Monday, 28 May 2012

the crippling blow.

in our last post, we had see how Trojan and Malware-Embedded Software operates in glimpse.
This post we'll talk on how the laws of Malaysia protects the users threaten by these malicious ware.

Like what have been stated before, we will have a look on The Computer Crimes Act 1997;
under the act we can safely note section 3 of the act,

Section 3- 

(1) A person shall be guilty of an offence if -

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; 

(b) the access he intends to secure is unauthorized; and

(c) he knows at the time when he causes the computer to perform the function that is the case. 

(2) The intent a person has to have to commit an offence under this section need not be directed at -

(a) any particular program or data; 

(b) a program or data of any particular kind; or 

(c) a program or data held in any particular computer. 

(3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding five years or to both


after looking at this section we can see that the actual words that note Trojan and Malware-Embedded Software are not in use. however, the legislators had turn the other way round by stating the actual workings of the Malicious wares. that fall under sub section (1).

it stated that to be executed, the person doing that offense must have caused the computer to perform to his needs while gaining access, access here meaning that it is obtained but unauthorized and lastly, he knew that the performance of the computer is on for his own purpose- what ever it is intended to.

when we talk about what the person intend to do by his his evil mind, sub section (2) crossed several direction so for to widen the scope of this section.

and in return for the offense, the person behind this Malicious ware can be sanctioned by no greater than Rm50,000.00 or imprisonment up to five years. or both. 

in this post, we can see that Malaysia takes matters seriously in order to create a safe environment in the computerized world, it should be noted that no matter in what form the offenders used for attacks, the laws ensures that justice will prevail.

for more insight you can refer to this site right over here,

no, i mean here.

wait wait. here it is!

-faris aka mikki-

modus operandi.

now in our previous post we had explained one of the main act to made any Trojans and Malware- Embedded Software eligible for an offense.
that is, under the Computer Crimes Act 1997.

specifically speaking, we can refer to Part II of the act; which discuss on Offences.

Section 3-  deals with unauthorized access to computer materials
Section 4- Unauthorized access with intent to commit or facilitate commission of further offence.
Section 5- Unauthorized modification of the contents of any computer.
Section 6- Wrongful Communication
Section 7- Abetments and attempts punishable as offences
Section 8- Presumption

To make a legal issue out of Trojan and Malware-Embedded Software, we must first establish:
1) how will the two activated
2) and once activated, how do they operate that may cause harm to a computer system.
3) and to what extend will the harm caused may affect a computer.

1) after some studies done before this post, it has been found that to activate the Trojan and Malware-Embedded is operational either right after installing or even once a folder to the program is accessed or run.
itt has been shown that these two malice is like land mine waiting to be stepped on.

2) their operation may cause disruption on the overall perfomance of a system, you can see that the computer might be running slow as usual, crashes, in some heavy cases- the cause of blue screen and to serious effect causes the operational of a computer to halt.

3) to one extend, it may cause a heavy damage to the computer, and a huge loss of money to repair or even to buy a new computer.

A legal note, for serious offenders.

After getting some description on what is Hardware Trojans and Malware-Embedded Software.
we will now move on to the legal part of the issue.

That is, to what extend will we put our offender who dispicably speaking had done such things.
and what Laws will Malaysia use in order to control such activities from happening.

to start, Malaysia has enacted the laws related to cyber crime, under the Computer Crimes Act 1997.
any misuse of computer or even cyber-related activities that causes issues can be made actionable under this act.
This act is comprised of three parts, 'Preliminary', 'Offences' and 'Ancillary and General Provisions'

more from this part will right up next.
for now, to have an over-look on what the Computer Crimes Act 1997.

you can refer to this link, RIGHT HERE

- Faris @ Mikki-


In reference to Izzat Al Faris's post titled 'The Food', I would like to further elaborate on one of the ways to solve this problem, which is through the proposed tort of negligent enablement of cybercrime. Firstly, let me correct him. It's actually a 60 page article by two prominent Professors namely; Michael L. Rustad and Thomas H. Koenig. It is not a case between them. They propose a new tort of negligent enablement which will hold software vendors accountable for defective products and services that pave the way for third party cybercriminals who exploit known vulnerabilities. In the present situation, the software industry has externalized the costs of making code safe for its intended environment of use onto its end users through one-sided mass market agreements. Moreover, computer users have no meaningful remedies for injuries such as the theft of personal data, computer viruses, or internet fraud enabled by software failure. The proposed negligent enablement tort fills the void left by the failure of contract law to give meaningful remedies for the unacceptably high levels of risk of computer intrusions due to defective software.

The public policy rationale for imposing secondary tort liability on software publishers who aid and abet cybercriminals is to reduce the rate of cybercrime. The proposed negligent enablement tort draws upon well established principles of the Uniform Commercial Code (UCC) Article 2. Article 2 > warranties, premises liability, and negligence-based product liability to construct a modified duty of care to produce safe software suitable for its environment of use.

