Schneier on Security
A blog covering security and security technology.
« Woman Registers a Dog to Vote |
| The TSA and the Case of the Strange Battery Charger »
July 18, 2007
Detecting Police Spyware
Most computer security products deliberately do not detect police spyware.
Posted on July 18, 2007 at 4:28 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
But this isn't what the article says. It says that all the computer security companies have a policy to detect police spyware, and most say they have never received a court order to make an exception, but a few did not answer this question.
The rest of the article is a general discussion about police spyware.
Actually, according to the article, most security product vendors report that they would comply with a valid court order to not detect "police spyware", but that they've never received such an order.
It's exceedingly unlikely that they ever would. The PR blowback and policy problems that would result for any police agency trying that are probably too severe to chance something so entirely unnecessary.
Presently, antivirus is a best an 80% solution. At a rate of 1000+ new variants of malware a day, antivirus companies are hard-pressed to keep up with widespread attacks. Narrowly targeted attacks aren't generally going to be noticed.
There's thus little chance that sparingly-used "police spyware" would ever be on the radar for detection. Moreover, if it were detected due to some kind of massive screw-up, the police wouldn't want it labelled as "police spyware", thereby tipping off their target. Instead, they'd just morph it to dodge the detection as generic malware, and go on about their business of monitoring.
That small-run, morph and dodge technique has certainly been demonstrated as both trivial and fruitful by the criminal gangs distributing spyware, after all. There's no reason it won't work for court-ordered monitoring of criminals as well.
ID theft is a growing problem. I'd say that spyware increases the problem. The police shouldn't be using spyware.
I wonder how ClamAV would respond?
There are companies that decline to answer the question if they whitelist 'official' spyware.
If you do not whitelist then why not come out and say so? This would increase 'good vibes' with your customers and might increase sales.
Maybe they don't want to lie to their customers.
Therefor I think they DO whitelist.
There are companies that did answer the question and they all said "no".
They might not be telling the truth at the request of the government.
Damned if you do and damned if you don't...
Now we all have to act as if all 'official' spyware goes undetected by the security product of our choice.
One problem is that all of the police malware can be copied without limit, and copies can do the same things the originals can do. This allows anyone involved anywhere in the surveillance with even momentary access to the files to set himself up in business, either for himself, or for a fee.
Eventually, the police malware will get into the hands of criminals, who can then use it the same way the police do, or they can figure out how to defeat it -- which solutions they could use themselves and/or market.
"I wonder how ClamAV would respond?"
I guess you'll have to ask them. I have been using Avira Antivir, which is off shore (in Germany); so seems unlikely that they would feel subject to a court order even if one were issued. They are otherwise doing a good job for me, so I think I'll stick with them.
I really doubt anyone has written code to specifically exempt police spyware. That's work, and requires coordination, neither of which is going to happen ahead of time.
Far more likely is that the policy spyware is rare enough in the wild, and quiet enough, that it doesn't get added to signature sets. Behavioral products probably block it, unless it's very clever.
"Professional" spyware also isn't generally detected. Though you could argue whether that's deliberate or not.
At my previous place of employment, they placed keylogger/reporting software called PC Activity Monitor secretly on a tester's machine. His normal AVG and Ad Aware scans did not detect it (nor did Norton I think), but Spyware Doctor out of the Google Pack did.
This would be a good reason to use something like OpenBSD - at least for all the things you *really* want to protect.
Although of course if someone really wants to get in you cant easily stop them
Sometimes the questions not asked in the article scream the loudest.
I wouldn't expect many subponeas and warrants to be served for this type of criminal investigation.
If the case is big enough to take the time to plan such surveillance, it's likely other methods of gathering the information will be discovered and exploited.
Now, they didn't as how many companies have been served National Security Letters. Granted no one would say yes (unless someone slips up)...still would've been interesting to see the break down of "No" and "We can neither confirm nor deny..." you got :)
no current antivirus detects this:
if the police use it, is it police spyware?
and if the police write their own spyware, use a warrant to enter the house, install it, listen to it, then crash in arrest the guy and seize the hard drive... how exactly will their kit get out and take over the world?
ok, hypothetical time. let's say some guy who writes linux filesystems kills his wife. if he has a pgp virtual disk on his computer, and the police have a warrant to search and wiretap his house, what would you suggest they do?
POLICE ARE BAD PEOPLE BECAUSE THEY WRITE TRAFFIC TICKETS RIGHT?
btw bruce the article actually says no one but mcaffee makes exceptions for law enforcement. key component of writing good articles is reading them too.
My guess is that the 'security' product companies have never recieved a court order, because they were probably asked directly first (why waste the red tape?) and immediately complied.
Also read about this over on slashdot, and apparently Norton & AVG both have a policy to whitelist gov't spyware.
