Child porn hidden in legit hacked websites: 100s redirected to sick images

Innocent companies' websites are being hacked to serve images of child sex abuse, the Internet Watch Foundation has warned. The charity said that, in the past six weeks, it has received 227 reports of netizens being directed from completely legal online porno sites to web pages on a second server containing illegal material. …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

So strictly speaking...

... shouldn't the owners of the hacked websites be prosecuted and put on the sex offenders register? Just because you didn't know it was there can't be allowed to be an excuse or else everyone would be doing it, wouldn't they? I mean, think of the children(*)

(*) Unless you've already been prosecuted for thinking of the children too much. In which case, stop thinking of the children.

39
2
Anonymous Coward

Re: So strictly speaking...

You got it! That's the way the law was written. The only way to avoid prosecution is to (a) ensure the police don't investigate or (b) issue guidelines to the CPS about not prosecuting where there was no intent - which effectively neutralises the law, which was EXPRESSLY written to the contrary.

Given the current paedosteria climate, I can't see either satisfying the Daily Mail.

Things get more interesting when you start to look at where the charges would fall. Network Manager ? IT Director ? Company secretary ? Any one of which has the potential to throw UK business back to the dark ages, if people start getting jailed.

22
1
Silver badge

Re: So strictly speaking...

"Credit travels upwards, blame travels downwards. That's the way it works."

6
0
Anonymous Coward

Re: So strictly speaking...

So, strictly speaking...if you accidentally stumble across some KP and report it to the police, then YOU will be arrested and charged, as possession is a strict liability offence, and if you're reporting it then you must have been in possession of it? Seems very strange, even stupid, and I'm sure a British Government would never pass a stupid and inconsistent law. Bit of a disincentive to helping the police.

It's as silly as imagining that someone could go into a police station to report that they're the victim of domestic violence and promptly being grilled about whether they're an illegal immigrant...oh hang on, they do do that, don't they, so maybe they actually intended for people reporting KP to be arrested, as it would allow them to publish some interesting stats about how successful they've been in the fight against this vile trade etc.

God, I'm getting cynical....

23
2
Unhappy

Re: So strictly speaking...

Many years ago I was driving home in the early hours after visiting a friend. On the road through suburbia was a concrete lamppost, horizontal, lying across (the other) half of the road. It was waiting to cause an accident.

Being young (early 20s) my immediate reaction was to stop and call the police from a 'phone box. They asked me to wait. I did. Ten minutes later a police car arrived. I expected them to thank me for reporting it and waiting. Instead they gave a quick glance at the concrete obstruction then grilled me for 10 minutes about where I had been, was going, why. Looked all around my car. Made me open the boot.

Then they let me drive home.

I felt as if I had been treated as a criminal rather than a well-meaning, responsible citizen. It didn't stop me being on the side of the police. I've known a couple and they have to deal with some pretty terrible stuff sometimes. It just wasn't the polite, Dixon of Dock Green approach that my grandfather had believed in and passed on to me when I was young.

Years later, the unpleasant taste still lingers, faintly. More recent events, like the video of the innocent old guy violently hit and pushed over in London a few years ago, who subsequently died, leave a fresher, ranker taste. I don't expect every law enforcer to be an angel, though I hope most have high standards suited to their role. But I do expect the ruling, controlling powers to distinguish accurately between "good" and "bad" actions and to act accordingly; not treating their paymasters, citizens, as criminals by default and not dealing with their own bad apples by closing ranks, which leads to a "We're in control; we can get away with most things" culture.

When the majority of innocent, well-intentioned citizens are regarded as criminals in the first instance I expect many end up thinking, "Why should I bother and suffer for trying to act responsibly?"

Police, I expect, are mostly doing a good job and sometimes trying to maintain their own sanity when travelling on the darker pathways of society.

Politicians, however, who make and rant about laws, often with seemingly little comprehension of the nitty-gritty contexts, but with great expertise in fields such as "spin", the finer points of expense claims and milking the media for every possible vote-winning sound-bite, rarely seem to have much of the darker side of life to deal with, compassionately and wisely. They seem, often, to be experts only in their own careers and future incomes and those of their families, friends (*) and business backers.

(*) Mostly the sort of "Et tu Brute" friends that Julius Caesar had. Such is the world they chose to inhabit.

31
2
Anonymous Coward

Re: So strictly speaking...

You are correct; if you reported it to the police you would be prosecuted.

