Re: "Nimda"?
From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 02/28/02
- Previous message: sherman.hand: "Question"
- In reply to: Greg Williamson: "Re: "Nimda"?"
- Next in thread: Greg Williamson: "Re: "Nimda"?"
Date: Fri, 01 Mar 2002 10:05:44 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com
Greg Williamson <n120476@phaedrus.national.com.au> wrote:
> Summary type email (like that in ARIS) is good, but for something that leaves an
> open door behind it (such as Code Red) it can be better to use that back-door to
> your advantage. With CodeRed, I cobbled together an automated response that
> notified the netblock administrator, but also used the root.exe hole to put a
> WinPopup box on the infected machine. That was fairly effective.
Aside from more serious charges in some jurisdictions (such as the
possibility it is tampering with a crime scene, as already suggested
by others), that approach is fundamentally wrong.
Under almost all jurisdictions that have some form of computer
crime statutes, doing what you suggest is unauthorized access to,
*and* unauthorized modification of, a computer system. That you gain
such access through a backdoor planted as the result of previous
offenses of the same nature and that the administrators of the system
(perhaps) do not know that mechanism is present is irrelevant.
Until people claiming to be members of the "computer security
industry" or "security professionals" stop suggesting such clearly
inappropriate actions (which, by the way, they are even if they were
not illegal most places) in response to perceived problems such as
this, the industry as a whole will continue to have its down-and-dirty
wild-west look and feel.
...
Finally, I note that Greg seems to work for (or be in some way
affiliated with) the National Bank of Australia. If so, perhaps he
should brush up on his employer's privacy policy, as linked from its
home page:
http://www.national.com.au/About_Us/0,,2692,00.html
Although that document is clearly aimed at reassuring the bank's
customers that any personal information about them held by the bank
will be properly guarded and "respected", it is clear that the bank
wishes to be seen to not only uphold the letter of the Australian
law relating to such issues, but to be seen to be exemplary in the
way it does so. In light of this, I wonder how the bank can have an
internal policy for IT staff that clearly shows little, if any,
respect for Australian computer law. If the bank does not have such
a double standard, does that mean Greg should now (or may soon) be
facing disciplinary action within the bank?
Let's be generous and assume that when Greg said "With CodeRed, I
cobbled together ... but also used the root.exe hole to put a
WinPopup box on the infected machine" he was talking about something
he did outside the bank and that did not in any way involve bank
time, computers or network resources. Can the National Bank of
Australia afford to be publicly seen to be associated with someone
freely admitting to what almost surely was a criminal act in at least
one country where at least one machine Greg "notified" resided?
I'm impressed that Greg has such faith in his conviction that
knowingly doing wrong in the face of other (trivial) wrongdoing is
proper behaviour that he publicly identifies himself with the belief.
I wish him well should that faith cause him any strife, but I cannot
agree with him on either issue nor condone his action.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com