BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend.
In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to virus-infected machines under the control of hackers in Russia and the Ukraine.
After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine.
The process began in chatrooms where hackers advertise their services. You have to earn their confidence, then negotiations take place in instant messaging applications.
Once a service and a price have been agreed, payment is made using a money transfer to keep both sides anonymous.
BBC Click used the botnet of 22,000 machines to send spam to webmail addresses it had set up for the purpose, and to launch a denial of service attack against a test website provided by security firm PrevX, which advised on the investigation. It then changed the wallpaper on the compromised machines to display a message of its own, advising affected users to clean up their systems.
The BBC reckons its actions were legal, but specialist technology lawyers contacted by El Reg disagreed. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, said that the BBC's actions were likely to have breached the unauthorised access provisions of the Computer Misuse Act, the UK's anti-hacking law. He added that there is no public interest defence against CMA offences.
All parties agree that a prosecution is unlikely, even if the BBC inadvertently interfered with Pentagon computers. Infected computers on US military systems are hardly unknown, and BBC Click made no checks on whose computers it was hacking into, so it could well be that some of the zombie machines used during the exercise were on US military networks.
Aside from the legality of the scheme, the exercise raises troubling ethical questions. Security firms are almost unanimous in saying the behaviour of infected machines could have been illustrated without hacking into the machines of innocent victims.
Much of what BBC Click found was already common knowledge in security circles, if not to the wider public. That botnets are used to send spam or run DDoS attacks, that access to them is sold through underground forums, and that their control tools are growing in sophistication has been a staple of information security coverage in the technology press and of vendor reports for months.
BBC Click said the programme was six months in the making.
Many security firms have described the exercise as misguided, unnecessary and unethical. Kaspersky, AVG, McAfee, FaceTime, Sophos and F-Secure all agreed that the BBC had behaved badly. Over the weekend Sunbelt Software joined the criticism of the programme's tactics, which Sophos has spearheaded.
Some security firms disagree with this consensus view, most notably PrevX, which participated in the programme. Mel Morris, chief exec at PrevX, suggested in a statement (below) that security researchers and the police routinely break the law to investigate botnets:
Prevx's input to the BBC Click Botnet experiment saw us providing our test site as a target for their DDoS attack and giving some comment and advice on the technical implications of what they were doing. In terms of what the BBC learnt the experiment highlighted some interesting facts - not least that their Botnet reached 9,000 computers over several days before it was detected by any of the major anti-virus or Internet security products.
Because of the nature of the market we operate in, and the ever-growing risks of cyber-crime, every internet security company has to understand the ways in which the enemy operates. What the BBC did with this experiment is just taking that lesson to the broader public. Every day, most security companies and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - it goes with the turf!
Other supporters include security firm Marshal8e6 which issued a statement to "applaud the BBC Click programme for its interesting and informative piece which hopefully will assist in raising the public’s awareness of these issues".
The BBC Click programme was broadcast on BBC 1 on Saturday morning and on the BBC News Channel on both Saturday and Sunday at 11:30. Those in the UK can catch up with the show through iPlayer, via the BBC Click site here. ®