FBI Surveillance Tools

Interesting blog post from EFF.

Posted on May 12, 2011 at 6:24 AM • 38 Comments

Comments

GreenSquirrelMay 12, 2011 7:22 AM

Interesting but not surprising. I /suspect/ the FBI are not alone in this.

BF SkinnerMay 12, 2011 7:55 AM

So the feebies have established a penetration unit since at least 2005; likely just an extension of their current tradecraft into digital.

They must maintain their tool so - active collection and exploitation of zero-days on, presumedly, all three browser platforms.

I wonder if they disclose the existence of zero-days to the vendor? Or if, like VUPEN they keep them for their own use.

regular_guyMay 12, 2011 7:55 AM

I'm rather interested in the installation methods.

I question the effectiveness on the non-standard linksys/IE/Windows 7 crowd.

How do they keep from inadvertently infecting non-targeted machines?

What if the target was using a company or government owned computer? Can they lawfully force a firewall admin to allow the traffic in such environments?

The whole concept seems like a very bad idea to me.

regular_guyMay 12, 2011 7:59 AM

I forgot to mention the scenario of compromised accounts. The article mentions using MySpace. What if the MySpace account is compromised and they get the wrong person?

Clive RobinsonMay 12, 2011 8:58 AM

Burried away in the middle is this little jem,

'In that email, the FBI employee notes he considers the tool to be " consensual monitoring without need for process; in my mind, no different than sitting in a chat room and tracking participants' on/off times; or for that matter sitting on P2P networks..."'

I was under the impression that FBI employee's involved with investigations should be legaly trained?

How on earth does he equate deliberatly infecting a computer owned by another (a crime) and the stealing of the owners resources (another crime) with "consensual"...

It's like a police officer saying "because she was dressed that way she was consenting to be sexualy assulted".

On a lesser note I don't know what the state of play is in the US, but in many jurisdictions being in a private place with public access does not entitle even police officers to record peoples details without due cause, unless they own the place and have indicated their intention to make such recordings in a way that is obvious to people before they enter.

That is why it's ok in the UK for a shop keeper to have CCTV in the shop but not ok for the police or others to just point a camera or other recording device through the windows etc.

An Internet chat room is very rarely on a publicaly owned computer, it is usually hosted on a privately owned computer and is thus equivalent to a "privately owned place to which some of the public are allowed" just like a shop or cafe etc. People just being there is not due cause to record their movments nor (unless they actively participate) should it be cause for them to be considered a conspiritor etc.

hdd_makerMay 12, 2011 8:59 AM

@ regular_guy

What are you for people getting away with crime?

(Please note that this is sarcasm.)

A guy at work was talking about our fde drives (full disk encryption) and was saying that he didn't like that we were making it harder for feebies to get data. I responded that a person should be able to keep their secrets if they choose, plus the fbi is likely one of our fde customers.

secuspecMay 12, 2011 9:23 AM

Indeed, they're not alone. In Germany the "Bundestrojaner" aims towards similar goals.

GreenSquirrelMay 12, 2011 9:59 AM

@regular_guy:

"I'm rather interested in the installation methods. "

I wouldnt put a covert entry and installation past them... Other than that spearfishing, trojans etc. Most people's home systems arent tight enough to stop a dedicated attacker who can serve a warrant on the ISP.

@hdd_maker
"What are you for people getting away with crime?"

Personally, I stand by the maxim that I would rather a criminal got away with their crime than an innocent person was incarcerated.

one tooMay 12, 2011 10:40 AM

@hdd_maker

I probably work for the same company you do!

Remind that co-worker that FDE also protects his credit card and other personal information in the event that some idiot from Walmart has a laptop stolen, that has his, and thousands of other persons CC numbers on it.

Or the travel agency that our company uses, that stores his travel itinerary.

Or the doctor, that has his medical conditions on it, that he may not want our employer, or anybody else for that matter, to know about.

FDE protects everybody. Too bad the "feebies" can't get their hands on it... unless... Have the Feds asked us to put a backdoor in our encryption algorithm?

let's get the basics straightMay 12, 2011 10:47 AM

Just to get the basics on this straight, this seems to be a standard 'get the guy or gal to click on a link that points to a site that downloads a Trojan,' this time the link being on a social site and not an email. The particular Trojan being downloaded by the FBI is "CIPAV", which seems to be characterized by an intent to record the full "Internet identity" of the computer user(s) but also by lack of a keylogger, lack of a C&C capability from the FBI's end, and lack of an upload facility for the target's files. Are these just things we don't know about, or are they for the next generation of CIPAV or what?

What's the difference between this and the Aurora hack?

What's the difference between this and the rootkits that HBGary was flogging to the Gov't?

