[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help] 

Status: Not Logged In; Sign In

Dear Border Czar: This Nonprofit Boasts A List Of 400 Companies That Employ Migrants

US Deficit Explodes: Blowout October Deficit Means 2nd Worst Start To US Fiscal Year On Record

Gaetz Resigns 'Effective Immediately' After Trump AG Pick; DC In Full Blown Panic

MAHA MEME

noone2222 and John Bolton sitting in a tree K I S S I N G

Donald Trump To Help Construct The Third Temple?

"The Elites Want To ROB Us of Our SOVEREIGNTY!" | Robert F Kennedy

Take Your Money OUT of THESE Banks NOW! - Jim Rickards

Trump Taps Tulsi Gabbard As Director Of National Intelligence

DC In Full Blown Panic After Trump Picks Matt Gaetz For Attorney General

Cleveland Clinic Warns Wave of Mass Deaths Will Wipe Out Covid-Vaxxed Within ‘5 Years’

Judah-ism is as Judah-ism does

Danger ahead: November 2024, Boston Dynamics introduces a fully autonomous "Atlas" robot. Robot humanoids are here.

Trump names [Fox News host] Pete Hegseth as his Defense secretary

Lefties losing it: Trump’s YMCA dance goes viral

Elon Musk: "15 Products You'll Stop Buying After You Know What They're Made Of"

Walmart And Other Major Retailers Canceling Billions In Orders Amid Fears Of A Dark Winter Ahead

Joe and Jill Biden deliver final 'kick' against Kamala Harris on election day

Relative importance of carbon dioxide and water in the greenhouse effect: Does the tail wag the dog?

Fired FEMA Employee Speaks Out, Says It Was Not Isolated Incident: Colossal Event Of Avoidance

Judge Merchan Hands Trump Historic Victory Donald Receives Stay on Felony Conviction

PNut the Squirrel was marked for death and decapitation from the start as rabies test results are negative

Yemeni forces strike military base in Tel Aviv with hypersonic ballistic missile

SheÂ’s lying. The FEC shows the payment

Speaker Johnson Orders Entire Biden Administration to Preserve and Retain All Records and Documents

Boeing has given up on diversity.

Trump Targeting up to 100,000 Deep Staters for Absolute Exile From DC

FBI Execs Rush to Retire After Trump Victory Leaves Them Shell-Shocked.

Witness to Tragedy: Huge Financial Incentives Led Hospitals to Use COVID Treatments That Killed Patients

‘Knucklehead’: Tim Walz returns to Minnesota ‘defeated'


Science/Tech
See other Science/Tech Articles

Title: FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats
Source: Wired
URL Source: http://www.wired.com/politics/law/news/2007/07/fbi_spyware
Published: Jul 18, 2007
Author: Kevin Poulsen
Post Date: 2007-07-18 12:06:46 by Brian S
Keywords: None
Views: 78
Comments: 1

Kevin Poulsen Email 07.18.07 | 2:00 AM

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

According to the affidavit, the CIPAV sends all the data it collects to a central FBI server located somewhere in eastern Virginia. The server's precise location wasn't specified, but previous FBI internet surveillance technology -- notably its Carnivore packet-sniffing hardware -- was developed and run out of the bureau's technology laboratory at the FBI Academy in Quantico, Virginia.

The FBI's national office referred an inquiry about the CIPAV to a spokeswoman for the FBI Laboratory in Quantico, who declined to comment on the technology.

The FBI has been known to use PC-spying technology since at least 1999, when a court ruled the bureau could break into reputed mobster Nicodemo Scarfo's office to plant a covert keystroke logger on his computer. But it wasn't until 2001 that the FBI's plans to use hacker-style computer-intrusion techniques emerged in a report by http://MSNBC.com. The report described an FBI program called "Magic Lantern" that uses deceptive e-mail attachments and operating-system vulnerabilities to infiltrate a target system. The FBI later confirmed the program, and called it a "workbench project" that had not been deployed.

No cases have been publicly linked to such a capability until now, says David Sobel, a Washington, D.C., attorney with the Electronic Frontier Foundation. "It might just be that the defense lawyers are not sufficiently sophisticated to have their ears perk up when this methodology is revealed in a prosecution," says Sobel. "I think it's safe to say the use of such a technique raises novel and unresolved legal issues."

The June affidavit doesn't reveal whether the CIPAV can be configured to monitor keystrokes, or to allow the FBI real-time access to the computer's hard drive, like typical Trojan malware used by computer criminals. It notes that the "commands, processes, capabilities and ... configuration" of the CIPAV is "classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique."

