Naavi.org has time and again warned security specialists about bragging about their hacking exploits on the web.
On August 25, 2010, Naavi.org had brought to the notice of public how a senior software professional from Hyderabad working in a leading software company had bragged on his blog about a tool to hack IRCTC booking system. After realizing his mistake, the professional had withdrawn the web post which made the tool available free to public.
Again , in this article “Developer or Virus Writer” written on May 18, 2013 with reference to a news report ,it was highlighted that a legitimate Apple Developer ID holder had released a malware that could bypass Apple’s Gatekeeper.
The point we were making in these incidents was that security professionals without knowing the legal consequence of their activities and more particularly about the publication of their activities land themselves in problem.
Today I came across another LinkedIn posting which states as under:
“Hacking Windows 10 was one of my topmost priorities since the beginning of this year. Finally I did it. “
The post has been made by a Cyber Security professional and explains how Windows 10 can be hacked and a payload can be unauthorizedly introduced.
“Good evening friends. Hacking Windows 10 was one of my topmost priorities since the beginning of this year. Finally I did it. Hercules is a special payload generator that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how to hack Windows 10 with this tool.”
One can feel the excitement of this hacker who volunteeers that he was planning this hack for a long time and finally has succeeded. He goes on to remind people that the payload generator used has “features” such as “keylogger” which make it “too cool”. Then he goes about explaining step by step how the payload can be dropped onto an unsuspecting computer user working on Windows 10 as well as Windows 7 and Windows 8.
Many other security professionals may hail this as “Great”.
But let me remind this security professional that if Microsoft lodges a formal complaint or if the Police or an Adjudicator takes suomoto cognizance that this article is providing guidance to public and criminally minded script kiddies to place a “Computer Contaminant” and “Keyloggers” into a user’s computer, it may tantamount to an offence under ITA 2008 which is cognizable.
The security professional then has to try to hide behind the fact that before the software is finally installed there would perhaps be a screen asking for the user’s permission and only if the user says “Yes” it will proceed.
Legal professionals will however clarify that even if the user clicks “Yes”, his “Permission” has been obtained by “Deceit” and will be considered invalid.
I consider this action and the publication as some thing similar to a murderer going to town with an advertisement that
“I wanted to check if I can murder a person with a new poison that I have detected. I am glad to announce today that I have succeeded. You can also use the poison and here is how to make it”
God bless the security professionals who think this is the way to expose their security skills.
I have posted a note on the person’s LinkedIn profile and look forward to receiving his reactions.
(P.S: I will post a link to this article in some groups which contain not only Police officials like Dr Triveni but also several vocal cyber security professionals. It would be interesting to watch their reactions.)