Saturday, October 26, 2013

Third Circuit Court giggle

Yet again we have an example of how the judicial system treats hacking like witchcraft. Lawyers submitting briefs to the court are required to have (the hacking equivalent of) a Catholic priest sprinkle Holy Water on the document to exorcise any demons or curses.

Weev's team of lawyers have filed their "Appellant Reply Brief", the next stage in appealing the case. Near the end, on page 53/65 is the text:
CERTIFICATIONS 1. I certify that a virus check was performed on the PDF file of Appellant’s Reply Brief using McAfee Security Scan Plus.
This conforms to the rules of the Third Circuit which require that the brief be sent in PDF format, and:
Counsel must also certify that a virus detection program has been run on the file and that no virus was detected.
But as a cybersec professional, I know this to be useless. Malicious PDFs contain neither viruses nor worms, but "trojans" and "exploits". They do not spread by one PDF infecting another PDF. As this SANS document confirms:
To date PDF Malware has fallen into the purely Trojan category of malware. As with other Trojans, there is good news in that your known-good PDFs will not become "infected" after opening a malicious PDF. Each malicious PDF is custom made and contains no reproductive capabilities.
If this Weev PDF were to contain malware (hypothetically), then it would be due to a problem that an anti-virus program cannot stop. Most probably, it would be because counsel (in this case Hanni Fakhoury) put the malware there himself, intentionally. Moreover, if Hanni infected his PDF, it'd almost certainly pass McAfee's scan. That's because while anti-virus is good at detecting mass infections, it's not so good at detecting a single "patient zero". The tools Hanni might use, like Metasploit, have a good track record of creating exploitable files that anti-virus cannot detect.

Let me prove it. Below is a screenshot of me adding malware to Hanni's PDF brief. I'm using a very old, very easily detectable exploit:


Now I take the infected brief and upload it to "VirusTotal", a website that tests files across a wide variety of anti-virus products to see if it can be detected. As you can see, because I'm being stupid here not actually trying to evade AV, some products actually catch this trojan/exploit. But not McAfee, the one Hanni used to certify his file free of viruses. Hanni's certification applies not only to his virus-free brief, but my infected one, too.


What we see here is a mismatch between the problem and the remedy, between the threat and the protection. A lawyer's brief will not be accidentally infected with a virus, only intentionally, and intentional infections will pass virus scanners. Hence, forcing lawyers to virus scan has no effect on any threat.

The Third Circuit court probably does get malicious, infected PDFs, but through the same vector as everyone else: phishing emails and drive-by downloads. But that's a far different source of PDFs, unrelated to submissions by lawyers. Making lawyers virus scan PDFs has no bearing on the problem. What would mitigate this problem is heuristics on their upload website and email gateway that would filter suspicious PDFs, such as those containing JavaScript.
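A minimal form of the gateway heuristic just described, as an added example that is not part of the original post: it flags PDFs that carry JavaScript or auto-run actions, resolves `#xx` name escapes and inflates Flate streams so the names cannot be trivially hidden. The list of flagged names is my own choice, and the three sample PDFs are constructed here, not real briefs.

```python
import re
import zlib
from typing import Dict

# Names a plain text brief never needs but document-borne exploits do use;
# their presence is the heuristic a gateway can filter on (my selection).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                    "/Launch", "/EmbeddedFile", "/RichMedia")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream, so names tucked inside
    compressed object streams are scanned too."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (or corrupt); the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx name escapes (/Java#53cript -> /JavaScript) over the whole
    buffer: an over-approximation, but one that cannot hide a name."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes, inflate: bool = True) -> Dict[str, int]:
    """Count each suspicious name in the PDF bytes; raise on non-PDF input."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF file")
    text = normalize_names(inflate_streams(data) if inflate else data)
    hits: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter: /JS must not match /JSx.
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9_.-])", text))
        if n:
            hits[name] = n
    return hits

# Constructed samples: a minimal benign PDF, one with an auto-run JavaScript
# action whose name is hex-escaped, and one whose action dictionary is hidden
# inside a Flate-compressed stream.
_HEAD = (b"%%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R%s >> endobj\n"
         b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
         b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n")
_TAIL = b"trailer << /Root 1 0 R >>\n%%EOF\n"
BENIGN = _HEAD % b"" + _TAIL
SUSPICIOUS = (_HEAD % b" /OpenAction 4 0 R"
              + b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n" + _TAIL)
_ACTION = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
COMPRESSED = (_HEAD % b" /OpenAction 4 0 R"
              + b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_ACTION)
              + _ACTION + b"\nendstream endobj\n" + _TAIL)
```

Run with `inflate=False` to see that the compressed sample slips past a plain keyword grep with only its `/OpenAction` showing.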


I don't mean to be snarky here, but LAR 31.1(c) demonstrates that the Third Circuit court has as much competence to judge Weev's case as the Salem courts had to judge witches in the 1690s. Requiring AV scans of PDFs has as little effect stopping viruses as sprinkling Holy Water on your computer. Weev's judgement will come from ignorance, prejudice, superstition, and fear, not from an educated understanding of how things work. I'm not saying that hacking should be legal, it's just that hacking laws should have the narrowest possible interpretation, reflecting the court's inability to fully understand the subject. For example, another hacker named Jeremy Hammond was guilty of stealing credit card numbers. That is illegal in and of itself, regardless of whether he obtained them via witchcraft, hacking, or time machines. Aggressive interpretation of the CFAA isn't needed to catch such hackers. Instead, aggressive interpretation of the CFAA by the ignorant threatens everyone else.

