EarthLink Protection Control Center Blog: April 2007 Archives


April 19, 2007

PCC 2.1 Launch

I’m pleased to announce that we’ll be launching an update to Protection Control Center today. This update will improve the overall performance of the application and enhance your user experience. You probably won’t even notice but know that we’ve done a lot of work to make protecting your computer even easier than before. In order to get this update, you’ll simply need to click ‘Check Updates’ and you’ll be notified that there is a program update available. Confirm you want to download the update and it will install automatically without any rebooting required. If you have questions or concerns please let me know. You can confirm that the update has been installed correctly by clicking on Help in the PCC application and highlighting ‘About Protection Control Center’. The Protection Control Center version number should read 2.1.2

Thanks!

April 5, 2007

Who’s the bad guy?


Fact: Potentially malicious software code (called Jikto) that could be used to turn a Web browser into a Hacker’s tool has been posted to the Internet, after it was downloaded by a quick-thinking individual at the Shmoocon Hacker conference last month.

After reading this, it got me thinking about who else (if anyone) besides the hackers should be held responsible for malicious code making its way onto the Internet? Some background on this: Security researchers do a lot of sharing of information and technology in order to combat Internet security threats. Sometimes this involves the sharing of actual malware samples through specialized channels from one lab to the next. I’m not a malware researcher so I don’t know exactly how it works. But I do know the industry is extremely small and that there are a great deal of interpersonal relationships that exist between researchers. So it is entirely possible that a researcher at company A talks with company B about samples etc. All of this sharing leads to better protection for all of us which in the end is what we all want.

However, this is not what happened at the Shmoocon conference last month. A so-called “Security Consultant” posted the URL to this malicious code to Digg.com for a very short period of time. My sources within the security industry call this a very, very big “no-no!”. Digg is a user-powered content portal where anyone can come to get all types of information, news, videos etc. Why on earth would you publish a link to code that has the potential to make it easier for hackers to gain control of your computer? There is no good reason and despite the individual claiming that he “posted the code because he thought it would be useful to other security professionals looking for ways to illustrate just how dangerous a scripting attack can be”, I don’t buy it!

Despite the short time the code was up on Digg, it was downloaded 100 times. We have no idea who downloaded it and what their intent was with the code. What is known is that this posting was outside the norm of security information transfer. When researchers share code they do it over “dirty” networks, so that you and I don’t become infected. They don’t post code on unsecured networks or, even worse, websites that anyone in the world can access. To me this individual has committed a crime because he has helped (not directly) cyber-thieves with their ability to wreak havoc on the Internet. More than likely a hacker would have discovered this code on their own but it could have been months later. But the fact remains that this person helped malicious code go free onto the Internet and in my opinion violated 18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers) and/or the Identity Theft and Assumption Deterrence Act of 1998.

At some point we need to hold more people accountable for their actions on the Internet. I’m a firm believer that every Internet user has a set of responsibilities that they must follow in order to be good “net-citizens”. Everyone must have active anti-virus, anti-spyware, and firewall protection on their machines. This means not only installed but up to date! I can’t tell you how many times customers tell me they think they have protection only to discover their security subscription ran out last March. Let’s put it this way, you don’t drive without taking a driving test and learning the rules of the road. Why shouldn’t the same principles apply on the Internet? With cyber-crime yielding about 8 billion dollars a year, this makes perfect sense to me given the enormity of money lost and people's lives ruined. Could you pass the test?