Slashdot Log In
FBI Remotely Installs Spyware to Trace Bomb Threat
Posted by
CmdrTaco
on Wed Jul 18, 2007 10:22 AM
from the hey-wait-a-minute dept.
from the hey-wait-a-minute dept.
cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."
Related Stories
[+]
IT: Enhanced Carnivore To Crack Encryption Via Virus 522 comments
suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."
[+]
Will Security Firms Detect Police Spyware? 269 comments
cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
[+]
IT: What We Know About the FBI's CIPAV Spyware 207 comments
StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"
This discussion has been archived.
No new comments can be posted.
FBI Remotely Installs Spyware to Trace Bomb Threat
|
Log In/Create an Account
| Top
| 325 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
the answer is simple (Score:1)
(Last Journal: Tuesday May 20 2003, @01:02PM)
Re:the answer is simple (Score:5, Insightful)
(http://www.sigsegv.cx/)
Re:the answer is simple (Score:5, Insightful)
Re:the answer is simple (Score:5, Funny)
(Last Journal: Friday November 28 2003, @02:48AM)
From the summary:
A MySpace account linked to bomb threats sent to a high school.
Chances of this system being secure, updated, well-managed? 0
Chances of this system being a Gateway laptop that takes 10 minutes to boot, loads 5 IM apps on startup, has 4 different IE toolbars, and constantly warns that the Norton Antivirus subscription lapsed 16 months ago? Our survey says yes!
How long will it be before ... (Score:5, Insightful)
(Last Journal: Wednesday October 31, @08:33AM)
Re:How long will it be before ... (Score:5, Interesting)
(Last Journal: Monday April 30 2007, @10:21PM)
Then they came for net access records, you did not care because you don't need privacy there
Someday they will come for you, and there will be no one left to care
The warrant isn't really the point. (Score:5, Insightful)
(Last Journal: Tuesday January 16 2007, @10:33AM)
Re:The warrant isn't really the point. (Score:5, Insightful)
(http://slashdot.org/)
There is no magic at play here. If it's a secret, someone can learn it. If it's a method, someone can learn it. If it can be done by one, it can be done by all and whether or not you trust your government or your legal system is almost irrelevant to the larger point. If there exists that serious of a chink in your armor, SOMEONE will exploit it and it may not always be for the right reasons or by the right people.
Re:How long will it be before ... (Score:4, Interesting)
I'm kind of new here (Score:5, Insightful)
(Last Journal: Friday October 05, @02:20PM)
What exactly do you want?They got a warrant. Isn't that kind of oversight what we want? I don't understand why you think making a comparison to the Gestapo (and did they really have warrants?) adds a single thing to the conversation.
Please tell me what your solution is, so I can put your comment in some kind of context. I've seen it and its like from several other posters, but not a single one of them goes on to make a coherent argument after making it, and neither did you.
The FBI has a job, in this case it seems a job that we'd all like them to be proficient at, that of preventing bombings. They pursued evidence through the correct channels, got a warrant, set up an operation, and did their jobs. In light of that, doesn't the "Gestapo" comment seem a bit reactionary and irrational?
So what the hell is with the specious Gestapo comparison? Do you think someone's rights were violated somehow, or the FBI overstepped their authority, or what exactly? Or is it vogue here to toss out inflammatory comments for no reason other than to provoke a reaction? I thought that's what the "troll" mod was for?
Lastly, the Gestapo also pandered to the fears and insecurities of the populace, so I'd be careful throwing around such comparisons if I were you.
Re:How long will it be before ... (Score:5, Funny)
(Last Journal: Friday November 10 2006, @02:16PM)
[2] Then they came for the end-of-sentence punctuation Nazis, and I did not care because I punctuate my sentences.
[3] Then they came for tense agreement Nazis, and I did not care because I know that 'do not need privacy' (even abbreviated as don't) is present tense while 'did not care' is past tense.
Then I realized that it matters not, because if someone can't read, they aren't going to care about net access records regardless of the privacy issues.
Re:How long will it be before ... (Score:5, Insightful)
I only use my credit card to pay for my phone bill. So why should I be against complete surveillance of CC payments? Hey, it doesn't affect me, ya know?
I only...
Open letter reply to that kind of law (Score:5, Insightful)
The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.
