FBI Remotely Installs Spyware to Trace Bomb Threat

cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."

How long will it be before ...

[140Mandak262Jamuna (970587)]

... FBI (and some if-it-will-save-one-child-it-is-worth-it legislators) demand all the OS vendors to install backdoors so that it can come in and install whatever spyware it wants to be installed?

Open letter reply to that kind of law

[Opportunist (166417)]

"Thank you. You just made hacking a whole lot easier."

The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.

No backdoor is secure. Word will get out and it will be abused. Worse yet, if you force AV and firewall manufacturers to keep that hole unplugged, you open yourself and all the businesses in your country to industrial sabotage and espionage.

Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?

Re:Open letter reply to that kind of law

[hpa (7948)]

Think the feds are THAT stupid?

Yes.

Re:

[Cro Magnon (467622)]

Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?

Yes, to both! The lobbyists aren't exactly rocket scientists themselves.

Re:

[Opportunist (166417)]

Lobbyists usually don't care jack about bombs either, though. They might want to sniff through your computers to make sure you don't have files they consider theirs, but they sure as hell would not want that crap on their own machines. Imagine the feds being able to sniff through their files and finding ... teh horrorz!

So if anything, they'll want this on the PCs of normal people, but certainly not in a system they might use themselves!

Re:Open letter reply to that kind of law

[vertinox (846076)]

The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.

Its already happened to Greece's wiretapping software. Someone broke into the main cell phone company and hacked the software installed for legal wire taps to listen in on government official's cell phone. They didn't notice it until they tried to upgrade the software and realized someone had been using it.

http://www.spectrum.ieee.org/jul07/5280/1 [ieee.org]

Re:

[Hotawa Hawk-eye (976755)]

Those backdoors would be the biggest targets ever for any malware authors. I'd also envision a series of lawsuits from large companies (Intel, AMD, IBM, AT&T, the big pharmaceutical manufacturers, etc.) against the OS vendors and the government as soon as somebody breaks in via the backdoors and steals confidential information. "We've spent billions of dollars researching drug X, and your backdoors allowed hackers to break in, steal all that research, and sell it to our competitors. Now tell us again

NSAKEY

[bill_mcgonigle (4333)]

... FBI (and some if-it-will-save-one-child-it-is-worth-it legislators) demand all the OS vendors to install backdoors so that it can come in and install whatever spyware it wants to be installed?

Where have you been [wikipedia.org]?

Re:How long will it be before ...

[Opportunist (166417)]

I only use my car for groceries. So why should I be against complete surveillance and GPS positioning of every single car? Hey, it doesn't affect me, ya know?

I only use my credit card to pay for my phone bill. So why should I be against complete surveillance of CC payments? Hey, it doesn't affect me, ya know?

I only...

Re:How long will it be before ...

[ArcherB (796902)]

First they came for the library records, you did not care because you cant read

Then they came for net access records, you did not care because you don't need privacy there ...

Someday they will come for you, and there will be no one left to care

They did have a warrant.

The warrant isn't really the point.

[camperdave (969942)]

The warrant isn't really the point. The point is that they have the tech to get past firewalls and antivirus software, and can plant spyware on your machine. This time it was legal, because the FBI got the warrant. But what about the CIA/NSA/RIAA using the same tech to spy on you? Some government agencies don't need warrants.

Re:The warrant isn't really the point.

[erroneus (253617)]

The bigger problem isn't only Government bodies or even the RIAA (who would have to disclose their methods of evidence collection as a means of validating the evidence). If they can do it, ultimately anyone can do it.

There is no magic at play here. If it's a secret, someone can learn it. If it's a method, someone can learn it. If it can be done by one, it can be done by all and whether or not you trust your government or your legal system is almost irrelevant to the larger point. If there exists that serious of a chink in your armor, SOMEONE will exploit it and it may not always be for the right reasons or by the right people.

Re:

[Knuckles (8964)]

The Gestapo had warrants too ...

Re:How long will it be before ...