This Article examines the elements of duty, breach, causation, and damages for the proposed negligent enablement tort as well as defenses, procedure, and possible policy-based objections. The number of detected software vulnerabilities has increased rapidly over the past decade.

In addition, the Federal Trade Commission estimated in 2003 that personal data from approximately ten million Americans was stolen that year, resulting in direct losses of $5 billion to consumers and another $48 billion in losses to the business community. This proposed way argues that a software vendor should be secondarily liable to consumers and other third parties for a new tort(the tort of negligent enablement of cybercrime)

Furthermore, courts should recognize a modified duty of care on the part of software licensors to incorporate reasonable security into their products and services. A claim of negligent enablement requires proof of the following elements:

(1) a duty of care owed by the software vendor to its customer;

(2) conduct below the applicable standard of care that amounts to a breach of that duty;

(3) an injury or loss;

(4) cause in fact; and

(5) proximate or legal cause.

Once the software publisher owes the licensee a legal obligation to conform to a reasonable standard of conduct, the question is whether the duty has been breached. Software vendors are the “cheapest cost avoider” because they have superior information about known or developing vulnerabilities in their products or services. The rapid pace of technological change has exposed a fundamental weakness in the civil justice system. With cybercrimes skyrocketing and an ever-increasing amount of sensitive information being exchanged on the internet, the development of robust and trustworthy computer systems is a necessity.

Thus, the new tort of negligent enablement brings good sense to software law for the millennium.

Hardware: Defined as "Goods"

        As we purchased any hardware in the market, we are exposed to the probability of having an unoriginal hardware in such a way that its functionality is altered to become a hardware that is out of our expectation and needs. This process of altering hardware specification is called Hardware Trojan horses (HTHs). HTH are the malicious altering of hardware specification or implementation in such a way that its functionality is altered under a set of conditions defined by the attacker.
           It is quite difficult to find a proper case in our legal system as a reference for legal issues related to Hardware Trojans Horse. However, it might be relevant to refer to Consumer Protection Act 1999 and Sale of Goods Act 1957. This is due to the fact that hardware is purchased and acquired in a tangible and physical state.
            This is in accordance with definition of “goods” under Section 2 of Sale of Goods Act 1957 which reads:

“goods” means every kind of movable property other than actionable claims and money; and includes stock and shares, growing crops, grass and things attached to or forming part of the land which are agreed to be severed before sale or under the contract of sale;

            Then, we also can refer to the Section 3(1) of the Consumer Protection Act 1999 which reads:
"goods" means goods which are primarily purchased, used or consumed for personal, domestic or household purposes, and includes –
(a) goods attached to, or incorporated in, any real or personal property;
(b) animals, including fish;
(c) vessels and vehicles;
(d) UTILITIES; and
(e) trees, plants and crops whether on, under or attached to land or not, 
but does not include choses in action, including negotiable instruments, shares, debentures and money.

            Then, for a clearer definition, we can refer to the St Albans City and District Council v International Computers Ltd, where Sir Iain Glidewell has ruled that:

In both the Section 61 of Sale of Goods Act 1979 and Section 18 of the Supply of Goods and Services Act 1982 the definition of "goods" is "includes all personal chattels other than things in action and money ...." Clearly a disc is within this definition. Equally clearly, a program, of itself, is not.

            Thus, from the above definition, we can conclude that hardware is included in the definition of “goods”. Next, we refer to the Section 32 of Consumer Protection Act 1999 for the implied guarantee as to acceptable quality.

Section 32. Implied guarantee as to acceptable quality
(1) Where goods are supplied to a consumer there shall be implied a guarantee that the goods are of acceptable quality. 
(2) For the purposes of subsection (1), goods shall be deemed to be of acceptable quality -
     (a) if they are -
          (i) fit for all the purposes for which goods of the type in question are commonly                  supplied; 
          (ii) acceptable in appearance and finish; 
          (iii) FREE FROM MINOR DEFECTS; 
          (iv) safe; and 
          (v) durable; and 
    (b) a reasonable consumer fully acquainted with the state and condition of the goods,                       including ANY HIDDEN DEFECTS, would regard the goods as acceptable having           regard to -
          (i) the nature of the goods; 
          (ii) the price; 
          (iii) any statements made about the goods on any packaging or label on the goods; 
          (iv) any representation made about the goods by the supplier or the manufacturer; and 
          (v) all other relevant circumstances of the supply of the goods. 
(3) Where any defects in the goods have been specifically drawn to the consumer's attention before he agrees to the supply, then, the goods shall not be deemed to have failed to comply with the implied guarantee as to acceptable quality by reason only of those defects. 
(4) Where goods are displayed for sale or hire, the defects that are to be treated as having been specifically drawn to the consumer's attention for the purposes of subsection (3) shall be defects disclosed on a written notice displayed with the goods. 
(5) Goods shall not be deemed to have failed to comply with the implied guarantee as to acceptable quality if 
     (a) the goods have been used in a manner or to an extent which is inconsistent with the manner or extent     
          of use that a reasonable consumer would expect to obtain from the goods; and
    (b) the goods would have complied with the implied guarantee as to acceptable quality if they had not
          been used in that manner or to that extent.
(6) A reference in subsections (3) and (4) to a defect is a reference to any failure of the goods to comply with the implied guarantee as to acceptable quality.

