BBC hack 22,000 computers

Started by DarkStar, Mar 12, 2009, 16:05:29


DarkStar

Story here:

http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm

I notice it says that the users were notified afterwards, bet it doesn't make any difference though, they will still carry on using out of date AV and unpatched Windows etc.  :o
Ian

Rik

The interesting thing, Ian, is did the BBC breach the Misuse of Computers Act. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

Also the Data Protection Act
Glenn

Rik

Mmm. Could be a nice earner for the lawyers.
Rik

DarkStar

Another report on it here:

http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/

I don't think the BBC will get into trouble - they tell the government what to do don't they (along with BT)  :whistle:
That's the impression I have had for a long time now.
Ian

Sebby

Quote from: Rik on Mar 12, 2009, 16:08:18
The interesting thing, Ian, is did the BBC breach the Misuse of Computers Act. :)

You'd have thought they would have considered that, but who knows?

Lance

The BBC will probably use 'educating internet users' as justification for extra funding!
Lance

Noreen

Quote from: Rik on Mar 12, 2009, 16:15:54
Mmm. Could be a nice earner for the lawyers.
From the article
Quote: The programme did not access any personal information on the infected PCs.

If this exercise had been done with criminal intent it would be breaking the law.

Rik

Is it not criminal to intend to send spam, though?
Rik

Glenn

The Computer Misuse Act

The Act introduced three criminal offences:

    1(1) A person is guilty of an offence if:

        a) he causes a computer to perform any function with intent to secure access to any program or data held in a computer;
        b) the access he intends to secure is unauthorized; and
        c) he knows at the time when he causes the computer to perform the function that this is the case.


    1(2) the intent a person has to commit an offence under this section need not be directed at

        a) any particular program or data
        b) a program or data of any particular kind; or
        c) a program or data held in any particular computer.

    1(3) a person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5, on the standard scale or both.

    2(1) a person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorized access offence") with intent

        a) to commit an offence to which this section applies; or
        b) to facilitate the commission of such an offence (whether by himself or by any other person) and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

    2(2) this section applies to offences

        a) for which the sentence is fixed by law; or
        b) for which a person of twenty one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or in England and Wales might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980).

    2(5) a person guilty of an offence under this section shall be liable

        a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or both; and
        b) on conviction on indictment, to imprisonment for a term not exceeding five years, or to a fine, or both.

    3(1) A person is guilty of an offence if

        a) he does any act in a way which causes the unauthorized modification of the contents of any computer; and
        b) at the time when he does the act he has the requisite intent and the requisite knowledge.

    3(2) for the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing

        a) to impair the operation of any computer;
        b) to prevent or hinder access to any program or data held in any computer; or
        c) to impair the operation of any such program or the reliability of any such data.

    3(3) the intent need not be directed at

        a) any particular computer;
        b) any particular program or data or a program or data of any particular kind; or
        c) any particular modification or a modification of any particular kind.

    3(4) For the purpose of subsection 1b above, the requisite knowledge is knowledge that any modification he intends to cause is unauthorized.

    3(5) it is immaterial for the purposes of this section whether an unauthorized modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

http://en.wikipedia.org/wiki/Computer_Misuse_Act
Glenn

Glenn

I would have thought the highlighted text above would cause concern for the BBC
Glenn

Rik

That would seem conclusive, as they would have had to access a program, albeit one the owners didn't know they had.
Rik


mrapoc

Studied this today in organisational system security.

Although it was unethical and probably illegal, at least they did not set up their own botnet, merely tapped into someone else's then deleted it afterwards, freeing the computers from the "zombie state".

Mind you, I'm in a zombie state and in need of sleep

so I bid you goodnight :)

Rik

I'm always in a zombie state, Sam, I thought you knew. :)
Rik

drummer

Well, I for one am dead chuffed that the Beeb has used its resources to educate thousands of users about (their lack of) internet security.

I've seen lots of posts here and elsewhere about how people need to be educated about internet security.  What a brilliant way to do it - publicly and unembarrassed.  Full marks to the Beeb for taking the initiative without compromising any machines except by alerting the owner that a malicious attack would've been a piece of cake on their computer.