[SpaceLifeForm (228190)]

And now, they don't even want to bother with that formality.

I'm kind of new here

[SIIHP (1128921)]

But posts like this really irk me.

What exactly do you want?They got a warrant. Isn't that kind of oversight what we want? I don't understand why you think making a comparison to the Gestapo (and did they really have warrants?) adds a single thing to the conversation.

Please tell me what your solution is, so I can put your comment in some kind of context. I've seen it and its like from several other posters, but not a single one of them goes on to make a coherent argument after making it, and neither did you.

The FBI has a job, in this case it seems a job that we'd all like them to be proficient at, that of preventing bombings. They pursued evidence through the correct channels, got a warrant, set up an operation, and did their jobs. In light of that, doesn't the "Gestapo" comment seem a bit reactionary and irrational?

So what the hell is with the specious Gestapo comparison? Do you think someone's rights were violated somehow, or the FBI overstepped their authority, or what exactly? Or is it vogue here to toss out inflammatory comments for no reason other than to provoke a reaction? I thought that's what the "troll" mod was for?

Lastly, the Gestapo also pandered to the fears and insecurities of the populace, so I'd be careful throwing around such comparisons if I were you.

Re:

[toiletsalmon (309546)]

"What exactly do you want?"

You know what I want? I want to be able to TRUST that the executive branch of the government (law enforcement included) really has what's best for the country in mind, but I'm just not feeling it.

The executive branch of our government has recently, been found guilty of large scale domestic spying "for the greater good", torture, and any number of other egregious offenses. Of course, it's up to some interpretation I guess, but I say they're blatantly illegal offenses at worst and c

Re:How long will it be before ...

[Red Flayer (890720)]

First they came for the library records, you did not care because you cant[1] read[2a]

Then they came for net access records, you did not care[3a] because you don't need privacy[3b] there[2b]

[1] First they came for the apostrophe Nazis, and I did not care because I know how to use apostrophes.
[2] Then they came for the end-of-sentence punctuation Nazis, and I did not care because I punctuate my sentences.
[3] Then they came for tense agreement Nazis, and I did not care because I know that 'do not need privacy' (even abbreviated as don't) is present tense while 'did not care' is past tense.

Then I realized that it matters not, because if someone can't read, they aren't going to care about net access records regardless of the privacy issues.

NSAKEY

[Kadin2048 (468275)]

Microsoft denied it, they said that the key's variable name being called "NSAKEY" was just an ... uh, you know ... coincidence.

http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org] is a good primer.

It was covered extensively at the time by the likes of Bruce Schneier and others, his comments [schneier.com] said:

Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I think the jury is still out on exactly what was really going on; if it was an NSA backdoor, it was a pretty boneheaded one. Alternately, if it was just Microsoft being redundant, then it shows that they didn't plan very well and don't seem to understand security very well. Given the choice between the two, I think boneheadedness on MS's part is more likely.

User

[kevin_conaway (585204)]

But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors...

My guess is that nothing quite so sophisticated was necessary since the user downloaded and ran an unknown attachment from an email message

Occam's razor at work

[Opportunist (166417)]

We have: A teenager who used his computer to send bomb threats through myspace.

Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.

Assumption 2: The FBI keeps a hole open in Windows that only they know about.

Assumption 3: AV vendors are forced to keep holes open, as well as firewall vendors and everyone else who could technically find it.

Assumption 2 and 3 bear a heavy load. Assumption 2 implies that EVERY Windows OS can be remotely exploited. Now, it IS possible to reverse Windows. And since there are Windows emulators out there that can handle calls to functions most people don't even know exists, it's safe to assume that quite a few people already reversed some parts of Windows. A hole would have been found by now. More important, such a hole could easily be used against US companies when, say, China finds them and uses it to eavesdrop on confidential data. If such a hole existed, the first thing the FBI would do is make sure that no US company dealing with critical or sensitive information (nuclear, biological, you name it) uses Windows as their main operating system.

Thus I consider it rather unlikely.