It's just like the gun laws - if you find a gun, pick it up and take it to the police station they will arrest you and at least attempt to put you in prison for the minimum sentence of 5 years. Google 'Paul Clarke Guildford crown court' to see what happens in this instance.

It's called 'strict liability' - no excuses, you are guilty even when you're not !

8
1
Silver badge
Mushroom

Re: So strictly speaking...

...Things get more interesting when you start to look at where the charges would fall. Network Manager ? IT Director ? Company secretary ? Any one of which has the potential to throw UK business back to the dark ages, if people start getting jailed....

Actually, the way the law is written and interpreted, anyone associated in ANY way with the computer system or network on which a forbidden image resides is guilty. That would probably include the entire company from Chairman of the Board down to delivery boy, and doubtless all the shareholders too.

Looking on the bright side, there are probably a lot of politicians on the boards of companies...

2
1
Anonymous Coward

Why don't they hack the Daily Mail

That way they can all be arrested and the paper closed down.

9
0
Anonymous Coward

Moral Panic

Find something, anything then whip it up and create a moral panic to justify new Laws and new sanctions.

So there have been 200-300 of these incidents, how many websites are there in the world, anyone like to take a guess? Let's put this story into perspective instead of trying to use it as a way to tighten and regulate and spy on us and our Internet access.

0
0
Silver badge
Facepalm

"The law is an ass."

So if 50,000 people visit www.ibm.com or www.tesco.com and see it, it's technically been downloaded. So that's at least 50,000 people who now need to be put in chokey for possession of CP then!

2
1
Silver badge

Re: "The law is an ass."

> So that's at least 50,000 people who now need to be put in chokey for possession of CP then!

Possession AND creation, because there was a local copy made in the browser cache at the very least. Yes, that's stupid, but look at all the previous cases, the CPS always went also for creation, on these grounds.

2
0
Bronze badge

Re: Why don't they hack the Daily Mail

Since the DM is constantly promoting child porn, they should all be arrested and the paper closed down anyway. And Cameron should be locked away for the same reason.

1
0
Bronze badge
Holmes

@AC - Re: So strictly speaking...

AC wrote :- "So, ..if you accidentally stumble across some KP and report it to the police, then YOU will be arrested and charged ... It's as silly as imagining that someone could go into a police station to report that they're the victim of domestic violence and promptly being grilled about whether they're an illegal immigrant."

Wrong analogy. First case is about the same offence. Second case is about two different offences.

0
1
Nym
Coat

Reporting child smut and the like

At least in the U.S. no, you can't get prosecuted for reporting it if you do it immediately. Mind you, you could be called as a witness and have to admit to the hanky beside your keyboard. (That it has dried 'mucus' will be the hardest part to explain methinks.)

0
0
Childcatcher

Strict liability offence

Possession and/or distribution of child porn, innit? What could possibly go wrong?

12
1
Gold badge
Childcatcher

Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit

to distribute it.

Whoever could have such resources?

Hmm.

The thing is real CP lovers have historically taken a lot of trouble to hide their very unpleasant subject matter in such a way it's difficult to find unless you have been told exactly what path to take (because you've shown you can be trusted). Anyone remember the "Wonderland" gang?

This sounds suspiciously like someone trying to whip up a moral panic playing the "Looooook! It's even on legal pron sites"

Cue the (surprisingly) well briefed torrent of media outrage, saturation appearances by Claire Perry etc ad nauseam and assorted bo**cks about how "Society must be protected."

35
0
Silver badge

Re: Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit

In the mind of Claire Perry, there are no legal porn sites.

21
1
Silver badge

Re: Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit

And when they go too far and the backlash from the underworld is to dump all this shit on ceebeebies, or hmrc.gov or the tory party web site?

4
1
Silver badge
Happy

Re: Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit (@ Tom 38)

In the mind of Claire Perry, there are no legal porn sites.

I guess there's not enough space nor processing power for them. From what I've read about her she probably has to keep her family members' first names 'in the cloud'.

4
1
Meh

Re: Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit

"In the mind of Claire Perry, there are no legal porn sites."

What about sites hosting damaging, dangerous political prattling?

Are they legal? (Usually)

Obscene? (Sometimes)

Immoral (Often)

Porn? (Occasionally , depending on particular predilections being paraded)

2
2
Silver badge

Re: Gosh could someone have been hoarding a stack of nasty CP and a zero day exploit

They already did - on her website.

