BBC Hijacks PCs to Prove a Point
Time Lord
Posts: 10129
Joined: 13 Feb 2008


The BBC's technology programme Click wanted to do a report on how at risk modern PCs still are, but they didn't expect to hijack nearly twenty-two thousand PCs.

Click used a readily available piece of software (which wasn't named) to create the bot-net, which is basically just a network of computers, none of them aware of their function.

With just two email addresses, they set the bot-net to send each address 50 mails. Within an hour, over seven thousand emails had arrived with different subject lines, and according to the BBC, that's not even working at full speed, just enough to keep under the radar of normal upload/download rates.

The email generator inside the infected machines has access to Google, where it can access some of the most popular searches and change the email subject line, allowing it to dodge past spam filters.

As a secondary test, the bot-net attempted a Distributed Denial of Service (DDoS) against a friendly target that was expecting it, the security company Prevx. It only took 60 machines to overload the bandwidth.

Satisfied, and a little freaked out by the results, the makers of the program will show the full results on the BBC News service on Sat 14th March at 1130 GMT.

As an end result, the "infected" computers were removed from the bot-net and sent a message by the BBC telling them that their computer was insecure and how to fix it. No personal data was accessed on any of the infected computers.

Source: BBC


Gone Gonzo
Posts: 1768
Joined: 22 Oct 2008

So there are at least 22,000 people who open emails from people they don't know.

Interesting, if not surprising.

Infamous Scribbler
Posts: 654
Joined: 4 Feb 2009

[insert snooty mac/linux bragging here]

That's pretty awesome, but isn't it technically illegal?
It certainly is in the US, but I don't know about the UK.

Muckraker
Posts: 297
Joined: 6 May 2008

GRoXERs:
[insert snooty mac/linux bragging here]

That's pretty awesome, but isn't it technically illegal?
It certainly is in the US, but I don't know about the UK.

This country is home to Phorm - we're used to public/private companies being able to install spyware on our computers or at our ISPs without our knowledge.

Gone Gonzo
Posts: 1493
Joined: 18 Jun 2008

Gotta love the evilution of the internet.

Pulitzer Laureate
Posts: 762
Joined: 13 Aug 2008

that's kind of scary...

Infamous Scribbler
Posts: 658
Joined: 19 Nov 2008

It's creepy how I'm not surprised by this.

Gone Gonzo
Posts: 1190
Joined: 26 Jun 2008

Is it legal to DDOS?

Beat Writer
Posts: 221
Joined: 3 Dec 2008

So they attacked a bunch of people with viruses and this is helpful how? Dick move BBC.

Anonymous Source
Posts: 3
Joined: 12 Mar 2009

I hate to be a kill-joy but what the BBC did isn't good at all.

As is explained on the Sophos blog at http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/ the Computer Misuse Act makes it an offence in the United Kingdom to access another person's computer, or alter data on their computer, without the owner's permission.

The BBC were not authorised to access those computers - and so they have not only (in my humble opinion) broken the law. They've also managed to film themselves doing it.

A TV report like this can help to raise awareness of the serious problem of computers being controlled by hackers. And that's great. But it is completely wrong for a broadcaster to use innocent people's computers without their permission for the purposes of their experiment.

The security company I work for, Sophos, has been asked many times by the media to take part in TV programmes like this, and has always made clear that we believe their legality to be questionable. Moreover, to our mind, the dubious ethics of such experiments are without question.

The law says you can't mess around with other people's computers without authorisation. The BBC didn't have permission to send those spam messages. Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right.

And I wonder how Gmail and Hotmail feel about being hit by spam sent by the BBC?

There's enough spam in the world. We don't need more - and we don't need journalists making experiments like this to prove something that can be demonstrated in a legal way.

Regards
Graham Cluley, senior technology consultant, Sophos

Copy Clerk
Posts: 96
Joined: 22 Oct 2008

GrahamCluley:
Snip

Mr. Cluley, they sought legal advice on doing this, it's on their twitter.

And Mr. L33tsauce_Marty, if you read carefully enough (which you didn't) it says "As a secondary test, the bot-net attempted a Distributed Denial of Service (DDoS) against a friendly target **that was expecting it**, the security company Prevx."

So as long as they know and agree for testing, it is legal.

Copy Clerk
Posts: 119
Joined: 6 Dec 2007

The_root_of_all_evil:

As an end result, the "infected" computers were removed from the bot-net and sent a message by the BBC telling them that their computer was insecure and how to fix it.

Icing on the cake--because I only get legitimate e-mails from corporations.

Gone Gonzo
Posts: 4297
Joined: 20 Dec 2007

I'm going to rob banks to prove how insecure they are....

Anonymous Source
Posts: 1
Joined: 12 Mar 2009

Graham Cluley might like to move onto the aspects of this story that could add some value to the customers of the security products from the numerous vendors that completely missed this Botnet infection for several days.