Assumption 3 includes that every AV vendor on this planet knows about the hole/malware and keeps his mouth shut. Now, a good deal of such AV vendors sit in countries that are not the US, worse, some of those countries are economical competitors to the US. Think they'll keep silent? Or that they would include it into their software? Hardly likely.

I'd stay with assumption 1: He was careless, clicking on everything and running no AV kit.

Re:

[PPH (736903)]

Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.

Most likely the case.

However:

Assumption 2: The FBI keeps a hole open in Windows that only they know about.

Why is Microsoft's DoJ settlement supervised by a FISA court judge (Kathleen Kotar-Kelly). These judges are the only ones cleared to review cases where espionage techniques may be revealed and there is a need to keep such information out of the public record.

Assumpti

Re:

[Aeiri (713218)]

Sure, there are a lot of APIs used that are unknown to the public, there are lots of things reverse engineered, but even the most reverse engineered features have stuff in them that are unknown.

For instance, the NTLMv2 response in NT authentication.

NTLMv2 Specs [sourceforge.net]

Scroll down and you'll see:

0x00000000 (unknown, but zero will work)

This is simply the best place to put a password bypass, a flag in the authentication packet itself. If it's the right value, then just don't check the password and let

Re:Occam's razor at work

[Opportunist (166417)]

Still, there has to be some kind of code providing for such a signed tool. And a branch that gets never accessed is something absolutely irresistable for every reverser, especially if it looks like something that could run code on privileged levels.

Hold it, hold it...

[Opportunist (166417)]

...where does it say that the guy even had any kind of AV software on his computer?

Heuristics and spyware

[ergo98 (9391)]

Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors...

Would it even be necessary to compromise security vendors? While heuristics and malware detection has been something long promised, it is my understanding that the vast majority of security software works purely by comparing against their dictionary of known attacks. If the police have highly specialized, very limited deployment spyware, it seems that most security software wouldn't have any inkling that it's malware in the first place.

I have no doubt that organized crime and government agencies are aware of and abusing exploits. Given that they don't blast it to the world like a giddy teenager looking for attention, no one knows what to look for.

Click here for free movies!

[Spudtrooper (1073512)]

From: spyware@fbi.gov
Subject: Click here for free movies!
Attachment: not_spyware.exe

Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!

Re:

[tehcyder (746570)]

From: spyware@fbi.gov

Subject: Click here for free movies!
Attachment: not_spyware.exe

Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!

Oh, FUCK.

Re:

[elrous0 (869638)]

Headline of a future Washington Post article:

"Our Investigation Was Going Nowhere Until We Thought of Posing as a Nigerian Prince," Says FBI Agent

Hello World

[TodMinuit (1026042)]

Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors...

There are other ways:
-Social engineering (either against the person, or his mother)
-Breaking into the basement^W house and installing the damn thing
-Hiding it in porn

Re:

[Shakrai (717556)]

How hard is it to pay someone who can?

s/pay/blackmail

There, fixed that for you.

Getting past defenses?

[ShaunC (203807)]

But how did the FBI get the spyware activated and past anti-virus defenses?

Easy, they sent it to some kid on MySpace. It's a rather large assumption that he had any anti-virus defenses at all, much less that AV vendors are being complicit with the FBI trojan.

Something seems fishy about the whole story, though. This guy was apparently savvy enough to use a proxy in Italy to send his Gmail bomb threat emails, so he was at least trying to cover his tracks... But he was dumb enough to open a random email attachment? It strikes me as more likely that the CIPAV is deployed through a browser exploit (or perhaps even "legitimately" as an ActiveX control or BHO, people will install anything).

Re:Getting past defenses?

[Opportunist (166417)]

Using an onion router is no sign of computer knowledge. Some pal might have pointed him to The Onion Router [eff.org], he saw it, went "wow, they can't track me if I got that", and that's it.

Just because someone does something the "average Joe" cannot or does not do, doesn't mean that he knows more than said Joe. He might just have gotten some clue from a pal, without said pal telling him the whole story.