            Therefore, as a remedy, the consumer can refer to Part VI of Consumer Protection Act 1999:

Part VI - Rights Against Suppliers In Respect Of Guarantees In The Supply Of Goods
Section 39. Consumer's right of redress against suppliers
This Part gives a consumer a right of redress against a supplier of goods where the goods fail to comply with any of the implied guarantees under sections 31 to 37.

Legal Liabilities on the Creator of Trojan Horse Virus and Malware

Nowawadays, we live in a world that depends on the Internet 100%, thus there can be always people that take advantages on such dependence on the internet,this is because criminals now are able to commit more high-technology crimes too and its becoming more and more complex as they never ceases finding ways to bypasses different computer security system. Terrorists are using the net to plan attacks against the United States and with the aid of encryption, these messages are likely to be transmitted without being able to be tracked. This makes it more difficult for law enforcement officials as the Internet allows for instant and anonymous communications. Cyber crime can take many forms including the release of a virus which may cause the destruction of a computer system.

We have seen the ability of terrorists' attacks in the September 11 episode that led to mass killings of innocent civilians in a developed country. We have seen how the creation of the 'I Love You Bug', 'Melissa Virus' and the 'Bugbear' caused the destruction of data and loss of protected information across the world and in various industries with the facilitation of the Internet. We have seen and heard of the dangers of information being stolen by company employees that led to the downfall of giant multinationals across the globe resulting in damages totalling billions of dollars. Consider these different aspects of technology related crime and we can see that they all have an element in common which is for the compromise or destruction of computer data.(Ravin Vello, 2006) This is the list 10 top among more of dangerous and popular viruses that once had spread world-wide. (10_deadly_computer_viruses_that_shook_the_world)

Do take note that Viruses on Microcomputers such as Trojan Horses, bugs and worms are merely a method or technique in which hackers are using to gain an unauthorized access on other people's computer system and crackers would then made malicious modifications on the data secured by them through such viruses and worms. Thus, this post would discuss on the legal liabilities on the hackers involved behind viruses of Trojan Horses and malware on two perspectives based on Computer Crimes Act 1997 which is unauthorized access and modifications.

An advocate & solicitor, Sulaiman Azmil on CRIMES ON THE ELECTRONIC FRONTIER -- SOME THOUGHTS ON THE COMPUTER CRIMES ACT 1997 ([1997] 3 MLJ lix), mentions about unauthorized access offence or "hacking" with distinction of "cracking" where based on SE Miller which the author cited, distinguish between the two terms based on the intention of the hackers. It was believed that hackers are more noble than crackers as hackers may not necessarily have a malicious intention on other people computer system or informations and those with such intentions are actually the "crackers".  Competitions are also formally and widely made in universities and schools throughout the world based on "Hacking" ability as they are recognized to identify and also helps in improving computer system. This was emphasized by Mr Lim Kit Siang MP that argues of amendments on the Computer Crimes act to insert a clause of distinction between the two but was disagreed by AG's Chambers as an act of unauthorized access whether by a hacker or a cracker, is still an act to be the same as 'entering someone's house without permission'. ((raised by Mr Lim Kit Siang during a cyberlaw briefing organized by the Parliamentary Inter-Party Committee for Information Technology on 25 April 1997. In proposing the lowering of the fines to be imposed on hackers convicted of the offences under the Bill (as it then was), Mr Lim noted that the very high penalties (in the Bill) would stifle creativity of computer experts -- creativity which was important to boost IT development in Malaysia. Computer experts, it was argued, broke into systems to experiment, learn or demonstrate the low security of different systems: New Straits Times, 26 April 1997))

Thus, unauthorized access offence is set out in s 3(1) of Computer Crimes Act 1997. The provision states that a person shall be guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

The intent a person has to have to commit an offence under this section need not be directed at any particular program or data, a program or data of any particular kind or a program or data held in any particular computer.

Under s 2(2), a person is said to secure access to any program or data held in a computer if, by causing a computer to perform any function, he:

(a) alters or erases the program or data;

(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

(c) uses it; or

(d) causes it to be output from the computer in which it is held whether by having it displayed or in any other manner, and references to access to a program or data and to an intent to secure such access shall be construed accordingly.

