Tue 27 Jan 2004
Mark Rasch, Security Focus, writes:
According to Greek mythology, the seer Laocoon, a priest of Apollo, warned the residents of Troy against accepting into their city the giant wooden horse designed by Odysseus and created by the architect Epeius. His famous warning, “Trojans, trust not the horse. Whatever it be, I fear the Greeks, even when bringing gifts,” applies equally today to importing unknown files as it did to the Trojans 4,000 years ago.
We think we know all about the dangers of Trojan horses, but there is a new and more dangerous legal wrinkle to consider. In the past few months, a couple of people in England were acquitted based upon the so-called “Trojan defense” — what we criminal lawyers used to call the “SODDI” defense: Some Other Dude Did It.
The Trojan defense presents two equally frightening problems: the possibilities of acquitting the guilty, or convicting the innocent.
In the first case, given the nature of electronic evidence, virtually all computer crime prosecutions rely on “circumstantial” evidence. To prove that John Doe, for example hacked into ABC company, you collect IP history logs and other corroborating data, maybe engage in an IRC chat with John Doe, get a warrant or subpoena for his ISP information, show a pattern of activity consistent with the hacking, and then (if you are a law enforcement agent) get a warrant to kick in Mr. Doe’s door and seize his computer. If the forensic examination of the computer shows hacking files, access to hacking sites, relevant e-mail, and even versions of the malicious code, it’s a slam-dunk case for conviction. Right?
Trouble in the UK
But what if, in addition to all of this “evidence,” you also find the existence of a Trojan horse server — say, a version of Optix Pro or another remote access program. Does the mere existence of such a program provide a Get Out of Jail Free card? Probably not. However, given the ephemeral nature of electronic evidence, and the fact that it can always be altered, how confident would you be that Doe was in fact guilty beyond a reasonable doubt?
The higher the hacker’s profile, the more attractive a target he or she may make for other hackers. And after all, if you were a hacker, would you want to store your contraband files on your own machine, or, like the cuckoo, would you keep your eggs in another bird’s nest? Such “file parking” strategies have been used by hackers for years.
In October, 2002 Julian Green was arrested in Devon, England after police searched his home PC and found examples of child pornography. ISP had logs identified Green as the person responsible for the downloads, and the existence of the child porn on his PC seemed to be all the corroboration the constable would have needed to obtain a conviction.
However, a defense forensic expert also found evidence that there were Trojans planted on Green’s computer that were designed to piggyback his browser, and log into porn sites. The Trojans probably were downloaded as e-mail attachments — made all the more likely by the fact that Green had a teenage son. Unable to definitively prove that Green knowingly and intentionally downloaded the files, the prosecution dismissed the charges.
Similarly, Aaron Caffrey, a 19-year-old hacker, was charged in Southwark Crown Court with carrying out a denial of service attack on the computers of the port of Houston, Texas on September 20, 2001 — less than two weeks after the 9/11 attacks. The port’s webserver was frozen, and ISP logs traced the source of the attack to Caffrey’s computer.
Unlike Green’s case, a forensic audit of Caffrey’s computer showed no trace of a Trojan. At his trial, Caffrey simply argued that a Trojan could have been responsible, and that the government could not prove its case beyond a reasonable doubt. The jury agreed, and acquitted Caffrey in October, 2003.
Trojan Extortions
In late December, 2003 companies around the world began to report a new kind of cyber-attack that had been apparently going on for about a year. Cyber extortionists (reportedly from Eastern Europe) threatened to “plant” child pornography on their computers and then call the cops if they didn’t agree to pay a small fee. Unless the recipient pays a nominal amount ($30), the hacker claims he will either wipe the hard drive or plant kiddie porn. The possibility of Trojans and the relative ease with which they could be used to promulgate just such an attack made the threats credible.
The two British cases illustrate the problems with the Trojan defense: not only does it make it difficult to definitively prove guilt with electronic evidence, but it is relatively easy to manufacture and plant electronic evidence consistent with guilt. In fact, with a few skills and tools, not only could you plant such evidence, but you could do so in such a way as to be virtually undetected, and so that it would be virtually impossible to determine that your target was not guilty.
The very Trojan planted to launch the attack or download the incriminating files may be designed to self destruct and wipe itself from the hard drive. It would be almost impossible to overcome the circumstantial evidence pointing to your guilt. With sentencing guidelines becoming ever more draconian for computer related offenses, it is only a matter of time before not only cyber extortion but cyber set-ups become reality, if they aren’t already.
Of course, good information security practices help in this regard. Preventing the Trojans from entering in the first place, scanning for malware, monitoring for unusual activity and spam filtering all can help. Audit logging and reviewing can also help. Similarly, strong authentication and access control might prevent such activity. Yet another reason to do what the security professionals have been arguing for years.
As for Laocoon, the first to issue an advisory on the Trojan horse danger, his warning to the Trojans violated the wishes of Poseiden, so the gods sent serpents to kill him and his sons. This proved another axiom in law: no good deed goes unpunished.