Sidepocket
Posted July 23, 2007

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

FBI Spyware in a Nutshell

The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

• IP address
• MAC address of ethernet cards
• A list of open TCP and UDP ports
• A list of running programs
• The operating system type, version and serial number
• The default internet browser and version
• The registered user of the operating system, and registered company name, if any
• The current logged-in user name
• The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer's internet use, logging every IP address to which the machine connects.
All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI's technical laboratory in Quantico.

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

According to the affidavit, the CIPAV sends all the data it collects to a central FBI server located somewhere in eastern Virginia. The server's precise location wasn't specified, but previous FBI internet surveillance technology -- notably its Carnivore packet-sniffing hardware -- was developed and run out of the bureau's technology laboratory at the FBI Academy in Quantico, Virginia.

The FBI's national office referred an inquiry about the CIPAV to a spokeswoman for the FBI Laboratory in Quantico, who declined to comment on the technology.

The FBI has been known to use PC-spying technology since at least 1999, when a court ruled the bureau could break into reputed mobster Nicodemo Scarfo's office to plant a covert keystroke logger on his computer. But it wasn't until 2001 that the FBI's plans to use hacker-style computer-intrusion techniques emerged in a report by MSNBC.com.
The report described an FBI program called "Magic Lantern" that uses deceptive e-mail attachments and operating-system vulnerabilities to infiltrate a target system. The FBI later confirmed the program, and called it a "workbench project" that had not been deployed.

No cases have been publicly linked to such a capability until now, says David Sobel, a Washington, D.C., attorney with the Electronic Frontier Foundation.

"It might just be that the defense lawyers are not sufficiently sophisticated to have their ears perk up when this methodology is revealed in a prosecution," says Sobel. "I think it's safe to say the use of such a technique raises novel and unresolved legal issues."

The June affidavit doesn't reveal whether the CIPAV can be configured to monitor keystrokes, or to allow the FBI real-time access to the computer's hard drive, like typical Trojan malware used by computer criminals. It notes that the "commands, processes, capabilities and ... configuration" of the CIPAV is "classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique."

The document is also silent as to how the spyware infiltrates the target's computer. In the Washington case, the FBI delivered the program through MySpace's messaging system, which allows HTML and embedded images.

The FBI might have simply tricked the suspect into downloading and opening an executable file, says Roger Thompson, CTO of security vendor Exploit Prevention Labs. But the bureau could also have exploited one of the legion of web browser vulnerabilities discovered by computer-security researchers and cybercrooks -- or even used one of its own.