Nov. 11, 2009

Child Porn Virus: Threat or Bad Defense?

Larry Magid Addresses Fears that Computer Viruses Can Put Illegal Files on Your Computer



(CBS)  A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you?

Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if convicted, deprive them of their freedom for years if sentenced to prison time, and perhaps for life, if they're required to register as sex offenders.

That is why, at least in part, a recent case outlined by the Associated Press raised concerns over computer viruses being used to plant child pornography on people's computers. But the innocent have little to fear, according to experts.

The AP story reported on the case of Michael Fiola, a former Massachusetts state employee whose state-owned work computer was found to contain illegal child pornography images. He was fired and charged with possession of child pornography, which, had he been convicted, could have landed him in prison for up to five years, according to the AP.

Sexually explicit images of children - who are often being exploited - are not protected by the First Amendment because they may memorialize, celebrate, or encourage sexual crimes against children deemed defenseless victims. Although Fiola avoided a child porn conviction, he reportedly has suffered related indignities, including death threats and friend abandonment. The AP said he and his wife liquidated their savings and spent $250,000 on legal fees.

Ultimately, charges were dropped after Fiola's defense showed that his computer was infected by a virus that was "programmed to visit as many as 40 child porn sites per minute," something that a human couldn't do, even if he or she tried. Other reports about this case indicate that the antivirus software on Fiola's computer was out of date and therefore was not protecting him against malware.

Could it happen to you?

How likely is a case like Fiola's? If viruses are capable of putting illegal content on people's computers, aren't we all at risk of being arrested for serious crimes we never meant to commit? And if it is possible for this to happen, isn't "the virus did it" claim likely to become the mantra of every defense attorney who represents people accused of possessing child pornography?

To help answer these questions, I spoke with security experts, legal scholars, former prosecutors, and Justice Department officials. The consensus? It is indeed possible for malicious software to plant child pornography - or any other type of file, for that matter - on an innocent person's computer, but being possible doesn't mean it's likely. And forensics experts can detect intention.

"It's quite possible for a malware creator to include child pornography as part of the payload on an infected computer," according to Symantec spokeswoman Marian Merritt, but "such payloads are not typical."

Most malware authors, Merritt said, "are motivated by money, and there's no clear indication as to how planting child porn on an unsuspecting person's computer would help generate money for criminals."

One possible motive for remotely using someone else's computer to store child porn is to make it possible to access the contraband without running the risk of it showing up if your PC is seized or searched. Merritt worries that "this could become a possible use for malware, going forward," but Michael Geraghty, executive director of the National Center for Missing & Exploited Children Technology Services Division, said that, while possible, it's not an effective way to store child porn and remain undetected.

Disclosure: I serve without compensation as a board member at the National Center for Missing & Exploited Children, which deals with child porn cases. Still, I don't necessarily agree with all NCMEC policies, nor do I speak on behalf of the organization.

"If you put the images on someone else's computer, you might not be able to retrieve them when you want them," Geraghty said. He pointed out that the zombie machine storing the data would have to be turned on and connected for the malware sender to access it. If it weren't online, or the files had been deleted, the files wouldn't be there to retrieve.

Another deterrent, of course, is a potential digital trail between your computer and the one you're using to store it. Although there are ways to evade detection, forensic investigators do have ways to trace Internet Protocol addresses to catch people in the act of uploading and downloading material.

"I've never seen it where child porn was intentionally placed on someone's computer because of a virus," Geraghty said. He has, however, seen cases where "someone was redirected to a site where it could have entered the cache." If someone were to go to a legal adult porn site, it's possible that the browser would "open 100 different windows," including some that could contain child porn. "As a result of that, any images on any of these sites would be cached, and there would be a record that you had been there."

But Geraghty said investigators can tell the difference between someone who deliberately downloaded such images and someone who may have inadvertently downloaded perhaps thousands of images because of a virus or misdirected Web site.

Totality of evidence

"A good forensics expert would try to determine how (the images) got on the computer and who was responsible for putting them there," he said. "That would be determined by looking at the totality of the evidence, not just the fact that there were images there."

Things a good investigator would look into include whether the suspect was sitting at the computer at the time the images were downloaded. Was he using the computer to send e-mail or visit other Web sites at the time? "There is always some type of trail we can follow to determine if the person were likely actively involved in the process of downloading the material," Geraghty said.

Another indicator is the time lapse between image downloads. A virus or Trojan horse is likely to download multiple images at a time, sometimes faster than might be humanly possible to do manually. A person who collects child pornography typically acquires it over a period of time, and a forensic investigation of the computer should reveal that.
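The timing check described above can be sketched as a sliding-window count over a browser-history timeline. This is an added example, not part of the original article or any forensic tool; the threshold, the host names and the sample timeline are assumptions constructed for illustration.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_HOSTS_PER_WINDOW = 15  # assumed ceiling for manual browsing; tune per case


def find_bursts(visits, window=WINDOW, limit=MAX_HOSTS_PER_WINDOW):
    """Return merged (start, end) intervals in which more than `limit`
    distinct hosts were visited inside one sliding `window`."""
    recent, hosts, bursts = deque(), Counter(), []
    for ts, host in sorted(visits):
        recent.append((ts, host))
        hosts[host] += 1
        # Drop visits that have fallen out of the window ending at `ts`.
        while ts - recent[0][0] > window:
            _, old = recent.popleft()
            hosts[old] -= 1
            if hosts[old] == 0:
                del hosts[old]
        if len(hosts) > limit:
            start = recent[0][0]
            if bursts and start <= bursts[-1][1]:
                bursts[-1][1] = ts  # overlaps the previous burst: extend it
            else:
                bursts.append([start, ts])
    return [tuple(b) for b in bursts]


def activity_during(burst, activity, slack=timedelta(seconds=30)):
    """Interactive events (e-mail sent, document saved) near a burst."""
    start, end = burst
    return [a for a in activity if start - slack <= a[0] <= end + slack]


def build_sample():
    """Constructed timeline: slow daytime browsing, then a night-time burst
    at 40 hosts per minute (the rate quoted in the article)."""
    day = datetime(2009, 1, 5, 9, 0, 0)
    visits = [(day + timedelta(minutes=4 * i), f"news{i}.example") for i in range(5)]
    night = datetime(2009, 1, 5, 23, 30, 0)
    visits += [(night + timedelta(seconds=1.5 * i), f"site{i}.example") for i in range(80)]
    activity = [(day + timedelta(minutes=2), "email sent")]
    return visits, activity


if __name__ == "__main__":
    visits, activity = build_sample()
    for burst in find_bursts(visits):
        print(burst[0], "->", burst[1], "user activity:", activity_during(burst, activity))
```

A burst with no interactive activity around it is a lead for the examiner to follow up, not a conclusion on its own.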

Phil Malone, a clinical professor at Harvard Law School and director of its Berkman Center Cyberlaw Clinic, agrees that a good forensic investigator should be able to tell the difference between files placed by a virus and ones deliberately downloaded.

"It's the excuse of the moment for defendants," he said. "Lots of child porn defendants try to blame (images found on their computers) on viruses, but it's almost never true. You can actually figure this out. In the handful of cases that have been problematic, it looks as if everyone moved too quickly. The agency discovered material and immediately jumped to conclusions." Malone added that "good, solid forensics would be able to tell in virtually every case."

Malone agreed with Geraghty, of the National Center for Missing & Exploited Children, that it's fairly common for someone, when viewing adult pornography on a Web site, to inadvertently receive pop-ups that may include images of child porn.

"It's possible to tell if something was opened or saved to a file from the cache," Malone said. Investigators can usually figure out if an image was downloaded intentionally, based on other activity that took place on the computer at the time, he said, adding that it's incumbent on both prosecutors and defense attorneys to launch a thorough investigation that includes analyzing a copy of the hard drive to determine not just which images are stored within, but also how they got there.

Geraghty said it's important to look at other factors. "The computer holds a lot of information about the searches that someone runs. If there were none of those searches and nothing else but some images in the cache, you would question how they got there. You would look for collaborating evidence such as intent to visit the site (and capability) of visiting the site. Did he have knowledge?"

A good investigation will look for exculpatory evidence to see if there are other explanations for the images. That investigation, Geraghty said, should start with making one or more exact copies of the suspect's hard drive and examining those copies to look for evidence of malicious software that could be responsible for the images. Defense attorneys can also gain access to a copy of the drive, but because it may contain illegal child porn images, their experts will probably have to examine the drive at the police station or prosecutor's office; possession of those images--regardless of the reason--is illegal for anyone other than personnel granted immunity.

Burden of proof

"In each case, the prosecution will need to prove (that) the defendant knowingly and intentionally possessed, received, or distributed child pornography," according to Drew Oosterbaan, chief of the Child Exploitation and Obscenity section of the Justice Department. "The proof starts with establishing that the images involved are child pornography and ends with establishing that the person charged is criminally responsible for it. We prove the latter in myriad ways."

Oosterbaan said that when someone is charged with possessing child pornography on his computer, "the computer is, in many ways, a crime scene, and the forensic examination of that computer is critical to meeting the elements of proof in the prosecution." He added that "it's important to remember that in every case, the government carries the burden of proof."

Oosterbaan said he is not aware of any cases in which botnets were used to plant child porn on other people's computers.

A former federal prosecutor now working for a technology company, who requested anonymity, said this may become a bigger issue as we enter the era of cloud computing, in which more and more data is stored on Internet servers instead of hard drives.

"There is no question that perpetrators are going to look for places to hide their criminal activity, including child porn, because they're increasingly aware that if law enforcement comes to their house, they will see the material," the former prosecutor said, adding that companies in the cloud storage business need to be aware that their systems could be used for illegal purposes. "They should reach out to the National Center for Missing & Exploited Children to implement a system to compare uploaded files against hash marks (digital fingerprints) of known child porn images."

As with any other security issue, the best defense is to protect your machine against intrusions. This includes:

• Making sure that your operating system and regularly used software are up-to-date.

• Using good software addressing malware, phishing attacks, and/or spam, and keeping it up to date. Subscriptions to paid programs should be renewed.

• Being cautious about spam and about providing information to sites you navigate to from links within even the most legitimate-appearing e-mails.

Note: This article originally appeared on CBSNews.com's sister site, CNET.com.

© MMIX, CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.
by mnbrant November 11, 2009 9:21 PM EST
Yeah the expert doth protest way too much. The fact is that the judge will not pay money to do any kind of forensic test (other than actually finding porn) because all they care about is making a conviction. If you read the AP article you will note that they look for evidence such as emails. Such evidence, such as forging an email or placing hundreds of thousands of files on a host computer is almost painfully easy for someone to do. Emails are optional of course. In this case there were no emails or any other evidence that the family put the porn on their computer. Still their defense cost .25 million. There are others with valid claims who don't have .25 million for their defense rotting in jail right now. That AP article says that saying that someone else put files on your computer is called the "lottery defense" among prosecutors. It isn't going to work (unless you have millions to do your own forensic tests). I would guess the reason that the government is unwilling to accept that someone else could put files on your computer is that this is a perfect way to put dissidents in prison with no questions asked. It has the added benefit of discrediting the person so they have no say in society. With the coming downturn in America I expect to see this used more and more often as they will need more and more bodies for their labor camps to replace the dead ones. Brant
by billpl-2009 November 11, 2009 6:45 PM EST
possession kiddie porn is not the problem

it's only pixels on a screen

the problem is the people who make it and sell it
by ToolMangler1 November 12, 2009 2:59 PM EST
That is every sicko with a camera phone....
by us_1776 November 11, 2009 3:41 PM EST
With the problems of malware and viruses doing all kinds of things to people's computers, I would only be convinced that a person intended to engage in child porn if I witnessed them in the act, or if they had copied and stored the images on a CD/DVD or USB stick. That would be convincing evidence. Just finding it somewhere among the millions of files on a computer would not be convincing to me.
by rwsmith29456 November 11, 2009 3:25 PM EST
Even though my child's account has parental controls once when doing a search for schoolwork a picture popped up of a very nude woman. I believe it fooled the parental controls because it was only a picture, no words or any association with sex. At least it wasn't anything perverted.
by x684867 November 11, 2009 8:20 AM EST
It is theoretically possible for virus authors to create such malware for a profit motive. In this story the claim is asserted that there can be no monetary gain had by distributing child pornography via malware. However, this is incorrect.

Theoretically, where the malware acts as a kind of peer-to-peer filesharing package, it would be possible for malicious parties to use an unsuspecting computer as a dead-drop for distributing pornography. In this case, the computer owner's computer is infected with the package, which downloads images for subsequent distribution to third parties. As the internet IP address assigned to the infected computer is most likely dynamic, the infecting (control) and pornography source computers would be isolated from subsequent discovery within a timeframe likely to result in the apprehension of the pornographer. Meanwhile, as it is not likely for the infected computer to be identified and cleaned for some time, it will continue acting as a distribution point for significantly longer. If identified by law enforcement, the true pornographer will not be arrested. Instead the computer owner will face the consequences.

Initially in my experiments on this subject, I tested this theory using two computers secured behind separate firewalls, creating my own 'model internet.' This network operated with four hosts: infector (webserver), source (file repository), distribution point (infected target) and end-user. The initial test media was a text file representing music files and other copyrighted material.

In the test scenario, the infector was a third party (unknown) site which was compromised by one of the many attacks which can be conducted to inject malicious code into a web server. The source was a simple webserver with a static IP but no DNS records. The third system (target) accessed a page on the infector, which caused the target to prompt the user to install a file claimed to be a 'codec' (coder/decoder software for viewing video or listening to audio). In fact, this 'codec' was an executable (.exe) file which would install the malicious package to the target computer. Once the package was installed in the hypothetical scenario, the package was designed to operate as a background program (or service). This service would begin to download files from the source computer and to make the same files available to other systems for distribution. This distribution is made by 'announcing' the computer's location to a 'tracker' web page on the infector computer. (Note: due to a limited number of computers, I had to reuse the infector computer. In practice the 'tracker' would be a link posted almost anywhere online, including on other subject-related sites.) The service on the infected computer must keep the open port to the tracker alive by periodic HTTP transmissions. This allows the end user to access the 'tracker' link on the web page and gain access to the illicit content on the infected distribution system. (Note: many details are omitted to prevent any third-party from benefiting from this comment. The 'tracker' aspect of this theory is the hardest challenge to overcome.)

It is possible that malicious parties could develop proprietary protocols for distributing information between source computers and the infected distribution channels. This could include encrypted network communications to avoid detection as well as many other tactics. During this experiment, the solution to detect the activity was to proactively monitor the network devices. In this scenario all traffic used HTTP (Port 80). Since virtually no desktop computer has reason to show signs of inbound HTTP requests, the baseline was assumed to be zero inbound HTTP traffic. Network administrators could develop baselines for all devices at first installation and later compare their network traffic to these baselines for faster detection of these attacks. This was how the problem was 'identified' in this scenario. Yet computer criminals understand that in many cases network security is a low priority. Further, the manpower to manually monitor security logs is costly and the talent to configure automated systems for monitoring traffic is hard to find. Until then, a good anti-virus package and the common sense of the public is all we have.

--Sam Caldwell (mail@samcaldwell.net)
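The baseline comparison described in the comment above, as an added example that is not the commenter's code: it flags inbound connections to internal hosts on ports missing from a per-host baseline recorded at installation. The flow-record format (one line per connection, initiator first), the address ranges and the baseline table are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed LAN range

# Assumed baseline: inbound ports each host legitimately served at install time.
BASELINE = {
    "10.0.0.5": {80, 443},  # intranet web server
    "10.0.0.21": set(),     # desktop: zero inbound services expected
    "10.0.0.22": set(),     # desktop
}

# Constructed connection records: time, initiator IP and port, responder IP and port, protocol.
SAMPLE_FLOWS = """\
# time src sport dst dport proto
2009-11-11T08:00:01 10.0.0.21 49152 198.51.100.7 80 tcp
2009-11-11T08:00:05 203.0.113.9 50111 10.0.0.5 80 tcp
2009-11-11T08:01:10 203.0.113.40 51000 10.0.0.22 80 tcp
2009-11-11T08:01:12 203.0.113.41 51001 10.0.0.22 80 tcp
2009-11-11T08:02:30 10.0.0.21 49200 10.0.0.22 80 tcp
truncated line
"""


def parse_flows(text):
    """Yield (src, dst, dst_port); skip comments and malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 6:
            continue
        _, src, _, dst, dport, _ = fields
        yield src, dst, int(dport)


def inbound_deviations(flows, baseline=BASELINE, net=INTERNAL_NET):
    """Return {host: {port: [initiators]}} for inbound connections to
    internal hosts on ports that are absent from the host's baseline."""
    found = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        if ipaddress.ip_address(dst) not in net:
            continue  # responder is outside the LAN: outbound traffic
        if dport in baseline.get(dst, set()):
            continue  # service was present when the baseline was taken
        found[dst][dport].add(src)
    return {h: {p: sorted(s) for p, s in ports.items()} for h, ports in found.items()}


if __name__ == "__main__":
    for host, ports in inbound_deviations(parse_flows(SAMPLE_FLOWS)).items():
        for port, sources in ports.items():
            print(f"{host} accepted inbound port {port} from {sources}")
```

A host with no baseline entry is treated as having no permitted inbound services, so any inbound connection to it is reported.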