The document is also silent as to how the spyware infiltrates the target's computer. In the Washington case, the FBI delivered the program through MySpace's messaging system, which allows HTML and embedded images. The FBI might have simply tricked the suspect into downloading and opening an executable file, says Roger Thompson, CTO of security vendor Exploit Prevention Labs. But the bureau could also have exploited one of the legion of web browser vulnerabilities discovered by computer-security researchers and cybercrooks -- or even used one of its own.

"It's quite possible the FBI knows about vulnerabilities that have not been disclosed to the rest of the world," says Thompson. "If they had discovered one, they would not have disclosed it, and that would be a great way to get stuff on people's computer. Then I guess they can bug whoever they want."

The FBI's 2008 budget request hints at the bureau's efforts in the hacking arena, including $220,000 sought to "purchase highly specialized equipment and technical tools used for covert (and) overt search and seizure forensic operations.… This funding will allow the technology challenges (sic) including bypass, defeat or compromise of computer systems."

With the FBI in the business of hacking, security companies are in a tight place. Thompson's LinkScanner product, for example, scans web pages for security exploits, and warns the customer if one is found. How would his company respond if the FBI asked him to turn a blind eye to CIPAV? He says he's never fielded such a request. "That would put us in a very difficult position," Thompson says. "I don't know what I'd say."

The Washington case unfolded May 30, when a handwritten bomb threat prompted the evacuation of Timberline High School in Lacey, Washington. No bomb was found.

On June 4, a second bomb threat was e-mailed to the school from a Gmail account that had been newly created under the name of an innocent student. "I will be blowing up your school Monday, June 4, 2007," the message read. "There are 4 bombs planted throughout Timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM."

In addition, the message promised, "The e-mail server of your district will be offline starting at 8:45 am."

The author made good on the latter threat, and a denial-of-service attack smacked the North Thurston Public Schools computer network, generating a relatively modest 1 million packets an hour. Responding to the bomb threat, school administrators ordered an evacuation of the high school, but, once again, no explosives were found.

That began a bizarre cat-and-mouse game between law enforcement and school officials and the ersatz cyberterrorist, who e-mailed a new hoax bomb threat every day for several days, each triggering a new evacuation. Each threat used the same pseudonym, but was sent from a different, newly created Gmail account to complicate tracing efforts.

On June 7, the hoaxer started issuing threats through other online mediums. In his most brazen move, he set up a MySpace profile called Timberlinebombinfo and sent friend requests to 33 classmates.

The whole time he was daring law enforcement officials to trace him. "The e-mail was sent over a newly made Gmail account, from overseas in a foreign country," he wrote in one message. "Seeing as you're too stupid to trace the e-mail back lets (sic) get serious," he taunted in another. "Maybe you should hire Bill Gates to tell you that it is coming from Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy."

As promised, attempts to trace the hoaxer dead-ended at a hacked server in Grumello del Monte, Italy. The FBI's Seattle Division contacted the FBI legal attaché in Rome, who provided an official request to the Italian national police for assistance. But on June 12, perhaps fed up with the mocking, the FBI applied for and obtained a search warrant authorizing the bureau to send the CIPAV to the Timberlinebombinfo MySpace profile.

Court documents reveal the search warrant was "executed" June 13 at 5:49 p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP address would have been enough to guide the FBI to the teen's front door.

John Sinclair, Glazebrook's attorney, says his client never intended to blow anything up -- "it was a prank from the get-go" -- but admits he hacked into computers in Italy to launder his activities, and that he launched the denial-of-service attack against the school district's network.

Glazebrook was sentenced Monday to 90 days in custody, and given credit for 32 days he's spent behind bars since his arrest. When he's released he'll be on two years' probation with internet and computer restrictions, and he's been expelled from high school. The teen is being held at the Thurston County Juvenile Detention Center, where he will serve out his sentence, says Sinclair.

Sinclair says he was told that the FBI had tracked down his client in response to a request from local police -- but that he didn't know exactly how the bureau did it. "The prosecutor made it clear that they wouldn't indicate how this device works or how they do it," says Sinclair. "For obvious reasons."

Larry Carr, a spokesman with the FBI's Seattle field office, couldn't confirm that the CIPAV is the same software previously known as Magic Lantern, but emphasized that the bureau's technological capabilities have grown since the 2001 report. The case shows that FBI scientists are equipped to handle internet threats, says Carr.

"It sends a message that, if you're going to try and do stuff like this online, that we have the ability to track individuals' movements online and bring the case to resolution."

(1 image)

Post Comment   Private Reply   Ignore Thread  


TopPage UpFull ThreadPage DownBottom/Latest

#1. To: Brian S (#0)

"It does not take a majority to prevail, but rather an irate, tireless minority, keen on setting brush fires of freedom in the minds of men." -- Samuel Adams (1722-1803)‡

ghostdogtxn  posted on  2007-07-18   12:39:36 ET  Reply   Trace   Private Reply  


TopPage UpFull ThreadPage DownBottom/Latest


[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help]