It's a serious issue though and deserves better than people using it just to sound off about the BBC in general.

A school kid could achieve the same as Click because it's that flipping easy.  Don't blame the messenger for proving the fact.

It's public service broadcasting at its very best.

An honest legal opinion would probably be something along the lines of: "I don't have the faintest idea but I'll give you a quote which then makes me an 'expert' on untested legislation".
To stay is death but to flee is life.

Gary

I have noticed many newer security suites now use the Secunia vulnerability scanning tool, trying to get people to patch not just Windows but also other programs. People forget how easy it is to get caught by a malicious security hole. The new Eset Smart Security version 4 along with Kaspersky and I think Norton all do that, not sure about Norton but I'm guessing they would. Trouble is people do not see this as useful and seem to want to turn those features off as patching is either too much like hard work, or daunting  :shake:
Damned, if you do damned if you don't

talos

Quote from: drummer on Mar 12, 2009, 23:15:22
Well, I for one am dead chuffed that the Beeb has used its resources to educate thousands of users about (their lack of) internet security.

I've seen lots of posts here and elsewhere about how people need to be educated about Internet security.  What a brilliant way to do it - publicly and unembarrassed.  Full marks to the Beeb for taking the initiative without compromising any machines except by alerting the owner that a malicious attack would've been a piece of cake on their computer.

It's a serious issue though and deserves better than people using it just to sound off about the BBC in general.

A school kid could achieve the same as Click because it's that flipping easy.  Don't blame the messenger for proving the fact.

It's public service broadcasting at its very best.

An honest legal opinion would probably be something along the lines of: "I don't have the faintest idea but I'll give you a quote which then makes me an 'expert' on untested legislation".

:iagree: This was done with good intent, and I believe it should be done regularly to shock some of these users out of their complacency. The criminals who infect computers for personal gain are the ones to "have a go at". Just the basic security will stop many; not to use it is stupidity, especially since there are many good free ones out there. Well done BBC, this time you got it right, it's what "public broadcasting" is all about. :thumb:

Tacitus

Interesting piece here by Charles Arthur about how people are inured to malware.  The vast majority of people take it as 'the way it is', nothing you can do about it, etc etc.

It never ceases to amaze me the amount of effort it takes to keep a modern PC standing.  You imagine that at some point people would begin to wake up and realise the problem is not PCs, it's Windows which is simply not up to the task. 

They say Windows 7 will cure it all, but I've been hearing MS cry 'the next version will solve all problems' since the days of DOS3.3



Rik

I know just what you mean, Tac. I wonder, though, if the world moved to Macs, how long it would take for them to become vulnerable.
Rik

somanyholes

I have to say I disagree strongly with the way the BBC have approached this subject. Sure they should bring attention to the subject and user education is also good, however does the BBC go into people's homes unannounced because they have left their front door open? No it doesn't and would likely get punched if they did. I profess I have not looked into this in detail but no doubt it will advise the usual anti-virus, patch your system, don't click on emails with attachments etc., leading to a false sense of security .....

They broke the law with this and should be dealt with accordingly

Rik

Hi, So, long time no see, are you well? :)
Rik

talos

Quote from: somanyholes on Mar 13, 2009, 12:26:58
I have to say I disagree strongly with the way the BBC have approached this subject. Sure they should bring attention to the subject and user education is also good, however does the BBC go into people's homes unannounced because they have left their front door open? No it doesn't and would likely get punched if they did. I profess I have not looked into this in detail but no doubt it will advise the usual anti-virus, patch your system, don't click on emails with attachments etc., leading to a false sense of security .....

They broke the law with this and should be dealt with accordingly

I disagree, the law was not broken, this could easily be done by somebody with criminal intent.  I sincerely hope it wakes up some of the dozy individuals who by their own negligence keep the perpetrators of these crimes in business.


somanyholes

As Glenn stated below the law was clearly broken. If access was allowed before entry then fair enough, but as far as I'm aware it wasn't, please correct me if I'm wrong....

Quote:
        b) the access he intends to secure is unauthorized; and
        c) he knows at the time when he causes the computer to perform the function that this is the case.