For the purposes of the Act, access of any kind by any person to any program or data held in a computer is unauthorized if:

(a) he is not himself entitled to control access of the kind in question to the program or data; and

(b) he does not have consent or exceeds any right or consent to access by him of the kind in question to the program or data from any person who is so entitled.

Thus, based on (Sulaiman Azmil, 1997) ,he explains based on two divided criminal elements. actus reus of unauthorized access he said that it must be when the accused specifically "Causes a computer to perform any action". Thus any action on reality such as the reading of computer printout, the reading of data
displayed on the CRT monitor and 'computer eavesdropping' are out of the said section.

However, on the mens rea, it consists of two limbs,

1) there must be intent on the part of the defendant to secure access to any program or data held in any computer.

2) the defendant must know at the time when he causes the computer to perform the function that the access which he intends to secure is unauthorized.

Which both are neither specifically explained in the Computer Crime Act or the Penal Code. Intentions are observed as important by the author as reckless or negligent conduct in accessing any program or data cannot be charged under this act. Knowledge however are said to be difficut to prove as claiming someone to access an unsecured site may not necessarily be known by him that it was not authorized.

Thus, the prosecution may have to figure out the answers for the questions that need to be asked:

1) whether the access is authorized;

2) whether the party obtaining or seeking to obtain access to any programs or data had knowledge that this was not authorized; and

3) whether there was intention to commit the offence

Besides that, another issue to be looked at was on the phrase of 'any program or data held in any computer' in para (a) of s 3(1) which is explained in s 2(6) to include a reference to any program or data held in any removable storage medium that was inside the computer. It seems that the commission of offence under this act may only occur when the medium ( e.g disc, diskette, pen-drive, etc) was inside the computer. Thus, any other means of destruction or editing of the removable storage medium that was done to it outside the computer does not apply to this act.

In a UK case that we can consider is on the case of Attorney-General's Reference (No 1 of 1991) [1994] 1 QB 547, the defendant was an employee of a wholesale locksmith. After he finished his duty for the day, he returned to the premise wanting to purchase an item of equipment. Details of the sales transaction were entered into a computer terminal. The defendant, previously a sales assistant in the organization, had knowledge with the use of the system and, taking advantage of a moment when the terminal was left unattended, entered a code into the system. This resulted in the computer giving a 70% discount on the sale. The invoice which was subsequently generated hence charged the sum of £204.76 instead of the normal price of £710.96. The defendant was charged with an offence under the UK Computer Misuse Act 1990. At trial, the judge dismissed the charge, holding that the phrase in s 1(1)(a)63 referring to obtaining access to 'any program or data held in any computer' required that one computer should be used to obtain access to a program or data held on another computer.

Therefore, either techniques of hacking by writing trojan horse virus and malware, this two ways among many more can be viewed as techniques on gaining unauthorized access to other people computer system as they does not ask for the permission of the computer users first , to jeorpadized the computer system with the trojan horse virus or spied on the informations and datas inside any computer from the malware placed.

The second issue in which are vital to the topic is on the unauthorized modification offence which is an activity involved in damaging computers that ranges from unauthorized deletion of data to to denial of access (DoS) to authorized users. These activity are based on creating viruses, worms, logic bombs, malware and any other disabling programs. The very first famous viral infections was on 1988 which was called Brain.a. This virus which was written into software spreads to computer networks around the world and in the united states alone, it infected over 100,000 MS-DOS computers and disks.

Section 5(1) provides that a person shall be guilty of an offence if he does any act which he know will cause unauthorized modifications on the content of any computer.

For the purposes of the Act, a modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer:

(a) any program or data held in the computer concerned is altered or erased;

(b) any program or data is introduced or added to its contents; or

(c) any event occurs which impairs the normal operation of any computer, and any act that contributes towards causing such a modification shall be regarded as causing it.

Under s 2(8), any modification referred to in sub-s (7) is unauthorized if:

(a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and

(b) he does not have consent to the modification from any person who is so entitled.

At the simplest level, any deletion or addition of data can amount to modification. As previously noted, for the purposes of constituting the offence, there must be knowledge on the part of the perpetrator that the act performed will cause unauthorized modification of the contents of any computer.

Under s 5(4), a person guilty of an offence under this section shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding seven years or to both; or be liable to a fine not exceeding RM150,000 or to imprisonment for a term not exceeding ten years or to both, if the act is done with the intention of causing injury as defined under the Penal Code.

Therefore, whenever modifications made by a trojan horse virus which it was programmed to do so, the cracker behind such virus should be tracked down to held them responsible for the damages brought by such modifications made by their trojan horse viruses.


From the last post, I had gave you a set of problems. So in this post, I will give you the main idea to solve all of these problems.

