Hackers get backdoor access

Hackers may get a welcome mat to some software programs

By BBC News Online internet reporter Mark Ward

Governments are searching for ways to stop cyber-criminals at the same time as the US is adopting laws that will make it easier for malicious hackers to remotely disable software, say security experts.

In the wake of the havoc caused by the Love Bug virus, leading industrial nations are debating how best to tackle the rising tide of computer crime at a G8 conference in Paris.

But their efforts could be undone by a law being adopted by US states which allows software makers to put backdoors into programs so they can be remotely disabled.

The law is designed to help software companies enforce licence agreements. The backdoors will let them remotely disable software if customers have not paid for it. But security experts fear the remote control ability will be hijacked by hackers.

Remote control

Cryptography and security expert Bruce Schneier called the legislation, the Uniform Computer Information Transactions Act (UCITA), a horrible law. He said software companies are naively hoping that no-one but them will be able to use the backdoors or codes for turning off software.

Chirac: "Criminals exploit the loopholes"

Mr Schneier expects that hackers will also find ways through the backdoors and gain the ability to turn off software. He said the idea of putting backdoors in software was "insane," and just asking for trouble.

Thomas Olafson, chief technology officer for ethical hacking group Defcom, said hackers would take it as a challenge if they knew that programs had backdoors built in. "What hackers do best is spend time finding security weaknesses and a backdoor is a weakness," he said.

He said hackers have already found many backdoors into popular databases and programs. Information about them was regularly distributed in the underground community.

A hacking group known as the Cult of the Dead Cow has developed the Back Orifice program that exploits holes in most versions of Microsoft Windows.

Licence fees

The UCITA legislation is being brought in to harmonise laws controlling software licences. It has only been passed in Virginia and Maryland but the other 50 states are expected to adopt it over the next few years. Anti-piracy group Business Software Alliance is backing the legislation.

At the G8 conference, French President Jacques Chirac called for greater state regulation of the internet and said that the efforts of computer companies to self-regulate online life was not working.

He strongly backed a convention on cyber-crime being drafted by the Strasbourg-based Council of Europe that would set common definitions of crimes and require extensive co-operation to trace and punish cyber-criminals. He said that convention had to be widely adopted so there were no safe havens for malicious hackers or other computer criminals.

Mr Chirac said: "We must overcome the obstacles of differences in national legislation. Criminals take advantage of these. They exploit the loopholes."

But industry groups warned against greater state regulation of the internet. The Global Internet Project, a group of executives chaired by John Patrick, vice president for Internet technology at IBM, said they could not think of any set of regulations that would not inhibit the growth of online commerce.