Non-Egg-On-Your-Facebook userMay 12, 2011 10:48 AM

Let this be a lesson to you children, NEVER open any link from a three-letter agency that wants to be your "friend".

regular_guyMay 12, 2011 11:02 AM

I wonder if this could backfire. Assuming it is the sort of app that calls home and somebody intentionally installed the malware on a large bot net, the FBI just opened themselves up to a DDoS attack.

BF SkinnerMay 12, 2011 11:09 AM

@Clive " deliberatly infecting a computer owned"

Deliberate and clandestinely...
I think this was the same argument they made about the gps vehicle tracking beacons.

Your honor he was doing his bookmaking in a glass phone booth. Obviously he didn't care about his privacy.

He had in a locked bag in a locked trunk ...but on a public road so obviously he didn't have the same percieved protection from scruitny.

he used an internet connected computer to access an email I sent him and a link that exploited a vulnerability he was completely unaware of so obviously he had no expectation of privacy.

and the one that floats justification for all boats.

He's a very bad man. I know it and anything I do to prove it is a good thing.

NobodySpecialMay 12, 2011 11:26 AM

@clive
A similar argument was used for listening in on phones where the receiver hadn't been replaced properly. The argument, which held up in court, was that the speech was public.

Accidentally leaving phones off hook suddenly became very common among suspects - of course you can with a voltage spike force an old fashioned analogue phone to go off-hook, but f course law enforcement would never do anything so underhand

StephenMay 12, 2011 11:30 AM

I find it fascinating that our authorities are entirely permitted to commit Class B felonies in the course of their investigative work.

Who watches the watchmen, indeed.

Dirk PraetMay 12, 2011 11:42 AM

Hardly a surprise. They consider themselves the good guys, so what's the problem with whatever they're doing ? Imagine the Chinese doing the same.

The real question here however is to which extent governments and their TLA's have agreements with anti-virus and anti-malware vendors to not detect their spyware.

Clive RobinsonMay 12, 2011 1:34 PM

@ Dirk Praet,

"The real question here however is to which extent governments and their TLA's have agreements with anti-virus and anti-malware vendors to not detect their spyware."

That is a significant consideration, but AVetc software from the major vendors is not going to be the Feebies only concern.

For instance I will assume that as others have noted the spy ware has occasionaly to do an ET and "phone home", the question is how?

The simplest and most visable is if it sends a packet or two of to an 'unknown to the user' IP address that is the Feebies gateway. If the user has IP based whitlist software (which is appearing on homebrew routers) then it's going to throw an exception at the Feebies gateway IP address. Likewise if the user sets the machine up in a "honeypot" style environment.

More covertly it modifies the users browser and hides in their facebook traffic. This would be harder to spot but not impossible. Hardest would be using the timing between packets etc which could be either logged at the ISP or if sufficiently low bandwidth by the end service provider.

Now this makes me think that the Feebies (who supposadly don't currently have ISP cooperation to the level required) would have to either be at some mid point or getting co-operation from the service provider such as facebook the user had this malware downloaded from.

So it's not just the AV vendors you need to be considering but the likes of facebook etc. as well...

BackdoorMay 12, 2011 2:23 PM

@hdd_maker and @one too:

Come on, we know you guys have backdoors in your encrypted HDD's. There's no way NSA/FBI would allow them on the market if this weren't the case.

davidshayerMay 12, 2011 3:45 PM

I assume this is Windows only, and you're immune if you use linux or Mac OS, or some newfangled device like Android or iPad?

let's get the basics straightMay 12, 2011 4:15 PM

@ Dirk Praet,

If you go to the Symantec analysis of the Stuxnet virus, which surely is a model for what a state actor is capable of, you will see that it's not a matter of cooperation with the AV Vendors, but the use of 0-day Windows exploits to circumvent the more popular and well-respected AV packages.

Moreover, the whole point of what HBGary appeared to be doing was to sell rootkits to the Gov't which were advanced enough not to be detected by the various AV and anti-rootkit/anti-malware packages. And not only that, but to market straight 0-day exploits--presumably on a 'use it in your own hack' basis. Judging from these 'in the wild' approaches, while there may theoretically be cooperation it's more a matter of smart vendors selling solutions containing 0-day exploits.

Dirk PraetMay 12, 2011 6:09 PM

@ Clive / Basics straight

Both very much on the money. Expanding CALEA would definitely help in forcing cooperation from ISP's and service providers. I can also imagine some skilled TLA's having infiltrated the likes of service providers with a poor security reputation for quite a while already. If discovered, there's always the Chinese to blame.