Firstly, we could see that from problem 1 and 3, the problem caused when the new software been installed. When inspected, it is true that the software itself contains malware.

For both of these problems, the ones that liable for the damages is the producer for the software. The producer of the software may be the company or the programmer himself.  

It is not a problem to trace the producer for problem 1, as the software bought is a tangible item. It is easy to seek remedies as you have the proof that cause the damages. However, for the problem 3, it is quite hard to proof as it is an intangible product.

In Malaysia, the definition of software itself is still open for discussion. However, some of the Acts had define the goods as:

Electronics Commerce Act 2006
This act does not define "good" for the purpose of electronic commerce transition. The act caters to software available through ESD (electronic software download) as opposed to bundle software.

Consumer Protection Act
...transaction now can be use by means of electronic..

Sale of Good Act
They define goods as every kind of "movable property". Therefore  it is illogical to put software under this act definition of "goods"

Because of this, the remedies for the damages happened in the matter of software is hard to gain.
This is true as stated in the case of Gammasonics Institute for Medical Research v Comrad Medical (an Australian case), the court itself not reluctant to stretch the inclusive nature of the definition of goods. Here we can see that the court wanted to force the legislature body to give the new definition of goods that include software as one of its. On of the best example that Malaysia can follow is from the New Zealand as in their Consumer Guarantees Act, to avoid doubt, they definition of goods include the computer software.

Move on to the problem 2, it is quiet easy to gain an answer for that as surely the producer of the hardware, ZBOX will be held liable as they are also the owner for the online operating system of ZBOX. In the problem 2 it is not hard to proof the liability as it consist of something tangible, which is the console.

I think I should also stated here the remedies for the damages on the hardware or the software.

There are three types of remedies can be gained which is:
  1. Contractual civil remedies which are derived from the law of contract.
  2. Stand alone civil remedies which do not rely on statutory provisions, but still can be enforced and;
  3. Civil and criminal prosecutions 
We should know that when the software we bought is embedded with Malware, the contract for purchasing the software is voidable. We can this matter clearly in the case of  ProCD, Inc. v. Zeidenberg. In this case, the enforceability of "shrink wrap license" are being questioned. The court held that Zeidenberg did accept the offer by clicking through. The court noted, "He had no choice, because the software splashed the license on the screen and would not let him proceed without indicating acceptance." The court stated that Zeidenberg could have rejected the terms of the contract and returned the software. This is the reason why the EULA (End User License Agreement) contract is a voidable contract if there is a Malware embedded in it.

We as the consumer is well protected by the law. The law put the liability to the producer of the software as it is stated in the case of Rustad v Koenig.

Even though in Malaysia there still no ruckus happen because of all these matters (as lot of problems settled quietly), we should educate ourselves with these matter to become a good consumer for ourselves. 


Back to our main topic, the legal issues related to hardware trojans and malware embedded software, we should discuss here what to do when this situations happen:

1. You bought a software from an IT Store, then you going back home and install the programs. Unfortunately the programs caused your whole system to crash and when inspected, the software you just bought contains malware and that the main cause for the crash. You wanted a remedy for the damage happened. Who hold the liability for that?

2. You bought a new console of gaming, a ZBOX. The console use an online operating system to purchase the games for the console. You had entered your credit card number for purchasing matter. Suddenly, one day, you got your credit card bill and the amount you use is unreasonable. You called the credit card company and then when you asked about the matter they said the bill come from the console company. However, you does not purchase all the item listed in your bill. When inspected, your credit card had been hacked by the other user of ZBOX. Whose to blame?

3. You purchased a new program called FotoShoppe from an online market. However the programs contains malware that caused your computer to crash. Who you would seek for the remedies of the damages happpened?

All of these situation are ordinarily happened to people nowadays. Even though in Malaysia there are no cases listed on this matter, things actually still happened. It just not being brought to the upper level like the court as it is still not the culture of Malaysian to bring matters to court. You are opened to give your idea for all of the problems stated above and for the next post I will give the answers from the perspective of law.  


Computer Law fellow classmate's blog site

Dell finds the hard way to solve malware problem

Two years ago Dell faced a big problem which was its products were infected by malware. Hence, Dell contacted some customers directly concerning this matter. Dell also made appointments for them to change their motherboards that contain malware with a new malware free product. The malware was founded in the embedded server management firmware of replacements motherboards sent out for certain models of server. Even so, they cannot detect what firmware was involved and also what type of spyware was. Dell does say that the spyware is Windows-specific and that non-Windows systems are not vulnerable. New R410 systems are also not affected, just replacement motherboards. Some other reports have described this as a "hardware trojan" of the sort that has been theorized recently, but it is not. This is malware embedded in firmware, and firmware is simply software in a ROM. It's only slightly unconventional.