No backdoor is secure. Word will get out and it will be abused. Worse yet, if you force AV and firewall manufacturers to keep that hole unplugged, you open yourself and all the businesses in your country to industrial sabotage and espionage.
Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?
Re:Open letter reply to that kind of law (Score:5, Funny)
(http://www.zytor.com/~hpa/)
Re:Open letter reply to that kind of law (Score:5, Interesting)
(http://mp3bat.com/)
http://www.spectrum.ieee.org/jul07/5280/1 [ieee.org]
NSAKEY (Score:5, Informative)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org] is a good primer.
It was covered extensively at the time by the likes of Bruce Schneier and others, his comments [schneier.com] said:I think the jury is still out on exactly what was really going on; if it was an NSA backdoor, it was a pretty boneheaded one. Alternately, if it was just Microsoft being redundant, then it shows that they didn't plan very well and don't seem to understand security very well. Given the choice between the two, I think boneheadedness on MS's part is more likely.
NSAKEY (Score:4, Informative)
(http://blog.bfccomputing.com/ | Last Journal: Tuesday August 07, @06:50PM)
Where have you been [wikipedia.org]?
User (Score:3, Insightful)
(http://pyscrabble.sf.net/)
My guess is that nothing quite so sophisticated was necessary since the user downloaded and ran an unknown attachment from an email message
Occam's razor at work (Score:4, Insightful)
Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.
Assumption 2: The FBI keeps a hole open in Windows that only they know about.
Assumption 3: AV vendors are forced to keep holes open, as well as firewall vendors and everyone else who could technically find it.
Assumption 2 and 3 bear a heavy load. Assumption 2 implies that EVERY Windows OS can be remotely exploited. Now, it IS possible to reverse Windows. And since there are Windows emulators out there that can handle calls to functions most people don't even know exists, it's safe to assume that quite a few people already reversed some parts of Windows. A hole would have been found by now. More important, such a hole could easily be used against US companies when, say, China finds them and uses it to eavesdrop on confidential data. If such a hole existed, the first thing the FBI would do is make sure that no US company dealing with critical or sensitive information (nuclear, biological, you name it) uses Windows as their main operating system.
Thus I consider it rather unlikely.
Assumption 3 includes that every AV vendor on this planet knows about the hole/malware and keeps his mouth shut. Now, a good deal of such AV vendors sit in countries that are not the US, worse, some of those countries are economical competitors to the US. Think they'll keep silent? Or that they would include it into their software? Hardly likely.
I'd stay with assumption 1: He was careless, clicking on everything and running no AV kit.
Re:Occam's razor at work (Score:4, Insightful)
Hold it, hold it... (Score:4, Interesting)
Heuristics and spyware (Score:5, Insightful)
(http://www.yafla.com/dforbes/ | Last Journal: Tuesday September 27 2005, @10:43AM)
Would it even be necessary to compromise security vendors? While heuristics and malware detection has been something long promised, it is my understanding that the vast majority of security software works purely by comparing against their dictionary of known attacks. If the police have highly specialized, very limited deployment spyware, it seems that most security software wouldn't have any inkling that it's malware in the first place.
I have no doubt that organized crime and government agencies are aware of and abusing exploits. Given that they don't blast it to the world like a giddy teenager looking for attention, no one knows what to look for.
Why are people so stupid anyway? (Score:1)
(http://stylus-toolbox.sf.net/ | Last Journal: Tuesday May 15, @11:50AM)
Criminals are dumb.
Click here for free movies! (Score:5, Funny)
Subject: Click here for free movies!
Attachment: not_spyware.exe
Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!
Hello World (Score:2)
-Social engineering (either against the person, or his mother)
-Breaking into the basement^W house and installing the damn thing
-Hiding it in porn
Getting past defenses? (Score:5, Insightful)
(http://www.shaunc.com/)
Something seems fishy about the whole story, though. This guy was apparently savvy enough to use a proxy in Italy to send his Gmail bomb threat emails, so he was at least trying to cover his tracks... But he was dumb enough to open a random email attachment? It strikes me as more likely that the CIPAV is deployed through a browser exploit (or perhaps even "legitimately" as an ActiveX control or BHO, people will install anything).
