Tuesday, March 04, 2008
The great Trojan war
The Austrian Police has become the latest European agency to express its intention to use specially-crafted Trojans to remotely monitor criminal suspects. DIRT (Data Interception by Remote Transmission) Trojan, with which law-enforcement agents can secretly monitor a suspect's computer, is the latest on police's cards.
According to reports in Austrian media, the Minister of Justice Maria Berger and Interior Minister Gunther Plater, have drafted a proposal that will be amended by legal experts and the cabinet with the intention of allowing police to carry out such surveillance legally with a judge's warrant.
There doesn't appear to be a defined timescale for such a law and it is not clear whether the move would face the legal challenges encountered by the German authorities in the last year as they attempted to get a similar law off the ground. According to Berger, Trojans would only be used in cases of serious crime, such as terrorism and organised racketeering. The Swiss authorities have declared the intention of using the same controversial technique, but only in cases of the most extreme nature, such as terrorism.
One formidable hurdle is that opinion in the security software industry is almost universally hostile to the idea. You don't have to dig far to find negative reaction.
"I'm sure the Austrian Secret Service will develop some pretty ingenious software to infect users' PCs, but there is a real danger that the package could leak into the hacker community," said Geoff Sweeney of security outfit Tier-3. "That scenario would create a serious free-for-all on the industrial espionage and identity theft fronts as legitimate Trojans are redirected to create an even more hostile environment for organisations to defend against," he said.
The authorities have been keen to portray the use of Trojans as similar to phone-tapping, a long established police practice the world over. However, Trojans are different on one important respect from phones and this is where the anti-malware companies sense trouble.
"How should anti-virus companies react to the existence of such malware? Detect it? Avoid detecting it on purpose? Avoid detecting hacking software used by Governments of which country? Germany, USA, Israel, Egypt, Iran?," commented F-Secure's Mikko Hypponen in a blog earlier this year.
The Austrian, German and Swiss Governments have yet to explain how they would circumvent security programs that might be used by criminals to protect themselves, whether this would involve collusion with security software companies and what would happen if such software-busting Trojans were subsequently reverse engineered and deployed by criminals themselves.
"The anti-virus companies aren't going to turn a blind eye to State-endorsed Trojan horses," said Graham Cluley of Sophos, himself a good barometer of likely industry opinion.
"We're going to add detection for them just like any other spyware. So, if the cybercops think they can give us a funny handshake, a wink and buy us a pint for not adding detection for the Trojan they're using to spy on their suspect they're mistaken.
"The reason why we take that policy is that we can't know if the Trojan has been placed there by the cops or a criminal. It's unlikely that the Trojan will say 'Copyright (c) FBI 2007'," he said.