Update: Dell provided a statement:
"Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers - PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 - and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software. This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware. Customers can find more information on Dell's community forum." - Forrest Norrod, vice president and general manager of server platforms at Dell.

Wednesday, 23 May 2012

Hardware Trojan Horse (HTH)

Hardware Trojan horses (HTHs) are the malicious altering of hardware specification or implementation in such a way that its functionality is altered under a set of conditions defined by the attacker. There are numerous HTHs sources including non-trusted foundries, synthesis tools and libraries, testing and verification tools, and configuration scripts. HTH attacks can greatly comprise security and privacy of hardware users either directly or through interaction with pertinent systems and application software or with data. However, while there has been a huge research and development effort for detecting software Trojan horses, surprisingly, HTHs are rarely addressed. HTH detection is a particularly difficult task in modern and pending deep submicron technologies due to intrinsic manufacturing variability.

Since semiconductor manufacturing demands a large capital investment, the role of contract foundries has dramatically grown, increasing exposure to theft of masks, attacks by insertion of malicious circuitry, and unauthorized excess fabrication. The development of hardware security techniques is exceptionally difficult due to reasons that include limited controllability and observability, large size and complexity (the latest Intel processor has 2.06 billion transistors), variety of components, unavoidable design bugs, possibility of attacks by non-physically connected circuitry, many potential attack sources (e.g. hardware IP providers, CAD tools, and foundries), potentially sophisticated and well-funded attackers (foundries and foreign governments), and manufacturing variability that makes each Integrated Circuit coming from the same design unique.

There are several broad types of malicious hardware attacks that we consider. The first is gate resizing, where the attacker intentionally changes the sizing factors of one or more gates in such a way that the circuit passes all standard timing test, but its timing for a certain inputs is incorrect or its switching or leakage power are globally or locally increased drastically. Note that many other gate sizing attacks can be envisioned, including one where the sizes of the gates are altered in such a way that the calculation of internal signals is facilitated through altered timing or switching power. In the second type of attack, the adversary adds one or more gates so that the functionality of the design is altered. It is important to observe that the gates can be added so that no timing path between primary inputs and flip-flops (FFs) and primary outputs and FFs is altered. However, leakage power is always altered because even if the attacker gates the added circuitry, the gating requires an additional gate. Our HTH detection approach is generic in a sense that it can easily be retargeted to other circuit components, such as interconnect by considering more comprehensive timing and/or power models.

Here we present specific HTH, in an attempt to describe the nature of HTH attacks in general. A simple, yet powerful HTH attack is presented in Figure 1, which shows how ghost circuitry can be activated in a cell phone when specific inputs or data are detected at specific memory locations. The unshaded portion of the circuit represents the HTH circuitry when it is activated by a HTH caller ID number. Upon activation, the attacker bitstream (ABS) is activated and the initial cell phone design is corrupted. In this example, HTHs will either cause the cell phones to malfunction or cause confidential information to be leaked. Important information can be disclosed after activation of the HTH. The exploited phone can automatically dial a hidden spy third party when certain numbers are dialed. Ghost circuitry (HTH) may be difficult to identify by traditional timing/power analysis techniques. To avoid timing analysis-based detection, an attacker only needs to ensure that no path delays between the inputs to flip-flops (FFs) or between the outputs to FFs are increased. Also, the switching power can remain stable until the trigger of the attacker’s caller ID activates the HTH.
Figure 1. Example of a cell phone HTH

Tuesday, 22 May 2012

The Trojan Horse Defense

There is a defense which came up during the year 2003, which is called the "Trojan Horse Defense" which attributes the commission of a cybercrime on a malware, whether a Trojan Horse, virus, worm or other programs in which it has been called such a way because its a defense which can be use over a cybercrime that was based on the operation of a Trojan Horses virus. It has been believed that such virus has a malicious funtionality that includes anything from donwnloading , editing or crushing files, spy's on other users screen to attacking other computers. Thus, this defense are used for crimes related to cyber crime where a virus was involved in it as virus of Trojan Horse are capable of malicious malfuntional by itself even without the presence of the user or the hacker themselves as the virus was programmed to do so. Having a defense that putting the blame over a virus is acceptable to the modern law and many cases of it has been tried over the courts. ( Susan W. Brenner, Brian Carrier, and Jef Henninger "THE TROJAN HORSE DEFENSE IN CYBERCRIME CASES" CERIAS Tech Report 2005-15)

The leading case in which first brought such new defense to the cyber world's attention was on the case of Aaron Caffrey which was basically charged on "carrying out a denial of service attack on the computers of the port of Houston, Texas or in other words hacks them, and causes them to shut down on September 20, 2001, which was less than two weeks after the 9/11 attacks. 