Re:Getting past defenses? (Score:5, Insightful)
Just because someone does something the "average Joe" cannot or does not do, doesn't mean that he knows more than said Joe. He might just have gotten some clue from a pal, without said pal telling him the whole story.
It's simple script-kid style. Yes, some of the malware that circulates is pretty well written, but the people using it are sometimes so dumb that you wonder if they ain't better off serving fries. They're bound to be caught.
Not the guys only issue (Score:2)
Where's the provision for any federal police squad (Score:2, Interesting)
(http://www.unanimocracy.com/about.html | Last Journal: Tuesday April 04 2006, @12:04PM)
Is a bomb threat considered piracy?
Is a bomb threat considered treason?
Is a bomb threat considered counterfeiting?
If it isn't, there is NO Federal allocation of power to go after bomb threats, period. What the FBI is doing is not just unconstitutional, but any political leader who took an oath to uphold the Constitution is violating the only oath they took.
It is time that the residents and citizens of the United States of America ask where the government has gotten these powers from. I know that many of the previous generation is afraid of terrorist attacks, but we are all being attacked already in having our natural rights taken away from the very government that has one major purpose: to protect us from the State who wants to take those rights away.
It is fairly simple. The FBI has no provision in the Constitution, nor in any Amendments to said Constitution, and should just go away. Let the local State police force worry about bomb threats. If it happens from across State lines, let both State police forces work together.
Interesting speculation (Score:2)
(http://www.dangercollie.com/music/)
The Feds would have the $$$ and be able to hire the skill labor to build some pretty sophisticated spyware tools. On the other hand, I wouldn't be surprised to find out Microsoft included a back door in Windows. That rumor has surfaced before.
The problem with either of those options is if they get out in the wild. How many people have access to those tools and how is their deployment managed? Who wouldn't be tempted to do a little sideline testing if they had those goodies in their tool chest.
Thank Goodness (Score:1)
(http://www.ianmcintosh.org/)
Woot! (Score:3, Funny)
(http://www.dragonweezel.com/ | Last Journal: Monday January 29 2007, @01:47PM)
livecd (Score:1)
A far more likely way (Score:2)
Linux... (Score:1)
smileys.exe (Score:1)
Sorry FBI, I'd like to help, but it seems your wiles only affect chimps.
Use MySpace? (Score:1)
(Last Journal: Sunday September 02, @04:01AM)
Of course there is still the chance that a firewall or piece of security software would pick up the offending malware. Chances are the kid didn't have a very secure setup as others have suggested. The FBI probably thought they'd give the spyware thing a try and it worked out - I doubt they need to make use of OS exploits. They probably had enough data about the kid to create a highly targeted piece of spam or advertising that he was simply not able to resist.
Why is this even on /.? (Score:3, Insightful)
(http://www.friendwich.com/ | Last Journal: Thursday November 09 2006, @12:05PM)
Law enforcement is very deep into every aspect of computer activity. It's been this way for more than a decade.
The
The Problem (Score:5, Interesting)
(http://www.traxel.com/)
The problem is that technology is getting closer to us all the time. The barrier between man and machine is becoming much narrower. And that is a good thing. At the far end of the spectrum people have long been getting artificial hearing enhancers, and now we are starting on intelligent artificial eyes and limbs. People with epilepsy are getting electronics embedded in their brains. At the nearer end of the spectrum, a large percentage of the population now carries a small computer with them everywhere (their cell phone). The man/machine split is disappearing.
So what? Well, we have a problem developing if the government assumes that anything that does not have your genome is fair game for them to crack. Today it is the suspect's computer. This already poses a problem if the suspect is, for example, engaged in legitimate contracting for some corporation - should the government have the right to compromise the security of that corporation because one of their employees is breaking the law?
But what of the more tightly coupled technology? Should the government be allowed to plant a bug in my hearing aid? Should they be allowed to tap the signals coming from my artificial eyes? Should they be allowed to monitor the same brain activity patterns that my seizure mitigating device monitors?
The problem is that we are becoming more closely coupled with technology, and that is a good thing. We are the first species in history to actively engage in our own evolution. But if we cannot trust our technology, it creates a barrier to that evolutionary step. I have the right not to self-incriminate. But if a computer is part of me, where does the line get drawn?