0
0
Anonymous Coward

On TV

They had a quote from IWF saying that the directory listed videos/images that when clicked on installed malware.

As usual with CP, the alleged crime is not reported the same everywhere, is this intentional? Which is it, CP or a malware/blackmail unlock scam?

If the 'hacked' sites are not charged with distribution, that will become the excuse of the real perps; just set up a business selling greetings cards and become the victim of a hacker when found to be distributing CP.

3
1
Anonymous Coward

Re: On TV

Back in 2000, a company I worked for had an FTP server "hacked" (someone either cracked a password, OR they hadn't deleted a leaver's account, OR they created an account for a client which was compromised) and some very disturbing stuff apparently put on it. The police were called, and after having FTP explained to them (they couldn't understand why the network manager was so worried. "After all the computer is locked up") they just said "best to wipe it, and er, take more care".

2
0

Re: On TV

Doesn't say anything about malware on the IWF press release - which is pretty much repeated verbatim in the Reg article.

http://www.iwf.org.uk/about-iwf/news/post/367-websites-hacked-to-host-the-worst-of-the-worst-child-sexual-abuse-images

0
0
Anonymous Coward

Re: On TV

Around 2004 I had a developer install SQL on a box and put it unpatched on the internet late Friday.

I arrive Monday to "we have no internet". Uplink is saturated, just looking at the switch blinky lights tells me it's the developer box. After asking the developers what the hell it was, and finding it was a SQL server I figured it was just Slammed. But a quick look showed it had a large folder full of .jpg files named like 82574small.jpg and 82574big.jpg. Thousands of them.

Developers wanted to have a look, I said no I had to fix the server first. I "fixed" the server with a secure wipe CD.

One of the developers was quite mad that I didn't let him look.

2
1
Anonymous Coward

Re: On TV

Only ever met one unix SA who had to deal with CP on internal servers. This was way back around '98, she found a small stash about 30MB of images on an internal server from a tech-savvy user. Police called, she had to spend about an hour explaining the tech and showing examples of what she found (which she said made her almost physically sick). HR, her manager and the company legal team all present while she showed the evidence to the coppers. HR then called the user to another meeting room to meet the coppers, company legal present, the user was sacked on the spot and then immediately arrested by the coppers. The server had to be put into offsite secure storage (all local storage back then) until the court case just in case.

0
0
JQW

Re: On TV

Around the same time, an FTP server at a company I worked for was similarly hacked. In this case, though, the hackers uploaded a large archive of cracked application software.

The FTP server was running on an old Solaris development box assigned to one project. I suspect that the hackers got in via an exploit, and not a leaked password.

0
0
Anonymous Coward

SQL

Repeat after me: "SQL" is a language used to interrogate databases, it is not a piece of software developed by Microsoft.

2
1
Anonymous Coward

This sort of problem was solved a while back. All that it takes is awareness and use of the tooling to solve.

Here's one way http://www.bleb.org/software/PeridotFlyer.pdf

0
1
Silver badge
Childcatcher

Is that a solution, or a way of making the problem worse?

Suppose you use this automatic link-fixing tool...

scenario:

1. You build your website and protect it with this link-fixing tool

2. Unknown attacker breaks into your site and uploads CP into an unlinked folder

3. One of the links on your pages goes bad, the link-fixing tool automatically searches for an alternative and chooses the CP folder

4. You lose your job and get thrown into jail.

0
0
Silver badge

Just too bad

That some governments seem more concerned for hiding this stuff than actually fighting it.

But this development is a no brainer; a lot of companies who got their website hacked care only for 1 thing: to have it back up working as soon as possible. Even if this involves risks. So the best thing a hacker can do is simply nothing. And then he'll have a whole box to himself.

In bizarre cases ICT could even be told not to fix any problems because of the risk that the site might become unavailable.

THAT is modern computing for you. Yeah, let's focus on filtering out the results then all is well with the Internet again.

I'd say confiscate the machine and at least hold the person(s) responsible for the web contents accountable too.

2
2
Silver badge

I don't get this

Why would you go to all the expense of cracking a computer, then uploading your cp collection, only to link it to a publicly available web server?

Either this is a group of very stupid people or someone is trying to whip up another moral panic.

14
0
Gold badge
Meh

Re: I don't get this

"Either this is a group of very stupid people"

But smart enough to subvert multiple web sites and with what seems to be a private stash of CP they want to share with their friends, but not very securely, hence not encrypted or password protected.

