
Full Disclosure mailing list archives
Re: BBC cybercrime probe backfires
From: "Castigliola, Angelo" <ACastigliola () UNUM COM>
Date: Sat, 14 Mar 2009 13:22:49 -0400
Using the same technology to spread malicious viruses and worms and apply fixes for the very same exploits they used to obtain access to a remote computer is an age-old debate. It has been discussed by industry heavyweights such as Microsoft Research to college grad students (http://www.newscientist.com/article/dn13318). Information Week published an informative article last week titled "Offensive Computing: A Bad Idea That Never Dies" (http://www.informationweek.com/blog/main/archives/2009/03/offensive_compu.html). The author George Hulme does an excellent job of documenting the history of this debate in ideology and discusses the ethics questions surrounding the "offensive computing" theory. The "friendly worm" or "anti-worm" theory has been applied to the field already in October of 2001 with the release of the "Codegreen" worm (http://www.vnunet.com/vnunet/news/2115989/anti-worms-fight-code-red-threat). The "friendly worm" intended to spread and fix remote computers vulnerable to Microsoft Security Bulletin MS01-033. It is currently detected by anti-virus programs as W32/CodeGreen.worm, quarantined, then removed. My opinion is that "offensive computing" isn't justified. Vital networks important to the operation of government, internet, and private industries are often protected by layers of defenses against conventional hacking attempts. Likewise, botnets are also an old idea that has been put into practice in the field. More recently, sophisticated botnet software has been easily obtainable on the internet with very detailed operations manuals. This old idea has now manifested into a new threat, and the defense layers protecting vital computer infrastructure will eventually be reengineered to handle these threats.
By releasing "friendly\anti-worms" you are dictating a patch release schedule to the internet and enforcing your policies with "offensive computing" techniques. Large production business networks often have very detailed patch release cycles and procedures for critical patches. These patch release cycles include testing, a pilot release, then finally a full deployment. These production environments are very controlled, and any changes are tracked through a change management system for approvals from various information technology departments that have a stake in ensuring the successful, uninterrupted operation of these systems. These IT professionals are responsible and sometimes liable for the systems in these controlled environments. How would a "friendly\anti-worm" tell if this computer is a part of a controlled environment? What happens if the "offensive computing" application spreads to one of these controlled environments because someone was infected at lunch at an internet café and then unknowingly plugged their infected laptop into a controlled business environment? You can slice the debate many ways, but ultimately "offensive computing" is software that will consume CPU time and additional memory, which degrades performance without an operator's consent, and that is why it is illegal.

Angelo Castigliola III
EISRM - Application Security Architecture
Unum
acastigliola () unum com

Disclaimer: The opinions expressed are my own personal opinions and do not represent my employer's view in any way.

________________________________
From: full-disclosure-bounces () lists grok org uk on behalf of Ron
Sent: Sat 3/14/2009 10:57 AM
To: Ivan .
Cc: full-disclosure
Subject: Re: [Full-disclosure] BBC cybercrime probe backfires

Ivan . wrote:
The BBC hacked into 22,000 computers as part of an investigation into cybercrime but the move quickly backfired, with legal experts claiming the broadcaster broke the law and security gurus saying the experiment went too far. http://www.smh.com.au/news/technology/security/bbc-cybercrime-probe-backfires/2009/03/13/1236447465056.html
They keep saying that the BBC "hacked" 22,000 computers, when in reality the original articles said the BBC "acquired" or "hijacked" the botnet. Strawman for the win?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/