The prosecution submitts that the attack came from Caffrey's laptop computer, but denied by Caffrey that a virus of Trojan Horse whcih was installed on his computer by someone else was doing the attack. However, investigations done by the forensics and yet no trace of Trojan Horse virus was found in the laptop computer. But claimed by the defense that the virus had "self-erased" of its own traces. Caffrey's defense was successfull and the jury acquitted Caffrey and convinced by the defense counsel that "a Trojan Horse armed with a 'wiping tool' was responsible, enabling the computer to launcg teh DoS attack, edit the system's log files, and tehn deletes all traces of the rojan- despite prosecution claims that no such technology existed"

Another case, which came up few months before Caffrey's acquittal was another United Kingdom's case where the defense used the same defence of Trojan Horse in rebutting the prosecutions charge of the plaintiff's, Julian Greene, over possession of child pornography. He was charged over having 172 indecent pictures of children in his computer and also prior to the investigation, 11 Trojan Horse program was also found. Green's attorney argued that the indecent pictures was put or downloaded by the virus to be placed on Greene's computer. Having the chain of custody for the computer did not excludes the possibility of someone else could placed the virus on Greene's computer, thus the prosecution offered no evidence to counter-claims.

Few months prior to this case, similar case came about on UK over another man called Karl Schofield. Forensic experts concludes that in existence of the Trojan Horse programs  on his computer, thus the same indecent children pictures that was found on his computer was also viewed as was placed by the same malicious programs.

A different case which is important to be highlighted upon was the case of Eugene Pitts on the United States where he was prosecuted on nine counts of tax evasion and filing fraudulent tax returns with the Alabama state revenue department. Pitts asserting that the errors was actually the result of a virus that he did not aware of until after the stat revenue investigators alerted him in 2000 of problems with his personal and corporate returns. Pitts then acquitted of all charges by the jury.

The common thing about these four cases was that this defense was almost the same with the defense of SODDI which stands for  "Some Other Dude Did It". In which in this defense, when someone raises it, he or she concedes that the crime was not not done by him or her but blames it on someone else unknown to him and others. This defense was particularly viewed sceptically, because jurors usually understands hwo the real-world works. Serene said that the SODDI defense was actually much more successfull in the cybercrime cases because it involves things in which most jurors dont understand enough to buy claims of caffrey's about being framed by self-erasing Trojan Horse Program.

Thus for a THD to be convinced to the jury, all the defense have to do is to present credible evidence that would let a 'reasonable juror' finds that the crime was done by someone else according to the SODDI defense which was the crime was done by someone else.  Then, the prosecution must rebut the defense by proving that it was beyond reasonable doubt that it was the defendant who done it not Some Other Dude Using a Trojan Horse. The prosecution however still available to ponder around proving a negative argument where : it was not Some Other Dude Using a Trojan Horse prgram who done it. Yet, doing this is not easy to do so. This part of the case comes from one of the expert witnesses :

" I was one of the prosecution expert witnesses in the case of Aaron Caffrey. His computer was used to launch a distributed denial-of-service (DoS) attack. One of the computers used for the DoS attack belonged to the Port of Houston, and it crashed as a result of the DoS script intrusion. On Caffrey’s computer there were IRC logs in which he apparently discussed the launching and probable effect of the DoS attack; there was the DoS script itself; and there were logs of the program being run. It seemed an open and shut case, in which a love-struck 17-year-old defended his American girlfriend’s honour by responding to insulting IRC behaviour by launching a DoS attack. 
 . . . . 
I analysed the seized computer and found no viruses or Trojan programs infecting any of the applications loaded on it. There was no evidence of any backdoor services having been enabled; there was no evidence of any logs having been altered; there was no evidence of any vulnerable services that could have been used to hack into the computer; and there was no trace of any secure deletion tool having been used. In short, there was no evidence that the computer had ever been remotely controlled. Though the defence effectively claimed a big boy did it and ran away, I could find no footprints where I would expect to have found them. Caffrey’s defence was that such footprints could have been completely erased; the prosecution’s assertion was that it is not possible to erase all the footprints, and that the attempt to do so would leave distinctive remains. For the defence, no computer expert witness was called to offer support to the claim. Caffrey himself served as his own expert witness. Despite no evidence beyond Caffrey’s assertion that running programs could delete themselves without a trace, the jury found him not guilty. This leaves the prosecution of computer crime in the UK in a difficult position. Every case will now offer the defence of an untraceable Trojan horse program having been responsible. As a result of this decision, internet paedophiles and careless hackers have been offered a “get out of jail free” card 
that we will have to work very hard to counter. We will have to find better ways of presenting our arguments and of explaining how computers work - it’s not going to be easy, but it is going to be necessary."