"or someone is trying to whip up another moral panic."

Quite.

Time to sharpen up Occam's Razor?

9
0
Silver badge

Re: I don't get this

It seems quite a sensible method to avoid government-imposed porn filters and search engine blacklists to me. They can't block it if it's everywhere, can they?

0
2

Re: I don't get this

I can understand using hacked websites to store/share/sell the material. What I don't get is: "Typically, someone visiting a normal adult porn website is redirected to, say, a file directory listing in a furniture shop's online home, which has been compromised and filled with images of terrible abuse."

Why do that? It would seem logical they would want to keep knowledge of the compromised server to themselves, not broadcast it to people who will report it.

1
0
Anonymous Coward

Re: I don't get this

Or you just want to point out the stupidity of strict liability legislation and net censorship....

0
0
Silver badge

Re: I don't get this

The only reason I can imagine would be a hoax. Something the denizens of 4chan might think funny.

0
0
Anonymous Coward

Small Businesses and Websites

I am not surprised by this. Especially when "Furniture Store" is mentioned in the example. Often many of the people on El'Reg Comments Section can get lost in Enterprise sized issues and forget the Mom and Pop stores. Run on a shoestring with a tiny staff. Someone up there mentions "Network Manager, IT Director". Trouble is, in a small company, these posts do not exist. IT is done on a shoestring. "Someone's Mate" creates a website and hosts it on the cheapest hosting available. And no one EVER looks at that website's files ever again. No one monitors the logs (mainly as they expect them to be made of wood). No one watches the IT. No one understands that they need to patch the software on the server.

Often when a website goes on line, the next time it is touched is when it is replaced five years later.

This kind of hack is old. I have seen it happen many times - though rarely for something like KP. Too often the Small Business has set up a password that is dumb and simple as they don't realise how vital it is.

As an IT Contractor to small business I often get frustrated at issues like this. I get called in and paid by the hour, which does not allow me to check up on websites.

The law is a total a*se here. The way the law stands the owner of the company will be locked up. Even though they were never aware of any of this KP on their website. This makes it a very clever way to put your competitor not only out of business but to trash their name for life.

I once spotted this kind of stuff on a CHURCH website. Via a mis-typed web search. Nothing illegal in that case, but clearly nasty and unwanted. I assisted the church to clean the website up. For free. The thanks I got? Four days later I get threatening letters from the owner of the website. His lack of understanding refused to believe it was a simple hack via his weak password - and he started to accuse ME of infecting his site!! I pointed him at a few chapters of his favourite book about the Good Samaritan.

This story is only the tip of the iceberg... we are going to see a lot more stories about websites being hacked.

17
0
Unhappy

Re: Small Businesses and Websites

"This story is only the tip of the iceberg... we are going to see a lot more stories about websites being hacked."

Yes.

And it's early August. This isn't, and won't be, the only non-story during the reporters-and-everyone-on-holiday season.

1
1
Silver badge

The IWF is not the most reliable source.

They have something of a history of whipping up hysteria. I imagine this happened once or maybe twice, but the IWF is trying to make it seem like some sort of epidemic of child abuse images.

Anonymous Coward: There was a study a while ago that found the most dangerous sites on the internet, malware-wise, were church websites. Even more than porn or piracy. Simply because few churches pay a professional administrator, they just have a volunteer muddle their way through.

8
0

Re: The IWF is not the most reliable source.

>...they just have a volunteer muddle their way through.

Or worse, someone looking for some 'portfolio' building experience and a place to deploy their newly self-made CMS named after the almighty himself (shall remain nameless here as it would take 1 second to Google, but I swear that theist, atheist, and non-theist alike would be ROFLing at the audacity - particularly after seeing the 'developer's' company site) when all the updates would fit into 20 tweets and yet registration and sign-in are unencrypted, copy-writing badly lacking....arrrrrrrrrrr.

Other than churches, mom and pops, and vanity sites, small festival and events' sites are also often lacking in well rounded development.

On the other hand, some of the larger churches have very competent staff who work full time in tech and they have excellent security capabilities. I once found myself conversing with such a fellow and whilst he name dropped his friends and associates, I had to stifle a laugh when I realized that some of his work was on sites that people I know on the other side of the religious-political spectrum actively watch.

0
0
Silver badge

Fixable, just like SPAM, but good luck.