Botnets exist primarily because of an abject failure of the PC security industry to adequately protect consumers from such threats. It is a myth, albeit a popular and industry serving myth that Botnets only infect PCs with little or no security. Users with well respected brands of fully up to date PC antivirus and so called internet security products are infected every day while their PC security product tells them they are clean. Maybe that's a larger public injustice and one Graham and his team of very capable guys should focus a little more on than trying to pose as a legal expert.

Meanwhile the market engineering of security products from 10 of the top vendors heads further towards mutual exclusivity, meaning that consumers and businesses are denied the opportunity of using two or more products to provide additional protection. These top products are not adequate and customers need to double up on their security.

Finally, I assume from Graham Cluley's comments that Sophos are, by their own standards, unable to investigate the workings of Botnets, information stealers or to retrieve details of stolen information which might bring the real criminals and terrorists to justice. After all to do their job thoroughly Sophos might need to access a criminal's web site or database. Or is that OK Graham? -- when it suits you!! Or do you call them and ask for a login and permission to access? Your customers might like to ponder this point from their own perspective. How do you do this Graham? Has Sophos never trawled malicious web sites to seek out new malware to protect its customers proactively without permission from the web site owner? Of course they have. How is this different, legally?

Never mind a snowball fight with Kaspersky and trying to be lawyers, let's focus on the real fight that threatens our customers and our industry too. At the moment we are all simply not doing anywhere near enough to educate people of the real risks. The risks that are ever present in spite of running up to date so called PC security.

Come into the real world Graham, it's a dirty place and the bad guys are winning by a country mile!!!!!

Back to you, for a legal, ethical, or technical opinion which might in some small way add value to the people we are supposedly trying to protect.

Sincerely,

Mel Morris
CEO Prevx

Anonymous Source
Posts: 3
Joined: 12 Mar 2009

Somethingfake:

GrahamCluley:
Snip

Mr. Cluley, they sought legal advice on doing this, it's on their twitter.

Yes, I've seen that claim.

However, there are independent lawyers (please see the report on Out-law.com here: http://www.out-law.com/page-9863 ) who say that the BBC *did* break the law.

So maybe the BBC Click team need to consult better lawyers next time they access other computer users' computers without authorisation? What next? Reporters breaking into people's houses without permission to show that their front door locks are rubbish?

Please note: I have nothing wrong with the BBC raising awareness of botnets. That's a noble thing to do. I just don't believe it's necessary to break the law to do it.

And by the way, the guys at Kaspersky, AVG, FaceTime, F-Secure and ClearText agree with me.

Anonymous Source
Posts: 3
Joined: 12 Mar 2009

MelMorris:
Graham Cluley might like to move onto the aspects of this story that could add some value to the customers of the security products from the numerous vendors that completely missed this Botnet infection for several days.

We have no way of knowing which security products those 22,000 computer users were running (or not running), just as we haven't been told which countries around the world they are based in (and which country's laws may have been broken by accessing them), or whether any of them were disrupted by the BBC's experiment.

But I'd actually like to keep the conversation on topic - was what the BBC did against the law or not? This isn't about right or wrong - it's about legality.

Note that I have no issue at all with raising awareness about computer security, but I do have a problem with the BBC breaking the law when it was clearly utterly unnecessary.

I know that PrevX was intimately involved in the BBC report and so may be feeling sensitive about this, and maybe that's colouring your message to me a little.

Did PrevX realise that the BBC was planning to break the law? Did you tell them what they were planning to do was illegal? Can you see that there are ways to explain the botnet problem in the media without breaking the Computer Misuse Act?

Cheers
Graham Cluley, Sophos

Gone Gonzo
Posts: 1932
Joined: 9 Sep 2008

ElArabDeMagnifico:
I'm going to rob banks to prove how insecure they are....

They already pay people to do that.

Muckraker
Posts: 280
Joined: 4 Sep 2008

All I can say to that is "thank you". I'm writing an essay on this for my Cybercrime module and this fits in perfectly with my point :D

The Escapist, now also helping you do work ;)

Time Lord
Posts: 10129
Joined: 13 Feb 2008

MelMorris:

Mel Morris
CEO Prevx

GrahamCluley:

Graham Cluley, Sophos

Gentlemen, while I appreciate your erudite approach to this discussion, I can only give you the details that I could find from the BBC itself. Having talked to some of my techy friends tonight, they were also of the opinion of Mr. Cluley in that it seems to be a misuse of the CMA; if not from the botting, then from the spamming of Gmail.

TBH, I don't think we have all the information yet, although Mr(s?) Morris is likely to have more information than most. I hope to get more solid information over the next few days, and your continued discussion is most helpful.

Root

Gone Gonzo
Posts: 2352
Joined: 14 Jan 2008

My supercomputer has a lot of bandwidth. Except Crysis is STILL glitchy as heck!