It's simple script-kid style. Yes, some of the malware that circulates is pretty well written, but the people using it are sometimes so dumb that you wonder if they ain't better off serving fries. They're bound to be caught.

Not the guys only issue

[Mr. Sketch (111112)]

If this guy will open random e-mail attachments, there is a good chance he already has tons of spyware/adware/viruses on his machine anyways. I doubt he would have noticed one more.

Where's the provision for any federal police squad

[dada21 (163177)]

I keep re-reading my Constitution, and I don't see where it allows for a police power for the Federal government to go after bomb threats or any similar crime.

Is a bomb threat considered piracy?

Is a bomb threat considered treason?

Is a bomb threat considered counterfeiting?

If it isn't, there is NO Federal allocation of power to go after bomb threats, period. What the FBI is doing is not just unconstitutional, but any political leader who took an oath to uphold the Constitution is violating the only oath the

Re:Where's the provision for any federal police sq

[Attila Dimedici (1036002)]

Congress does a lot of things that are not authorized in the Constitution..Social Security, Department of Education, and on and on. Many of them are "good" things. Personally, I heard a suggestion a couple of years ago that I think would be a great idea: before Congress can consider any Bill, it must contain a clause which states where in the Constitution Congress is given the authority to legislate on this particular topic. This would eliminate a lot of laws from even being considered and make it easier to

Re:

[dada21 (163177)]

You are wrong about constitutionally protected speech when it can cause harm or mass hysteria. That is NOT protected.

At the Federal level it surely is, regardless of what the Supreme Court wrongfully interpreted. Let us read a very simple part of the Constitution, a document written specifically to declare what the Federal Government can do, and what it is restricted from doing:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the fre

Re:

[giafly (926567)]

Show me one terrorist who would dare to threaten hijacking on a plane where half the passengers are armed and trained and protecting themselves.

• You have apparantly never heard of suicide bombers?
• Also who needs real terrorists if half the passengers are trigger-happy amateurs? Just 'phone in a hoax and hope they panic.

Interesting speculation

[HangingChad (677530)]

The Feds would have the $$$ and be able to hire the skill labor to build some pretty sophisticated spyware tools. On the other hand, I wouldn't be surprised to find out Microsoft included a back door in Windows. That rumor has surfaced before.

The problem with either of those options is if they get out in the wild. How many people have access to those tools and how is their deployment managed? Who wouldn't be tempted to do a little sideline testing if they had those goodies in their tool chest.

Woot!

[DRAGONWEEZEL (125809)]

They think this guy really did it! I fooled 'em good!

Why is this even on /.?

[mpapet (761907)]

I know this site is a big echo chamber but the simple fact of the matter is Federal law enforcement coordinates very closely with every computer vendor that has anything of interest to them. The coordination efforts are expressly for purposes like this. I seem to recall photochop will throw an error if you try to scan U.S. currency. It's like that, only everywhere and no error messages.

Law enforcement is very deep into every aspect of computer activity. It's been this way for more than a decade.

The /. moral outrage rings very hollow because no one will fight for anything different.

The Problem

[Bob9113 (14996)]

I support surveillance by law enforcement agencies. I also believe in fairly stiff penalties for breaking the law (though I would add that I feel that harsher penalties for real crimes should be balanced with reducing the breadth of behavior that the government restricts). However, I am opposed to the use of spyware on the suspect's property for such surveillance. Why this conundrum?

The problem is that technology is getting closer to us all the time. The barrier between man and machine is becoming much narrower. And that is a good thing. At the far end of the spectrum people have long been getting artificial hearing enhancers, and now we are starting on intelligent artificial eyes and limbs. People with epilepsy are getting electronics embedded in their brains. At the nearer end of the spectrum, a large percentage of the population now carries a small computer with them everywhere (their cell phone). The man/machine split is disappearing.

