? Has Sophos never trawled malicious web sites to seek out new malware to protect its customers proactively without permission from the web site owner? Of course they have. How is this different, legally?

Never mind a snowball fight with Kaspersky and trying to be lawyers, let's focus on the real fight that threatens our customers and our industry too. At the moment we are all simply not doing anywhere near enough to educate people of the real risks. The risks that are ever present in spite of running up to date so called PC security.

Come into the real World Graham, it's a dirty place and the bad guys are winning by a country mile!!!!!

Back to you, for a legal, ethical, or technical opinion which might in some small way add value to the people we are supposedly trying to protect.

Sincerely,


Mel Morris
CEO Prevx
 

GrahamCluley

New member
Mar 12, 2009
3
0
0
Somethingfake said:
GrahamCluley said:
Mr. Cluley, they sought legal advice on doing this, it's on their twitter.
Yes, I've seen that claim.

However, there are independent lawyers (please see the report on Out-law.com here: http://www.out-law.com/page-9863 ) who say that the BBC *did* break the law.

So maybe the BBC Click team need to consult better lawyers next time they access other computer users' computers without authorisation? What next? Reporters breaking into people's houses without permission to show that their front door locks are rubbish?

Please note: I have nothing wrong with the BBC raising awareness of botnets. That's a noble thing to do. I just don't believe it's necessary to break the law to do it.

And by the way, the guys at Kaspersky, AVG, FaceTime, F-Secure and ClearText agree with me.
 

GrahamCluley

New member
Mar 12, 2009
3
0
0
MelMorris said:
Graham Cluley might like to move onto the aspects of this story that could add some value to the customers of the security products from the numerous vendors that completely missed this Botnet infection for several days.
We have no way of knowing which security products those 22,000 computer users were running (or not running), just as we haven't been told which countries around the world they are based in (and which country's laws may have been broken by accessing them), or whether any of them were disrupted by the BBC's experiment.

But I'd actually like to keep the conversation on topic - was what the BBC did against the law or not? This isn't about right or wrong - it's about legality.

Note that I have no issue at all with raising awareness about computer security, but I do have a problem with the BBC breaking the law when it was clearly utterly unnecessary.

I know that Prevx was intimately involved in the BBC report and so may be feeling sensitive about this, and maybe that's colouring your message to me a little.

Did Prevx realise that the BBC was planning to break the law? Did you tell them what they were planning to do was illegal? Can you see that there are ways to explain the botnet problem in the media without breaking the Computer Misuse Act?

Cheers
Graham Cluley, Sophos
 

Volucer

New member
Sep 4, 2008
413
0
0
All I can say to that is "thank you". I'm writing an essay on this for my Cybercrime module and this fits in perfectly with my point :D

The Escapist, now also helping you do work ;)
 
Feb 13, 2008
19,430
0
0
MelMorris said:
Mel Morris
CEO Prevx
GrahamCluley said:
Graham Cluley, Sophos
Gentlemen, while I appreciate your erudite approach to this discussion, I can only give you the details that I could find from the BBC itself. Having talked to some of my techy friends tonight, they were also of the opinion of Mr. Cluley in that it seems to be a misuse of the CMA; if not from the botting, but from the spamming of Gmail.

TBH, I don't think we have all the information yet, although Mr(s?) Morris is likely to have more information than most. I hope to get more solid information over the next few days, and your continued discussion is most helpful.

Root
 

Lord_Ascendant

New member
Jan 14, 2008
2,909
0
0
My supercomputer has a lot of bandwidth. Except Crysis is STILL glitchy as heck!

On topic, I think they proved a point. Not all you have got is enough to keep bad stuff off your computer. Although if someone hacks my computer they will get a big surprise of all of my evil plans of evil.