We live in a climate where the legal apparatus can snare anybody the state pleases. This is one of those things that someone like me knew about decades ago.

If having noxious content on your system is a crime, then we are all potentially criminals and someone like me with nominal control over a fair number of systems is likely a criminal in waiting now.

If a well funded attacker like the NSA decides to incriminate you, there is not much you can do to defend yourself. As an aside: if, for any reason, you are or may become suspect for any breach, leave the talking to your lawyer. If you are going to be targeted you will be targeted by people who are expert in getting you to incriminate yourself. If you engage them, you will lose.

We are about to face an extremely challenging environment where pornography of any type, no matter how depraved can be synthesized without involving any actual subjects. CGI will be able to produce whatever the creator can imagine. This will usher in a time where this material is available in effectively unlimited quantities and where it will seep into things, just like SPAM.

Consider this: if you are the type of person to consume illegal pornography, what better way to get what you want and keep yourself protected than to make sure the material exists everywhere, regardless of whether or not it is wanted? I just checked and a Bing image search for a benign cosmetic procedure turns up all kinds of images that would already be illegal in some jurisdictions. Those images are now in my cache, and if I were in the wrong place and under siege by the state, I would be on my way to jail.

We really need to get public minded people who understand this stuff to help educate legislators and the public so they understand the issues.

In my opinion, we need to legislate communications such that unwanted communication can be stopped. It is desirable and possible to eliminate the vast majority of SPAM. Whatever can be used to protect against SPAM can be used to protect against noxious SPAM like illegal images.

A trickier issue is material communicated from consenting individuals and trickier still is material both produced and consumed by the same individual. In my opinion, we need to bite the bullet and make it *not* illegal to possess any imagery of any type, but rather to make proactive communication of things outside of acceptable norms illegal and to be strict in our enforcement.

The most difficult thing about stuff like this is getting people to actually understand the issues.

9
0
Silver badge

Re: Fixable, just like SPAM, but good luck.

"We really need to get public minded people who understand this stuff to help educate legislators and the public so they understand the issues."

The cynic in me believes that there are people in power who want it *exactly* how it is, everybody in fear because they could be next.

People who are afraid don't rock the boat. It's all about population control.

11
0
Facepalm

Re: Fixable, just like SPAM, but good luck.

"The cynic in me believes that there are people in power who want it *exactly* how it is, everybody in fear because they could be next."

Yes.

Their problem is that self-serving career-politicos are not, really, the brightest of beings. They fail to see that they are themselves much more attractive targets of career-killing attacks than the average bloke on the street.

Mr. Jones at number 181 dressing up in Spurs kit for hanky-panky - yawn!

Mr. Tory MP doing similarly - scoop! 24-hour photographer vigils. Histories (*) dissected. Skeletons unearthed.

(*) HisLibDems? HisSocialists?

1
1

This post has been deleted by its author

Silver badge
Trollface

no legal porn

"In the mind of Claire Perry, there are no legal porn sites."

We really need to quit calling those ancient carved naked figures art as well. The Statue of David after all is just some of the world's first gay porn.

8
0
Meh

Re: no legal porn

So... would that make the Venus de Milo statue the world's first paraplegic porn?

2
0
Silver badge

Re: no legal porn

That'd be the Venus of Willendorf. It's not limbless but it is so unrealistically proportioned the arms are just stumps.

0
0
Anonymous Coward

A few years ago one of the emails I received had a link pointing to a car dealership's website but the email was one of those medicine selling places. (my spam filter missed it) I thought it was strange that a car dealership is selling prescription drugs on the side, so I checked it out, I was curious, the car dealer was in South Africa, the medicine was sold supposedly from Canada. There was no link from the dealership's home page, I thought maybe somebody is doing some part time business or the site was hacked, so I wrote an email to the manager of the dealership. He answered that there is nothing like I am talking about on their website, but they would be happy to discuss a fantastic deal about a new or used car. So I answered, again giving the link in the email and asking him to check it and to forward my email to the person responsible for the website to check it too. Next day got an email from the host of the website thanking me and mentioning that they found several similar links on their servers. A few days later the manager of the dealership wrote again apologising for not realising the problem immediately and thanking me for my help.

The bad thing is that now I am on their mailing list and after several emails they still seem incapable of deleting my email address from their list.

3
0
Silver badge

No good deed...

goes unpunished.

6
0