Arguably, there seems to be a black cybermarket out there where 0-days and crimeware like Zeus can be bought and sold, and where criminals are definitely not the only folks shopping around. Since the HBGary fiasco, we have tangible proof that even so-called respectable companies are getting some of their raw material there to sell off the hardly legal finished products to the highest bidder. The problem with 0-days however remains that they most of the time will become public and patches released, thus necessitating product lifecycle management and requiring additional communications than just the occasional obfuscated or fragmented home call to remain effective. I guess we can only applaud initiatives such as Upsploit where both white hat researchers and black hat whistleblowers can upload newly found vulnerabilities.

The thing that bothers me most however, is that we gradually seem to be approaching some tipping point where the combined forces of cybercriminals and government spying are starting to push security and privacy aware folks into the underground or off the grid alltogether. There used to be a time when running FOSS and observing some basic security best practices was more than sufficient to keep you safe, but that is by far no longer the case today. I have never had Facebook for obvious reasons, but since a while I have also been canceling all on-line accounts except those which I really need and minimising as much as possible any personal info on those. Mail sent to my gmail account is read from Thunderbird and stored locally. My Firefox has a full set of plugins to minimise Google and other tracking. Dropbox does not contain any sensitive files, and what is stored there is encrypted. I could go on.

It's safe to say that we are living in interesting times.

Richard Steven HackMay 12, 2011 6:33 PM

I read a story years ago about the NSA having similar trojans they sic on "terrorists suspects" and the like.

The real story here is 1) the notion that FBI agents think anything they do is "legal", and 2) the FBI agents ticked off that they have to share their tools with other agencies.

Trust me, folks, the FBI are scumbags down the line. They will do anything to advance their careers - including falsifying evidence and corrupting forensic evidence as has been established, and including illegal black bag jobs as has been proven in court in the case of the American Indian Movement - without regard to the actual guilt or innocence of anyone.

And for the finale, Google "Sibel Edmonds" and read her story. The FBI is perfectly willing to help certain politicians commit treason just to CYA. Sibel is the most legally gagged person in US history. No one in the main stream media will touch her story because it involved certain "senior elected officials" involved in outright organized crime and treason. Note: "senior ELECTED officials" - that means your Senators, your Congressmen, and possibly a (previous) Vice President and/or President. And she can name names - were she allowed to.

There's a guy named Marc Grossman currently serving as Special Envoy to Afghanistan and Pakistan, replacing the late Richard Holbrooke. Sibel has named him. Look him up in Wikipedia - especially his connections to the guy who wired $100K to the 9/11 terrorists.

For Sibel's efforts, the FBI canned her and the DoJ gagged her.

JayMay 12, 2011 9:19 PM

@backdoor:

As long as it's a question of resources.

If someone can read my hard disk but it requires them to extract the platters / decapsulate the controller IC - well, fine. The FBI/NSA/CIA are not going to steal my CC#, and by the point they're *that* motivated I'm in trouble anyway.

In a more paranoid sense: Why bother backdooring the HDD if you can backdoor the OS and get all the data delivered for free? (Evil Maid in the BIOS, anyone?)

tommyMay 12, 2011 10:43 PM

@ Clive Robinson, O/T:

My reply to your comment about Gov property sins, taxes, etc. finally made it through moderation at the "tally stick" post:
http://www.schneier.com/blog/archives/2011/05/medieval_tally.html

Since the topic is now two or three days old, I hope that everyone will forgive me for the O/T post in attempting to catch Clive, should he still be interested.
***

ON TOPIC:

I share the general disgust of most commenters. The US continues to be more and more like the alleged "enemies" it is fighting. Sad. I wrote about the FBI abuses in 2006, under Bush, and it's even sadder that they continue under the current POTUS, who campaigned on a platform of "representing the people" and of "transparency in Government".

http://www.amiright.com/parody/60s/thevogues1.shtml

(I hope that link doesn't get me filtered!)

DilbertMay 13, 2011 7:14 AM

@let's get the basics straight,

What makes you think HBGary was creating any rootkits that were "advanced enough not to be detected by the various AV and anti-rootkit/anti-malware packages"? I expect they were just a new rootkit. Nothing too fantastic, just unknown, like 0-day exploits. If they're quiet, non-intrusive (from an operational perspective) and don't otherwise broadcast their presence they won't get picked up. As a rootkit, they'll hide there presence anyway. Malware needs to DO SOMETHING to draw attention to itself. Suppose a major software company had built malware into every product for the past 10 years, but never activated it. It's just sitting dormant, waiting for some even to kick it off. Until it does something malicious it won't get picked up as malware. Sound like a new hollywood terrorist plot?? lol

David ThornleyMay 13, 2011 9:11 AM

@Dirk Praet: Sony apparently had an agreement with anti-virus vendors not to detect their rootkit, which to me was a gross dereliction of duty to their customers. I suspect the US government would have little difficulty convincing US anti-virus vendors. They may have more difficulty with foreign vendors, but they can always pretend to be one of the major record labels or something.

let's get the basics straightMay 13, 2011 10:48 AM

@Dilbert:

The package of articles on the Anonymous hack of HBGary that Bruce linked to a while back had some screen images of HBGary promotional material for their rootkits--after all, you have to market your product. The promotional material listed the anti-rootkit packages that the HBGary product remained undetected by.