So what? Well, we have a problem developing if the government assumes that anything that does not have your genome is fair game for them to crack. Today it is the suspect's computer. This already poses a problem if the suspect is, for example, engaged in legitimate contracting for some corporation - should the government have the right to compromise the security of that corporation because one of their employees is breaking the law?

But what of the more tightly coupled technology? Should the government be allowed to plant a bug in my hearing aid? Should they be allowed to tap the signals coming from my artificial eyes? Should they be allowed to monitor the same brain activity patterns that my seizure mitigating device monitors?

The problem is that we are becoming more closely coupled with technology, and that is a good thing. We are the first species in history to actively engage in our own evolution. But if we cannot trust our technology, it creates a barrier to that evolutionary step. I have the right not to self-incriminate. But if a computer is part of me, where does the line get drawn?

Read the real version of the story

[by Anonymous Coward]

Declan not only ripped this story off from Wired without attribution, he got it wrong. There's no way the police could have emailed the tracking software to the kid as an attachment. Myspace doesn't allow attachments. Want to see the real story with real reporting: try the original story here: http://www.wired.com/politics/law/news/2007/07/fbi _spyware [wired.com]

Happening right now.

[by Anonymous Coward]

Too much info has been released and I can explain what is occurring right now. This is not speculation.

- E-mail account made at a foreign e-mail hosting site that has an extremely terse address so as not to be hit by spambots (i.e. 4433dakjikk83726jj@somewhere.org)
- E-mails are sent from a stolen laptop through a public wireless access point that are copycats of this crime to illicit the same FBI response.
- E-mails are then checked each day from different public access points each day using a different MAC address at each access point. [The only e-mail that should be coming into this account would be the one from the FBI. Probably easy to verify by checking DNS records of the e-mails originating IP or IP block.]
- E-mail is received and copied to disk.
- Laptop is destroyed.
- CD with e-mail is then analyzed on a Linux/Unix machine that has no internet connection.
- Backdoor/exploit vector is discovered and used for "other" purposes.

Grey-market exploits

[athloi (1075845)]

The answer is right in front of you [securityfocus.com]. Governments and spy shops pay for exploits before they're made public, so they can use them to enter your machine as they need to. In this case, we don't know how CIPAV was delivered, but it might be as simple as an undiscovered exploit in Outlook or a browser-based email system. While none of us trust government, I equally don't trust my fellow citizens, so the "ethics" of this point are moot.

Re:the answer is simple

[arivanov (12034)]

Neither. In the current security climate most security vendors will bend over straight away and turn a blind eye on an "authorised" Troyan. In fact at least one of the US ones is known to have done so and that was leaked to the press around 2004 (sorry forgot which one). Even further, I would not be surprised if some of them go as far as "facilitating" its installation.

Re:the answer is simple

[pe1chl (90186)]

But what if you (as any sensible person would do) simply block anything that is executable from being received via mail?

Real or just FBI PR?

[EmbeddedJanitor (597831)]

After Sept 11. the FBI etc have PR issues trying to convince the world that they are on the ball and protecting Joe Citizen. These sorts of statement are not necessarily true. They could just be "feel good" measures like making you take your shoes off at airports.

Re:the answer is simple

[ozric99 (162412)]

Even then, the Acrobat process would need write-access to system files. On a decently managed system, it hasn't.

From the summary:
A MySpace account linked to bomb threats sent to a high school.

Chances of this system being secure, updated, well-managed? 0
Chances of this system being a Gateway laptop that takes 10 minutes to boot, loads 5 IM apps on startup, has 4 different IE toolbars, and constantly warns that the Norton Antivirus subscription lapsed 16 months ago? Our survey says yes!

Re:

[ehrichweiss (706417)]

Ever heard of a rootkit? Those are installed every day without a single peep from an up-to-date AV scanner. Hell, I've got a book on creating them right now that has an example that has managed to bypass Avira and AVG. And that's just example code.

Re:

[TheRaven64 (641858)]

If your version of file can't tell the difference between an MS-DOS executable and a Windows PE binary then you might want to consider upgrading, as it's almost certainly a good 15 years out of date.