If anybody here thinks companies won't do the governments bidding, I wish you well. Yes they will and they won't tell you or anybody else about it. Remember the Narus devices at AT&T? Do you think any company smaller than AT&T can tell the US government "No, not without a court order?" You are dreaming. I work in IT department for a large three letter telecomunications company and I can assure you they do all of your worst fears. Those tiny (less than one billion US dollars revenue per year), AV companies don't stand a chance against the US government.
Yes you are paranoid, and yes they are monitoring you. I don't know any of this for a fact, but I do know what I know that I can't say here and things I've heard from co-workers and it's enough to scare me. I don't even trust my own employer.
One more thing. The people in any company that work in the security department are under scrutiny. They will never post anything here or anywhere else because they know they are being watched no matter what they do. Linux is not an option for most IT security people because they are generally not from a Unix background. But they do know that any MS Windows machine is probably logging their every keystroke and mouse click.
In germany there is currently much talk about the "Bundestrojaner", police spyware that german right wing politicians want to search people's harddisks without them ever knowing.
I would expect that the legal bill allowing such online searches will include words that force antivirus companies to whitelist that thing. And even if not, I would expect them to whitelist it without even asking for a court order, and at the same time loudly claim that they didn't. There is just no money in the truth.
"I really doubt anyone has written code to specifically exempt police spyware. That's work, and requires coordination, neither of which is going to happen ahead of time."
All the commercial security products that I have seen have had whitelist systems ready against false positives. Especially the heurestic scanners can produce a lot of those, and it's often the easiest to whitelist the md5/sha1 of the target or do something similar.
Also, if you think for instance about the firewall components.. You could hardly ever notice if certain products had a port knocking scheme.
Technically quite easy stuff. It is a shame that OpenBSD is not fit for desktop use...
Yeah, I was going to post the original Wired article ( http://www.wired.com/politics/law/news/2007/07/... ), but thanks -- I hadn't seen the update.
I don't think the protectorate has to ask vendors not to detect things. There are so many available unresolved vulnerabilities to typically-managed systems that it's not difficult to find an available exploit. Interesting that most government agencies will not hire anyone with a history of writing malware. Maybe it's ok if you call it something else.
This quote from the article I found particularly disturbing:
"In theory, government agencies could even seek a court order requiring security companies to deliver spyware to their customers as part of an auto-update feature. Most modern security companies, including operating system makers such as Microsoft and Apple, offer regular patches and bug fixes. Although it would be technically tricky, it would be possible to send an infected update to a customer if the vendor were ordered to do so."
Just what we need, Windows Update distributing government sanctioned malware.
This article is mostly hyperbole and no substance. The firms will comply with a court order. So what? As a customer, it doesn't make me feel safer, but it's the politically correct response. Should they have said, "we will protect our pedophile customers from the US justice system no matter what"?
There is no evidence in the article that any security products "deliberately do not detect police spyware". In fact, it says almost the opposite. Obviously, the companies want to be PC on both sides.
@Kees: "If you do not whitelist then why not come out and say so? This would increase 'good vibes'"
And if you have nothing to hide, then why should you refuse a warrantless search of your records?
There was a story back around the time that BO2K was released of a police trojan called D.I.R.T. and it was even available for download. Was the story true? Was the download really what it was presented to be? I honestly don't know, but the stories are still out there on the web...
This is a little like makers of bulletproof vests modifying their products to pass projectiles of the sort typically fired by law enforcement. Whee.
I am a person in a Fortune 500 company, I work in the security department, I post here and elsewhere, and I am the one doing the watching. We sometimes cooperate with law enforcement, but they've never expressed interest in watching employees here.
I absolutely disagree that IT security people are "not from a Unix background". Linux is not an option for us because of concerns about security and support, not because of any preference for (or background with) Microsoft products.
Similar concerns lead us to not have clients auto-update directly from AV vendors or from Microsoft, but rather to retrieve updates from an internal update server.
The question to be asked is about the means and not the end. If spyware is considered illegal, the police should not be using illegal means of surveillance in any case. Does this not enter the realm of wiretapping without legitimate cause or authorization?
So, why isn't anyone asking how the spyware gets on the computers in the first place? What backdoor are they exploiting? Are they sending millions of phishing emails hoping their target installs it?
"Presently, antivirus is a best an 80% solution. At a rate of 1000+ new variants of malware a day, antivirus companies are hard-pressed to keep up with widespread attacks. Narrowly targeted attacks aren't generally going to be noticed."
Ok I may be way off guard here, and it depends on what you're talking about, but an huge antivirus company "could" not detect a special spyware or virus from a police dept. because it is too narrow?
IIRC aren't antivirus programs detecting bugs by algorithms and not the actual viri themselves? If this is true than the above statement is way off base.
A company looking for a certain type of virus may miss the little boys in blue, but a broad spectrum shotgun blast looking for anything that may resemble a virus would be more likely.
Besides, I think the piggly wiggly's are too busy fighting over that next federal handout and kicking in doors to hire dexter the programmer, it's not manly enough
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.