I'm not too sure your logic is correct. Let's take two situations, the first an anti-virus product that monitors downloads. Presumably it will be monitoring the datastream for signatures both known and generic (heuristics). The second would be a general scan of the computer files by the same or different anti-rootkit package. This would check, using the same signature database and same heuristic algorithms if it were the same anti-virus package, for suspicious code. The implication I took from the HBGary promotional material was that their rootkit product, which they were actively marketing to gov't, was not detected by a big list of anti-rootkit packages.

So this is not a matter of dormant code. Presumably, someone could put some sort of malware on a computer in encrypted form that did nothing for 10 years, but which would be automatically decrypted and put into action after 10 years, but that's not what's in issue here. The rootkits that HBGary was promoting were evidently intended to be used as Trojans in the immediate future--their customers would be looking for an immediate payoff.

Would the rootkit be using a 0-day exploit to hide from the anti-rootkit package? I suppose the issue is conceptual: how do we understand the hiding and detection of rootkits and how do we understand what a 0-day exploit is?

anonymousMay 16, 2011 3:06 PM

It is very easy from Gov's to introduce malwares on your systems. Have a look on EICAR 2011 papers and also ZouAV PoC from Eric Filiol and Alan Zacardelle (http://cvo-lab.blogspot.com/2011/05/mcafee-quarantine-file-and-sequels-from.html) and (https://sites.google.com/site/ericfiliol/home/international-conferences/internationalconferencefiles/eicar11filiol_zacardelle.pdf?attredirects=0&d=1)

asdMay 17, 2011 10:20 PM

Received a email that was quiet interesting. Some one can ring you, using telephone number and send a broadband signal down the line to active TR-069 Client on your router , and open up you network.

Sorry was there meant to be privacy in these day and age.

meMay 19, 2011 11:26 AM

OK, that's a long article, I don't read too great, and there are 38 comments above mine by much smarter people. That's a lot of read before jumping out of my desk to ask a question.

[jumps out of desk]

I have a dumb question: Is the article at EFF referencing that FBI 'email reader program' called 'Cannibal'? I think that's what it was called but beyond impatience is also a not so great memory probably.

If so, they need some new software engineers. Or 'developers'. Whatever those are.

zorgMay 19, 2011 11:37 AM

@me:
I have a dumb question: Is the article at EFF referencing that FBI 'email reader program' called 'Cannibal'?
--

I think you are referring to Carnivore. The article was about CIPAV, a "Computer and Internet Protocol Address Verifier".

Just to help identify you by identifying your system. In case your IP changes and cookies are deleted, the sort of stuff that "normal" websites would look at in order to see if you have logged in before.

mepartdooMay 19, 2011 11:44 AM

[insert apologies for abundant postings]

non-egg: that was funny

regular-guy: hmm..that's a good point but wouldn't they think of
that too?

green-Squirrel: You wrote "Personally, I stand by the maxim that I would rather a criminal got away with their crime than an innocent person was incarcerated." That's pretty absolute. What if you also knew the criminal was a baby raper? or rapist in general? a serial killer? I won't go on listing what most would consider 'more heinous' crimes than say, stealing movies. I'm just wondering how absolutist you really are when you make a statement like that.

I feel very strongly about freedom, but I can't say it with as much resolute confidence as you seem able to. iow, i admit i waffle.

Seems to me that just like people say 'disinformation' to bin laden's info-lair revelations, they could also consider 'disinformation' in other contexts as well, couldn't they?

And, maybe the feds, like the nsa, have that 'hot list' of spoken and written words and if someone uses enough of them at enough regularity, they get looked at?

I don't know. but then, I rarely feel confident about very much I think I do know.

meMay 19, 2011 11:44 PM

I see zorg, thank you for clarifying about Carnivore.

A carny and a herbivore had a baby. Thus was born Carnivore. For CIPAV, I will have to be a little more creative. Citibank and Pavlov's lesser known dog 'Pav' had a baby, thus was born CIPAV. Food for thought!

Thank you ladies and gentlemen, I'll be here till Sunday. Oh, and make sure you get signed up on my tour mailing list on your way out of the show tonite.


crickets....

LinuxloraxFebruary 20, 2012 5:22 PM

I notice that the link is no longer found on the EFF website? Can someone verify this?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..