We investigate the controversy that was stirred up recently when the FBI in the US used malware to fight malware.
The Feds connected to the remote access webshells that the recent Hafnium attacks had left behind on compromised servers and used those very shells to delete themselves, after a court order authorised the operation.
As helpful and as community-minded as this sounds, not everyone agreed that it was a good idea:
Why not join us live next time?
Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.
We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).
Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
Jack Wilborn
Duck, great job… I’m also suspicious that those ‘sites’ that were ‘fixed’ are logged and watched now more than others, typical low hanging fruit for the government, so to speak… IMHO it’s out of the scope of the police.
Take care…
Paul Ducklin
I think you can make a case that says removing obvious public-facing security holes like this is a bit like cops investigating a house that seems to have been burgled and trying to secure it to prevent a follow-up crime.
As for whether the companies identified and “helped” in this case are more likely to get scrutiny in future… I take your point (in the same way that once you get onto a spammer’s list you tend to stay there until that person either goes out of business or gets busted) but I suspect that the Feds would just use automated scanning tools to build a fresh list each time. If you can just rescan every server in the world, more or less, each time then there’s not much point in starting with the list from last time.
Where “increased future scrutiny” usually comes in seems not to be from investigative bodies like the FBI or their equivalent in other countries, but from regulatory ones, such as those data breach settlements that the FTC does where companies agree to open the doors for an annual audit for N years.