Friday, April 17, 2009

FBI Is Using Spyware Programs against Extortionists and Hackers

But the documents released Thursday under the Freedom of Information Act show the FBI has quietly obtained court authorization to deploy the CIPAV in a wide variety of cases, ranging from major hacker investigations to someone posing as an FBI agent online. Shortly after its launch, the program became so popular with federal law enforcement that Justice Department lawyers in Washington warned that overuse of the novel technique could result in its electronic evidence being thrown out of court in some cases.

"While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit," reads a formerly-classified March 7, 2002 memo from the Justice Department's Computer Crime and Intellectual Property Section.

The documents, which are heavily redacted, do not detail the CIPAV's capabilities, but an FBI affidavit in the 2007 case indicates it gathers and reports a computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name; and the last-visited URL.

After sending the information to the FBI, the CIPAV settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects.

The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

In a separate February 2007 Cincinnati-based investigation of hackers who'd successfully targeted an unnamed bank, the documents indicate the FBI's efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn't get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."

The agent phoned the FBI's Special Technologies Operations Unit for "urgent" help, expressing "the valid concern that the Unsub hackers would be 'spooked.'" But two days later the hacker, or a different one, visited the site again and "the system was able to deliver a CIPAV and the CIPAV returned data."

The software's primary utility appears to be in tracking down suspects who use proxy servers or anonymizing websites to cover their tracks. That's illustrated in several cases in the documents, including the 2004 hunt for a saboteur who cut off telephone, cable TV and internet service for thousands of Boston residents. The man's name is redacted from the documents, but the description of the case matches that of Danny Kelly, an unemployed Massachusetts engineer.

According to court records, Kelly deliberately cut a total of 18 communications cables belonging to Comcast, AT&T, Verizon and others over a three-month period. In anonymous extortion letters to Comcast and Verizon, Kelly threatened to increase the sabotage if the companies didn't begin paying him $10,000 a month in protection money. He instructed the companies to deposit the cash in a new bank account and post the account information to a webpage he could access anonymously.

When the FBI tried to track him down from his visits to the webpage, they found he was routing through a German-based anonymizer. The FBI obtained a warrant to use the CIPAV on February 10, 2005, and was apparently successful. Kelly went on to plead guilty to extortion, and was sentenced to five years probation.

The CIPAV also played a previously-unreported role in an investigation of a prolific computer hacker who made headlines after penetrating thousands of computers at Cisco, various U.S. national laboratories, and NASA's Jet Propulsion Laboratory in 2005. The FBI agent leading the case sought approval to plant a CIPAV through an undercover operative posing as a Defense Department contractor "with a computer network connected to JPL's computer network," according to one document. The FBI linked the intrusions to a known 16-year-old hacker in Sweden.

And in 2005, FBI agents on the Innocent Images task force hit a wall when trying to track a sexual predator who'd begun threatening the life of a teenage girl he'd met for sex. The man's IP addresses were "from all over the world" -- a sign of web proxy use. The bureau sought and won court approval to use the CIPAV on August 9, 2005.

Other cases are less weighty. In another 2005 case, someone was unwisely using the name of the chief of the FBI's Buffalo, New York office to harass people online. The FBI got a warrant to use the spyware to track down the fake agent.