On topic, I think they proved a point. Not all you have got is enough to keep bad stuff off your computer. Although if someone hacks my computer they will get a big surprise of all of my evil plans of evil.

Gone Gonzo
Posts: 1207
Joined: 28 Dec 2008

It's silly how easy stuff can infiltrate even well guarded systems.

Infamous Scribbler
Posts: 606
Joined: 24 Sep 2008

*waits patiently for quantum-state encryption*

EDIT: Sweet Jebus, got the name wrong. Actually called "Quantum Key Distribution."

Beat Writer
Posts: 137
Joined: 7 Jul 2008

If I found out I was a victim of this, I would (attempt to) prosecute the BBC for every dollar/pound I could.
The law is the law.
NOBODY is above the law.

BANNED
Posts: 819
Joined: 22 Dec 2008

i see a huge lawsuit coming...

On the Record
Posts: 5025
Joined: 28 Feb 2008

Well, fuck.
The BBC is using troll tactics!

Press Junketeer
Posts: 406
Joined: 29 Nov 2007

The BBC is doing it right. I generally like grey methods like this.

I love how the corporate PR agents have stepped in to have a quick banter - Prevx and Sophos are both highly respected, I use tools from both companies, but this is the first time I've seen such a public skirmish-of-sorts between them. Quite entertaining.

Red Guard
Posts: 4938
Joined: 14 Oct 2007

Nimbus:
So there are at least 22,000 people who open emails from people they don't know.

Interesting, if not surprising.

Certain virus programs known as worms don't need you to open the email for it to attack your computer. Instead they search through emails for more addresses to spread to.

Gone Gonzo
Posts: 3250
Joined: 10 Nov 2007

Samah:
If I found out I was a victim of this, I would (attempt to) prosecute the BBC for every dollar/pound I could.
The law is the law.
NOBODY is above the law.

This would not, of course, stop it from having been your fault that your PC was owned by your poor security decisions.

Though it might give you the money you need to source an adequate security product for the future.

Pulitzer Laureate
Posts: 926
Joined: 13 May 2008

Labyrinth:
Certain virus programs known as worms don't need you to open the email for it to attack your computer. Instead they search through emails for more addresses to spread to.

If the worm is spread via email, you need to open it (albeit if there was, say, an issue with the subject line you would just need to download it). A complete worm is autonomous in so far as it doesn't require user interaction, but like hacker, the term worm has come to cover far more than it properly should.

Something like Melissa, or the I Love You virus, should have been considered a trojan and/or a network-aware virus, a worm was something like SQL Slammer, which was set and forget and required no interaction by a user.

Edit: And is the BBC going to be punished for this cracking action?

BANNED
Posts: 1891
Joined: 26 Mar 2008

I know they are trying to prove a point but it's an interesting way of doing it, luckily no harm was done. Should they be punished for breaking the law? Hard to say, they are just trying to make people aware of the problem.

I was more annoyed when I heard they were giving data about people visiting the site to an American company, that's all gone quiet now strangely.

Pulitzer Laureate
Posts: 926
Joined: 13 May 2008

If I walked up to a network, cracked the key and breached the LAN because they were sitting their wireless in the DMZ with a stupid alcatel box, but didn't touch anything sensitive and took my logs straight to them would I be reported to the police, or would I not. Hard to say. Now imagine that I do this for 50 companies or, say, 22,000 people, and publish my findings in the local news.

The BBC is huge, so my bet is they won't be punished, but what's the difference between them and me? I've got just as many verifiable morals as a bunch of people who select which words and questions they will use for an interview, or what images they will show for a report, but it's the little guy who is going to get prosecuted.

My thoughts on that side of things anyway.

Muckraker
Posts: 350
Joined: 15 Jul 2008

Is this any different from the Gov't showing two dead bodies mangled in an alcohol induced wreck? They did nothing malicious and nothing that will affect these people's computers.

They may have 'bent' the rules but they did it with good will in mind and are doing it for 'uneducated' people's benefit.

This is also the UK and not the US. So an American commenting on this is about as useful as me trying to explain why my neighbour needs shotguns and an AR15....

The BBC is one of the greatest news networks in the world with, in my mind, the greatest level of reporting. If they have done this they will have known it won't have broken any laws.

As for the company that they spammed to death. They had agreed to do it and were aware it was coming. So hats off to them for trying to further the war on Internet Spam Merchants.

Gone Gonzo
Posts: 4968
Joined: 10 Jan 2009

Wow. Well, if some people would only use their email for personal/business things, this would be entirely avoidable.

Gone Gonzo
Posts: 1880
Joined: 7 May 2008

Erana:
Well, fuck.
The BBC is using troll tactics!

they always did

Gone Gonzo
Posts: 1400
Joined: 10 May 2008

Let's just hope that the 22,000 people who were dumb enough to open random mail sent to them learn never to open mails unless it's from a valid source.