Therefore according to statement which was given, such defense will proven to be a difficulties to the prosecution at the later date as it involves with such a complex mechanism of programs and the explanation of it must be carry out in a laypeople's term so that everyone could understand it. Blaming a Trojan Horse virus is a new thing in the eyes of the law. For a computer program to done a cybercrime and appears to be framing other people that does it, is not impossible. However I do believe that blaming alone the Trojan Horse virus may not be sufficient to achieve justice as there are more things that should be done, that is, tracking the hacker behind these Trojan Horse virus which are doing more and more cyber crimes in the internet world. Although unfeasible as of right now, but possible to be done in the future in order to track the hackers more efficiently to tackle the increasing rate of cybercrimes.  However, it is significant as of right now, that the law finally recognized of such malicious computer program of Trojan Horse Virus that the defense of it was created prior to the case of Aaron Caffrey. With this, we can see that the law are developing following the flow of modern times of the computer world and one day, a universal statute or provision can be made over the usage of programs on the internet to curb more efficiently of problems brought by Trojan Horses viruses.

Saturday, 5 May 2012

Definition of Software and Malware

Following my friend Afiq Roslan (aka Hitman) post for the Introduction, I will give a further explanation about the Software and the Malware. 

Software is a collection of computer programs and related data that provides the instructions for telling a computer what to do and how to do it[1]. Software refers to one or more computer programs and data held in the storage of the computer for some purposes. In other words, software is a set of programs, procedures, algorithms and its documentation concerned with the operation of a data processing system. Program software performs the function of the program it implements, either by directly providing instructions to the computer hardware or by serving as input to another piece of software. The term was coined to contrast to the old term hardware (meaning physical devices). In contrast to hardware, software "cannot be touched"[2].Software is also sometimes used in a more narrow sense, meaning application software only. 

And the next one Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. While it is sometimes software, it can also appear in the form of script or code. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software.[3]
So basically, software is a programs which is an instruction or tool for our computer to do works. For example, software of Microsoft Word is a tool for our computer to do typing. So do other computer programs like Internet Browser, Paint, your-favorite game Call of Duty and others. All of the programs made of tiny-tiny data and numbers that being programmed by the programmer and then work together to produce an instruction that create the software.

On the other hand, Malware, the combination of words of Malicious and Software, work as the villain or destructor for your computer. They are:

The Malware are also software, where they also made up from data and numbers. However, unlike software which gives instruction to the computer, they exploited our computers. I will give further explanation about the categories of the malware.

1.       Computer viruses : computer program that can replicate itself and spread from one computer to another, e.g. Elk Cloner(the first personal computer virus)

2.       Trojan horses : program with a benign capability that conceals another malicious program.

3.       Spyware : program installed on computers that collects information about users without their knowledge. 

4.       Adware : software package which automatically renders advertisements.

5.       Rootkit : stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

6.       Malicious programs : Other than above categories, if the program are malicious and exploited our computer, they are malicious program, e.g. Hijackers, Toolbars and Dialers

This is the easy definition for both Software and Malware. For the next post, I will explain further on the Software vs Malware in the legal field. Oh, last but not least, if there is any question on our topic, just post it in the comment box on respective post, thank you!

[2] " WordNet 2.0", Princeton University, Princeton, NJ.

Wednesday, 2 May 2012

Cyber Law

Please show some support to our fellow comrades whose taking Cyber Law. They are also making a blog with 'Cloud Computing' as the topic of discussion. This is the link to their blog, Show some love by giving constructive comments and reviews regarding their articles.


This will be my first post for the topic 'Legal Issues Related to Hardware Trojans and Malware-Embedded Software'. So basically I'll start off by explaining the definition and give a clearer view on the two malicious viruses. The common question people, or the so called netizens, will ask globally is "What is Trojans?". Let me illuminate you people with the proper nationwide accepted definition given by the 'Oxford Advanced Learner's Dictionary International Student's Edition 7th edition', Trojans is '2 (computing) a computer program that seems to be helpful but that is, in fact, designed to destroy data, etc.' A Hardware Trojans is normally associated with an integrated circuit. This integrated circuit is then modified maliciously, hence the name Hardware Trojans. Hardware Trojans is also known as HTH. The hardware that has undergone malicious alteration(Hardware Trojans), could result in functional changes to the system. This is very bad to the system itself as it somehow tries to bypass the security wall of a system. Not to mention its capability to disable the security wall as well which is more dangerous and poses a bad consequent.When this happens, it will allow confidential information to be leaked and stolen without the owner's consent. This is not as worrying as most people assumed that the hardware is secure and trusted. On the other hand, Malware-Embedded software is also dangerous but the only difference is they attack in another manner. This is when the law comes to the rescue. A saying by TIMES INDIA states that, 'No one is immune to cyber crimes and attack'. Furthermore, at the same time, legal issues start to arise. This is why our group will be discussing this topic by posting current issues, local and international development, decided cases and many more. The laws governing this area are the Computer Crimes Act 1997, Penal Code (Act 574) and many more.