Posted: 12th Mar, 2009 By: MarkJ
Bizarrely, the BBC has admitted to hijacking (hacking) 22,000 personal computers without user consent. The computers were then turned into a botnet, though allegedly no personal information was accessed on any of the infected systems.
The BBC News Online summary reports that the effort was made as part of an investigation into global cyber crime and to raise awareness about security. They claim that had the "exercise" been done with criminal intent then it would have broken the law:
[BBC] Click ordered its PCs to send out spam to two specific test e-mail addresses set up by the programme. Within hours, the inboxes started to fill up with thousands of junk messages.
By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.
Amazingly, it took only 60 machines to overload the site's bandwidth. DDoS attacks are used by extortionists who threaten to knock a site offline unless a hefty ransom is paid.
The BBC claims to have now destroyed its botnet and informed owners of the unprotected PCs involved. It's certainly a very interesting, if somewhat legally questionable, way of exposing a well-known problem with online security.